I recently participated in a Treasury Identity Forum organized by the US Treasury Department in Washington, DC. The Forum focused “on the critical role of legal identity for financial inclusion, economic development, and anti-money laundering/counter financing of terrorism (AML/CFT) safeguards, and the development of new technology identification/authentication solutions to help achieve these goals.” It brought together stakeholders from governments, financial service companies, FinTech startups and technologists to better understand how emerging technologies and legal frameworks can help us develop the required digital identity systems.
I was a member of a panel on how government, business and research communities can collaborate in developing workable identity solutions. Let me summarize the points I made in my introductory remarks.
From time immemorial, our identity systems have been based on face-to-face interactions and on physical documents and processes. But, the transition to a digital economy requires radically different identity systems. As the economy and society move toward a world where interactions are primarily governed by digital data and transactions, our existing methods of managing identity and data security are proving inadequate. Large-scale fraud, identity theft and data breaches are becoming common, and a large fraction of the world’s population lacks the credentials needed to be part of the digital economy.
Earlier this year, the World Economic Forum (WEF) published an excellent report, A Blueprint for Digital Identity. The report lays out a framework for the creation of digital identity systems, and discusses the benefits that such systems would bring to their various stakeholders. In addition, it includes a primer on identity which I found to be the most satisfying explanation of what identity is all about.
Whether physical or digital in nature, identity is a collection of information or attributes associated with a specific entity. Identities can be assigned to three main kinds of entities: individuals, institutions, and assets. For individuals, there are three main categories of attributes:
- Inherent attributes are intrinsic to each specific individual, such as date of birth, weight, height, color of eyes, fingerprints, retinal scans and other biometrics.
- Assigned attributes are attached to individuals, and reflect their relationships with different institutions. These include social security ID, passport number, driver’s license number, e-mail address, telephone numbers, and login IDs and passwords.
- Accumulated attributes have been gathered over time, and can change and evolve throughout a person’s lifespan. These include education, job and residential histories, health records, friends and colleagues, pets, sports preferences, and organizational affiliations.
Attributes are used to determine the particular transactions in which the individual can rightfully participate. The attributes needed to certify your identity or permissions will vary with different kinds of transactions. For example, to buy alcohol, all you need is proof that the individual is over the legal drinking age. Approving a moderate financial transaction might require a relatively small number of attributes, but a large financial transactions like the purchase of a house will require many more attributes. Getting a passport or TSA Global Entry involves a different set of attributes from financial transactions, and so on.
These data attributes are generally siloed within different private and public sector institutions, each using its data for its own purposes. But to reach a higher level of privacy and security, we need to establish trusted data ecosystems, which requires the interoperability and sharing of data across a variety of institutions. The more data sources a trusted ecosystem has access to, the higher the probability of detecting fraud and identity theft while reducing false positives. In addition, an ecosystem with a wide variety of data sources can help foster economic inclusiveness by certifying the identities and credit worthiness of poor people with no banking affiliation.
It’s not only highly unsafe, but also totally infeasible to gather all the needed attributes in a central data warehouse. Few institutions will let their critical data out of their premises. But, there are innovative ways to move forward, in particular the identity and data sharing framework being developed at MIT Connection Science, a recently established research initiative led by MIT Media Lab professor, Sandy Pentland.
A few weeks ago, MIT Connection Science published Trust: Data: A New Framework for Identity and Data Sharing, a collection of articles edited by Professor Pentland, Thomas Hardjono and David Shrier. I’m a Fellow in MIT Connection Science, and was a co-author of the book’s first chapter, which summarized the key elements of such a framework.
Robust Digital Identity. “Identity, whether personal or organizational, is the key that unlocks all other data and data sharing functions. Digital Identity includes not only having unique and unforgeable credentials that work everywhere, but also the ability to access all the data linked to your identity and the ability to control the persona that you present in different situations… the work you, the health system you, the government youand many other permutations. Each of these pseudonym identities will have different data access associated with them, and be owned and controlled only by the core biological you.”
Universal Access. Universal access, like open data, is the kind of principle few would disagree with. However, to be effective, universal access requires a legal structure. “The U.S. Government can promote universal access by policies that provide for secure, citizen-controlled Personal Data Stores for all citizens in a manner analogous to current physical Post Office Boxes, and promote their use by making government benefits and interactions such as tax transfers and information inquiries conveniently available by mobile devices and web interfaces secured by the citizens’ digital identity.”
Distributed Internet Trust Authorities. “We have repeatedly seen that centralized system administration is the weakest link in cybersecurity, enabling both insiders and opponents to destroy our system security with a single exploit. The most practical solution to this problem is to have authority distributed among many trusted actors, so that compromise of one or even a few authorities does not destroy the system security consensus… Examples such as the blockchain that underlies most digital cryptocurrencies show that distributed ledgers can provide world-wide security even in very hostile environments.”
Distributed safe computation. “Our critical systems will suffer increasing rates of damage and compromise unless we move decisively toward pervasive use of data minimization, more encryption and distributed computation. Current firewall, event sharing, and attack detection approaches are simply not feasible as long-run solutions for cybersecurity, and we need to adopt an inherently more robust approach. The optimal technology for such an inherently safe data ecosystem is currently being built and tested [in] MIT’s Enigma project.”
Earlier this year, Pentland explained the key elements of Enigma as part of his testimony to a Presidential Commission on Enhancing National Cybersecurity.
Continue reading the full blog, originally posted Nov. 14, here.