Let’s Talk About Digital Identity with Andrew Weaver, Executive Director of Digital Identity New Zealand (DINZ).

In episode 32, Andrew fills us in on the main trends and challenges for digital identity in New Zealand, its national Digital Identity Trust Framework and the importance of interoperability between identity systems. He also gives us an excellent tip for individuals and organisations on reframing identity, inspired by Māori identity validations – trusting and respecting identities as a precious gift.


“The strange thing with digital identity is most of the technology that’s needed is already there – we’re not really inventing anything new. The key to digital identity working is actually in collaboration.”

Andrew Weaver is the Executive Director of Digital Identity New Zealand, an organisation whose mission is to create a digital identity ecosystem that enhances privacy, trust and improves access for all people in New Zealand.

Andrew is a strategic specialist with over 30 years hands-on management, consultancy and systems development experience built throughout New Zealand, Australia, Asia and the Middle East. He is also an active and passionate supporter of social enterprises and charities working in New Zealand and overseas.

Connect with Andrew on LinkedIn.

Digital Identity NZ is a purpose driven, inclusive, membership funded organisation, whose members have a shared passion for the opportunities that digital identity can offer. Digital Identity NZ supports a sustainable, inclusive and trustworthy digital future for all New Zealanders.

Find out more about Digital Identity NZ at digitalidentity.nz.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

 


 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hi and thanks for joining today. We always are very interested in learning what are the digital identity initiatives around the world. And today, we have a location that is geographically a bit far from where we are in Finland, it’s 10 hours ahead. And today we’re going to talk about New Zealand. And for that, we have a very special guest who is Andrew Weaver. He is the Executive Director of Digital Identity New Zealand, an organisation whose mission is to create a digital identity ecosystem that enhances privacy, trust and improves access for all people in New Zealand.

Andrew is a strategic specialist with over 30 years hands-on management, consultancy and systems development experience built throughout New Zealand, Australia, Asia and the Middle East. He is also an active and passionate supporter of social enterprises and charities working in New Zealand and overseas.

Hello, Andrew.

Andrew Weaver: Kia Ora. [Introduces himself in Māori]

That is just a very brief introduction of me. I’ve just told you my identity. That’s the Māori language, the indigenous people of New Zealand and that’s a traditional greeting. They’ve had that for hundreds if not thousands of years to describe the place that they call home. So, I talked about my mountain, I talked about my river, I talked about the geographic location, then I talked about my family and finally, talked about myself. So, it’s always a good way to start a conversation around identity.

Oscar: Fantastic. Kia Ora, Andrew. Definitely it’s very fascinating talking with you. You started in a very special way. And we want to hear more about you, please tell us a bit more about you how you came to this world of digital identity.

Andrew: OK. My personal background – and I have been working in payments, cards, banking, fraud prevention for too many years to count. And on a couple of occasions I’ve been asked to facilitate some discussions at a conference, banking conference primarily. And then last time I did that, the topic was digital identity. And we had some people across from Canada, Joni Brennan from DIACC, who you’re probably familiar with.

Oscar: Yes, she was here. Yes.

Andrew: Yes indeed. And so she was over and a number of other people talking about this subject of identity, and so with me facilitating, I needed to do a better research and it’s like, oh, this is actually, this is a fascinating discipline, a fascinating area. Obviously, there is a strong relationship with banking and with authentication but that’s just the starting point, the potential is so much wider than that. So yeah, after that experience of meeting some of these great people that are working on some complex challenges and looking to move us forward, it’s like “Yeah, I’d like to be part of that.” The opportunity came up with Digital Identity New Zealand for me to take on a role there, so that’s what leads me here.

Oscar: Great. So you came from mostly payment and banking and that connection to digital identity. And since when you join Digital Identity New Zealand?

Andrew: The organisation is very new. So I’m the first Executive Director, it’s a very grandiose title. But I’m the first person to hold this role. And we started in November of 2018, so just coming out to two years and a month full time. So, yeah, I’ve held the role since it started.

