It's time for Kiwis to define the meaning of digital identity in Aotearoa
In late September, the government introduced a new bill to parliament that would fundamentally pave the way to digital identity for citizens in Aotearoa, New Zealand.
The Digital Identity Services Trust Framework (DISTF) Bill is the brainchild of Minister of Digital Economy and Communications, David Clark. Last week, the bill passed its first reading. So what is it, and what does it stand for?
Digital identity - an overview
Digital identity is any piece of data or information that helps to identify you as a person through digital services, particularly over the internet. For example, most people will have a digital identity linked to their bank account, Inland Revenue login, passport applications, and online shopping.
In May 2021, Clark said that digital identity is a crucial enabler to the overall Digital Strategy for Aotearoa. This strategy strives to turn New Zealand into a 'world class digital nation'. He believes that New Zealand can bank on its reputation as a nation of 'ethical innovators'.
He notes that other countries with mature economies have pegged the value of digital identity between 0.5%-3% of GDP. In New Zealand dollars, that could be between $1.5 billion to $9 billion.
"Whether it's opening a bank account, sharing our medical history, conducting business online, or applying for Government services like the wage subsidy, it's vital we trust the systems we use, and that service providers know what's expected of them."
But, he admits, it has been hard to roll out digital services because there are no consistent standards that govern digital identity.
"Without these solutions, people will continue to face difficulties sharing information about themselves. They are also more exposed to risks including online fraud and other privacy breaches."
The bill is designed to achieve a clear path to identity regulation and information security both for New Zealanders and the broader digital economy.
"We are working closely with our international partners so that New Zealanders' digital identities are recognised overseas, including places like Australia. A trusted modern digital identity system will help grow our digital economy, transform government services and ensure all New Zealanders can take part in the digital world," says Clark.
The business community also feels that the path to digital identity has been anything but straightforward because there isn't enough collaboration, innovation or interoperability within identity services.
We've had government services like the online verification platform RealMe since 2013, there aren't too many examples of strong digital identity services. However, the upcoming COVID-19 vaccine certificate and passport system will be linked to digital identity and the details are yet to be fully explored.
Clark has a vision in which businesses and individuals can prove more things online, cutting down on paperwork. This is where the proposed legislation comes into play.
A closer look at the Digital Identity Services Trust Framework Bill
The bill aims to take digital identity services further by rolling out requirements for all service providers, both the public and private sectors, who need to use identity verification services as part of their business. The bill works hand-in-hand with the legislation set out in the Privacy Act 2020, and it gives digital identity service providers to opt-in once their systems are ready.
"The Government is committed to enhancing trust and confidence in how organisations handle personal and business identity information. The legislation will ensure that everyone is clear on their rights and obligations," says Clark.
The bill has four aims:
- To help drive consistency, trust, and efficiency in the provision of digital identity services
- To support the development of interoperable digital identity services
- To provide people with more control over their personal information and how it is used
- To enable the user-authorised sharing of personal and organisational information digitally to access public and private sector services.
According to the government, the bill means that Kiwis can have more trust that their data is protected and private, and it also provides more control over how and when they share their information. And, of course, it aims to provide easier access to digital services from from the public and private sector.
The DISTF bill also aims to boost business efficiency and deliver better, more accurate information with higher trust and lower risk, as well as giving businesses more confidence meet regulations as they invest in digital services.
The government also promises to better detect and prevent security and privacy breaches, deliver better services for citizen-consented information sharing, and provide better alignment with international peers.
A vital part of this is the bill is the Trust Framework (TF) - a set of legislation, rules and regulations that all accredited digital identity service providers must follow. A governance board will be responsible for educating, shaping, and monitoring the framework. Some of these board members need to understand te ao Māori approaches to identity, technology, and identity data management. The board will also work with the Office of the Privacy Commissioner, TF providers, and te ao Māori stakeholders to address identity, technology, and identity data management.
It's early days, but feedback is cautiously optimistic
Supporting the push for digital identity is Digital Identity New Zealand (DINZ), a member consortium of New Zealand technology and other businesses including Air New Zealand, Auckland Transport, Callaghan Innovation, Centrality, Google, IBM, Inland Revenue, The Ministry of Business, Innovation and Employment, the Ministry of Education, The University of Otago, and security firms including Okta and Red Hat, as well as many others.
