Digital identity and…the United Nations Sustainable Development Goals?

Over the last few years, I have approached digital identity(ies) from a particular perspective, concentrating on the different types of digital identities that we have (none of us has a single identity, when you think about it), and the usefulness of these identities for various purposes, including purposes in which the identity of the person must be well established.

I have also noted the wide list of organizations that have expressed an interest in digital identity. Because of pressing digital identity needs, many of these organizations have moved forward with their own digital identity proposals, although now they are devoting more effort to ensure that their individual proposals play well with the proposals of other organizations.

Enter the United Nations (or part of it)

Well, let’s add one more organization to the list of those concerned about digital identity: the United Nations.

Although actually “the United Nations” is in reality a whole bunch of separate organizations that kinda sorta work together under the UN umbrella. But each of these organizations can get some oomph (an international relations diplomatic turn) from trumpeting a UN affiliation.

So let’s look at the Better Than Cash Alliance.

Based at the United Nations, the Better Than Cash Alliance is a partnership of governments, companies, and international organizations that accelerates the transition from cash to responsible digital payments to help achieve the Sustainable Development Goals

Note right off the bat that the Better Than Cash Alliance is not focused on digital identity per se, but digital payments. (Chris Burt of Biometric Update notes this focus.) Of course, digital payments and digital identity are necessarily intertwined, as we will see in a minute.

Enter the Sustainable Development Goals

But more importantly, digital payments themselves are not the ultimate goal of the Better Than Cash Alliance. Digital payments are only a means to an end to realize the United Nations Sustainable Development Goals, issued by a different UN organization.

Because of its primary focus, the Better Than Cash Alliance concentrates on issues that I myself have only studied in passing. For example, I have concentrated on the issues faced by people with no verifiable identity, but have not specifically looked at this from the lens of Sustainable Development Goal number 5, Gender Equality.

Principle 2 of the UN Principles for Responsible Digital Payments (October 2021 revision)

For this post, however, I’m going to focus on the digital identity aspects of the Better Than Cash Alliance and its report, UN Principles for Responsible Digital Payments (PDF), which was just updated this month (October 2021).

One of the key factors outlined in the report is “trust.” Now trust can have a variety of meanings (including trust that the information about my identity will not be used to throw me into a terrorist concentration camp), but for my purposes I want to concentrate on the trust that I, as a digital payments recipient, will receive the payments to which I am entitled.

To that end, the revised principles include items such as “ensure funds are protected and accessible” (principle 2), “champion value chain accountability” (principle 9), and other principles that impact on digital identity.

The introduction to the discussion on principle 2 highlights the problem:

A prerequisite of digital payments is that they match or surpass the
qualities of cash. All users rightly expect their funds to be safe and readily available, but this is not always the case. The causal factors behind this are multiplex.

(“Multiplex”? Yes, this document was written by government committees. Or movie theater owners.)

AMC Ontario Mills. (California, not Canada.) By Coolcaesar – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=104309320

To avoid the multiplexity of these issues, one offered response is to “proactively track and protect against unauthorized transactions, including fraud and mistakes.” This can be done by several methods near and dear to us in identity-land:

Advocate for appropriate security controls to mitigate transaction risks (e.g., biometric security,34 two factor authentication,35 limits on logins or transaction amounts,36 creating “need-to-know” administrative privileges for interacting with client data).

Now most people who read this report aren’t interested in the footnotes. But I am. Here are footnotes 34, 35, and 36 from the document.

34 Examples include the use of biometrics in India’s Aadhaar identification system, and UNHCR’s use of iris technology to distribute cash to refugees in Jordan

35 See EU PSD2 Articles 97–98, Ghana’s Payments Systems and Service Act, 2019 (section 65(1)), and Malawi’s 2019 e-Money regulations (section 17)

36 India Master Direction on Prepaid Payment Instruments, Section 15.3

Of course the report could have cited other examples, such as the use of fingerprints for benefits payments in the United States in the 1990s and 2000s, but I’m sure that falls afoul of some Sustainable Development Goal.

Although it’s harder to criticize a UN entity, such as the aforementioned UNHCR, when it uses biometrics.

Or maybe it isn’t that hard, when you think about Access Now’s criticisms of the UNHCR program.

Refugees should not be required to hand over personal biometric data in exchange for basic needs such as purchasing food, or accessing money. However, iris scan technology supplied by UK-registered company, IrisGuard, is reportedly being used by the World Food Programme (WFP) and the United Nations High Commissioner for Refugees (UNHCR) in refugee camps and urban centers in Jordan.

Based on reports suggesting the absence of meaningful consent, and an opaque privacy policy, Access Now has serious objections to the lack of transparency and privacy safeguards around this precarious tech rollout. 

Wow. Jordan is as bad as Illinois. Maybe Jordan needs a BIPA! Hope their doorbell cameras aren’t a problem…

So while the Better Than Cash Alliance is focusing on other things, it’s at least paying lip service to some of the stronger identity controls that many in the identity industry advocate.

Of course, it’s outside of the scope of the Better Than Cash Alliance to dictate HOW to implement “appropriate security controls.”

But anything that saves the whales AND the plankton (and complies with BIPA) will be met with approval.

IATA endorses the EUDCC. But will it matter?

In a Bredemarket blog post in February 2021, I quoted something that I wrote in 2013 in one of my personal blogs, Empoprise-BI.

I’m sure that many people imagine that standards are developed by a group of reasonable people, sitting in a room, who are pursuing things for the good of the world.

You can stop laughing now.

