Digital Identity at the G20

Published June 18, 2024

On June 18, 2024 the OpenID Foundation's Executive Director, Gail Hodges, spoke about Digital Identity at the G20 during the Digital Government and Inclusion Workshop. The following are her prepared remarks.

 

Bom dia and hello. I’d first like to applaud the Brazilian Government for your impressive work on Digital Identity here, in Brazil, and your G20 leadership. Brazil is modeling the kind of multi-stakeholder approach we need to enable Digital Public Infrastructure, data sharing and Digital Identity. The G20 is ideal forum to accelerate work in this area globally.

Today I’d like to suggest a vision for Digital Identity. We have a UN Sustainable Development Goal 16.9 for Identity, with the principle that 8 billion people should have access to an identity credential. What should our goal be for Digital Identity? Should 8 billion people also have the right to a digital identity credential? How can we achieve social inclusion if all 8 billion do not have the option to fully participate in the digital economy? 

If we have a Digital Identity for everyone, what should it feel like? I suggest that it should be as easy for people to assert their Digital Identity credential as it is to assert their email or phone number.

It is possible to achieve these goals - the technology is not the barrier. But it will take G20 leadership, national leadership, multi-stakeholder collaboration (like our conversation today), and crucially… it will take global open standards.

The OpenID Foundation is one of the open standards bodies at the center of Digital Identity specification development. We seek to offer secure and interoperable standards that respect domestic sovereignty. Our most popular standard is OpenID Connect, which is currently used by over 3 billion people across millions of applications. The OpenID Foundation also supports 28+ countries that have selected our OpenID for Verifiable Credential specifications, and another 12 countries have selected the OpenID Foundation’s high security profile for data sharing called FAPI. In fact, Brazil is one jurisdiction where FAPI was selected, and the OIDF is proud to supports Brazil’s Open Finance and Open Insurance programs by offering certification to all ecosystem participants.

Last year the OpenID Foundation and 12 other non-profits announced a white paper titled “Human-Centric Digital Identity” in conjunction with the OECD’s Recommendations on the Governance of Digital Identity. In that paper we recognized that countries have a mix of operating models that align to their technical implementations. Some countries lean to centralized modeled others to “decentralized” models. Some countries are government-led and others are private sector-led.  From our vantage point all of these are legitimate models. There is no single way to develop and deliver a Digital Identity program. However, if you want to achieve social inclusion and a human-centric approach, you need to stare hard at your domestic model to ensure no one is left behind.

So what about your country? For those of you in countries at the start of your Digital Identity journey, I suggest you answer one critical question early on in your program development. Will you use global standards or will you develop your own local specifications? It is your choice. But I encourage you to take that decision at the most senior levels. Global standards offer you confidence in the security model, technical interoperability, the ability to scale, interoperability across borders, and it is resistant to vendor and consulting provider lock-in. Local standards could place limitations on the ability of your people and your businesses to thrive outside of the local context, and it could open you up to security threats if you become the “weakest link” relative to your peers. Even if you choose to leverage open source code, I encourage you to ensure that the open source code and your local implementations are certified as conformant to global open standards.

I assure you, the trend is already toward global standards. It was the rallying cry in Cape Town last month during ID4Africa. In recent weeks I was delighted to hear friends focused on the global south countries from the World Bank, UNDP, GovStack, MOSIP, Center of Digital Public Infrastructure all encouraging use of global standards and moving towards certification to global standards. Similarly, the European Digital Wallet program has been shaking up stakeholders in the global north with its Architectural Reference Framework, which leverages global standards that all EU member states will need to conform to so that European countries can interoperate.  

Unfortunately, Digital Identity standards are complicated: there is not a single place or a single playbook to follow at this time. I encourage you to embrace the complexity. The strategy you develop could well include global standards from ISO, the IETF, the W3C, the OpenID Foundation, as well as best practices from other organizations like NIST to help avoid bias in your biometric algorithms - and you might want to consider using open source code to help you accelerate down the adoption curve. Either way, you are likely going to have to embrace some complexity in-house in order for your residents and businesses to benefit from simple user experiences.

