Towards a Common European Digital Identity

Lichelle Wolmarans

12 November 2019

Shifts in both the demand and supply of digital identity solutions are pushing governments to consider their role in the management of digital identities. With a greater need for frictionless digital public services, what role can European governments play in supporting innovative and universal digital identity solutions?

Modern citizens have to manage a range of digital identities across public and commercial platforms, including social networking sites, e-commerce, banking and government services. The boundary between online and offline identity continues to blur as digital services seep into most aspects of everyday life. Catalysing the need for a universal digital identity services which operates across a wide range of use cases is the rapid expansion of the Internet of Things (IoT) – the number of connected devices installed globally is expected to triple from 23bn to 75bn over the next five years. 

Consumers have rising expectations that their interactions across devices and services are personalised and consistent, which has largely driven the proliferation of digital identity products. Advanced digital identity authentication solutions are required to seamlessly operate and access networks of interconnected devices and services. BCG predicts that the market for identity authentication and fraud solutions is set to reach $28bn by 2023

We are transitioning into a world in which digital identity acts as a virtual key to access essential aspects of daily life. Digital identity is the backbone of future public services, enabling citizens to interact with government in an efficient, effective and secure manner. It is also a multiplier of future economic value, substantially reducing operational costs for governments and businesses. Digital identity systems also open access to healthcare, financial inclusion, and education to those who lack a formal identity.

Euopean governments are jumping on the opportunity to increase the effectiveness of public service delivery. The UK (GOV.UK Verify), France (Alicem), Belgium (Itsme), Italy (SPID), Denmark (NemID), The Netherlands (DigiD), Sweden (BankID), Norway (BankID), Finland (TUPAS), Switzerland (SwissID), and Poland have introduced national digital identity programmes, some of which involve biometric data. The market for digital identity services is, however, fragmented, unstructured and complex to navigate. In Europe, the digital identity ecosystem is distributed across multiple different national systems, regulatory environments, levels of digital governance, culture, and varying levels of trust in institutions. 

Without a common digital identity service across Europe, citizens from different countries will experience a varying range of data protection and ease of access to digital services. With shifts in both the demand and supply of digital identity services, what role can European governments play in laying the groundwork for a common digital identity service across Europe?

FOCUS ON USER EXPERIENCE

In a world where people are transacting across borders, a European system of digital identity is important for helping people access public services as they move across jurisdictions. Public services should scale alongside businesses within the Single Market. The 2016-2020 European eGovernment Action Plan sets out a strategy to deliver efficient, inclusive and user-friendly crossborder end-to-end digital public services. A common European digital identity service would be one way to facilitate the delivery of such inclusive, cross-border public services. 

Estonia has recognised the value of user experience in interactions between citizens and states, and has used its government user interface to attract business and capital into the country.  Estonia’s e-residency programme essentially redefines what it means to be a state, offering its digital user experience as a service to anyone with a registered Estonian digital identity. The country hopes that people across the world will register as an Estonian e-resident, to make use of its digital government services and conduct business more effectively. 

A selling point of digital identity software is that it is easier and more secure to use than remembering unique passwords and usernames for different services. Many studies have shown that consumers prefer to reuse a single digital identity rather than rely on multiple passwords, usernames and credentials. However, there are currently dozens of different identity verification products on the market, and none that provide a universal and transferable identity across all applications, platforms and services. A crucial component in improving user experience will be to address market fragmentation. 

 Mandating a single pan-European eID system and provider, may have detrimental effects for innovation. Additionally, not all governments are equally far along in their digital transformation – some may struggle to adopt a mandated technological solutions, whilst others, such as Estonia, may feel held back by the same solution. A healthy ecosystem of suppliers will give consumers greater choice, push down the prices of solutions and force companies to innovate to capture market share. 

“If states and government agencies all adopt different digital identity solutions that are not interoperable, then many of the efficiency gains of using digital identities are lost.”

Market fragmentation becomes a problem when systems are not interoperable, thereby introducing friction for the users. If states and government agencies all adopt different digital identity solutions that are not interoperable, then many of the efficiency gains of using digital identities are lost. The management of multiple online identities for different governments and services, leads to incongruencies between those identities which may present administrative and bureaucratic burdens for individuals down the line. In order to prioritise user experience, innovation and competition in the market should be supported, alongside a stringent set of standards on interoperability, user-friendliness and data protection. 

Government mandates still have a role to play at the national level, where agencies and institutions may be reluctant to adopt the use of digital identity services. Denmark, which has one of the most developed digital governments in the world, used legislative measures to deal with market fragmentation, forcing institutions and government agencies to adopt the national eID. In the Danish experience, the only way to get various actors on board with the national eID system, was to use legislation to make it mandatory. 

Solutions will only succeed if they are designed with consumer preferences in mind – the more frictionless and less visible digital identity verification systems are, the more likely they are to be adopted. To encourage and build trust in digital interactions with government, citizen user experience must be front and center. User experience is, however, not well served by a fragmented market. Governments should push to ensure that, in lieu of a common digital identity service, national digital identity systems are interoperable.

FACILITATE SECURE AND APPROPRIATE DATA SHARING

Artificial intelligence and machine learning has the potential to automate large parts of the identity authentication process, which would make the process seemingly invisible. Algorithms can search for digital footprints, which are generated by a wide variety of activities and transactions individuals engage in online on a daily basis. These digital footprints can be used as a verification of identity rather than the static credentials stored in government databases. However, many users and data points are needed to train these algorithms. The larger the available data set, the more efficient, effective and accurate identity verification will be. Sharing data securely and appropriate will enable governments to offer a new generation of digital identification services.

