Digital identity

From Wikipedia, the free encyclopedia

A digital identity is information used by computer systems to represent an external agent – a person, organization, application, or device. Digital identities allow access to services provided with computers to be automated and make it possible for computers to mediate relationships.

The use of digital identities is so widespread that many discussions refer to the entire collection of information generated by a person's online activity as a "digital identity". This includes usernames, passwords, search history, birthdate, social security number, and purchase history,[1] especially where that information is publicly available and not anonymized and so can be used by others to discover that person's civil identity. In this broader sense, a digital identity is a facet of a person's social identity and is also referred to as online identity.[2]

An individual's digital identity is often linked to their civil or national identity and many countries have instituted national digital identity systems that provide digital identities to their citizenry.

The legal and social effects of digital identity are complex and challenging.[further explanation needed]

Background[edit]

A critical problem in cyberspace is knowing with whom one is interacting. Using only static identifiers such as password and email, there is no way to precisely determine the identity of a person in cyberspace because this information can be stolen or used by many individuals acting as one. Digital identity based on dynamic entity relationships captured from behavioral history across multiple websites and mobile apps can verify and authenticate an identity with up to 95% accuracy.[3]

By comparing a set of entity relationships between a new event (e.g., login) and past events, a pattern of convergence can verify or authenticate the identity as legitimate whereas divergence indicates an attempt to mask an identity. Data used for digital identity is generally anonymized using a one-way hash, thereby avoiding privacy concerns. Because it is based on behavioral history, a digital identity is very hard to fake or steal.

Related terms[edit]

Subject and entity[edit]

A digital identity may also be referred to as a digital subject or digital entity and is the digital representation of a set of claims made by one party about itself or another person, group, thing or concept.[4][5][importance?]

Attributes, preferences and traits[edit]

The attributes of a digital identity are acquired and contain information about a subject, such as medical history, purchasing behaviour, bank balance, age and so on.[6] Preferences retain a subject's choices such as favourite brand of shoes, preferred currency. Traits are features of the subject that are inherent, such as eye colour, nationality, place of birth. Although attributes of a subject can change easily, traits change slowly, if at all. A digital identity also has entity relationships derived from the devices, environment and locations from which an individual is active on the Internet.

Technical aspects[edit]

Issuance[edit]

Digital identities can be issued through digital certificates. These certificates contain data associated with a user and are issued with legal guarantees by recognized certification authorities.

Trust, authentication and authorization[edit]

In order to assign a digital representation to an entity, the attributing party must trust that the claim of an attribute (such as name, location, role as an employee, or age) is correct and associated with the person or thing presenting the attribute. Conversely, the individual claiming an attribute may only grant selective access to its information (e.g., proving identity in a bar or PayPal authentication for payment at a website). In this way, digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.

Authentication[edit]

Authentication is the assurance of the identity of one entity to another. It is a key aspect of digital trust. In general, business-to-business authentication is designed for security, but user-to-business authentication is designed for simplicity.

Authentication techniques include the presentation of a unique object such as a bank credit card, the provision of confidential information such as a password or the answer to a pre-arranged question, the confirmation of ownership of an email address, and more robust but costly techniques using encryption. Physical authentication techniques include iris scanning, handprinting, and voiceprinting; those techniques are called biometrics. The use of both static identifiers (e.g., username and password) and personal unique attributes (e.g., biometrics) is called multi-factor authentication and is more secure than the use of one component alone.

Whilst technological progress in authentication continues to evolve, these systems do not prevent aliases from being used. The introduction of strong authentication[citation needed] for online payment transactions within the European Union now links a verified person to an account, where such person has been identified in accordance with statutory requirements prior to account being opened. Verifying a person opening an account online typically requires a form of device binding to the credentials being used. This verifies that the device that stands in for a person on the Internet is actually the individual's device and not the device of someone simply claiming to be the individual. The concept of reliance authentication makes use of pre-existing accounts, to piggy back further services upon those accounts, providing that the original source is reliable. The concept of reliability comes from various anti-money laundering and counter-terrorism funding legislation in the US,[7] EU28,[8] Australia,[9] Singapore and New Zealand[10] where second parties may place reliance on the customer due diligence process of the first party, where the first party is say a financial institution. An example of reliance authentication is PayPal's verification method.

