The next frontier: From digital identification to digital validation

Introduction and summary

While digital identities are of paramount importance, they are normally only part of what is needed; sometimes only a single attribute, such as age, is needed rather than a full identity. For most digital processes more reliable and proven information is needed, as self-declared data will not be sufficient in many cases, both simple and complex.

This can be perceived as a rich man's problem by those for whom just providing a digital identity seems like an uphill battle, but it is more akin to Maslow's Hierarchy of Needs. Once coverage of the basic needs starts to click into place, higher-level needs become visible, and undoubtedly this pattern will repeat in a never-ending cycle.

For a truly deep digital market, as well as for a modern public sector, digital validation built on identification is a crucial first step.

"It is therefore imperative to turn the Coronavirus crisis into an opportunity, embracing the complexity of public sector innovation and ensure to move away from what we have warned in our first DIGIGOV Report in 2019, and “differentiate between evidence and hope!”" (Assessing the impacts of digital government transformation in the EU)

The only way to address this in terms of an EU-wide digital market and sovereignty is by getting ahead of the curve, so that there is a common pattern and common requirements which are seen as facilitation and not as nasty prescriptions from Brussels fueling more resistance toward the European project.

Problems that need to be solved

There is a myriad of problems that require proven validation beyond identity; some examples are given here to add context to the discussion.

  • Opening an account or applying for a loan in a different jurisdiction.
  • Settling in another jurisdiction.
  • Access to goods or services, for example eligibility for health services or student facilities.
  • Changing marital status in a different jurisdiction.
  • Applying for jobs requiring background checks in a different jurisdiction.
  • Services or jobs requiring proof of professional status or education.

Many of these are problematic to solve in a paperless, digital manner even within your own jurisdiction, but the problems multiply once you try to do this digitally outside your own jurisdiction.

Attestation

As the slogan says, nobody knows you're a dog. In some cases you may not care, but in many cases you do. If you are to be married, hopefully your friends will have warned you if you are about to marry a canine, but there are other areas you should be concerned about and where attested proof is required.

  • Is the person currently unmarried? Back in the day it was far from unusual for sailors to literally have a wife in every port, and cases are even known where somebody had a different wife in a different county.
  • Does this person have incurable sexually transmitted diseases? This may or may not influence your decision, but you would probably like to know before rather than after the marriage.
  • Is the person a carrier of certain genetic deficiencies which could prove fatal to children conceived with somebody carrying the complementary deficiencies? Again, this may not influence your choice, but it should be an informed choice.

As love is blind, you may choose not to require attestation and take what you are told at face value, but the competent authorities will not, and will require attestation before granting a marriage license.

Other cases where attestation is required are:

  • Granting a loan. The bank is never going to accept "please trust me, I am wealthy".
  • Opening a financial relationship. Neither the bank nor its financial authority will accept self-declared information on most items.
  • Insurance. Companies in this business will not accept your self-declared information on the insured object, nor information relating to you as the client.
  • Art dealers. Being subject to KYC, they will not accept self-declared information.
  • Real estate agents. As one of the frontiers of money laundering, the same applies here.
  • Investment brokers. Again, they are obliged to gather information beyond who you are.
  • Professional registration. To be licensed to practice as a lawyer, an accountant, a nurse, a doctor or countless other professions, the first hurdle is attested information on your background and educational credentials.
  • Universities will require attested data on your previous education and eligibility.
  • To establish a business relationship, most parties would do some vetting. This entails requiring attested information about you and your business endeavor and may extend into background checks.

The common denominator in this very incomplete list is the requirement for proven information which relates to you but which is not part of your identity. In some cases self-declared information would be sufficient, but these cases are declining rapidly. Today this entails getting a stamped document from a relevant authority and potentially having it certified by a notary public. The simple way to digitalize this would be to get an electronically signed document, find a notary public to countersign it, and finally get whoever requires it to accept this form factor.

I think wishes of "good luck to you" would be appropriate; in any case this is digitization of analog processes, which is not the goal we are stretching for. This should be done online and initiated from the requestor's electronic application solution.

The single internal market in the EU

In Europe this is particularly painful, as there is supposed to be an internal market. It should be clear to everybody that this does not work digitally for anything but very basic services requiring little beyond payment to deliver.

This becomes particularly clear for regulated industries, but is present to a significant degree outside these industries as well. The effect is to limit competition to within national borders, and clearly, in times where digitization is progressing at warp speed, this serves to undermine the whole concept of an internal market.

Notice the hierarchy of needs in this connection: once the basics are covered, these issues become more and more urgent and omnipresent. To enable a leap one needs a higher ambition level than just scratching at the lower levels of the needs hierarchy.

Indeed this has been recognized, and the latest action plan calls for a deeper and more digital single market. It will be interesting to monitor the progress towards addressing the problems discussed in this article, as fixing this is paramount to the future of the internal market. Probably more than any other item regarding the digital market, this cannot be expected to be resolved by market forces but has to be resolved through political initiatives.

Related work

The single digital European gateway

This is an exciting initiative for joining up the digital islands of the jurisdictions for public services. It is limited to public sector entities, even though there have been considerations to open up for a larger scope including private sector access.

As indicated, this builds on electronic identities recognized cross-border through eIDAS, but with a recognition of the need for added trustworthy and reliable information beyond who you are.

As stated, this is scoped for public services, and obviously, if we consider the concept of a deeper and more digital internal market, you will need to include and find similar mechanisms for the private sector. If you do not, one will be left with islands of markets with increasing digitization, and one will be accelerating towards the abandonment of a single internal market altogether.

Self-sovereign identity

This is a concept that still has a lot of mileage to cover and a lot of moving parts that need to fall into place and be proven robust before it is ready for prime time. However, there is considerable interest in this domain, and a clear premise is added value.

All of this builds on top of identity proofing, and clearly there will be levels of reliability, as there are for identity proofing.

Once the term reliability comes into play, attestation becomes important, which I have covered in an earlier article. For some cases it is not very important, but for other cases it is crucial: when getting married, it would be important to provide attested proof that you are currently not married to somebody else, at least in most jurisdictions.

The concept is that these proofs should be digital and under the full control of the user, who explicitly chooses to share them.

The difference from the cases we will discuss next is merely a question of custodianship, or of where the personal data is stored.

Until we have all of this in place, we would have to have custodians who, based on instructions, produce such proofs and share them with authorized parties as instructed by the owner. One obvious advantage is the professionalism that can be expected in sharing only with authorized parties, which cannot be expected if this is stored under the sovereign control of the average user.

National solutions

In Norway this journey has started

What has started there is exactly what is needed on top of proven identity to solve the problems that need solving. This should be appreciated, but one question should also be asked:

Does this cater for a deeper single digital market, or is this an entrenchment of national markets?

I think the answer is obvious, but this is a question of gravity. This will happen within the national domains, and as long as there are no common European requirements and patterns, they will become digital islands market-wise. Simply put, the problems to be solved are there, and efforts to solve them will happen, sometimes by national-level entities and sometimes by GAFA actors. As long as there is a void where solutions are needed, solutions will appear. It would be naive to hope that those would be aligned with the strategic directions of European sovereignty in any or all relevant matters.

The only way to address this in terms of an EU-wide digital market and sovereignty is by getting ahead of the curve, so that there is a common pattern and common requirements which are seen as facilitation and not as nasty prescriptions from Brussels fueling even more resistance toward the European project.

Proposed solution space

Much of this is built upon my never-ending quest in eKYC, which I have covered in previous articles.

To line up the ducks before generalizing, I will revisit the pattern suggested for eKYC before making a generalized proposal suited for any cross-border attested added-value validation.

Revisit the road established by PSD2

The image outlines how a distributed communication model between banks and authorized over-the-top providers is regulated under PSD2.

Only eligible entities will get qualified certificates from eIDAS trust service providers. These certificates contain custom attributes determining exactly the entitlements this actor has, as there are many over-the-top roles and different regimes for being authorized.

The basis and responsibility of the trust service providers is to validate the authorization and to issue certificates accordingly.

Certificates will be revoked and invalidated should they be lost, or if the authorization is withdrawn by the competent authority.

User consent is proven by having the bank perform and require a strong customer authentication of the user.

In the eKYC case the differences would be small and would amount to:

  • Different certificate attributes indicating entitlements for KYC data.
  • Issued based on eligibility confirmed by the appropriate competent authority.
  • User consent explicitly granted through an electronically signed artifact validated by the party holding the data.

Generalized proposal

The basic pattern is still based on qualified certificates issued to the parties authorized to do queries on behalf of the end user, and possibly qualified certificates for the parties entrusted with custodianship of the data in question.

On top of this, explicit proof of user consent would normally be required, which could take the form of a digitally signed artifact to that effect using eIDAS signatures.

This belt-and-suspenders approach safeguards privacy from rogue authorized parties, and the principle of requiring explicit proof of authorization safeguards against phishing and masquerading towards end users. Certificate revocation provides a robust and easy way of propagating de-authorization into operational reality.
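The PSD2-style pattern revisited above and its generalization here can be made concrete in code. What follows is an added example written for this page, not code from the article or from any PSD2 or eIDAS implementation. A trust service provider (modelled as a self-signed CA) issues an actor a certificate carrying its entitlements; the data holder verifies the certificate chain, checks a revocation list and the entitlement for the requested scope, and then verifies a consent artifact signed by the end user that names the requester, the scope and an expiry. Everything named in the code is constructed for the demo: the names "Demo TSP", "kyc-broker", "kyc-data" and "user-1", the four-request scenario, and the choice to carry entitlements in the subject's OU attributes. Real PSD2 certificates carry their roles in an ETSI-defined QCStatements extension, and an eIDAS qualified signature would take the place of the raw Ed25519 signature used for the consent artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Consent is the user-signed artifact; binding requester, scope and expiry prevents replay elsewhere.
type Consent struct {
	Subject, Requester, Scope string
	NotAfter                  time.Time
}

// DataHolder is the custodian of the attested data (the bank in the eKYC case).
type DataHolder struct {
	Roots   *x509.CertPool  // trust service providers the holder accepts
	Revoked map[string]bool // certificate serials the TSP has withdrawn
}

// Authorize is the belt-and-suspenders check: a trusted, unrevoked certificate entitled to the scope,
// plus a user-signed consent naming this requester and scope. Entitlements live in the subject's OU here.
func (h *DataHolder) Authorize(cert *x509.Certificate, scope string, c Consent, sig []byte,
	userPub ed25519.PublicKey, now time.Time) error {
	// KeyUsages must be set explicitly: Verify's default demands a TLS-server certificate.
	opts := x509.VerifyOptions{Roots: h.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if h.Revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked: authorization withdrawn", cert.SerialNumber)
	}
	entitled := false
	for _, role := range cert.Subject.OrganizationalUnit {
		entitled = entitled || role == scope
	}
	if !entitled {
		return fmt.Errorf("%q is not entitled to %q", cert.Subject.CommonName, scope)
	}
	msg, _ := json.Marshal(c) // the same canonical bytes the user signed
	if !ed25519.Verify(userPub, msg, sig) {
		return fmt.Errorf("consent signature invalid")
	}
	if c.Requester != cert.Subject.CommonName || c.Scope != scope || now.After(c.NotAfter) {
		return fmt.Errorf("consent does not cover this requester, scope or time")
	}
	return nil
}

// mint signs tmpl under parent (self-signed when parent == tmpl) and parses the result.
func mint(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // inputs are constructed constants; a failure here is a bug in the demo
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Scenario builds a constructed world (one TSP root, one actor entitled to "kyc-data",
// one end user) and returns the data holder's decision for each of four requests.
func Scenario() [4]error {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo TSP"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mint(caTmpl, caTmpl, caPub, caKey)
	// The TSP has checked the actor's authorization with the competent authority and encodes it here.
	actorPub, _, _ := ed25519.GenerateKey(rand.Reader)
	actorTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "kyc-broker", OrganizationalUnit: []string{"kyc-data"}}}
	actor := mint(actorTmpl, ca, actorPub, caKey)
	holder := &DataHolder{Roots: x509.NewCertPool(), Revoked: map[string]bool{}}
	holder.Roots.AddCert(ca)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	ask := func(requester, scope string) error { // the user signs a consent, the actor presents it
		c := Consent{"user-1", requester, scope, now.Add(time.Hour)}
		msg, _ := json.Marshal(c)
		return holder.Authorize(actor, scope, c, ed25519.Sign(userKey, msg), userPub, now)
	}
	var out [4]error
	out[0] = ask("kyc-broker", "kyc-data")        // entitled and consented: released (nil)
	out[1] = ask("kyc-broker", "account-balance") // scope outside the certificate's entitlements
	out[2] = ask("other-actor", "kyc-data")       // consent was given to a different requester
	holder.Revoked[actor.SerialNumber.String()] = true // the TSP withdraws the certificate
	out[3] = ask("kyc-broker", "kyc-data")        // same request as [0], now refused
	return out
}

func main() {
	for i, err := range Scenario() {
		fmt.Println(i, err)
	}
}
```

Running it prints nil for the first request and a refusal reason for each of the other three. The two independent checks are what the text calls belt and suspenders: the certificate (issued and revocable by the TSP) establishes that the actor is authorized at all, while the consent artifact (signed by the user, bound to one requester and one scope) establishes that this user wanted this data released to this party, so neither a rogue but authorized actor nor a party posing as one can obtain data on its own. Marking the serial in the revocation set is the only step needed to turn a withdrawal of authorization into refused requests.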

This is the same pattern that can be used for any value-added service, and it can also be used for self-storage in a self-sovereign identity case. This assumes that the self-storage user agent used in such scenarios will need authorization if it is to receive attested claims. This is crucial to maintain data sovereignty and to protect sensitive data for the average users of such solutions.

Score card

  • It is cross-border by design.
  • It is privacy-centric by design.
  • It is generic.
  • Technology neutral.
  • Neutral on purpose and problem to solve.
  • No single point of failure.
  • Infinitely scalable in volume and usage.
  • Can be rolled out gradually.
  • Based on proven patterns, legislation and components (P2P pattern, W3C-based infrastructure, eIDAS legislation).
  • Has a strict and simple governance model as well as a mature security model.
  • Enforces European data sovereignty.
  • It is future-proof: it can be used directly for future, more user-centric solutions (self-sovereign identity or similar).
  • Can be implemented quickly.
  • Not magic: scope and data standards need to be defined.
  • No inherent auto-discovery. This, or "yellow pages" for lookup, must be defined for scalability and ease of use.

Hopefully this places this solution pattern among those that will be considered to solve the problems that need solving. Needless to say, there will be other proposals or variants similar to this that can and will be proposed and evaluated against a scorecard.

Summary

In this article I have discussed a problem domain that needs to be solved for digitization and a deep single market to happen. The approach has been evolution, not revolution, in terms of suggested remedies, which hopefully will be appreciated and evaluated.

If nothing else, I hope to have raised awareness of this subject through this article. This is not ready for consumption based on this article alone, but it should be ready for a broader discussion in which, hopefully, some part of my suggested solution space will be seen as a valuable contribution.

I have also suggested a solution pattern which I believe would be a good way of approaching this, though I assume there will be other proposals and ideas in this area, and there are still areas to be covered should this proposal be operationalized fully.

So let the discussions begin; I am more than happy to interact and take part in this new journey.

About the author

Ronny Khan is an IT and business development specialist within the Norwegian financial sector, who is involved in the standardization effort on remote natural-person identification targeting trust level high, as part of a shared effort by the banking association with public sector stakeholders, and is a member of the EU expert group on electronic identities and KYC.

He is currently working full time, seconded to the banking association as liaison with key players in the public sector, to ensure deployment at scale of remote onboarding for electronic identities.

He also participates in ISO standardization and in national standardization with a focus on biometrics and security in retail banking, is a keen follower of the area of identity, identity proofing and KYC, and is always looking for new interesting domains. Currently he is focused on digital validation as a natural evolution of digital identities.

Previously he has worked within a broad field covering digital identities, internet bank authentication/authorization, card security and telecommunications.

More information on Ronny's homepage

The analysis is absolutely correct. The EU should stay ahead of the curve and focus on common patterns, requirements and standards as facilitating elements. The proposal sketched is a very appealing one, and I also like very much the clear and rich framing and discussion of the issues underpinning it. Very good, Ronny!

Audrius Ramoska

EUDI-Wallet | eIDAS | Solutions to connect your systems to the EU Digital Identity Wallet ecosystem. For traditional business and web3.

4 years

Exactly to the point, and discussion is needed without long delay. In some EU countries research was executed on how to improve KYC. The outcome recommendations are for a consolidated API, which is not the right solution for the future. The mentioned new developments (SSI, Verifiable Credentials) are not well known yet.