As I noted back in 2013, and again in February, there are many instances in which standards do not evolve from a well-designed process. In reality, standards emerge via that process that I referred to in February as “brute force.”

By イーストプレス – 「ゴング格闘技」=1951年のブラジル地元新聞からの転載, Public Domain, https://commons.wikimedia.org/w/index.php?curid=13320163

For those who are not familiar with the “brute force” process, I’ll provide two illustrations.

  • If a lot of people like something, it’s a standard.
  • If a trillion dollar company likes something, and I like something different, then the thing that the trillion dollar company likes is a standard.

If two trillion dollar companies like two different things…it can get messy.

Back in February, I was just beginning to talk about something that I called “health passports” at the time. Later, I personally decided that “health passports” is a poor choice of words, and have instead gravitated to using the phrase “vaccine certificate.”

Regardless, my concern back in February was that there were all sorts of these things floating around. Even back then, Clear had its own solution, IATA had one, IBM had one, iProov had one, Daon had one, and there were many, many more.

So what happens if I have a Clear vaccine certificate but the airline or building that I’m approaching supports the iProov certificate? Can the iProov certificate read the Clear certificate? Or do I have to get multiple certificates?

This post looks at a new development in the vaccine certificate brouhaha. I’m not talking about what vaccines are honored by the vaccine certificate, but about acceptability of the vaccine certificates themselves. In particular, I’m talking about acceptance of one certificate, the EU Digital COVID Certificate (EUDCC).

Because one big player is getting behind it.

How do international air transport folks feel about the EUDCC?

While the EUDCC can conceivably be used for a number of use cases, such as entering a private business like a restaurant, one of the most popular use cases for the EUDCC is to board an airplane that is crossing an international border.

So if there was an organization that was dedicated to the business of flying airplanes across international borders, and if that organization thought that the EUDCC was pretty cool, then that endorsement would have as much pull as Google (and Facebook) endorsing a web image format.

Enter the (drumroll) International Air Transport Association, which issued a press release on 26 August.

The title?

“IATA Backs European Digital Covid Certificate as Global Standard.”

Now those who read my February post will recall that IATA was one of those groups that was already developing its own vaccination certificate. So how does the EUDCC compare with the the IATA Travel Pass?

The DCC…is fully supported by IATA Travel Pass.

But in addition to mere self-interest, there is another reason why IATA is endorsing the EUDCC: it’s supported by a lot of countries inside the EU, and other countries are looking at the EUDCC as a model.

The EU DCC is implemented in the 27 EU Member states and a number of reciprocal agreements have been agreed with other states’ own vaccination certificates, including Switzerland, Turkey, and Ukraine. In the absence of a single global standard for digital vaccination certificates, up to 60 other countries are looking to use the DCC specification for their own certification. 

Oh no, I’m just looking

However, it’s one thing to be “looking” at something, and another thing entirely to actually “do” something.

Before assuming that the EUDCC will become the de facto DCC, consider how two countries in particular will approach it.

This image or media was taken or created by Matt H. Wade. To see his entire portfolio, click here. @thatmattwade This image is protected by copyright! If you would like to use it, please read this first. – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=5004719

One of those countries is my own, the United States of America. While one can argue whether or not the U.S. enjoys the same level of power that it enjoyed immediately after the end of the Cold War, it is still a major player in world economic and travel affairs. And regardless of who the President of the United States is at any given time, the U.S. has often decided to go its own way. Couple this with the power of individual U.S. states in my country’s federal system, and it’s quite possible that even if the U.S. goes along with IATA, and some form of the EUDCC is adopted by our Transportation Security Administration, that does not necessarily mean that the same certificate can be used as it is in Europe to grant access to museums, sporting events, and concerts.

The other country that may have an issue with the EUDCC is China. If the United States is potentially a waning world power, China is potentially a gaining world power. The relationship between China and the rest of the world varies from time to time and from issue to issue. China may decide that it’s not in its best interest to adhere to an international standard for certifications of COVID vaccination, testing, or contraction. And if it’s not in China’s best interest, China won’t do it.

So before declaring that IATA endorsement of the EUDCC settles the issue…we’ll see.

The (possible) Afghan data treasure trove doesn’t just threaten the Taliban’s enemies

Recent events in Afghanistan have resulted in discussions among information technology and security professionals.

Taliban fighters in Kabul, Afghanistan, 17 August 2021. By VOA – https://www.youtube.com/watch?v=nAg7egiXClU, Public Domain, https://commons.wikimedia.org/w/index.php?curid=109043891

One August 17 article from the Intercept hit close to home for me:

THE TALIBAN HAVE seized U.S. military biometrics devices that could aid in the identification of Afghans who assisted coalition forces, current and former military officials have told The Intercept.

This post talks about the data the Taliban could POTENTIALLY get from captured biometric devices and other sources, and how that data could conceivably pose a threat to the Taliban’s enemies AND the Taliban itself.

What data could the Taliban get from biometric devices?

The specific device referenced by the Intercept article was HIIDE…and let’s just say that while I don’t know as much about that device as I should, I do know a little bit about it. (It was manufactured by a company that was subsequently acquired by Safran.)

Another source implies that the Taliban may have acquired another device that the Intercept DIDN’T reference. The Taliban may not only have acquired live HIIDE devices, but also may have acquired devices from another company called SEEK.

(Yes, folks, these devices are called HIIDE and SEEK.)

At the time that this was revealed, I posted the following comment on LinkedIn:

Possession is not enough. Can the Taliban actually access the data? And how much data is on the devices themselves?

