When did you last need to prove your identity? Not just remember a PIN number to use a credit card – though that is, in a way, a proof of identity as the owner of the account – or show a security pass to get into the office, but really demonstrate your legal identity.
The fact that a person living in the UK might not be sure about the answer to this illustrates two points about identity. One is that it is rare, not to say exceptional, to have to prove identity in daily life. The other is that in a jurisdiction where national identity cards have not been issued since the 1950s, many people might wonder exactly what proving identity might mean. Presenting a passport at an airport is certainly a proof of legal identity – that the bearer is a citizen of the issuing country and entitled to its protection when abroad – but the very statement demonstrates that this identity attribute is relevant only in the context of travelling to and being in a different jurisdiction.
The nub of what possessing an identity means, in legal terms, is access and entitlement. For many UK residents the requirement to present a driver’s licence as proof of age to enter a nightclub, or entitlement to be driving a vehicle, are probably the most familiar occasions when this sort of identification is needed. But this immediately highlights the fact that the attributes which are required in proving identity are different on every occasion. Age, citizenship, competence to drive, entitlement to health services, membership of a club or a professional qualification: no single token is able to verify every attribute that might need to be demonstrated. Although a number of EU Member States have introduced forms of electronic identification, or eIDs, they are limited as to their applications. Health entitlement is commonly included, but a range of other applications such as voting or registering changes of address have been incorporated in different countries’ implementations.
It is not surprising, therefore, that self-sovereign identity is among the many other applications now being proposed for the blockchain, or distributed ledger technology. A cache of personal data, continually growing as the individual acquires further relevant attributes – degrees, attestations, parental responsibility for a child – preserved in tamper-proof fashion for as long as the ledger persists, could be referenced on every occasion when verification of the relevant attribute was required. The individual, rather than the government or another institution, controls what data is accessed, when and for what purpose. And being digital, the self-sovereign identity could include associations with avatars (for gamers) or social media accounts which a purely real-world identity tends to exclude. Finally, a global blockchain identity would solve the interoperability problem plaguing even European eIDs, such that citizens from one Member State are still unable to present their eID in another and receive the services to which they are entitled. (Despite the promising title, the European Electronic Identification and Trust Services for Electronic Transactions Regulation (910/2014) does not require Member States to develop interoperable eIDs, it only provides a framework for mutual recognition of those eID schemes which are in fact notified as interoperable. Three years after enactment of the Regulation, only one eID scheme, that of Germany, has been notified.)
It is therefore not surprising that a number of organisations are working on such solutions, including ID2020, a global alliance working with the UN High Commission for Refugees to develop digital identities which could be used by displaced persons. To read the hype, you might be forgiven for thinking the age of physical identity tokens such as passports was coming to an end.
There are obvious but solvable problems: of personal privacy and the need to be able to change attributes – when a passport expires, or a professional qualification lapses. The ledger might need to store pointers to the data, rather than the data itself, though that would undermine the immutability which is much of the attraction of the idea. There is also the question of how such systems would achieve the trust status necessary to be generally accepted as reliable proof of the claimed attributes. But this might be only a question of time, technical credibility and familiarity.
The distributed ledger solution may, however, suffer from a more significant practical problem: the accumulation of so many disparate aspects of an individual’s legal and biographical attributes simply not being necessary. Establishing, verifying and maintaining such an extensive set of data is an administrative burden very few individuals are likely to welcome when it is not an externally imposed obligation. Fundamentally, people are bad at maintaining complex databases: it requires constant attention to detail wholly incompatible with today’s convenience culture. Managing piecemeal, obtaining and presenting the specific token or evidence to verify a specific attribute as and when needed almost certainly takes more effort when the effort is summed over the whole of an individual’s lifetime, but on a daily basis it requires a lot less engagement. And the occasion when an individual is required to verify all of their identity attributes at once, from highest Call of Duty scores to school leaving certificate through to national insurance number and current nursing registration, is never going to arise.
Lorna Brazell is a Partner at Osborne Clarke LLP.