Who are identity systems built for? What standards should and should private sector companies adhere to when contracted by governments? How will self-asserted identity changes be handled by organizations? These are some of the topics explored when the United Nations Development Program (UNDP) organized a second roundtable on the interaction between the public and private sectors for identity schemas.
The first session of the Future Technological Progress and Institutional Governance series, held in May 2021, examined the future roles of digital identity versus physical identity and found that partnerships are critical to success. The second invited the public sector – including members of the UN Legal Identity Agenda Task Force – and the private sector to deepen legal identity, privacy and data protection.
The roundtable was chaired by UNDP Policy Advisor for Legal Identity, Niall McCann, who suggested that developments in central bank digital currency rollouts, health passes and the metaverse could lead to a greater demand for digital identities and the infrastructure to support them. He noted that these would likely be centralized identity schemes. If digital identity – beyond legal identity – becomes increasingly important to much of humanity, how will the private sector fare? How will they decide and meet the standards?
Simon Reed of UK firm IrisGuard, whose systems have processed more than $1 billion in humanitarian aid using iris-based biometrics, believes there needs to be a clear separation between an identity that serves as proof of life and several digital identities used for any other purpose. There needs to be a way to decouple different elements of a person’s data from the core identity. Public and private sectors working together have already designed identity systems with very high levels of protection.
People never go out to buy their identity, but use their identity to buy other goods and services, said Nahid Iftekhar of CodeMarshal IT System. This vendor is also not the identity provider. This leads to all sorts of problems and the purpose of identity creation is unclear. Nor how concerned the various actors accessing the data should be about security.
In the countries where CodeMarshal operates in South Asia, there is no GDPR in place. Iftekhar wondered whether data protection regulation should be a UN responsibility.
Simon Reed of IrisGuard said the standards are beneficial for technology development. For example, his company produces mobile devices that comply with GSM standards that are 30 years old.
Irina Stoica of Laxton Group said the company often loses projects due to the addition of certain protection prerequisites. Even the GDPR, with its consent requirement for the use of personal data, does not necessarily protect end users as they sometimes have no choice but to consent to access systems such as finance. The data must be anonymized.
When participants were asked outright who they were developing identity systems forSimon Reed wanted to be deliberately controversial by pointing out the simple reality that private companies are contracted, meaning they develop the system for the entity that pays the bills, that making money is what drives innovation .
Reed believes it is then the responsibility of private companies to fully explain how their systems operate to the public organization or government so that they can be fit for purpose and intelligible to end users.
Iftekhar agreed with Reed and went on to say that in terms of standards, solution providers are starting to play the role of judge, a role that should be played by someone else. Judgment becomes a kind of burden for these companies when they should be able to focus on innovation.
Gabrielle Shea, policy adviser at NEC America, pointed out that it is not in the interest of governments that citizens be unhappy with the way they assert their identity (and that the lack of a national data privacy law data in the United States means their company is more attuned to working in other countries without privacy laws).
Idemia’s data privacy manager, Isabelle Landreau, said biometrics companies will play a key role in the future if states are unable to organize identification systems, which means that private companies will want to be partners with the state.
To summarize the multiple comments from participants, there was a sort of consensus that there must be a strictly defined and very restricted set of data about an individual that would form a legal identity, that that person exists. Beyond that, individuals could choose to provide more data as needed for specific uses.
This could be seen as a split between the fundamental (or digital legal) identifier which can be centralized, and the separate functional identifiers.
biometrics | data protection | digital identification | digital identity | IDEMIA | identity management | IrisGuard | Laxton Group | NECAM | confidentiality | standards | UNDP