What is “digital identity”?
It’s probably more than you think.
The term “digital identity” is used to describe a multitude of different concepts. This article provides a comprehensive overview of how different actors use the term and highlights the aspects that are relevant from an individual’s perspective.
It depends on the context!
The meaning of the term “digital identity” depends greatly on the context it is used in. In the following I will provide you with seven perspectives on how different stakeholders use the term.
Government stakeholders, but also regulated companies that use or offer identification processes (“KYC — Know Your Customer”), primarily use the term to refer to the real-world identity of a person. Mostly this is a credential issued by a government authority to a citizen, such as a passport, ID card or driving licence. The credential contains a set of attributes that describe a person and differentiate them from others, which enables the identification of a natural person.
The identification of a person in an online scenario depends heavily on the eID system in use, but combines a minimum of two of the following authentication factors:
Inherence (biometrics): Auto-ident or similar procedures and liveness checks aided by facial recognition
Knowledge: PIN, passwords or one-time codes (e.g. via SMS) etc.
Ownership (possession): Smart cards (e.g. the eID card) or secure elements on smartphones
While some governments recognise that digital identity is more than this single credential, their mental model is very much limited to attributes and credentials in general.
Private sector companies and the traditional identity and access management (IAM) sector use the term to refer to user accounts under the control of a single entity. Hence, the identity is an entry within a proprietary database (e.g. Active Directory) of an organisation, which grants identity subjects (customers or employees) rights to perform certain actions within the domain of the organisation.
This is a very limited perspective on a digital identity, which is only valid within the domain of the organisation in question. Every internet user has multiple user accounts at different organisations, creating a fractured identity landscape for individuals and companies alike. Access to these user accounts is mostly enabled via email and password, via single sign-on solutions by big tech (“Sign in with Google”) or via other passwordless approaches.
The WEB 3.0 community primarily uses the term to refer to user accounts, reputation systems, credentials and assets. The community frequently uses the terms “decentralised identity” or “WEB3 identity” to describe its approach and to differentiate it from government-issued “real world” identities. WEB3 solutions distinguish themselves by using distributed ledgers (blockchains) with public read and write access as a single source of truth. By using a shared infrastructure, WEB3 solutions aim to avoid centralised and proprietary systems.
When assessing WEB3 identity solutions it’s crucial to differentiate between on-chain and off-chain identities. On-chain identities are written directly to the ledger and are therefore public by default. Once written to the ledger they can’t be deleted, only declared invalid. These on-chain identities should be handled with great care when dealing with personally identifiable information. Examples are NFTs, Soulbound Tokens (SBT) and the Ethereum Name Service (ENS).
This is in strong contrast to off-chain identities, for which only the public keys of issuers and other metadata are written to the public ledger. Examples include verifiable credentials and some zero-knowledge proof implementations.
The self-sovereign identity (SSI) community uses the term from a variety of perspectives, but focuses on user accounts, credentialing and relationships as well as the governance of identity frameworks. These frameworks aim to provide a foundation for digital trust — not only in cryptography, but also in humans, organisations and processes. The community sees SSI as a concept that provides guiding principles for an identity ecosystem in which the individual is empowered and protected. The solutions aim to provide a holistic answer that is not only user-centric, but also enables people to assert control over their relationships and user accounts.
The community exclusively uses verifiable credentials in combination with decentralised identifiers controlled by the user from within a digital wallet. SSI integrations work with both centralised and decentralised public key infrastructures. Currently, most integrations leverage distributed ledgers with permissioned write and public read rights to ensure regulatory compliance.
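The on-chain versus off-chain distinction from the WEB3 section and the ledger model from the SSI section come down to one design rule: the ledger anchors issuer public keys and revocation status, while the credential with its personal data stays in the holder’s wallet. The following Go program is an added example, not code from this article or from any project it mentions, that makes the rule concrete: a constructed in-memory Ledger holds only issuer DIDs, their Ed25519 keys and a revocation list; credentials are signed and verified off-chain. The DIDs, the credential layout and the ledger API are stand-ins, not a real DID method or ledger interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ledger is a constructed stand-in for the public-read view of a permissioned
// ledger. Only issuer DIDs with their public keys and a revocation list of
// credential IDs are written here; no claims about people ever touch it.
type Ledger struct {
	IssuerKeys map[string]ed25519.PublicKey
	Revoked    map[string]bool
}

func NewLedger() *Ledger {
	return &Ledger{IssuerKeys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

// RegisterIssuer is the permissioned write: anchoring an issuer's key.
func (l *Ledger) RegisterIssuer(did string, pub ed25519.PublicKey) {
	l.IssuerKeys[did] = pub
}

// Revoke declares a credential invalid. Entries are never deleted, mirroring
// the append-only nature of a ledger: invalidation is the only "undo".
func (l *Ledger) Revoke(credentialID string) {
	l.Revoked[credentialID] = true
}

// Credential is the off-chain payload; it lives in the holder's wallet.
type Credential struct {
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`  // issuer DID, resolvable via the ledger
	Subject string            `json:"subject"` // holder DID
	Claims  map[string]string `json:"claims"`  // the personal data that must stay off-chain
}

type SignedCredential struct {
	Credential Credential `json:"credential"`
	Signature  []byte     `json:"signature"`
}

// canonical produces the bytes that are signed. encoding/json emits struct
// fields in declaration order and sorts map keys, so the output is stable.
func canonical(c Credential) ([]byte, error) {
	return json.Marshal(c)
}

// Issue signs the canonical form of the credential with the issuer's key.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrUnknownIssuer = errors.New("issuer DID not anchored on ledger")
	ErrBadSignature  = errors.New("signature does not verify against issuer key")
	ErrRevoked       = errors.New("credential has been revoked")
)

// Verify resolves the issuer key from the ledger, checks the signature over
// the off-chain payload, then consults the revocation list.
func Verify(l *Ledger, sc SignedCredential) error {
	pub, ok := l.IssuerKeys[sc.Credential.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	msg, err := canonical(sc.Credential)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Signature) {
		return ErrBadSignature
	}
	if l.Revoked[sc.Credential.ID] {
		return ErrRevoked
	}
	return nil
}

func main() {
	ledger := NewLedger()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger.RegisterIssuer("did:example:university", pub) // constructed DID

	cred := Credential{ID: "urn:example:cred-1", Issuer: "did:example:university",
		Subject: "did:example:alice", Claims: map[string]string{"degree": "MSc"}}
	sc, _ := Issue(priv, cred)
	fmt.Println("fresh credential:", Verify(ledger, sc))

	sc.Credential.Claims["degree"] = "PhD" // tampering with the off-chain payload
	fmt.Println("tampered payload:", Verify(ledger, sc))

	sc.Credential.Claims["degree"] = "MSc"
	ledger.Revoke(cred.ID) // declared invalid on the ledger, never deleted
	fmt.Println("after revocation:", Verify(ledger, sc))
}
```

The point to take from the code is what the verifier never needs: it reads nothing about the holder from the ledger, so the ledger can be public-read without exposing personal data, which is exactly the property an on-chain identity such as an SBT or ENS record lacks.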
Service providers specialised in identity fraud prevention use the term to refer to the personal data of a person offered by data brokers or in darknet databases. The data itself can range from email addresses and passwords to income level, postal addresses, credit card information or other behavioural and sensitive personal data. In the majority of cases this personal data is collected and distributed without the consent of the person or, even worse, without any knowledge or control on the part of the affected person, watchdogs or governments. According to haveibeenpwned.com, 12,485,202,808 user accounts (incl. email addresses and phone numbers) had been exposed on the darknet as of March 2023.
Consulting companies see digital identity as a foundation for increasing the efficiency of business processes in organisations. Hence, they combine different perspectives, but focus on the needs of an organisation. Furthermore, they differentiate between organisational identities and personal identities, the latter being a customer of a business or a citizen of a country.
Advertising companies and virtual private network (VPN) providers see a digital identity as the behavioural data of individuals. While advertising companies aim to collect vast amounts of behavioural data about individuals, VPN providers try to help individuals reduce this collection.
It’s noteworthy that not all behavioural data is directly connected to individuals. Some analytics and advertisement providers anonymise behavioural data to a certain extent with cohort models. These models group users who share common characteristics and behaviours in known cohorts to facilitate effective targeted campaigns for advertisers.
Mental models: a framework for the different perspectives
The following five mental models describe what people refer to when speaking about identity and provide a useful structure for how these models can be realised in a digital environment. The five mental models were published by experts of the RWOT community and are quoted in this section.
Space-time: sees identity as resolving the question of physical continuity of an entity through space and time, answering if the physical body under evaluation has a continuous link through space and time to a known entity.
Presentation: sees identity as how we present ourselves to society, answering if this is how the subject chooses to be known.
Attribute: sees identity as the set of attributes related to an entity recorded in a specific system, answering who this data is about.
Relationship: sees identity emerging through interactions and relationships with others, answering how this person is related.
Capability: pragmatically defines identity in terms of an individual’s capability to perform some task, answering what the subject can actually do.
Overview of aspects of a digital identity
As illustrated in the graphic above, an individual’s digital identity comprises countless aspects from different categories. This includes public services provided by governments, regions or cities, which in most cases require the identification of a person. Identification is also required for some financial services and activities as well as for a limited set of activities in the professional, educational, health, travel, home and family categories. Nevertheless, the vast majority of activities in the private sector currently don’t require the identification of a person. The categories data, communication and organisation do not contain any activities for which identification is required.
Another notable distinction is the frequency of usage within certain categories. While we use tools for communication, for the organisation of data and for social activities on a daily basis, we use public services rather rarely.
Should we stop using the term “digital identity”?
No. However, we need to be aware that other people might have a totally different understanding of what it means. Using the term “digital identity” exclusively for a limited subset of the above-mentioned aspects isn’t wrong, but it neglects crucial parts of being a human. This is especially true when the term is used solely for the identification process of a person using a government-issued identity credential.
About the author:
Adrian Doerk focuses on providing user-centric digital identity services with digital wallets, which ensure privacy and empowerment of the individual. He co-leads the IDunion research consortium and the software provider Lissi. Opinions expressed in this article solely represent the opinion of the author.