Digital identity is a more secure way to access services, both public and private, than usernames and passwords, but still has many vulnerabilities which enable identity theft and fraud. Identity fraud in the UK alone has risen by 50% over the last three years. Synthetic identities combine valid identity artifacts with false information to create fictional identities.  Using an initial stolen identity artifacts, such as a National Insurance (NI) number or Credit Profile Number (CPN), malicious actors initiate “proof of life” events to build a synthetic digital identity trail. With a well established digital identity trail, synthetic identities can be used to open bank accounts and make fraudulent claims, transactions and purchases. Synthetic identities play a large role in the cross-border flows of money between and within criminal organisations. 

Harnessing the power and data of a shared digital identity network across the EU would help defend against this problem. With access to a large enough database of personal information, digital identity networks can be trained to spot anomalies and detect synthetic identities. The effectiveness of the digital identity networks in doing this will depend once again upon the size and quality of the available dataset. Using an accurate and intricate EU dataset provides more sources of information against which to cross-reference identities and is therefore a more effective approach than addressing the problem at the national level. To facilitate the data sharing necessary to counter the threat of synthetic identities, identity and threat data needs to be standardized, structured and organised so that governments and businesses can quickly incorporate it into existing data sets. 

In April 2019 the EU voted in favour of creating the Common Identity Repository (CIR) to simplify border control and policing. The CIR is a massive interlinking of biometric databases of both EU and visitors. A large databases of personal information introduces its own range of risks for individuals. Because biometrics are permanent, if the repository is compromised, individuals’ personal data is compromised permanently. Personal information should be protected using hashing, and the hash algorithm shared between government organisations to authenticate individuals. 

The threat and risk of a system wide shutdown increases as everyone uses a common digital identity service. This happened to Denmark in 2013 when a DDoS attack caused the entire national digital identity system to shut down, resulting in a halt of government digital services and internet banking. If an interoperable system is to be rolled out across Europe, legislation needs to be used as a tool to standardise security levels across governments and institutions so that there is no weak point in the system. 

PROMOTE TRANSPARENCY AND CITIZEN CONTROL OVER DIGITAL IDENTITIES

Protecting individuals and their data should be of central concern to any digital identity service. Unfortunately, convenience often takes precedence above security for consumers. 41% of respondents in a study declined the use of multi-factor authentication for their social media account. Identity solutions must account for the fact that consumers expect greater security but are unwilling to incur extra costs or change their behaviour to ensure greater security. Storing information using distributed ledger technology, rather than in centralized databases, as government tends to do, provides greater protection of personal data.

“Protecting individuals and their data should be of central concern to any digital identity service.”

If all documents tied to individual identity were stored on a distributed system, individuals would have greater control over who can access their information, whilst ensuring safety. Using smart ledgers, individuals could grant or revoke access to documents, and control forwarding rights, restricting third-party access. Such self-sovereign identity systems could completely reshape the role of government actors within the identity ecosystem, with individuals being the ultimate guardians of their digital identities. 

Estonia has established a portal which gives individuals access to a log of every actor who has accessed their personal information through the national digital identity system. In one click individuals can report unwanted or intrusive access to their data to an ombudsman, which will then place an onus on civil servants or practitioners to justify the intrusion. A pan-European digital identity service which grants diverse sets of actors access to personal information, must be built on principles of transparency and accountability. Especially amidst increasing concerns about the development of surveillance states, governments will have to earn and maintain citizens trust in order to successfully implement a supranational system. 


SUPPORT INNOVATION IN THE DIGITAL IDENTITY MARKET

Banks are currently the largest investors in digital identity software, collectively pouring over $1bn a year into developing solutions. Banks have an advantage over governments and third-parties in capturing this market, as they have already verified the identity of large proportions of the population, and have transferred those identities online. Under European legislation, banks also have to keep a detailed record of how they have verified a customer’s identity – something that smaller providers, especially those using digital footprints as verification, may struggle to do. 

Due to banks advantaged position within this market, several national governments have partnered with them to develop national digital identity verification services. With banks entrenched as providers of digital identity solutions, many smaller innovative companies struggle to access the market. AidTech, Yoti, Onfido, and Passbase are just a few of the startups who possess potentially market-disrupting technology. Though these startups have managed to raise venture capital, governments should evaluate the barriers to entry for these companies, and consider changing regulations which exclude them from the market. 

“Governments should investigate how data can be made available to help startups scale their solutions without compromising the security of data subjects.”

Startups with the most promising technology, face a catch 22. In order to scale products they need users on their platforms and access to a large number of data points. However in order to attract users and generate data, they need a product that is already scaled and has a successful track record. Market incumbents such as banks and governments also control many of the important types of data which could be used for identity verification. Without access to this data innovative companies struggle to develop their solutions. As a result there are fewer affordable, accessible, and user-friendly market-ready products for governments to choose from. 

Governments should investigate how data can be made available to help startups scale their solutions without compromising the security of data subjects. In addition, governments should also ensure that the co-development of identity services with banks, does stifle innovation in the digital identity ecosystem. 

The GovTech Summit will gather the champions of digital innovation in government from all around the world – make sure you don’t miss this unique opportunity to hear from public leaders & entrepreneurs transforming public services. Get your ticket now.

One Comment

  1. Will Ross December 12, 2019 at 11:40 am - Reply

    Comprehensive overview of the dynamics and barriers. Always interesting to see the ways that digital ID improves access to services: banking, civic participation, professional accreditation.

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.