Legal Framework of Identity Verification

Abstract: The focus of this Guide is on ID systems that provide proof of legal identity that is often required for — or simplifies the process of — accessing basic rights, services, opportunities, and protections. Historically, governments have operated a variety of ID systems to serve this and other purposes. Primarily, this includes foundational ID systems, such as civil registers, national IDs and population registers, which are created to provide identification to the general population for a wide variety of transactions. An ID system can be considered a legal ID system to the extent that it enables a person to prove who they are using credentials recognized by law or regulation as proof of legal identity — i.e., most foundational ID systems. In addition, governments have often created a variety of functional ID systems to manage identification, authentication, and authorization for specific sectors or use-cases, such as voting, taxation, social protection, travel, and more. In some countries — and particularly those that do not have a foundational ID system beyond civil registration — functional identity credentials are used as de facto proof of identity for purposes beyond their original scope. In the United States, for example, social security numbers and driver’s licenses are issued as proof of authorization for specific purposes but are used as general-purpose credentials. However, functional ID systems are typically not considered to be legal ID systems unless they are officially recognized as serving this purpose.

Introduction

In terms of technology, these ID systems can be paper-based or digitized. Digital ID systems are those that use digital technology throughout the identity lifecycle, including for data capture, validation, storage, and transfer; credential management; and identity verification and authentication. Although the term “digital ID” often connotes identity credentials used for web-based or virtual transactions (e.g., for logging into an e-service portal), digital IDs can also be used for stronger in-person (and offline) authentication.

In addition, these ID systems may or may not uniquely identify individuals within a given population. Uniqueness typically means that (a) one person does not claim multiple identities within the system, and (b) each identity is only claimed by one person. In general, most foundational and functional ID systems are intended to be unique. However, some may have less reliable identity records due to a lack of deduplication, non-unique identifier generation (e.g., recycling ID numbers over time), or weak identity proofing procedures. In other cases, allowing for multiple registrations may be a feature of the ID system functionality. For example, the same person can enroll multiple times in the UK’s Verify system, because its focus is on proof of identity, with any issues of uniqueness handled by the relying party, as described in Box 38.

Finally, these ID systems also vary based on the population that they are intended to cover. Because the purpose of foundational systems has been to provide broad (or universal, in the case of CR) coverage within the population, they are typically more inclusive in scope than functional systems, which — by their nature — are often limited to a certain subset of the population (e.g., people eligible to vote, beneficiaries of a cash transfer, people who have passed a driver’s test, etc.). In some cases, however, functional ID systems have relatively broad coverage because their program is intended to be universal (e.g., the US social security number). Similarly, not all foundational ID systems cover the entire population. For example, a country’s civil registry only covers vital events that occur within the territory, and therefore does not cover migrants or (in some cases) nationals born abroad. Similarly, some national ID systems only cover nationals, foreign residents with a valid visa, and/or people over age 18. In contrast, other countries have implemented inclusive foundational ID systems that are accessible to all people within a territory or jurisdiction.

Within a given jurisdiction, there are normally many government and private-sector ID systems that together make up the identity ecosystem. As ID systems become digital, these ecosystems may be increasingly complex, with a wide range of identity models and actors with diverse responsibilities, interests, and priorities. The particular path that a country takes to develop a digital identity ecosystem will depend on a variety of factors, including which ID systems and assets already exist, and the identity-related needs of key stakeholders in both the public and private sectors.

As demand for online products and services increases, businesses face a growing need to verify their users are who they say they are. Many of them, particularly digital banking and money management apps, must comply with strict regulations that vary from one country to another. Others, including ridesharing apps and gaming platforms, see identity verification as an opportunity to build trust with their users and fight online fraud – which is growing rampant across industries.

For instance, in the US alone, 47 percent of Americans experienced financial identity theft in 2020, according to the Aite Group. The group’s report found that losses from identity theft cases cost $502.5 billion in 2019 and increased 42 percent to $712.4 billion in 2020. Losses are forecast to increase again in 2021 to $721.3 billion.

The study narrowed the identity theft definition to include only application fraud, where criminals used a victim’s identity to open a new account of some type, and account takeover, where an account is taken so criminals can steal money or access rewards.