Some of you represent countries with mature Digital Identity programs. We applaud you for being early adopters. I have a different question for you. How will you serve your residents and businesses that need to transact across borders? Is it worth investing in capabilities that will allow cross-border interoperability? You might want to ask yourselves, what percentage of your GDP is driven by cross-border trade, how important your global diaspora is, and / or how often your citizens travel abroad. Or you might look at Digital Identity in terms of how it can enhance your national security posture.   With $1.4T lost annually to cybercrime globally, we all have room to improve to better protect our residents, our businesses, and our security posture. I also encourage countries with mature Digital Identity programs to take a leadership role in the work to develop global open standards, and to work on achieving cross-border interoperability of digital identity in practice.   As David said in the earlier panel, the transformation and Digital Identity leadership in the global south is impressive ... but global south representatives and the entities that fund their transformation are much less active in global standards bodies working on Digital Identity.

Earlier, I offered a vision of what good can look like: 8 billion people with Digital Identity, using their credentials seamlessly. But what does it look like when it goes wrong and we do not have global standards? One example is the train tracks where train gauges do not line up and people and goods have to move from one train to another.

In a new project called the Sustainable and Interoperable Digital Identity HUB or SIDI Hub, we are challenging ourselves to tackle the question of cross-border interoperability of Digital Identity. SIDI Hub is a multi-stakeholder community comprised of more than 25 countries from the global north and global south, 25 non-profits, and many of the major multinational organizations. In the last 7 months since we formed SIDI Hub, we held 3 summits on two continents, and we will have three more summit on three additional continents this year. We encourage the G20 to leverage multi-stakeholder forums like the SIDI Hub to ensure that the principles you develop can be implemented in practice, all the way down to the protocol layer, in a way that millions of developers will be able implement against those policies by default. Only then can your residents benefit from digital identity as a “public good”.

I will leave you with one last tip. If you want to achieve domestic or global interoperability, you need to test and certify implementations to a common specification, and then maintain conformance to that specification. When you multiply this by millions of entities — and millions of developers— testing, certification and conformance become pivotal.

Many thanks.

The following comments were made in response to other speakers and the Q&A:

First I’d like to agree with Adam: that the critical path for any jurisdiction is domestic use cases. My ask is to ensure that each G20 jurisdiction reserve some thought for cross-border interoperability. We have heard from Adam about the progress with the EU in cross-border interoperability, and we know in the African Union they also want to enable cross-border trade and interoperability of Digital Identity deployments across Africa. From Husdon’s comments we know that Latin American interoperability is also growing in interest, and if we had an Asian representative on the panel we would probably hear the same from them.

I’d like to elaborate on one of the key ways we need to enable cross border Digital Identity. It starts with identifying use cases. To date with SIDI Hub we have identified 30 potential “champion” cross-border use cases. Let me offer four examples that are bubbling towards the top.

  • In Africa, the most popular use case was “cross-border trade” - helping people living lives along a geographic border, a use case that ranked lower in Europe for obvious reasons.
  • A second use case was “helping people assert their educational and employment certifications across borders” a use case that can serve all migrants whether they are high income or low income.
  • A third example is the “refugee” use case.  UNHCR currently cares for 120 million refugees and they need to deliver on their mission to serve these individuals from the countries they originate from, through the UN system including host countries, all the way to any future destination country or back to their home jurisdiction.
  • The fourth example is “opening a bank account” which can be for students, employee relocations or any other migration use case.

We will not select “champion use cases” until later this year, but we already know that we need these use cases to be able to flesh out the minimum technical requirements to enable cross border interoperability and to map the trust frameworks across borders.

About the OpenID Foundation

The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate.
 
Find out more at openid.net.
Tagged