The Possibilities of ID Management in a Digital Society
Feb. 18, 2020
Digitalized personal identity information (aggregated information containing various attributes about a person such as their name, address, etc.), commonly referred to as one’s “digital identity”, has made it possible for service providers to identify individual users based on their information and thereby provide optimized services depending on user attributes. Nomura Research Institute (NRI), together with NRI SecureTechnologies (NRI Secure) and JCB, jointly issued a report in November 2019 on the latest digital identity trends titled “Digital Identity: Self-Sovereign / Decentralized Identities”. We spoke with Natsuhiko Sakimura and Hideyuki Fujii, who are experts in this field, about the current state of digital identities, the latest developments, and what sorts of discussions Japan should be pursuing in the interest of utilizing this technology.
The history of ID management from common keys to self-sovereign identity
When you hear the word ID, you probably tend to think of more recent examples, related to computers and how they have permeated every aspect of our lives. However, we want you to think about the famous tale of “Ali Baba and the Forty Thieves”. In this tale, the thieves recite the spell “open sesame” to gain access to the treasure hidden away in a cave, and this is really no different from the kind of authentication key that is handled in ID management. Because this authentication key was a “weak (short) long-term shared key,” it was divulged to another person (Ali Baba), so ID management ultimately failed, and in the end the thieves were dispossessed of all their treasure and perished. However, we ought not to make light of the thieves. In Japan, weak long-term shared keys in the form of “shared passwords” are still sometimes assigned for administrator authority. We believe companies that do this could learn a lesson from this literary work.
Given all this, IDs that platform operators like GAFA or states have the authority to erase do involve some risks, and that is why we are now seeing a new approach in the form of “self-sovereign / decentralized identities”, which allow users to use IDs that they have created themselves so that they can personally control their own data.
Efforts are also actively underway toward standardizing self-sovereign / decentralized identity management. In May 2017, the Decentralized Identity Foundation (DIF) was established as an organization for considering various technical specifications related to decentralized ID coordination. Over 70 companies, mainly US firms, have joined as members thus far, and the organization has been holding discussions on the standardization of decentralized IDs. Apart from this, the World Wide Web Consortium (W3C), which is working to standardize web technologies, and various other organizations have been looking into ways of implementing self-sovereign / decentralized identity technology.
Pioneering efforts in Canada and the EU regarding digital identities
In terms of initiatives related to self-sovereign / decentralized identities, there is a non-profit organization in Canada known as DIACC (Digital ID & Authentication Council of Canada), whose membership consists of public organizations and private companies working to develop digital identity and authentication frameworks. DIACC has been conducting proof-of-concept experiments for using the blockchain to link verified identity information involved in banking.
How digital identity technology can coexist with super cities, information banks, and other initiatives
In Japan, meanwhile, based on the concept of “super cities” which is primarily under consideration by the Cabinet Office, a movement is underway to form links between all manner of services that would support super city development, and to adopt an “urban OS” for the architecture involved, with the ultimate goal being reusability and coordination with other cities.
Efforts are also being made to deploy this concept globally, based on the philosophy that it should be broadly utilized to benefit local populations and new businesses, following the fundamental premise that information security and personal information are to be handled appropriately without letting urban data or the urban OS be monopolized by a select few.
In addition, efforts are also being promoted in Japan for third-party depository “information banks”, as a framework for allowing individuals to control their identities. The purpose of this is to effectively enhance individuals’ own degree of participation and control, and to promote the circulation and utilization of personal data, thereby allowing individuals, within a certain agreed-upon scope, to entrust trustworthy entities with providing their personal information to third parties.
The philosophy behind self-sovereign / decentralized identities can coexist with these efforts involving super cities and information banks in Japan, and can potentially allow companies to approach target customers other than their own customer segments or those of their partner companies, and thus it could serve as one option for expanding their economic zones.
Compared to countries overseas, Japan is lagging behind when it comes to discussions about self-sovereign / decentralized identities, but we expect these discussions will pick up pace along with efforts involving super cities and information banks.