The Mobey Long Take – Post Covid-19 Digital Identity

A Report from Mobey Forum’s Digital ID Expert Group

Co-chaired by:
Jukka Yliuntinen, Giesecke+Devrient and
Jenny Ahlqvist, SpareBank1

Core Team:
Arjen Hollander, Thales Group
Emmanuel Payraud, Thales Group
Mikko Hiekkataipale, Nordea
Dan Johnson, Mastercard

June 2020

Introduction

As the world starts to emerge from regional lockdowns, it has become increasingly clear that returning to ‘normal’ is not a realistic option in a post-Covid-19 world. The sudden increase in people staying at home has triggered an unprecedented acceleration of digitisation across many different sectors and countries, leading to new expectations and routines. As we navigate a ‘new normal’, the role of digital identity must be at the forefront of the discussion; it is critical to the future of the digital economy and is leading to dramatic transformation across sectors such as education and healthcare.

Mobey Forum’s Digital Identity Expert Group has identified that banks are in a unique position to seize the opportunity presented by digital identity, and best placed to lead the discussions and implementation going forward. Throughout the Covid-19 pandemic, banks have played an important role as a distribution mechanism for many of the government intervention and support strategies. There is now an opportunity for banks to take this a step further and lead the development of a fairer, more trusted approach to digital identity.

The Covid-19 pandemic has forced society to digitalise many of its core functions at an unexpectedly fast pace, and has highlighted the urgency for a robust approach to digital identity which can support citizens. Many education and healthcare services quickly rolled out digital solutions to remain accessible in the absence of physical interaction. In these sectors, digital identity and related services, such as user authentication, played a key role.

In this report, Mobey Forum explores the impact of the Covid-19 pandemic on digital identity services to outline why banks are in an optimal position to respond to market demand. The report also analyses the emergence of Covid-19 contact tracing apps and their potential influence on the digital identity landscape.

The need for digital identity with high assurance

The Covid-19 pandemic has highlighted the importance of enabling citizens to prove their identity via digital methods, and to be able to do so with a high level of assurance on its security and reliability.

The pandemic has also revealed an increasing requirement for citizens to be able to prove their identity in relation to their employment. In recent months, a prominent example has emerged in the UK, where healthcare workers were granted priority access to supermarkets during the pandemic. Traditionally, healthcare workers have been able to prove their identity in-person by displaying their hospital badge. However, in recent months, this led to an increase in targeted muggings and made the badges dangerous to carry. A robust form of digital identity could help prevent this type of issue in future by allowing healthcare workers to access such services online.

In Finland, which has a more mature digital identity scheme, the pandemic has also unearthed a number of shortcomings. Important legal services such as power of attorney are not accessible through all digital service providers and often require a physical signature. The same usually applies to the signing of documents.

Across all geographies, citizens without any access to digital services, perhaps due to a lack of accessible technology, face a significant disadvantage. Even if the technology becomes accessible, many digital services rely on some form of digital identity to become useful. This reality has deepened the social divide and is creating another major challenge for modern society.

The ‘Corona Bump’: Increased demand for pre-existing services

The Covid-19 pandemic has impacted the overall demand for digital identity services, increasing the usage of existing platforms and accelerating the creation of new services.

An initial review of the usage figures across a small sample of existing digital identity schemes reveals that demand for pre-existing services increased during the pandemic. This trend was evident in countries including Norway, Denmark, the UK and Belgium, among others.

For example, looking at itsme in Belgium, the far-reaching the effect of Covid-19 on the way we live and work is evident: in March, April and May itsme outstripped the already high expected upward trend in usage by more than 30% and the volume of itsme Sign usage, the qualified electronic signature for signing documents, doubled during the lockdown period.

Similarly, Norway’s BankID scheme experienced a 45% increase in usage during the pandemic. Estonia also saw an increase in demand for its widely deployed digital identity scheme which includes digital identity cards, mobile ID and Smart ID. The overall number of authentications using digital identity in Estonia increased by 27% from February to April and usage of digital signatures increased threefold in the same period.

In the UK, new enrolments to its Verify scheme increased from 30,000–40,000 per week, to approximately 120,000-160,000 per week between mid-March and early April. The Verify scheme had previously struggled to take off, and much of its recent success can be attributed to the fact that online registration for unemployment benefits requires digital identification, and Verify is the only digital option available in the UK.

The pandemic has also increased the breadth of available digital identity services. Norway, for example, has seen an increase in the types of services that utilise remote identification through its BankID scheme. BankID now offers new services to enable access to volunteering, online medical appointments and the home delivery of prescription drugs.

Similarly, in markets where digital identity schemes are still nascent, the potential of digital identity services has caught the interest of new services providers. Verified.Me – the Canadian digital identity network – has reported a significant increase in organisations joining the remote identity verification service including government, health services, insurance, banking and legal services, among other industries.

In some regions, regulation is being relaxed to enable citizens to prove their identity through digital channels. In France, there has been an interesting development involving the supervisory body in digital certificate issuing, which has now approved video conference as a substitute for in-person identification.

Covid-19 contact tracing apps – a push for digital identity

Many governments worldwide have launched, or are planning to launch, a dedicated app to track and trace cases of Covid-19 in their respective countries.

These apps – if designed correctly – could operate as a ‘springboard’ for the creation of digital identity systems. Preventing the spread of infection through a contact tracing app could be the definitive use case to encourage large volumes of people to sign up. At a later date, these apps could be extended to offer additional use cases and digital identity services.

As restrictions related to Covid-19 begin to ease, and the economy starts to recover, it may become necessary for individuals to prove their immunity to Covid-19 (if immunity of an individual to Covid-19 can be reliably proven). This could become a prerequisite for boarding a flight, for example, and could present a natural opportunity to extend the use case of contact tracing apps to include additional services.

