Empowering citizens to manage their own data helps restore the trust economy by highlighting the value that services provide in return for data access.
The Optus data breach, and more recently the Medicare data breach, is having a ripple effect across industries as citizens now begin to question where, how and why their personal data is needed, let alone being stored by organisations.
In the natural course of life, we are regularly asked to share attributes of our total identity profile (TIP) with organisations that in turn will confer upon us a trusted & verifiable accreditation that can be used by other organizations to provide us a service or controlled good.
While that may seem like a mouth full, in simple terms it means sometimes organisations need to be sure we are who we say we are before they can give us access to what they offer. The problem is that no single identity document serves all purposes and the documents we do have, offer often too much unnecessary private information.
In response, the Government is taking new steps to enlist digital identity strategies. In New South Wales (NSW) for example, a new Digital ID program has been promised that builds on and ‘improves’ the work already done by the Federal myGovID program.
The program, dubbed simply ‘NSW Digital ID’ will see NSW pilot photo verification technology that will empower customers to have more control of their personal information while enabling convenient and secure proof-of-identity transactions online with both government and business.
However, while the move towards such digital identity services seems great in principle, the proposed ecosystem may fail to attract uptake from privacy-savvy Australians who seek more control over how and when their data is used. Why? Because at the end of the day, the citizen does not own their data, the Government does.
Before we know it, we’re back in an ‘ownership’ dilemma — sparking a holding pattern at which trust is at the crux of. And so the first step in solving this problem is to give citizens the opportunity to take back control of their data in a simple, frictionless way.
At a high level, this is what the Government’s Trusted Digital Identity Framework (TDIF) system aims to achieve. However, simply taking control of your data in this way does not solve the problem of privacy and trust. Under TDIF, the third party still has full visibility of all citizen data irrespective of the need for it, which raises a series of concerns from savvy and trust-led users.
This is where the concept of a Self Sovereign Identity (SSI) system comes in. SSI turns data privacy on its head and gives control of what is shared back to the user. A digital version of an ‘identity wallet’ is created where users can store any and all credentials that contain attributes of their TIP — be it Medicare card, passport, university degree or tax file number.
While it may sound similar, this is not what’s being offered under the proposed NSW Digital ID program. Reason being, SSI is the collection of personally identifiable data attributes of a physical or digital credential/accreditation, which is then validated in real-time through an encrypted digital verification key (not the actual data attribute) that is issued by an issuing authority — such as a Service NSW.
One key difference to pull out here is that the NSW Digital ID program relies on a photo verification process, as opposed to digital verification keys. Whilst this is an important and necessary step forward as it means all verifying bodies will need to store extremely sensitive biometrics data from the user in order to be able to confirm it is them requesting verification of their data.
Conversely, an SSI system doesn’t give the data requester ‘free reign’ on citizen data that isn’t necessary to the service request, as this overtime could lead to a case of data abuse from those who lack accreditation to access such information or a breach as introduced here. At the end of the day, the best way to avoid a data breach is to never hold the citizen data in the first place.
Whilst both TDIF and SSI systems have developed quite separately, SSI builds on the principles of the TDIF and NSW Digital ID in that it provides an arch that bridges from a blanket approach to data access, into citizens deciding how much of that data verifiers really need to see in order to provide a service.
The system is made possible by emerging data treatments such as Zero-Knowledge Proof (ZKP) and Decentralised Identifiers (DID). Under ZKP you can prove something about your identity without ever saying explicitly what it is, for example your age or income. While with DID you don’t have to store that proof with any particular organisation.
The truth is, we’re not far from achieving an SSI system. There are many organisations already offering leveraging products underpinned by SSI principles, such as ConnectID from Australian Payments (previously EFTPOS) and perhaps one of the most complete and available market offerings is Datakeeper.
Built on SSI principles, Datakeeper is a new digital wallet built by Rabobank in Europe. It’s a great example of a universal digital wallet application that facilitates identification, data sharing and electronic signing in a safe, fast and secure process. Through Datakeeper, users can provide service providers with validated data, such as age and income, which is safely and decentrally stored on a user’s own mobile device and nowhere else — similar to the NSW Digital ID, but not underpinned by the use of biometrics.
Systems underpinned by SSI, such as Connect ID and Datakeeper, allow users to rent a car or apply for a mortgage all in the palm of their hand, and eliminate the need to carry additional documents. Not only is this convenient for the user, but empowering citizens to manage their own data in this way also helps restore the trust economy by highlighting the value that services provide in return for data access.
IT and data security is like an arms race, there is always someone smarter or willing to spend more to get access to data of value. We can’t blame Optus, or Medicare ask for and holding your data, as they could not provide their service without it. What we need to do is to provide them a mechanism that’s not regulatory and technical so that they can infer your personal data and never actually hold it.
SSI is the next natural step in protecting citizen data by building on the government’s existing data systems, including TDIF and the NSW Digital ID systems, to create a unique infrastructure to provide verified digital identity services across departments and organisations. A system built on self-sovereign identity principles creates an opportunity for a seamless digital ecosystem that government, businesses and most importantly citizens can benefit from, without risk or doubt, to create truly frictionless digital experiences and it’s why the future of Australia’s digital identity system needs to be self-sovereign.
Gustavo Quiroga is General Manager of Mobiquity in APAC