You want my digital identity, I want something in return

Approaching digital identity as a ‘this for that’ arrangement is the only way the private sector and Government can live in cyber harmony, argues Frank Joshi.

Government need not be fearful or resist distributed digital identities. It’s already happening as a by-product of the completely normal and natural way citizens interact in life with public services as well as online.

Neither should private sector firms wince or grumble. People - whether we’re called subscribers, users, or customers - already interact on a commercial basis in exactly the same way as we do with public services, albeit with greater variation.

You see, as people we are willing to consent to certain organisations knowing certain things about us. And that’s perfectly reasonable and normal.

We divulge information about ourselves usually in a something-for-something exchange. Think of it as a “this for that” or quid pro quo.

Without turning theoretical on you, it’s helpful to understand why with a quick recap of the context. Citizens are free to do whatever we want. In the social contract, as citizens we cede a portion of our freedoms to Government in exchange for them keeping us safe. And we cede a further portion of our freedoms to the rule of law in exchange for protecting us and giving us justice.

And it’s this self same principle which characterises how we give consent to organisations wishing to know who we are, what we do, when we were born, where we live, and why we want access to a system, a service or a product. All these things about you, technically termed “attributes”, prove important as we go through our daily lives.

As more of our daily lives become and digitised and conducted online these (and further) attributes need to be stated and restated. We shouldn’t be jumpy about this. We share attributes about ourselves widely to attest to who we are to those we trust.

Whereas the idea of having a digital identity is now quite commonplace, the technology behind it is quite disruptive. It has to be. A digital identity must be resilient enough to thwart misuse by those who don’t exhibit desired behaviours toward it; fraudsters, hackers, black hats. Or use by others unauthorised to do so. Disreputable companies run by disreputable individuals who care nothing for mine or your reputation. You know who I mean.

Or even use by, yes - I said it - by Government, in ways we never consented to or signed up for. I’ll spare you the lecture on the Snoopers Charter.

Do you see now why distributed identity is the only digital identity worth having?

Nitty Gritty

Let’s take an easy one such as renewing your car tax: entering a unique reference number triggers a look-up on DVLA records for a registered keeper of the vehicle, on VOSA records for a valid MOT for the vehicle and on Motor Insurance Database (MID) for a valid motor policy on the vehicle. It also knows who you are. Completing the transaction requires payment information and that means it has to check attributes about you, such as who you bank with. To receive confirmation of the payment and of the car tax, you consent to receiving an email or text message or both, so technically speaking the system can check further attributes about you such as email provider, mobile service operator, etc.

Each of those steps hinge on a validation, usually a yes or a no, checked against the attributes each system holds about the vehicle or about you in its respective dataset.

There’s nothing malicious about any of this. We each have a digital footprint if we perform online transactions like this or any other kind.

Let’s continue this example.

Drive over the QEII bridge on the M25 at Dartford and you’ll have to pay the Dart Charge or expect a Penalty Charge Notice. The ANPR cameras will make sure of that (to quote actor Liam Neeson, “I will find you”).

Drive into central London, enter any Congestion Zone and you’ll have to pay Congestion Charge to Transport for London. It will have a geo-location attribute for where and when you entered a Congestion Zone and the same. Remember, systems operated by TFL are so well developed this organisation is on record as saving it’s a data company not a transport and travel company. So much so they sell their know-how to other cities around the world. But I digress.

Leave the car at home and take the train (if it’s running on time, or at all – oops I said that out loud, didn’t I?)

Buy a train ticket online and pick it up at the station; you’ll obviously pay for it either with bank debit or credit card or a payment provider such as PayPal. Using the tangerine ticket, or better still smart ticketing or even your smart phone, to carry your authority to travel you’ll soon be on your way. You’ll need that to get through the station gates or for when the conductor comes to inspect your ticket.

You can begin to see where a multitude of disparate systems “intersect”.

Let’s continue on our journey.

Buy yourself a flat white and a slice of lemon drizzle cake at the coffee shop. The barista will write your name on the cup (you’re Darth Vadar today – right?) and you enjoy your coffee and cake in exchange for them processing your contactless payment in seconds.

Over your coffee you take out your mobile and go to a price comparison site, search on services that interest you and move the slide-y scales around until you find the deal you want. Maybe you want some motor insurance on that car you left at home today.

Maybe you find a holiday deal and want to check you’re not paying too much. You input destinations, times and dates you’ll be away. It returns results by aggregating multiple sources of data in the background just to be able to display what you want to know on your screen. 17 people are looking at the deal you are (aren’t they always?), so you decide to pounce to secure it, triggering a booking instruction and sales transaction, together with a sequence of data driven events in multiple systems which each save some attributes of what you just bought.

Or maybe you buy Aunt Dorothy a copy of her favourite novel on a popular online store and it will learn your purchasing history, of course try to cross-sell you something else, take your payment and ship to your postal address. The card issuer checks if it’s you and if you’re good for the money, the merchant saves the transaction, their sales order system saves some analysis codes about what was sold, the issuing bank releases the money.

So if it’s alright giving information about yourself to commercial firms, why not to those who provide public services? In fact we already do.

The Register Office records births, marriages/civil partnerships and deaths. The certificates it issues contain vital attributes about you.

Enrol on the electoral register and your local authority will store attributes about you, your postal address, your age (for eligibility) and register you alongside any others who reside at the same address. You can validate or request they amend those details online. Those data and attributes are used by the local authority to estimate demand and to deliver other services, as well as to calculate how you owe them for Council Tax.

Ahead of local authority elections, by-elections or general elections they’ll send you a printed card replete with some of your details including an attribute called your electoral register reference number. Without it you cannot perform your civic duty and vote.

A digital footprint is pretty much inescapable. But it should be down to you to give your consent to anyone, supplier or authority, who wants to know attributes about you. And it should be your responsibility to create a digital identity that they can use to assure themselves you are who you claim to be.

So you can see, it’s all about Give and take. Quid pro quo. This for that. Something for something.

Your digital identity is already more distributed than you might think.

And that is why for GOV.UK Verify to be trusted everyday by us the people, it has to expand to be an everyday part of our lives not just something we use when interfacing with Government for public services.

Frank Joshi is director of Mvine Ltd, an established UK SME specialising in distributed digital identity technologies.

First published in Government Computing, 03 April 2017.

Frank's next post 'Government-assured digital identity has arrived at a pivot point' will be published shortly.