Our interconnected digital world has started to make a mockery of traditional forms of identification. Being asked to produce ‘two forms of ID; at least one from each of the two following lists’ already seems hopelessly anachronistic in a world of automated password-managers, RFID-driven payments systems, and bio-metric authenticators on our mobile phones. The idea of having a single digital identity (Digital ID) that can replace the need to hold a plethora of cards and documents, from your passport and driving license to your library card and even your CV, is not only one whose time has come, it is one that is all but presumed to exist already. Although it doesn’t quite yet.
This ‘initial perspective’ is intended to provide a provocation for thinking and deeper discussion about the impending implementation, and future, of Digital Identity and its role and value in society.
In addition, we are also undertaking a set of 5 expert workshops across 4 continents in Q4 2018 (London, Singapore, Sydney, San Francisco and Brussels). If you are interested in joining, we would welcome your feedback and contribution to help build a richer view. Do let us know.
4. 4
TheFutureofDigitalIdentityAnInitialPerspective
This paper provides a provocation for a discussion on the future of
digital identity. It emphasises pressing questions raised rather than
necessarily attempting to resolve them, and outlines some of the key
future issues, as well as opportunities, going forward.
One of the trickiest aspects of writing a paper like this for such a vast
and complex topic, is the need to tread a fine line between keeping
things simple and broad enough to allow all potential stakeholders
and participants to see where their own expertise plays a vital part in
discussion, and yet recognise the deep complexities (both social and
technical) involved in any discussion of digital identity. We fully accept
that many of the concepts we casually introduce here deserve much
deeper consideration. Where we have over-simplified, we apologise.
Our hope is that this paper will serve as a point of departure for deeper
and more meaningful conversations about the future of digital identity,
or rather, conversations about our future in which the question of how
we resolve our digital identity is going to play a significant part.
5. 5
TheFutureofDigitalIdentityAnInitialPerspective
Our interconnected digital world has started to
make a mockery of traditional forms of identification.
Being asked to produce ‘two forms of ID; at least
one from each of the two following lists’ already
seems hopelessly anachronistic in a world of
automated password-managers, RFID-driven
payments systems, and bio-metric authenticators
on our mobile phones. The need to rifle through
one drawer looking for your most recent utility bill,
another to find your passport, and your bags and
back pockets for a driving license or ID card, is
surely not an experience that your children are going
to have to live through. Is it?
The idea of having a single digital identity that can
replace the need for all of these documents is not
only one whose time has come, it is one that is all
but presumed to exist already. Although it doesn’t
quite. Yet.
That is not to say that digital identities and digital
identification and authentication systems do not
already exist. They do, of course. From the earliest
days of the internet, people have been developing
digital identities. Originally, they may have been
no more complex than a username or ‘handle’,
sometimes accompanied by an ‘avatar’, used to
indicate that it was the same person posting on,
say, a UseNet thread. Such ‘handles’ might have
had a connotation of gender or race or political
affiliation, but these attributes were not verifiable as
such. Someone’s online identity might have reflected
their true (offline) selves, or not. In the early days of
the internet, verifying the truth of the matter, often
didn’t matter.
With the true dawn of ‘web 2.0’ in the early 2000s,
and the subsequent avalanche of social and
interactive web and internet services that defined
it, the creation and use of digital identities saw a
period of rapid expansion. Online ‘accounts’ for
social media services, retailers, dating services,
membership organisations and so on, invited
users to store many of their ‘real-life’ personal
attributes such as gender, race, location, age, and
photographs in ‘profiles’. Sensitive information such
as credit card details, national identification numbers
and bank account numbers, often sat alongside.
At the same time, digital payments systems were
rapidly out-moding chequebooks and signatures,
with instant online bank transfers and credit card
transactions. The need to protect these accounts,
and the information contained within them,
alongside the need to verify and authenticate those
engaged in financial transactions online, brought
the tsunami of account, username and password
combinations that still define much of the landscape
of digital identity and authentication today.
Today identifying and authenticating ourselves
digitally in order to access services is a familiar
exercise. That is exactly why the continued use
of, and reliance on, paper-based identification
documents in order to access certain services feels
so out-dated. And yet it is precisely this dizzyingly
fast and haphazard explosion of opportunities to
create digital identities, and the accompanying
labyrinth of digital identification and authentication
protocols, that has left us with a problem when
it comes to releasing a truly reliable, secure and
interoperable digital identification system. What we
have now is wide familiarity with the concept, but
an identification infrastructure defined by confusion,
inconsistency, muddled expectations, contradictory
social norms, and, as continuing high-profile
data-breaches make painfully clear, a profound lack
of security.
Identification in a digital world
Our interconnected digital world
has started to make a mockery of
traditional forms of identification.
