Let’s talk about digital identity with Titi Akinsanmi.
In episode 57, Oscar talks to Titi about the various trust frameworks being developed across the world. Titi also explores how the frameworks could interact with each other across borders, how important the frameworks are to ensuring data privacy is upheld, and about the Good ID movement.
“Digital identity is very much at the core of a lot of the adoption of technology that’s happening.”
Titi Akinsanmi is a Public Policy thought leader on the digital economy focused on shaping an enabling environment for innovation. A thought leader, coach and mentor, Titi has served as a Berkman Klein Fellow (Faculty of Law, Harvard University from 2018 – 2020); an advisory and steering committee Board member at GoodID, with the World Economic Forum’s Global Future Council on the Digital Economy and on the strategy and advisory team on Digital Identity.
Titi is a member of the Technical Advisory Group (TAG) on the 4th Industrial Revolution of the UNDP (Africa) and serves on the Presidential Advisory Committee on the Digital Economy (StartUpBill.NG) for Nigeria. She sits on the board of nonprofits like the Alliance for Affordable Internet, Yemi Shyllon Museum of Arts and Junior Achievement amongst others.
She has spent the last two decades – globally – advising, speaking and delivering on laws and policies connecting the public, civil and private sectors. Her expertise is discerning which, where, and how regulations and policies help harness digital opportunities while mediating its emerging tensions, addressing gaps and building sustainable allies. She is the Global Policy team lead for Google Assistant and Hardware having previously led the cluster for the global tech giant as the Government affairs and Public policy lead for West & Francophone Africa.
She holds a master’s degree in Law specialising in Privacy and Cybersecurity (Osgoode Law) and a master’s in Public Policy & Development Management (Uni. of Witwatersrand).
Find out more about Titi at www.titiakinsanmi.com.
Or subscribe with your favorite app by using the address below
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and welcome to a new episode of Let’s Talk About Digital Identity and the focus of today, this conversation, is going to be about trust frameworks. For that we have an amazing guest who knows a lot about this, who is Titi Akinsanmi.
She is a Public Policy thought leader on the digital economy focused on shaping an enabling environment for innovation. A thought leader, coach and mentor, Titi has served as a Berkman Klein Fellow, the Faculty of Law at Harvard University from 2018 to 2020; an advisory and a steering committee Board member at GoodID, with the World Economic Forum’s Global Future Council on the Digital Economy and on the strategy and advisory team on Digital Identity.
Titi is a member of the Technical Advisory Group (TAG) on the 4th Industrial Revolution of the UNDP (Africa) and serves on the Presidential Advisory Committee on the Digital Economy (StartUpBill.NG) for Nigeria.
She has spent the last two decades globally advising, speaking and delivering on laws and policies connecting the public, civil and private sectors. Her expertise is discerning which, where, and how regulations and policies help harness digital opportunities while mediating its emerging tensions, addressing gaps and building sustainable allies. She is the Global Policy team lead for Google Assistant and Hardware and having previously led the cluster for the global tech giant as the Government Affairs and Public Policy Lead for West & Francophone Africa.
She is a Mama of three and a wifey to one. Hello Titi.
Titi Akinsanmi: Hello.
Oscar: Very welcome. It’s nice having you. It’s a pleasure.
Titi: Thank you very much. Thank you for having me. It’s a real pleasure to be able to join this.
Oscar: Excellent, Titi. So let’s talk about digital identity. I would like to hear more, a bit more about you. So please tell us about yourself and what was your journey to this world of identity.
Titi: Thank you very much again. Telling about my journey in itself is a podcast I think. But the short, short, short version of it is this. I recall that in my final year of university, of my very first degree, my very first university degree, I was in a situation where I realised that yes, I was graduating with a first degree. But I had absolutely no idea how to use technology or navigate the world using technology. At least not at the level I thought I needed to be able to do it.
