You may have seen this political call for action by one-time rivals, Tony Blair and William Hague. Their call isn’t just about digital ID, but the point was that technology and the technology revolution can and will significantly change the world we live in, and therefore how Government governs. A central focus point of that is digital identity.
In the article, found within the The Times and the BBC, a call for everyone in Britain to be given a digital ID is made. We, and I think every company involved in digital identity would agree, this is very much needed. However, the call by Tony Blair and William Hague describes a single ID incorporating your passport, driving license, tax records, your qualifications and much more. Well wow. This is where we couldn’t agree less, to the point of, if this is the vision of digital identity, then there shouldn’t be a digital identity….
A single identity is simply dangerous!
No one should sign up to a vision of a singular universal identity. Yes, you will find there are lots of companies and movements that believe this is a good thing, but they have a vested interest. If you control identity, or the underlying infrastructure, you pretty much have a license to print your own money. Industry experts even make claims like, Identity is Money, or Identity is the next oil. Why? Because your personal identity, or even a corporate identity means valuable data, which can be exploited and monetized. It happens today right now…
As a result, it is obvious why so many organisations push forward that there should be a universal identity. The reality is however, that a single universal identity is simply dangerous. Even infrastructure that underpins identity solutions needs to be open for everyone and owned by no one.
Before we even discuss issues like, “what happens if I lose control of my digital identity”, there are so many other areas that illustrate the dangers of a universal identity. For example, in issuing a universal identity to you, an individual, you need to provide and prove everything about you. In the single ID put forward that incorporates your passport, driving licenses, tax records, qualifications etc you are essentially handing over the keys to your entire life to a third party. After all, you use these identities and information about yourself to get a job, prove you can live in the UK, open a bank account and make transactions. So handing it all over to a “trusted third party” is simply dangerous. It’s worse than handing out your online banking details – as here, you’re saying apply for credit in my name and you control it all.
Third parties may put in place great technology, fabulous policies and processes, however nothing is perfect and there will always be weaknesses that bad actors and cyber-criminals can exploit. But we don’t even have to go that far. With a single identity I am essentially sharing everything about me in one place, all the time. Even if I only share part of my digital identity, it is easy to correlate parts shared with third parties to form a complete picture of my identity.
Correlation is a bad thing. Cyber criminals today steal our identity and exploit it, not via some unbelievably complex method, but primarily by simple correlation. Cyber criminals find multiple sources of data about us and are able to correlate those sources and data back to us. The source could be data shared online, captured by using open and unsecured Wi-Fi connections, it can be from information shared in emails, it comes from perhaps documents left around or even directly from me, the identity owner by tricking me into handing out data. The point is, it’s hard to no share data that can be correlated, and it is simple correlation of that data then allows your identity to be spoofed or used.
In a digital world, with a universal ID, this has just been made a lot easier for a cybercriminal. Simple correlation is achieved by linking data back to that universal ID. For example, company A requests information about you from your digital identity, and company B also requests different information from you. Both data sources come from a singular universal ID and it can be correlated. Between Company A and B, more data about you can be found quickly and easily. The two companies themselves need not even collaborate, rather bad actors within the company, or malware on your personal device may have just correlated all that data and handed it over, ready for exploitation. And, if you lose control of that universal digital identity, how do you prove it is really you to get it back?
But again, we don’t even need to talk about cyber-criminals. Large tech companies today correlate vast amounts of data on us as individuals and on corporates. As correlated data it is then monetized by being sold on, or by being exploited to sell to us. Now some may argue that leads to better customer experiences, but at what cost? You can still enjoy the same level of customer experience without giving up your personal data, and if you wish to share that data, why is it not possible for us as individuals to monetize our own data? However, it is acceptable for third parties to do just that. Cookie policies in our web browsers, legislation like GDPR is put in place to try and protect us from correlation and data exploitation to an extent, but it doesn’t scratch the surface.
Now let’s talk about Governments. We may trust our Government in the UK, but sadly this isn’t the case across the globe. Many Governments prove daily that they are willing to exploit data and identity for many reasons, ranging from control to persecution. History has told us that even the most trusted Governments have done this. We cannot blame people or corporates from being concerned over privacy and security, we really can’t.
So privacy and security has to be at the heart of any digital identity solutions, and that starts by acknowledging that NO single universal identity is required. We all should hold multiple identities, with each one potentially independently telling us something about ourselves, and we should be able to ensure no correlation is possible even when we share that data.
