I have control

Can we truly own our identity?

Digital identity is a complex subject; as with most digital transformations, taking a process that exists in an analogue world and digitising it for use online doesn’t create a great solution.  A number of models for digital identity exist, and are often spoken about in terms such as centralised, federated, distributed, user-centric, self-sovereign.  There are countless papers by the great and the good of the identity world that talk about the merits and flaws of the varying models.  There’s a school of thought that centralised is bad and self-sovereign is the panacea for digital identity – though often these ideas focus too much on the model and less about the use.  And the arguments are often mired in digitisation of analogue.

Self-sovereign digital identity is a model which:

• Places the individual in absolute control of the digital representation of themselves 
• Is based upon the kernel of self that exists in the real world
• Assures the individual of access to all the data regarding them and provides transparency of how data flows
• Persists for as long or as short as the individual decides
• Assures portability and interoperability
• Functions on explicit user consent
• Operates sharing based on principles of data minimisation

These are all traits which it is hard to argue shouldn’t be the foundation of any digital identity model – never one to shy away from an argument, here goes:

Places the individual in absolute control of the digital representation of themselves 

Until such time as we plug in to the matrix, a digital identity and the flesh and bone which it represents cannot be linked with absolute certainty.   When the link between the two is, or is reasonably believed to be broken, control of the digital identity must be revoked (either permanently or temporarily).  This introduces a higher power of control over the individual’s identity.

Is based upon the kernel of self that exists in the real world

Identity in the real world is also complicated.  In the real world, our identities are often assigned by central authorities such as governments; or they’re guaranteed by 3^rd parties such as our parents; or they’re accepted based upon assigned attributes such as name, address and date of birth; or they’re based upon our DNA.  And more often than not, they’re a combination of all of these.  If our digital identity is based upon our real-world identity it cannot be self-sovereign.

Assures the individual of access to all the data regarding them and provides transparency of how data flows

We should always strive towards openness and honesty.  Yet there are circumstances where we need to keep data hidden and circumstances where its beneficial for the user to do so.  As an example, the organisation who will rely on digital identity are often required to check for fraud and criminality against our identity.  This isn’t information that we should give to the user, yet it is often closely tied to their identity.  So commercially and practically it needs to flow with the identity assertion.  When we give information to an individual, we also have a duty of care not just when that data isn’t correct, yet also when that information risks disenfranchising the individual.  Credit scores used to be information passed from Agency to Supplier about the individual without their involvement.  This changed, and in the last 20 years, they have gone from information that we know, to information that we can actually manage.  Yet for many people, a poor credit score creates exclusion – which leads to disenfranchisement.  If digital identity is to be inclusive, the data that we give back to the individual needs to have the duty of care built in.  We should work towards openness, we shouldn’t dive straight into it without understanding the consequences.

Persists for as long or as short as the individual decides

For some nations, having a government issued identity card is mandatory, for others it is optional or simply doesn’t exist.  Rather than eulogising on which is right, digital identity needs to recognise all models do and will exist, and look to provide a digital identity model which supports mandatory and optional membership of government registers.  Similarly, fraud systems need to persist identity elements to protect from bad actors.  We can offer choice in how long our digital identity as a “thing” persists, on the data that makes it up we can’t.

Assures portability and interoperability

Data portability is a convenience factor that shouldn’t be wilfully restricted.  Identity portability is where the value and complexity lies.  In order to drive the market, the work done in proofing the identity and attribute claims can’t simply be ported from one party to another.  To do so risks separation of effort and reward, which disincentives the commercial efforts required to develop and maintain a functioning marketplace.

Interoperability can only be assured with mutual trust.  Mutual recognition is reliant on the creation and adoption of interoperable standards.  Interoperability of systems should only be required once interoperability of standards is achieved.  We shouldn’t expect that everything interoperates with everything else unless everything is equal.

Functions on explicit user consent

The notion that an individual can explicitly permission what data is shared by whom and with whom is reliant on goodwill that doesn’t exist.  If we are given the choice to share only positive information and withhold anything negative, this is going to be a common choice.  This will restrict the ability for the receiving organisation to rely on the data.  Hobson’s choice (take what’s on offer or nothing at all) isn’t explicit consent for data sharing either.  We should be far more honest with how we define consent, so that a user understands when we need broad consent to search for good and bad information about their identity and when we’re seeking explicit consent to only share attribute X from organisation Y with organisation Z.

Operates sharing based on principles of data minimisation

Users shouldn’t need to understand the principles of data minimisation.  In a self-sovereign model, where they’re free to share their own data as they choose with whomever they choose, they need to understand who they’re sharing their data with and whether they’re only asking for the data they actually need.  In other models, such decisions are made on behalf of the user based upon their own rules -  for example, the Passport Office can permission that “X holds a valid passport” and “X is a Citizen of country Y” to be shared with anyone that the individual wishes; and that “X has passport number 12345678” only with parties which it trusts – which takes away both the control and the responsibility from the individual. 