Someone interviewed by the Intercept speculated that even if the Taliban did not have the technological capability to hack the devices, it could turn to Pakistan’s Inter-Service Intelligence to do so. As we’ve learned over the years, Pakistan and the Taliban (and the Taliban’s allies such as al Qaeda) are NOT bitter enemies.

As I said, I don’t know enough about HIIDE and SEEK, so I’m not sure about some key things.

  • For example, I don’t know whether their on-board biometric data is limited to just biometric features (rather than images). While there’s the possibility that the devices stored biometric images, that has a drawback because of the large size of the images. Features derived from the images (which are necessary in matching anyway) take up much less storage space. And while biometric images are necessary in some cases (such as forensic latent fingerprint examination), there’s no need for images in devices that make a hit/no-hit decision without human intervention.
  • In addition, I don’t know what textual data is linked to the features (or images) on these devices. Obviously the more textual information that is available, such as a name, the more useful the data can be.
  • Also, the features stored on the devices may or may not be useful. There is no one standard for the specification of biometric features (each vendor has its own proprietary feature specification), and while it may be possible to convert fingerprint features from one vendor system to be used by another vendor’s system, I don’t know if this is possible for face and iris features.

Best-case scenario? Even if the Taliban or its friends can access the data on the devices, the data does not provide enough information for it to be used.

Worst-case scenario? The data DOES provide enough information so that EVERY PERSON whose data is stored on the device can be identified by a Taliban-equivalent device, which would presumably be called FIND (Find Infidels, Neutralize, Destroy).

I’ll return to that “every person” point later in this post.

But biometric data isn’t the only data that might have fallen into the Taliban’s hands.

What data could the Taliban get from non-biometric devices?

Now Politico has come out with its own article that asserts that the Taliban can potentially acquire a lot of other data. And Politico is not as pessimistic as the Intercept about the Taliban’s tech capabilities:

That gives today’s technologically adept Taliban tools to target Afghans who worked with the U.S. or the deposed Afghan government with unprecedented precision, increasing the danger for those who don’t get out on evacuation flights.

Before looking at the data the Taliban may have acquired, it’s useful to divide the data sources between data acquired from clients and data acquired from on-premise servers. HIIDE and SEEK, for example, are clients. (I’m only talking about on-premise servers because any data stored in a US government cloud can hopefully be secured so that the Taliban can’t get it. Hopefully.)

Unlike HIIDE and SEEK, which are mobile client devices, the Politico article focuses on data that is stored on on-premise Afghan government servers. It notes that American IT officials were more likely than Afghan IT officials to scrub their systems before the Taliban takeover, and one would hope that any data stored in US government cloud systems could also be secured before the Taliban could access it.

So what types of data would the Afghan government servers store?

Telecom companies store reams of records on who Afghan users have called and where they’ve been. Government databases include records of foreign-funded projects and associated personnel records.

More specifics are provided regarding telecom company data:

Take call logs. Telecommunications companies keep a record of nearly every phone call placed and to whom. U.S. State Department officials used the local cell networks to make calls to those who were working with the United States, including interpreters, drivers, cooks and more…

And mobile phone data is even more revealing:

Cell phones and mobile apps share data about users with third-party apps, such as location data, that the Taliban could easily get…

The geolocation issue has been known for years. Remember the brouhaha when military users of a particular fitness app effectively revealed the locations of secret U.S. military facilities?

Helmand province in Afghanistan. Photograph: Strava heatmap. Reproduced at https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.

Now perhaps enemy forces already knew about these locations, but it doesn’t help to broadcast them to everyone.

Back to Afghanistan and other data sources.

Afghan citizens’ ethnicity information can also be found in databases supporting the national ID system and voter registration.

This can be used by digital identity opponents to argue that digital identity, or any identity, is dangerous. I won’t dive into that issue right now.

Politico mentions other sources of data that the Taliban could conceivably access, including registration information (including identity documents) for non-governmental organization workers, tax records, and military commendation records.

So if you add up all of the data from all of the Afghan servers, and if the Taliban or its allies are able to achieve some level of technical expertise, then the data provides enough information so that EVERY PERSON whose data is stored on the servers can be identified by the Taliban.

Before we completely panic…

Of course it takes some effort to actually EMPLOY all of this data. In the ideal world, the Taliban would create a supercomputer system that aggregates the data and creates personal profiles that provide complete pictures of every person. But the world is not ideal, even in technologically advanced countries: remember that even after 9/11, it took years for the U.S. Departments of Justice, Homeland Security, and Defense to get their biometric systems to talk to each other.

Oh, and there’s one more thing.

Remember how I’ve mentioned a couple of times that the Taliban could conceivably get information on EVERY PERSON whose data is stored on these devices and servers?

One thing that’s been left unsaid by all of these commentaries is that this data trove not only reveals information about the enemies of the Taliban, but also reveals information about the Taliban itself.

  • The HIIDE and SEEK devices could include biometric templates of Taliban members (who would be considered “enemies” by these devices and may have been placed on “deny lists”).
  • The telecommunications records could reveal calls placed and received by Taliban members, including calls to Afghan government officials and NATO members that other Taliban members didn’t know about.
  • Mobile phone records could reveal the geolocations of Taliban members at any time, including locations that they didn’t want their fellow Taliban members to know about.
  • In general, the records could reveal Taliban members, including high-ranking Taliban members, who were secretly cooperating with the Taliban’s enemies.

With the knowledge that all of this data is now available, how many Taliban members will assist in decrypting this data? And how many will actively block this?

