Why is digital trust so important? We asked Digital Identity NZ’s executive director Colin Wallis for his perspective on an equitable digital future. Plus, we preview the top trends in digital identity.
Q: What is digital trust and why is it so important?
A: Trust lies at the heart of human relationships. While the notion of trust has been with us since the beginning of humanity, it is rooted in the physical world, where people can be close to each other, understand their heritage from their village, iwi and hapū. In this context, sources of authority can vouch for their integrity. Back in those days just as today, this extends to commerce and entitlements and the privacy-respecting nature of those.
In a digital world where this physical closeness doesn’t exist, other methods are required to gain confidence and assurance in someone’s identity and data. This includes overall security of the system and the personal data it processes to ensure the parties are acting in good faith. Without digital trust, the digital economy falters and ultimately cannot function.
Q: What underpins digital trust in New Zealand?
A: In essence there are two brand categories of underpinning – the public sector and the private sector. The Government for example, is generally trusted and seen as the authoritative source for much of our identity related information. Meanwhile, the private sector for example, banks, financial services and many other sectors operate digital services as well as physical services and in some cases solely through the digital channel. These are often extensions of our trust in brands in the physical world. Some brands, including big platforms like Apple, straddle both the physical and digital worlds while other brands like TradeMe, are online only, where people’s trust in the service has been built over time.
In the medium term, the introduction of the Digital Identity Services Trust Framework Act has the potential to provide a game-changing regulatory foundation for the identification and authentication components of services delivered through the digital channel. Those services that choose to be independently audited for compliance against the Framework’s security and privacy oriented rules and standards to become accredited, would then be able to differentiate those digital service brands through displaying an accreditation mark. This would provide the public with greater confidence, assurance and level of trust in those services relative to other services that do not carry the mark. It was a key motivation in the establishment of Digital Identity New Zealand.
Q: What makes digital trust so complex?
A: The sheer range of actors and roles, technology options and technical approaches, plus the requisite legal compliance and information security, data protection and privacy standards means that there are a wide range of concerns to actively manage. All these factors need to be able to operate safely, respectfully and easily (ideally seamlessly) for people, and at scale nationally and internationally.
Despite significant advances during the past 10 years, the ecosystem is relatively immature and in keeping with modern day life generally, is continuously evolving in response to policy changes, technical advances and emerging new cybersecurity threats. New techniques and technology give rise to new ways of weaponising digital trust and in turn new techniques and technology are developed in defence of it.
Q: What are barriers to digital identity adoption?
A: Digital literacy, confidence to use, knowledge of and equitable access to technology are all barriers to digital identity adoption. Trust and beliefs can also be an inhibitor to including everyone on this journey. Governments and large technical platforms are typically key actors in digital identity systems. People who distrust Government, big tech or anything digital for whatever reason present a challenge to ubiquitous inclusion.
There are also barriers for digital services and service providers regarding legal compliance, lack of definitional alignment, interoperability and cross recognition among jurisdictions. Regardless, the business model for digital identity is typically opaque, given future uncertainty in policy, costs, technology options, market dynamics and adoption. As in all of modern life’s uncertainties, the risks and costs of investing can quickly outweigh the benefits.
Q: What does an equitable digital future look like?
A: Equitable and inclusive! In an ideal world, everyone would have equitable access to the digital economy and participate in it securely, safely and with confidence.
This is easy to say, but much harder to deliver at scale with constrained resources. An equitable digital future requires significant, sustained investment of resources across society in order to leave no-one behind in offering the opportunity to participate. This begins with literacy, education and technology. Improving digital literacy and equity requires a national programme of sustained investment with collaboration across Government, the private sector, the charity sector and non-profit industry associations such as Digital Identity New Zealand.
Q: What are the top trends in digital identity and identity management?
- Decentralised identity architectural approach. This established but new-to-digital-identity approach promises a more streamlined, user-centric and privacy-centric digital experience where, after an initial set up process, personal identity-related data never leaves an individual’s device, thus reducing the amount of personal data transferred, stored and processed by other actors in the system and reducing the associated risks potentially exposed by those activities. While this would potentially remove some barriers to adoption for those distrustful of actors in systems based on centralised or federated architectures, and give people agency over which parties see their data, this approach is still early in its implementation lifecycle. Nonetheless with standardisation efforts underway, the DID specification was recently approved.
- Tokenisation. Again, the concept of Tokenisation is not new, having been used in a rudimentary form in New Zealand’s digital identity systems for 15 years, but the term and its application to digital identity systems more broadly is new to the global community. This is when assets of almost any type can be trusted as being representative of the asset (physical or digital) itself but carrying ‘no exploitable value’. Given the nature of identity-related information, it’s no surprise that the concept has found its way into the realm of digital identity. Tokens are typically categorised into Fungible or Non-Fungible asset types. Tokens used in identity management are of the Non-Fungible variety and most commonly associated with decentralised identity implementations.
- Passwordless. This is a technical approach to confirming or recognising a returning person that has previously registered at a digital service – the process known as authentication. It removes the need for people to type in a password after their username, instead using a high security option such as a cryptographic key pair and leveraging the person’s smartphone or similar device. More digital identity services are offering this option because by removing the password, a fraudster’s password guessing and brute force attacks against the person are minimised.
- Trust Frameworks. As with many other established concepts newly applied to digital identity, Trust Frameworks have been in use in the private and public sectors for decades in sectors such as financial services operating payment card systems underpinned by the Payment Card Industry Data Security Standard (PCI DSS). As MATTR, one of Aotearoa’s foremost digital identity service providers explains, “Trust frameworks are a foundational component of the web of trust. A trust framework is a common set of best practice standards-based rules that ensure minimum requirements are met for security, privacy, identification management and interoperability through accreditation and governance. These operating rules provide a common framework for ecosystem participants, increasing trust between them”. The trust framework has the potential to significantly aid more frictionless e-commerce and velocity in the digital economy by giving people more confidence in the safety, security and privacy in their digital lives and control over their identity-related data.
Q: What can we learn from other countries?
A: Aotearoa can learn more from countries who have high levels of public and private sector collaboration in the development of digital identity ecosystems. Collaboration with industry associations like Digital Identity Identity New Zealand have advanced developments in the EU, the US, the UK and Canada and there is capacity to do more similar collaboration in New Zealand. It must be remembered that while of foundational and paramount importance, identification and identity – be it physical or digital – is a sub-system of a much larger set of business and governmental processes. Countries that have achieved high levels of cross party commitment to continued long term investment in process modernisation are in theory better placed to achieve better outcomes with better optics, delivered with more agility as a result. Oftentimes the most valuable interventions to demonstrably move the needle are things that don’t make headlines and in and of themselves don’t attract votes.
Meanwhile, other countries have also learned from us! In 2007 Aotearoa was the first non-national ID card country to operate a national web-based login service and used early tokenisation techniques for privacy and security preservation referred to in the industry as ‘blinding’ well ahead of other jurisdictions. In 2023/24 it is expected New Zealand will be the first common law country of those typically compared, to pass Trust Framework legislation and operate a regulatory framework for digital identity.
Q: What are the global opportunities for New Zealand as a trusted economy?
A: New Zealand’s growing capability and maturity in all things digital, needs to be consistently reflected in the development of digital services, be they online gaming or digital support in supply chain integrity for physical products that our association colleagues in AgriTechNZ promulgate. Digital identity underpins them all. Local companies can more easily expand to enter and operate in overseas markets with potentially less friction if internationally recognised digital identity standards and practice are consistently applied. Armed with these tools, we have the potential to develop a strong competitive advantage in the digital economy globally.