How Trust Frameworks Help Implement Digital ID Ecosystems

  • Explainer
  • By Rebecca Leitch (Good ID)
  • 7 December 2020

In this two-part series, Rebecca Leitch speaks to major global players using trust frameworks to build digital ID systems across public and private sectors.

Fundamental to the success of any digital ID system is the ability to verify a credential, while respecting privacy - in other words being able to trust someone is who they say they are. And one of the most significant ways to achieve this is with a trust framework.

A trust framework enables standards within the authentication process, in order that these systems - and the service they offer - can be trusted, and ultimately, mass adopted.

Countries whose governments have forged ahead with such systems, namely Estonia, Canada, and Singapore, have been able to cope better in the COVID pandemic, and it’s clear that the demand for online public services has rapidly increased as a result, with more and more governments across the globe now turning to digital ID systems to try and make their services more efficient, cost effective, and their citizens’ lives easier.

Trust frameworks set the rules on what is accepted as a valid attribute. They are designed to focus on the needs of the end user first, rather than specific technologies, and are an inherent part of the governance process in order to show that sufficient customer due diligence, Know Your Customer (KYC), and anti-money laundering compliance has been undertaken.

Originally, one of the biggest incentives for trust frameworks was to help enable alliances. This began in the financial sector and allowed a person’s identity, verified with one financial institution, to be used to open a bank account with another institution within the same alliance, without having to be checked again.  

Models of trust framework have now evolved beyond compliance and efficiency, and are being used to enable collaboration across the public and private sectors, in order to implement national, as well as global, digital ID ecosystems to respond to significant societal and economic challenges.

Human-centricity and the trust framework

Cristian Duda, Lead, Digital Identity at the World Economic Forum, explains how trust frameworks help build a foundation based on trust:

“People’s digital contexts are complex. Access to physical and digital spaces - amplified by the new need for touchless and remote interactions - will require us to prove our identity more and more frequently. For example, it will be important to link health claims with our government identity in order to travel or work, to prove who we are when performing payments, applying for jobs, or exchanging health data.  

“With identities stored increasingly on people’s devices and controlled by them, governments and organizations must create ‘handshakes’ in the form of a trust framework. 

“Trust frameworks allow organizations to accept user credentials that have been verified by agreed trust anchors. Not only will people be able to control their identities but also they will be able to use them in a widely accepted way such as for seamless travel or remote work and education. 

“In other words, this interoperability will increase trust, security, efficiency and reduce costs. The emergence of several trust frameworks showcases the fact that governments and the private sector are recognizing this need to collaborate.”

Trust frameworks are a form of handshake between governments and organizations. Shutterstock.com / Rawpixel

Interoperability and the trust framework

It is this interoperability that could be the answer to one of the biggest societal challenges in the USA - its healthcare system. 

The CARIN Alliance is a multi-sector, public-private alliance focused on giving consumers digital access to their health information. One of the leaders of this alliance, Ryan Howells of Leavitt Partners, discusses the significant role its trust framework has played in developing a digital health ID system:

“Given the US healthcare system is extraordinarily decentralized and fragmented, we had to figure out a public/private partnership for developing a federated digital ID process that can be implemented across both sectors. 

“The CARIN Alliance is made up of around 80 organizations, some of the largest payers and providers, major tech companies, third party Apps, and we work with the public sector federal regulatory agencies that oversee healthcare technology in the US. 

“Until recently, there were very few standards on how that data should be shared with the individual patient, but as of 2021, all of the major government-sponsored healthcare payers in the US, as well as all the major providers who bill the federal government through the Medicare or Medicaid programs, need to have an API infrastructure in place for the exchange of data and information across the ecosystem.

“For an individual to be able to control their own identity - and develop their own digital ID credential which they can use across multiple health systems, the first step was a national digital identity trust framework. 

“While this identity approach would be an option for individuals to use, it would establish the technical framework for how the data will be sent back and forth, as well as the legal framework.      

“So what we did in the CARIN Alliance was to create a private-sector trusted exchange framework managed by private sector entities which could work well with the Trusted Exchange Framework and Common Agreement (TEFCA) - the public side of the US healthcare collaboration.     

“The relying parties have to trust that the National Institute of Standards and Technology (NIST) standards are being followed and the good news is other private sector trust framework organizations have the capability to certify that the identity providers are following the NIST standards.

“But CARIN saw a gap - if one identity provider goes to one trust framework agency in order to get certified, but another identity provider goes to a different organization, how are they able to trust each other, when the two different trust framework organizations may have followed two different processes?

“This is where the model falls down, so what we are doing is linking them together with the Digital Federated Trust Agreement, with legal terms and conditions for what each of these certifiers should do to oversee, validate and certify that these identity providers are all following the NIST standards.

