Demonstrating the identity of an individual on the internet with certainty is a matter of considerable interest. Devices can be recognized with a high degree of certainty, and the integrity of access credentials can be confirmed with extreme certainty, but to demonstrate that at a precise moment, in a specific situation, we are interacting on the Internet with the person we believe we are it is a lot harder.
How many times during the day do we use a digital identity? We turn on our personal computer or smartphone, look at emails, access a chat, participate in a videoconference, access a subscription service, use a credit card, check our bank account and use a badge to get into the office. It may be consciously or unconsciously, but it does not matter; we must be recognized several times a day.
This means that we are also entering our personal data to create new digital identities all the time. When creating a new digital identity, sometimes only a name and surname, email and mobile phone number is needed. Other times, we need to include our home address, age, gender and countless other pieces of information to create a profile. And this is often unavoidable. People must be recognizable in cyberspace to access services and to demonstrate the lawfulness of their actions. At the same time, the tracks that people leave in cyberspace can be used for illegal purposes, such as the creation of false identities. More than ever, people need control over their personal data, partially due to the principle of need to know. It is essential that when a service ends, the processing of an individual’s personal data is also concluded, or as long as they are used, they are updated adequately to the purposes.
A universal solution for the identification of an individual on the internet likely does not exist. However, it is possible to find solutions that are suitable in certain situations and adopt different ones in other situations. The topic of identification must be seen from various perspectives, including the protection of the interested party and practicality for the service provider. The proposed approach is that of a federation of identity providers. An identity provider is already a federated identity system, but if identity providers began to federate each other, there could be an ecosystem where new business could arise and at the same time the protection of personal data could be strengthened.
What other advantages are there? For example, a public voting system based on a custodian of personal data could be created. There is also the possibility of streamlining the passport control process. There are only a few examples of how the federation of identity providers represents a starting point of a sustainable method of managing digital identity. However, the need to protect personal data requires structuring this federation on two levels. One of extreme trust for the conservation of personal data under management to government bodies and the other of a more operational nature, in charge of private enterprises, to act as an interface to the applications or services that are used.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “How to Digitally Verify Human Identity: The Case of Voting,” ISACA Journal, volume 1 2023.