Authorization[edit]

Authorization is the determination of any entity that controls resources that the authenticated can access those resources. Authorization depends on authentication, because authorization requires that the critical attribute (i.e., the attribute that determines the authorizer's decision) must be verified.[citation needed] For example, authorization on a credit card gives access to the resources owned by Amazon, e.g., Amazon sends one a product. Authorization of an employee will provide that employee with access to network resources, such as printers, files, or software. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data.[citation needed]

Consider the person who rents a car and checks into a hotel with a credit card. The car rental and hotel company may request authentication that there is credit enough for an accident, or profligate spending on room service. Thus a card may later be refused when trying to purchase an activity such as a balloon trip. Though there is adequate credit to pay for the rental, the hotel, and the balloon trip, there is an insufficient amount to also cover the authorizations. The actual charges are authorized after leaving the hotel and returning the car, which may be too late for the balloon trip.

Valid online authorization requires analysis of information related to the digital event including device and environmental variables. These are generally derived from the data exchanged between a device and a business server over the Internet.

Digital identifiers[edit]

Use of decentralized identifiers

Digital identity requires digital identifiers—strings or tokens that are unique within a given scope (globally or locally within a specific domain, community, directory, application, etc.).

Identifiers may be classified as omnidirectional or unidirectional.[11] Omnidirectional identifiers are public and easily discoverable, whereas unidirectional identifiers are intended to be private and used only in the context of a specific identity relationship.

Identifiers may also be classified as resolvable or non-resolvable. Resolvable identifiers, such as a domain name or email address, may be easily dereferenced into the entity they represent, or some current state data providing relevant attributes of that entity. Non-resolvable identifiers, such as a person's real name, or the name of a subject or topic, can be compared for equivalence but are not otherwise machine-understandable.

There are many different schemes and formats for digital identifiers. Uniform Resource Identifier (URI) and the internationalized version Internationalized Resource Identifier (IRI) are the standard for identifiers for websites on the World Wide Web. OpenID and Light-weight Identity are two web authentication protocols that use standard HTTP URIs (often called URLs). A Uniform Resource Name is a persistent, location-independent identifier assigned within the defined namespace.

Digital Object Architecture[edit]

Digital Object Architecture[12] is a means of managing digital information in a network environment. In Digital Object Architecture, a digital object has a machine and platform independent structure that allows it to be identified, accessed and protected, as appropriate. A digital object may incorporate not only informational elements, i.e., a digitized version of a paper, movie or sound recording, but also the unique identifier of the digital object and other metadata about the digital object. The metadata may include restrictions on access to digital objects, notices of ownership, and identifiers for licensing agreements, if appropriate.

Handle System[edit]

The Handle System is a general purpose distributed information system that provides efficient, extensible, and secure identifier and resolution services for use on networks such as the internet. It includes an open set of protocols, a namespace, and a reference implementation of the protocols. The protocols enable a distributed computer system to store identifiers, known as handles, of arbitrary resources and resolve those handles into the information necessary to locate, access, contact, authenticate, or otherwise make use of the resources. This information can be changed as needed to reflect the current state of the identified resource without changing its identifier, thus allowing the name of the item to persist over changes of location and other related state information. The original version of the Handle System technology was developed with support from the Defense Advanced Research Projects Agency.

Extensible Resource Identifiers[edit]

A new OASIS standard for abstract, structured identifiers, XRI (Extensible Resource Identifiers), adds new features to URIs and IRIs that are especially useful for digital identity systems. OpenID also supports XRIs, and XRIs are the basis for i-names.

Risk-based authentication[edit]

Risk-based authentication is an application of digital identity whereby multiple entity relationship from the device (e.g., operating system), environment (e.g., DNS Server) and data entered by a user for any given transaction is evaluated for correlation with events from known behaviors for the same identity.[13] Analysis are performed based on quantifiable metrics, such as transaction velocity, locale settings (or attempts to obfuscate), and user-input data (such as ship-to address). Correlation and deviation are mapped to tolerances and scored, then aggregated across multiple entities to compute a transaction risk-score, which assess the risk posed to an organization.

