Identity on the Internet

Presentation transcript:

Identity on the Internet

A trusted digital identity ecosystem is a critical component of a trusted Internet.

Introduction: A trusted digital identity ecosystem is a critical component of a trusted Internet. You unlock the front door of your house with a regular key, but to check your e-mail you often have to use a username and password. How you are verified as being you online forms your digital identity in that context. Digital identities help users protect their privacy; segregate personal, social, and professional online presences; and engage in trusted transactions with storefronts, banks, medical providers, and governments.

Digital Identities

1. Electronic Identities: government-issued identification
2. Attribute-Based Identities: a specific characteristic (e.g. at least 18 years old)
3. Authentication-Based Identities: login credentials (e.g. username and password)
4. Electronic Signatures: identification which can result in a recognized legal effect
5. Identifiers: any data that identifies information about a device and/or a user

Types of digital identities: There are five main types of digital identity, all used in different contexts. We adapt our online identity depending on the context. For example, we likely reveal our “real” identity to access e-government services, but use a fictitious name or pseudonym on social media, and anonymously access public websites for medical information.

Electronic Identities: Some governments issue their citizens electronic identities for online use. In some cases, the issuing entity or identity provider is an approved organization (e.g. a post office).

Attribute-Based Identities: Some interactions do not require identification. It is enough that an individual possesses a specific attribute (e.g. is at least 18 years old or is a student).

Authentication-Based Identities: Users access an account with login credentials (commonly a username and password) which allow the service provider to verify that the user is who they say they are. Unlike government-issued electronic identities, login credentials can be anonymous or pseudonymous.

Electronic Signatures: Many countries have enacted laws to recognize the legal effect of electronic signatures. In addition to being a means of identification, electronic signatures may have consequences, such as confirmation or acceptance of a contract.

Identifiers: All Internet interactions involve the use of identifiers. Some help the Internet function (e.g. IP addresses), others identify or recognize a device and/or user (e.g. security at financial institutions), and others track users’ online interactions (e.g. targeted advertising). Information about a device may include type of device, operating system, browser version, and browser plug-ins, among other things. Information about a user may include preferences, such as font size, screen colors, and contrast, among other things.

Key Considerations

1. Electronic Identities generally require proof by presenting government-issued identification.
2. Attribute-Based Identities can include a single attribute or a combination of attributes.
3. Authentication-Based Identities that require only a username and password are notoriously insecure; two-factor authentication provides additional protection.
4. Electronic Signatures can confirm that a user adopts the contents of a document, and confirm who wrote the communication.
5. Identifiers can be used to identify a specific device or user, or track a device or device user’s online interactions.

Key Considerations: For each of the five main types of digital identities we discussed, there are specific use cases and privacy considerations.

Electronic identities: To obtain a government-issued electronic identity, citizens typically must prove who they are by presenting a form of government-issued identification. As a result, the two types of identity are linked. Typically the primary use of these digital identities is government services (e.g. filing tax returns and claiming benefits). Secondary uses of these electronic identities are typically services that require a high degree of certainty or assurance that an individual is who he or she claims to be (e.g. banking and medical records).

Attribute-based identities: One attribute (e.g. age) might not indicate an individual’s actual identity, but a combination of attributes often can (e.g. date of birth, zip code, and gender).

Authentication-based identities: Authentication mechanisms that require only a username and a password are insecure because the username is often an email address or other obvious identifier (e.g. a name or nickname), and people frequently reuse passwords or use easily guessed passwords (e.g. 12345). Many service providers offer additional access-control protection via two-factor authentication. Two-factor authentication requires a combination of something a user obtains (e.g. a one-use, time-sensitive code sent to the user’s smartphone) and something the user knows (e.g. a username and password). Single-sign-on mechanisms (e.g. Facebook) offer users greater convenience, but may expose users to tracking across the connected services.

Electronic signatures: Electronic signatures can be used to confirm that a user adopts the contents of a document and/or to confirm who wrote the communication. Cross-border legal recognition of electronic signatures is critical to efficient global trade.

Identifiers: Identifiers can be used to identify a specific device or user, or track a device or device user’s online interactions. Some identifiers are easily observable (e.g. browser features), others are deliberately placed within a device to make tracking easier (e.g. cookies). Identifiers can be aggregated, linked, and used to infer connections.
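The "one-use, time-sensitive code" second factor described in the notes above, as an added example that is not part of the briefing: a small server-side model in which the code is stored hashed, expires after a fixed window, and is consumed by a single verification attempt, paired with a salted password check as the knowledge factor. The code length, the five-minute lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a delivered code stays valid for five minutes
CODE_DIGITS = 6          # assumption: six-digit numeric code


def hash_password(password, salt):
    """Knowledge factor: store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecondFactor:
    """Server-side state for one-use, time-sensitive codes delivered out of band."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so expiry can be tested without sleeping
        self._pending = {}      # username -> (sha256 of code, expiry timestamp)

    def issue(self, username):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = (digest, self._clock() + CODE_TTL_SECONDS)
        return code             # sent to the user's phone, never to the browser session

    def verify(self, username, submitted):
        # pop() consumes the code on any attempt: it can be used once, and a wrong
        # guess burns it, so an online guesser gets one try per delivered code
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False        # time-sensitive: stale codes are rejected even if correct
        return hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).digest())


def login(users, second_factor, username, password, code):
    """Both factors must pass: something the user knows and something the user obtained."""
    record = users.get(username)
    if record is None:
        return False
    salt, stored = record
    # evaluate both factors unconditionally so a failed login still consumes the code
    password_ok = hmac.compare_digest(stored, hash_password(password, salt))
    code_ok = second_factor.verify(username, code)
    return password_ok and code_ok
```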

Challenges and Guiding Principles

Privacy on the Internet is the biggest challenge. Most Internet users are more easily identified than ever before. An Internet user’s identity can be inferred by someone with enough access to either their data or their attributes.

Guiding principles for governments and citizens:
- Individuals should be able to use pseudonymous and anonymous digital identities.
- Digital identities need not be government-issued to be trustworthy.

Challenges: Most Internet users today can be easily identified. Privacy online is thus the biggest challenge. In many cases, although a user’s actual identity may not immediately be known, it can be determined by someone with enough access to either their data or their attributes (e.g. Facebook friends, geolocation data, time and date stamps).

Guiding principles for governments and citizens to consider: Individuals should be able to use pseudonymous and anonymous digital identities, depending on the context and with whom they are interacting. Individuals should have access to reliable, secure, privacy-by-design, trustworthy digital identities for online transactions. These are the characteristics that will support a secure, reliable, and protective consumer environment. Governments should consider offering electronic identification for more secure access to e-government services and commercial transactions (e.g. banking) that require a high level of authentication. However, digital identities need not be government-issued to be trustworthy.
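Both the Key Considerations note (one attribute such as age rarely identifies anyone, while date of birth, zip code and gender together often do) and the claim above that an identity can be determined from enough attributes can be measured on a dataset. This is an added example, not material from the briefing; the records are constructed and fictional, and the attribute names are assumptions.

```python
from collections import Counter

# Constructed sample records (fictional, no real people); the quasi-identifiers
# named in the briefing are date of birth, zip code and gender.
RECORDS = [
    {"dob": "1990-04-12", "zip": "10001", "gender": "F", "age": 34},
    {"dob": "1990-04-12", "zip": "10002", "gender": "F", "age": 34},
    {"dob": "1990-09-30", "zip": "10001", "gender": "M", "age": 34},
    {"dob": "1985-01-05", "zip": "10001", "gender": "M", "age": 39},
    {"dob": "1985-01-05", "zip": "10001", "gender": "F", "age": 39},
    {"dob": "1985-07-22", "zip": "10003", "gender": "F", "age": 39},
    {"dob": "2001-11-11", "zip": "10002", "gender": "M", "age": 22},
    {"dob": "2001-11-11", "zip": "10002", "gender": "M", "age": 22},
]

def group_sizes(records, attrs):
    """How many records share each combination of values for the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)

def singled_out_fraction(records, attrs):
    """Fraction of records whose attribute combination is unique, i.e. records that
    anyone holding those attribute values could match to exactly one person."""
    sizes = group_sizes(records, attrs)
    unique = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return unique / len(records)

def k_anonymity(records, attrs):
    """Smallest group size k: every record hides among at least k-1 others with the
    same attribute values (k == 1 means at least one record stands alone)."""
    return min(group_sizes(records, attrs).values())

def minimal_attributes(records, candidates, max_singled_out=0.0):
    """Data-minimisation check: the longest prefix of `candidates` a service can
    collect before more than `max_singled_out` of the records become unique."""
    kept = []
    for attr in candidates:
        if singled_out_fraction(records, kept + [attr]) > max_singled_out:
            break
        kept.append(attr)
    return kept

if __name__ == "__main__":
    for attrs in (["age"], ["age", "gender"], ["dob", "zip", "gender"]):
        print(attrs, singled_out_fraction(RECORDS, attrs), k_anonymity(RECORDS, attrs))
```

On this sample, age alone singles out nobody, while date of birth, zip code and gender together single out six of eight records; the two remaining twins show why "often" rather than "always".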

Guiding Principles

It is good privacy and security practice to separate the use of digital identities and the data they are used to access. In considering the principles for an electronic identity system, the following questions are relevant:
- What form(s) of electronic identity are most useful for their projected use?
- Is the identity system technically interoperable and legally compatible?
- Does it collect and use only the data that is necessary?
- Can the electronic identity be revoked if necessary?

Guiding Principles: It is good privacy and security practice to separate the use of digital identities and the data they are used to access. If you are a business or political leader thinking about what form of electronic identification system to use for your own online service, take the following steps:
- Consider what form(s) of electronic identity are most useful for their projected uses and identify the economic, social, or other issues that could hinder their deployment or use;
- Ensure that the electronic identity system is technically interoperable and legally compatible with the identity systems deployed by other governments for cross-border transactions;
- Prevent the issuer and relying parties from tracking the use of electronic identities across services and institutions;
- Collect and use only the data that is necessary (applying the principle of data minimization in this way enhances consumer trust and choice);
- Make electronic identities revocable when necessary (e.g. in the event of compromise); and
- Conduct a thorough risk-benefit analysis before considering the use of biometric data for electronic identities. In the event that biometric data is leaked or compromised, it cannot be revoked (a person cannot change his or her fingerprint). For this reason, it should not be collected unless absolutely necessary.

Thank You

Download the Briefing Paper.

Thank You: Effective digital identities facilitate trusted Internet communications and business transactions. It is therefore critical that governments: continue to encourage the open development and use of new technologies to express identity on the Internet, whether they are identified, pseudonymous, or anonymous; and refrain from activities that might stifle economic and/or social progress (e.g. mandating the level of identification required to access Internet activities).