6. 6
TheFutureofDigitalIdentityAnInitialPerspective
Before going any further, it is worth perhaps
outlining exactly what we mean by a ‘digital identity’
and in particular clear up the difference between two
distinct but overlapping ways of understanding
the term:
1) An ‘online’ or digital ‘persona’ created by a
user (or collection of users) for use in one or
other digital space. Examples of different digital
identities might include characters created by
players in video games, profiles on digital dating
services, the collection of attributes inside
accounts on social media profiles etc. A single
individual may create multiple digital identities
within just one digital context, or across multiple
contexts, and these identities may be similar
to each other, or differ wildly. They may bear
some relation to the individual’s offline (real world)
identity… or none at all. It is about how an
individual chooses (or individuals choose) to
represent themselves in digital spaces.
2) A digitally stored set of verified data ‘attributes’
(such as age, gender, citizenship etc.) that can
be used to identify that people (or entities, within
a digital system, exchange or transaction) are
who they say they are, or have the attributes they
say they have.
It might be useful to think of the first of these
definitions as a social and/or cultural definition,
whilst the second is a more technical definition that
has arisen from the digitisation of various social and
institutional interactions, and financial transactions
that require formal identification (such as paying for
goods and services, applying to use public services,
etc.).
The latter definition of digital identity is perhaps
better thought of as the digital equivalent of an
official ID card or document like a passport or
driving license, that can be ‘shown’ during digital
interactions or transactions in much the same
way as we might produce a passport at an
international border.
Just like identity documents, the primary purpose
of a ‘Digital ID’ would be to verify that someone
is who they say they are and/or has the attributes
they claim to have, such as the right to travel
freely. The immediate differences are simply that
(i) whereas physical identity documents tend to
contain just certain specific bits of information, a
‘digital ID’ can hold a potentially limitless number
of data points or ‘attributes’, and (ii) that the digital
equivalent of ‘showing your ID’ needs a slightly more
complicated, technology-enabled set of protocols
and infrastructure than does pulling a document
out of your bag. Assuming that such a ‘digital
identity system’ existed however, there would then
be no reason why a digital ID could not be used
anywhere that had access to that system, including
during face-to-face interactions (entering a club,
buying alcohol, or hiring a car etc), where we might
currently use physical ID documents.
This paper focuses on this latter, technical, definition
of digital identity as a ‘Digital ID’, whilst recognising
that the choices we make now in regard to it, may
in turn, have profound effects on our social, cultural
‘digital identities’. After all, as the first section of
this paper makes clear, we are currently in a world
in which aspects of both understandings of digital
identity have been mixed up and mashed together
in countless ways, on countless different digital
platforms and in countless different digital contexts.
Digital identity and ‘Digital ID’
7. 7
TheFutureofDigitalIdentityAnInitialPerspective
Authentication
Just as we have attempted to define digital
identities and Digital ID, it may also be necessary
to draw the distinction between a Digital ID on the
one hand, and the process of authentication on
the other. It is easy to confuse the two, not least
because authentication processes often involve
the use of attributes that are also contained within
an ID, such as a fingerprint. The distinction is
important however, because strong authentication
is sometimes mistaken for strong ID. Take, as an
example, a social media profile in which a collected
set of attributes constitute a digital identity. The
account which stores this profile may have a
strong set of authentication protocols associated
with it such that the owner must use a variety of
authentication methods (a fingerprint, a one-time-
code, a password etc.) to gain access to it, or to
use it as a gateway to another service. Yet nothing
about this strong set of authentication protocols
means that the profile contains verified information
that could be used as a ‘Digital ID’ in contexts that
require a high degree of confidence that the owner
of the account has the attributes they claim to have
in that profile. By going through the authentication
protocols, the owner of the account has simply
verified that they are the owner of the account and
of the digital identity it contains. Nothing about how
the attributes in the digital identity relate to the ‘real
life’ attributes of its owner have been verified.
That said, strong authentication processes are
critical to the success of any Digital ID system, since
their rates of success and failure will ultimately be a
key factor in determining overall levels of trust in the
reliability and security of that system. The methods
and tools that we use to authenticate ourselves
can today be categorised according to a simple
taxonomy: something you own (like a phone, or
credit card), something you know (like a password),
something you are (a biometric attribute, such as
your fingerprint). New technologies and techniques
in authentication are likely to bring innovations in all
of these areas, some of which may actually begin
to feed back into identities themselves and lead to
entirely new ways of thinking about who we are.
Strong authentication processes
are critical to the success of any
Digital ID system.
8. 8
TheFutureofDigitalIdentityAnInitialPerspective
For many, the development of fully realised Digital
ID that can replace traditional forms of ID is an
inevitable evolution, and certainly as we write this
paper, the call for strong digital identity systems is
getting louder.
Convenience
The most obvious reason to develop Digital ID
is convenience, as many processes that require
formal identification feel so anachronistic today.
Job applications, airline bookings, opening a bank
account, applications for parking permits or state
benefits, even mobile phone contracts etc. can
all still involve cumbersome exercises in repetitive
form filling, document scanning, face-to-face
presentations and so on. These processes can
be more and less secure, but they all feel slow in
today’s world.
