Let’s talk about digital identity with Kalev Pihl, CEO of SK ID Solutions.

In episode 93, Oscar is joined by Kalev Pihl, to answer ‘What are the cultural aspects of digital identity?’  They delve into the role of culture in shaping digital identity and how digital identity is being treated as a detached technology, without considering cultural differences. Alongside discussing the challenges in recognising these cultural aspects, as well as sharing some of the solutions at have successfully prioritised the human aspects of digital identity.

[Transcript below]

“We have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world.”

Podcast episode 93 guest Kalev PihlKalev has worked with digital identity over 25 years. Started with the topic in governmental side preparing Estonia for electronic identity on national identity card. Has since worked in financial sector and in Microsoft. Last 15 years he has been CEO of SK ID Solutions – trust service provider that serves digital identities in Estonia, Latvia and Lithuania.

Connect with Kalev on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 93.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining a new episode over Let’s Talk About Digital Identity. What are the cultural aspects of digital identity? So that’s definitely a good question and very relevant questions and this is one of the questions that our guest today is going to answer.

Our guest today is Kalev Pihl. He has worked with digital identity over 25 years. He started with a topic in governmental side, preparing Estonia for electronic identity, or national identity cards. Since then, Kalev has worked in the financial sector and in Microsoft. During the last 15 years, he has been the CEO of SK ID Solutions, a trust service provider that serves digital identities in Estonia, Latvia, and Lithuania. Hello, Kalev.

Kalev Pihl: Hi, Oscar.

Oscar: It’s nice talking with you, Kalev.

Kalev: It’s been a while.

Oscar: Yes, Kalev. So, let’s talk about digital identity. And the first thing we want to hear from our guest is something about yourself and especially your journey to this world of digital identity.

Kalev: I think of the journey to digital identity for me went through this very physical, governmentally controlled national identity. So that was my starting point. And I guess that’s where I’m a bit stuck with my mindset as well, sometimes. And this is my limit. But that’s how it started.

So, it started from the idea that in the world of physical human beings. Governments tend to have this role in society to name, number and identify the residents, they treat as their residents of the country, we are speaking about.

And whilst we have probably different other nicknames in different other societies. And somehow, globally, these governmental-issued identities have become the norm of; How do we know each other across the world. How do we identify the people whom we don’t know beforehand. So, I think from that angle, I’ve stuck with the idea that governments have the role of naming and identifying who we are.

Oscar: Yeah, indeed. I think it’s – I mean, in my view, probably in the constitution in most countries, I’m not a lawyer, but I’m sure it’s written in some of the laws. So that’s one of the functions of the government. And yeah, and that has been translated in our very, let’s say, not very recent time. But talking, especially in the last maybe 20 years that we have such digital identifications, like Estonia is pioneering and in a few other countries as well. It’s pretty digital, pretty well-established.

Kalev: Yeah. I think that the – for the beginning of any country or state in the physical world, some limit, some borders, what is the ground they own. Then we are talking about some legal framework, what is the agreement. Then we need to know; between whom is the agreement? And those are then the human beings in the society, and that’s kind of what every state or country is made of, I would say.

And that’s something that if we go now, from this real-life identity and tried to tackle the digital identity, the idea. Then there are two kinds of attitudes. One is that digital world is borderless, global or universal even. And therefore, doesn’t require and there’s no relation to any, these kind of physical limitations and countries, states and therefore, like no borders, no anything. And then the other is that it is just – it should be, is and will be always a reflection of something that physically makes sense. Only then it becomes meaningful in a larger context when it is physically meaningful.

So, I think that’s one of the staring points if we say that there is point to the cultural differences. Then the culture that we started off is clearly not so much digital, but rather what is the culture before any digital and then definitely, we have different digital cultures as well.

Oscar: Yeah, yeah, that’s true. Every country has internally a different culture while some often several cultures inside a country as well. And this is something that shapes digital identities that we, the ones who are in this industry have been shaping and continue shaping today. So, yeah, tell me more about that role that the culture plays in shaping and influencing the current and the ones that are coming in the digital identity.

Kalev: Yep, sure. That’s the topic for today. So, the culture that we can see in the digital identities is quite a lot, related to, the ways how we culturally trust our own governments. How the government trusts its citizens, residents. And also, it’s very tightly connected to the idea of what is and how the privacy as such is defined in the society. A couple of episodes ago, you discussed heavily again, this kind of ISO standard on the privacy. And privacy is something that is cultural as well, and it’s not globally, universally defined as a value. And where the value kind of lies actually and these cultural differences. How they look in the digital identity is exactly, I would say, let’s take the two extremes.

