Design Questions + Reflections from the Good ID in Practice Workshop

Earlier this week, @LisaCovington and I had the opportunity to attend the World Bank’s ID4D “Good ID in Practice” Workshop in Washington D.C. Throughout our Prize Design we have had the chance to connect with incredible experts working in the space of identity to help shape our prize direction. We were lucky enough to connect with @Vyjayanti Desai, the ID4D Program Manager, and her incredible team who invited us to participate in the workshop – and to say it was a powerful two days would be an understatement. Thank you to Vyjayanti and team (Seth, Julia, Anna + more!) for an incredible event.

Our primary goal for the trip was to gain insights on where is there a strategic opportunity for an XPRIZE in the space of Identity. While we were at the workshop, it was both comforting and powerful to see that core questions that have challenged our team are also some of the key questions the global community are facing. How do we factor in consent to identity? Does that look different for foundational and functional IDs? How do we design for highest privacy and security levels? Do we make the leap to biometric solutions?

Now that we have returned to Los Angeles are back in design mode, we would love to hear your thoughts and perspectives on a few key areas.

What is needed, both from the supply and demand side, for legally recognized digital ID solutions to scale while ensuring privacy? How do you measure success?
How long would it take teams to design and build a digital ID solution that can hold legally recognized information? This timeframe should account for highest privacy standards.

  • What would a user-centric or user-friendly legally recognized digital ID system look like? What are metrics we could use?
  • Each time we design an XPRIZE, we want to look out into the future, set our preferred future state, and determine how an XPRIZE can bring that future forward. Our preferred future has always been a world in which all children have a legally recognized digital identity that protects and empowers them and helps them to thrive. Looking forward to hearing your thoughts on the questions above and if you attended the “Good ID in Practice” workshop we would love to hear your reflections!

    Sounds like it was a great experience, @BryanNamba and @LisaCovington! @duffus75 @johnedge @marz62 @akb and @Damiano - do you have any thoughts or ideas around these questions, or related experiences around these reflections? Any examples, links, or comments you might have around these ideas would be great to see!

    In respect of privacy, best practice should be adopted for all information storage systems and procedures. For biometric data an even greater effort is recommended.

    We cannot assume that today’s encryption algorithms will remain sufficiently robust in the future. For example, emerging quantum computers in the next decade might be able to break these algorithms. Research is under way to develop more robust algorithms, which might (or might not) turn out to be sufficient over the following decades.

    An alternative approach might be to not store biometric data at all. Instead use biometric scans as input into an algorithm (on the scanning device) that generates a unique hash key (a pseudo-identity code, for a specific defined purpose).

    If biometric data is stored at all then perhaps the only safe place is on a device owned by the user (and that data is only readable by the device for user authentication; no external method can access the raw data). However, a more complex approach might be required to backup the data in case the device is lost or stolen.

    @akb - “…use biometric scans as input into an algorithm (on the scanning device) that generates a unique hash key (a pseudo-identity code, for a specific defined purpose).”

    Yes, exactly, this is what I was hinting at in an earlier post…but I declined to spell it out (even if obvious at this point) because I thought the suggestion was too much like a ‘solution’ (versus a design criterium, or parameter).

    A key resource from the World Bank:
    https://id4d.worldbank.org/guide

    @akb @marz62 Thank you both for sharing your thoughts around the storing of biometric data. We have definitely considered this as many experts had underscored that unlike passwords, biometrics cannot be changed by the user.

    Thank you @BryanNamba
    Yes that’s a great point: we can’t change our biometrics :slight_smile:

    Thanks.

    In regards to your ID4D questions: ‘What would a user-centric or user-friendly legally recognized digital ID system look like?’

    and

    ‘What are metrics we could use?’

    (At the risk of proposing a ‘biblical’ idea, in addition to a solution idea)…

    A sub-cutaneous (millimeter scale) “info-nodule”* – implanted via a needle-free injection system (e.g., CO2 cartridge injector) – may be the most secure form of such an ID. Obviously, an automated (and mobile) nodule ‘printing’ system (to encode personal data) must be designed and tested first, in order for this ID idea to be practical. We have micro and even nano-scale radio transmitters that can transmit (data) over short (foot or meter scale) distances that could enable the identification process (via RF scanning of nodule micro-antennas).

    Caveats: Such implants may be temporary (as new skin layers build from the inside-out, pushing the nodule into the outer epidermis), and, they could potentially trigger an immune reaction in some refugee (e.g., those with already compromised or over-burdened immune systems).

    • This nodule could be a variation on an RFID tag (as used to ID pets). However, RFID tech is not entirely secure; a tuned (to the tag’s antenna RF) radio scanner could ‘steal’ the data on an RFID tag.

    Note: An ID consortium or panel will need to be convened/empowered to determine the type(s) of identifying information – best serving the needs of refugees and their host governments – to be included on any such (implanted) tag or nodule.

    As for the type of (bio) metrics that could be used…

    DNA has been proposed previously by @akb. However, this will require initial sampling from individual refugees, lab-quality equipment (e.g., reagents, centrifuge, PCR, pipettes, etc.), DNA sequence ‘reading’, storage in a secure database, etc. Then (at some point later when identification validation is needed)…an in situ or portable DNA sampler and sequencer (e.g., ‘next gen’ nanopore, or, MinION) and DNA database-accessing computer (to access cloud database or local db).

    Also:* great c* caution must be used here in utilizing this form of biometric data, as genetic information contains much more than an identifying sequence of nucleotides (or key nucleotide markers in lieu of total genome sequencing); DNA sequencing and analysis can reveal mutated genes that carry disease risk than could be used, prejudiciously, to block refugee hosting of some individuals (who may require future public assistance or government funded healthcare due to the genetic disease associated with those mutations).

    Retinal imaging (via a portable retina scanning system) may be an ideal metric (more so than fingerprints, as these can be marred or even erased via accidental or intentional injury to the finger tips). This may be the most viable approach as the technology for doing so already exists, and, theoretically, retinal patterning would be more protected from damage/injury than fingerprints or ear morphology.

    Thanks for sharing @marz62 . Interesting insights, but I do think that a sub-cutaneous info-nodule or DNA sequencing would be potentially problematic ( for some of the reasons you mentioned in your second to last paragraph).

    We’ve been hearing of some success at capturing reliable biometric reads on children as young as one (although more research is needed). If biometrics were included in the prize, I think it would be about accelerating breakthroughs in improving the capturing and reliability of biometrics.

    When we speak about user-friendliness, our intent is around what would a user friendly mobile application look like. We of course would like it to be useable for low-literate populations and children, but how could we measure that and what are the other features of user friendliness should be accounted for?

    Thank you for the great comments here @akb and @marz62! We have now posted our Draft Competition Outline - let us know any thoughts or questions you may have there! Draft Competition Outline — XPRIZE Community Looking forward to seeing everyone’s feedback on the draft outline.