Oscar: Well, excellent. Yeah, I would like to hear for, personally from you and from your perspective being there in New Zealand. What do you feel are the main challenges in digital identity today, and of course, focusing from your perspective there in New Zealand?

Andrew: Yeah, when I came into this role as you typically do, especially from a technology background, you think that it’s technology which is the solution. We need to work on the technology in order to make things better. But the strange thing with digital identity is most of the technology that is needed for it to operate effectively is already there. We’re not really inventing anything new.

The key to digital identity working is actually in collaboration. And when you unpack collaboration, the fundamentals of collaboration involve transparency and trust. And that’s not just between the end-users or the consumers if you like of identity systems. It’s actually between the participants themselves. So, the ability to receive data from another party and be able to trust that data, trust that it’s correct, trust its veracity, trust its origins. So, the mechanisms of trust and collaboration are actually the biggest problems that we have to solve rather than pure technology.

Oscar: Trust and collaboration you mean between organisations and between organisations and people.

Andrew: Yeah. Yeah, exactly that. So, Digital Identity New Zealand itself, it’s a not-for-profit association of member organisations. Basically, it’s a group of stakeholders who have chosen to work together and collaborate. So, we’re not government, we’re certainly not funded directly by government, so we’re an independent organisation. And our members make up these technology providers and developers and the big nationals right through to start-ups, people who are working on your innovative solutions. We have large sort of retail organisations from all of the major banks in New Zealand, Air New Zealand, the national airline and some others with a very large footprint in New Zealand, in terms of customer base but also the number of employees and contractors who are working with them.

And then we have organisations who play the integrator role so they’re either delivering services on behalf of organisations or they’re providing that sort of infrastructure piping of exchanging technology and integration components. And then we’ve got academics as well, we’ve got an academic community so speaking into some of the, I guess the social license, the ethical nature, privacy, those sort of components as well.

So, the organisation itself is a fascinating mix of stakeholders, who have self-identified, they’re all saying we’ve got a role to play in this. And the work of the organisation is helping to collaborate between those organisations to come up with some of those fundamental principles of what does this trust look like and how can we stimulate it, how can we actually get things moving so that we’ve got some action and some real-life examples of digital identity in action in New Zealand.

Oscar: Yeah, definitely. As you said earlier it’s a multidisciplinary collaboration of organisations and people. Excellent. And I know that there’s something that is part of the work you are doing, the organisation is doing is the Digital Identity Trust Framework from New Zealand. Could you tell us a bit about that?

Andrew: Yeah, sure. So, one of our founding members of Digital Identity back two years ago was our Department of Internal Affairs. So they’re the organisation who currently looks after an identity system which is like a portal or gateway to government but they’re also responsible for the birth register and passports and those sorts of things so they’ve got a strong synergy in terms of the authentication and proof.

Now, at the same time that Digital Identity New Zealand started, there was a team within that department who were commissioned with exploring what a digital identity trust framework might look like in New Zealand. So, they’re called the Digital Identity Transition Programme and their role over the last two years has been to gather evidence and to provide advice to government on what government’s role should be in a digital identity ecosystem.

So, the Digital Identity Trust Framework is the mechanism that their group has recommended to government to be implemented. So what that looks like, from a legislative perspective it’s really the start of their journey if you like. The trust framework itself has been approved by our cabinet so it is formal government policy now, although we do have an election coming up, so who knows. But basically what that signals is that next year into the New Zealand Parliament they will introduce a Digital Identity Bill, a piece of legislation which will enable this trust framework.

Now, the framework is about primarily standards and accreditation of entities. So, it’s providing a mechanism for that trust to act and operate. So it’s like the minimum standards of engagement. So, if I’m an organisation who’s wanting to play a role with a self-sovereign digital ID wallet, or if I’m an organisation who wants to integrate my banking service with for instance, information from a government department, then the trust framework and the accreditation mechanism associated with it is the means in which that legally becomes enactable if you like.