One of those extremes is that digital identity is something that is central, that binds all of the digital actions that one does in a digital world together. And therefore, makes you, in essence, traceable, recognised everywhere. You cannot hide in a digital world, based on that identity. This identity reveals you everywhere.

And then we have the other extreme. We have digital identity that must, in essence by definition, protect you from being recognised from one environment to another. You must have different representation in different contexts. You have to have the right not to be recognised and not to be traced.

So, I would say that, culturally, the need might be on both of those extremes and something in the middle. And that’s I think, something that we are struggling globally now, that we are trying to talk about digital identity and what this identity does. What kind of privacy does it guarantee and what the privacy means to anybody.

And then we – then we are stuck with the fact that we don’t define the digital identity. We believe that everybody understands the identity and digital identity in the same manner. And then we also tried to say that the privacy is preserved. Privacy is granted. Privacy is by default as we like to say, or by definition and by default. But what this privacy means in this context of digital identity and usability also is not defined. So, we kind of use the buzzwords, and we neglect the background from which we come from. And therefore, we don’t understand each other, and we try to regulate that into different places. And well, do a lot of mistakes in that.

Oscar: Yeah.

Kalev: I don’t know if that makes sense to you, Oscar.

Oscar: Of course, a lot of sense. So, one concept, one particular concept you mentioned is privacy, right? Which can – well, not can but means different things in different cultures, in different countries. That’s true. I understand that. And it’s a challenge to try to have a definition and based on that create the laws, create the technologies that support that. Yeah, indeed. It’s a very, very good reflection that you are doing.

Kalev: I think that with the privacy, again, similarly, those extremes. And as I said, one of those extremes is on this identity and the definition regarding that privacy is that: OK, the privacy means that there is no data about me anywhere that I specifically didn’t reveal myself knowingly, giving the consent to that specific data to be revealed about me. Which makes me in the centre of all the transactions about me. And well, gives me a lot of work, let’s be honest, because there are several institutions all the time that work kind of for me. Make my digital life easier, and they need to make decisions. And if those decisions need my data, then therefore I need to make a lot of decisions to reveal or not reveal that data to them.

And the other side of that is and I would say the other way of looking at the same privacy, kind of, from the same concept. Still saying that privacy is preserved, privacy is kind of granted and by default, by definition. Is that whenever your data is used, then you, by nature of the setup, have the control over who and where and for what used your data. And therefore, you can kind of trace back it and say that, well, why did you do one or the other thing? And if they didn’t have the right, didn’t have your permission, didn’t have legal rights to something then they will be punished by the law.

So, it’s kind of – one is preventing anything to happen upfront. The other is giving the privacy through the control that you know everything that has happened with your data. And therefore you are able to take the parties involved and make them responsible for their actions. So, like these are maybe couple of ideas of how to look at the privacy from different angles as well.

Oscar: Yeah, indeed, in the case of privacy, just to give a concrete example. But how this would start if privacy or any other concept has to be defined based on the culture of our country, or our region? So how it has really defined?

Kalev: Yeah, the question then, when we talk about like, building creating digital identity. We kind of often think that this is one type of things to be done everywhere. What I’ve learned over the years, and I’ve really had happy accidents of meeting so many different countries, cultures, in different places talking about digital identity now, really tens of years. Then it still turns out that we are building the digital identity for a specific set of human beings. And those human beings have some connection to a culture, even if that’s a digital culture. Even if we say that digital identity in a social network, like Instagram, is a digital identity. For the people who use Instagram, who have some cultural preferences, otherwise, they wouldn’t use that environment. So, they have kind of agreed to a cultural norm there.

Or if we say that we are looking at the country, somewhere in the world, like Thailand or Mexico. Then we are building the digital identity for that culture that suits the beliefs and traditions of that set of human beings. It’s not a one-size-fits-all. But rather that this one-size-fits-one kind of thinking that I’m now become to believe, more into recent years. That there is not this one single solution that everybody will, kind of, inherently fell in love into. They have so many things in their historical backpack that it will definitely tilt their preference.

They have some bias to expect something that any other culture would never ever expect from the same solution. And we have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world. That we do believe in different things, we do act based in different preferences, culturally and that makes us interesting as human beings. We are not the same everywhere in the world and how to preserve that in the digital world. How not to become culturally one the same. Following one and the same set of rules everywhere, having the same solutions everywhere is an interesting, very interesting challenge, I would say for the humanity.

Oscar: Yes, yes, it is, and I agree with when you said that there shouldn’t be like one solution to be somehow imposed to the globally. That is a reason why they are in practice. I mean, the reason why then – just in the case of the national digital identities. The one from Estonia is different from one from Finland, Sweden, Singapore, et cetera. They are based on similar underlying technologies; open ID connect, publicly infrastructure, et cetera. But in the end, they are – they were designed differently because they’re solving a problem for different cultures. That is correct.

