The Ubiquitous Credential - Government-issued Identity in Your Phone

So one of the wonderful things about this conference is that they make sure that they pack in as much sessions as they possibly can. And my other speaker is trying to extract himself from a session that he's in, but that's okay because I can start without him. My name is Heather Flannigan, as they said, and I was very proud to be working on the government issued digital credential in the privacy landscape, white paper. I started back in October, and what we say in the US is that it's, it's not changing slides, change slides. Thank you.

As they say, it was a very character building experience, which, which, which basically means that I'm sure I grew as a person and it was at times it was a bit challenging. Now, why was it challenging? How many of you have actually seen the paper? Fantastic. For those of you, of you that have not, it is not a short paper. It's about 70 pages long. It's got about 166 citations and why, why on earth is it so long? Because the scope is actually fairly big.

This is, we wanted to do a deep dive on specifically the privacy component and yet, well, yes, but are you gonna talk about a specific country and who's your audience? This is the scope of this paper is global. We are looking at Countries around the world and what they're doing with, you know, how the governments are issuing these credentials. We were trying to speak to Policy makers in the government. We are trying to speak to standards developers and technologists, and we're trying to speak to civil society.

That means you have to bring all of these parties who are very knowledgeable in their space up to something of a common baseline so that they, they, once you get to the point where you're actually making recommendations, they all have have a shared understanding of where you're trying to go and what you're trying to do.

So about government issue, digital credentials, about having these levels of identity and about having a co speaker who just walked in the door, mobile credentials, which are what these government issues digital credentials are, are one would argue if one's name was Mike, are the new pockets I would, this is on. Yep. Yeah. Mobile devices I would argue are the new pockets. These things. Why do I say that? I'm not sure because I'm a girl and I don't get to have pockets.

Well, the New York Times addressed this issue actually in 1899. On the next slide, this quote is from 1899 New York Times. It was an article actually arguing for pockets in women's clothing. It said these are all the things pockets can contain. Right?

Letter, a pencil, a bunch of keys, probably a picture of somebody whole list here, right? Some of which apply to you, some of which may not. But I can remember a time, oh, by the way, the New York Times was quoted as saying that no civilization in history has been great since the invention of pockets that didn't have pockets. Another way of saying that is if you want to be a great civilization, you need to have pockets. And I can remember a time when I wanted one of these, right? Because I thought, man, it'd be great to have one device because I'm old. I can remember thinking this with it.

I could take pictures, I could have healthcare. I could remember things like maybe speaking events that I'm late to, you know, who knows, right? The one thing that it hasn't really fulfilled its mission on yet is identity, right? Like we do some facial recognition, which is great in a one-to-one device basis, but it's a little bit a promise waiting to be fulfilled, right Heather? And fortunately the government is here to help.

So where the paper starts is, as I said, looking at that current landscape of what's happening in the world, what's happening with the policies and the standards and the implementations. So I looked at, I mean obviously there's any number of countries to choose from. The ones I chose, I chose for a very good, you know, well, I think it's a very good reason. I wanted to look at all where, what's the biggest way, how big can you get?

Well, if you wanna look at that, you're gonna look at India and the Adhar network. Well, alright, but what if you have a society where they're actually honestly ubiquitous? Well then you wanna see what's happening in Singapore. You cannot talk about government issued digital credentials, mobile credentials without looking at what's happening here in Europe. So we looked a bit at the Eidos 2.0 regulation. Then I wanted to actually see how is it being implemented? And I'm really happy the number of you that sat through the previous session because I wanted to focus on Italy, which is funny.

A number of folks said, but, but Estonia. And I said, no, I love Estonia, but I actually wanna look at a place that's having a bit more in the way of interesting challenges. And you know, so we went to Italy to look at that space there. Nigeria in Africa is probably as far along as any country there, and it's the biggest in terms of population. So their deployment is really interesting to see. And the United States is a, well, it's, it's also having its own character building moments.

It is 50 states acting almost like 50 countries all trying to figure out how they're going to implement mobile driver's licenses. Except there's no common framework like any Oh, so yes.

Well, Right. And as those countries were called out, you can already still think and hear Heather talk about how some of these attempts have gaps and risks that are kind of common threads that run through all of them. There are a couple of main areas at the paper sites. The first one is just simply recognizing why they're doing what they're doing. Right? There are a couple different approaches for these countries. Large buckets like developing countries. They need these government issued credentials as a means of providing access to resources to opportunities.

Whereas if you're a, a more developed country perhaps, then it's more a matter of convenience. Your existing infrastructure may already be functioning. Along with those different motivations comes a, a different approach to how you sell or what your motivation is for these credentials, whether it's mitigating economic risk or convenience of your user base. Technological limits are another challenge. Not only do all the standards that are used in these, in the technology that are used in these approaches, they vary privacy wise. Some of them have issues with things like bias.

Think of facial recognition as a means of identification. You take those two and you combine it with some protection issues in some of the standards and approaches and regulations. Governments have a massive responsibility. Not only do they need to verify and identify people, but they have to secure that data for their citizens in a secure, private way.

And, and that's a very, very challenging standard that many organizations don't have to abide by in the same way. These are all challenges and gaps and risks that the paper calls out Indeed and all is not lost.

But do, do you remember when like GPS's first came out? It's not that you're lost exactly, but it might not quite get you where to where you need to be yet, but you're moving. So the recommendation section is more a recommendation of yes, these are things that you need to do, but they're also questions that you need to think about as you are considering the use, the implementation, the architecture for these government issue, digital credentials. And we organize this into three sections. One was the back to basics.

