In this blog, Josh writes about how the DIA are developing a trust framework to create a common set of rules for sharing identity information that everyone can have confidence in, regardless of the system or technology they use.
Let’s say you decide to sign up for bank accounts at two different banks online. The process to show who you are to each bank is almost identical. Usually it requires using a driver's licence or passport.
So why is it that the banks can’t just use the same information instead of you having to hand it over twice? If one bank has already confirmed your identity, shouldn’t the other bank be able to use that confirmation?
A fragmented system
One reason for this is that there is currently no widely agreed way of reusing your established identity with different organisations online.
There are many causes for this but one of the most prevalent is that most systems and processes that are used to establish your identity are tailored to be used by a single organisation, or at best, a small collection of organisations.
This means that when one system confirms who you say you are, say at bank A, that confirmation is not able to be used at bank B because their systems are unable to ‘talk’ to each other.
It’s a bit like getting into a bar. There might be a bouncer at the door who checks your ID to confirm that you’re over 18 and gives you a stamp, which means that the staff inside the bar don’t have to keep rechecking your ID.
However, when you go to a different bar, another bouncer rechecks your ID and gives you another stamp. This simple example can be expanded to enrolling with different services online. You need to keep repeating the same process to confirm who you say you are.
The importance of trust
Being able to trust the accuracy and ownership of information is at the heart of this problem. The bouncers in our example have no trust system for accepting another bar’s stamp so prefer to check IDs themselves because it gives them assurance that the information is owned by you and accurate. The same analogy can be applied in the online world.
Banks and most organisations rely on their own systems and processes to ensure confidence in the identity. That requires different levels of effort depending on what you’re doing. For example, you need a higher level of effort to get a passport than you do to buy a movie ticket online.
What we’re left with is a system that requires you to provide your personal information to the websites and services that you want to use, not because it’s convenient or more secure for you, but because everyone is doing things their own way — not in a joined-up way. That makes it difficult for us to reuse the credentials we have and to share our information when we want.
Why have a trust framework?
At its simplest level, a trust framework is a set of rules and procedures. The purpose of developing a NZ trust framework is to work with organisations, government departments, and other interested groups to develop a common set of rules for sharing personal information that everyone can have confidence in regardless of the system or technology they use.
The idea behind this is to create an environment that lets you choose the service you want to use, what information you share, and who its shared with.
When we talk about sharing information, that doesn’t necessarily mean giving out your actual information. Instead some of the solutions could be sharing the confirmation that your information has been verified by a trusted party. This could allow you to ‘reuse’ a process you went through previously to prove something without sharing specific information about you.
What’s happening?
We're at the very early stages of developing what a trust framework might look like based on the feedback we’ve received.
It’s important that any rules put in place are widely accepted. There’s no point in creating a set of rules that people and organisations are unwilling or unable to follow. People need to be onboard to participate, and for trust to be the end result.
That’s why we’re making sure that there will be plenty of opportunities for input into what the NZ digital identity trust framework might look like.
If you’re interested in being a part of the trust framework reviews, or have a question, get in touch with us at digital.identity@dia.govt.nz
