Who can you trust?
Digital identities promise to help with the age-old issue of trust in diffuse supply chains says World Economic Forum
Global supply chains involve millions of transactions every day, all around the world, often based on trust. The World Economic Forum has been looking into how this increasingly data-rich digital system operates. How do you make sure that every link in the chain is doing what it is supposed to do? Who can you really trust?
According to a major new report from the World Economic Forum (WEF) called: “Inclusive deployment of the blockchain for supply chains: Part 2 - trustworthy verification of digital identities,” global supply chains are becoming increasingly digital and peppered with a wide range of intricate transactions.
“At the core of each of these digital transactions are trust-based interactions with partners,” says the WEF. So … “organisations need a comprehensive system for the verification and management of digital business identities that is both dynamic and trustworthy”.
Online business moves fast, and companies need to feel confident that they are working with a stable of reliable on-screen partners … people who will bring high levels of certainty, credibility, conviction and dependability.
There is no easy way to do this: “Current digital identity management systems are costly, inefficient, and may not be sustainable,” says the report in its opening pages, which is why WEF has decided to get the bit between its teeth and try to help. Is there a systematic way of working that could help?
The report investigates the possibilities enabled by a digital Global Trade Identity (GTID) for legal entities participating in global supply chains, which it deems “a necessary step in digitising global trade”.
Despite recent improvements in digital identity verification systems, they need further development to support the supply chains of the future, says the WEF.
Big changes are coming. There will be: “New demands on the digital identities of legal entities” and new “possibilities for supply-chain organisations will likely be ushered in by the Fourth Industrial Revolution”. Look out for paradigm shifts “enabled by the Internet of Things (IoT), artificial intelligence (AI) and, in particular, distributed ledger technology”.
According to the report: “The pace of development is faster than ever before, and decision-makers need to re-evaluate the systems they have in place to manage digital identities. As digital business interactions flow across borders in international supply chains, there will be many cases in which parties do not know each other before they conduct business together.”
Of course, businesses work best with partners they can trust and people they know. It’s an age-old truism. The trouble is that online trading means making new networks fast, often in parts of the world that are unknown. This is especially so in times of disruption, such as after the outbreak of the pandemic, when many had to scramble to find new suppliers or transportation partners.
The answer, according to the WEF, lies in a “Digital identity,” which “ensures integrity in connecting the physical and the digital world.”
“In global digital supply chain transactions, it is essential for a legal entity to prove its own identity and check those of other parties, each of which requires a unique, verifiable and authentic digital identity.”
It’s one thing to state this, quite another to do. The WEF focuses on the possibility of: “Digital Global Trade Identity (GTID) systems for legal entities participating in global supply chains.”
A proper GTID should: “Enable any supply-chain partner to dynamically validate the trustworthiness of a legal entity with which it is about to engage in a business interaction.”
The report goes further, suggesting that: “A GTID is (now) a prerequisite for the efficient digitisation of global supply chains and supports the digital era’s increased focus on optimising a business’s environment instead of organisation-centric optimisation.”
In other words, look out into the world and find new opportunities. Use modern technology and don’t focus on your own internal processes.
“Decentralised identity systems hold a unique opportunity for global supply-chain organisations and governments to create GTID systems that cater for future supply chain interactions,” argues the report.
However, WEF is also quick to point out that “decentralised identity systems are not yet ready for general use due to business, regulatory and technology challenges … but both the public and private sector can position themselves for future success.”
According to WEF: “New technologies and current advances in IT are providing new paradigms in understanding how organisations can collaborate without relying on a trusted intermediary.” These changes may well “bring about transformative changes.
“Decentralised ledger technologies such as the blockchain are transferring the authority, risk and reward – of defining and enforcing system rules and record keeping – from a central entity to a group of entities of which none has controlling power”.
Businesses are working in cells, coming together in a common cause, without ever having physically met or talked to each other and each participant needs to be as disciplined and trustworthy as the rest of the chain. There cannot be a weak link.
Transactions and their details are being recorded in multiple places at the same time, without a central database or administrator, and it is the blockchain that effectively provides “trust” between and amongst these unknown parties. Systems like these now “transact business and exchange information without an intermediary, while ensuring data integrity and providing a full audit trail,” says WEF.
According to the report: “The technology underpinning GTID is the foundation for enabling the dynamic validation of trust globally, but there are many other non-technical considerations that contribute to the trustworthiness of an entity, including procedures for issuing and proofing identities, how IT systems are secured, how companies are managed, company ethics/cultures etc.”
These other, “non-technical” factors are just as important, but they are things to be verified over a longer period of time.
“Today, most identity systems exist in isolation,” says WEF. “Different public and private solutions record and maintain identical identity data potentially hundreds of times over, and are not interoperable, creating a significant amount of redundant identity information. This is a waste of resources for the network in question. They are difficult to scale and they are buried in error-prone and paper-heavy processes.”