Security and accuracy
The development of strong and secure systems
of digital identification is important as it could play
a significant role in enhancing cyber security for
individuals, organisations and states. Cases of
identity theft and cyber-fraud are a growing problem
(whether measured in terms of scale or severity),
and are often driven by the large-scale theft or
distribution of databases full of identity attributes
commonly used for identification and authentication
(i.e. ‘data breaches’). Cyber-security incidents
are also increasing in severity, with critical state
infrastructures now facing the same kinds of threat
as an individual’s credit card. High profiles incidents,
such as the hacking of Democratic Party emails in
the USA in 2016, or the attack on Ukraine’s energy
infrastructure at the end of the same year, are often
popularly portrayed as highly technological, involving
‘injections of malware’, for example. It is worth
remembering that attack of this kind most often
start with the very same kinds of identity and/or
credential theft that drive simpler credit-card frauds.
With cyber-criminals becoming increasingly
organised and sophisticated, the number of cyber-
crime victims rising, quite literally, by the second,
and the proceeds of highly organised cyber-crime
being used to fund some of the most abhorrent
of ‘real world’ crimes, the case for more secure
systems of Digital ID and authentication is an easy
one to make1
.
The case for Digital ID
9. 9
TheFutureofDigitalIdentityAnInitialPerspective
The expansion of digital service provision
The number of services that are now accessed and
delivered digitally is growing. As governments in
particular, move increasingly toward online service
delivery and access, so too do the number of
‘official’ identification and authentication procedures
associated with them. In fact, governments around
the world have been leading the way in terms of
creating and implementing Digital ID systems.
National ID systems vary in form and scope of
course, but in many cases they are paving the way
for broader Digital ID systems and, perhaps more
importantly, building and embedding a set of citizen/
consumer behaviours around the use of stronger
Digital ID. They have also, sadly, highlighted some
of the risks associated with poor implementation,
and the temptation for bad actors provided by
the treasure trove of data that Digital ID systems
contain. The large-scale breach of the Indian Aadhar
national ID system2
is a case in point.
Alongside the expansion of services to the digital
world, there is also an expansion of access, for users,
to different service providers. Where once services
requiring strong identity verification might have
required a face-to-face transaction, people now have
the opportunity to access services across national
borders, geographical expanses and through an array
of different channels. Digital IDs have the potential
to make such transactions much simpler and more
secure, especially where they are recognised across
different jurisdictions, digital or otherwise.
Transaction cost reduction
Simply put, the costs involved in trying to deliver
services that require some form of identification, in a
world without Digital ID, seem to be an unnecessary
burden. Further, they are increasingly an active barrier
to innovation. Consider the UK’s drive for ‘open
banking’ for example. This initiative has the potential
to transform the relationship between individuals and
their money, and their financial service providers. But
the possibilities offered in terms of speed of access,
portability of financial histories etc. are all constrained
by the need for secure identity and authentication
procedures, which, in a world without a fully realised
Digital ID system, still rely on cumbersome protocols,
face-to-face visits, and so on.3
Combining identification attributes
Traditional forms of ID, such as a passports or
driving licenses, often contain very specific pieces of
information (names, dates of birth, addresses etc.).
Digital IDs need not be so restricted. A single Digital
ID, for example, could contain all of the attributes
that are currently distributed across different
documents. The rights to drive certain vehicles
currently contained in a driving license could sit
alongside passport identification attributes, our
health and education records, even a student ID,
allowing a single digital identity to be used in a wide
range of different contexts.
Interoperability
Interoperability in relation to Digital ID is difficult
to define accurately, and difficult to conceive in
practise. The easiest way of thinking about it
perhaps, is to consider how an individual, with a
Digital ID, would experience a truly interoperable
Digital ID system. In such a system, a user would be
able to present their Digital ID or specific attributes
from within a Digital ID, in the way they want to,
affirm their ownership of that ID, and move their ID
attributes between Digital ID providers, whenever,
and in any context, in which they needed to do
prove their identity or a specific attribute within their
identity. At the moment, we are long way from this
world. Current digital identities, such as social media
profiles, do not offer anything like the degree of trust
required for say, financial transactions. Conversely,
financial service providers do not store enough
identity attributes for use in all contexts that demand
ID. And finally, identity attributes in general, which
may be stored in multiple different places (digitally or
otherwise) are not stored according to widely used
standards and formats that would otherwise allow
for use across a wide-range of contexts.
The closest thing we have to an
interoperable system of identification
and authentication today, is that which
underpins financial transactions and
payments across the globe.
10. 10
TheFutureofDigitalIdentityAnInitialPerspective
As argued in the World Economic Forum’s landmark
paper “A Blueprint for Digital Identity”4
, the closest
thing we have to an interoperable system of
identification and authentication today, is that which
underpins financial transactions and payments
across the globe. As such, it may be that this
infrastructure provides us with the ‘blueprint’ for
building a truly interoperable Digital ID system5
.
