National Digital ID systems - and their trust frameworks - are coming to a country near you.

Without robust trust frameworks (i.e. governance), national digital identity systems cannot, and will not thrive. 

National Digital Identity (NDI) systems are coming to a country near you - slowly, then all at once - as the saying goes.

First, slowly: Estonia is generally credited as first mover in the national digital identity wave, with seeds sown as early as 1996. Their national e-ID has served extremely well as a cornerstone of the country’s e-state for over twenty years now. But Estonia’s e-ID did not spur a spate of imitators. It was very much ahead of its time. It was considered an outlier -  a relatively small country that was re-building its entire national IT infrastructure from scratch.

Not long after, in 2003, Sweden introduced its BankID, as a sort of proxy for a national digital ID. Realising that ‘identifying an entire population and issuing e-IDs is both time-consuming and expensive’, they looked to the banks to leverage their electronic customer base. Just over a decade later, 90% of the population aged 20-40 had at least one BankID, and more than one billion transactions were being made annually with BankID.

India took their first steps toward digital ID - Aadhaar - in 2009, and with some seriously heavy lifting and early adoption of emerging decentralisation technologies, proved that a national digital ID program could be scaled to a population of over a billion citizens, at quite a reasonable cost.

By 2016, twenty years after Estonia began their journey, most countries around the world had taken notice, and had begun strategizing on what their own national digital ID system might look like.

Building on the first generation of national digital identity technologies, Singapore introduced their SingPass App in 2018 (an evolution of their GovTech logon service launched in 2003), and in 2023 Bhutan launched the world’s first Self-Sovereign Identity (SSI) implementation of national digital identity, demonstrating a forward-thinking commitment to privacy, security, and citizen control of their personal data.

Now, in 2024, this next wave of NDI is picking up pace, leading to the fast-approaching ‘all at once’ phase.

Countries including Australia and Ethiopia, Brazil, Papua New Guinea, Philippines, Rwanda, Canada, and New Zealand - and dozens more, are all in the advanced stages of planning or transitioning to national digital identity systems.

And in less than 18 months, 27 EU member states will formally introduce their national digital identity systems - all at once!

But while much of the NDI attention is on the maturing decentralised technologies and evolving and improving biometrics capabilities and solutions, it is important to remember that this shift towards digital ID and digital wallets is not merely a technological upgrade, but a fundamental change in how societies perceive and manage identity.

And this points to the most important pillar of any national ID program, one that cannot be built with technology: trust.

Public trust, citizen trust, business trust. Without that trust, National Digital ID programs cannot be successful.

So how to build trust?

A trust framework is the primary means of establishing trust in a NDI system.

It reflects the legal frameworks, cultural attitudes, and technological readiness of the country in which the NDI program is being considered. According to the World Economic Forum, it ‘defines shared goals or values that inform the concept of digital trust, as well as dimensions against which the trustworthiness of digital technologies can be operationalized and evaluated’.

The importance of a trust framework cannot be underestimated - it is absolutely crucial for public trust and operational success.

But what Exactly is a Trust Framework?

Offering more than a general vision, a trust framework includes a common set of agreed upon standards to be used by disparate entities to establish trust.

Importantly, a trust framework includes the legal framework upon which digital identities  and the documents that accompany them are recognised and utilised, and upon which the technical implementation of the NDI system will be built.

Sometimes known as a governance framework, a trust framework outlines the governance mechanisms which regulate both the underlying technological standards, and the use of digital identity credentials by specific actors in the credential’s life cycle.

A trust framework also includes the policies - such as the vetting and certification process of issuers, for example - which allow ecosystem participants to make a determination concerning trust within specific contexts.

A trust framework for a national digital identity system focuses primarily on the following areas:

• Overall ecosystem objectives and conduct: Ensures that the ecosystem operations are consistent with the values and principles of the implementing country, and are expanded on in the detailed code of conduct, desired outcomes, and other sub-sections.

  
  

• Technical, security, and privacy requirements: Lays out the requirements for NDI architecture and infrastructure as related to security, privacy, protection of personal data, accessibility, Trust Service Providers, incident reporting, and other technical mechanisms necessary for delivering a single source of truth of who/what is trusted.

  
  

• Governing and Administrative Authorities: establishes the formation of, and mandate of a Governing Body and an Administrative Body who are responsible for the technical, security and privacy requirements of the ecosystem architecture, as well as the conduct of members.

  
  

• Compliance and Legal Assurance: ensures the program adheres to national and international laws and details the minimum obligations for verifying the validity of a human identity before binding it to a digital credential.

  
  

• Interoperability and Standardization: establishes a common set of standards to facilitate integration and acceptance of ID credentials and other information easily and seamlessly across different systems and borders.