A shared digital identity is the way to go, suggests the report, adding that: “The case for robust and scalable GTID becomes clear when considering the advance of Fourth Industrial Revolution technologies.”
As things develop, “future supply-chain transactions and business processes might be handled by autonomous software agents (ASA) and IoT, dynamically interacting with various parties on behalf of legal entities, so placing greater emphasis on the seamless verification of identities”.
This new digital era will “require enterprises to rethink many aspects of their business models. Several enterprises in global supply chains have already moved their digitalisation focus outwards towards the business networks of which they are part. A GTID should enable identity verification that can be more efficient, scalable and sustainable and therefore support digital optimisation of business networks”.
Let’s look at some of the identity systems out there:
Centralised identity systems
In a centralised identity system, the provider, such as a government’s trade department, establishes and manages a service consumer’s identity, as well as its related data.
“Digital identities are currently mostly governed centrally, in isolated architectures,” says WEF. “A legal entity, typically, must prove itself to each service provider to create its digital identity.
“Under this system, the service consumer has almost no ability to manage its own identities and related attributes and must abide by the service provider’s terms and conditions in order to establish and maintain its digital identity.
“It must rely on the service provider’s processes and trust the service provider can handle its identity securely, which puts obligations on the service provider and requires investment.”
The trust factor in this model relies on “the service provider guaranteeing the identity of network participants, thereby acting as the central third party that facilitates trust among otherwise unknown entities”.
So, how does this work? “In a business network where supply-chain actors are interacting with multiple digital services, these actors need to repeat their registration activities for any digital service they intend to use.
“For example, if a shipper/exporter uses its third-party logistics provider for documentation management, does ocean freight shipping for one trade lane with ZIM, which uses Wave’s blockchain-based bill of lading solution, and deploys CargoX’s blockchain-based bill of lading solution for all other trade lanes, this means that it should repeat the identity process across all solution providers …” over and over again.
“This is cumbersome,” criticises the WEF, “requiring identity and security experts in place across processes and entities, and duplication of work at each service provider. Handling trust multiple times across all supply-chain solutions results in hidden overhead costs within the supply chain.”
However, it must also be recognised that: “Today, centralised identity systems are mature, with well-defined standards and processes, which is probably why current providers of blockchain solutions mostly depend on centralised identity systems.”
Federated identity systems
Think Facebook and Google on this one - global platforms where “Identities are trusted by many apps through standardised protocols. Federated identity solutions have emerged to reduce the burden of registering digital identities at each service provider. In a federated system, two or more centralised system owners establish mutual trust, either by distributing components of proofing and trust, or by mutually recognising each other’s trust and proofing standards.
“As a result, the identity role is shared among multiple institutions and enables domain-to-domain trust.”
However, the lack of visibility is a real obstacle in a federated system. “The International Port Community System Association (IPCSA),” says WEF. “For instance, has created a Network of Trusted Networks, enabling the Port Community Systems (PCSs) to trust each other, relying on the authentication of a separate PCS to identify a new user. IPCSA’s track-and-trace infrastructure makes it possible to receive information not only from the PCS in the region but globally from other PPCSs.”
Staying legal is key
The legal framework around the question of trust in a global supply chain is in its infancy. There are still a host of problems to overcome.
According to the WEF: “The use of digital identity systems in global supply chains is an inherently cross-border (activity), which means parties operate in multiple jurisdictions.
“At present, national legal regimes take divergent approaches to legislating for /regulating digital identities, (so) several legal issues arise.
“For instance, which law will apply to establish the validity of a contract and to an arbitration clause contained in an email exchange?
“Decentralised systems can encourage the development of digital identity. However, where existing laws and regulations have been drafted to consider digital identities (e.g. the eIDAS regulations in the European Union), they have tended to be drafted with a traditional view of data and digital identity – i.e. based on centralised, rather than decentralised systems.
“This means the regulations are not fully consistent with a decentralised system … therefore organisations could miss out on a potentially promising archetype.
“A possible solution lies in formulating uniform legal rules across jurisdictions on a global scale. Efforts aimed at creating an enabling legal environment for electronic exchanges across borders is work-in-progress. Useful pieces of legislation already exist.
“Some of them may be found in recent free-trade agreements and others in the United Nations Commission on International Trade Law (UNCITRAL) texts.
“At the same time, it is important to update work while considering emerging concepts (e.g. identity management) and emerging technology (such as the blockchain).
“Finally, the liability for systemic failure needs to be clear. Where the identity system is powered by a permission-less decentralised network, there is no single centralised operator of the network. There are also no legal acts or precedents answering the conflicts of law issues inherent in a decentralised system.”
In truth, many organisations use a mix of systems. As that wise old saying goes, never put all your eggs in one basket. That would be putting too much trust in just one way of doing things. As we said at the start of this article: It’s all about who to trust.
For more information on the WEF and the work that it does, please go to: www.weforum.org