Collectively, DINZ sees a future in which "people can express their identity using validated and trusted digital means in order to fully participate in a digital economy and society". To do that, a digital identity ecosystem must follow three criteria: It must enhance privacy, it must enhance trust, and it must improve access for all New Zealanders.
When we approached DINZ for this story, several DINZ members contributed their thoughts. However, due to tight deadlines, we quote DINZ in this story based on responses from individual, unnamed members. These responses do not represent a consensus from the membership as a whole.
Overall, feedback on the bill from DINZ members has been positive, but it will need tweaking. That is exactly what the consultation process is designed to achieve.
"It's exciting to see this take shape, and success will come through community and industry collaboration and consultation with government. Several of our members and stakeholders from their organisations took part in the mahi that resulted in the bill's formation. We're eager to keep contributing our members' ideas and experiences to the Select Committee process and what follows from it."
DINZ says the bill is on the right track, although it comes from a more 'government-centric perspective'.
"Some industry observers have already indicated the need for clarity between the role of the regulator providing the guardrails (assumed to be the government) and RealMe's participation in the ecosystem as an identity provider or verifier."
"It's a small market, RealMe is a dominant player, and the government will be acutely aware of not only the need to separate its own interests, but also be open to suggestions that 'counter-balance' the understandable government-centricity."
That means the DISTF's scope needs to be adaptable and support many different use cases - it can't just be limited to government thinking.
DINZ also wants to encourage national and international service providers to get involved in the bill's consultation to ensure it works from an operational and people perspective. That could mean public-private investment partnerships in a similar vein to the Ministry of Business, Innovation and Employment (MBIE), which seeks assistance from IT professionals to understand what skills and experience potential immigrants in IT need to have.
"Members would like to see reflected in a future relationship between government agencies and the digital identity industry - for example, research, information & education dissemination to the private sector and wider community, perhaps extending to some role in the accreditation/certification function. "
Karaitiana Taiuru, a Māori academic, is at the forefront of Māori data sovereignty advocacy and change.
Taiuru says the bill is a great start and has potential, but it needs comprehensive and transparent consultation with communities, as well as Māori, hapū, iwi and Māori organisations.
"In te ao Māori, our identity is our whakapapa – the most sacred aspect of all things that we are entrusting to a government framework."
"For those of us who are connected to the internet, it will be great to not have to fill in the same details multiple times in multiple forms and security checks should be a lot easier in addition to greater individual protections against things like fraud."
"I expect this will create a more streamlined process without the need to physically visit government agencies where staff may not have the cultural knowledge to be able to understand needs or provide the best services," says Taiuru.
How the bill wants to incorporate te ao Māori, values and culture
If there is one thing that sets this bill apart from other countries' digital identity systems: It considers how te ao Māori approaches to identity are considered in trust framework governance and decision making.
David Clark remains committed to ensuring that the digital identity system reflects Māori perspectives.
"Put simply, identity means different things to different people and cultures. That's why, my officials are engaging extensively with iwi to deliver this framework in a way that supports tikanga Māori."
DINZ believes it could be a once-in-a-lifetime opportunity to create a people-centric system underpinned by Te Tiriti (The Treaty of Waitangi) and indigenous values. Not only does it bring a Māori worldview to a discussion about digital identity and the country as a digital nation, but it also opens a door to other values and principles that represent who and what Aotearoa, New Zealand means for all communities.
"It's also important for Māori to be empowered to have Kāwantanga (governance) and Rangatiratanga (self-determination) regarding their digital identity. So it was good to see this aspect explicitly focussed on. Identifying oneself in terms of one's whakapapa, sensitivities and acknowledging 'rangatiratanga' in Article 2 of the Te Tiriti o Waitangi are all woven into the fabric of Māori culture."
"Consider the case of identity-related information form fields when enrolling with a service provider online today. Do they take these factors into account? One of the clearest themes emerging from hui on the digital strategy is that trust in digital services is earned by actively co-creating with communities on these services' design, delivery, and accountability mechanisms. 'Everything happens at the speed of trust.'
However, Taiuru notes, "The COVID-19 lockdowns are a reminder to some that Aotearoa, New Zealand still has a digital divide that primarily consists of Māori and Polynesian families and other low socio-economic groups as well as the elderly and some rural communities. My primary concern is for those in the digital divide and the potential to miss out on government services and benefits."