That fuelled a passion in me to one, build up my capacity. When building up my capacity, it became even more obvious that there were a whole lot more people like me who didn’t have the right technical skills and yes, there were a lot more people who didn’t have the right technical skills but there was an endless array of end users who had absolutely no idea around what technology could – you know, the difference technology could make in their life. But more so that there where governments in place that were approaching the adoption, deployment and growth of technology without having the right regulatory environment in place that ensured the user was consistently in the middle of it.
So that’s well quite a bit of work. I ended up in the policy space, the public policy space, the regulatory space, whichever label you want to put on it. And increasingly I began to see for me that you as a user, because of the “non-geographical nature” of the internet and I say that with a caveat. I can hear the technical folks going, “What do you mean it’s non-geographical?”
You could literally adopt a variety of persona, a variety of identities and, you know, concurrent with that was an increase in shift or growth in the use of new technologies that more or less was pulling the world as we used to know it into the digital space. So there was increasing measures around securing your existing personal information, increasing measures around being able to port your data, your personal data so to say, as well as there are human beings who are deciding I’m going to be X, Y, Z in this space but I will be X, Y, Z in that space.
That for me is at the core of all the conversations around data, around privacy. It’s the end user and into the digital space and what they choose to adopt and use it for.
So to some extent, if you are asking, “OK. Tell me about yourself,” I’m a policy wonk. Everything I do resonates and returns to the place of putting in the right structures whether they be policies, regulations, laws, legislations. Find whatever label you want to find for it but ensuring that the digital world cannot just grow and continue to innovate. But that the end user, the consumer, the human being, at least for now, the human being behind it or making use of it does not get lost.
Oscar: Yeah. I think it’s super interesting that even though I think you didn’t study technology, right? But you graduated and you had this interest about knowing more on technology and having this edge. You know, an interest for the ultimate use of end user. So …
Titi: Yes, absolutely. My first degree that I was referencing is not even in technology at all. My first degree is in English, English language with two minors in French and literature. So you can imagine the kind of educational system I was in where yes, I was getting this first degree and I could do amazing things with it. But nobody had thought it was important for me to be equipped, right, with the technological skills that will enable me or create in the years post Y2K and I’m dating myself by saying Y2K.
But that gives you some context. But part of what I did, I am an entrepreneur also. Yes, policy wonk first but I – I’m a Nigerian by birth. So I have the hustle spirit in me.
When that incident happened, kind of what I did was deliberately brought my skills to bear. I made a snack that is very ubiquitous across West Africa – chin chin. I sold those to a plethora of people and I sent myself to evening computer school, which was my first foray formally, post high school where you had to take computer science as part of your course.
So I spent the next what – plus or minus about 18 months in the evenings while working during the day, learning everything I could about the computer – from computer language all the way through to how to be a good hacker, all the way through to the many uses of it. It was in this process that I got connected to what was the World Summit on the Information Society and I actually then led that process from a youth angle and ensured that while policies were being written at the UN level, they were not leaving out – they actually had been. But then they were not leaving out young people who are actually at the forefront of innovating with technology and adopting it and making use of it. Then that’s what has led more or less to this space now.
Oscar: Well, I can see. It’s also entrepreneurial from the very beginning of your professional career.
Titi: Oh, yes. It’s a very deliberate choice. I grew up in an environment with parents, and I’m appreciative of this, they were perfectly imperfect – that consistently demonstrated to us that yes, have an education. But more importantly, and this is the way it’s put in my culture, have skillsets that you can make use of your hands, make use of your physical being, right? To be able to deliver and make sure you can earn and that has paid off for me. So if for any reason this policy side does not really work, I can open up a hair salon. I’d do great with that or I can actually open up a restaurant. I cook great African food.
Oscar: Wow. You have a lot of backups for career.
Titi: Oh, yes. I do.
Oscar: And I’m sure you would enjoy that.
Titi: Yeah, yeah.
Oscar: The way I hear you.
Titi: Don’t worry. When we do eventually meet in person, I owe you a meal.
Titi: Invite me.
