IGF 2025 - Day 1 - Workshop Room 1 - Launch Award 57 Governing Identity Online - Nations and Technologists

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MILTON MUELLER: Welcome, everyone. This is on digital identifiers, a research project being funded by the Internet Society Foundation, and executed by the Internet Governance Project at Georgia Tech. I want to begin by introducing Upasana Hembram, with the Internet Society Foundation and she will introduce you to the foundation and the way they are supporting research.

>> UPASANA HEMBRAM: Hello, everyone. I thank you for gathering this session, about launching this study on governing online identities. As you all know the fundamental of our digital interaction these days is essentially built on trust. And a lot of it is dependent on authenticating identity, and this involves several complex technical systems that are constantly developed in order to assign and verify identity.

And since these identities profoundly influence how transparent, secure and trustworthy the internet can be, I don't think they should be viewed as merely technologies that run in the background. But as a fundamental instrument of public trust.

At Internet Society and Internet Society Foundation, our vision is an internet for everyone. And we strongly believe that internet should be open, secure, safe, trustworthy, and community-centered.

To our various grant programmes at the Internet Society Foundation, we have been championing organisations and change makers who have been working towards this mission. And specifically, through our research grant programme, we encourage experimentation, innovation and explorations that can help us deepen our understanding of the critical functions that keep the internet running. And also help ID various solutions that can strengthen and safeguard the safe principles of an open and trustworthy internet. We partnered with the Internet Governance Project at Georgia Tech to do just that. Digital identity system, despite the emerging lack of trust in today's digital world happens to be an under studied area of internet governance, but it has deep implications for privacy, security and trust in today's internet economy. Amidst this evolving geopolitical landscape, this study, which has been supported by the Internet Society Foundation's research grant, will examine how private actor led organisations and government, our agencies interact in the global governance landscape to deploy online identity. Our hope for the study it can enhance our understanding of the dynamic that's are involved and what that means for the broader internet ecosystem.

This study particularly looks at RPKI and WebPKI which will be presented by the presenters today. While they aren't eyeball-grabbing headlines, they are particular in shaping some of the most foundational aspects of digital interactions via trust and safety.

Now, why should somebody care about the study and how does it relate to Internet Governance? This study takes a closer look at identity regimes across different jurisdictional contexts and it sheds light how the effects of these different policy options within these jurisdictions have implications on the global internet governance landscape.

The insights are from these different case studies can help us understand why some decisions were made, how they were made, how they were implemented and perhaps what are some of the outcomes they produce.

Which will eventually help us, and especially key decision makers in governments and policy, public policy make decisions on how to allocate resources, investment decisions, et cetera.

Lastly, I would like to close by saying the future of Internet Governance does not mean to be built solely on laws and regulations. It should be to open multistakeholder that truly reflect the public interest and this study tries to go deep into the governance of online identities and does exactly that.

>> MILTON MUELLER: Thank you. Let's go back. That's Karim Farhat up there. He is in the United States and he is a part of the project.

So let me just begin by introducing the basic topic. You see these blobs on the left and that kind of represents objects in Cyberspace. Which could be any number of things. It could be servers, it could be machines, it could be devices, it could be people. And in Cyberspace, you simply don't know what these things are without some kind of identification and authentication system. So we are studying that process and we are looking at it, change the slides, like that?

One of the important things for digital identifiers they require a system of  trust and authority. The interesting thing about Cyberspace is it is changing the authority relationships in new ways.

So where does the authority reside? Who can you trust when you are authenticating online identity?

And so that is three different identifier systems that we have chosen to study. One of them is the RPKI, which is about trusting routing announcements. Another is about

The WebPKI. And another is about Legal Entity Identifiers, a new system being developed by a new international organisation.

I'm going to talk a little about RPKI. We don't have a lot of time. Obviously it's a very complex topic. But RPKI is a way of authenticating routing announcements. Actually authenticating who is actually a legitimate holder of an IP address block. And the Regional Internet Registry issues digital certificates that allow you to authenticate this. And there's been some controversy about how quickly this is being implemented and how effective it is as a method of ensuring routing security.

And so one of the things that interests us is the degree to which governments get involved in requiring or using RPKI. So one of the things we will be looking at is a recent Federal Communications Commission proceeding, which the FCC, for a while, thought it was going to intervene and start requiring RPKI among internet service providers in the United States. And ultimately backed off and decided it didn't have the authority to do that.

