Despite years of strenuous effort, the idea of mass digital identity remains stuck somewhere between non-existent and a total mess.
Ask someone to prove their identity today, and almost without exception they will fall back on a paper passport, driving licence, or bank account statements, usually backed by a social security number (SSN). The online world struggles to accommodate these.
Digital identity systems such as the UK government’s Gov.UK Verify exist but barely any are used in anger. They float around in no man’s land, like clever experiments whose original objective their creators have lost track of.
Meanwhile, shadowing flesh and blood human identities are virtual ones built from oceans of online data. Much of this is handed over willingly to “surveillance capitalists” – Facebook, Google and advertisers, for instance – but lots more exists in this parallel dimension, which people are only dimly aware of.
It’s also the world of identity middle-men such as Equifax, which collected so much valuable data it eventually burst at the seams, spilling millions of names, addresses, SSNs, birth dates and driving licence numbers to cybercriminals who could use it to fuel industrial identity theft for years to come.
Not everyone is giving up yet, however, including the Social Market Foundation (SMF), a UK think tank, which argues in a new report that governments should stop shilly-shallying around and press ahead with full-blown digital ID systems.
But aren’t government systems a damp squib? According to the SMF, the problem of systems such as Gov.UK Verify (which uses private-sector partners) is that they were conceived to serve access to government services such as tax and benefits when the real need is much wider.
Verify’s usefulness would improve dramatically if only companies could use it to identify people too:
Encouragingly, use of Verify in private sector contexts is being actively explored, and we believe there are significant benefits for consumers that could arise from this.
Advantages such as:
- Passports could give way to app-based identity systems, possibly backed by biometrics
- Expensive paper systems could be banished forever
- Online verification could be transformed from today’s guesswork and assumption-based model
- Welfare and immigration fraud would be reduced
- Because everyone would have an ID, social exclusion faced by people who lack documents could be reduced
- Verification and digital identity could be about to become an industry in its own right so jobs could be at stake
And cybercriminals would no longer find it easy to carry out identity theft against a system that included real-time identity checks on individuals themselves.
Sceptics will see this as a reprise of the failed UK identity card scheme of a decade ago, eventually scrapped in 2010 after burning through £4.5bn ($6.3bn). Certainly, it’s hard to see how a new ID system wouldn’t initially need to rely on physical documents of the sort that sank the original system on cost grounds.
The other problem is government itself. Solving the digital identity conundrum once and for all can probably only be done at government level – but what if people don’t trust government?
The poster child for digital ID is Estonia, the first country in the world to conduct general elections across the Internet backed by a digital identity system years ahead of other developed countries.
Then there’s India’s Aadhaar, a biometric digital ID system with 1.2bn members that critics have described as “Orwellian”. The worry is that the Aadhaar model hands government the power to withhold as well as enable access to services as a form of social control.
Which of the two extremes should countries such as the UK and US look to? Probably both deserve scrutiny, but it’s interesting that some of the same civil liberties arguments levelled at Aadhaar also dogged the UK’s ID cards.
This suggests that the path to 21st century digital identity will not be smooth. The flaw in today’s identity model is that data is smeared just about everywhere and anywhere, and incentives to guard it have become warped by commercial self-interest.
But until someone comes up with a way to implement an alternative that doesn’t simply over-centralise power with governments, digital identity will remain a rocky road.
With identity theft at record levels, it is hard to believe that digital identity can be postponed indefinitely. But the old world of uncertain, weakly defended identity won’t go away quickly – expect Equifax-style breaches to be with us for a while yet.
5 comments on “Governments must fix the digital identity mess, says think tank”
The fear with government identity schemes is that they are seen as the ultimate proof of identity and if the underlying database gets compromised (to for instance indicate that your biometrics “belong” to the name and record of say, a paedophile, whilst said criminal’s biometrics are attached to your identity and clean criminal record) you are in big trouble well beyond those associated with today’s identity theft!
Do you trust the government (particularly one that believes in backdoors), do you trust their contractors (who probably submitted the lowest bid)?
Hi, I live in South Africa, and work for the company who’s been instrumental in getting the new ID card system in place, which is a smart card with a digital identity on the card. I was wondering your thoughts of this form of identity in the world of identity fraud and identity theft.
Actually the Estonian system was co-developed with several other countries including Austria (under EC funding). In the early days, it had a chip/PIN card that could hold multiple identities, some using 4 digit PINs and some with 6 digits. Thus, there was a great incentive for users – instead of a wallet full of cards, they were reduced to a manageable number.
If we want to go down the digital identity route, one possible way would be for a reputable organisation to develop a single loyalty card that held multiple separate identities. Once this has been proven for a few years, and proven not to cross leak information, and has survived being secure when the stakes are relatively low, then you will at least have consumer acceptance and trust to be able to start adding more valuable services. Ideally you would probably start these days with a contactless system, and at least one financial institution backing it for small scale financial transactions.
“Because everyone would have an ID, …”
Apart from those who don’t have smart phones, or don’t have a computer, or don’t have internet access…
Or are they proposing that the government should provide these things to every citizen?
At least here in the West people should all have access to this via libraries etc and one would assume the gov would have to expand that access. Of course for any sort of verification that relied on more than your biometrics, passwords etc (eg 2FA) you might need a device? Not sure how a paper doc is more secure than biometrics and a password though. Any time you needed to verify I guess you’d be presented with a device, much like signing for parcels is no longer on paper but via the handheld device the driver carries.