Oscar: Thank you very much. Fantastic. Well, fast forward to these times, I know now you are based in Canada and you work with different global initiatives and a lot of it is related to the trust frameworks. So – and these trust frameworks are being developed across the world. So tell us a bit of some insights into what you are seeing right now in terms of trust frameworks.
Titi: I will start by saying this, right, that digital identity has “become increasingly mainstream” over the last what – plus or minus seven years. The conversation has moved away from purely technical spaces or policy-oriented spaces to featuring more in day-to-day conversations and that has meant that there is a plethora of – what do we call it? Digital identity systems that have been developed from Australia to Canada to Sub-Saharan Africa, South Africa, Nigeria, all the way through to Estonia as well.
There have been leaders at the governments or even industries that have developed trust frameworks that enable digital identity. But not all of them have always come from the point of entrenching trust, right, in the digital economy. But before I go here, first, I can hear the listeners going, “OK. So what are you talking about first? What is digital identity? What is a trust framework?”
Digital identity is a set of potentially credentials, things that can be presented in the digital space that helps confirm that you are who you are. So in light of that very simplistic definition, right, we’ve only got so many minutes, a trust framework typically describes a set of auditable, technical or even legal rules that apply to the identification, authentication and authorisation of accessing resources across organisations or across a network, right?
So that such a framework then enables that these systems and the services that they offer can be trusted and ultimately mass adopted, and that’s on the side of those offering particular services.
On the side of the end user, trust frameworks are in place to be able to verify, authenticate that you are who you say you are when you want to access those services. So I will talk real quick around the kind of trust frameworks that we are finding in general, starting with my current home here in Canada.
There’s the Pan-Canadian Trust Framework which is very user-centric in the kind of requirements it has, choosing choice, control. All of it yield on the notion of privacy by design, right? A deliberate inclusion in the design of technology that is privacy focused. Privacy first so to say, which is a foundational element for anything that you’re doing on the platform.
If you look at the PCTF website, that’s the Pan-Canadian Trust Framework website. It says it’s designed for it to be suitable for digital identification, authentication, credential, online credential, authorisation systems, et cetera, et cetera, et cetera and they have put it in place to be used by government entities, citizens or business partners.
So that’s for Canada and I will be very deliberate about not mentioning the likes of the US which has digital identity guidelines and the Federation and Assertions framework, which you can refer. I’m being very deliberate about speaking to other spaces that are not seen as digitally dominant in the digital economy space, right?
We also have the European Union which historically included the UK but, you know, we’re talking Brexit this morning and the EU has what it calls the eIDAS, the electronic identification, authentication and trust services regulation, which has been put in place particularly to regulate electronic signatures, transactions and embeds the processes that provide a safe way for users to conduct business online.
I do know that it was June this year. I believe it was the third of June particularly that they proposed a trusted and secure digital identity which will allow all EU citizens, residents and businesses to be able to link their national digital identities with proof of other personal attributes. So think of your driver’s license, bank accounts, and also be able to access services online without having to use private identification methods or even necessarily sharing any extra personal data.
This is one of the things I’m really gung-ho about when it comes to digital identity and the trust frameworks, is the ability for those who are on the design end of things to put in place technology that then means that I as an end user can pick and choose what credential I’m sharing at any point in time.
The UK has developed its own digital identity and attributes trust framework. Australia has a really advanced one, the trust and digital identity framework. So those are a few that are in place. There are two or maybe three parts of the world I haven’t really spoken to. But there are – so think Latin America, Sub-Saharan Africa and Asia. What’s happening in these spaces around digital identity?
Digital identity is very much at the core of a lot of the adoption of technology that’s happening, a lot of the start-up ecosystem for example that we’re seeing emerge out of Africa. The fintech space is very much built on being able to have what I have defined as the technology behind authentication, verification, access of service, etc.
However, they have not necessarily framed it as, oh, we have a trust framework in place. But the critical elements are being put in place and that for me is really heartening and maybe we will get to it a bit later around being able to ensure interoperability and all of that.
