We’re all familiar with Apple Pay and Google Pay and how much easier (and more secure) they make online payments, but if Apple or Google really want to replace my wallet, that means that they have to replace my driving licence, my loyalty cards, my rail discount pass, my blood donor card, my AA membership… well, you get the point. And in the real world, I only have twenty or thirty of those cards but in the virtual world I have hundreds if not thousands. Replacing the payment cards was easy. Replacing the identity cards is hard. But in the long term, it’s much more valuable.
It would be nice if the security and convenience of the digital wallets were to be extended to online interactions of all kinds, not only payments. Perhaps this is not that far away. We already use them to make online access easier. If I’m signing up for new services (e.g., when I signed up for the New York Times recently) then I’ll look for the “sign in with Apple” button first and only if the website does not support it will I then select “sign in with Google” (after first remembering to log in to my “John Doe” Google account). But this is about authentication, not identification. Apple told the New York Times that I am “firstname.lastname@example.org”, not that I am David Birch or that I am over 21 or that I am a UK resident or whatever.
The lack of a digital identity infrastructure is a big problem in an online world and it needs to be fixed whether by governments, financial institutions, specialist players or someone else. Since governments, banks, telcos and others have not fixed the problem (at a level of global interoperability comparable to the internet and mobile phones), it looks as if someone else is going to have to do it.
That could be Apple. A couple of years ago Panos Mourdoukoutas predicted that Apple’s next big revenue source wouldn’t be another device, but the “monetization of the ID Apple assigns to its customers”. This prediction, I should stress, was not especially radical or unusual. Indeed, back in 2016 I was working on the strategic assumption that this was an inevitable direction. I wrote at the time that “it is a very short step from Apple Pay to Apple ID, where revocable identification tokens are loaded into the tamper-resistant hardware”.
(Without getting distracted by technical details, it is important to note that what Apple appeared to envisage in their patents is that a device, such as an iPhone, will be storing credentials obtained from a variety of sources. My hope is that Apple, Google and others support an interoperable standard — W3C VC, to highlight the obvious example — so the credential providers and users will move to authorisation-based transactions as soon as possible.)
The idea that the platforms might step in and provide the digital identities that will be crucial to our online existence — because banks, governments and others have not — is not what is new. What is new, and why we are talking about identity now, is the post-pandemic (or, more accurately, inter-pandemic) reset and the extent to which it has both illustrated the problems caused by not having digital identities and accelerated the drive toward workable solutions. Suddenly we had to figure out not only how to shop and bank online but how to work, learn, visit the doctor, vote and access government services online. In the UK, as in the USA, we don’t yet have anything like the infrastructure needed to do this so we end up with costly and imperfect silo solutions.
My point is that we need to put some serious thought into developing a digital identity infrastructure. And we must think about how that infrastructure will evolve and develop. Does the USA want a system, as in China, where you have a single identity that must be used to do everything and the government knows what you are doing at all times?
(That has some interesting consequences! For example, for years, the government there has been trying to stop kids from playing too many video games. Now the Chinese have ruled that anyone wanting to play a game must log in using a state-run authentication system.)
We need to think about the problem and make some choices about what we want because if you think that digital identity is just about making it easier to log in to your bank, you are wrong. Should the government know that I have logged in to my bank? Should Apple know that I am playing Fortnite? Should Facebook know that you are voting online? How exactly can we design an infrastructure to deliver both privacy and security? These are serious questions: Digital identity is the foundation of existence in an online society and choices that are made about how those identities work will be fundamental to how that society is going to work in the future. We need to begin this discussion now.