The emergence of a global pandemic has driven the digitalization of services making reliable authentication online a critical need, says Charlyn Ho, a privacy and technology expert at international law firm Perkins Coie, in a new white paper.
We caught up with Charlyn to learn more about her paper, COVID-19 as a Catalyst for Advancement of Digital Identity, and to talk about the future of decentralized identity. This interview has been lightly edited for clarity and length.
Indicio: Tell us about yourself and your work and how it led you to write this paper.
Charlyn Ho (CH): Perkins Coie has a long history with self-sovereign identity beginning in 2016 when we were approached by a pro-bono client that was looking to use digital identity to empower refugees to control their own national papers to help mitigate the risk of physical papers being lost or stolen. These efforts started the Blockchain Technology group’s passion for self-sovereign identity.
In 2017, the Blockchain Technology group authored “Legal Aspects of Smart Contract Applications” a white paper that provided an initial analysis of the legal aspects of five prominent smart contract use cases that included self-sovereign identity. Later that year, Perkins Coie became the first law firm to be selected as a Founding Steward by the Sovrin Foundation, which is when I began my work in this space. In 2018, I co-authored a white paper addressing self-sovereign identity and Distributed Ledger Technology titled “Self-Sovereign Identity and Distributed Ledger Technology: Framing the Legal Issues.” The paper outlined the high-level legal issues and technological challenges that must be addressed ahead of mass adoption of self-sovereign identity. Also in 2018, Perkins Coie began representing Sovrin with whom we co-authored a white paper titled “A Protocol and Token for Self-Sovereign Identity & Decentralized Trust.”
As we watched the COVID-19 pandemic unfold, we became convinced that flimsy paper cards and quick-fix health passes would not provide sustainable solutions. So, we decided to put pen to paper and draft “COVID-19 as a Catalyst for Advancement of Digital Identity,” which we believe lays out the fundamental principles underlying self-sovereign identity. We hope our paper can serve as a framework upon which governments and institutions can build digital identity systems in a way that is both privacy-preserving and widely adoptable.
Indicio: How did you land on the three pillars of digital identity? You mentioned Christopher Allen’s paper “The Path to Self Sovereign Identity,” how influential was that material to the direction of the paper?
CH: Any comprehensive digital identity system is unlikely to garner widespread acceptance without being able to convincingly assuage your average user’s (understandable) concerns about how their data is stored, used, shared, and accessed. Such skepticism can be healthy—it’s your data after all. But if we also believe that digital identity systems hold the potential to not only provide users enhanced security and efficiency of their data but also the ability for nations and institutions to respond quickly to disasters, pandemics, and other threats, then we need to prioritize systems that are crafted with users’ needs and interests in mind if we are to reap these rewards.
One of our primary objectives in writing this paper was to ascertain the fundamental building blocks of any healthy digital identity system. While any number of desirable features may be present in a successful digital identity system, from our review of the relevant literature and existing digital identity systems we determined that trust, user-centricity, and data security are the pillars for any comprehensive system to function effectively and secure users’ confidence.
While many thought leaders influenced this project, Christopher Allen is certainly a pioneer in this space, so his work had a particularly important influence us. I think he put it best when he wrote, “You can’t spell identity without an ‘I.’” Digital identity starts and ends with the user — a concept that was vital to our work, particularly our second pillar (user-centricity). Hopefully we’ve been able to build on the foundation that Mr. Allen has laid.
Indicio: You mention paper vaccination cards and plastic drivers licenses as examples of physical identification cards and cite the problems in offline identification systems being not fully inclusive — with 1.1 billion people being “invisible, discounted, or left behind.” Is a trustworthy, secure, user-centric digital credential system a necessity that governments should pursue with more urgency? What are your thoughts on the urgency of adoption of digital identity at the government-level?
CH: Paper and plastic provide a veneer of security — you can see, touch, and physically move a driver’s license or birth certificate. But those same characteristics create a double-edged sword. If paper and plastic can be seen and touched, they can also be forged. If they can be moved, they can also be lost or stolen. For those fleeing conflict or born into poverty, physical credentials are scarce, which makes proving that you are who you say you are all the more challenging.
For these reasons (and many others), governments absolutely should be exploring trustworthy and secure digital credential systems. Governments around the world have been slow to develop comprehensive digital identity systems, which became all-too-apparent during the somewhat disjointed and on-the-fly approach that various nation states and institutions took to developing credentialing systems during the height of the COVID-19 pandemic.
Indicio: In the paper, you describe Indicio’s digital identity system with SITA as being in Phase ‘3.5’ in evolution for user control of identity. Can you talk about what a Phase 4 system would look like in relation to health credentials? Would a more comprehensive digital identity system need to be adopted at a government level for user-centric digital identity to catch on or will private use cases help push us to Phase 4 evolution?
CH: A Phase 4 (self-sovereign) digital identity system is more of a journey than a destination. As the name implies, Phase 4 is true self-sovereignty, but whether or not true self-sovereignty can ever exist in practice is debatable due to countervailing state interests in having some measure of control over or access to one’s data. A Phase 4 system requires that users be vested with autonomy or sovereignty with respect to their credentials, which would apply to health credentials or otherwise. But what that looks like and the friction that may exist when such a system is put into practice remains to be seen. Without moving through Phase 3.5 (user-centric) we only have limited ways to conceive of what a Phase 4 system could look like in a practical sense. Putting the pieces of the puzzle together remains murky because we are only at the very nascency of Phase 3.5.
Read the paper in its entirety here.