Digital identity: The time is now
Geoffrey Andrews: Creating a digital ID with just one provider won't work
Australia is on the cusp of getting digital identity right. After various attempts at one identity to rule them all, with efforts such as MyGov, the rise of open banking, citizen-controlled data, and identity federation means that digital identity is here to stay.
“Creating digital identity with one provider simply won’t work,” says Geoffrey Andrews, the recently-appointed Regional Director A/NZ at Ping Identity. “The key to digital identity in Australia is federation, open standards and interoperability.”
One of the important considerations associated with digital identity is the notion of consumer consent. As the Cambridge Analytica scandal has already demonstrated, it’s very possible to get consent wrong – with broad and long-term implications.
This is an existential issue. Cambridge Analytica has announced its closure, and as a catalyst for the longer term, its impact on Facebook and other tech platforms is still being measured.
The Cambridge Analytica affair will have ramifications for the way that consent is implemented in Australia, with open banking and citizen-controlled data (Consumer Data Rights) leading the way.
“Managing consent should be as simple as the way we manage settings on our iPhone,” notes Mr Andrews. “It’s either on or off, there’s no middle ground, no lack of information about what organisations can do with the data with which they have been entrusted.”
This means that consumers need a simple way of consenting to share their data, and the ability to change those settings at a later date if they so choose. The rise of open banking and citizen-controlled data will ensure the mechanisms for this to happen are implemented.
The current state of play means that consumers can share their banking data with, for example, a personal accounting app, but all they are doing is providing log-in details.
The application replays the user's credentials to the bank, then screen-scrapes the data, and consumers rely on the third-party provider to have all the necessary security to protect the credentials and personal information they have provided.
Some banks are inherently distrustful of this situation and won’t provide indemnity against fraud if the consumer’s account details and credentials are compromised.
The Farrell Review of 2017 into Open Banking in Australia recommends a mechanism to solve these problems – and also provides some insight into notions of consent, and what happens when consumers own their own data.
By using standards including OpenID Connect and OAuth2, consumers can direct that a financial institution shares their financial data with a third party.
This raw data feed is revocable and secure, and provides a path for innovative new services to arise on the back of the wealth of data that will become available. The consumer never needs to hand over their personal passwords and credentials again.
“Open banking and giving consumers power over their personal data is a great win for digital identity in Australia,” noted Mr Andrews.
“This is merely the first step in greater consumer rights and innovation in other sectors. With the success of open banking, we should see the rise of open telco, and open energy among others.”
Federation is the key
Mr Andrews noted that previous Government efforts to create single digital identity solutions have met generally with only partial success; and that the best way forward is to evolve an ecosystem of interoperable, federated identity providers. This will best balance the needs of flexibility and trust for all.
This federated identity scheme would build on the various state identities, including the relatively successful Service NSW, in addition to corporate identities such as those provided by Australia Post and Telstra.
“Why can’t I do my tax with a Telstra or Australia Post identity?” asks Mr Andrews. “With federation we would have the ability to pick and choose which identities we wanted to use, as well as have the power to grant and revoke access to those identities as we, consumers, see fit.”
The reality is that people will make selections about the identity they use, as well as the services accompanying that identity, based on the level of control they have.
“In order to get this right, we need to get identity right in partnership between government, corporates and citizens,” he said. “Industry and government need to come together and federate identity management schemes. Otherwise digital identity simply won’t work.”
The reality for Australia and Australians is that as a nation we’re not far off getting a workable, federated digital identity scheme.
Present examples such as Facebook/Cambridge Analytica, and past ones such as the ill-fated Australia Card initiative, show that digital identity is a complex and sensitive subject.
Today we know that the benefits to citizens and consumers of digital business, government and other services are manifest.
A sound approach must fully accommodate the needs of its customers – the users – to ensure trust, manage consent transparently, and provide flexibility to enable future innovators.
Ping Identity will host its Identify 2018 events in Sydney on May 8 and Melbourne on May 10. Identify 2018 is an event by the Ping Community for the Ping Community. Ping Identity is a valued InnovationAus.com partner.