Pandemic as proof
If we wanted proof that citizens of countries across the entire globe do not trust governments with sensitive information about ourselves, we need look no further than the recent COVID-19 pandemic. With rafts of conspiracy theories being put forward, including that vaccines are used to track our individual movements, or that Bill Gates wants to know everything about us (why this one could ever be believed proves the point being made), people are paranoid and sensitive about their privacy. And they should be.
ID Crypt Global even started to work with local communities to investigate digital identity that showed you had received your vaccine, however, so many individuals didn’t trust in having the vaccine or somehow proving they have had it. Identity therefore MUST be not only secure and private, but must also be understood and proven to be so, so that all can enjoy the benefits of an identity. That’s the tough part. Education. And with so many identity-based solutions focused on single universal identity or proprietary identity infrastructure, this is made even harder.
ID Crypt Global believes in SSI (Self-Sovereign Identity) and the 12 principles that that means. It’s an open model, where identity data should be self-sovereign, that there is no single store or issuer identity information. The only single store of identity based data is you as the individual, your identity is sovereign to you. The same applies to corporations.
Identity infrastructure should be seen as a utility, owned and operated by many, not one organisation and trust should be provided in mathematics – delivering a zero trust model. (We cannot have companies saying “trust us” any longer.
Identity isn’t a singular thing, rather it is a domain, a collection of identities and their attributes that form an identity. As such, each of us, and organisations, should hold multiple identities, with each identity containing its own set of attributes that can be proven cryptographically.
We also believe that even our role in identity should be small and constrained. At ID Crypt Global we do NOT want to be issuing lots of digital identities in terms of “types”. What do we mean. If we look at Tony Blair and William Hague call for a single identity that incorporates our Passport, Driving License, Tax records etc, we see each one of those as independent identities.
I as an individual will hold multiple identities at least one for each element (maybe more). So, I hold a digital ID based on my passport, I hold a digital id based on my driving license, I hold a digital id based on my salary band, I hold a digital id based on my tax band, I hold a digital id based on my school qualifications, I hold a digital id based on my university degree, I hold a digital id based on where I work, I hold a digital id based on where I live, I hold a digital id based on my gym membership, I hold a digital id based on my GP surgery etc etc etc. Now within all those IDs, ID Crypt Global will provide just one or two, no more.
As an issuer we verify the claims and attributes about that ID to an ultra-high standard-level so that the data within the Identities issued can be trusted. Then we issue the identity. We may help others issue identities, but we will never see that data. Our systems will never know for example, what you earn, rather we would empower your employer to be able to issue you with your identity that confirms your earnings. That data is then sovereign to you, as an individual held on a device you control. Nothing to do with ID Crypt Global at all. You can then present that ID when applying for a bank loan for example, and ID Crypt Global would never know that you even had a relationship with the bank, let alone that you shared that information with them (ID Crypt Global wouldn’t even know that information could be shared). That’s exactly how digital identity needs to work…
AnonCreds and Zero Knowledge Proofs
I will bring this post to a close by mentioning that, even with multiple identities, we need to ensure that only that which is needed is shared. In Europe, GDPR was brought in to protect individuals’ personal data, and it constantly shows that most companies request more information than they need on their customers, and that they share it in ways which means that data could be exploited. I am not saying that is on purpose, but its life.
For example, we speak to potential clients all of the time about what data is held in a CV. When applying for a job many organisations receive a CV and then share this, via email, with various colleagues who may or may not be involved in the interview process or hiring administration. Each email is a copy of that CV. You now have personal, sensitive and identifiable data floating around an organisation via multiple copies that are now out of the control of the organisation. That’s data that can be seen and used when it really shouldn’t be possible.
AnonCreds and Zero Knowledge Proofs ensure that only that which is needed is shared. The easiest example is proving your age. Often we must prove we are over the age of 18, and this is done by sharing our date of birth. However, date of birth is an identifiable feature of us. We use it often to open bank accounts for example, so its data that could be correlated and later exploited. So why share it? There is no need. The request is to confirm you are over the age of 18, this can be cryptographically proven with AnonCreds and Zero Knowledge Proofs without ever sharing your date of birth. So that is what must be done.
All Identity solutions must adopt AnonCreds and Zero Knowledge Proofs if we want to ensure privacy and security at all times. We shouldn’t accept any “proprietary” implementations as that locks our identity data into a single provider, and that allows correlation again or too much information to flow via a single provider.
Later posts will look through AnonCreds and Zero Knowledge Proofs in detail.