17. Digital Identity: Which Way José?
A year on, there has been little progress with Digital Identity, but at last there are some indications that the strategic question will come into focus...
Digital Identity 2024: a lot of talk, more regulation, EU pilots starting up, Passkey expansion, but little progress towards actually coming up with an answer to the big question:
“how do we implement a national identity infrastructure?”
But there is hope - recent pronouncements in three different countries suggest that this broad question is coming into focus. The evidence is somewhat circumstantial but I invite you to make up your own mind about Australian Age Assurance, Aotearoa New Zealand Age Assurance, and a US pivot to Identity Authorization Networks.
And I invite you to think about the future…
Australian Age Assurance
Isn’t it great when politicians legislate something into existence - it removes all that messiness of Business Cases and Net Present Value analyses. And that is what the Albanese Government has done by decreeing that Age Assurance must be live by December 2025 and initiating an Age Assurance Trial that is due to report back by June 2025.
Now Age Assurance is an identity problem at heart - the challenge is to authenticate a person and check that their age (a credential) is within range. This is the goal of this trial which will consider three technology options:
Age Verification: like Identity Verification, images are taken of identity documents and combined with live video of the person to confirm the individual is of a certain age (as recorded in their identity document such as a drivers license)
Age Estimation: utilizes sensory information (face, movement, voice) to estimate the age of a person
Age Inference: highly general big data approach of using broad sources of information to infer age
It’s good to see progress, but:
Clearly Age Verification has useability challenges - there are a lot of moving parts and it takes time.
Clearly Age Estimation and Age Inference have accuracy challenges - they have the words ‘estimation’ and ‘inference’ in their titles for a reason.
Are these the only alternatives? Why has the trial limited its solution scope? See below for two more options.
Aotearoa New Zealand Decentralization
Over the ditch in Aotearoa New Zealand, the Department of Internal Affairs has established the Trust Framework Authority (TFA) to regulate the Digital Identity Services Trust Framework that supports the accreditation of Digital Identity service providers.
The TFA recently added some resources including a use case for age assurance! This use case is a decentralized solution which is unsurprising as the TFA states in Key concepts and principles that: “Personal information will not be held in a centralised database … The rules and regulations for the trust framework support a decentralised approach to the holding and sharing of information”.
Great, but one can only ask:
Why has Australia not recognized the one technology option that New Zealand has adopted as the chosen solution for Age Assurance?
Why is New Zealand so confident that this solution will work when there are no functioning solutions yet implemented?
Leading Research Agency in USA finds IANs
I have been a great fan of liminal.co — for many years they have covered the big strategic issues of Digital Identity, and they are now recognizing Identity Authorization Networks (IANs) as the next emerging trend.
In their report, they compare IANs to BankID in Scandinavia and as the name suggests, find that networked organizations is a central aspect of such solutions. IANs will provide a “scalable, cost-efficient, and user-friendly solution that securely links real-world identities to online actions.” Heady stuff but:
why do neither Australia or New Zealand recognize IANs?
Identity 2.0, Identity 2.5, and Identity 3
All these initiatives fit into the framework of identity evolution that I described some time ago:
So, three fundamentally different approaches, two of them by governments of neighbouring countries.
My Questions to You
The first obvious question is “how can all these three initiatives be so widely different in a world of instant access to information and expertise?” This is a most bizarre situation and while I know the apologists that will say this is normal and good and all that type of excuse-mongering, the bottom line is that we all (especially governments) should be better at defining the options for Digital Identity.
My second question is “if we do not have a full view of all the options, how can we make good strategic choices?” These are important issues and we should ask why we are not better informed. Someone ought to insist on some better strategic thinking before we leap into decision mode (maybe it is already too late?).
My third question is “Which way José?” I expect the answer must be Identity 2.5 Networked simply because it is the only cost effect, secure, and useable approach. I just hope we have rational decision making processes.
Best wishes for the holiday season,
Regards
Alan