Online identity verification is key to building safer, more enjoyable digital experiences, yet its widespread adoption is still limited. From a UX point of view, verifying yourself online is often riddled with friction, and is known to take a toll on account activation rates. Privacy is another issue, as most of the major players on the market are cloud-based providers that process sensitive data on their own servers. Finally, the existing solutions on the market often do not verify if the user’s ID document is genuine, leaving a gap for fraud wide open.

This whitepaper will explore how National Security Framework’s Identity Verification works to help businesses keep their community safe without adding unnecessary friction to legitimate users.

Reference: Giact. 2021. U.S. Identity Theft: The Stark Reality. [Online]. [26 Oct 2021].

Role of a foundational ID system

The focus of this Guide is on the design and implementation of foundational, digital ID systems that provide people with proof of legal identity. As shown in Figure 5, inclusive and trusted foundational ID systems can serve two important functions within the identity ecosystem and across a variety of sectors:

  1. Authoritative source(s) of basic identity information. By creating a register of unique, verified identities, a foundational ID system can provide the basis for secure identity verification for government and private-sector users. In any country, having one or more trusted sources of basic identity information is vital to the integrity of the identity proofing process for government functional ID systems and for private-sector ID providers and relying parties (e.g., financial institutions or MNOs conducting KYC). Beyond the verification of identity attributes themselves, a foundational system with unique identity records can also help deduplicate functional systems — e.g., a cash transfer register or public payroll — reducing opportunities for fraud and the need for redundant data collection by the foundational system.
  2. Credential and authentication provider. In addition to establishing an authoritative source of identity information that can be leveraged by other systems, foundational ID systems can also provide credentials that allow people to authenticate their identities for a wide variety of purposes and sectors. As with verification, authentication can be a shared service provided to a variety of public and private sector users. When built as a platform that allows users to leverage the ID system’s credentials and authentication rather than building their own, this can help reduce costs for government agencies and private companies.

As described in more detail in the Introduction, having one or more interoperable foundational ID systems that serve these functions can improve access and service delivery across a variety of sectors, including health, education, social protection, financial inclusion, etc.

In order to further these development goals, however, foundational ID systems must be inclusive, and they must be trusted. In accordance with SDG 16.9 and the Principles for Identification, all people must have access to proof of their legal identity, no matter their age, nationality, or where they were born. CR systems are an important part of this infrastructure and provide the authoritative source of certain attributes as they were at the time of birth or death (i.e., at the moment births or deaths were registered), assuming that they were accurately recorded. Some of this information (e.g., name, legal guardians, and sex) could change over a person’s lifetime, while other attributes (e.g., date and place of birth or death, and birth parents’ identities) are immutable. However, CR systems are not dynamic registers of identity data, and — because they only cover events that occurred within the jurisdiction — they cannot be an authoritative source of information for people who were born elsewhere or who never had their vital events registered.

Providing legal identity for all therefore requires the strengthening of CR systems alongside — and in coordination with — the development of ID systems that can leverage and build on the CR while adding functionality (e.g., identity proofing, online verification and authentication services, portable credentials, etc.). In addition, and as enshrined in Principles 1 and 2, countries must ensure that everyone has access to a foundational ID system, regardless of who they are. This requires conscious and continuous efforts to remove or mitigate barriers to accessing proof of identity that are common among vulnerable populations.

In addition, foundational ID systems will only achieve the benefits described above when they are trusted — both by people and the institutions and companies that rely on them. Where people do not trust the provider of an ID system to manage and protect their data, they are unlikely to participate. Systems with low coverage have limited utility for governments or people and will necessitate parallel business processes to deal with people who are and are not covered. Similarly, where the data or credentials provided by an ID system are known or perceived to be inaccurate or susceptible to fraud or tampering, service providers will not be able to take this information at face value. Effective public engagement, robust legal frameworks, and a privacy-and-security-by-design approach are therefore fundamental to ensuring the overall success of the system.

New models for foundational ID in a digital world

In the past, most foundational (and functional) ID systems were paper-based and operated or managed entirely by governments. With the move toward digital technology throughout the identity lifecycle, however, we have begun to see new models of partnerships or trust frameworks between governments and the private sector to provide digital layers on top of existing legal ID systems that are recognized by the government for official online transactions. Typically, these systems leverage existing government-owned identity registers as authoritative sources of information to provide digital authentication and verification services for both official purposes and private sector applications.