Oh, and even if all of the Taliban were completely loyal, any entity (such as the Pakistani Inter-Service Intelligence) that gets a hold of the data will NOT restrict its own data acquisition efforts to American, NATO, and former Afghan government intelligence. No, it will acquire information on the Taliban itself.

After all, this information could help the Pakistanis (or Chinese, or Russians, or whoever) put the, um, finger on Taliban members, should it prove useful to do so in the future.

Then again, Pakistan may want to ensure that its own digital data treasure trove is safe.

Update on Covishield and the EUDCC, as long as you can prove you were born

It’s been a while since I looked at issues regarding the European Union Digital COVID Certificate (EUDCC).

And there are a ton of ramifications and unintended consequences.

Covishield and the EUDCC

When I last looked at the EUDCC, I examined its effect on travel from people outside of the European Union. The question at the time was what would happen to people who were vaccinated with something other than the European Medicines Agency-approved vaccines, thus rendering them ineligible for the EUDCC.

In particular, people who were vaccinated with the Covishield vaccine were not eligible for the EUDCC. Depending upon whom you asked, Covishield is either just the same as the EMA-approved AstraZeneca vaccine (now referred to as “Vaxzervria” in EU-speak), or it has a radically different manufacturing process that disqualifies it from automatic acceptance.

This non-recognition of Covishield has a great impact on African nations, because that vaccine is popular there. However, EUDCC disapproval has been offset by the actions of several individual countries to recognize Covishield as a vaccine. For example, Greece recognizes ten vaccines (including Covishield) as opposed to the EU’s four. Of course, you have to go through additional paperwork to get authorization to enter a specific country.

But Joseph Atick notes that there’s another issue that adversely impacts the ability of Africans to enter Europe.

Linking a vaccination to a person

Assume for the moment that you have received an EU-authorized vaccine. This is only part of the battle, because the act of vaccination has to be tied to you as a person.

Dr. Joseph Atick of ID4Africa. From https://id4africa.com/the-general-secretariat/

And Atick notes one complicating factor in making that link:

One of the biggest barriers to setting up these systems—and one that could greatly complicate digital health certificates – involves traceability, which for an official digital ID means documenting one’s birth event.

In Africa, not everyone has a birth certificate, and many struggle to trace their identity to the birth event.

If you cannot prove to the satisfaction of the European Union (or whoever) that you were the actual person who received a vaccine, then you may face barriers to entering Europe (or wherever).

And what are the ramifications of this?

A digital health certificate has appeal as an efficient and effective way to manage COVID-19 risks. But if we don’t pause now to consider the implications of getting it wrong and look for ways to get it right, these marvellous digital innovations could also be supremely effective at creating a binary world of those who can prove their COVID-19 risk status and those who cannot.

The requirement for a digital identity

Oh, and there’s another issue that Atick didn’t address, but which bears noting.

All of the solutions listed above assume as a given that people will be the owners of a unique, government-authorized digital identity.

As I’ve noted elsewhere, there are people who are fervently opposed to this.

In my country, both some people on the left and some people on the right believe that “governmental digital identity” naturally equates to “governmental digital surveillance,” and that governments shouldn’t be abusing the data that they can obtain from all the vaccinations you get, all the places you travel, all the things you buy, and all the other things that you do.

(Well, except for voting. Some on the right fervently believe that government identities are essential to voting, even if they’re not essential to any other activity.)

But are people truly banned from travel?

So where does this leave the people who cannot prove that they were vaccinated with an authorized vaccine, or perhaps were never vaccinated at all?

In many cases travel for the unvaccinated is not banned, but they have to go through additional hoops to travel. Using one example, unvaccinated U.S. citizens can travel to Austria if they “have recovered from COVID-19 in the past 180 days; or present a negative COVID-19 PCR or antigen test result procured within 72 or 48 hours of travel.” For more country-by-country specifics as of August 13, click here.

But how will the unvaccinated get to Europe, or anywhere else?

But on the other hand, a vaccination in and of itself is not a guarantee that you can travel. Norway has a long list of requirements that an incoming person must satisfy, vaccination or not. This isn’t the time for an American to go on a sightseeing tour to Oslo.

Or Pyongyang.

So a binary division into the “travels” and “travel nots” may not become a reality. Instead, it will be a gradation of travel allowances and non-allowances, based upon a variety of factors.

In this post, “NGI” stands for Non-Governmental Identity

I admit to my biases.

As a former long-time employee of a company that provides finger and face technology for the Federal Bureau of Investigation’s Next Generation Identification (NGI) system, as well as driver’s license and passport technology in the United States and other countries, I am reflexively accustomed to thinking of a proven identity in governmental terms.

Because the government is always here to help.

From World War II. By Packer, poster artist, Artist (NARA record: 8467744) – U.S. National Archives and Records Administration, Public Domain, https://commons.wikimedia.org/w/index.php?curid=16929857

What this means in practice is that whenever I see a discussion of a proven identity, I reflexively assume that the identity was proven through means of some type of governmental action.

  • Perhaps the identity was tied to a driver’s license identity maintained by a state agency (and checked against other states via AAMVA’s “State to State” to ensure that there are no duplicate identities).
  • Or perhaps the identity was proven via the use of a database maintained by a government agency, such as the aforementioned NGI or perhaps a database such as the CODIS DNA database.

However, I constantly have to remind myself that not everyone thinks as I do, and that for some people an identity proven by governmental means is the worst possible scenario.

Use of DNA for humanitarian efforts

Take an example that I recently tweeted about.

