Digital Identity Series - The Right Environment

While the world is on lockdown and we’re all seeing some of the disruptions that a remote life, confined to the digital realm, can bring, it seemed appropriate to share some insight into how creating a digital identity for our citizens can limit some of these difficulties.

I wanted to dig a little deeper than past posts into some of the challenges we face when implementing such a service, and what steps we can take and considerations we need to make to achieve success. In this short series, we’ve looked at why banks can be a valuable asset when it comes to starting a digital identity service, at what to consider when looking to build a user base, and what technologies might best suit the solution being designed. This last post from me in the series tries to look more broadly at the environment all of this will live in, and as a bonus, my colleague, Tobias Koch, from our Data Exchange Technologies department will dive into some real-world examples of where we’ve seen the right environment and attitudes lead to successful digital government transformations.

Over the past months, prior to the pandemic, I’ve heard how “digital identity won’t work here, there’s no market”, and “if a digital identity service could turn a profit, there’d already be one here”. It’s understandable to think this if a nation has been trying for years, spending millions, and still nothing happens and no one comes along and sprouts a successful digital identity business. But the problem can be that the government has not created the right environment to enable such a service to flourish, or that the environment that has been created has not had the right focus. What I want to express in this short post is that there is more to achieving a service with truly high population penetration, one that offers value to citizens, government, and businesses, than just the technology or our partners.

The right environment is vital. When I say environment, I’m talking legal and regulatory. It’s the laws and regulations that help build trust and value in a digital identity service, both vital components. They must reference what data makes up a digital identity, and what data can be recorded and stored by the provider. They need to address who has access to this data, what can be done with this data, and what can happen to the service provider themselves (e.g. can they be purchased by a foreign entity?). It’s the answers and outcomes of these questions (and many more) that help to give some semblance of comfort to the end-user, who just wants to know that their data is being handled responsibly and their assets are safe. It’s also worth noting that the answers to these questions can turn away certain kinds of businesses that expect to make money from personal data, but monetizing personal data is often seen as a negative by the general public and can ultimately undo our efforts to build trust in the system.

Setting up the right environment should be done ahead of making any technology-based decisions, but it is wise to have an understanding of the technology market, and to listen to the experts and vendors in the field, because developing laws and regulations in isolation can potentially create an impossible environment where no existing solution can run. No doubt, this is the case for any scenario where reasonably heavy regulation is required in a technological environment, but it’s good to remember. There’s a fine line between locking every vendor out of the market and creating an environment with unsafe standards.

There is a lot to creating the right legal and regulatory situation. It must enable both the public and private sector to benefit. Of course, when it comes to laws and regulations, the government is taking the lead and making the decisions, and this can lead to too much of a focus on the public sector, and not enough consideration of the needs of the private. As I’ve covered in this series, a digital identity service must overcome the challenge of a two-sided market and create value for both the citizens and the online service providers, and because citizens seldom interact with their government each year, it can be hard to offer significant value with government services alone. Without the right services, we won’t get a good user-base. Without a relatively large user-base, services won’t see value and get involved. This is true, even within government. So, there must be value for both sides and this means bringing the private sector onboard from the beginning.

I’ve previously written about how to build trust and value in digital identity solutions, as they are vital components to aid in creating a high population penetrating digital identity service. But as the threats become more prevalent, more sophisticated, as they evolve to side-step new measures we take, the laws and regulations (e.g. Digital Signature or Personal Data Acts, eIDAS, GDPR, PSD2, AML5, etc.) must ensure the right precautions are being taken to protect the end-user’s data, assets, and sovereignty. If technology and service providers aren’t forced to live up to certain standards, they themselves can get burnt alongside the victims of the latest scams and viruses.

There is so much more to what makes a digital identity service successful, even more than what can be covered in a short blog series like this, but one thing I haven’t gone too deeply into in this series is the services. As I said, they can’t just be public sector/government. The private sector must be involved as well, and we need to ensure the regulatory environment makes integrating into such a service attractive. I’ve mentioned in the first post in this series that banks are so very often key, and even in developing countries, links to financial assets, like subsidy claims and distribution, or remote/rural areas and payment between small businesses and customers, are key factors in building value, and with it, interest in the service. This must be considered when creating the rules our digital identity services will have to live by.

As a final point, in order to offer valuable services in banking and government, we must lay down a secure and easily trusted legal and regulatory environment. Without PSD2, we wouldn’t see two-factor authentication being forced on banks; without eIDAS, we wouldn’t be at the beginning of a very advanced Europe, where online interactions with other EU governments will become not only possible, but extremely easy. These are EU-wide regulations, but outside of the EU, or within individual countries in the EU, there is opportunity to create scenarios where digital identity can not only exist, but can thrive and benefit everyone in society, while making a profit. There are many examples of profitable digital identity services around the world, with governments that made moves decades ago to create the environment. We should look to these countries to learn and replicate the environment in which digital identity services can benefit everyone in society.

Written by Max van de Poll