25 July 2024
Exploring the Future of Digital Identity - DRCF Findings

In our 2023/24 Workplan, the DRCF set out plans to conduct joint horizon scanning work into the future of digital identity, exploring how it may evolve in the medium term. This work reflects one of the core purposes of the DRCF - to ensure coherent, informed and responsive regulation of the UK digital economy through member regulator collaboration.

The purpose of our digital identity project was threefold: to pool knowledge and inform discussions between each member regulator’s internal subject matter experts; to add to that knowledge by seeking further insight from external stakeholders; and to further develop our overall understanding of the regulatory issues which might arise from ways in which digital identity and digital wallets might be used in the future.

This article sets out some of our key findings, including on what digital identity is, the insights gained from our research and potential regulatory implications that may arise depending on how digital identity develops.

NB. This is a landscape review based on findings from stakeholder interviews; it is not DRCF member regulator policy.

WHAT IS DIGITAL IDENTITY?

As the world increasingly moves online, digital identities are becoming more common. Whilst the UK does not yet have a commonly used form of digital identity, the Government’s UK Digital Identity and Attributes Trust Framework provides a set of rules for organisations to follow if they want to provide secure and trustworthy digital identity and/or attribute solutions. Furthermore, during the King’s Speech 2024, the Government announced plans for the Digital Information and Smart Data Bill, which will seek to support the creation and adoption of secure and trusted digital identity products.

For the purposes of the project, we based our definition of a digital identity on the UK Digital Identity and Attributes Trust Framework. This describes it as “A digital representation of a person acting as an individual or as a representative of an organisation. It enables them to prove who they are during interactions and transactions. They can use it online or in person”.

Digital identities are often created from “attributes”. Attributes are pieces of information that describe something about a person and can include things like someone’s name, date of birth, or national insurance number - all of which are personal data. A combination of attributes can be used to create a digital identity. These identities could be provided by private companies as a service, or supported by a government scheme.

Digital identity has the potential to deliver a range of benefits, depending on the digital identity model adopted. Possible benefits include an increase in convenience and efficiency; a potential reduction of personal data processing (as digital identity may allow individuals to provide the minimum amount of data necessary for a particular transaction such as proof that they are over 18, rather than their entire identity every time); an increase in accessibility and inclusion; and environmental benefits, if companies maintain fewer overlapping sets of data. Many of these benefits require further research and exploration. It is also important to note potential risks, including security concerns, risks of misuse of data, and digital exclusion. There may also be issues present in the technologies that might underpin digital identity, such as AI and biometric identification.

KEY FINDINGS

The following themes were identified through our stakeholder engagement. They represent the key factors influencing the future development, use, and deployment of digital identity technology across various sectors within the overlapping areas of interest of the DRCF members.

Future development of the technology and markets

Our research indicated that there were several uncertainties which may shape the direction in which digital identity develops:

  • Stakeholders noted that digital identity wallets (e.g. on smartphones) may be key to widespread adoption of digital identity by consumers.
  • AI already plays a role in digital identity in areas such as facial recognition, and its role is likely to grow as it is implemented more widely. However, AI could be used by bad actors to circumvent authentication and cyber-security systems to commit fraud.
  • There was a marked lack of consensus from stakeholders on whether ‘decentralised ID systems’[1] would become the norm, or instead only appeal to a minority.
  • Regarding potential future business models, most stakeholders expected that the party that deploys the digital identity system to verify individuals will be most likely to pay the digital identity system cost, rather than the individual whose identity is being verified. However, it was suggested that individuals may have to pay to access certain ‘premium’ features.

Trust, interoperability and standards

There was consensus that people would need to trust digital identity systems if they were to adopt and use them, especially for important services such as financial transactions. The degree of trust that people have is likely to depend on a number of different factors:

  • Transparency, including around how data is processed, was viewed as a key element in ensuring consumer trust.
  • Stakeholders suggested that standards and vouching[2] are likely to be key to building trust, but there was disagreement among stakeholders on the way these areas might develop.
  • There was a lack of consensus on whom the public might trust to operate digital identity systems. Many stakeholders suggested consumer technology organisations with large market shares and brand loyalty may be well placed to gain public trust.

Accessibility / the digital divide

There were mixed views, both positive and negative, about the effect that digital identity could have on accessibility and the digital divide:

  • Some stakeholders argued that the digital divide could be widened due to requirements for digital identity in order to access services, particularly for already vulnerable or excluded groups. Views differed, however, on the extent or speed with which this would happen. Some stakeholders suggested that routes to access services without digital identity may disappear over time, impacting access for those without a digital identity. Some argued this could happen over the next few years, whereas others argued it may be decades, particularly for critical services.
  • On the other hand, a number of examples of how digital identity could improve inclusion and access to services emerged through our research. For example, the due diligence process to access basic financial services could be streamlined.

Competition and key players

Given the relatively early stage of development of digital identity, it is not yet clear who the most important players will be and whether any barriers to effective competition will emerge:

  • Many stakeholders made the case that the strong incumbent position of large technology companies (in particular those with a role in mobile operating systems and existing wallet services) would likely result in them taking a leading role.
  • Other key players flagged included the Government, banks, telecoms operators and dedicated digital identity-focused startups. Some stakeholders noted UK-focused startups may be better placed to adapt to the specifics of the UK market, relative to larger international companies.

CONSIDERATIONS FOR DRCF MEMBER REGULATORS

From the insight provided by our engagement with stakeholders, several key considerations emerged for member regulators as the industry develops.