Policy aspects[edit]

There are proponents of treating self-determination and freedom of expression of digital identity as a new human right.[citation needed] Some have speculated that digital identities could become a new form of legal entity.[14][how?]

Taxonomies of identity[edit]

Digital identity attributes exist within the context of ontologies.

The development of digital identity network solutions that can interoperate taxonomically diverse representations of digital identity is a contemporary challenge. Free-tagging has emerged recently as an effective way of circumventing this challenge (to date, primarily with application to the identity of digital entities such as bookmarks and photos) by effectively flattening identity attributes into a single, unstructured layer. However, the organic integration of the benefits of both structured and fluid approaches to identity attribute management remains elusive.

Networked identity[edit]

Identity relationships within a digital network may include multiple identity entities. However, in a decentralized network like the Internet, such extended identity relationships effectively requires both the existence of independent trust relationships between each pair of entities in the relationship and a means of reliably integrating the paired relationships into larger relational units. And if identity relationships are to reach beyond the context of a single, federated ontology of identity (see Taxonomies of identity above), identity attributes must somehow be matched across diverse ontologies. The development of network approaches that can embody such integrated "compound" trust relationships is currently a topic of much debate in the blogosphere.

Integrated compound trust relationships allow, for example, entity A to accept an assertion or claim about entity B by entity C. C thus vouches for an aspect of B's identity to A.

A key feature of "compound" trust relationships is the possibility of selective disclosure from one entity to another of locally relevant information. As an illustration of the potential application of selective disclosure, let us suppose a certain Diana wished to book a hire car without disclosing irrelevant personal information (using a notional digital identity network that supports compound trust relationships). As an adult, UK resident with a current driving license, Diana might have the UK's Driver and Vehicle Licensing Agency vouch for her driving qualification, age and nationality to a car-rental company without having her name or contact details disclosed. Similarly, Diana's bank might assert just her banking details to the rental company. Selective disclosure allows for appropriate privacy of information within a network of identity relationships.

A classic form of networked digital identity based on international standards is the "White Pages".

An electronic white pages links various devices, like computers and telephones, to an individual or organization. Various attributes such as X.509v3 digital certificates for secure cryptographic communications are captured under a schema, and published in an LDAP or X.500 directory. Changes to the LDAP standard are managed by working groups in the IETF, and changes in X.500 are managed by the ISO. The ITU did significant analysis of gaps in digital identity interoperability via the FGidm (ƒfocus group on identity management).

Implementations of X.500[2005] and LDAPv3 have occurred worldwide but are primarily located in major data centers with administrative policy boundaries regarding sharing of personal information. Since combined X.500 [2005] and LDAPv3 directories can hold millions of unique objects for rapid access, it is expected to play a continued role for large scale secure identity access services. LDAPv3 can act as a lightweight standalone server, or in the original design as a TCP-IP based Lightweight Directory Access Protocol compatible with making queries to a X.500 mesh of servers which can run the native OSI protocol.

This will be done by scaling individual servers into larger groupings that represent defined "administrative domains", (such as the country level digital object) which can add value not present in the original "White Pages" that was used to look up phone numbers and email addresses, largely now available through non-authoritative search engines.

The ability to leverage and extend a networked digital identity is made more practicable by the expression of the level of trust associated with the given identity through a common Identity Assurance Framework.

Security and privacy issues[edit]

Several writers have pointed out the tension between services that use digital identity on the one hand and user privacy on the other.[15][16][17][18][19]

Services that gather and store data linked to a digital identity which in turn can be linked to a user's real identity can learn a great deal about individuals. GDPR is one attempt to address this concern using regulation.

Many systems provide privacy-related mitigations when analyzing data linked to digital identities. One common mitigation is data anonymization, such as hashing user identifiers with a cryptographic hash function. Another popular technique is adding statistical noise to a data set to reduce identifiability, such as in differential privacy.

