Markets are complex, with many moving parts and participants of various types. The Digital Identity market is no exception. Maintaining order in such complex systems almost always requires oversight of some type, and as a result, market oversight organisations are commonplace.
Whatever the shape of the overseeing organisation, the roles they play tend to be very similar:
- To ensure the market operates in an open, transparent manner
- To protect participants and consumers
- To ensure technical interoperability, and that standards are followed
As the market in digital identity continues to emerge, the first question arises: does the UK digital identity market need an oversight organisation, and if so, what should its shape and role be?
To answer this, Innovate Identity wrote a paper for the Open Identity Exchange and gathered information from a range of similar organisations operating in a range of UK markets, from financial services organisations, to Gemserv, Nominet and others. This gave a view of the types of roles they undertake, their structure and governance, their sources of funding and membership models, as well as their origin and route to maturity.
These findings were tested amongst a group of regulators, government representatives and private sector associations, to establish whether what had been discovered could guide oversight of the digital identity ecosystem.
This resulted in a ‘blueprint’ for how an oversight organisation might emerge, its form and function, and the role it needs to play in the market:
- First and foremost, the organisation would ideally be formed in partnership between the private sector and government.
- Initial funding should also come from both public and private sector, while over time membership fees and other revenue streams can become self-sustaining.
- The oversight organisation’s primary function should be to shape a trust framework which reflects market conditions and needs.
- While the development of standards is not considered a key role for the organisation itself, recognising and undertaking equivalency analysis and forming an interoperability framework for standards is vital, alongside producing accessible guidance to help participants.
- The organisation need not be large – maintaining a slim, minimally necessary functional layer should be the aim, particularly at the outset.
There is clear recognition that a national oversight organisation is needed to orchestrate and govern a digital identity ecosystem in the UK, and that this organisation needs to be representative of all stakeholders across the UK. Representation could come in a number of forms, from membership of the organisation, to advisory panels and user groups. The recommendation is that, through collaboration between the public and private sectors, an independent authority should be established, accountable for oversight of a Government-developed or approved trust framework.
Whilst this study is focused on the immediate need of the UK, the findings around how a digital competent authority might be formed would be applicable in any sovereign state. Our second question is how to drive interoperability across national borders? There may well be a need for oversight and interoperability in the international digital identity market, therefore we need to think about what form this may take.
Digital identity is an enabler of digital inclusion and digital transformation. It provides the missing identity layer on the Internet, and for open data initiatives such as Open Banking. Digital identities have to be trusted not only at a national level but globally in much the same way as a passport or a www top level domain is today. This leads to a conclusion that there will need to be a global organisation to orchestrate and oversee the governance and interoperability of nationally recognised trust frameworks and digital identity schemes across state borders.
Where digital identity schemes currently exist, they are usually bound to a particular national geography, and digital identities are seldom accepted abroad.
The EU has begun to change this – the eIDAS Regulation establishes a trust framework that spans member states. An identity created in one country within a scheme notified under eIDAS can be used (and indeed MUST be accepted) in any other EU state that has an equivalent notified scheme to access public services.
The multi-national political framework that exists in the EU is unique and hard to replicate elsewhere in the world. That said, the EU approach of allowing national determination of how a scheme is developed, and focusing instead on the equivalency of the outcome and level of assurance, may be an important lesson for any other cross-national efforts.
Meanwhile, in countries that are developing digital identity ecosystems that are not based on national identity schemes or existing bank-led schemes, notably Australia, New Zealand and Canada, progress is being made to establish trust frameworks at a national level. These are based on a robust approach to the privacy, safety and security of citizens, federated identity models, Open Technical Standards, and a mix of self-certification and independent-certification processes.
What can we learn from other sectors?
We examined how oversight and interoperability are tackled in air travel, telecoms, and the internet. Organisations such as ICAO, ICANN and the ITU have developed over decades, and now enjoy a high level of government recognition, and often UN specialised agency status.
However, they also set standards, something that may not be required for digital identity. And they follow complex multi-stakeholder organisational models which seem disproportionately complex and expensive for an emerging market such as digital identity.
On the other hand, there are organisations such as the FIDO Alliance and OpenID Foundation that set international standards, a vital element of interoperability, and are organised on a much smaller scale.
These may be more representative of a mid-term model for digital identity: a relatively slim international organisation focused on undertaking interoperability assessments, certification and recognising standards that are developed by other organisations.
For the immediate future, the input from international stakeholders involved in the project has been relatively consistent – to begin to build a cross-border framework via bilateral and limited multi-lateral interoperability and equivalency assessments.
Such work is in proportion to the level of systemic importance and risk that the digital identity market currently represents.
Internationally, that importance is growing as more states find ways to solve the digital identity challenge, and people increasingly look to use their digital identity across borders. Whether that eventually grows into the need for a UN mandate and a larger and more complex organisation remains to be seen. In the short term, exploring bilateral interoperability between different regional frameworks could determine what the best approach would be.
Ewan Willars, Innovate Identity, Open Identity Exchange