Kalev: Like facial recognition anywhere in the world, fingerprint-based identification somewhere like. Those are things that either are or are not culturally meaningful. I would say Western Europe has some kind of cultural connection in taking, giving and recognising fingerprints, and it’s deeply I would say, related to the criminalistics and then crime. And therefore, this kind of feeling when somebody asks your fingerprint somewhere, well, wasn’t very, very pleasant, I would say. Touch ID and other similar kinds of things have now a bit eased this feeling. But if we’re talking on the national level, fingerprint collection, fingerprint-based recognitions, then this feeling is still there, whilst it isn’t there with a face.

Although like, if we talk technologically then it doesn’t matter based on which kind of biometrics, I recognise you. But the acceptability within the culture, like face versus fingerprint was really, really different, still is a bit different. And the same kind of routing in the criminology didn’t appear in many Asian countries, in some Middle East countries where these fingerprint-based quick recognition tools in physical interactions were introduced. And there was no objection from the society. It was very, very acceptable.

So, all of those, kind of, bits that we are taking from different either literature, or some really historical reference that we take with us. Those too change the way how we are able or not able to roll out any given technology for the digital identity, absolutely.

Oscar: Yeah, that’s a very good example, the one of the fingerprints. I didn’t think about that. But yeah, it doesn’t surprise me that in different parts of the world, the perception is completely different. And it’s just the culture as you said.

Kalev: Yeah, facial recognition in Middle East countries, revealing your face in public for female citizens, well, it’s not very common. And something that again, we from Western Europe don’t recognise easily, but it is, it is a thing.

Oscar: Could you share now some successful examples, or I mean maybe not, it sounds like from these discussion site, like there are not many, at least 100% successful examples. But some, in some extent, successful examples of how these cultural human aspects have been taken into account to deliver good solutions for digital identity.

Kalev: Well, being a CEO for SK ID Solutions. Of course, I have to tell that I believe that we have been able to deliver for at least the Baltic States, Latvia, Lithuania, Estonia, solutions which are relevant for the culture where we are providing those services. And in that regard, we have also faced some clear opposition from the cultural perspective in some areas here. But yeah, that’s one of the things that maybe is possible here and isn’t possible in some other countries. So, our current service that is really used for more than half of the population in the Baltic countries is based on the fact that people know and use their national identity code as a unique identifier for themselves. And it is used in different environments now but is kind of creating unique identifier per any kind of system.

The same pretty much applies to the other countries. But then when we will take that concept, the same concept that is successful in variations also in Finland, in Sweden, in Norway, those are all kind of based on the single one identity. And all of them have like bank ID in Sweden is definitely a success story, from the usability and amount of users behind it. They are based on this idea that there is this one unique identifier, and you can reuse that in different environments. And it’s really serving the culture there and here. So, I would say that this is the way how it has been functionally well rolled out.

And we have to then say that the same ideology would not be allowed, possible, accepted, for example, in Germany. That kind of falls to the pieces in the border, of Germany. Simply isn’t welcomed there, by constitution. Because the constitution in Germany says that: well you shouldn’t, you should never ever create a solution where user is reusing its attributes in a manner that you can trace them. From one, let’s say government institutions to another, from one company to another. You have to be messed up everywhere. Where you try to figure out if that same person came from one institution to another, you are bound to by constitution to be puzzled by that.

Oscar: All right, well, interesting. Well, that’s defined by law in that case.

Kalev: Similarly, it is not allowed in Hungary, for example, to have a unique identifier for a person.

Oscar: And what were the objections or the reactions you had in, you mentioned earlier in the Baltics. So, what, what was not culturally accepted, let’s say there?

Kalev: One of the things was that really this identity code is semantically meaningful, and to use that as user ID at some points definitely was kind of a controversial and needed longer and public debate. In Estonia, I think, 15 years plus, quite long public debate about whether really the identity code as such can be publicly shared. And then it turned out that the reason actually – well, there’s definitely this semantic part that it really reveals your birthdate, which means that well somebody can understand how old you actually are.

But the more practical reason for objecting that was that, and it turned out that and it still is the case. For example, in US a lot of, that kind of identity breaches that we are discussing, and which are like big, big, big fuss around the world. Those are based on the notion that’s kind of user identity, for example, the social security number in US, it is not treated as user ID, but rather as a password. And those are very different things.

So, one is the link like this is who you are. And the other is proof that it is you that the claim is actually correct that this is your user identity. So, when it turned out to be kind of public, then what use cases were hit. And what was discussed quite a lot towards this type of phone-based service when you call in and the operator asks to identify you, your unique identifier. Which is public, which is listed everywhere where you have ever been, which is written into your identity documents. But still, as there was no better alternative then they opted for asking you for the identity code. And therefore, if that was now used publicly everywhere, well, everybody understood that cannot be used anymore.

