On 11th February 2021 the UK Government released its first version of the UK Digital Identity and Attributes Trust Framework.
The framework, created after last year’s Digital Identity Call for Evidence, aims to create a better understanding of digital identity between people using identity products, the organisations relying on the service, and the service providers.
We interviewed our CTO Stuart Fraser about the framework and its implications.
Stuart, what is the UK Digital Identity and Attributes Trust Framework?
This framework is the Government’s first attempt at creating a UK-wide trust framework: a set of rules, agreements and specifications for everyone who works with digital identity in the UK.
In this first version, the government has set out four different types of roles:
- an identity service provider
- an attribute service provider
- an orchestration service provider
- a relying party
which all must adhere to requirements: legal, technical and policy requirements.
This is in line with what Digital Identity Scotland (DIS) has looked at in terms of high-level architectural elements.
It is important to note that the framework does not mandate an architecture: they only laid out the principles. The document did point out that distributed ledger services could be an important part of the solution. Like many in the industry, we have always seen a digital ledger as part of the orchestration element, and so SICCAR could be classified as an orchestration service provider, specialised in data flows between the roles defined in the framework.
What are the benefits of using Distributed Ledger Technology (DLT) for orchestration?
The use of a distributed network – or distributed single source of truth – allows cooperation between departments and stakeholders in a cyber resilient and privacy preserving way.
DLT being distributed means that you have shared access to data across many stakeholders, avoiding a ‘call home’ problem where data has to be checked with its original provider, which can cause performance and resilience issues.
This becomes a bottleneck, as other parts of the architecture rely on the availability and throughput of this source. As the single element is so critical for the functioning of the wider architecture, it is a vulnerable target of cyber-attacks. Moreover, scaling up the digital infrastructure can be expensive for the organisation involved.
Do you think the availability of this framework is going to speed up the deployment of digital identities in the UK?
Yes, I do, but that very much comes down to what you think a digital identity is.
I am of the view that a digital identity is the attributes about you, as proven by the data owner. That doesn’t mean that you necessarily hold the attributes. It means that you hold the key that allows access to the attributes from all the different sources. In orchestration of that process, verifiable credentials and the World Wide Web Consortium (W3C) model very much fit in. I would hope that the framework suggests and guides the adoption of such standards to keep things simple for citizens and consumers.
Using verifiable credentials and putting data in a shared space between you and the organisations, and you being able to assert that the data is yours, to share between organisations, will speed things up.
The approach provides transparency, ease of use and a consent-based model, so individuals know data about them exists and that it’s going to be used by these organisations. As an individual, I just want the transparency to see what is getting used and how it is getting used. It makes my life easier.
What do you think is needed to make this framework successful?
Frameworks should be open, so they can be set up in a way that enables an ecosystem that is bigger than just its initial purpose.
For example, a recent project looked specifically at a closed ecosystem for Scotland, where what you’ve got is trusted information between the health service and social care. But there is the third sector too, and there are a lot of other people who could leverage that information for good.
If you’ve got a closed system, it becomes a barrier to entry: there’ll be little innovation and we wouldn’t be able to easily accommodate new priorities, as we’ve learned during the COVID-19 crisis. Whereas if you have an open framework which sets standards for interoperability, but doesn’t necessarily define specific products or specific methods, then what you’ll get is people innovating.
People will have a problem and try to find a better way of doing it, trying to solve the problem and move the whole ecosystem forward. They will start to find ways of making life easier and more inclusive. Innovation begets innovation.
When you design this type of framework, you must make sure that consent, protection and integrity are at the core of its design and architecture.