Digital inclusion
The UN estimates that more than 1 billion people
around the world lack identification documents,
either due to forced migration, restrictive legal
environments or simply due to a lack of proper
access to bureaucratic structures, or a fixed
address6
. Lack of identification documents can
lead to exclusions from, or restricted access to,
all manner of critical services, from banking and
housing, to work and even a mobile phone. Digital
ID systems could go some way towards addressing
this, since Digital IDs can theoretically be issued to,
and used by, anyone with even intermittent access
to a mobile phone or the internet. Furthermore,
with the expansion of digital identification attributes,
digital identities can be created in the absence of
certain attributes (postal address, for example) that
are often required for the issuance of a document-
based ID.
Peronsalised services
Services are becoming increasingly personalised
and tailored to individual citizens, service-users and
consumers based on the increasingly sophisticated
collection and analysis of personal data. Digital
ID could play a significant role in this developing
feature of a digital world. In the first instance, Digital
ID could greatly enhance the accuracy with which
service providers can determine who they are
providing services to. But beyond this, Digital IDs
could provide a means for individuals to securely
store vast amounts of personal data of many
different kinds, and selectively share it with (or
temporarily grant access to) service providers, in
exchange for personalised services. This would not
only give individuals greater control over the use of
their personal data, but would incentivise service-
providers to be transparent when it comes to the
collection, analysis and use of personal data.
Privacy
A case is often made that digital ID can enhance
privacy in a data-driven world, by giving citizens
and consumers the ability to have more fine-grained
control over the types of data and information
they share, in different contexts and with different
institutions and service providers. This is certainly
possible, but the claim needs some unpacking,
as the promise of greater privacy depends entirely
on the ways in which digital identity systems are
implemented and controlled.
The UN estimates that more than
1 billion people around the world lack
identification documents,
11. 11
TheFutureofDigitalIdentityAnInitialPerspective
It is beyond the scope of this paper to outline all of
the technical complexities around different ways of
implementing a Digital ID service and/or system.
However, some broad-brush comments on the
implications of different implementation decisions
are necessary.
Security and privacy
The processes by which digital identities are
presented and authenticated digitally will need
to have a high level of security to ensure both
that personal data is kept private, and also that
authentication does in fact foster trust among all
parties in a transaction, that all parties are who
they say they are and have the attributes they say
they have.
Encryption is a given, but there is more than
one way to implement encrypted exchanges of
information, and key decisions will need to be
made over what is (and is not) kept ‘secret’, the
precise moments within a process that encryption
and decryption occur, and the physical locations
in which encryption and decryption are handled.
Different protocols have different implications in
terms of convenience and usability, but also in
terms of both security and privacy. Poorly handled
implementations could lead to catastrophic data
breaches and, potentially, a loss of faith in a provider
of Digital ID services, or perhaps even in the whole
principle of Digital ID. The same may also be true,
for example, of implementations that use a veneer of
security to hide invasions of privacy7
.
Of course, Digital IDs actually have the potential to
provide more security during digital transactions
than their paper-based counterparts. Digital
identities can include identity attributes that
are much harder to mimic or steal (such as AI-
determined behavioural bio-metrics) which can
be used in highly secure authentication protocols
or leveraged in real time to determine suspicious
attempts to use a Digital ID. Furthermore,
transactions involving digital identities can be highly
specific, potentially limiting the data that is at risk of
being exposed. The commonly cited example here
is the use of a Digital ID to prove that a person is
above the legal age required to buy alcohol. During
this kind of transaction, the only data that might
need to be transferred from one party to another,
is a simple affirmation of a specific attribute (i.e.
‘current age is greater than X years’). By way of
contrast, the presentation of a physical form of
identification, such as a driving license, is likely to
expose a far greater amount of personal data, not
least, a precise date of birth8
.
This last point is often used as a start-point for an
argument that using Digital IDs may afford users a
greater degree of privacy in an increasingly data-
saturated world. If users have fine grained control
over the kinds of data attributes that are held within
a digital identity and there is transparency over
precisely the kinds of data that are being shared,
during which transactions, and for what purposes,
the argument goes, then we get greater privacy.
Couple this with new technologies such as zero
knowledge proofs (ZKPs) in which, theoretically,
authentication of certain attributes can happen
without the sharing of any data at all, and we have
the hallmarks of a system that would radically alter
the privacy landscape as it appears today.
Implementation matters
12. 12
TheFutureofDigitalIdentityAnInitialPerspective
There are perhaps two counter arguments:
First, is the question of ‘from whom are we keeping
our data private?’. In the scenario imagined above
- in which a person needs to prove they are over
the legal age required to buy alcohol - it seems
perfectly plausible to see how a Digital ID system
can limit the data that the retailer receives. But what
about the data footprint of the transaction itself?
