Are we asking the right questions about identity?
Alan Mitchell, Chairman of The Mydex Community Interest Company has blogged this view of the Economics of Identity as an alternative to that provided by Heiko Rossnagel and Michael Kubach from Fraunhofer IAO. I am happy that these different ideas can be debated. I am not even sure if just one solution is possible, and if that is the case, can different concepts co-exist? - Jon Shamah
Are we asking the right questions about identity?
As the old saying goes, if you ask a silly question expect a silly answer. For
example, if you ask the question “how to reach the pot of gold at the end of the
rainbow?” you could waste a lot of time and effort in your quest for that gold.
A few weeks back, Michael Kubach and Heiko Rossnagel from Fraunhofer IAO
laid down a gauntlet to the identity community with an article asking whether
economically viable ID ecosystems can be built. The problem is simple: most of
the main actors in identity so far see it as a way to capture a pot of gold for
themselves at the end of the identity rainbow. But not enough people are
prepared to hand this gold over.
Result? A stalemate where, the authors suggest, the only solution may be for the
necessary infrastructures to be permanently subsidised by the state.
An alternative question
There is, however, a different way of thinking about digital identity. It asks
different questions which quickly lead us to some very different answers.
When push comes to shove, identities are assured when enough verified
attributes about an individual can be presented. An identity, then, is not a
separate ‘thing’ in itself - a product to be packaged and sold. It is actually
generated as a by-product of the ability to share verified attributes.
Depending on the situation and context, including who is attempting to verify
the identity for what purpose, the verified attributes in question may vary. In
some cases, more such attributes may be needed with higher levels of security
surrounding them. In others, maybe less are needed. Which means that this
ability to share verified attributes needs to be flexible: customisable, capable of
dealing with a wide range of different requirements.
An alternative answer
As it so happens, the means of delivering such flexible, customisable data
sharing has already been built in answer not to this question of identity but
another question entirely: how to eliminate the huge amounts of friction, effort,
risk and cost that service providers and customers currently incur when trying to
find, present and use the data they need to access and provide the services in
question?
One way of doing this is to provide individuals with their own personal data
stores (PDSs), and to enable service providers to deposit cryptographically
secure verified attributes in these PDSs, so that individuals can reuse them as
and when needed.
It turns out that provision of this safe, neutral, enabling data logistics
infrastructure works just as well for the sharing of verified attributes for the
purposes of identity assurance as for service access and delivery. Which means
that the problem of identity assurance can be solved, not by vast complicated
attempts to create a new ‘identity industry’ but by solving a different problem
instead: how to enable data sharing for the purposes of efficient, effective
service delivery.
The value capture logjam
In their article, Michael Kubach and Heiko Rossnagel rightly point out that the
identity industry’s current commercial logjam boils down to the issue of value
capture. This is how they sum it up: “It is largely unclear how opportunities for
value capture can be realised through various fees without creating adoption
barriers that are too high in view of limited willingness to pay by the other
actors”.
But this value capture logjam only arises if those involved insist on treating
identity as a product to be sold in a market for a profit. In the context of data
sharing for the purposes of improved service provision this isn’t necessary. A
completely different set of economic considerations kick in instead.
Data is shared between individuals and service providers as extensions of their
existing relationships, the legal basis being the data portability provisions of
GDPR (Article 20 in particular). No prices are set for this data, no money changes
hands, and no margins (profits) are made on the sale of any items.
Yet huge amounts of time, effort and money are saved because improved data
sharing eliminates the multiple layers of friction, duplicated and unnecessary
effort, risk and cost that are generated by today’s data systems - data systems
that are organised around separate, isolated organisation-centric data silos that
are designed to hold data close to the organisation’s chest and NOT to share it.
In other words, when identities are assured as a by-product of the sharing of
verified attributes (made possible by the use of neutral, enabling data logistics /
personal data store infrastructure), the ‘value capture’ dilemma is replaced by
the new win-wins of improved data sharing.
A way forward?
We at Mydex CIC first began to realise all this over a decade ago, when we were
chosen by the UK Government to be one of just five companies to pioneer its
‘Verify’ identity assurance programme. It was our experiences in this programme
- including the huge cost savings we saw once we made it possible to easily and
safely share the building blocks of identity (verified attributes) - that led us to
these conclusions.
This is what led us to build our existing personal data platform which is now up,
running and operational 24/7/365, specifically to provide the safe neutral
enabling data logistics infrastructure that this approach needs.
That doesn’t mean all obstacles and challenges are simply waved away. To
ensure its ongoing integrity, a huge amount of thought and effort needs to go
into the design and operation of this infrastructure and its operation. Many
technical interoperability issues need to be overcome.
Collective action problems don’t simply disappear either. While it is in every
service provider’s interests to be able to tap into a system where the data they
need can be provided by individuals instantly and safely, it is in none of these
service providers’ interests to start the systemic ball rolling by populating an
individual’s personal data store with their data. In the short term, all that does is
help other organisations improve their operations while they pay the costs.
So, as Kubach and Rossnagel conclude, some Government intervention may be
necessary. But this intervention doesn’t have to take the form of a permanent
subsidy. All it needs is some initial pump-priming to establish the critical mass
for a system that would quickly do more than pay for itself.
In short, an economically viable ID ecosystem is indeed possible. But it only
becomes possible when we start asking a different set of questions to find a
different set of answers.
Alan Mitchell
Chairman, Mydex Community Interest Company