The decisions made when designing a contact tracing app are critical to its long-term opportunity as a broader digital identity service. Many countries are creating an app very quickly to respond to the pandemic, and may not consider how the app can evolve to provide additional services beyond track and trace.

CountryCentralised vs decentralisedTechnologyData collected
India – Aarogya SetuDecentralisedBluetooth & GPS Demographics, travel and health related information
AustraliaChanging from centralised to decentralisedBluetooth Full name, post code, mobile number and then tick box for privacy policy
UKDecentralisedBluetooth Postcode, unique ID tagged to phone, personal information (e.g. name only applicable if infected)
Norway - SmittestoppCentralisedBluetooth & GPS Phone number and unique tag to phone (one time passcode), GPS/Bluetooth – acceptance of privacy policy
EstoniaDecentralisedBluetoothPrinciple of data minimisation
FinlandDecentralized BluetoothNo registration, locally collecting data on other apps only

Mobey Forum’s Expert Group has identified three critical design considerations to ensure contact tracing apps can extend to additional use cases in future. Key considerations include whether the data should be centralised or decentralised, how users can maintain control over their personal data, and the flexibility of the app to extend into new services.

1. Centralised vs decentralised data storage

 A major consideration in the development of contact tracing apps is the storage of personal data, specifically whether this is managed through a centralised or decentralised model. Approaches to this vary across geographies and are heavily influenced by cultural preferences. For example, many countries in Asia are typically more comfortable with data being stored centrally and several contact tracing apps, such as the app developed in China, have decided to pursue this route.

Some European countries, such as those in the Nordics, are also receptive to storing data centrally, reflecting a high level of trust in their local government. Finland, for example, has a long history of centralised data collection, including a successful population registry which has enabled many local services and created benefits for both the public and private sectors alike. It is well established and trusted by the local population. At the same time Finland has chosen to use a decentralised model without a need for users to register in the contact tracing app, as this method also allows for effecting contact tracing.

By comparison, the UK market is more apprehensive towards government control over identity data, with a level of cultural resistance towards the idea of centralised data collection.

Some countries, such as Australia and Singapore, had initially started to explore a centralised model for a contact tracing app, but later decided to revert to a decentralised approach.

Typically, there is a higher security risk when storing data centrally. There is also a risk of the data being used for other purposes, without permission, once the Covid-19 pandemic has passed, unless well-established control mechanisms are established. If the data falls into the wrong hands, it could be mis-used.

Some of the leading technology players, such as Apple and Google, are actively supporting contact tracing apps. Both companies have many years of experience in related fields of digital identity and both have introduced APIs that enable interoperability between Android and iOS devices for contact tracing apps. These are only available as a decentralised model.

2. Data collection and user control

The decision around the type of data collected by contract tracing apps is also of upmost importance. Data collection should be determined by the use case of the app, but more importantly, the user of the app must give their permission and have the right to control and decide how their personal data is used. For example, if the purpose of the app is to simply register whether an individual receives a positive or negative test result for Covid-19, there is no need to collect any additional personal information, and the user should have clear sight of the specific data being collected. By comparison, when opening a bank account, a lot of additional personal data will be required.

It is also imperative that individuals are able to choose the type of personal information they want to share. For example, a user could choose to share their location, so that they can be notified if they have been in contact with someone who has Covid-19. Without the element of choice, receiving a notification on this matter could feel intrusive.

If the data is stored in a decentralised model, the user maintains control over how their data is shared with different parties.

3. Flexibility to extend

For contact tracing apps to have longevity beyond the Covid-19 pandemic, the design choices must be robust. In France, for example, the StopCovid app does not collect enough information to enable it to become a broader digital identity service in future. The app only collects data on the user’s infection status and informs other users if there is a risk of infection. By collecting such a limited amount of data, it is a missed opportunity for extending the service into a national digital identity system in future.

Banks as the solution to the problem

Banks have a long history of credibility and trust, placing them in a unique and advantageous position to become the leading providers of digital identity services, particularly during times of global crisis.

As a first step, banks should examine their own operations and aim to digitise all processes which still require either the physical presence of a customer, or the exchange of physical documents. This is particularly important given the ability to access banking services remotely has become a vital enabler for society, and even more important during the pandemic. The pandemic has also served as a valuable reminder that the banking industry needs to transform many of its painful on-boarding processes and reduce the need for in-person interaction in branches. Once banks can offer robust remote access to digital services, they will be well placed to unlock new opportunities through digital identity, and extend this access into other services beyond banking.

Digital identity services provided by a bank would need to operate through a centralised model, which minimises concerns around the collection, tracking and sharing of data, because banks are already a trusted source of identity verification. Many of the broader concerns around the design of a digital identity platform become moot if banks step in and fill the void.

Banks can also make the onboarding process for digital identity services simpler, as customers already have log-ins for their online banking services. This topic was explored in more detail in Mobey Forum’s recent report on digital identity and revealed that banking services often operate as the ‘springboard’ that helps onboard new customers into other digital identity services.

The Covid-19 pandemic presents a unique opportunity to encourage people to sign up to a digital identity scheme to access essential services. With banks leading the way, there are limitless possibilities; it could lead to a framework for storing sensitive healthcare data more easily, or lead to banks partnering with other sectors for a more consistent digital identity experience.

While the need for digital identity was evident long before the Covid-19 pandemic, it has highlighted the many gaps in current digital services within society. As we are likely to emerge from the pandemic as a more digitally literate population, banks have a unique opportunity to facilitate best practice and lead the path forward.

If you would like to learn more about the Mobey Forum Digital Expert Group, or talk to us about membership to Mobey Forum please contact us.