Why is digital identity so important? A conversation with the experts of our working group

‍

As shown in our article published in November 2023, the Human Technology Foundation launched a research project to target best practices regarding the roll-out of digital identity systems.

We want to understand the main points of distrust among users when a new digital identity system is offered to them but also identify the levers of trust so that the benefits promised at design stage materialize in daily use.

Today we are giving the floor to several members of our working group so that they can explain more to us why digital identity is today a crucial subject that concerns us all. We are lucky to have the points of view of:

• Claire Godron (Thales)
• Charles Morgan (McCarthy Tetrault)
• Régis Chatellier (CNIL)
• Marie Garnier (Docaposte)

‍

1. Can you tell us, in a few words, why centralized and decentralized digital identity systems are critically important today? Why should they be included in the public debate?

Claire Godron - Digital identity systems are a major challenge for our 21st century societies for two reasons. Firstly because they are, or are about to become, central in our daily lives as citizens: we use them to connect to online sites, to prove our identity in real life or on the internet, to prove that we have a driving license or health insurance. Secondly because they manage valuable data: the identity attributes of each of us.

Régis Chatellier- The question of the identity of people is central in the organization of any society, since it makes it possible to attribute a role or a status to individuals in a collective organization. Identity is multiple and is not limited to the identity that appears in civil status registers and on our physical identity cards. We have several identities depending on the context, which allow us to identify ourselves with digital services, games, social networks, or in space, and of course the digitization of civil status.

Charles Morgan - Digital identity solution can be harnessed to promote human access, agency and autonomy.  Considering that 1.1 billion people in the world struggle to access basic services due to insufficient proof of identity, digital ID systems have the potential to empower individuals to participate in our society and to facilitate access to both public and private sector services. Ensuring that all individuals are able to participate and express their voice in an increasingly digital society promotes human agency. Embracing the data minimization potential of digital ID further encourages both agency and autonomy, allowing individuals to decide what information that share with whom and when. Public consultation will help ensure that digital ID system designs are grounded in principles that satisfy individual and institutional needs, maximizing user benefits and encouraging social acceptability. 

Marie Garnier - Digital identity systems respond to a major societal challenge, namely the establishment of a trusted digital system. In a context where everything is dematerialized, it seems more than necessary to protect citizens and what is most precious to them, their personal data.  In a world where all information about us is becoming digital (our school results from first grade, our health data, our internet connections), their protection and preservation are at the heart of public debate.

We need to be able to offer citizens means of authentication that are as secure but also as easy to use as the identity card in our everyday life.

‍

‍

2. We selected 4 verticals for our study (health, elections & democratic process, age verification and responsibility for content posted online): for one (or more) of these verticals, can you tell us what lessons were learned regarding the deployment of digital identity systems? On the contrary, what are the unknowns that remain to be studied?

Charles Morgan - From an e-democracy standpoint: both India and Estonia’s e-voting system have provided lessons worth taking into account:

• India’s Aadhaar is the world’s largest voluntary biometric identity system that allows every resident of the country to establish their identity. The digital ID, combined with the likes of e-voting apps such as right2vote, create an ecosystem that simplifies civic engagement by facilitating processes tied to electoral roll and voting. While Aadhaar has facilitated access to public services in a country where many citizens were historically excluded from the “formal economy” due to lack of fixed, permanent address and official documentation, the Aadhaar system’s security shortcomings have already highlighted the risks of an ill-conceived digital ID solution. For example, a 2017 Center for Internet and Society report analyzed public datasets tied to Aadhaar, revealing that over 100 million Aadhaar and bank account numbers had been disclosed. Lesson learned: in providing services to the population, emphasis should be placed on security to prevent the increasing threat of cyber-attacks and oversharing of data. Accountability is essential.
• Estonia's electronic voting system allows users to vote from anywhere in the world by logging into the system using a government-issued digital ID and casting a ballot during a designated pre-voting period. Despite the discovery of a security flaw in the ID that impeded 750,000 users from accessing services such as banking, tax systems and the health registry, 98% of the Estonian population was using the digital ID card by 2019. Unsurprisingly, public perception is vital to operations.

