Digital Identity & E-ID: What HUMANS Need And Want

I present some focused results from the insights I gained while mentoring a Digital Identity startup and did a qualitative study (over 20 in depth interviews, 90 minutes each) I’ve done around 3 years ago and worked intense on the point of view of the most important stakeholder in the Digital Identity ecosystem, who is constantly forgotten in the discussions on this topic.

Do we want to digitize old thought patterns and just digitize the principles of the physical identity card and passport? Do we want to add a new type of Identifier to be able to make authentication and logins easier? Or do we want to understand the overall picture of the digital world and human identity and really approach the topic of “digital identity” including our contexts of life and the associated data? And if so, do we start it with focus on new business models - or do we want to break down people’s needs as a basis that cannot be evaded?

Terminology: Digital Identifyer, Identity, Digital Identity

So MY DIGITAL IDENTITY is a much richer concept that just A DIGITAL IDENTIFIER. This often gets forgotten when people reduce this topic on the identifier.

Overview: 7 clusters of people’s needs regarding …

1. TRUST in issuer or provider

People want a combination of 5 mandatory needs regarding trust, issuers, provider. They want some kind of checks and balances, so that different needs are served by different players to combine their contributions.

1. STATE: To be able to trust in such a sensitive topic, people want the state to have the upper hand in a certain way (and only in that certain way), at least when we talk about Switzerland. Only the state should be able to ...

• confirm that this person really exists
• state whether a person is still alive
• know and confirm that a person is a citizen of a certain state
• know and confirm the actual date of birth
• make it possible to provide binding identification to another person or organization
• know and confirm the status of a foreigner in this country
• know and confirm or deny a person's criminal record
• enable a person to participate in elections, to apply for a new ID, to submit your tax return, etc.

2. An independent representation of the interests of the Digital Identity holder must be ensured, commercial abuse must be prevented

3. Data, processes and technology must be handled professionally and securely

4. Portability: The freedom of choice for a technical ID provider must be guaranteed

5. Formation of encapsulated identity personas or roles are necessary, so people are able to trust in security. Who someone trusts is partially context dependent: e.g. trust in banks as ID provider only in the context of payments, so here the encapsulated Payment Identity Persona should apply.

2. General Applications

CRITERIA FOR APPLICATIONS:

1. Great benefits (simplify life seriously)
2. High reach
3. Extreme security (even in the case of theft or loss of identifiers or mobile phone)
4. Prevent the use of data for corporate interests (my data stay with me)
5. Credibility of the ID data operator / partner

MAJOR CATEGORIES OF APPLICATIONS:

1. ?STATE?: Full replacement for physcial ID and passport, make visits to the authorities obsolete
2. ?DIV. CONTEXTS / DAILY LIFE?: Patient & health data / vaccination book / have health insurance card have digitally available or be able to make it available to a hospital or doctor, public transport, replace everything online where you usually log in with the logins of Facebook or Google etc.
3. ?My Digital Identity Assistant?: Almost all people want to be assisted by their Digital Identity: (a) with reminder functions for tax returns, vaccination appointments, birthdays, bill payments, (b) to get additional information while shopping or traveling, (c) to reach their own goals better and to better achieve the desired lifestyle

3. Relevant specific Use Cases

Priority 1:

1. An assistant functionality, which helps me to find the best product offers or information for me - without giving my data to others! (e.g. getting warned of products, find best trainings for me, get and use data for health insurance comparison)
2. Secured Business Communications: To be sure that the person you talk to really is that person: for chat, transfer and signing documents, etc.