But so far, lots of identity registries have been set up in Sub-Saharan African, which is my heritage where I am from. I always say that I’m a Nigerian by birth but an African by choice and global citizen. Then in Latin America as well because this is central to a lot of the “solutions” that are in place and of course there are flags around from the privacy folks which includes myself, around if we have this ubiquitous collection of data, digital identity, what does it mean for privacy. But I will hand it back to you and let’s take the conversation forward.
Oscar: Yeah, indeed. It’s interesting to- You have mentioned particularly some countries there but let’s say more advanced than others but you also have said that in other countries, the governments don’t mention the words, “this is a trust framework” but there are the elements of that.
What about most of the trust frameworks are seen in a – maybe with exception of the European Union, most of them are just one country. One country completes the project. So now that we are in a time when there’s a lot of business across borders, how will these trust frameworks interact with each other?
Titi: OK. So I will start from this. I’m putting on my Canadian hat now. Yes, the European Union is not one country. But if you look at Canada, for example, which is a provincial system of governance, the provinces actually operate relatively independent of each other, right? If you dig deep, Ontario has its own work ongoing around digital identity, as does the British Columbia, and these are all provinces within Canada. So in as much as you know one is a collection of countries, the approaches being taken in Canada is very similar to what’s being done in Europe, in that these are independent governance structures coming together and actually looking to put in place an interoperable trust infrastructure that backs all of the digital identity being put in place.
The same in Sub-Saharan Africa, the approach is riding off of the African Continental Free Trade Agreement, the digital aspect of it, to ensure that there’s actually interoperability to put the structures, the legal structures in place to ensure that there’s interoperability, even with the basic identity document that you need to be able to carry to move around across the continent.
So, how would they be able to operate so to say? This is where it is important that conversations are not happening in silos, right? And there are trust frameworks that are being put in place reflective of a common agreement. And this is where the question mark is. I know 2020 has been what it is, but part of the proposals that had been put on the table was that there needed to be more conversations, particularly around what you would call the G20 countries, around digital identity, and the tenants that were being put in place that would ensure that if I have a set of verifiable credentials coming out of the EU, they should be presentable when I come to North America. And the same if I come from Sub-Saharan Africa, or even North Africa, I can present it in Asia.
Now if you allow me, I’ll take a quick pause and say that this would have gone a bit slower. But one of, and this is not in any way good or a sign of that the pandemic has been great, but one of the things the pandemic, the COVID-19 pandemic, has forced us to do is not just sit as individual countries and figure out how you can ensure people are safe and steady while not violating their privacy rights, but also for us as humans on this earth to interact and connect a whole lot more.
So borders are finally opening. And as part of that process, I can take my vaccination certification, right, whether it’s a QR code, or you know, it’s just a PDF document, and I can actually present that in other spaces in other countries. And I’m able to- you know, it’s verifiable, because a set of standards have been agreed. And there’s a saying that there’s nothing new under the sun, right?
And it’s not that this has not been done before. I’ll give you an example particularly around the “contentious” vaccinations certifications, or proof of vaccination. As a West African, as a Nigerian by birth, all my traveling life, which now is almost going to 30 years, I have had to carry with me something called a yellow card, a yellow fever card that actually shows my vaccination history, right, helps identify that I am free of yellow fever, right? And I have had to present this for me to be able to either apply for visas, or even get into certain countries, not just on the African continent, but in Europe, in the US, et cetera. Now, that has been put in place. That is a form of physical identity that I believe precedes what we now see with the COVID vaccination. And that’s on the one hand of digital identity.
On the technical side is the ability to be able to connect with particular services, right? If you’re thinking, OK, I want to be able to access XYZ service being offered, or I want to be able to access on the organisational side XYZ users’ data. The ability to be able to then verify this is very much dependent on a set of standards, right, and a common framework that enables interoperability, right? And that can be a really tough call, because, you know, the interpretations around trust really differs across borders.
