Digital Identity

Why we need tailored identity systems for our digital world 

Digital identity systems are often presented as a means to achieving legal identity for all, which is target 16.9 of the UN Sustainable Development Goals and which in turn supports the right of everyone to be recognized as a person before the law, as per  the Universal Declaration on Human Rights and the International Covenant on Civil and Political Rights. This ambition stems from the premise that it is every individual’s right to have their identity recognized. But in our digital era, the concept of identity has been radically transformed, from a static record in a physical ledger, to a dynamic, multi-faceted construct that interacts with various digital platforms, systems, and institutions. 

Some of these systems, which we will call “total identity” systems, demand extensive and excessive amounts of personal information — yet all too often they are presented as the only option. In contrast, minimalist digital systems, which require only the minimum necessary information for each transaction, have the capacity to respect and protect human rights. In this post, we examine the human rights impact of how both kinds of systems are designed and implemented and consider which approaches allow for the least invasive approach to identification, considering how we manage and verify identity has become central to our digital existence, affecting everything from accessing services to exercising our rights as citizens. 

What are digital identity systems? 

Digital identification or “digital ID” systems use digital technology to establish an individual’s identity. More often than not, they refer to systems that aim to establish the legal identity of a person through processes of data capture, validation, storage, transfer, verification, authentication, and management. This can include different aspects of a person’s legal identity as it pertains to their relationships with authorities, or only a specific aspect of it, such as voting or travel. 

Digital identity systems are now ubiquitous. According to data from ID4D, at least 186 countries have systems that employ some sort of digitalization of their identity records. They’re used to accelerate processes, to keep population registers, and to limit identity duplication and attempts at fraud. Sophisticated databases and algorithms, capable of handling vast amounts of personal data, promise efficiency, convenience, and security —but they also pose varying levels of risk to privacy and individual autonomy.

How do total and minimalist identity systems differ?

Total identity systems are based on the assumption that more data leads to greater accuracy, less fraud, and better identity verification. These systems often require extensive personal information, such as names, dates of birth, addresses, biometric data, or even behavioral data. But the more data a system collects, the more attractive it becomes to hackers. High-profile data breaches have exposed millions of individuals’ personal information, leading to identity theft and long-term reputational damage. Moreover, total identity systems enable pervasive surveillance without individuals’ knowledge, leading to digital profiling and potential discrimination based on collected data.

Such systems also undermine personal autonomy, with individuals compelled to share more data than necessary in order to access basic services. In scenarios where consent over data – particularly biometric data – is required to access basic services, consent can never be truly meaningful, and therefore should be considered void.  This erodes trust in digital systems, leaving people feeling as if they have lost  control over their personal information.

In contrast, minimalist digital identity systems operate on the principle of data minimization, seeking and processing only the necessary information required to authenticate  each specific transaction, that is, if the person is who they are claiming to be in terms of the specific attribute that is being confirmed. For example, to verify the age of someone trying to purchase alcohol, a minimalist system would look to confirm only that the person is over a certain age, without requiring details of their exact date of birth, name, or address.

By limiting data collection to what is essential, minimalist systems reduce the risk and impact of any data breaches, since there is simply less data available to compromise, as well as protecting individuals from identity theft and fraud.

Minimalist systems are more aligned with the human rights principle of autonomy, since individuals get to decide what data to share, with whom, and for what purpose, tailored to their personal boundaries and privacy preferences. 

Finally, using minimalist identity systems can reduce the scope for discrimination and bias in decision-making, by limiting the sharing of data related to race, gender, age, or socioeconomic status. The design of a minimalist system should allow for instances where attribute authentication is not needed or restricted to very minimal and specific data points, including scenarios where absolute anonymity is allowed.

How do both systems help achieve the right to identity? 

The debate between total and minimalist digital identity systems centers on the right to identity, which covers not only an individual’s right to be recognized by the state, but also their right to control how their identity is presented in different contexts. 

By allowing individuals to choose which parts of their  identity are presented or revealed, minimalist systems uphold the rights to autonomy, dignity, privacy, and respect for personal boundaries. 

The right to identity also includes the right to opt for anonymity or pseudonymity. In some situations, people may need to conceal their true identity for safety, freedom of expression, or privacy reasons. Minimalist systems can facilitate this by ensuring that only the necessary information is disclosed, which is crucial in contexts where disclosing one’s identity could lead to discrimination, persecution, or violence.

There are still challenges to implementing minimalist digital identity systems. To ensure  the security and accuracy of minimal data in high-stakes situations like financial transactions or border control, we may need to turn to technologies such as zero-knowledge proofs, which could allow verification without revealing unnecessary information, or decentralized identity frameworks, which  distribute control over their  identity data to the users themselves.

Another challenge is balancing regulatory requirements with data minimization principles. In sectors such as finance or healthcare, legal frameworks often mandate extensive identity verification, meaning that policies have to change at the highest level to support the adoption of more flexible and context-specific approaches to identity verification.

Ultimately, the difference between total identity and minimalist digital identity systems is not merely technical; it comes down to human rights. As we’ve explained above, total identity systems jeopardize the rights to privacy, autonomy, and equality, while enabling pervasive surveillance, data misuse, and digital profiling. By collecting the bare minimum information necessary per transaction, minimalist systems are better placed to protect privacy, empower individuals, and reduce discrimination, while also allowing people  to control how they present themselves in different contexts, through anonymity and pseudonymity. One path prioritizes human rights; the other undermines them — digital identity systems need to evolve in the right, minimal direction.