Building Trust in the Digital Economy through Digital Identities

Guest blog from TrustCloud as part of our #UnlockingDigitalID campaign week 2024.

In the evolution of the digital economy, trust is an invaluable currency. The ubiquity of smartphones has proliferated the widespread adoption of digital identities by governments and private-sector players to democratise access to public administration and socio-economic services and bolster e-commerce activities. Secure and verifiable digital identities facilitate the safe interaction of online actors and are crucial to building trust in the digital service ecosystem.

A digital identity (DI) is a digital representation of an individual’s or entity’s identification data comprising of personal attributes such as name, address and biometric information (facial images, voice, fingerprints).

Centralised Digital Identities (CDI): Challenges and Shortfalls

A CDI is issued by a single authority which collects, stores and manages identification data by assigning each user a unique identifier and act a single point of reference for such information. The system is predominantly utilised by governments and corporations to authenticate individuals, grant access to resources and enable transactions. Examples of identifiers include usernames, financial account numbers and government-issued credentials such as national IDs, social security numbers.

Fraud has become an underlying menace in the DI ecosystem with the amplification of document forgery using fake credentials, identity impersonation through deepfakes and compromised security of ID databases through data leaks, criminal and state-backed hacking. The centralised control and storage of personal data creates a target for malicious actors to launch cyber-attacks. According to the UK Finance Annual Fraud Report 2024, losses reported from fraud-related crimes in the UK (2023) reached a staggering £1.17 billion. Consequently, organisations are shifting towards a zero-trust environment. The deployment of identity verification solutions such as TrustCloud VideoID provides document authentication (MRZ checks, optical security feature assessment), biometric recognition (face-match), two-factor authentication (OTP), liveness tests and deepfake detection solutions mitigate the risk of identity theft by validating the identity of online actors.

From a consumer vantage point, CDIs necessitate the creation of multiple digital identity accounts whose credentials management can be overwhelming to the end-user. Poor password hygiene such as password reuse may result to data leaks. Furthermore, some organisations may process or transfer the personal data of their users without obtaining proper authorisation due to the opacity of information handling practices by the issuing authority.

Decentralised Digital Identities (DDI): Empowering Individuals

A DDI provides unified storage for multiple identity credentials in a digital identity wallet, independently managed by an individual, without relying on centralised intermediaries to authenticate their identity. Since the credentials have already been validated by third party sources, the process of identity authentication is accelerated leading to faster and seamless onboarding processes.

eID wallets grant the user direct and exclusive control of their personal data by enabling them to restrict the amount of information shared with third parties. DDIs are built on blockchain which employs distributed ledger technology to collect, process and store information in an immutable, transparent and tamper resistant manner. For example, TrustCloud Digital Wallet uses encryption technology to store identity credentials in the form of cryptographic keys which reduce the risk of data breaches and cyberattacks considerably.

EU Perspective

The legal recognition of DIs was benchmarked in the EU through the enactment of eIDAS Regulations (EU) No. 90/2014. The legislation championed the establishment of national eID schemes and trust services where member states were invited to create and implement national eIDs that adhere to certain regulatory standards. These CDI systems were designed to create a digital profile where the identification data of each EU citizen could be uniquely presented, verified and attributed. The introduction of qualified electronic signatures and seals proliferated trust in the DI ecosystem as they provide a virtual legal equivalent to handwritten signatures.

This trust was fortified further by the enactment of eIDAS 2.0 Regulations (EU) No. 1183/2024 which inaugurated the EU DI Wallets. These wallets are set to promote interoperability between various national eID schemes by allowing individuals to manage their identity credentials and attributes independently and enable them to access digital services across the EU in a seamless manner, whilst maintaining high standards of privacy and security. Furthermore, the legislation provides for the electronic attestation of attributes as a trust service. This enables EU citizens to validate the authenticity of their identity attributes through the selective disclosure of attested attributes e.g. a user can prove their age without disclosing the full date of birth.

UK Perspective

The UK has had a unique approach to digital identity with no centralised identity management system that issues legacy national IDs. Consequently, the quest for digital identities has been rooted in the private sector although supporting legislation is yet to be enacted.

The Digital Identity and Attributes Trust Framework (DIATF) published in 2021 by the UK Department of Science, Innovation and Technology (DSIT) set industry standards to benchmark the delivery of trusted digital identity solutions. By demonstrating their adherence to these standards, organisations receive certification as either an identity, attribute or orchestration service provider. Though voluntary, the DIATF certification has strengthened user trust and confidence by affirming that registered providers implement robust data protection, AI governance and cybersecurity practices.

The Data Protection and Digital Information (DPDI) Bill proposed in 2022 was intended to make provision for identity verification services and facilitate the legal recognition of electronic signatures and the DIATF. Unfortunately, the bill was quashed with the change in government mandate before it was finalised. Nonetheless, the newly proposed Digital Information and Smart Data Bill seeks to solidify the position of DIATF in the creation of digital identity products and services and set up data schemes that allow secure sharing of customer data.

Conclusion

Digital identities have revolutionised trust in the digital economy, enabling secure and reliable authentication of individuals and entities online. While centralised systems have historically provided this trust, decentralised identities are redefining it by empowering individuals to control their own personal data. Without decentralisation, eID systems pose a significant threat to humanity, as the concentration of personal data in the hands of a few entities heightens the risks of exploitation, surveillance, and data breaches. This human-centric approach mitigates the risk of data misuse and sets the foundation for a more democratic and inclusive digital ecosystem.

Welcome to techUK’s 2024 Digital ID Campaign Week! On the 14-18^th Oct, we are excited to explore how our members are increasing efficiency for both businesses and users, combatting fraud, as well as what creative and innovative ways our members are expanding our understanding of Digital Identities.

Whether it’s how we’re communicating, shopping, managing our finances, dating, accessing healthcare or public services, the ability to verify identity has quickly become a critical vanguard to the Digital Economy.