Digital Identity

Digital identity is key to building trustworthy interactions in digital activities and yet, itself, has struggled to win widespread trust. In this chapter, we explore how safe and secure actions, interactions and transactions using digital identity are, and what can be done to improve this.


Introduction

Determining an individual’s identity is critical to most of daily life, and this is no less true of our online activities. As our lives increasingly move online, fraud and other criminal activities become more and more sophisticated. Alongside this, our personal data is recorded and stored in ways that mean that the individual is rarely in control of their own information. Securely authenticating the individual is necessary to protect their data, assets, and privacy. By allowing us to identify the actor in online activities, and giving individuals control over their own data, digital identity (“dID”) is the key to digital trust.


While there are solutions beyond dID that are in development to address issues such as online fraud, certain efficiencies offered by emerging technology are impossible to bring to fruition without digitalized processes for identification.

Take RegTech and digital anti-money laundering capabilities: while the technology exists to trace the movement of digital assets through online and on-chain transactions, these solutions can only go as far as the analogue world will allow them if there is no digital solution to identifying the sender and beneficiary of relevant assets.

There are platforms aiming to digitalize the process of verifying an identity, but at present these do not take a holistic approach to identification. A dID that could be plugged into a trading platform using, for example, a digital wallet could simultaneously hold data that could be used in health care, insurance, education and job applications, or in engagement with councils and other public offices. A sophisticated dID could bring together all information to become a one-stop shop for the user.

On the other hand, having all such identification information held centrally by either a public institution or even a large private tech firm gives rise to concerns as to protection of privacy and over-concentration of power. In light of this, decentralized solutions may offer more comfort for individuals and also provide users with greater control over their own data.

Privacy

As well as safely authenticating who is carrying out a transaction, new dID solutions are being built that allow the user to protect their privacy by giving them discretion as to who sees what, and when. Examples include Zero Knowledge Proof (“ZKP”), which uses cryptography to prove that data is correct without revealing further information. This is of particular use when there is a lack of trust on both sides: person 1 does not want to interact with an anonymous user, but person 2 does not trust that person 1 will not store their identification data for other uses. If used correctly, ZKP can simultaneously build privacy into the internet while stopping bad actors from remaining fully anonymous.

So, what has held dID back? Legal uncertainty and lack of consistency across the solutions provided today leave users, in both Business-to-Business (“B2B”) and Business-to-Consumer (“B2C”) scenarios, unable to trust the solutions available. As a result, dID is both the chicken and the egg to digital trust; we simultaneously need it to trust digital activities, but struggle to trust in it in the first place.

ID cards in themselves can be a polarizing topic, even in the analogue world. Knowing this, policymakers may hesitate to prioritize policy in this report or direct the market towards one or more types of solutions or providers for fear of creating unnecessary tension.

Security standards

Where legislators have started the drive towards dID, such as in the European Union, complex issues including security standards, the parameters of its functions, and data standards have been cause for long debate. Security standards are clearly crucial to maintaining public trust, given the threat of identity theft or cyberattacks, and the inherent tensions with privacy continue to make this a very difficult area.

Leveraging blockchain to address concerns may also challenge existing legislative principles. General Data Protection Regulation (“GDPR”), for example, includes the right to be forgotten, and many blockchains are built specifically to be immutable. So relevant personal data seemingly cannot be held in blockchain-based databases, although on the other hand they may offer helpful decentralized solutions. But such decentralized solutions may also themselves go too far for comfort. Self-sovereign identity via self-custodied wallets may appease those who are skeptical of a centralized authority holding their data, but this opens the same debate as in the digital asset space, where there are concerns over how well individuals can be trusted to safely store their private keys. Transferring the risk of identity fraud from faking documents in the analogue world, to stealing or scamming people into releasing their private keys in a digital one, is no solution at all.

Not only will legislators need to decide on these standards domestically, they will also need to consider dID’s interoperability across jurisdictions. Internationally accepted data standards will be needed, which will be far more complex than existing standards for analogue passports.

Given the complexity of these debates and decisions, it is likely to take some time before a holistic solution is available. To some degree, given the policy concerns with imposing centralized dID, it is being left up to the market to create alignment and interoperability. However, all too frequently at present, market participants default to analogue solutions in order to come to trusted outcomes, which can severely limit functionality. On the other hand, education remains a challenge for some citizens who are still struggling with well-established technology like contactless payments. As such, there is a great need for simple solutions that negate the danger of citizens being excluded from participation (similarly, overcomplexity might actually encourage misuse and fraud), a need which will also delay dID’s essential contribution to digital trust.

Key recommendations

1. Follow the 3 Cs

Consistency, compliance and communication. Solution providers need to seek high-quality legal and compliance advice on toeing the line carefully to retain the trust of their audience.

2. Due diligence

Conduct appropriate due diligence on platforms used by your own business and those of counterparties in B2B settings. Consider matters such as legal and cyber security robustness, as well as user-friendliness and interoperability.

3. Legal clarity and future-proofing

In the absence of clear policy direction, and given an ever-evolving legal environment as to all matters digital, firms will need to ensure they are aligning to anticipated future required standards so that the arrival of legislation does not trigger an overhaul of plans.
