Recently, EEMA held a fireside event on Decentralised Identity: do people really want to be in charge of their ID? It was a well-attended session with good discussion and lots of perspectives from the panellists. But at the end of the event, David Alexander, Chief Executive of Mydex CIC, noticed a sense of frustration from EEMA Special Projects Director Roger Dean and followed up by email.
This prompted a rich exchange covering many questions: Is there one, single, ‘best’ solution for identity? If not, how do we progress? Do we have the infrastructure we need to make identity work? What are the design principles that should define how it works? And what role should, or could, individuals and citizens play in making it happen? The following is an edited version of the email exchange.
David: Hi Roger, at the end of what I thought was an intelligent discussion last night you threw a question into the room which, by your tone, sounded like you were disappointed or frustrated in some way that we may not have reached a conclusion. Clearly we did get answers and views from a good panel and audience, albeit quite specialised. So I am writing to ask you: am I interpreting your tone and question correctly? Or were you simply trying to be provocative?
Roger: I too thought it was a very good event, good discussion, excellent speakers as usual, together with some solutions. However, I was a little frustrated with my own thoughts from past experience.
I do appreciate and acknowledge that there will be no one solution and probably never will be. However, in Belgium for instance, as you know, they have a government approved and adopted ID that can be used for many applications and everyone trusts it. Additionally there is the issue of liability, which John Bullard raised and has been talking about for many years. No one (as far as I know) will take this financial responsibility.
David: The solutions in place in different parts of the world are useful examples of what happens with different levels of state control and influence. But as was discussed last night, trust in the state and organisations is highly volatile and is not a solid foundation for the issues of identity. We live in a world where people are becoming more mobile, accessing products and services from across the globe. We each have something like 700 different relationships during our lifetime with third parties. We move around the world by choice and by force in a number of forms e.g. economic, political, safety and personal preference.
There will never be a single system for identity or portability of the proofs and information about your life. In simple terms there are too many stakeholders to reach agreement in this way. Accept that fact and you have to solve a different set of problems. These are:
Portability of data about you and your life, along with portability of trust about the data about you. This means metadata, a means of verification of those attributes and the process of generation of those attributes. If you look at the full spectrum of data about yourself across your life, across all sectors, needs and interests, it is vast; no one organisation will want to hold it all or be interested in all of it, only you. This makes it logical that you hold it under your control and can share it where and when needed.
Interoperability – portability means we need interoperability as a core part of it. The relying party, independent of any relationship and agreements with the attribute provider, needs to be able to trust the data they get from the citizen.
Personalised configuration – The sheer volume of transactions, tasks and activities we as individuals undertake with a broad and diverse range of service providers, online and offline, means we need to be able to personalise identity evidence (verified attributes) to meet the specific needs of those relying parties who serve us. Trying to get service providers (relying parties) to agree universally on 4 levels of assurance is an exercise in futility which leads to barriers to access and to over-supplied levels of information that inherently conflict with legislation around data protection and privacy.
This is an infrastructure issue – Focusing on removing friction, risk, cost and effort speaks to an infrastructure model, not a market model, for things like attribute exchange and support of use cases like identity and entitlement assurance. Think of how many years you and many others have spent trying to technically solve issues of access and control following a state-centric, organisation-centric or sector-centric model. It has not really succeeded in spite of the technology being available.
This is a design challenge – Looking at this from the perspective of the individual makes it easier to solve. Only the individual can and wants to see the full spectrum of their lives, their needs and the time, cost and effort they are faced with in getting things done. Common sense screams out at them about all the apparently pointless repetitive barriers put up in front of them daily in getting things done. They crave convenience, removal of friction and effort, yet they want to be kept safe and secure.
This has led to a disconnect between what people say they want and what they do. Convenience trumps trust and safety today because to get the latter is simply too hard for the citizen. Commercial organisations who want to make money, gather data and use personal data have worked out that providing a set of identity credentials and an easy means of sharing data addresses friction and convenience while increasing the dependency on their service. This feeds their business model of data aggregation and reuse. They have built a powerful hold and concentration of power over people’s use of online services for social, retail and entertainment type activities.