So, short story, the current situation is quite fragmented. We’ve looked in detail at some things like banking use cases around anti-money laundering. And just the way the regime is written and legislated at the moment, it doesn’t actually allow easily for an ecosystem approach to digital identity. So, the trust framework is really an enabling piece of legislation which will help in establishing a legal mechanism where different entities can provide those trust anchors and trust mechanisms in this country.

Oscar: So yes. So, its vision is to harmonise this you mentioned fragmentation between the services and these trust anchors, so it’s mostly legal, it’s a legal framework mostly.

Andrew: The trust framework is a legal framework. Yes. It has thresholds in terms of those accreditation – it will have thresholds in terms of accreditation, in terms of meeting the minimum standards of security and also good governance. And it also will provide insight on things like liability. So by trust and identity which has been for instance some of the more complex use cases – if I establish an identity for instance in a mobile wallet in a self-sovereign type situation. And then I used that identity to for instance open a bank account, and subsequently something goes wrong, the identity and proofs weren’t valid or something has happened along the chain, then who is responsible for this?

Is it the bank because they have accepted this digital identity? Is it the provider of the digital identity wallet? Or is it in fact nobody? Have we got a safe harbour type situation where we’re saying that everybody is doing their best, meeting the minimum standards? And if something bad happens then we have rules around recourse which may be a safe harbour type role. So it’s establishing those mechanisms and that’s where a lot of the complexity and the hard work that is still to come has got to be done.

Oscar: Yeah. And just for the benefit of the listeners, and also actually I don’t know those details, what are the main ways of identity for let’s say for people – so there is type of national identity or bank authentication, things like that?

Andrew: Yeah, this is a fascinating discussion amongst the community particularly in Digital Identity New Zealand as a member association. So, New Zealand is one of those jurisdictions like Australia, like United Kingdom, who don’t have a centralised population register which is a natural starting point for a government issued ID, we don’t have that. So, what we have are various proxies to that at the moment, rough equivalents that are considered the highest form of perhaps authentication or validation of identity at the moment.

So that is your passport which is biometrically secure and all of those sort of things and that’s probably the strongest form. We have a driver’s license which has a photograph on it, but the biometrics associated with that aren’t stored anywhere. So it’s just an image. So those two forms of identity really are the cornerstone for establishing anything. Typically, if anybody is asking you for proof of identity, you’re going to come back to one of those two. Now, that creates challenges because obviously not everybody needs a passport because not everybody wants to travel especially at the moment. And more and more frequently not everybody needs a driver’s license.

Or in fact somebody might have had a driver’s license, but then is incapacitated and so no longer can drive. And so no longer holds a license. So we’ve got gaps in that regard. One of the other fascinating arguments and discussions, not arguments, but discussions which has been coming up, is with our indigenous Māori population in New Zealand. So, like a lot of indigenous populations and a lot of colonial situations there have been some historical issues in terms of fairness and justice. There has been issues around land and you’ve got a quite a typical, generally a typical sort of behaviour from colonial powers riding a little bit roughshod over local population.

So, with that comes a questioning of the government’s role. And what is a fascinating aspect in New Zealand with the Māori population just as I said right at the beginning, that introduction at the beginning, that’s called Pepeha. That’s a very short version of who I am. Māori talk about something which is called Whakapapa which is your genealogy or your family line. And interesting in the Māori tradition, it’s traced to back through both parent lines. It’s not matriarchal, it’s not patriarchal, it’s both. And so you have a really rich, primarily oral tradition of whakapapa where individuals can trace back their lineage through their tribal and their family connections through generations and generations.

And so, that’s when you look at it, that’s actually an incredibly reliable form of proving who somebody is. And so we, member organisations, now who are asking the question, you know a government assumes that government is the one that validates identity. So we’ve got people asking the question, “Well who gets to say who I am?” And interestingly in New Zealand context, government is listening to that. So, the starting point in the trust framework isn’t – the government is the only trust anchor, or the government-issued credentials are the only ones that can be validated.

