Digital Identification Must Be Designed for Privacy and Equity

Deeplinks 2020-08-31

Summary:

With growing frequency, the digital world calls for verification of our digital identities. Designed poorly, digital identification can invade our privacy and aggravate existing social inequalities. So privacy and equity must be foremost in discussions about how to design digital identification.

Many factors contribute to one's identity: degrees, morals, hobbies, schools, occupations, social status, personal expression, etc. The way these are expressed looks different depending on the context. Sometimes, identity is presented in the form of paper documentation. Other times, it’s an account online.

Ever since people began creating online accounts for various services and activities, the concept of the online identity has been warped and reshaped. In recent years, many people have been discussing the idea of a “self-sovereign identity (SSI)” that lets you share your identity freely, confirm it digitally, and manage it independently—without the need for an intermediary between you and the world to confirm who you are. Such an identity is asynchronous, decentralized, portable, and most of all, in the control of the identity holder. A distinct concept within SSI is the “decentralized identifier,” which focuses more on the technical ecosystem where one controls their identity.

There has been a growing push for digital forms of identification. Proponents assert it is an easier and more streamlined way of proving one’s identity in different contexts, that it will lead to faster access to government services, and that it will make IDs more inclusive.

Several technical specifications have recently been published that expand this idea into real-world applications. This post discusses two of them, with a focus on the privacy and equity implications of such concepts, and how they are deployed in practice.

The Trust Model

Major specifications that address digital identities place them in the “trust model” framework of the Issuer/Holder/Verifier relationship. This is often displayed in a triangle, and shows the flow of information between parties involving digital identification.

[Figure: the Issuer/Holder/Verifier relationship displayed as a triangle, with one-way relationships between each part]

The question of who acts as the issuer and the verifier changes with context. For example, a web server (verifier) may ask a visitor (holder) for verification of their identity. In another case, a law enforcement officer (verifier) may ask a motorist (holder) for verification of their driver’s license. As in these two cases, the verifier might be a human or an automated technology. 

Issuers are generally institutions that you already have an established relationship with and have issued you some sort of document, like a college degree or a career certification. Recognizing these more authoritative relationships becomes important when discussing digital identities and how much individuals control them.

Verifiable Credentials

Now that we’ve established the framework of digital identity systems, let’s talk about what actually passes between issuers, holders, and verifiers: a verified credential. What is a verified credential? Simply put, it is a claim that is trusted between an issuer, a holder, and a verifier.

In November 2019, the World Wide Web Consortium (W3C) published an important standard, the Verified Credential Data Model.

This was built on the trust model in a way that satisfies the principles of decentralized identity. The structure of a verified credential consists of three parts: credential metadata, a claim, and a proof of that claim. The credential metadata can include information such as issue date, context, and type.

...

"id": "http://example.edu/credentials/1872",

"issuanceDate": "2010-01-01T19:73:24Z",

"type": ["VerifiableCredential", "AlumniCredential"],

...
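As an added example (not code from the original post or from the W3C specification), the following Python splits a credential into the three parts described above and runs the structural checks a verifier would apply before it evaluates the proof. The issuer, credentialSubject, and proof values are constructed placeholders and the function names are hypothetical; the issuanceDate value shown in the fragment above has a minute field of 73, so strict timestamp parsing rejects it.

```python
import json
from datetime import datetime

# Constructed sample shaped like the W3C data model. id, type and issuanceDate
# are the values in the article's fragment; every other value is a placeholder.
SAMPLE = json.loads("""{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "id": "http://example.edu/credentials/1872",
  "type": ["VerifiableCredential", "AlumniCredential"],
  "issuer": "https://example.edu/issuers/PLACEHOLDER",
  "issuanceDate": "2010-01-01T19:73:24Z",
  "credentialSubject": {"id": "did:example:PLACEHOLDER", "alumniOf": "Example University"},
  "proof": {"type": "PLACEHOLDER", "jws": "PLACEHOLDER"}
}""")

METADATA_KEYS = ("@context", "id", "type", "issuer", "issuanceDate")

def split_credential(vc):
    """Return (metadata, claim, proof), the three parts named in the article."""
    metadata = {k: vc[k] for k in METADATA_KEYS if k in vc}
    return metadata, vc.get("credentialSubject"), vc.get("proof")

def structural_errors(vc):
    """List reasons to reject a credential before any signature check is attempted."""
    metadata, claim, proof = split_credential(vc)
    errors = [f"missing metadata field: {k}" for k in METADATA_KEYS if k not in metadata]
    types = metadata.get("type", [])
    if not isinstance(types, list) or "VerifiableCredential" not in types:
        errors.append("type must be a list that includes VerifiableCredential")
    stamp = metadata.get("issuanceDate")
    if stamp is not None:
        try:
            # Strict parse: hour 0-23, minute and second 0-59, UTC "Z" suffix.
            datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        except (TypeError, ValueError):
            errors.append(f"issuanceDate is not a valid UTC timestamp: {stamp!r}")
    if not isinstance(claim, dict) or not claim:
        errors.append("claim (credentialSubject) is missing or empty")
    if not isinstance(proof, dict) or not proof.get("type"):
        errors.append("proof is missing or has no type")
    return errors

if __name__ == "__main__":
    for problem in structural_errors(SAMPLE):
        print("reject:", problem)
```

This checks structure only; it does not verify the cryptographic proof, which depends on the issuer's key material and the proof type in use.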

The id field in this credential leads to another specification drafted by the W3C: Decentralized Identifiers. This specification was built with the principles of Decentralized/Sovereign Identity in mind, in the context of portability.

...

"id": "did:example:ebfeb

Link:

https://www.eff.org/deeplinks/2020/08/digital-identification-must-be-designed-privacy-and-equity-10

Authors:

Alexis Hancock

Date tagged:

08/31/2020, 20:17

Date published:

08/31/2020, 18:39