June 4, 2018
The Future of Property Rights Program is currently writing a paper on self-sovereign digital identity. As we continue our research, we would like to share some thoughts for discussion with the international development and identity spaces.
Please stay tuned, and if you have thoughts on where we are heading, please let us know at FPR@NewAmerica.org.
Myriad actors --governments, NGOs, and international organizations-- provide services to various populations globally. Rohingya refugees in Bangladesh need an identity for micropayments, documentation of their land rights in Burma, and a way to claim supplies within a refugee camp. Farmers in Haiti seek tenure security after registries were destroyed in natural disasters. The urban poor --in slums from Johannesburg to Karachi-- lack access to microcredit, health care, and education.
As service providers gradually transition to digital solutions to address these problems, they need a digital identity layer in their solution stack. After all, it is essential to know who is who when providing digital vouchers for food subsidies or microloans; or recording critical information like immunizations or land rights.
Governments, NGOs, and international organizations generally have two options when implementing a digital identity solution: make or buy.
- Make: They can internally develop a solution through the use of biometrics and commonly available identity solutions, such as OAuth.
- Buy: They can outsource the creation of an identity solution to a vendor who specializes in identity.
In our experience, these stakeholders default to Make. However, we are starting to wonder if Buy increasingly makes more sense. Three reasons:
1. Lower Burden of Risk and Responsibility
By taking identity in-house, you are adding avoidable and increasing burdens.
In-house development and implementation of a digital identity solution are increasingly complicated. Beyond internal storage of passwords, one likely has to worry about biometric data and regulations. The security and privacy of this sensitive information are the responsibility of the service provider. Data protection becomes a serious headache, as hackers are quick to attack such a cache.
Any worthwhile digital identity solution must last for decades --at least. Individuals need to steadily build up stronger IDs and reliably use them into the future. The identity platform, as well as personally identifiable information (PII) and any other relevant data, must be persistent through time. This burden necessitates software maintenance and updates, as well as the archiving of data --often on costly servers.
The May 25th implementation of the EU’s General Data Protection Regulation (GDPR) only exacerbates the potential legal and financial consequences of poor data usage and governance. Relevant organizations must allocate significant time and resources to become GDPR-compliant. Moreover, a failure to comply with its standards may result in sanctions and hefty fines.
Rollout of an internal identity solution also creates scalability issues. Current biometrics --commonly fingerprint, facial, and iris scans-- all require high-quality readers. An NGO or government must provide this technology if its internal solution is to be useful. Financial and logistical constraints may prevent implementation at scale.
Use of a digital identity provider often alleviates these problems. Vendors, who specialize in the technology, are better able to employ mobile phones, advanced cryptography, and blockchain technology to store PII and biometrics in a secure, decentralized, and persistent manner. These companies also provide relatively low-cost options --such as MMS facial scanning or the use of a smartphone-- to read biometric data and identify/verify an individual.
2. Expanding the Use of Self-Sovereign Identity (SSI)
There is a stark choice between a single-purpose tool and the beginning of SSI.
Many NGOs and international organizations create “silos” of identity that are designed for a specific purpose --such as for subsidies in a refugee camp. Yet a single-purpose digital identity solution places an unnecessary burden on marginalized populations. It is another password to remember or another card to safeguard, a new bureaucratic system to worry about.
Why not spare disadvantaged individuals the hassle, and instead start them on the track to a robust and reusable "self-sovereign" identity, while still achieving the same organizational goals? Numerous vendors are currently creating platforms specifically designed for the emerging technology. Governments, NGOs, and organizations, such as WHO and UNHCR, possess the ability to enroll vulnerable populations in a third-party self-sovereign identity (SSI) solution.
SSI is designed for privacy, security, and portability. Ideally, it is user-controlled and stored on a distributed ledger. Some instances of the “customer-facing” software are intuitive to use, often accessible from anywhere, and adaptable for a wide range of use cases --including banking, healthcare, and land administration. These solutions are usually available at a lower cost as well. We believe it is a compelling option for identity issuers to consider leveraging these platforms, especially in the developing world where existing options may be particularly weak.
3. Identity is Best Left to the Specialists
Complicated technology in identity solutions now necessitates expertise.
In the past, identity solutions could simply utilize OAuth and require a username and password for login. However, the technology surrounding identity and its security --such as biometrics, zero-knowledge proof algorithms, and distributed ledger technology-- has now evolved to a significant level of complexity. There is no sign of this trend slowing down. Furthermore, the integration of SSI into the real world requires nuanced considerations concerning scale, speed, and cost.
Design and implementation by governments or NGOs have become increasingly technical and resource intensive. Many public solutions, while impressive in their ambitions, have challenges. Not enough consideration is given to a solution’s implementation or usability. The Aadhaar system in India is perhaps the best example. It frequently suffers from data leakage and its legality is currently being debated in the Indian Supreme Court.
Technological complexity suggests that built-for-purpose vendors are more capable of the creation, rollout, and upkeep of digital identity solutions. These companies have developed considerable expertise and are better able to keep up with emerging technologies. They actively conduct demos and pilots to learn from the past and to develop best practices. As a result, third-party vendors can often provide a higher-quality product for a lower cost. Of course, there is the issue of vendor-capture, but with SSI --depending on the choice of platform-- this may be less relevant.
Why, then, do governments, NGOs, and international organizations continue to internally develop digital identity solutions when the utilization of a third-party digital identity provider can result in a more secure, scalable, and user-friendly solution?
In our forthcoming paper on self-sovereign digital identity, we introduce a number of leading identity firms and examine their respective solutions. The analysis is based on potential design requirements of stakeholders in the international development space --from inclusion to user control, access, interoperability, and protection. It is our goal to familiarize decision-makers in government, at NGOs, and in international institutions with viable and effective answers to their identity dilemmas.