Although a digital identity allows consumers to transact from anywhere and more easily manage various ID cards, it also poses a potential single point of compromise that malicious hackers can use to steal all of that personal information.[20]

Social aspects[edit]

Digital rhetoric[importance?][edit]

The term digital identity is used in the academic field of digital rhetoric to denote identity as a "rhetorical construction."[21] Digital rhetoric is concerned with how identities are being formed, negotiated, influenced, or challenged in ever-evolving digital environments. Being aware of different rhetorical situations is complex in digital spaces but it is important for effective communication as some scholars argue that individuals’ ability to evaluate rhetorical situations is necessary for constructing an appropriate identity under different rhetorical circumstances.[22][23][24] In addition to that, physical and digital identities cannot be separated and visual affordances shape the representation of physical identity in online spaces.[25] As Bay argues, “what we do online now requires there to be more continuity—or at least fluidity—between our online and off-line selves.”[25] In positioning of digital identity in rhetoric, the scholars pay attention to how issues of race, gender, agency, and power are manifested in digital spaces. Some radical theorists "posited that cyberspace would liberate people from their bodies, blur the lines between human and technology."[26] Other scholars theorized that this ‘‘disembodied’’ communication "could free society from discrimination based on race, sex, gender, sexuality, or class."[27] Even more, the construction of digital identity is also tied to the network. This can be seen from the practices of reputation management companies which work on creating positive identity, so that personal or company's accounts show up higher in various search engines.[21]

Legal issues[edit]

Clare Sullivan presents the grounds for digital identity as an emerging legal concept.[28] The UK's Identity Cards Act 2006 confirms Sullivan's argument and unfolds the new legal concept involving database identity and transaction identity. Database identity is the collection of data that is registered about an individual within the databases of the scheme and transaction identity is a set of information that defines the individual's identity for transactional purposes. Although there is reliance on the verification of identity, none of the processes used are entirely trustworthy. The consequences of digital identity abuse and fraud are potentially serious, since in possible implications the person is held legally responsible.[28]

Business aspects[edit]

Corporations are recognizing the power of the internet to tailor their online presence to each individual customer. Purchase suggestions, personalized adverts and other tailored marketing strategies are a great success to businesses. Such tailoring however, depends on the ability to connect attributes and preferences to the identity of the visitor.[29] For technology to enable direct value transfer of rights and non-bearer assets, human agency must be conveyed, including the authorization, authentication and identification of the buyer and/or seller, as well as “proof of life,” without a third party.[30]

Digital death[edit]

Digital death is the phenomenon of people continuing to have Internet accounts after their deaths. This results in several ethical issues concerning how the information stored by the deceased person may be used or stored or given to the family members. It also may result in confusion due to automated social media features such as birthday reminders, as well as uncertainty about the deceased person's willingness to pass their personal information to the third party. Many social media platforms do not have clear policies about digital death. There are many companies that secure digital identities after death or legally pass those on to the deceased people's families.[31]

National digital identity systems[edit]

Although many facets of digital identity are universal owing in part to the ubiquity of the Internet, some regional variations exist due to specific laws, practices and government services that are in place. For example, digital identy can use services that validate driving licences, passports and other physical documents online to help improve the quality of a digital identity. Also, strict policies against money laundering mean that some services, such as money transfers need a stricter level of validation of digital identity. Digital identity in the national sense can mean a combination of single sign on, and/or validation of assertions by trusted authorities (generally the government).[citation needed]

Countries or regions with official or unofficial digital identity systems include:

Countries or regions with proposed digital identity systems include:

See also[edit]

References[edit]