So yeah, to finalise, I must say that any institution that’s looking at any institution, or even the end user, and you’ll notice I’m speaking a lot from the perspective of the end user, because again, I don’t want us to lose the conversation around trust frameworks, just around the infrastructure, the digital infrastructure that needs to be in place. It’s that for any institution, you know, there are predictions that by 2023, any organisation that wants to be able to instil digital trust and wants to participate at the very least a 15% more ecosystem will need to sign up in one way or the other to a digital trust framework. But I do think the technology is in place, we just need to be able to agree.
Oscar: Yeah, exactly. I think with the examples you have you have mentioned, yes, technology, most of technology is available already. It’s a matter of agreeing between the trust framework between the countries. Something else I would like to – jumping a bit off topic but something I like to hear from you is, as you work closely with data privacy, you have mentioned a few times, and now you are sitting on the board on the Good ID please tell us, tell us more what is Good ID and yeah, how is it spreading the word about this project?
Titi: Yes, I must say, I will start from when I first got the call Oscar that when I was told, you know, “Would you please join the advisory board for Good ID?” The first question I had for them is what do you mean by Good ID? How do you define Good ID? Good ID in one context could be terrible ID in another context, right? But you know it was a good way to step forward. And I will tell you this is why I am open and consistent about supporting and continue to be a part of Good ID.
It is, at the very core of it, best practice with respect to identity management, which promotes the principle of privacy and security. So it’s a practice, it is a movement, a series of conversations, a series of standard setting that pushes for the centrality of privacy and security, either on the infrastructure building side, the digital infrastructure building side, on the end user side, or on the governance side, whether the governance from government or from elsewhere.
GoodID is a valuable identity management approach that allows everyone without restrictions to not just participate, but to play an important role in their own identity management. And I think it’s important to emphasise that each one is able to play an important role, a critical role in their own identity management. So you can think of the gamut of being able to fully grasp as an end user, what digital identity is, and how you can manage it as an end user all the way through to the one who is looking to innovate, to provide some services at any of the parts of digital identity for them to have a full understanding of how they can participate.
GoodID uses the principles of inclusion, transparency, and accountability in entrenching public trust in ID management. And some would ask, “Why is this necessary?” Because you know, there has been the biggest fear is that Nineteen Eighty-four by George Orwell will come to pass, meaning Big Brother will constantly be able to control. Some would say that’s already in place. But I would argue that actually it’s not in place, where we have the biggest concern is that we don’t have enough people who care enough to make informed choices. Most people just want to be able to get along with it, just get it done, right?
So that’s what GoodID is. It’s been around for about three, maybe slightly, like three-and-a-half, four years now. And it’s at a phase right now where we are looking to be able to grow further knowledge on the folks who are doing great work around GoodID. But more importantly, also [unknown] around the adoption of laws that enable digital ID across board. And also, just promoting those who are doing great work in terms of organisations or even individuals.
Oscar: As you said, part of this is educating end users how to take control of their good practices of their identity, whichever tools services are using today. And then it goes to, for instance, helping how to design, how to design application services based on data privacy, correct?
Titi: Yes, correct. And all of this is informed by the fact that, you know, context always differs, such that, the design and the development of one technology is not ubiquitous for the entirety of the world, but that adoption and adaptation would need to happen across different spaces. And that’s part of what makes the conversation really tough around the adoption of a trust framework, right, on digital identity. But because it’s tough does not mean it’s not doable.
Oscar: Yeah, yeah, absolutely. Like with trust frameworks, every country has different reality in terms of the services, both public and private. So it’s… Yeah.
Titi: Yeah, it certainly does. It certainly does. And you know, for those who have an interest I would say that they should go spend a bit more time, just walking through what the Pan-Canadian trust framework speaks to as well as the Australian model, I think those are really interesting models that could be potentially adaptable across various economic environments. Nothing against the eIDAS actually, but it can be quite onerous. That’s the EU trust framework.
Oscar: And GoodID – where is it operating the most nowadays? I guess the idea is to be global, correct? But right now where it has more presence?
