Should governments control our Identity?
The Swiss have just rejected the idea of a government mandated Digital ID scheme in a referendum by a two-thirds majority. Meanwhile governments around the world from Australia to Sweden are also looking at how to implement Digital Identity in a world where COVID has massively accelerated our use of digital and online technologies and dramatically reduced opportunities for traditional analogue checks.
Privacy campaigners, libertarians and often the public as a whole are up in arms about a range of issues from big brother to the often-commercial nature of these systems — and there is a real question, around whether governments are the right thing to be providing a trust system. It’s not just the Swiss who don’t trust their government, Edelman’s trust barometer shows it’s a global problem, nowhere more serious than in the UK according to Politico.
Are people right to be concerned? I think they are, but not just because I fear a state sponsored delve into our privacy, I also see some specific issues the framework as it is being proposed raises:
First; Data
Digital identities rely on data about us. Data which in point of fact we as individuals have a right to have, alongside a right to say how and where that data is used. So, the possibility that our data might become legally enshrined in a structure which forces us to become beholden to companies who we pay to maintain and secure our identity feels like something to worry about.
The data that could be gathered through this framework is incredibly attractive to politicians and a civil service which has historically been banned by our constitution from correlating data about citizens across departments. Let alone pulling in additional data from commercial sources.
Our rights to data are already under threat, the data protection consumers currently benefit from under GDPR is to be weakened as the Government diverges from GDPR after Brexit. We should think very carefully before changing the relationship between citizen and state by allowing the state access to and rights over our data.
Second; Identity by the back door
Identity is legally different from country to country, so I’ll focus on the UK where identity is not a legal construct, but a human one (to the annoyance of successive governments.) Here the contract between citizen and state gives us the right to be here and do as we please, provided we do not break the law and behave honestly with the officers of the Crown. If a policeman here asks you who you are, you have to tell them and tell them the truth, but you are not required to prove it, instead it is for the police to prove you aren’t who you say you are, because here the citizen is not beholden to the state. As a result, our identity is inherent in us, it is not embodied by a passport or an ID card, just by being.
The UK’s is a very human form of identity. In the pre-digital world it worked well, but the advancement of technology has begun to expose it’s weaknesses. As we transition to doing more and more online we need to maintain the relationships and the principles that have governed our freedoms for nearly a thousand years. What is being suggested - a legally mandated ID framework with citizen services being provided to them by private companies - sounds innocuous, but in practice it is significant constitutional change.
The framework turns our personal data and our identities into commodities, shifting the cost and the burden of proof onto consumers and making the provision of Digital Identities a profitable business. Once they become mandated, those costs will risk disenfranchising those in society who are already so marginalised.
In hiding the creation of an ID system behind a framework with commercial entities providing the systems the government weakens the one argument for state controlled ID, namely security. This framework, because it is reliant on the actions of the weakest link has none of the robustness or security necessary to deliver on the digital challenges we face. Far from being a framework on which trust can be based, it is in fact just a weakened ID system.
Third; The flow of trust
What is being proposed is not mutual trust, it is users having to answer questions from and provide data to organisations who won’t be digitally identifiable in the same way their users are. That’s not trust, it’s control.
So, the seemingly innocuous document released by the Department for Culture, Media and Sport carries within it threats to our freedoms, constitution and privacy. It is imperative that we tackle the issues that have come along with rapid digitalisation, from cyber-bullying to fraud, but we have to do so in a manner that doesn’t simply replace one set of problems with another.
Putting the ‘I” into identity
To solve the digital ID challenges, we need technology to be people-led, not state mandated and commercially driven. Digital Identity needs to operate on a human level, not bound by the concepts of government, nation or bloc. It should treat all humans as equals and give each of them the tools to interact with the world around them.
I’m generally wary of trusting people I don’t know, especially with my bank details. But I’d trust my closest friends, and I’d have some trust in someone my best friend recommended and even more trust if several friends independently recommended the same person. That human embodiment of trust in a web of trust is incredibly powerful, and it’s technology equivalent has been around for some time.
A Web of Trust doesn’t need government, regulation or legislation. It also doesn’t need the systems, databases, security and audits that the UK’s Digital Identity Framework envisages, because there’s no central system, nothing to hack and nothing to misuse. It’s just a tool for sharing trust and attributes which have been verified between people.
At Self we’ve been developing an enhanced web of trust, designed to solve the problems which have hampered the wider use of WoT previously. Amid the slew of stories of how little regard big tech has for privacy, it’s technology designed to allow people to trust each other, communicate with each other and protect their personal data.
We welcome the prominence that UK government attention is bringing to the issues surrounding trust online. We hope that the proposed Framework morphs into something ground-breaking and privacy led as opposed to a digitised version of the status quo that will turn our very identities into corporate profits.
There are suggestions in the framework that they just might.