I recently read an article from Thermo Fisher Scientific, which among other things provides a slew of DNA instruments, software, and services for both traditional DNA and rapid DNA.

One of the applications of DNA is to prove family relationships for migrants, especially after families were separated after border crossings. This can be done in a positive sense (to prove that a separated parent and child ARE related) or in a negative sense (to prove that a claimed parent and child are NOT related). However, as was noted in a webinar I once attended, DNA is unable to provide any verification of legitimate adoptions.

By Nofx221984 – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7429871

Regardless of the purpose of using DNA for migrants, there is a certain level of distrust among the migrants when the government says (presumably in Spanish), “We’re the government. We’re here to help.” You don’t have to be a rabid conspiracy theorist to realize that once DNA data is captured, there is no technical way to prevent the data from being shared with every other government agency. Certain agencies can establish business rules to prevent such sharing, but those business rules can include wide exceptions or the rules can be ignored entirely.

Therefore, Thermo Fisher Scientific decided to discuss humanitarian DNA databases.

As a result of migration, human trafficking and war, humanitarian databases are a relatively new concept and are often completely separate from criminal databases. Research has shown that family members may distrust government databases and be reluctant to report the missing and provide reference samples (1). Humanitarian databases are repositories of DNA profiles from reported missing persons, relative reference samples, and unknown human remains and may be managed by non-governmental organizations (NGOs), though in some instances they may be managed by a governmental institution but kept separate from criminal databases. Examples of humanitarian databases can be found in the United States (NamUsUniversity of North Texas HDID), Canada (Royal Canadian Mounted Police), Australia (National DNA Program for unidentified and missing persons) and internationally via the International Commission on Missing Persons (ICMP).

As you can see from the list, some of these databases ARE managed by government police agencies such as the RCMP. But others are not. The hope, of course, is that migrants would be willing to approach the humanitarian folks precisely BECAUSE they are not the police. Reluctance to approach ANY agency may be dampened by a desire to be reunited with a missing child.

And these non-governmental efforts can work. The Colibri Center claims to have performed 142 identifications that would not have been made otherwise.

Reluctance to set national standards for mobile driver’s licenses

Because of my (biased) outlook, mobile driver’s licenses and other applications of government-proven digital identity seem like a wonderful thing. The example that I often bore you with is the example of buying a drink at a bar. If someone does this with a traditional driver’s license, the bartender not only learns the drinker’s birthdate, but also his/her address, (claimed) height and weight, and other material irrelevant to the “can the person buy a drink?” question. With a mobile driver’s license, the bartender doesn’t even learn the person’s birthdate; the bartender only learns the one important fact that the drinker is over 21 years of age.

Some people are not especially wowed with this use case.

The DHS Request for Comment has finally closed, and among the submissions is a joint response from the American Civil Liberties Union, Electronic Frontier Foundation (EFF), & Electronic Privacy Information Center (EPIC). The joint response not only warns about potential misuse of government digital identities, but also questions the rush of establishing them in the first place.

We believe that it is premature to adopt industry standards at this time as no set of standards has been completed that fully takes advantage of existing privacy-preserving techniques. In recent decades we have seen the emergence of an entire identity community that has been working on the problems of online identity and authorization. Some within the identity community have embraced centralized and/or proprietary systems…

You can imagine how the ACLU, EFF, and EPIC feel about required government-managed digital identities.

Is a Non-Governmental Identity (NGI) feasible and reliable?

Let’s return to the ACLU/EFF/EPIC response to the DHS Request for Comment, which mentions an alternative to centralized, proprietary maintenance of digital identities. This is the alternative that I’m referring to as NGI just to cause MAC (massive acronym confusion).

…others are animated by a vision of “self-sovereign
identity” that is decentralized, open source, privacy-preserving, and empowering of individuals. That movement has created a number of proposed systems, including an open standard created by the World Wide Web Consortium (W3C) called Verifiable Credentials (VCs)….

DHS should refuse to recognize IDs presented within centralized identity systems. If a standard digital identity system is to be accepted by the federal government, it must be created in an open, transparent manner, with the input of multiple stakeholders, and based upon the self-sovereign identity concept. Such a system can then be used by federal government agencies to view identity credentials issued by state departments of motor vehicles (DMVs) where doing so makes sense. If standards based on self-sovereign identity are not considered mature enough for adoption, efforts should be directed at rectifying that rather than at adopting other systems that raise privacy, security, and autonomy risks.

For all practical purposes, the chances of the ACLU/EFF/EPIC convincing the Department of Homeland Security to reject government-proven identities are approximately zero. And since DHS controls airport access, you probably won’t see an airport security agent asking for your Verifiable Credentials any time soon. Self sovereign identities are just as attractive to government officials as sovereign citizens.

Who issues Verifiable Credentials?

As ACLU/EFF/EPIC noted, Verifiable Credentials are still under development, just as the centralized system standards are still under development. But enough advances have been made so that we have somewhat of an idea what they will look like. As Evernym notes, there is a trusted triangle of major players in the Verifiable Credentials ecosystem:

There are a number of directions in which we can go here, but for the moment I’m going to concentrate on the Issuer.

In the current centralized model being pursued in the United States, the issuers are state driver’s license agencies that have “voluntarily” consented to agree to REAL ID requirements. Several states have issued digital versions of their driver’s licenses which are recognized for various purposes at the state level, but are not yet recognized at the federal level. (The purpose of the DHS Request for Comment was to solicit thoughts on federal adoption of digital identities. Or, in the case of some respondents, federal NON-adoption of digital identities.)

