Digital identity is inextricably linked with concepts such as authentication, trust, assurance, interoperability, and transparency, but also with issues like surveillance, privacy, and intrusion.
On the one hand, a single digital ID might simplify access to a range of services, both locally and internationally, opening doors of every kind while protecting the user. But on the other, it might encourage state overreach. Such risks are a bigger cultural obstacle in the UK than in, say, Europe, the US, or China, where carrying a physical ID is part of everyday life.
Were a digital ID to be stolen, cloned, subverted, or spoofed online, however, it could enable crime and damage lives. Reliable, secure authentication would be critical.
So, might a digital ID system be of more benefit to IT companies than to citizens? Sue Daley is Director of Technology and Innovation at industry body techUK. Chairing a Westminster eForum on digital identity, she said:
Helping deliver a digital identity [system for the UK] provides significant opportunities, operational efficiencies, cost savings, and productivity across a range of industries and sectors. It could add three percent of increased GDP to the UK economy by 2030.
But the benefits of digital ID go beyond that too: it can improve the customer experience when interacting online. It can help reduce the incidence of fraud, and help people to manage their personal data safely and securely, while helping to build greater trust and confidence in interacting and transacting online.
All those reasons are why techUK has been focused on digital identity for many years. We see it as key to the UK’s digital future.
Bold words. To get to that point, building a trust framework and doing more to explain the benefits to the public will be essential, she said, as will ensuring interoperability between private- and public-sector IDs.
The risk of interoperability
But might that be a bigger challenge than it appears to techUK – which is, after all, a trade association? More and more services encourage sign-on with Facebook, Google, and other vendor- or platform-centric IDs. Not all those credentials come with citizen trust guaranteed.
For example, anyone signing onto services with their Facebook login might wonder how Meta is using their data. Post Cambridge Analytica, would citizens really be comfortable with Zuckerberg owning the doorway to, say, their tax, benefit, or healthcare information?
We believe government should allow private-sector digital IDs to access government services. And if there are barriers that prevent that from happening, then we need to look at how we overcome them.
Why? Asked by diginomica to clarify these points, she said:
I'm not just talking about those organizations [Google, Facebook, et al], but also about how you develop an approach that works for all providers in this sector in the digital ID ecosystem.
It could enable interoperability, and could enable services to be interoperable. But that doesn't mean that privacy and security are not important.
Much depends on your definition of interoperable. A technology-level handshake, or an exchange of data?
Remember: the digital supply chain is under increasing cyberattack, with the broadest platforms being the biggest targets. In an interoperable world, therefore, wouldn’t a successful hack of your Facebook account give attackers access to other services that use the same login? How would that benefit the citizen? (Good luck getting Meta to care!)
One of the often-cited barriers to adopting digital ID tools would be regulatory compliance, regulatory duties, and legal practitioners putting themselves at risk of a breach, especially over their anti-money-laundering responsibilities. So, there is an obligation on legal practitioners not to outsource those responsibilities.
However, the statement clarified that, while legal practitioners will be liable still for their AML responsibilities, this will be regardless of whether they use manual or digital methods of identity verification.
What that means in practice is that regulation applies regardless of the way a legal practitioner decides to verify ID. […] It turns out that no regulator in the UK jurisdiction prevents the use of, or reliance on, digital means of identity verification and legal services.
We highlighted that the responsible selection, adoption, and implementation of these tools can contribute to improving compliance practices across the legal sector, as well as bringing improved customer outcomes.
The organization also stressed the “universal benefits” of digital ID verification. She added:
We built on two specific use cases. One is to do with professional indemnity insurance, where we highlighted how insurers are engaging with digital ID technology when it comes to quantifying risk and evaluating insurance premiums for law firms.
And the other is a use case in conveyancing, where the Land Registry offered a safe harbour to conveyancers using digital ID methods under the standard. This means they will not seek recourse against those who comply with the digital ID standard, even if the client was not who they claimed to be.
Fascinating, because it implies that conforming to technology standards will, in some instances, be more important than the person being correctly identified. In the legal profession!
The problem of usable security
This moved the discussion onto another, more troubling topic: the ways in which even some forms of biometric ID – an area of growing importance – can be subverted.
Andrew Bud is founder and CEO of iProov, a UK scale-up and now global provider that focuses on the critical element in digital ID: verifying that the subject is who they say they are.
In an alarming presentation, Bud explained that, without rigorous verification, even once-secure forms of ID are no longer safe or reliable in a sophisticated criminal world. He said:
We saw a number of key trends in 2022. And what they communicate is the tremendous rate of change and increase of sophistication with which attackers are attempting to compromise, create, steal, and take over digital identities by attacking the bind between the identity and the human being.
According to Bud, there has been a 150% uptick in indiscriminate attacks, which emulate real IDs, spoof metadata, and use increasingly high-quality fake imagery. Plus, there has been a 300% boom in digitally injected face-swapping attacks, which use real identities. These are getting harder to spot, he said.
Meanwhile, digital injection attacks overall are becoming far more sophisticated. He added:
Attackers are attacking digital IDs using digital injection or stolen or synthetic imagery, which is directly digitally injected, bypassing any camera. This has been talked about for a while, but we saw an explosion of it in 2022.
Previously, the weak point was always the Web, and therefore people thought that if you could defend the Web, things like mobile apps would be safe. But not anymore.
This indicates that even low-skilled criminals now have access to toolkits on the Dark Web, so they can readily and cheaply launch sophisticated attacks. And this is a fundamental challenge to the biometric step [in digital identity]. And it's getting worse.
Hardly a resounding vote of confidence in digital IDs. Another challenge is vendors’ tendency to make identification device-specific, by linking it with an individual smartphone, tablet, or laptop. Bud said:
It's really important that identity should not impose any requirement for special devices, hardware, or sensors on the user, because you exclude those who can't afford it. Device-based solutions carry tremendous risks, and also make it impossible to gather threat intelligence and evolve defences.
Inclusion and accessibility are incredibly important. You have to give people choice, and you have to give them easy ways of recovering their identity when they lose one or other of their credentials.
But most important of all: when I hear people saying, ‘We have to educate the public, we have to teach them about this’, I think that is fundamentally wrong.
The binomial between usability and security is no longer acceptable. And it's especially not acceptable in the world of digital identity. It’s our task to relieve users of the burden of responsibility, to make the problem of usable security ours rather than theirs.
Wise words, and regulation must be built around the user’s needs.
But technology aside, Bud cautioned that the UK faces some unique challenges of its own. Its ‘go it alone’ policy – post Brexit, by implication – is not helping the nation move towards achieving its policy aims for digital identity.
Acknowledging that there is “huge enthusiasm” in Whitehall for the concept of digital IDs, Bud warned:
We're not seeing a joined-up approach. There hasn't been clear political leadership, especially not at the top level, for some considerable time. And that's going to become a huge problem.
We're going to have to decide whether verifiable credentials, for example, are an integral part of British identity policy or not. The Europeans have already decided that if we don't do that, we don’t have interoperability.
We'll end up with all sorts of standards and culture wars, and a real mess is going to develop.
So, the irony is that, while the UK might benefit from a secure, verifiable, digital identity system – or at least interoperability between platforms – Westminster’s ‘anything except what the EU wants’ approach is making it much harder to achieve. An island of choice, but not a continent or planet.