“We can then provide these to the federal regulators for inclusion in the TEFCA. This in turn establishes trust at the relying party level. They can go and get a digital credential from any of the identity providers who have been certified by any of these trust framework organizations, tied together through the Digital Federated Trust Agreement. 

“So what we are trying to do is accommodate for this by saying there can be any number of these trust framework organizations, they just need to sign a contract to say they will do it in a certain way - so the relying parties have comfort knowing that, as long as they use one of the identity providers in the trusted ecosystem, they can be trusted within the US health care ecosystem.”

Economic growth and the trust framework

One of the most established and high profile coalitions of public and private sector leaders is the Digital Identification and Authentication Council of Canada (DIACC).

Its president, Joni Brennan, explains how the coalition’s Pan-Canadian Trust Framework (PCTF) is delivering a national digital ID program centered on driving economic growth with a robust digital ID and authentication ecosystem:

“Our mission is to unlock Canada's full participation in the global digital economy - and digital identity is the tool by which to get there.  

“The root of the coalition stems from the 2008 global financial crash. Under the Minister of Finance, a review of Canada's payments system recommended the establishment of a self-governing body where the private and public could come together to advance digital identity and authentication - resulting in DIACC.

“The trust framework recognizes the big commitments that need taking forward to modernize ID systems. DIACC, and the trust framework, allows us all to come to the table with a common framework to talk about the issue, raise questions around interoperability, the capabilities, through this diversity, using the framework as a centerpiece.

“We knew we didn't have the opportunity like Estonia to build from the ground up. We have to work with the legacy and be flexible for the different actors and different technologies in the ecosystem. This process enables the important, and difficult, conversations between the public and private sectors. 

“Our goal is to accelerate digital identity that can work in a user-centric way, across the whole economy. We feel confident that bringing these economic players, public and private sectors to the table, and working in an open approach from a global perspective, is the way forward. 

“The way the world is evolving means that assurance is now the priority - that you can trust the information provided. We are also very interested in the W3C verifiable credentials space, where the data model consistency can be used in different networks. And we are looking at how trust frameworks can be applied to digital wallets. That is what interoperability will look like beyond 2020.”

Crossing national borders

On the other side of the Atlantic, the European Union’s trust framework Electronic Identification and Trust Services (eIDAS) is driving increased access to government and private services across national borders. 

Adopted in July 2014, eIDAS made it possible for an eID issued in one Member State to be used to access online public services in another Member State. This was achieved by establishing an interoperability framework and by enforcing mutual legal recognition of the eID schemes notified by the Member States.

eIDAS established harmonized rules for the development of a European internal market for trust services recognized across borders with the same legal status as their traditional equivalent, paper-based processes.

In 2020, the European Commission ran an open consultation to evaluate the framework and assess the extent to which it is delivering its intended outcome, in view of technological, market, and legal developments.

This was followed by the European Council Conclusions of 1-2 October 2020 setting a clear mandate for the Commission by calling for:

The development of an EU-wide framework for secure public electronic identification (e-ID), including interoperable digital signatures, to provide people with control over their online identity and data as well as to enable access to public, private and cross-border digital services

The consultation revealed that European citizens expect trusted digital identification which protects data and can be used for authentication with a single sign-on, and the next step will be to work with the private sector in order to achieve cross-border recognition of eID across the EU.

The need to go further

While trust frameworks can clearly be seen as an essential enabler for national, as well as cross-border, systems, Nick Mothershaw, Chair and Executive Director of Open Identity Exchange (OIX), cautions that when it comes to user-centricity in the commercial sector, trust frameworks still have work to do:

“Digital identity systems that work for the user have in many cases failed to get mass adoption. It is something that can be hard to achieve when there are so many different protocols on the market.

“There are still organizations who say they can't rely on a third party digital identity - they've got their own brand clout to keep their own identity walls. There are a lot of security reasons for this as well.

“Both parties have similar concerns: Is it safe? What happens when it goes wrong? What redress do I get if it goes wrong? Who's liable for that?

“At OIX we're fleshing out details that will sit behind our overarching Guide to Trust Frameworks on what needs to be done around identity proofing, fraud controls, and technical interoperability, which will include executive good practices to translate protocols and record that you've done that. 

“All of this requires the trust framework to define - so we are working on a guide to putting that at the top of the stack, to ensure both sides achieve true interoperability.”

As all the above attests, trust frameworks are laying the foundations for successful - and trusted - digital ecosystems which promote interoperability and trusted usability.

But given trust frameworks rely on the existence of authoritative sources of identification, how can they help overcome one of the biggest challenges for Good ID - inclusion? 

In part two, we look to the African continent, to see how trust frameworks are now emerging out of a will to not only improve economic development, but also enable inclusion.