10 points on the what, how and why of digital identity
1. A digital identity can arise in many ways…
At its core, a digital identity is a set of attributes that can allow an individual or entity to be represented in digital form in an online environment. It could even represent a thing.
2. …and take many forms…
A digital identity can take a myriad of forms, ranging from government protocols to private solutions and "self-sovereign" products. Even a gaming "avatar" and a social media profile are forms of digital identity. Digital identity may be accessed via a card / device, username / password or via your biometric data – or a combination.
3. …with a variety of attributes.
The data may be verified by a government body, financial institution or other third party. Conversely, it may simply be self-certified, or even false. It may comprise basic details such as name, date of birth and identification number, or extend to much deeper information, such as medical history, preferences, behaviour and social graph data.
4. Creating a digital identity can be simple or complex…
A digital identity can arise organically from information provided and activities online or it can be purposefully produced. Various technologies underpin these projects, including encryption, cloud, open API and/or blockchain.
5. …and it can be used in a variety of ways…
Digital identity can be used to facilitate identity authentication, digital signatures, rapid form-filling, regulatory compliance, data analytics and building cognitive systems. There are numerous current use cases, including Estonia's e-identity programme, India's "Aadhaar" scheme, and industry-specific applications such as Sweden's "BankID". The United Nations also deploys digital identity through the World Food Programme.
6. …including smart contracts and IoT.
Digital identities can help power smart contracts. When attached to things, they are also especially useful for building the internet of things (IoT), and assisting with its effectiveness and systemic integrity.
7. It must meet legal and regulatory requirements.
Data privacy, cybersecurity, outsourcing, anti-discrimination laws and other local market expectations must be addressed. If digital identity has a "regtech" compliance aim, it must also be fit for that purpose.
For example, digital identity can only be used for AML/CTF purposes if it is accurate, reliable and up-to-date. Whether or not data meets these tests depends largely on its source: if an open API connects a digital identity with government-held data, that data is far more reliable than self-certified information.
8. Digital identity does not come without risk…
The most significant risk is data breach, particularly where sensitive information is used. Biometric data can make a digital identity more secure, but if it is "stolen" it cannot be "reset" the way a username and password can. An individual's fingerprint will always be their fingerprint.
9. …which can be mitigated but not eliminated…
Risk is minimised through proper design, diligence and documentation. Three-factor authentication, the use of open APIs to minimise the creation of "honey pots" of data, regulatory controls and well-drafted contracts are some of the key risk management tools.
Blockchain technology can also be useful, although one of its greatest advantages (immutability) can pose a barrier to privacy compliance if carelessly adopted. This means that legal and regulatory issues must be a part of its fundamental design.
10. …and responsibility must land somewhere.
The use of digital identity needs a robust statutory and/or contractual liability model to address complaints, civil claims and other consequences arising from the misuse, loss or unreliability of data.
Importantly, it is not always possible to contract out of all liability. Regulators also often take a dim view on exclusions that unfairly affect customers. Reputation risk is particularly critical to manage, as digital identity is fundamentally predicated upon trust.