UNDP identity roundtable: does the bill payer set the standards for private ID firms?
Who are identity systems being built for? What standards do and should private sector firms adhere to when contracted by governments? How will self-asserted identity changes be handled by organizations? These are some of the topics explored when the United Nations Development Programme (UNDP) held a second roundtable on the interplay between public and private sectors for identity schemes.
The first session in the Future Technological Progress and Institutional Governance series, held in May 2021, considered the future roles of digital versus physical identity and found that partnerships are critical to success. The second invited public sector – including UN Legal Identity Agenda Task Force members – and private sector to go into further depth on legal identity, privacy and data protection.
Chairing the roundtable was the UNDP’s policy advisor for legal identity, Niall McCann, who suggested that developments in central bank digital currency rollouts, health passes and the metaverse could lead to greater demands for digital identities and the infrastructure to support them. He noted that these would likely be centralized identity schemes. If digital identity – beyond legal identity – becomes increasingly important for a large proportion of humanity, how will the private sector cope? How will they decide on and keep to standards?
Simon Reed from UK-based IrisGuard, whose systems have processed over US$1 billion in humanitarian assistance through iris-based biometrics, believes there has to be a clear separation between an identity that serves as proof of life versus multiple digital identities used for any other purpose. There needs to be a way where different elements of a person’s data a can be split off from the core identity. Public and private sectors working together have already devised identity systems with very high levels of protections.
People are never going out to buy their identities, but using their identities in the purchase of other goods and services, said Nahid Iftekhar of CodeMarshal IT System. That seller is also not the identity provider. This leads to all kinds of problems and it is not clear what the whole purpose of identity creation is. Nor how concerned the various actors accessing data should be about security.
In countries where CodeMarshal operates in South Asia, there is no GDPR in place. Iftekhar wondered whether data protection regulation should be a UN responsibility.
IrisGuard’s Simon Reed said that standards are beneficial for the development of technology. For example, his firm produces mobile devices that adhere to GSM standards that date back 30 years.
Irina Stoica from Laxton Group said that the firm often loses projects because of adding certain protection prerequisits. Even GDPR, with its requirement for consent for personal data to be used, is not necessarily protecting end users as they sometimes have no choice but to consent in order to access systems such as for finance. Data needs to be anonymized.
When the participants were asked outright who they are developing identity systems for, Simon Reed wanted to be deliberately controversial by pointing out the simple reality that private firms are contracted, which means they develop the system for the entity paying the bills, that making money is what drives innovation.
Reed believes there is then a responsibility on the part of private firms to explain fully how their systems work to the public organization or government so that it can be made fit for purpose and intelligible for the end users.
Iftekhar agreed with Reed, and went on to say that in terms of standards, solutions providers are starting to play the role of judge, a role that should be played by someone else. The judgement becomes something of a burden to these firms when they should be able to concentrate on innovation.
Gabrielle Shea, a policy advisor at NEC America, pointed out that it is not in the interest of governments for citizens to be dissatisfied with how they assert their identities (and that the U.S.’s lack of a national data privacy law means their firm is more attuned to working in other countries without privacy laws).
Idemia’s data privacy manager, Isabelle Landreau, said that biometrics companies will have a key role in the future if states are not able to organize ID systems, meaning private firms will want to be partners of the state.
To sum up multiple comments from participants, there was something of a consensus that there needs to be a strictly defined and highly restricted set of data on an individual that would form a legal identity, that that person exists. Beyond that, individuals could choose to supply more data where required for specific uses.
This could be considered a split between foundational (or digital legal) ID which may be centralized, and separate functional IDs.