In the future, digital identity will not and should not be a one-size-fits-all. By having multiple identity solutions that can be integrated and used together and in parallel, we get a more robust and effective system that protects individual integrity.
Unraveling the Debate: The Dominance of BankID in Sweden's Digital Identity Landscape
Sweden has through BankID one of the digital identity solutions with the highest penetration and usage rate in the world. It’s a private company formed through a cooperation between the largest Swedish banks, and it is based on the Swedish state open persistent identifier Personnummer that ties every Swedish citizen to a unique number based on birthdate and an additional number string. It is therefore in reality a hybrid since the Personnummer is managed by the Swedish Tax Authority and without it, BankID wouldn’t work.
Recently, a debate about whether the domination of BankID in Sweden is altogether a good thing has gained momentum. Last week, Anna Kinberg Batra, a Swedish former politician currently in charge of exploring future payment regulation, wrote an opinion piece in the Swedish daily DN arguing for a new, state-run electronic identification system. Other debate entries followed, one of them arguing that the State should mandate alternatives to BankID for more services and another for an open-source model for digital identity.
BankID suffers from the twin problems of financial exclusion and compromised integrity.
- Financial exclusion: In the current system, you are required to have a bank account in a Swedish bank to get access to BankID (which in essence is a federation of each bank’s KYC process when onboarding new customers). This means that ~500 000 people in Sweden today do not have, and often cannot, get BankID.
- Compromised integrity: The Personnummer that the system is based on is in fact a very sensitive data point from an integrity point of view, since this identifier can be used to monitor and track an individual across almost any database or register in Sweden. Swedes are very peculiar in that they typically don’t care about this infringement of integrity (which for example would be both culturally impossible and unconstitutional to implement in neighboring Germany).
Navigating the Complexities of Sweden's Digital Identity Dilemma
So what is the right solution here? Clearly Sweden reaps enormous benefits in process automation and digitalization in both the public and private sectors thanks to the penetration and network effects of BankID (last year each user made on average >2 transactions per day and almost all adults have BankID installed). And yet the drawbacks in terms of financial exclusion and integrity infringement are clear, as are the problems with e.g. cross-border identification (which is the main driver of EU initiatives in the area).
One could argue that this should be a state-run utility, but given the integrity challenges of an open persistent identifier it requires that the state never abuses its powers if it could monitor any digital transaction that an individual makes where identity is important. Swedes generally trust their government, but IF the state becomes authoritarian, the scope for oppression and control would be virtually limitless (and from the example of China we can see what such a system could potentially lead to).
At Truid, we expect the future to become both more complex technically and simpler for users. We see a new generation of identity solutions being introduced where individuals take back control of their digital identity through encrypted identity vaults and wallets and seamless methods for processing, proving, storing and sharing identity data. (Currently, most of the discussion around user integrity and individual control of digital identity takes place within the blockchain-inspired realm of Web 3.0, but we don’t think that the web needs to move to blockchain for this development to happen).
Embracing Diversity: A Vision for a Multifaceted Digital Identity Landscape
In a world where digital identity is richer and built through combining different evidences, we think it is likely that the typical user can use a whole range of different ways to build their digital identity. Examples include:
- ePassports and eID cards that are uploaded to the wallet and where ownership is proved through a combination of biometrics and unique codes.
- More extensive federation of trusted KYC processes where a user gives consent to share already verified data from a third party, e.g. a financial institution or an employer.
- Integration to registries where individual consent is used to collect data that can then be corroborated with other sources. This can be used to prove e.g. signing rights for companies.
- Document storage and AI-guided reading that can be used to prove e.g. address, certifications, permits where public registries are not available (of course at a somewhat lower assurance level).
There are several advantages to a world with multiple, overlapping digital identity solutions:
- Greater user coverage, since individuals have more methods to choose from.
- Good fit per use case, since a user can onboard a whole set of different identity methods, documents and products and then use whichever is most suitable for the transaction in question
- Personal integrity, since the risk of mass monitoring is reduced when users are not dependent on one system.
- Increased competition between providers, which stimulates technological development and improved functionality, lower cost and better user experiences.
- System robustness, since many overlapping methods will offer redundancy in case of internal and external threats.
We think that it is in everyone's interest to continue to innovate in this area, and that the state should not push for a unified approach. Picking tech winners is always very difficult, especially if the state is going to run the tech itself. And a mandated state system is taking us too close to a tool for massive, authoritarian control. This is not to say that the state should not take an active role, or even offer its own niche product for some use cases. But where the state will deliver most value is likely to be in oversight, enforced integrity regulation and technology-neutral standards.
We should expect that we cannot fully predict what the digital identity solutions of the future will look like. And this is all for the good.