Robust standards can provide a foundation for privacy and trust — the two essential cornerstones of the Canadian data economy. A very promising standards-based solution is the development of Personal Digital IDs, which link physical people in the real world to their online activity. While this concept raises inevitable questions of data security or privacy, Digital ID systems actually enhance privacy “[by putting] greater control of identity back into the hands of the consumer…. unlike physical documents, a digital ID can be standardized and used between entities with the ability to adapt by adding new information. Moreover, only one version of your identity exists, significantly reducing the potential for misinformation, identity theft, or the use of outdated data that does not reflect your current identity….”
Countries like Sweden and Estonia have been using digital IDs for years. According to Sweden’s Agency for Digital Government (DIGG), the “Swedish eID system is a success story. Most citizens have an eID and over 4 billion transactions in various private and public e-services are made every year.”
The Digital ID and Authentication Council of Canada (DIACC) has taken a leadership position on this front by establishing the Pan-Canadian Trust Framework (PCTF). Its mandate is to provide a set of best practices and standards that support open government principles and enable Canada’s full and secure participation in the global digital economy by leveraging Digital Identity and Authentication. In October 2019, DIACC published results from a pan-Canadian survey it conducted on digital identity. One key finding of this survey was that more than 70% of Canadians want to see governments and the private sector come together to collaborate on a joint-digital-identity framework in Canada. Such a collaboration could enable increased and inclusive access to government benefits, healthcare, e-commerce, and financial services.
(Extract from: Imperatives for the Canadian Data Economy, January 2020)
The Digital Identification and Authentication Council of Canada, known as the DIACC, is a non-profit coalition of public and private sector leaders committed to developing a Canadian framework for digital identification and authentication.
The framework is intended to enable Canadians to completely and securely participate in the global digital economy. The objective is to establish a robust, secure, scalable, inclusive, and privacy-enhancing digital ecosystem. Together we can unlock opportunities for Canadians, decrease costs for governments, consumers, and business, improve service delivery, and drive GDP growth.
Recently, Rob Davidson (Director, Data Analytics) of the Digital Think Tank by ICTC had a talk with Joni Brennan (President of DIACC) about DIACC’s Pan-Canadian Trust Framework (PCTF 1.0 — launched in September 2020).
Rob: How would you explain DIACC’s trust framework?
Joni: The PCTF 1.0 is a first of its kind framework, as it has been developed in collaboration with the public and the private sectors to be built around people and the organizations that they represent.
It is the first of its kind for that kind of collaboration. It is the first of its kind also because it is focused on the economic and social-benefits drivers that are important for Canadian prosperity. The framework provides structure and guidance for assurance practices in the verification of information of people, organizations, and the relationships between all parties. The framework itself is technology and model neutral. The framework references different technologies based on the kind of risk profile that is associated to the transactions that would be performed. So, the framework has application, whether you are looking for a classical federated network or whether you are looking at a permissioned network or an operator network like Interac or the Verified.Me solution. And it also provides application to distributed models such as self-sovereign identity. The framework is most powerful for the verification of assurance that information is valid and subsequently how that information gets into a different technology stack.
Rob: Who are the key partners and first movers working with DIACC on the framework?
Joni: The key partners and first movers on the public sector side are provinces including British Columbia, New Brunswick, Ontario, and Saskatchewan. From the federal government side, the Treasury Board Secretariat, and ISED [Innovation, Science and Economic Development] are engaged in the trust framework development and adoption. Key partners from the private sector include our major financial institutions, our payment network, Interac, and the telecommunications sector through Telus. Governments have recognized the value that the framework can bring, and they are seeking to ensure that their capabilities will work within the economy. Public sector stakeholders are signaling delivery of new and enhanced identity related services within the next 12 to 18 months. Also, in the context of smart cities and smart municipalities, we believe that we are going to see more and more investment on that front. What we are seeing in the ecosystem in terms of smart municipalities and smart health connects strategically and operationally to needs regarding COVID-19 and in the context of the related challenges. Ultimately, the Pan-Canadian Trust Framework is not the solution to our challenges, rather it is a critical tool to help to ensure that smart cities, smart health, and AI will respect people’s data while empowering them with the ability to use that data to their own benefit.
As an organization, DIACC is technology agnostic and we work to address the needs of networks built on myriad technologies with specific governance models applied. Our key objectives are listed in the Five Year Strategic Plan that DIACC released in October 2020. Through the next five years, we see that information verification networks will play an important role in the digital transformation. One such example is the emergence of 5G for telecommunications. The intersection of 5G and identity verification will play an important role in ensuring that smart cities are ethical and secure. Making the Canadian Digital Charter real across different networks, using different technologies and enabling identity verification and information assurance are critical pieces of the digital transformation puzzle.
Rob: Outside of the financial industry, are people understanding the importance of assurance?