"At first glance, there are a lot of positives to the Bill, and we are increasingly seeing Māori and Te Tiriti being considered into new legislation and bills. Te Ao Māori perspectives have been partially included and the opportunity for genuine co-design and some other Te Tiriti principles are recognised. However, I would have preferred to see a much wider acknowledgement and protection to Māori rights to data including the recognition of tikanga Māori/Māori philosophies than what is currently in the draft bill."
Taiuru believes that the government has missed an opportunity to recognise and legislate for Māori Data Sovereignty Principles.
"Some of the Te Tiriti principles are included in the Trust Framework principles, but not all, and they are not clearly identifiable. The principles do not mention Māori data sovereignty, even in the te ao Māori approaches to identity principle."
"The principles need some major rethinking from a te ao Māori perspective, and the principle should explicitly state that Māori data is a taonga. Instead, it will be left to Māori to at some stage make a Waitangi Tribunal claim to have Māori data recognised as a taonga."
"There is also no mention of the United Nations Declaration on the Rights of Indigenous Peoples, despite it being very relevant here and little consideration of the ongoing consultations of WAI 262 in the Waitangi Tribunal."
Taiuru also touches on another issue that the bill does not clarify: data storage, particularly in cases where data is stored overseas and subject to other countries security and privacy laws.
"It would be beneficial to have it legislated that the data would be stored in New Zealand, recognising Māori Data Sovereignty principles," argues Taiuru.
This brings up an important point about the role of Māori data sovereignty, which is a multi-faceted topic in its own right. It needs to be weaved into any conversation about digital identity.
Taiuru highlights the potential for issues around data use and misuse if the government requires all personal information to be in one place.
"There are risks of passport and driver licence photos being used and then for facial recognition, noting the current biases for Māori and Polynesians. There is also the risk that at some stage further bioinformatics such as Guthrie Cards could be sequenced for DNA and added to the system, noting this would be the safest way to prove the identity of an individual and their family."
"Births Deaths and Marriages are consulting about whether to use Māori individuals' iwi and hapū information on birth certificates. This just adds another complex layer of potential discrimination and Māori identity issues to a government that has intergenerationally not been trusted by Māori."
Trust, data use (and potential misuse) are valid concerns, which leads to another point - how data is used and protected.
What this all means for cybersecurity
As with any discussion about digital identity, there are important questions to be raised about cybersecurity, data privacy, and preventing potentially life-destroying issues such as identity theft and security breaches. The Trust Framework (TF) rules call for minimum security and risk requirements - namely, "ensuring that information is secure and protected from unauthorised modification, use, or loss".
DINZ says cybersecurity is a 'moving target' as attackers go after data at rest, and in transit. On top of that, legitimate businesses are trying to find new ways to use data they've already collected.
"People will need to be able to trust digital systems with their identities. They will need to see robust measures to monitor, notify, and remedy potential abuses of data inside any service provider's system. They will also need to know about specific social risks related to personal identification information such as biometric data capture. Further, the potential abuse of consent within personal relationships and guardianships should also be catered for."
Those participating in the TF must also analyse those within the digital identity scheme based on ensuring security, confidentiality and privacy of their information. That means those joining the scheme will be analysed based on their information and data security. If there are holes in these areas, likely, they would not be accredited.
In cases of identity fraud, economic loss, physical, or emotional harm caused by a TF provider, the TF authority could issue a public warning. However, in the event of security breaches, the TF authority won't post details of any vulnerabilities because people could exploit them.
DINZ also points to potential discrepancies and service levels between providers who adopt the TF within their businesses, and providers that choose not to.
"It's a delicate balancing act between raising the bar high enough to achieve trust through security and privacy, without unduly compromising levels of adoption by service providers in sufficient numbers to ensure the DISTF's success."
"Overseas there are examples of non-accredited/certified service providers typically with significant brand presence having higher adoption rates than accredited/certified service providers. It's in Aotearoa New Zealand's interest to see global brands that already operate here and those that are yet to arrive, be accredited/certified."
DINZ continues, "The interoperability with other Trust Frameworks and standards in force internationally is acknowledged in the bill. This is typically done as a series of mappings that help assessors determine the relative conformance of a service provider's service accredited/certified to one Trust Framework to another, such as the DISTF."
"Developing and maintaining these mappings helps international service providers by reducing the incremental time and cost for compliance with an additional Trust Framework - whether it is international seeking to operate in New Zealand, or a local business seeking to operate internationally. This is another area where members are keen to discuss industry's operational knowledge and experience."
Submissions for the DISTF bill close at 11PM on Thursday, 2nd December 2021. More information here.