Every day, we exchange information in countless ways. Some of this interaction happens between people – for instance, attending a panel to discuss policy decisions – while other times it occurs between systems, such as when we buy a specific product online.
At the heart of these exchanges is one key principle: Trust. Do we trust the information being shared? Do we trust the way it’s being shared, and the person or system sharing it? And, perhaps most critically, do we trust how it’s being verified?
Trust is inherently complex — traditionally gained and maintained through repeated, reliable interactions. Yet, in today’s fragmented digital landscape we face significant challenges in understanding and evaluating the provenance of data – that is, the source of the data; how the data has been captured, stored and shared; and whether the data has been modified in any way.
As digital public infrastructure gains popularity, this trust becomes even more critical, with important information of all types being stored – and shared – across national data exchange systems and beyond. While particularly important for sensitive, personal information related to identity (one of the pillars of DPI), trust is the foundation for the functional digital ecosystem promised by a DPI approach.
This is where verifiable credentials can be helpful.
So, what are verifiable credentials?
A verifiable credential is a digital representation of information or an identity that is securely issued by a trusted authority and can be verified independently. It is a way of verifying claims about people, organizations, or objects without needing to rely on a central authority for verification every time the information is shared.
For example, a digital diploma or a digital ID card could be a verifiable credential. Instead of relying on a third party (like a university or government agency) every time someone needs to verify your credentials, the verifiable credential itself contains the necessary information and cryptographic proofs to confirm its authenticity.
For example, a verifiable credential approach might be used to:
- Prove key aspects of a person’s identity, including name, age, and citizenship
- Verify the provenance of a free trade good
- Provide medical information
- Provide proof of being able to rent a dwelling
- Verify academic achievement levels
- Satisfy requirements to open a bank account
- Provide proof of product shipment/reception
- Allow access to a benefit or service
In short, verifiable credentials allow people and systems to exchange trustworthy information securely and efficiently without relying on intermediaries.
What are the benefits of verifiable credentials?
The verifiable credential model provides several important benefits, including those for individuals, organizations, and the entire data ecosystem.
They foster higher levels of trust than paper credentials alone.
Verifiable credentials are secure and tamper-proof, meaning that both holders and reliant parties can have confidence that the credentials are accurate and trustworthy. This can help avoid instances of doubt and protect against the risk of fraud – a benefit for both parties involved.
Verifiable credentials promote inclusion for people across the world.
Verifiable credentials make it easier to distribute important data assets to people across the world – especially important when dealing with sensitive information. Take the European Union’s Covid Green Pass. During the height of the Covid 19 pandemic, this digital credential allowed people from across the EU to securely verify their COVID-19 vaccination records within any country in the bloc – fostering equal access for people across the region.
They are expansive and reusable, leading to greater opportunities.
Verifiable credentials can be created for many different types of data assets – making it easier and more efficient to verify personal information across different levels, sectors, and situations. This can include instances as simple as proving you’ve purchased a movie ticket or as important as providing a citizenship document and health information. In many cases, these credentials – like a driver’s license for example – are reusable and multipurpose, meaning they can be verified across different situations – whether applying for auto-insurance or verifying one’s identity at the airport.
With thoughtful design, verifiable credentials can help preserve privacy.
When a person uses their verifiable credentials, there are privacy benefits. For example, if verifiable credentials were being used to satisfy Know Your Customer (KYC) requirements to open a bank account, neither the government who issued a government ID verifiable credential or the utilities company that issued a proof-of-service verifiable credential know that those are being used to open a bank account, let alone which bank at what time on which day.
In addition, some forms of verifiable credentials support additional forms of privacy. For example, these assets can be designed to share only partial information, like the fact that someone is over the age of 18, without sharing their actual birthdate. Other approaches, such as pairwise-unique identifiers, are also supported to help limit two reliant parties sharing information with each other without the user’s consent.
Along with these benefits, there are also challenges to consider.
When creating good DPI, well-designed technology alone is insufficient; digital systems must be accompanied by effective policy, governance, and safeguarding mechanisms. In this context, verifiable credentials are no different, and there are several key considerations decisionmakers should take into account when using them.