Joni: Some progress has been made and there is further policy and technology alignment possible in finance as well, especially in terms of fully enabling digital and remote fulfillment of Know Your Customer and anti-money laundering requirements. For government service delivery, there is a delicate art of assurance that was challenging to fulfill with technology alone: progress depends on processes and policy. Our members are keen to demonstrate, implement, to reduce uncertainty by showing how emerging finance-related services and solutions work.
Regarding assurance, we are developing a new module for the Pan-Canadian Trust Framework TM that provides a layer called Vectors of Trust, a model adapted from work happening in the international Internet Engineering Task Force (IETF).
Information Assurance is a complex topic. When models try to consolidate assurance into one-to-four static measurements, the results may have the effect of hiding the weakest parts of a complex transaction. This innovative assurance trust model is an essentially overlay that would create an assurance scorecard that would help organizations that are consuming services, to make informed decisions about whether to accept a transaction that, for example, may be strongly proofed but has a weak credential or, alternatively, a transaction weakly proofed but has a strong credential. The current Levels of Assurance models do not provide that kind of contextualized capability visibility.
Rob: What do you think will be the most important economic impact that digital IDs will bring to Canada?
Joni: Our conservative estimates suggest digital IDs can unlock 3% to 6% of GDP. That is around $48 billion to $97 of unrealized potential. What is the basis of the estimate? It is made up of reduced fraud coupled with process and transaction efficiencies accrued. For example, with secure and privacy-respecting digital ID, the efficiencies of a tell-us-once approach could be fully realized. Pre-pandemic, the most talked about use cases involved conveniences that could be realized through strong identity services for cybersecurity and frictionless identity for consumer interactions with businesses. The pandemic has changed the conversation by bringing forward the importance of identity services for the remote- and tele-workforce. Remote and tele-workforce capabilities have significant economic impact while improving national security protection. Ensuring the economy can adapt in trying times, like the COVID-19 pandemic, is part of the promise of a PCTF.
Rob: In February 2020, DIACC partnered with Canadian cybersecurity cluster organization In-Sec-M to create the Digital ID Lab. Can you tell us about the lab?
Joni: DIACC will launch the PCTF trustmark program “Voila Verified” in 2021. The Voila Verified trustmark program requires accredited information security auditors and an independent laboratory. DIACC co-founded the laboratory to establish an independent body that could provide qualified reports regarding the verification of a product or service’s technology deployment. A PCTF Voila Verified trustmark is issued based on the reports of DIACC Accredited Assessors, including the laboratory. DIACC is our expertise and strategic hub and best practices body. The lab is a critical technical tool that enables entities to sandbox around code that is guided by PCTF among other industry, national, and international standards and practices.
Rob: Last question, what is next for the trust framework?
Joni: We are evolving and refining the next iteration of the framework, guided by member and marketplace priorities. Specifically, some members are working to deliver a PCTF component to guide Digital Wallets implementation. More generally, the PCTF is undergoing alpha testing, performed by the public and private sector. They are testing the framework to make sure it behaves the way that DIACC members had prescribed it to. Based on the alpha testing, DIACC will determine if any adjustments need to be made. We adopted an agile revision cycle based on what we learned to launch the trustmark later in 2021 based on a diversity of public and private sector input.
As President of the Digital ID & Authentication Council of Canada (DIACC), Joni builds on nearly 20 years of experience in digital identity innovations and standards development. She helps DIACC to fulfill its vision of unlocking interoperability of public and private sector capabilities through the establishment of an identity trust framework that will grow Canada’s economy. Joni builds impactful relationships and formalizes strategic partnerships between organizations. She serves as co-Chair of Working Group 1 of the Standards Council of Canada’s Data Governance Standardization Collaboration. She has participated in committees and initiatives around the world, including OECD-ITAC, ISOC, IEEE, OASIS-SSTC, ISO SC27 WG5, and she has testified before the US Office of the National Coordinator for Health Information Technology Security and Privacy (ONC HITSP). Joni is recognized as a One World Identity top 100 global influencers of identity.
Before joining DIACC Joni was Kantara Initiative’s Executive Director driving programs for business, legal, and technology interoperability to connect entities and individuals in a more trustworthy environment. Joni led Kantara Initiative as the United States premiere trust framework provider, delivering value to multiple industry sectors. Joni helped to ensure that Kantara Initiative’s program aligned with multiple eGovernment strategies from economic regions, including Canada, New Zealand, Sweden, and the United Kingdom.
Joni Brennan previously served as the first-ever IEEE-SA Technology Evangelist for Internet Identity and Trust, focusing on issues of governance, policy, and technology development that touch digital Identity, personally identifiable information, and trust services.
When not connecting the digital identity world for the better, Joni can be found creating through future-thinking musical collaborations. She can also be found skiing in beautiful British Columbia, Canada.