Note that in the Verified Credentials model, the Issuer can be ANYBODY who has the need to issue some type of credential. Microsoft describes an example in which an educational institution is an Issuer that represents that a student completed particular courses.

Without going into detail, the triangle of trust between Issuers, Verifiers, and Holders is intended to ensure that a person is who they say they are. And to the delight of the ACLU et al, this is performed via Decentralized Identifiers (DIDs), rather than by centralized management by the FBI or the CIA, the BBC, B. B. King, Doris Day, or Matt Busby. (Dig it.)

But NGIs are not a cure-all

Despite the fact that they are not controlled by governments, and despite that fact that users (at least theoretically) control their own identities, no one should think that digital identities are the solution to all world problems…even when magic paradigm-shifting words like “blockchain” and “passwordless” are attached to them.

Here’s what McKinsey has said:

…even when digital ID is used with good intent, risks of two sorts must be addressed. First, digital ID is inherently exposed to risks already present in other digital technologies with large-scale population-level usage. Indeed, the connectivity and information sharing that create the value of digital ID also contribute to potential dangers. Whether it is data breaches and cyber-intrusions, failure of technical systems, or concerns over the control and misuse of personal data, policy makers around the world today are grappling with a host of potential new dangers related to the digital ecosystem.

Second, some risks associated with conventional ID programs also pertain in some measure to digital ID. They include human execution error, unauthorized credential use, and the exclusion of individuals. In addition, some risks associated with conventional IDs may manifest in new ways as individuals newly use digital interfaces. Digital ID could meaningfully reduce many such risks by minimizing opportunity for manual error or breaches of conduct.

In addition, many of these digital identity initiatives are being pursued by large firms such as IBM and Microsoft. While one hopes that these systems will be interoperable, there is always the danger that the separate digital identity systems from major firms such as IBM and Microsoft may NOT be interoperable, in the same way that the FBI and DHS biometric systems could NOT talk to each other for several years AFTER 9/11.

And it’s not only the large companies that are playing in the market. Shortly after I started writing this post, I ran across this LinkedIn article from the Chief Marketing Officer at 1Kosmos. The CMO makes this statement in passing:

At 1Kosmos, we’ve taken our FIDO2 certified platform one step further with a distributed identity based on W3C DID standards. This removes central administration of the database via a distributed ledger for true “privacy by design,” putting users in sole access and control of their identity.

1Kosmos, IBM, and Microsoft know what they’re talking about here. But sadly, some people only think these technologies are “cool” because they’re perceived as anti-government and anti-establishment. (As if these companies are going to call for the downfall of capitalism.)

Which identiy(ies) will prevail?

Back to governmental recognition of NGI.

Don’t count on it.

Anticipated DHS endorsement of government-issued digital identities doesn’t mean that NGI is dead forever, since private companies can adopt (and have adopted) any identity system that they wish.

So in truth we will probably end up with a number of digital identities like we have today (I, for example, have my WordPress identities, my Google identities, and countless others). The difference, of course, is that the new identities will be considered robust – or won’t be, when centralized identity proponents denigrate decentralized identities and vice versa.

But frankly, I’m still not sure that I want Facebook to know how much I weigh.

(Although, now that I think about it, Apple already knows.)

(Bredemarket Premium) Another mobile driver’s license pilot…but this one may move forward and become the real thing

When looking at U.S. state implementations of mobile driver’s licenses, there are various gradations of these implementations.

  • Some states have only performed pilots.
  • Some states have implemented production versions of mobile driver’s license, but their acceptance is limited and you still have to carry your physical driver’s license with you.
  • I don’t think any state has reached the level where the mDL is acceptable for ALL state purposes, and you DON’T have to carry your physical license with you any more.
  • NO state has reached the level where the mDL is acceptable for state AND federal purposes (such as boarding planes). That is still in process.
Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

This post looks at what is going on in one state, what may happen in the future, and what resistance the state may (or may not) meet from its own residents.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

Biometrics IS the financial sector

“Have to update my chart again.”

C. Maxine Most of Acuity Market Intelligence. From https://twitter.com/cmaxmost/status/1418306725510193152

Since I’m treading into financial territory here, I should disclose that Bredemarket has financial relationships with one or more of the companies mentioned in this post. This is not investment advice, do your own due diligence, bla bla bla.

I don’t monitor the market enough to know if this is part of an overall trend, but there has been a lot of biometric and digital identity investment recently. Both Biometric Update and FindBiometrics (and other publications such as FinLedger) have written about some of these recent investments, and IPVM has published its acquisition analysis (for subscribers only). Here’s a partial list of the biometric and/or digital identity companies who have received new funding (via investors, IPO, or acquisitions) recently:

I am not a financial expert (trust me on this), but I suspect that these companies are benefiting from two contradictory factors.

  • The apparent WANING of the COVID threat suggests better market performance in the future.
  • Some biometric and digital identity investments are very attractive precisely BECAUSE of the COVID threat, and the resulting attractiveness of remote and touchless technologies.

Of course, markets run in cycles, and it’s hard to predict if this is just the beginning of money flowing to biometrics/digital identity companies, or if all of this will suddenly come to a grinding halt. Remember how hot so-called “fever scanners” were a year ago, until their deficiencies were identified? And remember how Microsoft was prompted to divest from Anyvision not too long ago?

It’s possible that a number of external factors, such as an increase in government bans of facial recognition use, consumer resistance to digital identity, or the entry (or re-entry) of much larger players into the biometrics and/or digital identity markets, could dampen the revenue hopes for these funded companies.