Priority 2:

1. With 1 click be able to do 3 things online: Put my address data into a form + Login automatically + Pay
2. Exchange of health data (with doctors or hospitals)
3. Send sensitive documents to persons
4. Give specific rights for guests (e.g. from Airbnb) in your appartment
5. Switching health insurance (simplify process & data exchange & taking rights on data away)

4. Security and feeling secure

1. Authentication needs to be experienced as safe
2. Most people feel safe with biometrical authentication
3. The Digital Identifier shall basically never work independently of that person who owns the identity
4. Authentication levels must be determinable (user must be able to quickly raise authentication levels for specific cases or contexts)
5. Strong support in case of abuse - including recovery

5. Data

1. Top 1 Prio: My Digital Identity system/app gets data from organizations (and not vice versa)
2. Be able to give an organization single-use data
3. Automatically enter data in the purchase process
4. Confirm attributes without specifying data (e.g., "Yes, I'm over 18")
5. To be able to obtain a service at a discounted price, if they want data from me
6. Have Transparency & Control over Data & over granting permissions
7. To be able to revoke the data rights from an organization
8. My personal data should be up to date everywhere, semi-automatic (user wants to choose)
9. New residential address should be changed by the user once on his/her own Digital Identity system, not on a foreign central system

6. Identity Personas

1. Users want to have an encapsulated identity for each application context ("identity persona")
2. The data of one context (e.g. health) should be fundamentally unavailable in another context (e.g., payment context) ("My health insurance does not need to know where I was on vacation")
3. If a context (or "identity persona") is hacked, the other identity personas should remain untouched and intact
4. In a certain context (medical, shopping, travelling, ...) the appropriate data and functions should automatically be available without the user having to do with settings

7. Reach and Universality

1. People do not want an extra ID or card in addition to the existing one, but something that replaces previous ids, logins, and cards
2. As a replacement for the Swiss ID card and passport: Most users demand global usage (as with the real ID and the real passport)
3. Some people would agree with focus on CH, but then it really needs to work everywhere in every shop and every authority
4. Online: It must be usable in the most important 10 shops and websites, in which one always logs in (note: not only CH pages!), Especially for Amazon and hotel bookings
5. Physical Business Switzerland: The largest 4 retail shops would be enough
6. Needs to have payment card function
7. Use for public transport

Highly recommended sources to gain a deeper understanding on Digital Identity

1. Digital Identity 3.0 - The Platform For The People: https://chairdigitaleconomy.com.au/wp-content/uploads/2018/04/Digital-Identity-3.0-The-Platform-for-the-People-by-Mertens-W-Rosemann-M.-2015-unpublished-Digital-Identity-3.0.pdf
2. Designing Identity 3.0 to fix a broken Identity ecosystem: https://www.youtube.com/watch?v=_YdEwKh10EU&t=304s
3. Reimagining Digital Identity: A Strategic Imperative: https://www3.weforum.org/docs/WEF_Digital_Identity_Strategic_Imperative.pdf
4. “Identity” Commandments: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
5. Identity Management: Identity First Principles (1 of 5): https://www.youtube.com/watch?v=tfj1DKOAeQI
6. Identity Management: Operating with Personas (2 of 5): https://www.youtube.com/watch?v=ZlG3yZfk9tw&t=183s
7. Identity Management: Trust and Privacy (3 of 5): https://www.youtube.com/watch?v=1eESVQHpmp8
8. Identity Management: Entities and Entitlement (4 of 5): https://www.youtube.com/watch?v=nithVcPYO1o
9. Identity Management: Building a Global Identity Ecosystem (5 of 5): https://www.youtube.com/watch?v=5dnPS3eYZiE
10. The internet’s missing identity layer: https://nimakam.com/identity/topics/internet-missing-identity-layer.html
11. A solution by Swiss startup Synacts to the Internet’s missing identity layer: https://www.digitalid.net/
12. The Inevitable Rise of Self-Sovereign Identity: https://sovrin.org/wp-content/uploads/2017/06/The-Inevitable-Rise-of-Self-Sovereign-Identity.pdf
13. The Path to Self-Sovereign Identity: The Evolution of Internet Identity: From Centralised to Federated to User-Centric to Self-Sovereign: https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html
14. Befreiung aus der digitalen Leibeigenschaft, Prof. Ernst Hafen: https://www.datenundgesundheit.ch/wp-content/uploads/2014/03/Digitale_leibeigenschaft_NZZ_05032014.pdf