The fact that the user has used their digital identity
to buy alcohol. Whether this kind of data is kept
private, and from whom, will depend on the digital
identity eco-system and implementation. We could
imagine, for example, that in a highly centralised
digital identity system, there is in fact the potential
for identity ‘keepers’ to gather vast amounts of data
about their users as they deploy their Digital IDs in
myriad social, political and economic contexts. It is
also hard to imagine, at the time of writing, that a
digital identity system rolled out in China, in which
the Chinese government had a key role to play,
would afford its citizens greater privacy.
Second, many of the promises made around Digital
ID are made on the back of data collection, rather
than data minimisation. Personalised services, new
methods of bio-metric authentication, cross-border
interoperability etc. all involve significant amounts of
data capture and storage.
Multiple partners and stakeholders
Any digital identity eco-system is going to require a
number of different stakeholders and partners. Aside
from the users/holders of Digital IDs, we will need:
institutions that can initially collect and verify the
attributes that are going into the ID; institutions and
organisations that can manage the authentication
process across a wide range of contexts; and,
of course, institutions and organisations that will
accept and trust Digital IDs to do the job of ensuring
that entities are who they say they are and have the
attributes they claim to have.
Trust – on a number of levels - is the key factor
here for all parties. There is the question of who
we, as users, trust to collect and verify our identity
attributes, who we trust with the task of keeping
those attributes safe during different types of
interactions and transactions, and who we trust in
terms giving access to our identity attributes. For
organisational or institutional parties in the system
the same questions will apply. For example, which
bodies will be trusted to accurately collect and verify
identity attributes of their users or customers?
Centralised or distributed?
The question of whether a centralised system
for the management of digital identities, or a
de-centralised system, based for instance on
blockchain technologies, is the more preferable,
is still open to debate. A blockchain-enabled or
otherwise distributed implementation might remove
the need for users to place their trust in a single
specific institution, but may also be a barrier to
seeding and developing the wide-spread uptake
and interoperability critical to the development
of a fully functioning digital identity eco-system.
Conversely, more centralised Digital ID systems will
aid the development of an interoperable and widely
accepted eco-system, but require us to ask the
question of which (few) institutions we trust to hold
the keys to our identity; a question which is unlikely
to yield a single or unchanging answer, particularly
when we consider the question in a global context.
There is also a question for the future, around
to what extent users might be able to store and
maintain their own Digital ID on their own devices.
Distributed implementation might
remove the need for users to place
their trust in a single specific institution,
but may also be a barrier to seeding
and developing the wide-spread
uptake and interoperability.
13. 13
TheFutureofDigitalIdentityAnInitialPerspective
Different identities in different contexts
Just as we use different forms of traditional ID to
access different kinds of services, it is possible
to imagine a world in which we come to have
multiple different digital identities too. During the
very first rounds of Future Agenda Open Foresight
discussions in 2010, this insight was writ large with
the use of the phrase ‘Cocktail Identities’.
In a non-digital world, a library card seems
more than enough to ensure we have access to
borrowing books and we might baulk at having
to produce a passport; but we might equally be
unimpressed by a bank that only required us to
produce a library card to prove our identity during
a financial transaction. In a digital space the same
might also be true. A social media identity might be
sufficient to provide access to a community web-
forum, but insufficient to enable us to buy airline
tickets. In this way, it is possible to imagine a world
in which citizens and users have multiple different
Digital IDs that are deliberately separated, rather
than combined, for use in different contexts.
In this scenario, we may well see a proliferation of
Digital ID providers offering different, context-based,
Digital-ID-as-a-service propositions. To some extent
we are already seeing this, with tech providers
(Facebook and Google most prominently) offering
authentication services that can work in a number
of different contexts. What is still missing however,
is the interoperability that could provide users with
the choice of using different Digital IDs for a single
moment of authentication and identification. As an
example, many digital service providers currently
offer users the ability to use a ‘Facebook login’ or
a ‘Google login’, an ‘OpenID’ login or to create a
‘unique login’, but in order to provide these options,
users must be presented with four separate login
forms.
14. 14
TheFutureofDigitalIdentityAnInitialPerspective
Regulation
In keeping with many of the other aspects of
the digital revolution, Digital ID is likely to land
and expand very quickly, with both benefits and
consequences arriving in the wake. Regulators will
almost certainly, and yet again, be faced with the
task of ‘building the aeroplane whilst flying it’. On
the one hand, regulatory approval or mandates
for certain institutions to accept Digital ID could
play the critical role in the development of a Digital
ID system. On the other, regulators will have to
respond to the challenges such mandates create.
These could include:
• Addressing the unique tendency for digital
systems to tend towards monopolies - especially
in a field in which there are a limited number of
players that can deal with the sheer scale of the
task - and therefore the potential emergence of a
Digital ID oligopoly.
• The need to create or address a framework of
rights and responsibilities around Digital ID,
possibly as part of a broader consideration of
digital rights.
• Addressing the question of who pays for the
maintenance of a properly regulated Digital ID
infrastructure.
