In October of 2022, the OpenID Foundation contacted me about helping develop a research paper on government-issued digital credentials through the lens of privacy considerations. The scope meant diving into a review of different governments, different legislation, and different technologies, as well as considering how they all come together to form what we have in the credential space today.
The scope was both too broad and not broad enough. Digital credentials are an incredibly hot topic around the world, and privacy legislation is just as hot; technical standards development is trying to keep pace with varying degrees of success. Ultimately, the paper, published in May 2023, serves as a review of what’s happening worldwide but with room for more detail on every level.
The Current Landscape of Policy and Technology
The first third of the paper looks at the more influential privacy regulations and standards and how they are being used in various government systems. We selected the governments described in this paper to represent various characteristics:
- the one focused on international interoperability (eIDAS2.0 in the European Union)
- the largest deployment (the Aadhaar system in India)
- one within the EU that demonstrates interesting challenges with regard to their demographics (SPID in Italy)
- the largest deployment in Africa (eID in Nigeria)
- the most ubiquitous (SingPass in Singapore)
- examples of various U.S. State implementations (Maryland, Arizona, and Utah)
This section also includes a review of the technical standards and frameworks commonly used in the various government implementations, including the highlights of OIDC, SAML, Verifiable Credentials, Biometric guidance, Identity Assurance, and the Open Standard Identity APIs (OSIA).
Gaps and Risks
Reviewing the landscape is useful, but considering what gaps remain open between what governments are trying to achieve, what privacy standards and regulations offer, and what technology can do is potentially far more useful. The second third of the paper focuses on those gaps. Different motivations from one region to the next significantly impact deployments: Cultural and economic realities make achieving global interoperability a huge challenge.
For people looking for an area they can focus on to help make a difference in the identity and privacy landscape, this section on gaps in technology, regulation, and standards might offer some food for thought.
Recommendations for Scaling to the Future
The final third of the paper offers recommendations. Given the overview of the landscape and the existing gaps, suggestions on what to do next are possibly the most interesting part of the paper. The recommendations are divided into four sections: that governments and organizations make sure they have the basics of security and privacy built into their services; that they consider the ongoing concerns, such as surveillance, as they design their systems; that we all consider some emerging concerns around digital warfare and AI; and that civil society steps up to help bridge the gap between government legislators and technologists.
The Story Continues
In the weeks since the paper’s publication, several organizations and technologists have asked that more material be added. Later this year, the OIDF and partner organizations will likely publish a v1.1 that includes additional government identity systems, technical standards, and possible additions to the recommendations. The paper is freely available on the OpenID Foundation website, and I hope it spurs conversations around the world with policymakers, technologists, and civil society. Stay tuned for that v1.1!
Heather Flanagan, Principal at Spherical Cow Consulting and Founder of The Writer’s Comfort Zone, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organizations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards or discussions around the future of digital identity, she is interested in engaging in that work. You can learn more about her on LinkedIn or reach out to her on the IDPro Slack channel.