An obscure piece of legislation passed into law in April could allow New Zealanders to finally achieve some level of self-sovereignty when it comes to their digital identity.
The Digital Identity Services Trust Framework Act is modelled on a similar framework in Australia and will introduce a set of standards for providing secure digital identity services. Currently, our way of verifying our identity and accessing services online involves using a confusing patchwork of logins and verification systems.
The banks have their way of verifying our identity and RealMe lets you access government services via a verification system to renew a driver’s licence or pay fines. The Big Tech companies like Google, Facebook, and Amazon have become the de facto verification system for thousands of websites to improve digital systems.
Has the horse bolted?
It means that they collect a treasure trove of information about your movements around the internet. Few Kiwis realise just how widely scattered their data is - and once it is in the databases of those companies, it is no longer their own property, with companies able to mine it for insights which are then sold on to advertisers and market researchers.
You’d be forgiven for thinking that the horse has bolted on digital identity and verification with so many well entrenched schemes now in operation. But there has also been a growing realisation among web users that they have little visibility into or control over the data they generate in the digital world. The new Act is a belated attempt to address the problem.
The new framework is a voluntary system which would seem to give a free pass to digital platform providers to ignore it. But those who adopt the new digital identities' standards will be recognised by a ‘trust mark’ that makes them eligible for streamlined services.
Beyond RealMe
Why not just double down on the RealMe system? The verification system established back in 2007 as a way to simply log onto government websites and which became a verification system two years later, has had patchy take-up across government departments and very little in the private sector.
The government is instead suggesting that any provider can produce their own verification system and get the tick of approval if they meet some minimum standards and obey rules out in place.
We don’t yet know what those rules are.
As law firm DLA Piper explains:
“The [trust framework] rules will instead be set out in Secondary Legislation made by the Minister and will, at a minimum, cover requirements for identification management, privacy and confidentiality, security and risk, information and data management, and sharing and facilitation.”
DLA Piper isn’t convinced the legislation will have much impact:
“In many ways, the Bill is reflective of the slow and usually toothless approach to digital governance in New Zealand to date,” the law firm notes.
But if high-quality standards are put in place along with an effective compliance regime, it could see many organisations sign up to show consumers they care about data security and privacy. Those without a trust mark may eventually be at a competitive disadvantage.
As such, any organisation that seeks to verify customers’ identity should be following developments closely. One way or the other, we will see a revolution in the nature of digital identity and verification in the next decade across the public and private sectors.
Here are 5 trends driving developments in digital identity and trust globally:
1. Self-sovereign Identity (SSI):
Self-sovereign identity is an emerging concept that empowers individuals to have full control over their digital identities. It allows users to store their personal information securely and selectively share it with others, enhancing privacy and reducing reliance on centralised identity providers.
2. Decentralised Identity (DID)
DID is a form of digital identity that is anchored in distributed ledger technologies, such as blockchain. It enables individuals to create and manage their identities without relying on centralised authorities. DIDs provide increased security, privacy, and portability of identity information.
3. Zero-Knowledge Proofs (ZKPs)
Zero-knowledge proofs are cryptographic protocols that allow one party to prove to another that a statement is true without revealing any additional information. ZKPs can be used to authenticate identities or attributes without sharing personal data, enhancing privacy and trust.
4. Verifiable Credentials
Verifiable credentials are digital representations of identity information that can be cryptographically verified. They enable individuals or organisations to issue and present trusted credentials, such as educational degrees or professional certifications, in a secure and tamper-evident manner.
5. Federated Identity
Federated identity solutions enable users to access multiple online services using a single set of credentials. Federated identity frameworks, like OpenID Connect or OAuth, allow for secure authentication and authorisation across different domains or applications.
Where does that leave us with digital identity and trust in New Zealand?
We are probably 6 - 12 months away from learning what standards will be introduced under the new digital identity trust framework. While they are likely to accommodate the trends identified above, they won’t be prescriptive so as to require decentralised identity or self-sovereign identity.
The framework has the potential to spur local innovation in digital identity and verification systems that make the online experience safer and more convenient for millions of Kiwis. It’s crucial that the Government settles on a series of standards that encourage online providers to pursue a digital identity trust mark.
Comments