Governments are playing an increasingly active role in the development of a digital identity framework, and the options are almost endless. But it need not be so different to the old 100-point system that has served Australia since the late eighties, according to a former federal privacy commissioner turned information management consultant.
In 2012, the Department of Prime Minister and Cabinet looked at possible ways to bring about a “National Trusted Identities Framework”. It was assisted by Information Integrity Solutions, a consultancy run by former privacy commissioner, finance sector veteran and one-time senior public servant Malcolm Crompton, which set out the options and talked to finance, communications and technology stakeholders as well as non-government advocates for privacy and consumer rights. IIS then produced a discussion paper to elicit further input, before the NTIF was put on the backburner.
Australia’s 100-point identity check, introduced in 1988, balanced the need for stronger verification to reduce fraud in the financial system with widespread privacy concerns, which led to the Hawke government’s Australia Card being shot down in the Senate a few years earlier. Crompton sees it as an elegant solution that broadly exemplifies what a good digital identity framework should also look like.
“In the absence of 100% [effective proof of identity] anywhere in the world, our 100-point system was a very clever way, at a moderately low cost, of reducing the risk down to an acceptable level,” he told The Mandarin. “It didn’t eliminate anything, but no system does. It basically said, in a statutory way, in the law, that this is the way of managing the risk down to a level that is acceptable to government or a bank.”
While some countries issue single identifiers for their citizens — Estonia has won considerable praise for its digital identity framework, which uses such a model — efforts to do so have been resisted strenuously in others. The Australia Card is a case in point, and Crompton says there’s no major advantage to a single identifier, in any case.
“The 100-point system is evidence that a ‘single source of truth’ process isn’t needed, isn’t as infallible as often claimed, and it’s a good way of doing things that we should think again about,” he said.
Identification as risk management
Crompton points out that even though identity itself can be a rather nebulous concept, the main purpose we use it for is very simple, and boils down to a basic problem: “How to reduce the risk of an interaction between two parties down to a level that is acceptable to both parties.”
“It could be buildings, it could be people, it could be software — in the internet of things, it’s machine to machine — but one way or another, two entities have to decide if they’re going to do business with each other,” he explained. “And one of the reasons they’re going to decide to do business with each other is that the risk of doing it is acceptable to both, [and] what matters for managing that risk differs in the circumstances.”
The idea of robust identity verification as a way to prevent financial fraud and other criminal activities via digital transactions came up again last December, when the final report of the Financial System Inquiry recommended the Commonwealth “develop a national strategy for a federated-style model of trusted digital identities”. It listed 10 existing mechanisms that would be “elements” of such a framework, among them myGov, which could in future be used as digital identification by banks and other companies if the government decides to make it available for such use.
In the model sketched out by the inquiry panel, “public and private sector identity providers would compete to supply trusted digital identities to individuals and businesses”. Government would nurture this digital identity management market through ministerial strategising and seed funding for pilot projects, if required. The inquiry suggested the model should be:
- Voluntary, and enable consumer choice and convenience.
- Transparent and privacy enhancing.
- Cost effective, flexible and innovative, and enable the best use of technology.
- Secure, resilient and interoperable.
In the digital realm, Crompton explains, it is especially important that both parties receive an acceptable level of assurance, not just the more powerful entity. And while there is a strong temptation for large organisations to collect as much personal information as possible, the smartest systems ask only for what they need. The best systems rely on nothing more than the exchange of what he calls “relevant, verified attributes” to maximise privacy and security.
He gives an example: at bare minimum, only a single attribute must be confirmed in order for an Australian to buy alcohol: that they are aged 18 or over. If it was possible to provide something that would assure any bar, club or bottle shop that a person was 18 or over — not their age, birthdate, name or anything else, just the answer to that one yes-or-no question — that would satisfy the legal requirement. But it isn’t possible, so we hand over our passport or driver’s license.
“If the way in which I entered the pub is by showing them my driving license and they take an image of it — which they [sometimes] do — they’ve collected much more information than is necessary,” Crompton points out.
NSW takes ‘digital ID’ literally
Most pubs and clubs don’t actually photograph identification cards, but soon the New South Wales government will offer digital versions of the state’s 123 different licenses, which might force the punters to hand over a different kind of unnecessary information.
This slightly more literal type of digital identification looks just like a plastic card but appears on a mobile phone screen. The NSW Digital Council — chaired by customer service commissioner Mike Pratt and including members from police, Roads and Maritime Services, the Office of Finance and Services and ServiceNSW — is tasked with mapping the way ahead and addressing security, privacy and regulatory issues.
“If I go to the pub right now and wave my driving license to the pub owner, the driving license authority doesn’t know that I did that,” explained Crompton. “If, however, every presentation of a digital driver’s license is verified by the issuer — in this case the [Roads and Transit Authority] — then a new party in the game is following me around.”
The use of biometrics to establish identity is also on the rise and according to Crompton, the collection of meaningful biological information to use as a unique identifier is a potential concern. “Biometrics are very, very interesting,” he said, “because they often convey something in addition to the test of: ‘Is this the same piece of meat turning up this time as turned up last time?'”
Biometric data can be reduced to simplified digital signatures that are still unique but carry no biological information. But in other cases, from gait analysis to retina scans and DNA, biometric identifiers can reveal personal information most people would prefer to keep private. Storing this kind of information for long periods is also a major privacy risk, says Crompton, especially as analysis techniques will only become more advanced in future.
“All of those things are initially being used as tests of uniqueness, but because they also contain other rich information, one of the challenges is, do you collect or analyse or use the other rich information?” It’s a challenge that has always come up in identity management, he says, and it now revolves mainly around metadata.
As we conduct more of our communications and transactions online, reusable single digital identity credentials can give rise to powerful sets of metadata about people that would have significant commercial value to banks, insurance companies and employers. Crompton explained:
“Depending how you build them, identity management systems can also build a second tranche of data, which is metadata, if you have to present a single claim about an attribute all the time in the digital world — namely, ‘I have this password’ or ‘I have this RSA token’ or ‘this is my identity number as given to me by the government’ — and we must remember that the non-digital world is fading away.”
The predominance of one digital identity credential — whether issued by a government or not — is not only unnecessary, it also increases risks for some parties to the transactions by extracting more information than they need to give up. Crompton uses the term “digital god” to describe the undesirable traits of a centralised, single-identifier system:
“If only one thing in your life has the ability to set you up into digital existence and that same thing, at any time, can take you out of digital existence, and that same thing, between those two points, is able to observe everything that you do and keep a record of it, you actually have the equivalent of what the bible would call ‘God’ … because it creates you, it kills you, and it watches you.
“And my point is, that isn’t necessary. You actually have to justify as a matter of public policy that that is what the system needs to do. It doesn’t have to do that.”
The development of a common system of “trustworthy yet privacy preserving attribute-based credentials” is the goal of the European Union’s ABC4Trust project. Using fancy maths, the technology already exists to underpin a system where a rental car company can reliably check your driver’s license status with the relevant authority, for example, while requiring you to hand over the minimum of information.
“What happens mathematically through that process is that the driving license authority doesn’t know who asked the question, whether it was Avis or Hertz or anybody else, and it doesn’t know who the question was asked about yet the relying party can rely comfortably on the verification,” said Crompton. “The metadata at the driver’s license end was not even created.”
Whether or not the digital identity systems that come to be created, adopted and accepted by the biggest institutions achieve these ideals, he adds, is a matter of public policy and economics. “It’s not a matter of feasibility, so you can’t hide behind the technology.”
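The over-18 case and the point that the issuer need not see each presentation can be shown with a Chaum-style RSA blind signature. This is an added example, not code from ABC4Trust or the article, and it uses a simpler technique than attribute-based credentials. The toy key, the token format and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy issuer key built from two known Mersenne primes: far too small and
# structured for real use. The key attests ONE attribute: "holder is 18 or over".
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, known to every venue
D = pow(E, -1, (P - 1) * (Q - 1))        # issuer's private exponent

def digest(token: bytes) -> int:
    """Hash a token into Z_N (stand-in for a proper full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def holder_blind(token: bytes):
    """Holder hides the token from the issuer with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (digest(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer has checked the holder's age out of band. It signs a value it
    cannot read, so it cannot recognise the token when it is shown later."""
    return pow(blinded, D, N)

def holder_unblind(blind_sig: int, r: int) -> int:
    """Remove r, leaving an ordinary RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N

def venue_verify(token: bytes, sig: int) -> bool:
    """Venue checks offline with (N, E); the issuer is never contacted."""
    return pow(sig, E, N) == digest(token)

def demo():
    token = secrets.token_bytes(16)      # random: no name, no birthdate
    blinded, r = holder_blind(token)
    sig = holder_unblind(issuer_sign(blinded), r)
    issuer_saw_token = blinded == digest(token)
    return venue_verify(token, sig), venue_verify(b"forged", sig), issuer_saw_token

if __name__ == "__main__":
    print(demo())
```

The token here is a bearer token, so nothing ties it to the person presenting it; binding a credential to its holder is one of the problems full attribute-based credential schemes address.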