Of course, investors are used to analyzing risk, and in many cases the investments with higher risk can yield the greater rewards.

It’s all just a game.

You will soon deal with privacy stakeholders (and they won’t care about the GYRO method)

I’ve written about the various stakeholders at government agencies who have an interest in biometrics procurements- not only in this post, but also in a post that is available to Bredemarket Premium subscribers. One of the stakeholders that appeared on my list was this one.

The privacy advocate who needs to ensure that the biometric data complies with state and national privacy laws.

Broken Liberty: Istanbul Archaeology Museum. By © Nevit Dilmen, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1115936

If you haven’t encountered a privacy advocate in your marketing or proposal efforts…you will.

Utah Gov. Spencer Cox has appointed Christopher Bramwell as the Department of Government Operations’ first privacy officer….As privacy officer, Bramwell will be responsible for surveying and compiling information about state agencies’ privacy practices to discern which poses a risk to individual privacy. He will also work with the personal privacy oversight commission and state privacy officer to provide government privacy practice reports and recommendations.

Obviously this affects companies that work with government agencies on projects such as digital identity platforms. After all, mobile driver’s licenses contain a wealth of personally identifiable information (PII), and a privacy advocate will naturally be concerned about who has access to this PII.

But what about law enforcement? Do subjects in law enforcement databases have privacy rights that need to be respected? After all, law enforcement agencies legally share PII all the time.

However, there are limitations on what law enforcement agencies can share.

  • First off, remember that not everyone in a law enforcement database is an arrested individual. For example, agencies may maintain exclusion databases of police officers and crime victims. When biometric evidence is found at a crime scene, agencies may compare the evidence against the exclusion database to ensure that the evidence does not belong to someone who is NOT a suspect. (This can become an issue in DNA mixtures, by the way.)
  • Second off, even arrested individuals have rights that need to be respected. While arrested individuals lose some privacy rights (for example, prisoners’ cells can be searched and prisoners’ mail can be opened), a privacy advocate should ensure that any system does not deny prisoners protections to which they are entitled.

So expect to see a raised concern about privacy rights when dealing with law enforcement agencies. This concern will vary from jurisdiction to jurisdiction based upon the privacy (and biometric) laws that apply in each jurisdiction, but vendors that do business with government agencies need to stay abreast of privacy issues.

A little more about stakeholders, or actors, or whoever

Whether you’re talking about stakeholders in a government agency, stakeholders at a vendor, or external stakeholders, it’s important to identify all of the relevant stakeholders.

Or whatever you call them. I’ve been using the term “stakeholders” to refer to these people in this post and the prior posts, but there are other common terms that could be used. People who construct use cases refer to “actors.” Marketers will refer to “personas.”

Whatever term you use, it’s important to distinguish between these stakeholders/actors/personas/whatever. They have different motivations and need to be addressed in different ways.

When talking with Bredemarket clients, I often need to distinguish between the various stakeholders, because this can influence my messaging significantly. For example, if a key decision-maker is a privacy officer, and I’m communicating about a fingerprint identification system, I’m not going to waste a lot of time talking about the GYRO method.

My time wouldn’t be wasted effort if I were talking to a forensic examiner, but a privacy advocate just wouldn’t care. They would just sit in silence, internally musing about the chances that a single latent examiner’s “green” determination could somehow expose a private citizen to fraud or doxxing or something.

This is why I work with my clients to make sure that the messaging is appropriate for the stakeholder…and when necessary, the client and I jointly develop multiple messages for multiple stakeholders.

If you need such messaging help, please contact Bredemarket for advice and assistance. I can collaborate with you to ensure that the right messages go to the right stakeholders.

The ITIF, digital identity, and federalism

I just read an editorial by Daniel Castro, the vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation. The opinion piece, published in Government Technology, is entitled “Absent Federal IDs, Digital Driver’s Licenses a Good Start.”

You knew I was going to comment on this one.

Why Daniel Castro supports a national digital ID

Let me allow Castro to state his case.

After Castro identifies the various ways in which people prove identity online, and the drawbacks of these methods, here’s what Castro says about the problem that needs to be addressed:

…poor identity verification is one of the reasons that identity theft is such a growing problem as more services move online. The Federal Trade Commission received 1.4 million reports of identity theft last year, double the number in 2019, with one security research firm estimating $56 billion in losses.

Castro then goes on to state his ideal solution:

The best solution to this problem would be for the federal government to develop an interoperable framework for securely issuing and validating electronic IDs and then direct a federal agency to start issuing these electronic IDs upon request. 

Castro then notes that the federal government has NOT done this:

But in the absence of federal action, a number of states have already begun this work on their own by creating digital driver’s licenses that provide a secure digital alternative to a physical identity document.

Feel free to read the rest of the story.

“Page two.” By Shealah Craighead – The original was formerly from here and is now archived at georgewbush-whitehouse.archives.gov., Public Domain, https://commons.wikimedia.org/w/index.php?curid=943922

But for me I’m going to stop right there.

Why Americans oppose mandatory national physical and digital IDs

Castro’s proposal, while ideal from a technological standpoint, doesn’t fully account for the realities of American politics.

Many Americans (regardless of political leanings) are strongly opposed to ANY mandatory national ID system. For example, many Americans don’t want our Social Security Numbers to become mandatory national IDs (even though they are de facto national IDs today). And while the federal government does issue passports, it isn’t mandatory that people GET them.