There is a growing awareness and a questioning of how we can integrate other forms of attestation be they traditional tribal communal or even aspects of social validation as well which may come into that. So not necessarily assuming that it’s always going to be a government-issued credential which is just the starting point of your identity journey. That’s quite a fascinating development here and it’s something which we’ve been observing and fostering the discussion on over the last 18 months in particular, and it’s something we’re not seeing a lot of around the world either.

Oscar: Yeah, that’s a very, very interesting case definitely. And you mentioned for instance the passport, the driving license as well as IDs, but there are also some digital IDs that are widely used even also from the commercial side. So there are let’s say web shops are using some identity that is from New Zealand, or…

Andrew: Yes, there are. I mean there’s reasonably widespread use of things like federated identity in New Zealand, we’ve got login with Google and Facebook just like everyone else in the world does. So those sort of aspects of identity which are on the obviously on the lower end of that of the trust spectrum if you like, you’re not looking for digital proof or biometric proof necessarily in those situations. Yeah, there’s a wide variety of what is being used. The government itself has a digital identity service that’s called RealMe that has been one of the key points that the Digital Identity Transition Programme has been talking about because that’s a government sponsored, government-owned initiative.

And you know theoretically there’s a debate about whether you just keep that one system or whether you open it up effectively for competition. And the way the trust framework has emerged and it’s been working effectively is opening up the ecosystem in New Zealand so that RealMe system that the government owns is still going to invest in, but it’s not going to be the only identity system which is available.

One of the keys to that then becomes actually interoperability between different systems as well. So there’s a recognition that choice is important from a customer perspective, so their ability to use a mechanism that they know and trust and are comfortable with. But then the onus then becomes on the integrators and the organisations who hold the data to actually make it available in an interoperable fashion – so not building siloes. That’s probably one of the key challenges that we’ve got in terms of opening up the ecosystem here.

Oscar: Yes and you mentioned that about the Digital Identity Trust Framework, one of the next big steps you said is going to be a bill next year as you mentioned.

Andrew: Yes.

Oscar: What would you say are already some of the big achievements, or some of the biggest achievements?

Andrew: I think it’s recognition of the emerging nature of digital identity systems. So, the trust framework has been written to be technology agnostic if you like. It’s designed to not rely on any particular form of technology for you know and I’m talking from the ultra self-sovereign blockchain through to the centralised ubiquitous, we’re going to come out and they control everything spectrum. There’s a recognition in the trust framework that both of those technologies and that’s in a whole lot in the middle as well. You know we talk about distributed ledger and often conflate it with blockchain but that’s not true at all. There’s a lot of distributed ledger technology out there which is not blockchain.

So, yeah the framework has been written in such a way that we’re not saying that this is the technology, everybody can build this technology. It’s more talking about the principles of security and trust and interoperability. And then whatever standards are necessary to enable that to work. So the standards are more about interoperability than anything else. It’s the ability to exchange the information in a way that both the recipient and the deliverer are aware of what that looks like.

So the trust framework itself, as I referred to earlier, it will work in a concept where you’ve got somebody who is managing their own identity in whatever form, be that a mobile digital wallet that’s not connected to any centralised database and for them to be able to consent the credentials to be shared, it’s designed for that scenario. It’s designed for a data sharing scenario where you might have one organisation relying on data from another organisation and a mechanism to exchange that, exchange those proofs. So, from that sense, certainly it’s looking like it will be an enduring framework, not something which is going to be out of date in a year’s time.

Oscar: Yeah, I think it’s very, very reasonable – keep it open, open to technologies because many of these technologies you mentioned are evolving, as they’re not, for instance, for self-sovereign identity, there is no solution right now. There are several potential solutions.

Andrew: Yes.

