Digital identity cards, not digitised identity cards

You all know who Marshall McLuhan was, right? And that he predicted not only the internet but its impact on society

Born in Canada in 1911, McLuhan studied at the University of Manitoba and University of Cambridge before becoming a lecturer at the University of Toronto. He rose to prominence in the 1960s for his work as a media theorist and for coining the term “global village”, which was a prescient vision of the internet age.

Half a century ago, he said of the networked world he predicted that “In the new electric world, where everybody is involved with everybody, where everybody is involved in complex processes, the old identity cards, the old means of finding out who am I, will not work”. I wish that more people would take this on board, give up trying to digitise the old identity systems and start building the new digital identity system we need.

Here’s an example. I notice (via my friends at One World Identity) that the Australian state of New South Wales is soon to provide citizens with “digital driver’s licenses, stored on a user’s smartphone, allowing them to ditch their physical ID card”. I read that article and it seems to me that these aren’t digital driver’s licenses or anything like them. They are digitised driver’s licences, nothing more than virtual shadows of their mundane progenitors. They have no functionality beyond their heritage in industrial age bureaucracy and provide absolutely nothing new to the new economy.

We need digital identity, not digitised identity, a point I intend to make loud and clear in Washington on 26th and 27th March, where I will be chairing the 2nd KnowID conference. And I’ll be talking about McLuhan, because McLuhan had this notion of identity as smeared across entities, depending on the relationships and interactions between identities (what Ian Grigg calls “edge” identity). If this is indeed the correct vision for post-industrial online identity (and since he was right about most other things, I’m certainly not going to call McLuhan out on this one) then what would it mean for the driving licence?

Well, I (and others) have long argued that shifting to an infrastructure where transactions are between virtual identities and enabled by credentials is the way forward. Hence the right way to see a driving licence is as a bundle of credentials. How would we use those credentials? To make claims that we need in order to enable the transactions. In Phil Windley’s “Self-Sovereign Identity and the Legitimacy of Permissioned Ledgers” he says, if I interpret him correctly, that a claim is the process of providing a credential and authenticating its use in order to obtain authorisation. I like the “claims are processes” way of thinking and it seems like a reasonable working definition, so let’s move forward with that, using my favourite Three Domain Identity (3DID) as the framework.

 The Three Domain Identity (3DID) Model

The attributes that are needed in the Authorisation Domain might be very varied, but for sake of the discussion, let’s assume that in the case of the driving licence there are three claims that should be supported:

  • A policeperson might need to know who you are.

  • A car rental company might need to know that you are allowed to drive.

  • A bar might need to know that you are over 18.

Now the digitised driving licence doesn’t know who is asking, what they are asking for, or whether they are allowed to ask for it. So it shows everybody everything and (in the general case) they have no idea whether any of the claims are true or not. But a digital driver’s licence could know all of these things. So when the policeperson asks your digital driving licence who you are, your digital driving licence can check the digital signature of the request and the authorisations that come with them. The digital driving licence knows that the bar can ask if you are over 18, but not who you are because it’s none of their business – although the licence may return a service provider-specific meaningless but unique number (MBUN) that the bar can use for loyalty (and barring). I cannot stress just how much of a new idea this is not. A decade ago John Elliot, Neil McEvoy and I wrote a chapter called “This Is Not Your Father’s ID Card” for the book “Digital Identity Management”. In it, we said that:

Because computers, biometrics and digital signatures can work together to disclose facts about someone without disclosing their full identity. Your ID card could, for example, send a message to a machine confirming that you are over 18 without disclosing who you are or what your citizen number is.

I’m sure we were not the only people to have realised this. The problem then, and now, is that the people in charge of identity cards, and driving licences, and passports and all of the other identity infrastructure, still see these documents only as dumb emulations of paper and not as what they are: nodes in an identity network. They are nodes and our identities, to go with Ian’s formulation, are the edges between them.

All very well, I can hear you saying. All very nice in theory. But what about deployment? How would will you connect up all of the bars and car rental counters and police cars and so on. What would the person in the bar use to interrogate your digital driving licence? Well, their digital driving licence of course! Surely one of the defining characteristics of the digital age driving licence that has a computer in it and is now a node is that… it can talk to other driving licences. There is a beautiful symmetry to this: no digital driving licence is different from any other digital driving licence, nor privileged above any other digital driving licence. No need to for custom equipment. Every has the same digital driving licence – you, the cop, the barman – but these licenses are loaded with different claims.

So this is how Phil Windley’s claims work in practice then: I want to get a drink so in the Authorisation Domain the barman sets his digital driving licence (a smartphone app) to request a claim for IS_OVER_18 and then via NFC, Bluetooth or QR code interrogates my digital driving licence (a smartphone app). My smartphone app sees that his request is signed by a valid licensing authority and has not expired and checks what credentials it has to hand. It discovers two virtual identities containing the relevant IS_OVER_18 attribute: one from the Driving License Authority and from my car insurance company. It selects the first one and sends it to the barman’s app.

(The virtual identity contains a unique identifier, a public key, a number of attributes and a digital signature.)

The barman’s app checks the signature and recognises that it is valid. Since the barman is using his smart driving licence app it either stores or has access to the public keys of the driving licence authorities, car insurance companies, car rental companies and so on. My smart travel app would have similar information for airlines and car rental companies, hotel companies an so on. The barman’s driving licences sends back a message encrypted using the public key. My app can decode this, because it has the corresponding private key, so in the Authentication Domain it asks for me to authenticate myself. I use my fingerprint or PIN or whatever and the app decodes the message. Then it replies to the barman’s app. The barman’s app now knows that I have the corresponding private key and thus it can accept that IS_OVER_18 applies to me.

The claim as process – I want to see a virtual identity that contains a credential that includes this attribute / here is a suitable credential / OK, so prove it is yours / here you go, I decoded your message / Thanks, now I’m happy to serve you – delivers both security and privacy and shows that we use digital identity to create an infrastructure that goes far beyond emulating our broken physical industrial age identity system to provide something so much better,

It’s time to move on from the cardboard age to the communication age, and I hope that you’ll join me at KnowID to discuss all of that latest developments in the digital identity space and to formulate practical strategies for making the long-overdue change to digital identity in the mass market, whether centralised, decentralised, federated or whatever else might work. 

Noted author talks fraud at Royal Institution

What a piece of luck! I was giving a talk at the CallCredit Fraud Summit at the Royal institution in London and I chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that is worth amplifying. As Chris Green (CCO at Call Credit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.

Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report “A Verifiable Success — The future of identity in the UK” (August 2017) which noted that identity verification processes in the UK have not kept up with either technological or social change and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.

RI

I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (“C”,  the head of MI6 which is James Bond’s department of the British intelligence services) who explained just how hard it is to be a spy these days. In the old days, it was easy. Just grab a fake passport out of the draw and off you go. But, as the chief spy pointed out, today social media means that it is far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be a James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity and I think the audience liked it!

So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself.

RI

 

 I think Jeffrey really appreciated my hints and suggestions but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence I was able to whip out a copy of the day’s Times and wave it around to great effect at the appropriate point in my presentation!

RI

The point that I was making, of course, is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to stop forward with a vision for a better identity future! Where is this person! I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.

So why is identity not fixed yet?

As I tried to persuade the audience, if we are going to make any progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explain this using the three domain model, as shown on the slide below, and hopefully demonstrated just how powerful this view of identity is.

3DID Basic Colour

 

We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. So my Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating sites can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities. When the Internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.

One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures is. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, then I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any PII.

This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure.

Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Call Credit for asking me along to share this vision with their audience.