Digital Identity: Current Landscape
The concept of identity involves the way we recognize, remember, and respond to people and things. The transition to native digital identity, marked by software automation and digital signatures, aims to bring efficiency, security, and new possibilities to online interactions while addressing challenges posed by fragmented approaches and lack of a universal digital identity layer.
Digital identity is a burgeoning paradigm for how people create relationships digitally with peers, companies, and governments. As a result, there is a wide cohort of organizations and bodies that are involved in crafting the future of standards and how implementations can interoperate to protect the interests and privacy of individuals. The contributions of these organizations outlined here help to ensure solutions built are interoperable for many use cases and adopt the best practices for digital security and protecting privacy.
ISO and IEC have collaborated to publish standards like ISO/IEC 18013-5 for mobile driver's licenses, focusing on security and data exchange. AAMVA contributes to uniformity in the U.S. and Canada through model programs for mobile driver's licenses, while additional standards and regulations in the digital identity landscape play a vital role in understanding the broader context.
This article covers a list of relevant identity, privacy, and data protection laws and regulations that affect the conversation around digital identity, across the United States and the European Union.
In an ideal digital world, individuals should control their data and be able to hold and present various credentials, such as a university diploma and a driver's license, without disclosing unnecessary personal information. Standardized data formats and interoperability across different verifiers and wallet applications are crucial to ensure seamless integration of credentials, as recognized by efforts like the Mobile Driver's License (mDL) outlined in ISO/IEC 18013-5.
Today, our driver’s licenses are scannable physical cards we carry around in our wallets. Conversely, in order for cryptographically signed ID documents to be machine-readable for various use cases, there needs to be a cross-industry and cross-jurisdiction approach for standardizing data formats.
Authorization and authentication are two distinct concepts that are often used interchangeably but have different meanings in the context of computer security. Authentication is about verifying who you are, while authorization is about determining what you are allowed to do based on your identity and privileges.
It’s very simple in the modern age to copy and paste images, so we need to build security solutions to prevent that from happening. One way to combat this is through device binding.
Depending on the workflows selected by the DMV, mobile driver's licenses can be issued both in-person and remotely. The ability to issue driver's licenses remotely, without compromising on security by employing advanced security technology, improves the accessibility and convenience.
Retrieval of mDL data for verification, meaning presenting information to a Verifier to prove the validity of certain attributes about your identity, can happen in either an offline or an online environment. In addition to data retrieval models, the interactions themselves can be both offline or online, meaning attended or unattended.
In the increasingly digital landscape of identity checks, even the most technically-savvy individuals can be vulnerable to phishing scams. To address this, there is a need for thoughtful solutions that incorporate guardrails, such as indicators for trusted verifiers, varying risk levels for different types of information, and a societal shift towards minimal disclosure to enhance the security of digital identity checks.
The principle of minimal disclosure in identity verification emphasizes sharing only the necessary information, such as proving age for entry to an age-restricted venue, without divulging excessive personal details. To uphold minimal disclosure, it is crucial to prevent collusion between entities conducting verification and employ privacy-by-design technology to limit the correlation of information across different verifiers.
The surge in cybercrime, particularly identity theft and fraud, has led to over $5.8 billion in consumer losses in 2021, a 70% increase from 2020, emphasizing the urgent need for a secure digital identity infrastructure. With identity-related fraud affecting public benefits and financial assistance, businesses face significant costs due to data breaches, with the average cost for a U.S. company being $9.44 million, highlighting the global challenge and the importance of establishing a trustworthy and secure digital identity system.
In the envisioned future, individuals possess digital wallets containing credentials issued by trusted authorities, starting with cryptographically signed ID documents like mobile driver's licenses. These digital credentials, representing various aspects of one's identity, enable secure online verification, streamlining processes from opening bank accounts to accessing medical records.
Verifiable credentials are cryptographically signed ID documents, such as a driver’s license, that can be stored securely on a mobile device. They are cryptographically signed by the issuing authority and this signature can be verified by other parties.
To trust that a mobile driver’s license is authentic and has not been tampered with, it needs to be digitally signed by the issuer (such as a State DMV). Due to advancements in cryptography, this type of digital signature is now possible.
The critical privacy considerations for mobile driver's licenses involve limiting verifier collusion, ensuring selective disclosure where individuals only share necessary information, and addressing concerns about issuers tracking holders' movements; the goal is to prevent unintended surveillance and profiling, emphasizing user-controlled identity and selective disclosure to empower individuals in digital interactions and align with data protection regulations.
The Department of Homeland Security's (DHS) request for information (RFI) in 2021 prompted concerns from the Electronic Frontier Foundation (EFF), ACLU, and EPIC regarding potential privacy issues related to mobile driver's licenses (mDLs). The major concerns include increased identity checks impacting online privacy, potential misuse of centralized databases, equity issues with smartphone-dependent solutions, and the risk of digital IDs being controlled by a few Big Tech companies; the EFF emphasizes the importance of technology solutions to address these concerns, advocating for principles such as minimal disclosure and selective disclosure to safeguard user privacy.