  1. ^ "What is a Digital Identity? - Definition from Techopedia". Retrieved October 1, 2016.
  2. ^ Global, IndraStra. "Digital Identity – A Gateway to All Other Use Cases". IndraStra. ISSN 2381-3652.
  3. ^ Stachl, Clemens; Au, Quay; Schoedel, Ramona; Gosling, Samuel D.; Harari, Gabriella M.; Buschek, Daniel; Völkel, Sarah Theres; Schuwerk, Tobias; Oldemeier, Michelle; Ullmann, Theresa; Hussmann, Heinrich (July 28, 2020). "Predicting personality from patterns of behavior collected with smartphones". Proceedings of the National Academy of Sciences. 117 (30): 17680–17687. Bibcode:2020PNAS..11717680S. doi:10.1073/pnas.1920484117. ISSN 0027-8424. PMC 7395458. PMID 32665436.
  4. ^ "Digital Identity - Eclipsepedia". wiki.eclipse.org.
  5. ^ Deh, Dragana; Glođović, Danica (September 5, 2018). "The Construction of Identity in Digital Space". AM Journal of Art and Media Studies (16): 101. doi:10.25038/am.v0i16.257. ISSN 2406-1654.
  6. ^ Windley, Phillip J. (2005). Digital Identity. O'Reilly Media, Inc. pp. 8–9. ISBN 978-0596008789.
  7. ^ Federal Financial Institutions Examination Council (July 28, 2006). "Bank Secrecy Act / Anti-Money Laundering Examination Manual" (PDF). www.ffiec.gov. Retrieved June 4, 2022.
  8. ^ "EUR-Lex - 52013PC0045 - EN - EUR-Lex". eur-lex.europa.eu.
  9. ^ "Anti-Money Laundering and Counter-Terrorism Financing Act 2006".
  10. ^ Affairs, The Department of Internal. "AML/CFT Act and Regulations". www.dia.govt.nz. Archived from the original on October 4, 2013. Retrieved October 1, 2013.
  11. ^ Cameron, Kim (May 2005). "The Laws of Identity". msdn.microsoft.com. Microsoft.
  12. ^ Kahn, Robert; Wilensky, Robert (May 13, 1995). "A Framework for Distributed Digital Object Services". Corporation for National Research Initiatives.
  13. ^ Cser, Andras (July 17, 2017). "The Forrester Wave™: Risk-Based Authentication, Q3 2017". www.forrester.com. Retrieved June 4, 2022.
  14. ^ Sullivan, Clare (2012). "Digital Identity and Mistake". International Journal of Law and Technology. 20 (3): 223–241. doi:10.1093/ijlit/eas015.
  15. ^ Camp, L. Jean (2004). "Digital Identity". IEEE Technology and Society Magazine. IEEE. 23 (3): 34–41. doi:10.1109/MTAS.2004.1337889. S2CID 206487368.(subscription required)
  16. ^ Beck, Estee N. (2015). "The Invisible Digital Identity: Assemblages in Digital Networks". Computers and Composition. 35: 125–140. doi:10.1016/j.compcom.2015.01.005. ISSN 8755-4615.
  17. ^ Sullivan, Clare (2013). "Digital identity, privacy and the right to identity in the United States of America". Computer Law & Security Review. 29 (4): 348–358. doi:10.1016/j.clsr.2013.05.011. ISSN 0267-3649.
  18. ^ Holt, Jennifer; Malčić, Steven (2015). "The Privacy Ecosystem: Regulating Digital Identity in the United States and European Union". Journal of Information Policy. 5: 155–178. doi:10.5325/jinfopoli.5.2015.0155. JSTOR 10.5325/jinfopoli.5.2015.0155.
  19. ^ Michael, Salmony (March 2018). "Rethinking digital identity". Journal of Payments Strategy & Systems. 12 (1): 40–57. Retrieved November 8, 2018.
  20. ^ November 22, Tina Orem |; PM, 2019 at 12:31. "Digital Identities Abound & Few Understand How They Work". Credit Union Times. Retrieved February 24, 2020.
  21. ^ a b Eyman, Douglas (2015). Digital Rhetoric: Theory, Method, Practice. University of Michigan Press. p. 78.
  22. ^ Higgins, E. T. (1987). "Self-discrepancy: a theory relating self and affect". Psychological Review. 94 (3): 319–340. doi:10.1037/0033-295X.94.3.319. PMID 3615707.
  23. ^ Goffman, E. (1959). "The moral career of the mental patient". Psychiatry. 22 (2): 123–142. doi:10.1080/00332747.1959.11023166. PMID 13658281.
  24. ^ Stryker, S. & Burke, P. J. (2000). "The past, present, and future of an identity theory". Social Psychology Quarterly. 63 (4): 284–297. doi:10.2307/2695840. JSTOR 2695840.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  25. ^ a b Bay, Jennifer (2010). Body on >body<: Coding subjectivity. In Bradley Dilger and Jeff Rice (Eds.). From A to <A>: Keywords in markup: Minneapolis: University of Minnesota Press. pp. 150–66.
