With the rise of national digital identity in several countries, and the very real need for one billion people around the world without an official identity, there are many questions around how best to do it; what is the right kind of technology? What level of privacy is required? Who should be responsible for it? I’ll say it now; there are no perfect answers, but there’s a lot to consider for each question. We must consider what is ideal, but more importantly, what is feasible.

The new technology on the block is blockchain (genuinely no pun intended). There is a lot of hype around blockchain based digital identities, and though I’m always weary of hyped up “new” technologies, when it comes to privacy, I can see why people might consider blockchain platforms. It is good to consider though, the vast majority of blockchain transactions, are not truly private and we can classify them as pseudo-anonymous. This just means that everyone can see when and with who a transaction is made with anonymous user names, like who signed a contract with who, or who sent money where. With some investigation it is possible to uncover identities but it’s not easy.

Maybe we should quickly look at some of the advantages of a national digital identity before going further. I’ve dug into this in previous posts, which you can find here, but to summarise very quickly, national digital identities, when widely used and truly trusted, enable automation across government and connected online services, and high assurance, remote transactions like money transfers and contract signing. It’s the latter advantages that are called into question when the topic of privacy is brought up alongside government oversight of the identity.

Theresa May, as Home Secretary in 2010, said ID cards in the UK would increase control over citizens. This feels like a fairly baseless comment, due to the fact, that in 2010, there were very few national digital identity solutions in existence, let alone any that would even hint at this. Almost ten years on, and even now, China is the only country I’m aware of that has done something like this, and, at least in my opinion, I don’t think the governments in China and the UK are comparable. It may be that Mrs. May’s comment stems from a feeling that citizens don’t trust their government to always act in their best interest, but rather than get too political, I’ll stop that train of thought for now. Imagine there were leaves on the track.

For me, the average citizen, I like the feeling that if someone steals money from my bank account or spends money on my credit card without my permission, that money can be returned to me or the transaction cancelled. Maybe the bank loses out, but they are better able to afford it. In 2018, $1.8B of cryptocurrency was stolen and some claim you only have a 1 in 5 chance of getting it back. Now if we put that in terms of identity, can we make the assumption that if someone steals your identity or acts on your behalf, there’s only a 1 in 5 chance you’ll be able to prove it wasn’t you? That might not correlate, and I may have a mild bias against blockchain, but happy to discuss in comments.

I know a lot of this has been about blockchain, but it does appear to be the competing technology to existing digital identity solutions based purely on PKI and a centralized identity provider. When we look at the latter option here, there are some quick and easy advantages to call out like the ability to delete certain information from record (required by GDPR) and the idea of transparency with regards to who has looked at your data. So, in terms of feasibility here, blockchain may not fit.

So blockchain can provide privacy in a way that everyone can see every transaction, but it’s effectively anonymous, while a centralized identity service on a decentralized data exchange platform provides privacy in a way that only those that have your data can see that data, only a trusted third party can see all your transactions (only metadata), and you can see who looks at your data. Though we must trust the identity provider in the centralized option, we must trust someone in all scenarios, whether it’s a cryptocurrency exchange or those maintaining a blockchain, or a national Certification Authority (CA) or government department.

When it comes to privacy, we do have to consider real world feasibility. Where we have laws and regulations, we must abide, and sometimes we are forced to give up certain privacy rights. I’m not shocked or appalled that if the police ask for my identity document, I’m obliged to present it. I’m not outraged, that if a judge deems good reason, the police can enter my home and search it. So, when it comes to my data, I understand why the government would expect the police to have access to it in a simple manner when justified. So, these laws take some privacy away, but other laws (in Estonia) apply severe punishments to those that access my data without permission, or laws that force businesses to release my data to me or delete certain data about me (in Europe). These laws also ensure that my data cannot be used in ways I have not given permission for (in Europe, California, and spreading). So, while a blockchain solution might seem great for privacy, it might not conform with the rules and data regulations in a specific country, bringing feasibility into question.

In terms of who is responsible for the digital identity service itself, a good option, and an option used here in Estonia, is a third-party trust service provider that, by law, is unable to use any of the data it receives and stores for any reason other than when requested by law to provide it. It is separate from the government. It’s audited under ISO standards and its technology is evaluated by certified third parties. If I had to trust anyone with my digital identity, this is who I’d trust. Another option is, of course, the government itself. The same government that already has most of my personal data, is responsible for my taxes, my pension, and for some, their benefits and welfare. We already have a fairly serious amount of trust stored in the government, whether we like to think it or not. Of course, a widely used digital identity across not just the government but also private businesses will provide the government with interaction data, such as who, when, and where, but we then must rely on the rules and regulations in that country to be upheld.

It’s a tough one. It’s unlikely any one solution will make everyone happy, fulfill all their privacy beliefs, and still abide by the latest data privacy regulations, but when we look to real world examples of what’s in place and what has been successful, as I often tote, Estonia is where we should be looking; thousands of services, hundreds of millions of automated transactions, trusted online voting, and no public outcry regarding data misuse.

Privacy comes in many different forms, on quite an extensive spectrum, and can mean very different things to different people. Could society function if no one knew anything about anyone? There are interesting thought experiments to be had on this topic, but where ever they take us, we must always try to stay routed in what is possible or feasible in modern society.

@MaxCvdP