Digital identity wallets

Stakeholders highlighted possible barriers to development deriving from imbalances in market power, particularly where wallets capable of supporting digital identities were being bundled in with the operating systems of mobile devices. Regulators will need to be aware of any bottlenecks or barriers, so that organisations and the economy can take advantage of possible benefits from the technology.

As well as this, regulators will need to ensure that organisations across the ecosystem are aware of the need for transparency, the appropriate technical measures to secure data and the requirement for privacy by design in digital identity wallets. The need to ensure appropriate protections for the processing of people’s data is a requirement under data protection law, regulated by the ICO.

The use of AI

Other considerations revolved around the use of AI, both in terms of its responsible use in legitimate transactions, and by bad actors who might use it to attempt to circumvent authentication (through the creation of deepfaked identities, for example).

DRCF member regulators have previously issued guidance on the use of AI, around concepts like transparency, explainability and bias. The balance between ensuring AI can be used to enable beneficial innovation, whilst seeking to prevent its misuse and provide support for those impacted will be another key consideration for regulators moving forwards.

Decentralised ID

In decentralised ID systems, users may have greater control over what data is shared and with whom. This may create a greater need for users to understand the nature and extent of that sharing. Regulators will need to ensure that organisations that seek to process personal information as part of that sharing process are giving users sufficient knowledge to make an informed decision as to what data they wish to share.

Transparency is a data protection requirement, but its effectiveness is partly dependent on the level of digital literacy in the user, which is relevant to both the ICO and Ofcom. The ICO has previously set out its views on decentralised identity as part of its response to the UK Government’s proposal for a trusted digital identity system. The response noted that the proposed model mitigates many of the privacy risks that would emerge from a centralised scheme, including a lack of autonomy and unwarranted intrusion, but noted that such a decentralised identity system would still have inherent risks. How users can exercise their rights in decentralised systems has been explored previously in the ICO’s Tech Horizons Report.

Another important consideration for regulators is the governance and liability for decentralised systems, in particular who is responsible for the governance, which was a recurring theme in the DRCF’s Web3 Insight Paper. If suppliers of digital identity services fail in a decentralised provision model, regulators will need to understand what that might mean for individuals’ data, and how they could be supported.

Commercialisation and business models

Regulators should consider encouraging the development of commercial models which make use of the power of data without compromising data protection rights. This might involve opening up data on how digital identity as a market and technology is being used, without focusing on or disclosing information about individuals. Access to this high-level information on trends and usage patterns may support new market entrants as well as incumbents in identifying market opportunities.

Consumer trust and interoperability

From the ICO’s perspective, in addition to increasing consumer trust, data protection by design and default is a requirement, as is the need for appropriate technological and organisational means to safeguard personal data processed.

It is important that future digital identity systems are transparent, robust and secure to ensure consumer protection. For example, under the FCA's Consumer Duty, firms are expected to act in good faith with consumers. Therefore, the expectation is that the systems that are being used are enabling beneficial outcomes through a transparent and robust approach to support the deployment of financial products and services.

For the CMA, consumer law requires that consumers have sufficient information to make informed decisions and understand the impact of their decisions. More broadly, if use of digital identity becomes widespread, ensuring that individuals can easily access either digital identities or the services that require them will be critical. DRCF member regulators will need to consider how to support continued innovation and development of this technology whilst ensuring it does not result in a digital divide, where some users are unable to access key services due to barriers such as a lack of mobility, a lack of digital literacy, or a lack of the right device.

NEXT STEPS

The DRCF will maintain a watching brief, engaging closely with internal and external experts to help identify any further emerging cross-regulatory opportunities and issues. Individual member regulators will also continue to consider areas specific to them:

  • Ofcom: The Online Safety Act (OSA) has requirements relating to digital identity and age assurance in a number of areas, such as age assurance for child protection and user verification for user empowerment. For example, as set out in its recent Consultation, Ofcom is interested in digital identity as it is a technology that could be highly effective at enabling age assurance.
  • FCA: Digital identity could potentially be an enabler for future financial services, with implications for consumer protection, market integrity, and competition. As the boundaries between physical and digital identity blur, and new forms of value exchange emerge, robust and inclusive digital identity solutions may be essential for building trust, combating financial crime, and ensuring fair access to financial products and services.
  • ICO: How personal data is processed within digital identity systems is a key consideration for the development of those systems as significant harms may arise from misuse of that data (in the event of a personal data breach for example). Since this is a technology which is fundamentally based on the sharing of personal data with trusted parties, the ICO has had a longstanding programme of work within the space. This includes working with industry and Government departments on how the industry can develop in a way that uses privacy by design and default to create user trust, as outlined in the ICO’s Digital Identity Position Paper.
  • CMA: The CMA is interested in how the market for digital identities may develop - particularly regarding the role large technology firms may play and how they might leverage existing market power. This involves understanding the opportunities and harms, as well as the impact on consumer rights and consumer choice.

Through this project, we have connected policy experts from across member regulators and provided them with insight into possible futures, drawing on input from a diverse set of external stakeholders. This will help colleagues across the DRCF to better understand the direction of travel of the digital identity industry, in turn allowing for better co-operation between member regulators.

[1] Decentralised identity is a model for identity management where there is no centralised provider and holder of identity information; instead, the individual manages what data is shared with whom, and this is verified by independent third parties.

[2] Vouching is where a trusted organisation or person can attest to the legitimacy of another person’s identity.