But that's one of these ways in which state authority is mixing with the private sector, self-governance authority in the internet community. So we are going to look at that closely.

The eIDAS is another area in which we will be looking closely at the intersection of government power and internet community self-governance. This is the web authentication process. And recently the European Commission tried to intervene in this by saying, we're going to create a European system of digital certificates, and we will decide who you can trust. And they clashed with the existing platform-based trust hierarchy. Primarily centered in the browser manufacturers, that is to say, Google, Apple, Microsoft and so on.

And there was kind of a big political clash over that. So we are going to be looking at that controversy in detail.

And now, I'm going to turn it over to, we don't have time to go into all of this. Organisational identity. I will turn it over to Vagisha Srivastava who is a Ph.D. student at Georgia Tech. And she is handling part of the research on Legal Entity Identifiers.

>> VAGISHA SRIVASTAVA: I believe my colleague is online. We are looking at the Legal Entity Identifiers, kind of a unique choice in our study. This is one of those organisational entity not created by the Technical Community but a top-down approach created by the FSB, the Financial Standards Board in the G20. One that led to this is post crisis, a lack of transparency and verification needed for financial entities was missing. So there was asymmetric problem, that led to market failure, identification and authentication was very difficult.

So the G20 convened. LEI provide that gap, they provide a standardization of requirement for financial entities so that they can be verified, which goes through a list of procedures and check and then they can participate in local transactions and also cross-border transactions. Not so much if you want to make domestic transactions. So they did improve transparency.

You can see the FSB led to ROC, then GLEIF, local operation units. Next slide.

The current status remains that the uptake is a huge one because it's compulsory for any entity that wants to participate in cross-border transactions. But a problem, there's a lot of lapse certificates. Which basically means these financial organisations don't have the incentive to keep renewing. That means the information associated with these identities gets lapsed and therefore it's not current. Which then leads to a problem, which we began, you cannot verify or authenticate these entities with credible information.

So LEI global standards need not just regulatory pressure, but integration for them to keep going and that's what we are focusing on within this study.

>> MILTON MUELLER: Okay. So next we want to bring up Ben Akinmoyeje from Nigeria.

Ben is not a researcher for us, but he is somebody involved in ICANN from the standpoint of Africa. So he has been working with Digital Identifier Policy. Ben, can you talk about your perspective on this for about five minutes?

>> BENJAMIN AKINMOYEJE: Yes, thank you very much. Can you hear me?

>> MILTON MUELLER: We can hear you. Can we bring his picture up on the screen, or is he not showing video?

>> BENJAMIN AKINMOYEJE: Oh.

>> MILTON MUELLER: There we go.

>> BENJAMIN AKINMOYEJE: Yes.

Is it possible for me to share my slides? I have digital slides.

>> MILTON MUELLER: I don't know whether  --  yes, they say you can share your slides.

>> BENJAMIN AKINMOYEJE: Oh, thank you.

Do you see my screen?

>> MILTON MUELLER: No, we just see you, which is perfectly fine, you look great.

>> BENJAMIN AKINMOYEJE: Thank you.

Good morning, everybody. And thank you for the opportunity to have me here.

So I'm going to be talking about the relevance of Digital Identifier at the governance from the perspective of Global South and from Africa.

This space is really dynamic because almost no innovation going on for primary inclusion, access to services and all of that.

And in order to understand what is happening, we at least, I know the continent 4-5 million are yet to have some legal ID they can build access to.

So from that perspective, this huge push for everybody to go online. And there's so much technology optimism.

There's been an interesting project on the continent. First off, when you look at some around this, you will find World Bank has a huge project, identification for development. And it has 49 countries already onboard. And one Nigeria are participants of this. They are really going hard at this and getting more individuals registered. Providing the guidelines so that we can have credible identifications that can work online as well.

Then there's this project, ID4Africa goes across the continent, different national organisations responsible for national identifiers like identification schemes to be onboard.

And then Africa's union has the digital transformation strategy. And fundamental to this is the identification, legal identification across different countries. So they give like a roadmap.

Also regionally like ECOWAS, national biometric ID cards.

So all of, this I'm just trying to show you how very rapidly moving these things are.