• Dealing with the regulatory consequences of
emergent Digital ID business models (e.g. stronger
digital privacy laws, rights of redress etc.).
• The need to address political (state) and individual
concerns around data sovereignty and whether
and how valuable data should be kept within
borders in an interoperable Digital ID eco-system.
• The need to establish and maintain common
standards for the purposes of secure and
convenient interoperability.
Adoption
What are the key factors that will drive user and
consumer adoption of a Digital ID system? Will it be
the identification of certain unique use cases that are
so compelling to consumers that adoption is all but
inevitable (e.g. zero-wait time at border crossings,
instant access to government services, etc)? Or
will adoption require regulatory or legal incentive?
Interestingly, private sector organisations often
imagine adoption of new technologies and services
initially taking place at the ‘top of the market’. In the
case of Digital ID, the earliest adopters may well be
nearer the bottom of the pyramid, those who need
to become familiar with Digital ID in order to access
basic needs through government services.
Digital literacy and identity education
Digital literacy is an issue whose prominence is
growing thanks to increasingly stark digital divides
and the lack of transparency that marks the pace
of change in a digital world. A wholesale move
toward Digital ID could be one of the more profound
moments in the shift to a digital life, and may require
it’s own programme of education to teach people
how to maintain their Digital ID, keep it safe from
attack and ensure that it works for them.
What might matter even more
In the case of Digital ID, the earliest
adopters may well be nearer the
bottom of the pyramid, those who
need to become familiar with Digital ID
in order to access basic needs through
government services.
Regulators will almost certainly, and
yet again, be faced with the task of
‘building the aeroplane whilst flying it.’
15. 15
TheFutureofDigitalIdentityAnInitialPerspective
It is safe to assume that our collective futures will
involve digital identity. The exact form and function
of the digital identities we make use of may vary
from institution to institution, individual to individual
and organisation to organisation, but the case for
digital identity is surely too strong now to ignore. As
ever more of the transactions and exchanges that
comprise human social life migrate to connected
digital worlds and spaces, more fragments of our
selves must surely follow suit.
In this paper we have highlighted a number of
the drivers that are likely to take us to a world in
which digital identity is commonplace, and have
introduced a number of different concepts and
facets of digital identity that provide the basis for
thinking about the future of Digital ID, and a future
world in which Digital ID plays a key part. As a
provocation then, it might be worth thinking through
some of the potential future pathways and shifts
that could come about.
You are what you eat
One of the potential upsides of digital identity is
enhanced security through the development of
new kinds of identity marker. The mainstreaming
of the uses of bio-metrics such as voice and facial
recognition, fingerprints and iris scanners are the
first step along this road, but with the growing
capabilities of AI-driven pattern recognition,
and a steadily rising stream of personal data
in which to recognise patterns, new forms of
behavioural fingerprinting are likely to emerge.
These might simply be more kinds of physical bio-
metric fingerprints, such as the unique pattern of
pressures we apply to a keyboard as we type, or
the idiosyncratic ways in which we tap on a mobile
phone screen or move a cursor around, but there
is also the possibility that we present other kinds of
unique fingerprints in behaviours that look more like
cultural or social behaviours; our ‘routines’, if you
like. These might include things like the times we get
up each morning, who we speak to and when, or
the kinds of food we chose to eat at different times
of different days. We are still in the early days of
learning about what makes us unique.
The use of these kinds of identity attributes may be
very useful in terms of detecting fraud, especially
where AI can be used to detect subtle changes
in behavioural patterns. But their emergence will
need to be managed carefully. Human history is
littered with examples of the use of identity markers
such as ethnicity, religion, or gender, to structure
systematic programmes of exclusion, violence and
discrimination. With the emergence of new kinds
of identity attributes, we are likely to see new kinds
of bias and discrimination based on previously
unimaginable points of differentiation.
“I can tell from your voice harmonics, Dave, that
you’re badly upset. Why don’t you take a stress pill
and get some rest?”
Hal 9000, “2001: A Space Odyssey”, Arthur C.
Clarke, 1968
Fake ID
It would be naïve to imagine that any digital identity
system will be immune to abuse. Fake ID, long the
goal of every would-be alcohol-drinking teenager
along with other bad actors seeking access to
services they would not normally be allowed to
access, is bound to play a part in any system of
digital identification. Fake ID could manifest in two
ways: 1) Entirely fake digital identities that bear no
relation to any real entity, and 2) Authentic digital
identities augmented with fake attributes. As with
all digital manifestations of physical world problems,
the particular problem with fake digital ID, is scale.
Where once a fake passport would only really be
used in a single context at any given moment, fake
digital IDs have the potential to be used in hundreds
of different contexts at the same time, scaling up the
consequences in kind.
Future directions
Fake digital IDs have the potential
to be used in hundreds of different
contexts at the same time, scaling up
the consequences in kind.