Self-sovereign identity is a utopia that may never exist based on principles that may be better achieved through other means.  We should focus more on the things that a user needs from a digital identity and worry less about the model that we use to achieve them.  In designing digital identity, if we do so based on principles the user will value, and deliver them in a way which they will engage, we have the opportunity to revolutionise identity for the digital age.  Can we truly own our identity?  Does it matter providing we can assert our identity when we need to, to get things done?

Read my other posts

Let's get physical - how to get fit for the digital era by leveraging the offline world
Just in Case - From early adoption to maturity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing - Poor security practices are putting users at risk 
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Distributed Identity has no clothes - Will distributed ledger technology solve identity
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile

Defining the Business Analyst - Better job descriptions for Business Analysis
Unexpected Customer Behaviour -  The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business 
One Small Step - The practice of greatness
In pursuit of mediocrity - Why performance management systems drive mediocrity

About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn near 20 years experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA


Connect with Bryn on Linked In: Bryn Robinson-Morgan

Distributed Identity Has No Clothes

In January the Government Chief Scientific Advisor, Sir Mark Walport, published a report setting out the findings of a review exploring how distributed ledger technology can revolutionise services, both in government and the private sector.  This 88-page report explored a vision of how distributed ledger technology could reshape how government interacts with its citizens.

Whilst the concept of “Identity on the block chain” has been talked about for a while, the seeming endorsement from the Government Office for Science for this idea has triggered the rush for the bandwagon.   In the weeks since there have been a number of blog posts saying how block chain technology will solve the problem of how we establish our digital identity, will increase security, will prevent fraud, will either provide gold standard trust or do away with the need for it altogether, will end world hunger, eliminate bureaucracy, give privacy, return control of data to the individual… in fact it will do so many wonderful things we’ll all wonder how we lived before it.

The trouble is, the people forcing their way on the bandwagon often don’t understand block chain technology, or they don’t understand identity, or they don’t understand the problems that they’re claiming putting one onto the other will solve.  And here I’ll lay my cards on the table – I’m not a block chain guru; indeed when I blogged about this topic back in August 2015 -  Unblocking Digital Identity – my conclusion was inconclusive.

So why then, while every one else fights to grab onto the bandwagon – backed by the Chief Scientific Advisor and other people far more intelligent than I am – am I stood pointing and shouting that the emperor is naked?  Well, leaving stupidity aside, there are a few reasons.

Firstly, identity isn’t transactional.  When you ask how old I am I tell you my age, I don’t transfer it to you.  So if we’re talking about attributes of my identity that can be associated to a transaction – did the supermarket checkout operator get confirmation of my entitlement to buy alcohol? – so this could be written to a distributed ledger as immutable evidence for compliance purposes.  Though this is putting supermarket sales on the block chain, not my identity.

Secondly, identity and entitlement often get interlaced.   So one of my identity attributes is my date of birth, which when I hit 18 entitled me to buy alcohol (in the UK) – so actually the supermarket isn’t interested in my identity, they’re interested in my entitlement.  When claims are made of fraud prevention by putting my identity on the block chain it doesn’t address the fact that people claim things that they’re not entitled to… even when they’re known to the organisation they’re defrauding.

Thirdly, when it comes to security there’s a great comparison to most things in life.  The amount of reward to be gained guides the amount of effort we’re prepared to put in.  Bad people spend a lot of effort trying to break into bank systems because they know that there’s a lot of reward on offer.  And the banks put a lot of effort into protecting their systems because they have a lot to lose.  Now if you’re being attacked – the best thing is to know about it – so you can do things to prevent it.  If I give you a copy of the identity of every citizen – I tell you what the prize is - and let you take that away and do whatever you want with it – no matter how secure I think it is now, I’m not sure that I feel comfortable in leaving it with you without knowing what you’re doing to it.

Finally, and most importantly, identity isn’t about what was, it’s about what is.  People do strange things – like move house, change name, die.  So if I verify your identity and write an immutable record of it to the block chain, it is immediately worth less than at the point that I did it.  So being able to point to that transaction in 10 year’s time offers very little benefit.  If I go to rent a car, the car hire company don’t care that I was given a driving licence 30 years ago, they want to know if it’s still valid now.  If I write the event of my marriage to the block chain and have that signed by Government, I can prove that I got married; I can’t prove that I am married unless I go back to Government for them to confirm that I haven’t since got divorced… or died… or that my partner died (which is about their identity, not mine).

Which brings me to the same conclusion as before, though now with much more clarity. Distributed ledger technology will have a role to play in identity – though not in the way that the bandwagon would currently have you believe.  What that way is – I don’t know… though I do know it currently has no clothes on.

Read my other posts

Just in Case - From early adoption to maturity
I have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing - Poor security practices are putting users at risk 
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile

Defining the Business Analyst - Better job descriptions for Business Analysis
Unexpected Customer Behaviour -  The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business 
One Small Step - The practice of greatness
In pursuit of mediocrity - Why performance management systems drive mediocrity

About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has near 20 years experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA

Connect with Bryn on Linked In: Bryn Robinson-Morgan