Principles of Identity: An FPR Synthesis

Identity is now recognized as a crucial tool for development in the Global South. Sustainable Development Goal 16.9 explicitly targets "providing legal identity for all" by 2030. Key members of the international development community have, in turn, developed separate, yet overlapping principles for identification.

Prominent sets are within:

• The National Digital Identity Programmes: What's Next? report by Access Now
• The Known Traveller report by the World Economic Forum
• The Principles on Identification for Sustainable Development report by the World Bank
• The ID2020 Alliance Concept Note

Several thought leaders within the digital identity space have also developed their own principles or laws:

• Kim Cameron of Microsoft introduced seven laws of identity in 2005
• Christopher Allen presented ten principles of self-sovereign identity in 2016
  

These various sets are relatively consistent. Principles prevalent throughout this recent literature broadly include universal coverage and accessibility, protection, data minimization, and users' rights to fully control and transport their identities. We synthesize and recast these principles, but admittedly present a similar set. The major difference being that we have added a principle of "Inclusion" and removed that of "Existence." The former is critical for the adoption of digital identity in developing countries and the latter is implicit in other principles, including "Consent." We believe that this grouping sufficiently incorporates most suggested principles in the space. The resulting set is:

1. Inclusion - Identity should be available to all

Every individual should be provided with an identity from birth to death. Enrollment processes cannot discriminate against an individual due to ethnicity, gender, socioeconomic status, illiteracy, language, a lack of resources, or technological ineptitude. An identity platform should ensure minimum cost to the end user in order to maximize inclusion.

2. Control - Users must control their identities

An individual must have ultimate authority over their identity and all related data. Storage should be decentralized to the greatest extent possible. It is the user's prerogative to update, share, and hide any information. Solution administrators and/or stewards must be prohibited from revoking a user's identity.

3. Access - Users must have access to their own data

A user should be able to easily and directly access their identity and all related data. Gatekeepers cannot restrict access. An individual's identity should be accessible from anywhere at anytime --regardless of the possession of a mobile device. Access must not depend on technological or infrastructural capacity.

4. Transparency - Systems and algorithms must be transparent

The manner in which an identity system functions, is managed, and is updated must be publicly available and reasonably comprehensible. Solution design should be based on accepted standards and open source software --in part to prevent vendor lock-in. The governance model of the solution should be specifically defined and limited in scope.

5. Persistence - Identities must be long-lived

Identities and identity systems must last forever. Solution vendors should implement sufficient foundational infrastructure, and design sustainable commercial and operational models. As a caveat, the persistence of digital identities should not contradict the "right to be forgotten."

6. Portability - Information and services concerning information must be transportable

A digital identity cannot be restricted to a single solution. Users must be able to transport their identities --as well as credentials and attestations-- from one platform to another. The transfer of data should be uncomplicated. All vendors should strive for simple and consistent user experiences.

7. Interoperability - Identities should be as widely used as possible

There are numerous contexts in which an identity is required. Through open standards and scalability, digital identity vendors should allow myriad stakeholders to leverage the benefits of a solution. Different organizations, or databases, or registries must be able to quickly and efficiently communicate with each other globally through an identity system.

8. Consent - Users must agree to the use of their identity

Users must give explicit permission for another entity to access and/or utilize their data. The process of expressing consent should be interactive, deliberate, and well-understood by the user. Shared information must only be used for a specific function. No secondary or unconnected use can occur without a user's confirmed consent.

9. Minimization - Disclosure of claims must be minimized

Any identity solution should mitigate against the risk of correlation. A platform must minimize the type and quantity of information collected by an entity. A user should share only the least possible amount of data necessary to accomplish the task at hand. Minimization can help to ensure privacy.

10. Protection - The rights of the user must be protected

Any solution should be embedded with "privacy by design." Users' rights must always take precedence when in conflict with the needs of the network. Safeguards should exist against tampering, data traffic should be encrypted end-to-end, and restrictions should be placed on the monitoring of information. Affected parties must also be notified in the event of a data breach.

Utilizing our set of principles as a basis of analysis, we have asked a number of firms questions concerning the design specifications of their self-sovereign digital identity platforms and/or products. Through presentation of the resulting analysis, we hope to familiarize stakeholders in the international development space with effective solutions to their identity problems.

bit.ly/FPR-IDPrin