A number of authors — notably from ITU (2018) and WEF (2016) — have developed typologies to categorize these new digital ID ecosystem models, typically based on the role of the private sector in providing digital identities, and the structure of these arrangements (e.g., federation). For the purpose of this Guide, it is also important to distinguish an additional dimension beyond the number and type of digital IDs (i.e., credential and authentication providers), which is the type of authoritative source(s) these digital IDs use for identity proofing. Using these dimensions, we can classify various models used to provide people with government-recognized or legal identity in a digital form:

  • Centralized: Under the centralized model, there is a single provider for a digital ID system recognized by the government as providing proof of legal identity.
      • In some cases, this may be the same entity that maintains the authoritative source register (e.g., a national ID or population register) on which the digital ID is based (e.g., Belgium’s eCard, Netherlands’ DigiD, India’s Aadhaar, and many others).
      • In other cases — i.e., where there is no foundational ID system — the official digital ID may be provided by an entity that relies on multiple functional or lower-tiered government ID systems as authoritative sources for identity proofing (e.g., the current myGovID system in Australia).
  • Federated: Under a federated model, multiple entities provide a government-recognized digital ID, coordinated or accredited through a trust framework or federation authority.
      • In some cases, these identity providers are public and/or private entities that leverage a foundational ID system as their authoritative source (e.g., Bank ID in Sweden, Norway, and Finland, NemID in Denmark, Belgium’s Itsme®).
      • In others, they draw from multiple functional systems as well as civil registers through a “broker” or federation authority (e.g., GOV.UK Verify, Canada’s SecureKey).
  • Open-market: Finally, countries could have multiple, regulated entities that provide government-recognized digital ID based on multiple functional IDs and/or civil registers as authoritative sources of identity. In contrast to the federated system, however, these providers operate based on bilateral agreements with individual government agencies that provide online services rather than through a central or brokered scheme (e.g., U.S.).

In addition to the government-recognized forms of digital identity discussed above, countries may have a host of other digital ID systems maintained by public or (primarily) private sector entities for their internal use and for unofficial purposes. This might include, for example, private-sector-provided IDs that are derived directly from the government-recognized authoritative sources or digital IDs described above, issued after identity proofing based on non-governmental sources, or self-asserted (e.g., social media, email accounts, commercial platforms, etc.). In addition, there are emerging models of decentralized or distributed-ledger-based digital identity that seek to put people — rather than ID authorities, providers or relying parties — in control and at the center of identity transactions. However, distributed digital identity solutions typically rely on official data sources (i.e., foundational and/or functional government systems) to substantiate basic identity attributes in the first instance. To our knowledge, such models have not yet been accepted as legal proof of identity for use in official (online or in-person) transactions.

Importantly, different models of digital ID can exist within the same jurisdiction — in Belgium, for example, people can log in to online government services using either the centrally-provided eCard, or the Itsme® digital ID (the first certified credential provider in an emerging federated scheme). This can improve people’s control over their digital identities by offering them a choice of providers (and the ability to switch to more trusted or user-friendly services as needed).

The ideal model of providing a digital, government-recognized ID system is very country-specific, and depends on the country’s historical development and the trustworthiness of existing registers and other authoritative sources of identity information.

In Conclusion

In any ID system, the process of establishing a person’s identity and then using this identity in later transactions involves multiple stages often referred to as the “identity lifecycle”. This lifecycle is vital to creating trust in a variety of transactions between people, identity providers, and public and private sector relying parties.

As the name implies, the identity lifecycle is not a one-time event (see Figure 6 below). Rather, it is a process that starts when a person first registers and their identity is created; continues with authentication of that identity and updates to their attributes and credentials over time; and ends when an identity record is retired or invalidated (e.g., after death, request for removal by the individual, or some other event). As discussed above — and in the section below on stakeholders and roles — the lifecycle may be completed by a single actor (e.g., an ID authority) for a given ID system, or may be split between multiple public and/or private sector actors (e.g., different registration authorities vs. credential and authentication providers).