  26. ^ Marwick, Alice (2013). "Online Identity" (PDF). In John Hartley; Jean Burgess; Axel Bruns (eds.). A Companion to New Media Dynamics. Vol. 1 (First ed.). Blackwell Publishing Ltd.
  27. ^ Turkle, S. (1995). "Ghosts in the machine". The Sciences. 35 (6): 36–40. doi:10.1002/j.2326-1951.1995.tb03214.x.
  28. ^ a b Sullivan, Clare (2010). Digital Identity. The University of Adelaide. doi:10.1017/UPO9780980723007. ISBN 978-0-9807230-0-7.
  29. ^ Ableson, Hal; Lessig, Lawrence (December 10, 1998). "Digital Identity in Cyberspace". groups.csail.mit.edu.{{cite web}}: CS1 maint: url-status (link)
  30. ^ Kameir, Christian (July 13, 2020). "Council Post: Digital Vending Machines And The Question Of Identity". Forbes. Retrieved January 16, 2021.
  31. ^ Tait, Amelia (June 2, 2019). "What happens to our online identities when we die?". The Guardian.
  32. ^ Macdonald, Ayang (March 14, 2022). "China to introduce digital ID cards nationwide | Biometric Update". www.biometricupdate.com. Retrieved January 21, 2023.
  33. ^ Phillips, Tom (March 16, 2022). "China to roll out digital ID cards nationwide". NFCW. Retrieved January 21, 2023.
  34. ^ "On biometric IDs, India is a 'laboratory for the rest of the world'". Christian Science Monitor. ISSN 0882-7729. Retrieved January 21, 2023.
  35. ^ Jarrahi, Javad (March 26, 2021). "Iran unveils new e-government components as digital ID importance grows | Biometric Update". www.biometricupdate.com. Retrieved January 21, 2023.
  36. ^ Sim, Royston (January 20, 2023). "Singapore to roll out measures to help its people better navigate digital services: Josephine Teo". The Straits Times. Retrieved January 21, 2023.
  37. ^ Parsovs, Arnis (March 3, 2021). Estonian electronic identity card and its security challenges (Thesis thesis). University of Tartu.
  38. ^ "Der Online-Ausweis". Bundesministerium des Innern, für Bau und Heimat (in German). Retrieved May 29, 2021.
  39. ^ Ehneß, Susanne. "Die "Digitale Identität" löst den Ausweis ab". www.security-insider.de (in German). Retrieved May 29, 2021.
  40. ^ "Italy's digital identity system: What is SPID and how do I get it?". Wanted in Rome. November 5, 2021. Retrieved January 21, 2023.
  41. ^ "Digital identity in Monaco / Identité Numérique / Nationality and residency / Public Services for Individuals- Monaco". en.service-public-particuliers.gouv.mc. Retrieved January 21, 2023.
  42. ^ Antoniuk, Daryna (March 30, 2021). "Ukraine makes digital passports legally equivalent to ordinary ones | KyivPost - Ukraine's Global Voice". KyivPost. Retrieved June 1, 2021.
  43. ^ "Cabinet of Ministers of Ukraine - Ministry of Digital Transformation: Ukraine is the first country in the world to fully legalize digital passports in smartphones". www.kmu.gov.ua. March 30, 2021. Archived from the original on April 3, 2021. Retrieved June 1, 2021.
  44. ^ "Gov.UK Verify: Late, unnecessary and finally launching this week". www.computing.co.uk. May 25, 2016. Retrieved January 21, 2023.
  45. ^ "Australian Taxation Office defaults agent log in to myGovID from Saturday". ZDNET. Retrieved January 21, 2023.
  46. ^ "AIA Australia adapts, then adopts Digital iD via DocuSign". iTnews. Retrieved January 21, 2023.
  47. ^ PYMNTS (September 10, 2021). "Consent-Based Social Security Number Verification Helps to Reduce Synthetic IDs". www.pymnts.com. Retrieved January 21, 2023.
  48. ^ Kalaf, Eve Hayes de. "How some countries are using digital ID to exclude vulnerable people around the world". The Conversation. Retrieved January 21, 2023.
  49. ^ "European Digital Identity". European Commission - European Commission. Retrieved June 4, 2021.
  50. ^ "Press corner". European Commission - European Commission. Retrieved June 4, 2021.
  51. ^ "NIDS Bill still problematic despite being passed in both Houses — JFJ | Loop Jamaica". Loop News. Retrieved January 21, 2023.