However, the substantial transactions and services within an individual’s life that support them have lost touch with these types of benefits. They resist allowing the data they hold to be used by their customers and have failed to design their services to suit individuals because they are only focusing on their monetisation and narrow view of their relationship with citizens.
If we start designing around the individual to make things safe and easy, their life gets easier, safer and more convenient. But that means addressing the market failure we see today, which is the lack of availability and portability of verified attributes. Everyone wants to consume; no one wants to provide verified attributes unless they are getting paid to do so, and even then they do not really want to do it. We have to address this market failure to drive transformation and improved outcomes, efficiency and remove risk from the economy.
Roger: Also, as I said, the delegates are highly qualified and knowledgeable, but this is a relatively specialised few, and the question remains (as always): how do we educate the “public” and get them to accept their responsibilities? Which I believe is the big issue. Many give away their “identities” and data for points or ease of access. We see so many articles about people being defrauded by ever more knowledgeable and informed criminals and, as I said yesterday, with PSD2 arriving in September next year, how do we protect the public?
David: I think this “educate the public” approach is not going to work in a practical way. If we design around the individual and make it safe and easy for them to access and maintain that access to verified attributes about themselves from the service providers across public, private and third sectors, it is a game changer. When a citizen is able to use verified attributes where and when they want, safely, securely and easily, we will see the world change because it will be easier for them to get things done. Remember, convenience trumps everything. People also learn from experience; enabling them to get stuff done is how education happens, not by teaching and preaching. Make it easy, safe, seamless and frictionless and you have adoption. This means addressing the lack of verified attributes. PSD2 and Open Banking have started this, but the barriers to setting up and approving exchanges of data are too complex for people and of course they are locked into a sector-centric model.
Roger: I also believe that without these discussions in a forum like EEMA we wouldn’t move forward or achieve anything, which is why we hold these sessions and value the opinions and thoughts of people such as you. And believe me, I do fully appreciate the time and effort everyone puts into these events.
David: I agree these discussions need to happen, but the domain experts and practitioners have to overcome their own blinkers on this issue. A lot of these talented people are system builders, market builders and threat protectors with generations of inertia behind their thinking and approaches. This is a human-centred design challenge. Equipping citizens with tools that make their life safe, easy and frictionless is essential. At Mydex we think that is a Personal Data Store acting as your own data exchange hub, collecting verified attributes from anywhere, all the time, while you sleep, and sharing them where and when needed, automatically, aligned to the individual’s needs based on the settings and preferences they make or decisions made for a specific situation.
From that baseline they can carry their own means of assuring their identity and status to any service and use a set of credentials that does not bleed privacy and can work anywhere. Open standards and protocols are being used cross-sector, cross-organisation and cross-nation, but they need metadata to work and be interoperable.
When you as a citizen have control of access to and use of your attributes, then you can make good use of something like a personal AI (agent) that works for you and interacts with the world around you, handling much of the admin and effort for you. Personal AI is not the current crop of commercial organisation-side AI or consumer propositions like Alexa, Siri etc.; it is something that works for you for your whole life, and it will end up talking to the organisational AI for you.
Roger: Many thanks for your thoughts and comments David. When EEMA started 31 years ago there were two main issues we had to solve, “Security” and “Interoperability”; amazingly, as stated above, we still have those issues today, but we do move forward. If you have any suggestions for what I or EEMA can do to improve our industry, please let me know. For example, several people said to me afterwards that we should have a longer session with a set of objectives.
David: Thanks for clarifying your frustration and its source; hopefully we can move this conversation forward. We have been in a vice-like grip of organisation- and state-centric thinking around identity assurance which is, after all, only a use case of verified attributes. The broader issue of sets of credentials and passwords is another area where we have to make it personal and centred on the individual. Use of devices as proxies is fine, but in the end you need to be in control, and that means not being dependent on a commercial vendor or service where its use or the loss of it suddenly locks you out of your life.
Roger: Please keep supporting EEMA and I look forward to working with you in the future.
David: Will do.
So there you have it: a lot of concepts and challenges being discussed. What is your view? Join the discussion now by adding your own comments on this blog.
David E. Alexander, FRSA, F.APS is Co-Founder & Chief Executive, Mydex CIC
Roger Dean, Director, Special Projects, EEMA