16. 16
TheFutureofDigitalIdentityAnInitialPerspective
Null attributes
We currently live in a world of data breaches. At
the time of writing, Facebook is reporting a breach
in its digital identity and authentication system
potentially affecting 90 million users, but whenever
this paper was produced, it is likely that there would
have been news of a recent data breach of similar
scale to point to. Many of these breaches involve
sensitive personal information of the kind that we
would otherwise assume to be critical components
of any digital identity and authentication system.
Some data breaches leave us with more serious
consequences than others when thinking about the
future of Digital ID, and three in particular leap out in
this regard: the Equifax data-breach that contained
detailed financial histories and credit scores9
, the
US government’s Office of Personnel Management
(OPM) data breach which contained detailed
employment histories, social security numbers and
even fingerprint scans10
, and the ComElec breach
of voter registrations in the Philippines. In each of
these cases, highly sensitive information of exactly
the kind upon which digital identity systems might
be built was stolen and leaked. In the case of OPM,
this even involved bio-metric data. This raises a
possible future scenario in which certain identity
attributes we currently understand to be essential,
could become unusable or ‘null’ with regard to a
digital identity eco-system.
Re-evaluation of cyber-risk
Breaches to digital identity systems have the
potential to be far more catastrophic than any
previously seen data breaches. This may cause
organisations to re-evaluate the idea of ‘acceptable
risk’ with regard to cyber-security.
Stateless netizens
As digital identities evolve, collecting different kinds
of attributes and providing access to services in
a globally networked system of service provision,
it is possible that certain people could begin to
see their digital identity as more important than
their citizenship of states. We are likely to see new
networks of individuals bound together by shared
identity attributes (some of which may be entirely
new) coalescing into new kinds of polity and
mutual organisation. Early manifestations of this
phenomenon are likely to emerge from among the
millions of migrants and refugees being displaced,
and effectively rendered stateless, around the world.
The battle for ownership
Around the world, state actors, private actors and
individuals all have an interest in having a controlling
hand in a digital identity eco-system. We can
expect to see a battle for ‘ownership’ of the identity
space in which competing interests are driven
to the forefront of identity debates e.g. data for
social good, data-driven innovation and economic
opportunity, rights to privacy, national security, social
order and control etc. Powerful voices are already
beginning to emerge in this space (such as the
Electronic Frontier Foundation), alongside newer
players such as Hu-manity11
, and many others.
New digital worlds
It is relatively easy to imagine how we will make
use of digital identities in the connected world of
today, with an internet largely defined by online
accounts and online retailers. It is harder to imagine
how digital identities will be made use of in the new
digital spaces provided by technologies such as
virtual reality and augmented realities. For example,
augmentations to digital identities might involve
3-dimensional avatars that represent different
aspects of our digital identity.
Breaches to digital identity systems
have the potential to be far more
catastrophic than any previously seen.
17. 17
TheFutureofDigitalIdentityAnInitialPerspective
Assertion of new digital rights
As digital identities collect and accumulate
attributes, we will need to think hard about the
right to be forgotten, the right to change and
the right to delete. It is not hard to imagine, for
example, somebody wanting to have their gender
re-assigned, and that might be a relatively trivial
thing to change within a digital identity. But what
if that person also wanted any previous record of
their originally-assigned gender removed from their
identity?
Data-less business models
Innovations in AI and new ways of allowing access
to data without actually sharing data, may lead to
the development of new kinds of business model
in which service providers are able to leverage
the data contained in digital identities to provide
sophisticated and personalised services, without
actually collecting and storing it themselves. This
‘data-less’ business model will likely be used
as a positive, privacy-preserving, proposition to
consumers.
A bi-furcated digital realm (or ‘many internets’)
It is highly likely that many of the questions and
possibilities we raise in this paper will not lead to a
single outcome, or single global solution. Instead
we may see the internet split into different realms.
They might be defined by, for example: an open-
internet in which standards reach across the globe,
public services, mainstream services and open
civic digital spaces are protected and verified by
widespread use of Digital ID; a dark internet in
which Anonymous IDs, distributed data storage
and encrypted connections and transactions are
the norm; island internets, with localised Digital
ID systems, defined by a lack of interoperability
with other connected systems, but which provide
connectivity internally.
Super-surveillance
It is a near certainty that in certain states, and
certain market-economies, the potential for Digital
IDs to give highly accurate and relatively clean
surveillance data, will lead to mass surveillance by
those who see an advantage in doing so. China’s
much talked-about ‘Social Credit Score’ is surely
the first example of one potential outcome of
super-surveillance that could result from certain
implementations of Digital ID i.e. social control12
,
other potentially dystopian outcomes might include
‘Digital ID slavery’ in which our Digital ID and that
data it contains is used to deliver services to us,
which in turn reinforce the data within our Digital
ID, in a feedback loop that would be very difficult to
break free from.
New Digital ID markets
Digital ID has the potential to play a critical role in
social and economic life. A whole new range of
economic opportunities could emerge around it.