A whole-of-ecosystem approach is needed to ensure trust and mitigate transactional risk.
As the stakes in any given transaction increase, the associated risk increases. All participants want to have confidence the exchanged data is correct. The subject wants to know with whom the information is being shared and for what purposes. Laws and policies (such as GDPR) play a key role in understanding and managing these risks.
However, there needs to be a confluence of technology, policy, regulation, and enforcement for these risks to be properly and appropriately addressed.
Increased responsibility requires digital literacy.
When systems hand people more control over their own data, there are a lot of potential benefits. At the same time, this also creates new responsibilities for people. As data holders, they must make decisions about how much data should be shared – and with whom.
These responsibilities and considerations foisted upon the holder, especially when sharing sensitive personal information, can create an increased cognitive load. And, at an even more basic level, a base digital literacy is needed to effectively interact with these technologies in an informed manner.
Some schemes approach this issue by hiding as much of the details as possible from the holder of the technology. In some cases, such as quick age verification, this works just fine. However, the more details that are hidden from the holder, the less control they actually have. So, there’s a delicate balancing act that needs to be maintained.
Policy and regulation are needed to protect against power differentials.
We exchange information with different types of reliant parties every day, including shopkeepers, online service providers, our employers, and more. In real-life interactions, we are generally only asked for information that is both reasonable and necessary. To ask for anything beyond that would slow down or potentially block the transaction.
A vibrant verifiable credentials ecosystem potentially tears down these barriers to asking for too much information. When a reliant party has a reasonable expectation that the holder can easily provide information that wasn’t previously available, there is an incentive to do so. We’ve seen this happen with large scale national identity systems such as Aadhaar, where companies have sometimes asked (illegally) for their patron’s Aadhaar number without a sanctioned need for that information.
If not properly protected against through both regulation and enforcement, this can create a situation where those with less power and choice are taken advantage of by a system meant to provide them with more autonomy and control.
Technology and infrastructure barriers can inhibit uptake.
Some of the largest barriers can be in infrastructure and the cost and availability of technology. While there are techniques that allow for verifiable credentials to operate in low-resource environments, most tools assume a certain level of connectivity both in terms of power and Internet. The more advanced features of verifiable credentials cannot be run directly on many feature phones due to the requirements needed for the advanced cryptography that makes them possible (though that functionality might be handed to a third-party like the telecom with some loss of holder control).
These requirements vary based on the exact form of verifiable credential that is used and will need to be considered for the specific use cases and context of the project.
What might the future look like with verifiable credentials?
By capitalizing on the benefits that verifiable credentials offer – while also mitigating the risks, these assets can promote a future that supports individuals, governments, and markets.
For people, verifiable credentials can foster increased opportunity, allowing individuals more control over their personal data. For example, a recent graduate moving to a new country would be more easily able to verify her academic and professional certifications – potentially making it easier to secure a job.
For governments, verifiable credentials can promote greater ease and efficiency, resulting in better public service delivery. In practice, this might look like a government agency issuing identity documents digitally, making it easier to distribute aid following a natural disaster or provide public benefits.
For markets, verifiable credentials can be important boosters of innovation, increasing GDP and reducing friction. For example, verifiable credentials can advance cross border trade, making it easier for a company to prove authenticity of itself or its products, thus speeding up clearance processes and cutting down on transaction costs.
Together, these innovations can advance a more interconnected future – where verifiable credentials make life easier and better for people across the world.
Verifiable credentials can be useful across sectors and situations, especially in the context of DPI.
Verifiable credentials offer a powerful tool for issuing and sharing data in a distributed manner, while respecting rights and privacy. As with other innovations, the technology in and of itself is not sufficient to generate the desired outcomes. It requires a coordinated effort across the technology, policy, regulation, and enforcement to have effective governance and positive outcomes.
As governments undertake their DPI journeys, verifiable credentials offer a pathway toward maximizing the value of data for people – across sectors, use cases, and regions. Further research and learning are needed to understand their full impact in the context of DPI.
