Digital Identity – Silver Bullet or Dangerous Werewolf?

17/1/22, 9:16 am

As we close the door on a turbulent 2021 and dive headfirst into a new year, two key trends have dominated the last year:

• COVID-19 has forced a technological leap towards digital services across all industries; and
• Incumbent technologies are struggling to combat an exponential increase in fraud and cybercrime

According to the Australian Institute of Criminology, identity theft is costing Australians billions of dollars a year. Consumers are feeling this impact via the rising costs of insurance, negative effects on credit and misuse of personal information. Considering this worrying trend, the case for a trusted and verifiable ID system has never been stronger.

The NSW Government has proven to be a global leader in redesigning improved services for communities and driving a digital transformation agenda to provide digital government services to citizens. With record funding allocated for digital infrastructure across the 2019 – 2022 budget, contemporary delivery of government services will make life easier for people in the state.

NSW Government agencies are already seeing technology advancement benefit the end-user: Digital Drivers Licence, Energy Switch (an online comparison tool for NSW household electricity providers), and Park’nPay (a mobile app to pay for parking from your phone) are sparking a true digital revolution, setting a best practice benchmark for countries around the world.

According to a Service NSW report, as of December 2020, three million people have downloaded a Digital Driver License, representing over a third of all license holders. The digital licence is now accepted by police across all state jurisdictions in Australia.

The investment dollars are not restricted to the NSW Government. Victoria, South Australia, and Western Australia have all seen a significant rise in their 2019 – 2023 digital commitments and the Federal digital transformation budget allocation surpasses all previous years. The commitment to fight online fraud and cyber-crime is evident, in particular post-COVID.

To enable a digital economy, a robust digital identity is not only the enabler of user experience but also the building block required to combat fraud and related cybercrime.

This type of transformation comes with its challenges. For many, entrusting their personal information to a centralized digital ID system isn’t something that people are familiar with and don’t fully understand. Such a system might make agreeing to ID checks a daily occurrence, requiring a handful of mundane tasks. Showing our online movements via digital breadcrumbs for some could be interpreted as an invasion of privacy.

Software requires a unique identifier to give the correct context to the digital transaction and/or inquiry. Without a secure identity, the entire digital ecosystem is open to fraud and risks failing to provide tangible outcomes, and this is where the challenge resides.

By analysing why identity programs fail we can see trends for success. In 2002, the UK Government started its well-documented national ID program to combat identity fraud and international terrorism. The card and associated centralised database would hold biometrics such as the cardholder’s fingerprints, photo, and iris scans. The grand vision was to feed into the subsequent digital identity program called “Gov Verify” providing a secure and unique access platform to Government services for over 25 million users.

In an article for ZDNet, David Blunkett, the Home Secretary at that time, and Nick Heath, technical author ZDNet, explain why the mega-IT project fell out of favour with the public and was scrapped, "We got all tied up with civil rights and privacy when the intention was never to intrude on people's privacy at all". The data itself was hamstrung by the decision to turn it into a travel document allowing cardholders to travel within Europe, according to Gus Hosein, visiting fellow in the information systems and innovation group at the London School of Economics (LSE) and co-author of a report into the scheme. The centralised nature of the data storage whose primary purpose was to be read by both local and foreign governments was a key point of failure leaving individuals with no control over what data was shared.

Countless examples exist of getting it wrong concerning building centralised identity stores; none more telling than the extreme case of the outgoing Afghanistan government handing over its national identity scheme, fully loaded with biometric data, to the incoming Taliban army. According to an article in the Technology Review, by capturing 40 pieces of data per person — from iris scans and family links to their favourite fruit — a system meant to cut fraud in the Afghan security forces may have aided the Taliban. The open nature of the centralised data lake to back-of-house staff may be seen as a design fault from a privacy viewpoint.

Ultimately, with the shift to a digital world, the problems of physical ID systems need to be addressed and this can be done in multiple ways, but everyone should be wary of any solution design that is controlled and monitored via a centralised data store. The potential for abuse is far too high and this risk can be ameliorated.

In conjunction with avoiding a centralised data design, trust frameworks need to be established upfront, use cases between departments and participating entities such as banks, agreed in advance and importantly individuals need to retain control of their data.

When backed by biometric data and using the power of decentralised blockchain ledgers, digital IDs stand to address many of the lingering issues with traditional ID documents. Already, various forms of fraud and illicit access are occurring more frequently as consumers spend more time and money online. Leveraging these new technologies can deliver IDs that are nearly impossible to fake or manipulate and can be designed to interoperate with new systems.

When implemented correctly, decentralised digital IDs can make it harder to infringe upon civil liberties and privacy. That said, it’s essential that these IDs are not federated or corporatised but are, instead, self-sovereign identities, fully controlled by the end-user — made entirely possible by blockchain’s trustless verification.

Self-sovereign identity perhaps is the silver bullet that can prevent the wolves of the cyber world from taking advantage of this post-COVID transformed digital economy. After all, the blockchain distributed ledger technology and the related peer-to-peer decentralised network has proven the test of time by keeping the dark web and related economy anonymous for 20 years.

Gus Fahey
Specialist BDM, Cyber, Biometrics and Smart Cities
gus.fahey@nec.com.au