This starts with a very fundamental premise of there's, there has already been a lot of work, there are privacy frameworks out there that can apply to both the, the legislation and to technology. So start there. The very basic, don't invent your own when something already exists and don't cherry pick from the ones that exist because you kind of didn't like some of the other ones. They're there for reasons.

And then we split it out into, okay, well I wanna offer some suggestions on things like individual agency and making sure that as you are thinking about how to implement these, that you are implementing them in a way that the individual has agency over the information that is shared. Similarly, making sure that transparency is just systemic, that the things are auditable as as appropriate. That data minimization, I mean this is, this is what we would call motherhood and apple pie. These are all the very, very basic components that we've all talked about.

We all know, and yet we still need to talk about them because they're not being done well from there. You can't talk about government issued things and privacy without starting to go into, well, there are ongoing concerns. There are problems that we are talking about today that we worry about. And top of that list, without a doubt is surveillance. As soon as the someone, a government is saying, yes, we are here to help and we are going to provide you with these digital credentials that you may use, and things will become ever so much more efficient.

If you do, you will then have a privacy person further step up and say, but wait. So there's a lot of questions there that you and reassurances that you need to build into the system.

Similarly, and I didn't go into detail on diversity, equity and inclusion, not because it's not important, but because it's so important. It needs its own paper.

It's, it's an enormous topic that needs to be covered on its own. I wanted to acknowledge it as overlapping privacy in many ways, but it is a separate thing that needs to be considered addressing the fact that many of these implementations essentially offer single points of failure sometimes in some of the days databases and how they're architectured. Long story short, don't do that.

The fact that legitimate actors, organizations that have been approved to consume these credentials or to, to issue them on behalf of a government or something like that, making sure that there are protections in place, that yes, they've been approved for certain thing, but can they then do inappropriate things past what they've been approved to do and making sure there's protections there as well. And last but not least in the ongoing concerns is a wish for sustainable protections.

Now in the us every four years you get to take your politics and throw them up in the air and as they would say, whatever God wants, he keeps and everything else falls back to the ground in kind of a mess. Making sure that whatever protection one administration has offered continues through the next administration. It's a very interesting challenge, and it's not unique, of course, to the us This happens for any liberal democratic society.

As things change over you, the making sure that there are guarantees in place, possibly through international treaty and agreement is absolutely critical for privacy to succeed. There are this, this, this part was quite a bit of fun, or at least it was interesting to put together of, all right, well if you're looking at your back to basics and you're looking at the ongoing concerns that we're all, you know, know, and love today, what else is coming down the pike that we're going to have to start considering real soon?

Now, as the government issues, digital credentials and as they say, yes, this is going to make life ever so much easier and ever so much more efficient. And no, you don't have to use it, but if you do, it will be much, much nicer for you and you'll be able to get your healthcare and your, your government services and all those things. And what you've done in one sense is also created more infrastructure that becomes a great attack surface. If you ever go to war, digital warfare is a thing. And should we then not do these digital credentials? Not saying that at all.

I'm saying that you need to be aware that you're creating an interesting attack surface and protect it appropriately. Deep fakes. Another area of concern, metaverse, how the, how you can actually guarantee the, that people are of an age to do a thing. It's not usually a self assorted item. So government issue, digital credentials come into that, how they're used, the privacy components, all greats concerns. And I don't think we could have a conversation about this and generative AI and how that's a threat to how these credentials are used and consumed.

It's just, it's an obvious thing that's gonna happen. I took your slide, didn't you? But you did great. It was awesome.

No, So we have three minutes, again, there's the URL for that, and if there are any questions, we'll go ahead and take those. I really love that part. I just grabbed it. We could have used a QR code, but that, you know, been sketchy. If there's, if there's no one in the audience, I don't think there's, and there's nothing online. Both three weeks ago we were in a room together in Mountain View, and you were talking about the recommendations and you talked about one of those recommendations then that seemed to be a triggering event.

I'm wondering if you care to share the controversy with this room. Three weeks ago was kind of like last year. Mountain View? Yeah.

No, I don't remember where I was, but I'm trying to remember which thing was triggering. It was the government, the gov, the, the, the government wallet I think was the particular one. Or let me phrase it this way.

If, if you don't want to, if, if your memory's hazy, and believe me, I get that. I'm, I'm travel logged as well. Is there a recommendation you would've liked to make but you couldn't? I have.

Look, there's a soap box. It's right here. Let me stand on it.

Yes, there are a couple recommendations I would, I would really like to make and some, some of the are area the gaps in the technology components, in the policy components. As and I, several of you have heard me whinge about this this week. I would really like for there to be a standard, a specification, a clearly defined thing to tell me what's a wallet.

You know, it's, it's, I I get many people saying, well, you know, it has these kind of characteristics. And I say, do all of them well, no. Okay. The credentials, credentials are absolutely being specified and they're being specified fairly well. There's a lot of active work in there, but as soon as you say, well, but yeah, but the, the thing that's holding them, that's kind of a really important container.

Could you, could you do something there? And that feels like a, a huge gap in the work that I promise find terrifying. One minute. One minute. I'll put you on scene.

Oh, Mike, who here Has read the paper so far? Oh, I asked that there was a handful.

Oh, nevermind. Yeah, it's like it's being late. You read the paper a couple times. I did. And offered comments and then we got into a deep debate on ethics and then we both needed to drink heavily. It's a progression. It's progression. It really is. It really is.

Well, thank you very much for your time. Thank you very much for your attention and thank you for reading the paper.