This might include:
• Bio-metric attribute specialists
• ID-AI (the development of AI-driven ID
services such as pattern-recognition, intelligent
interoperability are likely to proliferate)
• Digital ID managers (builders, cleaners, enhancers etc.)
• Digital ID insurance providers
• And many more…
Privacy reclaimed
Many potential future pathways for Digital ID seem
dystopian, but Digital ID also has the potential
to reinsert control, at least in certain contexts,
of the data we all generate. New encryption and
authentication protocols, alongside local-AI and
data management technologies may allow us
to simultaneously unlock the power of our data
and keep it private, leading to a world in which
the promotion of the private individual re-asserts
itself as an attractive economic and social option
for consumers, citizens, and profit-driven service
providers alike.
18. 18
TheFutureofDigitalIdentityAnInitialPerspective
Given the emergence of and expected pace of
change surrounding digital identity, organisations,
governments and their advisors are readying
themselves. While some of the key shifts ahead are
likely to have short-term impact, others may have a
longer gestation. There are a number of emerging
questions for many participants to consider. These
include:
1. What are the key factors that will drive user and
consumer adoption of a Digital ID system? Over
what time frame? What key triggers must occur
to ensure successful, significant adoption?
2. How should we establish and maintain common
standards for the purposes of secure and
convenient interoperability of digital identity?
3. How best to address political (state) and
individual concerns around data sovereignty and
whether and how valuable data should be kept
within borders in an interoperable digital identity
eco-system?
4. What ethical considerations, must we consider
now, as opposed to after the ‘horse has bolted’
with regards to digital identity systems?
5. Which bodies will be trusted to accurately
collect and verify identity attributes of their users
or customers?
6. Who will pay and how?
7. How will we ensure that privacy is appropriately
maintained?
8. How can we adequately ensure that we don’t
create increased opportunity for still greater and
more damaging data breaches?
9. How can regulators usefully keep ahead of the
coming digital wave to support innovation and
protect the market?
10.How, when and who creates a framework of
rights and responsibilities around Digital Identity,
possibly as part of a broader consideration of
digital rights?
11.What is required to help people understand how
to maintain their digital identity, keep it safe from
attack and ensure that it works for them?
12.Are we doing enough to ensure that data seen
as unique today (e.g. fingerprints), remains
as such going forward and does not become
compromised through rogue actors?
Emerging questions
20. 20
TheFutureofDigitalIdentityAnInitialPerspective
This ‘initial perspective’ is intended to provide a
provocation for discussion. We hope that it provides
a point of departure for a meaningful conversation
between different stakeholders about the future of
digital identity, how it might develop and its role and
value in society.
We would welcome your feedback and contribution
to help build a richer view.
In addition, we are also undertaking a set of 5 expert
workshops across 4 continents in Q4 2018 (London,
Singapore, Sydney, San Francisco and Brussels).
If you would be interested in joining please do get in
touch via james.alexander@futureagenda.org
Next - Building a broader
perspective
22. 22
TheFutureofDigitalIdentityAnInitialPerspective
Contact details
To discuss this project further please get in touch
Dr Tim Jones
Programme Director
Future Agenda
tim.jones@futureagenda.org
www.futureagenda.org
+44 780 1755 054
@futureagenda
References
1
For a more detailed study of the mechanisms and consequences of cyber-crime see “Into the web of profit” (McGuire,
2018) https://www.scribd.com/document/377159562/Into-the-Web-of-Profit-Bromium-Final-Report
2
This article provides a thorough account of the implementation of the Aadhar national ID system and its weaknesses
https://www.eff.org/deeplinks/2018/02/can-indias-aadhaar-biometric-identity-program-be-fixed
3
For more detail see https://assets.publishing.service.gov.uk/media/57ac9667e5274a0f6c00007a/retail-banking-market-
investigation-full-final-report.pdf
4
http://www3.weforum.org/docs/WEF_A_Blueprint_for_Digital_Identity.pdf
5
For a more detailed discussion of the concept of interoperability in relation to Digital ID, see https://cyber.harvard.edu/
interop/pdfs/interop-digital-id.pdf
6
http://www.undp.org/content/undp/en/home/blog/2017/6/1/Moving-towards-digital-technology-for-legal-identity.html
7
An example of this might be the recent revelation that Facebook has been using data provided by users for the express
purpose of enhancing security, to deliver targeted advertising. https://gizmodo.com/facebook-is-giving-advertisers-
access-to-your-shadow-co-1828476051
8
For far more detail, see http://www.dgwbirch.com/words/books/identity-is-the-new-money.html
9
https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
10
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
https://www.theguardian.com/technology/2016/apr/11/philippine-electoral-records-breached-government-hack
11
https://hu-manity.co/who-we-are/
12
https://en.wikipedia.org/wiki/Social_Credit_System It is worth remembering that much about the social credit system is
shrouded in secrecy, and therefore guesses about how it will work and what it will mean remain just that for the time being.