In the context of age verification and online content, we are seeing an influx of legislative changes. Canada has recently proposed an Act restricting online access to sexually explicit material while Utah and Arkansas have passed laws that would require age verification for minors using social media.

‍

Marie Garnier – I'd like to shed some light on age verification. At Docaposte, we have launched a secure system that allows a user to prove their civil majority (+18 years old) or their digital majority (+15 years old) while guaranteeing their anonymity thanks to the association of different application components. This experience was rich in lessons.  In the case of the protection of minors, we have to think about the complex dimension of addressing a population that we are going to exclude with our solution, which will in fact arouse their desire to bypass our tool. In this case, it is rather at the societal level that acceptability should be considered and encouraged. For a digital identity system to work, it must first and foremost be understood and adopted by the target population. The second issue is the importance of confidentiality and traceability. Trust is a key point that we put at the center of all our solutions. That's why we've developed a double anonymity system.  Finally, the economic stakes also remain important and must be taken into account.

‍

Claire Godron - First of all, I would like to salute the choice of these verticals, which perfectly illustrate the double requirement that digital identity systems face: being a tool used on a daily basis, while providing the best protection for our personal data and a guarantee of the authenticity of the shared data.

We are still at the beginning of the deployment of these systems, and there are still many unknowns. We can cite, for example, the way in which ecosystems for the use of digital identities will be created and evolve: what are the use cases that will encourage citizen adoption? How will digital identity documents actually be used by citizens? etc.

Nevertheless, the first projects of this type have taught us lessons. On usage first, it has for example become clear that  the access granted to the “circle of trust” in health digital identity systems must be quite extensive and include in particular doctors, pharmacists, health insurance companies. Concerning data security, the latest regulations, such as eIDAS 2.0, have strengthened security requirements, by defining a “high” level of assurance, which can apply to the verticals studied.

‍

3. Can you give us several fundamental principles that absolutely must be taken into account at the design stage of a digital identity project? In practice, what role do developers, businesses and governments have in this design process?

Régis Chatellier- In its file on digital identities, the CNIL highlights in particular the challenges for security and respect of fundamental rights. Everyone should be able to use different digital identities depending on the context, in fact the aim is to avoid the establishment of a single means of identification for all online uses.

Identification and authentication levels should be chosen according to the level of trust necessary and sufficient for each online service. The plurality of solutions avoids the issue of a concentration of risks, particularly in the event of an attack and leaves everyone the possibility of having several identities, more or less complete, by context of use, and not linked to each other.

As for the players who offer solutions, these must make it possible to disclose the minimum amount of information possible, and therefore integrate the protection of privacy by design, an obligation provided for by the GDPR.

‍

Charles Morgan - Three main principles are essential: it must be people-centered, empowering and trustworthy.

Empowerment can be promoted by basing the system on the notion of informed consent, i.e. ensuring that the user is sufficiently informed about how their digital identity is used and when she uses it. Another consideration in this regard is data portability, which allows users to control their data for sharing or transfer purposes. Finally, public acceptance will only come about through trust. Ensuring transparency, accountability and security are essential to achieving mass buy-in.

• Data minimization should be at the forefront of a people-centric system: no more information should be collected than is necessary for the service. Users should also have the ability to manage digital credentials and delete them if they feel it is no longer necessary.
• Empowerment can be promoted by basing the system on the notion of informed consent, i.e. ensuring that the user is sufficiently informed about how their digital identity is used and when she uses it. Another consideration in this regard is data portability, which allows users to control their data for sharing or transfer purposes.
• Finally, public acceptance will only come about through trust. Ensuring transparency, accountability and security are key to achieving mass buy-in

‍

4. Can you cite examples of digital identity systems (centralized or decentralized) that have been widely adopted by their target population/users, and what have been the lessons learned so far from different deployments (successful or not) of systems? digital identity?