Titi: Oh, GoodID is definitely global. You cannot go to a particular office and identify “Oh, this is where GoodID is.” And that’s why I said it’s also a movement. And one of the things I’m really appreciative of is that we’ve had the privilege of being able to curate conversations and influence conversations across the world. So you know, you will find GoodID, if you go to the website GoodID, you will find conversations, you will find articles. You will find resources for Asia, for Sub Saharan Africa, for Europe and for North America, and also for Latin America.
And that’s one of the things that I think demonstrates the need for us to be able to take this conversation and not just have it amongst ourselves, but also help guide those who make the laws, right? I mean, as much as the private sector or even the civil society can be at the forefront of conversations, if we don’t have the requisite laws and regulations in place, or the institutions that are tasked with guarding this, you know, we’re still all just having a conversation and operating outside “the law”. So yeah, you will find GoodID online, you will find GoodID everywhere.
Oscar: Excellent. Just one more thing about trust frameworks, how important are the trust frameworks to ensure data privacy?
Titi: Right. That’s a really good question. A key reason why you would set up a trust framework, right, is to protect data, right? To put privacy practices at the core of it. The goal is to be able to protect the personal information of individuals across boundaries, across digital ecosystem. So if digital identity systems are being designed without an agreed set of standards or principles, right, an agreed set of processes that specify how data should be handled, then we are going to have the big brother state, right?
So I’ll go back to the PCTF. It’s again around instilling confidence of end users that there is protection in the disclosure use of the identity and personal information, while ensuring that secure and privacy enhancing services are readily available, right? So the trust framework is around ensuring that there’s efficiency, that effectiveness is happening, meaning you can do what you exactly you set out to do, either as a service provider, an authenticator in the process, and that, you know, there’s ongoing confidence in digital services being provided. It’s an ongoing work. I don’t think it’s one that you start. It’s about having the right processes and systems in place to ensure that this does not change, and being able to state in really simplistic terms, not just in technical terms.
Oscar: A final question for all business leaders listening to us right now, what is the one actionable idea that they should write on their agendas today?
Titi: Amazing, all business leaders, meaning across sectors not specific to one, it’s this. And you know, this is known, you know, there’s the – it’s not an idea or a thought that they – I assume they would not have had. If you’re going to write anything into your agenda, it’s this: Privacy, data privacy, particularly around personal information is not an issue that will go away. So if there’s any actionable thing you can do, it’s this. The core of innovating either an idea, or a new technology, or delivery of a service, that you put privacy first. That’s one.
How do you put privacy first? It means that you need to be able to sit in the seat of the end user. And that end user could be an individual or actually be another organisation or an institution, and design in a way that trust is strengthened. Meaning I am confident enough as an institution or an individual that when we are having this transaction, when I’m giving you my data, it will only be used for what it’s meant to be used for. It will only access what it needs to access. That’s actionable.
So innovate, design with privacy first in mind, not by design only, but that it’s consistently, iteratively checked against how personal information is being used. Don’t design just for your local context, design in a way that anybody anywhere across the world would be looking to be able to engage with what you’re designing or what you are looking to sell or what you are offering in terms of service or platform. The world is global. There are physical boundaries. But remember, with the internet, the boundary is only as much as we set it.
Oscar: Yeah, I couldn’t agree more, Titi. Fantastic and I agree that privacy first, of course. Thank you so much for this super interesting conversation, knowing more about you, your fascinating stories and the work you are doing about trust framework and privacy. For people who like to continue the conversation with you or learn more about your work, please let us know how we can find you.
Titi: Oh, yeah, you can find me – I will say that for the longest time I hid from the rest of the world behind pseudonyms. But you can find me across all platforms @titiakinsanmi, so that’s @ my first and my surname. And I will tell you, I am a policy wonk. Yes, you will find me speaking of policy but you will also find me sharing about the totality of who I am in different spaces in different ways. You can also find me if you want to have a chat a bit more professionally, yes on www.titiakinsanmi.com. Thank you, Oscar.
Oscar: Fantastic. It was a pleasure talking with you, Titi, and all the best.
Titi: Thank you very much, Oscar. Have a really great one. Thank you, listeners.
Oscar: Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]