This blog was updated on September 28, 2023 to include an updated link that includes the session recordings.
The OECD hosted a launch event on September 26, 2023 on the Recommendation on the Governance of Digital Identity (note the session recordings at the bottom of the page), as adopted by the OECD Council in June 2023. The Recommendations guide its Adherents to develop and govern digital identity systems as digital public infrastructure. The launch event drew upon government officials in Japan, Brazil, Canada, India, and Italy, as well as experts from the OECD, UNDP, the EU Digital Identity Wallet Consortium (EWC) and the OpenID Foundation (OIDF) to comment on the Recommendations and the path ahead.
In OIDF Chairman Nat Sakimura’s comments, he applauded the comprehensive approach of the OECD Recommendations and the compass the Recommendations offer to digital identity standards bodies. Nat also announced the “Human-Centric Digital Identity: for Government Officials” whitepaper (cobranded by twelve non-profits) as a paper grounded in the OECD Recommendations and human rights that:
- Explains the current global landscape and the values underpinning emerging models
- Provides insights on how to enable inclusion, equity, privacy and security
- Encourages a shift in the focus of design from organisations to humans
- Offers a starting point on how the OECD recommendations may be delivered technically and operationally, while respecting domestic sovereignty
Furthermore, Nat called upon the OECD to be transparent in the scope of its role, and he called upon the global community to collaborate:
“We call upon the global community to participate collectively in a global dialogue to deliver on the OECD Digital Identity Recommendations, and close policy and standards gaps through coordinated plans and shared goals. Together we hope to see Digital Identity reach its full potential to be of service to 8 billion people, and not the privileged few.”
The OECD provided a link to the whitepaper for reference. Nat Sakimura’s interventions from the panel discussion can be found in full below.
As context, the OECD Recommendation supports its Adherents’ efforts to ensure reliable and trusted access to digital identity for natural and legal persons that is portable across locations, technologies and sectors:
“Being able to prove who you are underpins access to a variety of essential services across the public and private sectors. As these services move online, digital channels have emerged to handle identity verification processes, proofs, and authentication of verified identity claims. As people increasingly access essential services online and even across borders, improving the governance and implementation of digital identity systems in line with user needs becomes ever more important.”
The Recommendations also advise officials to future-proof policies, promote cross-sector coordination, pursue international collaboration, and facilitate a healthy market for identity solutions among these key pillars:
- Develop user-centered and inclusive digital identity systems
  - Design and implement digital identity systems that respond to the needs of users and service providers
  - Prioritise inclusion and minimise barriers to access to and the use of digital identity
- Strengthen the governance of digital identity
  - Take a strategic approach to digital identity and define roles and responsibilities across the digital identity ecosystem
  - Protect privacy and prioritise security to ensure trust in digital identity systems
  - Align their legal and regulatory frameworks and provide resources to enable interoperability
- Enable cross-border use of digital identity
  - Identify the evolving needs of users and service providers in different cross-border scenarios
  - Co-operate internationally to establish the basis for trust in other countries’ digital identity systems and issued digital identities
The OpenID Foundation thanks the OECD Council for inviting Nat to participate in this important discussion, as well as moderator Allen Sutherland and fellow panelists Michael Goit (Director of Policy, Treasury Board of Canada Secretariat) and David Magård (Coordinator of the EU Digital Identity Wallet Consortium and Senior Advisor at the Swedish Companies Registration Office).
OpenID Foundation Chairman Nat Sakimura’s Intervention During OECD Panel
Introduction:
Thank you, chair. Let me first congratulate OECD for the launch of this excellent recommendation and praise the secretariat for putting much effort into it. I am Nat Sakimura, the chairman of the OpenID Foundation.
OpenID Foundation is a standardisation organisation in the field of digital identity. We are not a consumer brand, so you may not be aware of it, but the likelihood is that you are using standards we have developed without knowing. Industry giants like Apple, Microsoft, and Google use them in consumer and enterprise identification, enabling billions of people to assert their identity and gain access to services online. Similarly, many governments offer identity and open data systems using our protocols. In fact, the FAPI family of security profiles are the most commonly selected by governments and private sector leaders of Open Banking and Open Data.
Our members are spread across the world and build standards by consensus. They are open standards that you can access freely and use without any licensing fee. We strive to make them globally relevant and interoperable. They may be selected and deployed for a single implementation, a national ecosystem, or enable national systems to interoperate globally.
Currently, we are developing a new generation of identity protocols for wallet-mediated identity transactions, among other things. This OpenID for Verifiable Credentials family of specifications has been adopted as the remote presentation method of verifiable credentials in the EU Digital Identity Architecture Reference Framework, TrustedWeb demonstration experiments that the Japanese government is backing, and the NIST NCCoE project on Accelerate Adoption of Digital Identities on Mobile Devices Project. That said, the OpenID Foundation recognises that no one standards body, country, company or non-profit will be able to lead the world to a globally interoperable digital identity on their own. We recognise it is vital to bring the public and private sectors closer together with a shared vision and approach.