National Digital Identity Trust Frameworks in the Wild

Below are a few examples that illustrate the essential role of a trust framework in the establishment and development of an NDI system.

• Estonia: "Principles of Estonian Information Policy" in 1994, was drafted almost a decade before their e-ID was officially launched in 2002. As Estonia was a forerunner, their trust framework took much longer to develop than what’s possible today.

  
  

• Sweden: It took two years for a consortium to outline the general infrastructure for e-IDs (eventually BankID) that would meet the requirements of authorities and banks and be acceptable to both the public and companies.

  
  

• India: Some of India’s biggest challenges on their NDI (Aadhaar) journey were related to the legal and governance aspects. Multiple petitions in the Supreme Court questioned the constitutional validity of a national digital ID, particularly regarding privacy concerns and potential infringement of fundamental rights. Data security concerns were also an issue. For several years, Aadhaar operated without proper legislative authorization and it was only in 2016 that the Aadhaar Act was passed, giving it statutory status, and boosting adoption.

  
  

• Kenya: In Kenya, the High Court paused the roll-out of a proposed digital ID system due to a “lack of a data protection impact assessment”. The high court considered that the NDI system’s trust framework did not include sufficient measures to ensure data protection safety on the eCitizen platform which is used by many to access digital government services, nor did it address concerns that historically marginalised groups could be excluded from the digital ID scheme. Kenya is now working to implement a successful digital ID system after four failed previous attempts - by focusing on its trust framework.

  
  

• Bhutan: In Bhutan, the NDI system could not be introduced until passage of the National Digital ID Act. The NDI Act of Bhutan, passed in July 2023, is an Act of the Parliament and establishes the legitimacy of Bhutan NDI to provide for “an innovative National Digital Identity Infrastructure to encourage the use of secure, privacy-enhancing digital credentials and / or data, support development of digital trust between digital economy participants, while adhering to the kingdom’s environmental, social, governance, and sustainability objectives.” The technological architecture and NDI implementation is reflective of the Act’s mandated self-sovereign principles.

  
  

• EU: In Europe there is a huge amount of excitement over national digital ID and identity wallets, but that has only come since eIDAS 2.0 legislation - i.e. the trust framework - was approved in June 2024. eIDAS 2.0 lays out the GDPR, regulatory and compliance mandates which determine how the NDI systems will be developed and implemented.

  
  

• Australia: Australia is taking a slow and steady approach to NDI, still working through the governance aspects and developing a trust framework that’s acceptable to its population and legislators. Despite the technological advances that make an Australian NDI system possible, it will be the trust framework which determines whether and how it moves forward.

  
  

• UK: The UK has been slow to adopt NDI, with little public appetite for it, but … momentum is slowly building at the governance level. In the most recent King’s Speech in July 2024, King Charles mentioned the Digital Information and Smart Data Bill, which gives a statutory footing to innovative uses of data and which supports the creation and adoption of secure and trusted digital identity products and services from certified providers. The interest surely comes in part from estimated £600 million per year in economic benefits should secure digital identities come into widespread use.

  
  

• New Zealand: The Digital Identity Services Trust Framework Act 2023 came into effect on 1 July 2024 as the legal framework for digital identity services in Aotearoa New Zealand. The framework includes rules and regulations for how digital identity services that are accredited should work, while protecting information and privacy. With the trust framework in place, we can expect to see fairly quick development of the technical aspects of an NDI system.

  
  

• USA: The US does not have a national ID system, relying instead on Driver’s Licences to serve as official identity documents. The American Association of Motor Vehicle Administrators (AAMVA) is promoting the mobile driver's license (mDL), i.e. one that is on a user’s mobile phone, i.e. a digital driver's licence, as the future of licensing and proof of identity. mDLs are being actively implemented in almost half of the 50 states, while the mDL Digital Trust Service (DTS) system supports all member jurisdictions in delivering successful mDL programs to their stakeholders. The decision to offer mDLs is determined by each State, based on legislative research and study, particularly in regards to privacy and security aspects.

The few examples above show the interdependent relationship between a trust framework and a national digital ID program - and illustrate the risks of leaving governance and the trust framework as an afterthought. A trust framework ensures that digital identity regulation matches the pace and scope of  national identity's digital transformation. The lesson to any government working towards a national digital identity program is to start working on the governance aspect now!

Because while Europe might be in the middle of its summer of the wallet, we must recognise that this has been preceded by several years building up to the governance which is now finally taking shape.

To recap: National Digital Identity (NDI) systems are rapidly becoming integral components of countries' digital transformation efforts worldwide, with trust frameworks playing a crucial role in their success. As these systems evolve, establishing robust governance frameworks is paramount to ensure security, privacy, and public confidence. The future of digital identity hinges on these frameworks, fostering trust and enabling the widespread adoption of secure, efficient, and reliable NDI systems.