Digitalized personal identity information (aggregated information containing various attributes about a person such as their name, address, etc.), commonly referred to as one’s “digital identity”, has made it possible for service providers to identify individual users based on their information and thereby provide optimized services depending on user attributes. Nomura Research Institute (NRI), together with NRI SecureTechnologies (NRI Secure) and JCB, jointly issued a report in November 2019 on the latest digital identity trends titled “Digital Identity: Self-Sovereign / Decentralized Identities”. We spoke with Natsuhiko Sakimura and Hideyuki Fujii, who are experts in this field, about the current state of digital identities, the latest developments, and what sorts of discussions Japan should be pursuing in the interest of utilizing this technology.

The history of ID management from common keys to self-sovereign identity

When you hear the word ID, you probably tend to think of more recent examples, related to computers and how they have permeated every aspect of our lives. However, we want you to think about the famous tale of “Alibaba and the Forty Thieves”. In this tale, the thieves recite the spell “open sesame” to gain access to the treasure hidden away in a cave, and this is really no different from the kind of authentication key that is handled in ID management. Since this authentication key was a “weak (short) long-term shared key,” it was divulged to another person (Alibaba), so ID management ultimately failed, and in the end the thieves were dispossessed of all their treasure and perished. However, we ought not to make light of the thieves. In Japan, weak long-term shared keys in the form of “shared passwords” are still sometimes assigned for administrator authority. We believe companies that do this could learn a lesson from this literary work.

Computer-managed IDs first emerged in 1961, with the use of passwords in conjunction with the development of the Compatible Time-Sharing System (CTSS) by MIT. This was referred to as “centralized identity management”, with a management entity other than the system users centrally managing the data.
Then came a movement for ID management to be done in a more user-centric fashion. This development—known as User-centric Identity—allowed users to manage their own accounts to some degree, for instance by managing what sort of information would be registered with Twitter or Facebook. However, it still happens in some cases that user accounts get deleted or frozen at the discretion of the administrators.
There are also cases where governments will freeze an account. For instance, there was a situation in which Myanmar’s Rohingya refugees were denied citizenship. When a government refuses to issue IDs to its people, or wrests their IDs away, and these people become refugees, they lose any means of showing who they are and where they come from. For this reason, the U.N. is engaged in solving this problem, having established a goal (SDG) for everyone to be issued a biometric form of legal identification by 2030. Doing so will make it possible for the international community to offer a helping hand to those who are oppressed in their homelands and whose fundamental human rights have not been guaranteed.

Given all this, IDs that platformers like GAFA or states have the authority to erase do involve some risks, and that is why we are now seeing a new approach in the form of “self-sovereign / decentralized identities”, which allow users to use IDs that they have created themselves so that users can personally control their own data.
Efforts are also actively underway toward standardizing self-sovereign / decentralized identity management. In May 2017, the Decentralized Identity Foundation (DIF) was established as an organization for considering various technical specifications related to decentralized ID coordination. Over 70 companies mainly consisting of US firms have joined as members thus far, and the organization has been holding discussions on the standardization of decentralized IDs. Apart from this, the World Wide Web Consortium (W3C)—which is working to standardizing web technologies—and various other organizations have been looking into ways of implementing self-sovereign / decentralized identity technology.

Pioneering efforts in Canada and the EU regarding digital identities

In terms of initiatives related to self-sovereign / decentralized identities, there is a non-profit organization in Canada known as DIACC (Digital ID & Authentication Council of Canada), whose memberships consists of public organizations and private companies working to develop digital identity and authentication frameworks. DIACC has been conducting proof-of-concept experiments for using the blockchain to link verified identity information involved in banking.

In addition, the World Economic Forum (WEF) launched the Known Traveler Digital Identity project in 2018, the aim being to lessen the burden for airports and airlines in handling passengers as the number of air travelers grows in the future, with Canada and the Netherlands testing out a pilot initiative for travel between the two countries. The goal here is to use digital identities to make things easier both for travelers and for screeners, during visa applications, security checks, and immigration screenings which are required for overseas travel or business trips.
Besides this, self-sovereign / decentralized identities have also been gaining attention in the EU, where strict regulations have been put in place for personal data management. For example, in April 2018, the European Commission established the European Blockchain Partnership (EBP) as a collaboration joining EU member states with Norway and Lichtenstein, and as part of this effort, it set up the European Blockchain Services Infrastructure (EBSI), a project for constructing public services across the EU using the blockchain. The EBSI also designated “self-sovereign identity” as one of its four key use cases for 2019, and has been looking into ways of creating a European-style self-sovereign identity framework.

How digital identity technology can coexist with super cities, information banks, and other initiatives

In Japan, meanwhile, based on the concept of “super cities” which is primarily under consideration by the Cabinet Office, a movement is underway to form links between all manner of services that would support super city development, and to adopt an “urban OS” for the architecture involved, with the ultimate goal being reusability and coordination with other cities.
Efforts are also being made to deploy this concept globally, based on the philosophy that it should be broadly utilized to benefit local populations and new businesses, following the fundamental premise that information security and personal information is to be handled appropriately without letting urban data or urban OS be monopolized by a select few.
In addition, efforts are also being promoted in Japan for third-party depository “information banks”, as a framework for allowing individuals to control their identities. The purpose of this is to enhance effective individuals’ own degrees of participation and controllability, and to promote the circulation and utilization of personal data, thereby allowing individuals—within a certain agreed-upon scope—to entrust trustworthy entities with providing their personal information to third parties.
The philosophy behind self-sovereign / decentralized identities can coexist with these efforts involving super cities and information banks in Japan, and can potentially allow companies to approach target customers other than their own customer segments or those of their partner companies, and thus it could serve as one option for expanding their economic zones.
Compared to countries overseas, Japan is lagging behind when it comes to discussions about self-sovereign / decentralized identities, but we expect these discussions will pick up passed along with efforts involving super cities and information banks.