In March 2021, the prime ministers of Estonia, Finland, Denmark and Germany called on the European Union (EU) to speed up “digital sovereignty” and the creation of the “digital single market”.
The four countries wrote in a letter that “digital sovereignty” means increasing Europe’s technological capacity and its ability to establish values and rules in a technology-centered world that is becoming dominated by other countries: “We call for the European Union to get ahead of the curve in the digital transformation.”1
The prime ministers called on the EU to speed up the digital switchover and to emphasize digital policies involving governments, society and the economy.
“We need to effectively safeguard competition and market access in a data-driven world. Critical infrastructures and technologies need to become resilient and secure. It is time for the digitization of governments in order to build trust and foster digital innovation,” the same letter said.
Since that announcement, the EU itself2, and many EU Nation States have prioritized Digital ID programs/strategies as a first order of action to protect their digital sovereignty.
We defined sovereignty in the previous chapter, so let’s take a stab at defining identity in this one.
Personal Identity is given to you by the Government in a lot of ways; that is, in an administrative sense, and not your philosophical sense of being, and who you are.
In the physical world, many interactions with entities are governed by regulation. Going to a financial institution or a hospital requires one to identify themselves with one of these Government-issued IDs.
The Public Sector Profile of the Pan-Canadian Trust Framework3 defines two types of identities: foundational and contextual:
- A Foundational Identity is an identity that has been established or changed as a result of a foundational event (e.g., birth, person legal name change, immigration, legal residency, naturalized citizenship, death, organization legal name registration, organization legal name change, or bankruptcy).
- Even if foundational identities can undergo changes of state, the chain of provenance of these changes are maintained. For example, on your passport it says where you were born, even though it may not be the country that you’re a citizen of.
- Your foundational identity attributes are rarely changed.
- Your foundational identity is controlled and managed by governments.
- A Contextual Identity is an identity that is used for a specific purpose within a specific identity context (e.g., banking, business permits, health services, drivers licensing, or social media).
- Contextual identities can4 be rooted in foundational identities. Formal recognition can be extended to other sectors where lower assurances can be tolerated and foundational identity is not required.
- You can have as many contextual identities as you want, and you can get rid of them as you choose. As a citizen, you have much more agency and autonomy over your contextual identities.
- Since you can have many of these for various contexts, they can help reduce correlation, an important factor to drive personal sovereignty via privacy.
- Your contextual identities are controlled and managed by you and the entities you enter into contracts with.
Contextual identities, which we will start referring to as “Trusted Digital Identities”5, can be established between you and other entities (e.g., lower-level governments, tech companies, financial institutions, hospitals, online services, etc.) based on what you as an individual consent to. To repeat a point mentioned above, we require that concept of ‘foundational’ identity so we can build on the idea of a trusted digital identity.
As more of us spend most of our time in some digital fashion, Governments must provide the same level of trust online that they do in the physical world (root of trust).
One of the roles of a nation is to provide high assurance identities so that an economy can flourish. In Chapter 4 we look at some needed infrastructure to enhance the digital economy. The key questions to answer are how to establish the identities which can create trust, and how we can monetize those identities in the digital economy (Chapter 5).
If we don’t get digital identity right we’re in deep trouble, which is why a lot of the government initiatives right now globally are doing very similar things. They’re adopting a particular technology stack but aiming towards full interoperability (e.g., cross border digital interactions) that is going to be required to serve their citizens, allowing the country to establish its own digital sovereignty.
There are examples of countries in which the governments have more mature digital ID programs. We often hear of the successes from programs in Estonia, Singapore, etc. These successes have come from smaller countries, with existing high mobile adoption, and a very centralized control/governance of the countries’ ecosystems (e.g., financial, healthcare, etc.). Although they’ve been able to create lots of value for citizens to more easily access services, and cheaper for private sectors to identify/authenticate, this infrastructure doesn’t work on the open Internet.
As Kim Cameron states in his Laws of Identity paper:
“A system that does not put users in control will – immediately or over time – be rejected by enough of them that it cannot become and remain a unifying technology.”6
The Open Internet for one cannot adopt the architecture of private ecosystems that countries like Singapore and Estonia have implemented. It won’t work because it’s a centrally managed model and it doesn’t put users in control.
Here are a couple other quotes from Kim Cameron’s paper which feel highly relevant to this topic of discussion:
“Digital identity is related to context, and the Internet, while being a single technical framework, is experienced through a thousand kinds of content in at least as many different contexts”
“The emergence of a single simplistic digital identity solution as a universal panacea is not realistic.”
So we think we can all agree that creating one identity system for the Internet won’t scale. But using certain governance frameworks can help accelerate the journey to digital trust.
There’s a really good way of managing governance at a really large scale today that a whole bunch of people in different countries in the world have bought into. It’s called governments. So who’s in a stronger position to start issuing highly trustworthy secure privacy preserving digital identities for their citizens, their businesses and for their agencies that they are dealing with? Governments are the root of trust for so many things in life today so just having that root of trust available digitally will accelerate the speed at which digital trust on the internet can be adopted. Governments can provide key inputs and frameworks to empower their citizens to benefit from trusted digital interactions.
We would conclude that it seems like there’s a very critical role to be played by governments in achieving digital trust, which downstream will bring more sovereignty to themselves and to their citizens.
Let’s next expand upon the concept of Digital Trust.
- There is room for identities not rooted in foundational identities. It’s up to the consumer to decide whether or not they want it rooted. There’s nothing stopping you from creating a public-private key pair today to participate in the world of decentralized finance. This freedom brings sovereignty of its own.
- Trust is a loaded term. It’s a human concept, which makes it difficult to categorize as it’s very contextual. In the context of trusted digital identity, we’re saying that just like your physical world interactions often require identity cards that have been rooted in Government-issued foundational IDs (e.g., showing a driver’s license to open a bank account), many digital interactions will require the same.