Curated from Deeplinks — Here’s what matters right now:
In the past few years, governments across the world have rolled out different digital identification options, and now there are efforts encouraging online companies to implement identity and age verification requirements with digital ID in mind. This blog is the second in a short series that explains digital ID and the pending use case of age verification. Upcoming posts will evaluate what real protections we can implement with current digital ID frameworks and discuss how better privacy and controls can keep people safer online. Digital identity encompasses various aspects of an individual's identity that are presented and verified through either the internet or in person. This could mean a digital credential issued by a certification body or a mobile driver’s license provisioned to someone’s mobile wallet. They can be presented in plain text on a device, as a scannable QR code, or through tapping your device to something called a Near Field Communication (NFC) reader. There are other ways to present credential information that is a little more privacy preserving, but in practice those three methods are how we are seeing digital ID being used today. Advocates of digital ID often use a framework they call the "Triangle of Trust." This is usually presented as a triangle of exchange between the holder of an ID—those who use a phone or wallet application to access a service; the issuer of an ID—this is normally a government entity, like the state Departments of Motor Vehicles in the U.S, or a banking system; and the verifier of an ID—the entity that wants to confirm your identity, such as law enforcement, a university, a government benefits office, a porn site, or an online retailer. This triangle implies that the issuer and verifier—for example, the government who provides the ID and the website checking your age—never need to talk to one another. This theoretically avoids the tracking and surveillance threats that arise by preventing your ID, by design, from phoning home every time you verify your ID with another party. But it also makes a lot of questionable assumptions, such as: 1) the verifier will only ever ask for a limited amount of information. 2) the verifier won’t store information it collects. 3) the verifier is always trustworthy. The third assumption is especially problematic. How do you trust that the verifier will protect your most personal information and not use, store, or sell it beyond what you have consented to? Any of the following could be verifiers: Law enforcement when doing a traffic stop and verifying your ID as valid. A government benefits office that requires ID verification to sign up for social security benefits. A porn site in a state or country which requires age verification or identity verification before allowing access. An online retailer selling products like alcohol or tobacco. Looking at the triangle again, this isn’t quite an equal exchange. Your personal ID like a driver’s license or government ID is both on
Next step: Keep your day-to-day compliant and secure—find privacy-forward devices that help you stay protected.
Original reporting: Deeplinks