‍

Marie Garnier - One of the success stories of recent years in Europe in terms of centralised digital identity is undoubtedly SPID ID in Italy. In less than 3 years, more than 70% of the population is equipped with it. One of the key points of this deployment lies in political voluntarism and a public-private partnership to promote its adoption by as many people as possible. The user experience, which seems to us to be key in adoption: a digital identity will only be used and accepted if it is easy and practical and does not make processes more cumbersome under the pretext of strengthening security. And it comes back to trust: identity is what makes us who we are; You can't leave it in the hands of just anyone.

‍

Claire Godron - We can cite the mobile authentication solutions of certain European countries (BankID Norway, BankID Sweden, Itsme, etc.). These solutions are used by more than 90% of adult citizens of the countries in question, and make it possible to identify and authenticate to a very large number of online services (several hundred per country).

There are several lessons to be learned from this. First of all, these systems are good illustrations of a successful choice of use cases. In fact, they were launched by federations of players in the private sphere, and in particular banks, who were seeking to pool an authentication solution for their online sites. These systems are therefore built around a frequently used use case: authentication in one's personal space of one's online banking, which has greatly facilitated their adoption. They are also good examples of a virtuous ecosystem effect: the greater the number of connected citizens, the more it attracts online service providers – and vice versa.

On the other hand, these systems are national systems, which do not offer the possibility of international interoperability. In addition, although they are very successful authentication solutions, they do not allow the sharing of attributes, whether attributes coming from other identity documents (driving license, health card, birth certificate , etc.) or a unique attribute such as proof of age. It should also be noted that the security qualification of these different systems was carried out at the national level.

‍

Charles Morgan - Aadhaar in India and Estonian digital identification system for electronic voting have been successful given the rate of adoption by the population. THE Philippines, the Ghana, the Sweden and the China are all countries whose populations have also widely adopted digital identification solutions. Their respective approaches to digital identity may vary in nature, but the general lessons remain similar. On the one hand, it is essential to take a balanced approach that leverages technological innovation while taking into account privacy and security concerns. Second, it is imperative to establish a digital identification system that is inclusive, accessible to all and fair.

‍

5. How do you see the future of digital identity solutions in the next 5 to 10 years?

‍

Charles Morgan - While public acceptance and trust remain paramount, digital identity solutions will only become more relevant in the future. Most importantly, digital identity solutions respond to the public interest and the need for action. Recent polls in Canada and Europe showed significant support for the development of digital identity credentials. In an increasingly digital world, the deployment of social services and economic benefits relies on the use of reliable and secure digital identity credentials. Public and private actors who do not move forward on this path risk losing their global strategic positioning and their potential for economic growth. The adoption of digital identity solutions will continue to play an important role in driving economic, social and civic engagement.

‍

Claire Godron - A lot of things will happen in the next 5 to 10 years! First of all, we are likely to see a proliferation of digital identity solutions. We can also expect continued reflections and debates around the centralization and decentralization of digital identities – and perhaps we will see that certain use cases lend themselves better to a centralized or decentralized scheme. We will also likely see regulations and recommendations around the security of digital identity systems and the protection of personal data become clearer. These last two points are particularly important to us at Thales!

‍

Marie Garnier - Digital identity solutions are being transformed, driven by changing regulations. In 2014, the eIDAS v1 regulation, still in force, outlined the contours of electronic identification by laying the foundations for a secure digital space common to the countries of the European Union.  To adapt to new uses in terms of electronic interaction and to develop cross-border transactions, the regulation will evolve in the coming months.  eIDAS V2 creates a digital identity wallet, called a Wallet. It allows European citizens to securely store personal identification data to carry out operations anywhere on the continent. It is a question of generalising digital identity but also limiting the disclosure of personal information and above all of giving back the hand to citizens who will be able to choose the attributes they wish to share or not with whom and when and to work on interconnection to define a Europe-wide system.