To that end, the OpenID Foundation has developed a series of whitepapers, many of which are co-branded and developed with partner organisations. Today I am proud to announce the “Human-Centric Digital Identity: for Government Officials” published in partnership by 12 non-profit partners. The paper takes the OECD Digital Identity Recommendation and expands it by:
- explaining the current global landscape and the values underpinning emerging models
- providing insights on how to enable inclusion, equity, privacy and security
- encouraging a shift in the focus of design from organisations to humans
- offering a starting point on how the OECD recommendations may be delivered technically and operationally while respecting domestic sovereignty
We hope this paper will serve as a key input to the Digital Identity Interoperability Summit on November 28th amongst non-profit and government thought leaders. The whitepaper is available now at OpenID.net.
We are fully aligned with the OECD Digital Identity Recommendations and its vision. We call upon the global community to participate collectively in a global dialogue to deliver on the OECD Digital Identity Recommendations, and close policy and standards gaps through coordinated plans and shared goals. Together we hope to see Digital Identity reach its full potential to be of service to 8 billion people, and not the privileged few.
Nat shares his views on how the OECD Recommendation can help bridge issues with interoperability across borders:
I will start at a 10K meter altitude view, then come to more specifics.
When creating a globally interoperable standard, the first hurdle is to come to a consensus on the comprehensive requirements. What I like about the OECD Recommendation is that it is really comprehensive and it achieved consensus among OECD members. Appendix B of the Human-centric Digital Identity whitepaper maps recommendations from several digital identity reports and highlights how the OECD Recommendations contain all the current global best practices. Such a comprehensive framework achieving consensus among OECD nations will be our guiding light when creating standards for cross-border identity transactions.
Specifics:
- Every subclause of clauses VI, VII, VIII is spot on, but I would like to first highlight subclause VI-2 to demonstrate how it helps.
VI. RECOMMENDS that Adherents align their legal and regulatory frameworks and provide resources to enable interoperability.
2. Ensure that digital identity solutions are technology and vendor neutral as long as they comply with all relevant security requirements, and promote the use of internationally recognised technical standards and certification;
- To achieve this goal, it is vital for public and private entities to adopt robust, global standards that have been formally and mathematically analysed to be secure and that offer test suites and certification.
- Our experience tells us that formal analysis finds holes in protocols. So, it is better to proactively identify and fix security gaps before standards move to final, and the installed base is too entrenched to migrate to more secure protocols. The importance of security analysis led the Australian government to co-fund some of our FAPI security profiles to support their Consumer Data Rights objectives.
- Furthermore, test suites and certification are essential. Implementors often claim that they are compliant with standards when they are not. A test suite can demonstrate conformance to standards very quickly, and self-certification can do so at a low cost. Without a test suite and certification scheme, it is extremely difficult to achieve interoperability at scale, and our shared goal of globally interoperable digital identity.
- To push member countries towards these directions, the recommendation helps a lot.
- There is a related subclause II-1. It says: Take into account the domestic context, including digital maturity and existing digital identity developments when considering the design, implementation or iteration of a digital identity system;
- It is important to note that all jurisdictions will not choose the same standards and architectures and will continue to do so. However, like a passport, people will expect their digital identity credentials to work when they cross borders in person or conduct online transactions. This means there will probably be a need for the global community to come together to do a few concrete things:
- Agree on global, shared goals in the model of an OECD Recommendation and a shared target in the model of a UN Sustainable Development goal
- Consider the minimum viable requirements to enable global interoperability and governance across diverse domestic implementations.
- Consider how to enable capacity building and close geographic gaps to ensure no country is left behind.
- The rest of clause II guides us in this respect.
Nat’s responses to the questions, “What do you consider being the biggest challenges and opportunities ahead for realising the full potential of digital identity worldwide? What is the role of the OECD?”:
Opportunities: In the Human-centric digital identity whitepaper, we have categorised the opportunities and benefits into three buckets.
- Access to economic opportunities: McKinsey estimates that 3 to 13% of GDP can be unlocked by it, removing friction from everyday lives and allowing those on the fringes of society to participate in the formal economy more easily.
- Access to government resources: for those who were challenged to access government resources physically, digital identity can facilitate equity and inclusion.
- National security: The EU Cybersecurity Act and US National Cybersecurity Strategy cite DI as a key enabler, and more recently at FedID, US Treasury/FinCEN attributed $212B in 2021 financial crime to flaws in identity infrastructure.
Challenges:
- Coming to an agreement at the policy level
  - Technology is the easy part. Ensuring that, as appropriate, domestic policies, laws, rules and guidelines for the digital identity system cover issues such as governance, liability, privacy, resilience, inclusion and security, to encourage and facilitate interoperability and portability in terms of location, is hard.
- Tweaking of standards seems to be very attractive.
  - I have seen many jurisdictions trying to do so. Even though the tweak seems small, at the technical level, it breaks the interoperability. If you want to tweak, then do not do it on your own, but come to the standardisation organisations and find the common solution.
Role of OECD:
- Foster multi-stakeholder dialogue
  - As the OECD Recommendation testifies, OECD is very good at creating consensus. Building further consensus as divergent details emerge is expected.
- Monitor the progress.
  - A framework is only as good as it is implemented.
- Develop the processes, guidance and tools to support the implementation of this Recommendation
  - It may be unrealistic for OECD to do everything. In this case, I am pretty sure that many entities are there to help. So, to be transparent and pragmatic on what the OECD can take a leadership role on and what it will not in the next 3-5 years and sharing the work with other organisations may be a good idea. This will help inform and align OECD’s work with those of the UN, regions, and emerging public/private coalitions as well.