AfCFTA Africa Free Trade Agreement, looking to build on digital innovations and trade across the continent. But the major concern is interoperability of this framework with different countries, talking to different vendors, to get the identifiers. So for Nigeria it's been a dynamic, that's where I have this cause, that is my country. There's the national identity management commission. Very big. I have their number, national identity number. Just like the previous speaker said, they weren't motivated. But because of things like security challenges, fraud and all of that, we are mandated for you to have a bank account to mandate register the national identification number. You must have it. Even to have a sim card, you must have this number. On top of that for you to have a bank account you need to have a bank verification card. Over 64 million as of January 2025 have registered. So all of this is important and for it to function you need to have these numbers.

But more interestingly, lately is the Nigerian government just recently talked about digital public infrastructure. This is now bringing everything together. And so there's a framework, I'm going to try quickly. This is the framework. If there's anything I'm trying to say, there are multiple players and there's several incentives for them to participate and to make sure because of the money involved and the bureaus innovation built on this. So now we are beginning to have something called digital identity ecosystems which is putting more things together. And as they build what is it called now, digital technology innovation, to have things happen online. Everybody going online for everything. Examination online and everything. Different things are coming up, even bigger than the banks.

So what are the concerns for people right now is around privacy. There's been some issue. We have the privacy act, cybersecurity laws and all that, and governance sovereignty is huge.

It will keep having more people go online, more identifiers that can be used. These are interesting things we are beginning to see. Recently, the NIBSS, UK-based company to manage the health medical records, create a new identifier. Or patient record. So there's that. Earlier this year there was a big Ponzi scheme where people fell victims and the source of these, the guys who run these systems. So all of this is happening. I think last month the government said they used AI to identify poor people. You wonder which identifier they used. So all of this, going from generally from having ID cards and these ID cards actively becoming online digital tools, I'm sure very soon we are going to be seeing that things that would identify you from your IP address and things like that. I'm sure they are already doing. Really dynamic space. And what everyone is asking for is make all of these interop rate so we use them rather than using multiple layers of this. This is what I think is happening right now and it has great implications for individuals, the economy. Thank you.

>> MILTON MUELLER: Okay. We will go back here to our slides. We are going to open it up for Q&A.

Apparently we have an online question. Karim, can you read the question?

>> KARIM FARHAT: I believe Michael is online. He may be able to chime in directly.

>> MILTON MUELLER: I'm sure he will chime. Michael, keep it short, because we are literally going to get kicked out of here in four minutes.

>> MICHAEL PALAGE: I will keep this short. Elac (?) did a presentation, Carla McKenna who heads GLEIF, she gave a presentation, that's something where your group may want to start some of the research. The second point that I wanted to talk about that I think is very unique about GLEIF, the speaker talked about it being top-down, and it is correct about the original formation. But one of the things that is very unique about GLEIF and Carla, in addition to heading GLEIF USA is also in charge of standards. So most of the work that GLEIF has done from a technical standpoint has been through technical standards bodies. So I think that is something that is important and should be noted. The one other final comment I wanted to make real quick, there was talk about the LEI's. So although an LOU will issue an LEI, when that is issued, it is only issued once to that company.

Unlike in the domain name system, drop catching and people coming back. LEI once issued can never be issued to any other organisation. If that company does not pay its renewal fees they have the ability to get recertified  and then activate that status, all of which is available from the public database. I really think GLEIF and LEI and VLEI is an excellent resource for you to study for this study. Thank you.

>> MILTON MUELLER: Thank you, Michael and we will interact with GLEIF and their principles they are the object of study, not so much the studiers so we will be taking an independent perspective on what they do.

So let me just wrap up here. Are there any other questions?

From the floor here? Anybody?

Let me wrap up, in order to scale in Cyberspace, trust and authority in some sense have to be automated, turned into machine-driven algorithms and decision making. And that means identifier systems are critical to that. These identifier systems are not unified or integrated across all dimensions, including especially the personal.

So when we speak of online identity, sometimes we are labouring under the assumption that there is going to be one identifier that does anything, or everything and anything. And I think what we are learning right off the bat is that different identifier systems are created for different purposes. While in some ways this is messy, in other ways it really does distribute power and allow for more technical diversity and innovation than if you tried to integrate everything into one bit.

So we are in our last 30 seconds here. You really appreciate your attention. Again, this is just the launch of the research project. It really started a few months ago. And we will be doing detailed looks at all three of those identifier systems and trying to understand the underlying political economy of these identifier systems in the context of global authority struggles over Cyberspace.

Thank you very much.

[ Applause ]