Securing the digital economy

Our experience of the internet seems to be one of a myriad of passwords and separate logins, often being asked for the same information repeatedly as we create digital services accounts. There must be a better way, and a way which is more secure and less open to fraud.

In short, we need to make progress on how we create digital identities and establish the trust framework which allows those digital identities to be widely accepted. Done right, this can help ensure security and privacy controls are in place, and that the identity providers are appropriately regulated and overseen given their role as part of our critical digital infrastructure.

Government will of course play a key role as the ultimate authority on the identity of a citizen, and the regulator of any digital identity provider. But only by public-private co-operation can we harness the innovation, agility and scale which the private sector can bring in building the necessary solution.

When we look at the array of digital identity initiatives underway to date, the failures which litter the past, and the privacy challenges ahead it’s understandable if the casual observer is simultaneously inspired, cautious and reticent.

If we define digital identity as the movement to replace physical token of identity (such as passports and drivers’ licenses) with electronic certificates and infrastructure which make it easier to interact with the digital economy, we see considerable private and public sector effort underway, particularly in Europe and Asia. Amongst them, Swedish banks have successfully established a common digital identity card that now covers three-quarters of their national population. At the same time, other programs have experienced false starts as they navigate unfamiliar nuances of technology, regulatory and public opinion.

Unfortunately, despite a variety of successful programs introduced from Estonia to Australia, there is little consistency, and limited mutual recognition, between different approaches, in different sectors or countries. This makes it hard to envision a time when one single globally interoperable digital identity system could serve all, or most, of an individual’s identification purposes.

But that does not diminish the vast potential of such efforts. It’s worth remembering that it has been over two years since e-commerce sales passed the US $25 trillion a year point^[1], and it’s growing fast, providing a solid case for transitioning citizens to digital identity programs.

This would represent a massive shift from the current patchwork of paper-based identity documents in use, and the vast swaths of the world population where people have no identity documents at all, which complicates the delivery of social, health and development programs.

Widespread adoption of digital identity models would represent a great improvement from the status quo, since paper-based documents, with few authentication safeguards, are highly vulnerable to theft and fraud. Even the typical security measures incorporated into existing digital services often depend on basic authentication methods like readily hackable password protocols. When you consider that 87 percent of identity fraud occurring in the UK today is through digital channels, it’s clear that our security methods must change as we embrace the digital economy^[2].

Put simply, digital identity systems have the potentially to be vastly more secure than the paper documents they replace since they are underpinned by a strong, cryptographic certificate-based approach. They can also be further secured with time-limited and customized restrictions to control access to specific services or types of personal information.

With that in mind, imagine the massive potential if digital identity certificates can be bound to a citizen’s mobile phone – a technology that is highly accessible, affordable and familiar across much of the world’s population – creating a one-stop and trusted source of digital identity. And, these devices can be further secured by biometric features like thumb prints or facial recognition scans linked to the device. Suddenly, you have the underpinning to a strong, secure and accessible digital economy.

The above vision is increasingly within reach, when you consider the multiplying efforts to design the necessary controls for both emerging digital identity systems and the individual communication devices upon which they can be housed. In addition, creative approaches are being tested to apply decentralized, blockchain techniques, to avoid reliance on a large, centralized database model, and better manage and contain those risks.

Privacy is another complex - but far from unsolvable - hurdle to digital identity implementation. Although some may question whether digital identity will compromise individual privacy rights if system providers gain unlimited access to each individual’s transactions and behaviors, such risks can be mitigated by architecting systems to minimize the amount of transaction data collected as part of identity verification. Essentially, by establishing clear privacy principles upfront, and incorporating them into the design foundations, you can embed the necessary protections into these systems. This approach will also help build digital trust with end-users, and assist in driving widespread adoption, and the required scale, to deliver many of the benefits of digitization.

In fact, building digital trust is every bit as important as the underlying security controls. And earning such trust could hinge on partnership between the private and public sectors.

First, governments must play a core role in ensuring the correct structures, controls and governance are in place. They must then introduce and explain these systems with transparency and accountability. The European Union, for example, recently completed its consultation on an EU digital identity, which will extend rules for electronic transactions to the private sector and promote trusted identities for all Europeans, including safer and easier use of online services and more control over personal data. You can hear more about the critical role privacy plays in the new BBC World Planet ‘digital identity’ series here.

Private sector technology firms can also play an integral part in earning user acceptance since many of these global names are already trusted providers of authentication mechanisms on popular digital services. The private sector can often bring great value to such public/private partnerships through their ability to instill ease and simplicity into system design.

At the end of the day, the challenges of rolling-out digital identity are not insurmountable, but we must learn from previous failures and perhaps the belief that technology by itself can provide a silver bullet.

We will only realize the vision of a secure and usable digital identity infrastructure if all parties work together and build public trust in the operation of system. This will require collaboration across sectors and geographies to achieve consistency and scale – alongside embedded security, privacy design and user-friendly function – and we will need to build this consensus over time, and also recognize the different culture and political environments this must work across. Organizations such as the World Economic Forum have a key part to play in creating this community and build momentum, and their recently publication on the future of cybersecurity, emerging technology and systemic risk is a great primer on the challenges ahead.

If we get this right, we can securely connect the world to the digital economy and drive economic growth and social development; and surely that is a benefit to us all.