And many Americans don’t want state driver’s licenses to become mandatory national IDs. I went into this whole issue in great detail in my prior post “How 6 CFR 37 (REAL IDs) exhibits…federalism,” which made the following points:

  1. States are NOT mandated to issue REAL IDs. (And, no citizen is mandated to GET a REAL ID.)
  2. The federal government CAN mandate which IDs are accepted for federal purposes.
  3. Because the federal government can mandate the IDs to use when entering a federal facility or flying at a commercial airport, ALL of the states were eventually “persuaded” to issue REAL IDs. (Of course, it has take nearly two decades, so far, for that persuasion to work, and it won’t work until 2023, or later.)

So, considering all of the background regarding the difficulties in mandating a national PHYSICAL ID, imagine how things would erupt if the federal government mandated a national DIGITAL ID.

It wouldn’t…um…fly.

Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

And this is why some states are moving ahead on their own with mobile driver’s licenses.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

However, there’s a teeny tiny catch: while the states can choose to mandate that their mDLs be accepted at the STATE level, states cannot mandate that their digital identities be used for FEDERAL purposes.

Here we go again.

Of course, federal government agencies are starting to look at the issues with a mobile version of a “REAL ID,” including the standard(s) to which any mobile ID used for federal purposes must adhere.

Improving Digital Identity Act of 2020, or 2021, or 2025…

While the government agencies are doing this work, another government agency (the U.S. Congress) is also working on this. Castro mentions Rep. Bill Foster’s H.R. 8215, introduced in the last Congress. I’m not sure why he bothered to introduce it in September 2020, when Congress wasn’t going to do anything with it. As you may have heard, we had an election at that time.

Of course, he just reintroduced it last month, so now there’s more of a chance that it will be considered. Or maybe not.

Regardless, the “Improving Digital Identity Act” proposes the creation of a task force at the federal level with federal, state participants, and local participants. It also mandates that NIST create a digital identity “framework,” with an interim version available 240 days after the Act is passed. Among other things, the ACT also mandates that NIST Special Publication 800-63 become “binding operational directives” for federal agencies.

(Does that mean that it will be illegal to mandate password changes every 90 days? Woo hoo!)

Should this Act actually pass at some point, its directives will need to be harmonized with what the Department of Homeland Security is already doing, and of course with what the states are already doing.

Oh, and remember my reference to the DHS’ work in this area? Among those who have submitted verbal and/or written comments, several (primarily from privacy organizations) have stated that the government should NOT be promoting ANY digital ID at all. The sentiments in this written comment, submitted anonymously, are all too common.

There are a lot of security and privacy concerns with accepting digital ID’s. First and foremost, drivers licenses contain a lot of sensitive information. If digital ID’s are accepted, then it could potentially leak that info to hackers if it is not secured properly. Plus, there is the added concern that using digital ID’s will lead to extra surveillance where unnecesary. Finally, digital ID will not allow individuals who are poorer to be abele to submit an ID because they might not have access to the same facilities. I am strongly against this rule and I do NOT think that digital ID should be an option.

I expect other privacy organizations to submit comments that may be better-written, but they echo the same sentiment.

Are unified digital IDs a thing?

I’ve been busy helping a client who needed summer fill-in help, but I’m finally making the time to catch up on my reading. And this article from Government Technology was on my reading list.

When I read the title “Mobile Driver’s Licenses Pave the Way for Unified Digital IDs,” I was intrigued by the last three words. I mean, there are more and more states releasing (non-pilot) mobile driver’s licenses, and the standard is coming along, and work is being done to prepare for federal acceptance.

But what about the “unified” part? How did David Raths address that?

Government uses of digital ID

Well, he listened to Eric Jorgensen, director of Arizona’s Department of Transportation.

“I actually hate the term ‘mDL’ because it doesn’t recognize the power of what we’re doing here….The whole concept is that we’re providing a way to remotely authenticate a person, to provide a trusted digital identity that doesn’t exist today. Once we provide that, we’re opening doors to enhanced government services. Also, the government can play a key role in facilitating commerce, providing a better citizen experience and providing for the security of that citizen — that goes way beyond what a driver’s license is about.”

Although all that Jorgensen is discussing is providing a trusted digital identity that is equivalent to a trusted physical identity. If you have to show your driver’s license when visiting a government office’s physical location, conceivably you can show your digital driver’s license when visiting a government office’s website.

Enterprise uses of digital ID

And there are applications beyond government. Delaware and other states are persuading private businesses to accept mobile driver’s licenses as valid forms of identification. There’s a powerful use case for age-restricted products, of course; since all that an alcohol-selling business needs to know is whether you are over the age of 21, the mobile driver’s license ONLY shows that you are over the age of 21. It doesn’t show your address, your weight, or even your birthdate.

But what about a true UNIFIED digital ID?

However, I semantically question whether this is truly a “unified” ID. This is just digitization of an existing government-endorsed ID. A “unified” ID would be one that would not only let me drive, vote, and buy alcohol, but would also serve as my ID to log into Facebook or buy Bitcoin. (Yes, I realize that use of a government ID to buy Bitcoin violates the space-time continuum in some way.)

And for that to happen, work may need to be done to make mobile IDs compatible with existing authentication/authorization methods such as OAuth and OpenID Connect.

And the whole “but what if I don’t have a digital ID?” question must be addressed.

And the whole “but what if I want to use a self-sovereign ID that is NOT government endorsed?” question must be addressed.

And presumably a myriad of other questions would need to be addressed also.

But for me, I can’t address unified digital IDs today. Just got a message from my summer-challenged client…