Exclusive: How Singapore is building a privacy-based digital ID
By Shirley Tay
Li Wei Loh, Product Manager for sgID, Open Government Products, GovTech, spoke at GovInsider Live’s Festival of Innovation.
A revolution is brewing in the ranks of internet users. Documentaries like The Social Dilemma, Netflix’s smash hit, show the vast reach of big tech companies, vacuuming up the memories of our lives to sell for pennies on the dollar.
As the inventor of the World Wide Web, Sir Tim Berners-Lee, has warned, the web is “swayed by powerful forces who use it for their own agendas”. A new model is required: giving users back control over their data, and enabling them to specify when and by whom their information can be accessed.
This approach is called a “self-sovereign” ID, and Singapore is one of many countries around the world trialling it. The Open Government Products unit in Singapore’s GovTech is building a platform to give users greater control over their data. Li Wei Loh, Product Manager for sgID, Open Government Products, shared more at GovInsider’s recent Festival of Innovation.
Enter self-sovereign identity
Scientists who built the web prioritised the need to share information quickly, and few imagined its potential for misuse. “We didn’t focus on how you could wreck this system intentionally,” American internet pioneer Vinton Cerf told the Washington Post in 2015.
As it grew organically, “a system evolved where people got onto the internet by giving away personal data for free”, the UK’s former cybersecurity chief Ciaran Martin said at the Festival of Innovation this month. Data has become the “price of entry”, he added.
Self-sovereign digital identities aim to challenge this model where internet users are the product. They give users ownership over elements that make up their digital identity - such as their email or phone number - and let them choose how they share their data, and also how to restrict access at any moment. Berners-Lee has launched his own proof of concept - Solid - which will sit on the blockchain and provide a completely decentralised identity system to redistribute power away from big tech.
Singapore is building a trial version of this as an “experimental extension” of its National Digital Identity platform, Loh has revealed. sgID will show users what personal data organisations are requesting and allow them to share only the specific details the business requires. The app then encrypts the data and sends it to the business.
Providing an alias
Businesses typically rely on the national identity number as an identifier. But if companies were to be compromised, it'll be easy for a malicious actor “to paint the bigger picture of a person easily”, says Loh.
The sgID app enables citizens to verify their identity without sharing their identity number. It creates a unique ID for every business citizens authenticate with, making it harder to trace what they do online.
The unique ID remains the same every time an individual accesses the same business platform. “Instead of seeing a different ID all the time, you have a consistent ID so that you can provide that consistent experience that a lot of businesses are trying to achieve,” said Loh.
“So you get both the benefits of having a unique ID while maintaining that separation from the common ID … for malicious people to make use of,” he added.
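The property Loh describes, an alias that is stable for one business but different for every other, can be illustrated with a keyed derivation. This is an added example, not sgID's code: the article does not say how sgID derives its IDs, so the HMAC construction, the key, the business names and the sample ID numbers below are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a secret held only by the identity provider (constructed value).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample identity numbers, not real national IDs.
CITIZENS = ["S0000001A", "S0000002B", "S0000003C"]


def pairwise_id(national_id: str, business_id: str,
                key: bytes = PROVIDER_KEY) -> str:
    """Derive a per-business alias: stable for one business, unrelated across
    businesses, and not reversible to the national ID without the key."""
    biz = business_id.encode()
    # Length-prefix the business ID so ("shop", "1A") and ("shop1", "A")
    # can never produce the same HMAC input.
    msg = len(biz).to_bytes(2, "big") + biz + national_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def linkable_records(db_a, db_b) -> int:
    """Count identifiers present in both datasets, i.e. how many people
    could be joined across two breached customer tables."""
    return len(set(db_a) & set(db_b))


def shared_id_dbs():
    """Both businesses key their customers on the national ID."""
    return list(CITIZENS), list(CITIZENS)


def alias_dbs():
    """Each business only ever sees its own pairwise alias."""
    shop = [pairwise_id(c, "shop.example") for c in CITIZENS]
    clinic = [pairwise_id(c, "clinic.example") for c in CITIZENS]
    return shop, clinic


if __name__ == "__main__":
    print("same business, same alias:",
          pairwise_id(CITIZENS[0], "shop.example")
          == pairwise_id(CITIZENS[0], "shop.example"))
    print("joinable with national ID:", linkable_records(*shared_id_dbs()))
    print("joinable with aliases:   ", linkable_records(*alias_dbs()))
```

A plain unkeyed hash of the identity number would not give the same protection, because the space of valid identity numbers is small enough to enumerate; the secret key is what prevents that.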
sgID uses a “zero knowledge protocol”, says Loh. This means the platform cannot access, and does not store, any citizen data that passes through its server. Only users and businesses can access the data - and even in the event of a breach, user data remains on their phone, in their control.
As more businesses go online, it’s “not sustainable” for the government to be storing sensitive citizen information, said Loh. That protocol removes the need for sgID to store sensitive information like transaction history, and to serve as an “identity broker”.
Tackling fraudulent activity
sgID can help crack down on online scams, he added. Businesses have “very little recourse or very little tools” to track scammers, who can easily create multiple accounts to hide their identity.
sgID “strongly ties a malicious actor to a single verifiable account”, Loh said. That stops scammers from hiding behind multiple fake accounts, and prevents a “chain of new fraudulent activity”.
“For all the good we’ve achieved, the web has evolved into an engine of inequity and division”, Berners-Lee has said. Self-sovereign digital identities could restore power and agency to the people on the web.
Catch up on GovInsider’s Festival of Innovation here: https://www.festival-of-innovation.com/watch