Oscar: OK, it’s a good thing that the framework is pretty open, as you mentioned, interoperability is super important. So, definitely it sounds great and wish that this is going to evolve in the way you are planning in the coming years when this is in the hands of people and available for the organisations as well. So I don’t know if you can foresee some interesting use cases that can be also particularly interesting in New Zealand?

Andrew: In New Zealand, well we have the one I referred to earlier where we might have an identity in which the trust anchor for that identity is a tribal authority or a family in Iwi in the New Zealand context. So, an identity which is established on the basis of something which isn’t issued by the government and for that to have equal weight as a government issued credential. I think that’s a fascinating use case particularly when we come into international interoperability, how that’s recognised. And it’s certainly something that we’ve got a number of member organisations who are actively working on that. So that’s something I think we recognise as being a little bit different and a number of our members have had conversations with indigenous communities around the world, around what this might look like in different jurisdictions as well.

Oscar: Yeah, it’s definitely fascinating and really looking promising in the next year when this use case is crystallised, it might be super interesting to know their results and how people really benefitted from that.

Andrew: Cool.

Oscar: Andrew, could you now give us a tip, a practical advice for anybody how we can protect our digital identity?

Andrew: Yeah, absolutely. Actually, what I can do is go right back to my opening, that pepeha. So, it’s really fascinating, and you did it as well when you heard that. You paused, after I said what I said, took it in a little bit and then realised when I explained what it was, it’s like, “Ah, OK, actually that’s quite special.” Now, that happens all the time in a New Zealand context. If that exchange is going on, the pepeha is going on, the very traditional grounding of this is who I am and me sharing who I am. That is given with respect and it’s given with a degree of trust around that.

Now, it’s also received in the same fashion. It’s very rare that you will get an audience or somebody in an audience disrespecting that exchange of information and that’s almost sacred, ritual if you like of establishing who I am and telling you, sharing that information with you. So, it is given with respect and it’s accepted with dignity and respect.

What we talk about here is another, use another Māori word that’s “taonga” which means a precious gift that’s a treasured thing. It’s either a historical artifact but it could be a more ethereal thing. Te Reo, Māori, the Māori language is recognised as a taonga, as a treasure and what we talk about is identity is taonga, identity is a treasure. That’s something precious. That’s something which is deserving of dignity, respect and care and framing it in that way, taking away those sort of ultra-commercial “identity as oil” and all of that sort of language which is used. If we reframe identity as being something which is very personal but it’s worthy of that care, that dignity and respect, it actually changes the attitude of all parties who are involved. That changes the attitude of me as a user and inputting my information. What am I doing with this? What am I giving up by giving up my information here? Is it appropriate for me to do that? Am I taking care of my identity? And by extension my family around me.

And then for organisations, it’s the same thing. How am I caring and respecting for this precious information which is being entrusted to me as a guardian? Am I exploiting that? Or am I actually giving the person who is giving that to me, the agency that trust consenting how that data is used? Am I treating it with that dignity and respect? So, to me, that reframing of what identity is and talking about that identity is taonga, identity is a precious gift. It actually helps us do a better job when we’re making those decisions about what happens in our systems and with the data that we have.

Oscar: Yeah, excellent. Great tip, great reflection definitely, makes me think, I’ll definitely remember this. And thanks for the Māori lessons.

Andrew: No problem.

Oscar: Thanks a lot Andrew for this conversation. It was very fascinating and definitely we like to hear for anybody who is listening to this, how people would like to get in touch with you or learn more about the work that the organisation is doing?

Andrew: Absolutely. Well, we try and keep everything up to date in terms of websites that’s probably the best place to start. That is digitalidentity.nz, so that’s reasonably easy to find. I myself am an active LinkedIn user, so happy to connect with anyone who is interested in finding out more. We do publish research. We have our own webinars as well. So yeah, there’s a fair number of ways that people can interact and share in the journey with us.

Oscar: Excellent. Again, Andrew, it was a pleasure talking with you and all the best.

Andrew: You too. Thank you very much for the opportunity.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]