And somehow the discussion, thankfully, has gone to that direction, at least in this region. that it wasn’t the right thing to do from the beginning to ask this identity code as a password. Because it has never been meant to be secret. The fact that not everybody in the world knows that doesn’t make it a secret.

Oscar: Yeah, yeah. So, what is nowadays, in Estonia, what is the kind of called, the username? Or there is such a username in – for this identity? Tell us a bit on how it works.

Kalev: Yeah, it is like 11 number identity code. It really consists of your, like, six numbers of that represent your birthdate and one of those. Then the seventh one gives the century and the sex you are being given. Then there are four digits that you have to really randomly kind of remember. And it has been long discussion whether those should be or could be changed. And now, in Finland, in Latvia as well. We have had this experiment of introducing another identity code instead of the semantically meaningful one. And this semantically meaningful identity code can be like, in Latvia, you can once in a life, go and replace your meaningful, semantically meaningful identity code to this new identity code, which doesn’t mean anything anymore.

It’s only a couple of years old, this project there so I cannot say how successful it is. But what is interesting with this 11-digit code really that is based on a birthdate is that most of them are able to remember it, because the birthdate is something that you can remember. If a society like Estonia would be able to remember just random 11 digits correctly, I’m not sure. But like bigger populations, I’m even less sure because they should have like more digits remembered, maybe. Then should be based some kind of – and somehow already based in letters and names and so on.

So, in Estonia, it really is semantically meaningful 11 digits which you can easily remember, and people normally do remember their identity code. They are reusing that on a daily basis in different contexts. Therefore, it is something that is not also easy to forget, because the society requires you to remember it. That is also this identifier we are using to allow you to kind of state who you are in the electronic identity context, and the same applies to Latvia, Lithuania.

And then the other, maybe just remember the other part of what was discussed in this context of electronic identity then yeah for the identification maybe the semantical information to recognise person is maybe OK. And then – but is it OK for the signature and then therefore, we have had a discussion of where in the signature this type of information should appear or not appear at all.

So again, something that we are now discussing, not so much on this user identity but still on this, on signature part. You should still uniquely identify who signed something. But do you need anything other than this identification of this unique person? Whether it makes any sense and discussion, culture discussions not happening in all countries in a similar manner. Some countries are more kind of prone to say that it shouldn’t be there. Others say that it is actually well, impossible to do without. It’s very, very different already in those three countries. I don’t know if I answered your question, actually.

Oscar: Yeah, indeed, you have definitely illustrated pretty well how it works in Estonia and also in the Baltics. And that gives us a clearer idea that the –yeah, the problem that you are bringing here is, of course, is big and it continues. As you say, there are some experiments in Latvia, Finland, and there are discussions in Estonia. So, this continues, even though there are good solutions, but this continues, this discussion continues.

So, if we focus now on, let’s say, you and I. We are working in companies who are building digital identity products. There are also, for instance, governmental institutions, who are building also digital solutions or services that rely very heavily on these digital identity solutions. So, from – what is the role of technology developers and designers in addressing these issues, these cultural aspects of digital identity?

Kalev: I think the biggest responsibility we carry is to be mindful about these phenomena of the cultural differences. And not to sell this kind of digital utopia that, that whenever we go to technical solutions, and your culture doesn’t matter, your infrastructure readiness doesn’t matter. It’s just “Buy my tech and you will be happy.” Promises should be avoided everywhere where it’s possible, even if there is a customer who’s willing to buy that promise. That’s really, I would say, the threat in the world what I see.

And maybe the other thing that is culturally important and must be addressed, I would say. In those, kind of, sales processes and discussions about future tech. Is focus on really the cultural position of government, of public sector, how capitalism and making money is perceived in society. All of those things have different perceptions and therefore, your solution must suit the ideology that this culture is accepting. Either the government is the trusted, and well-meaning party in the society where everybody is welcoming stuff that comes from the government because it’s always for the benefit of the bigger goods. Or the government is perceived as somebody who is sneaky. Who is always spying on you, who you suspect of making you guilty over the things that you maybe did or maybe didn’t. So, basically, being paranoid about the government.

Similarly, you have to be mindful about if the private sector is something to be perceived as innovative, as providing service for the value they are actually getting from the market. If they are actually stealing behind the people who are paying to them, who are overcharging everybody, who are greedy. Or if they are really making the economy work and able to kind of collect the taxes in the country at all.

So, like, these perceptions are also reasonable to know and to remember. When we are offering – what type of setup should a country, should a society, should this bunch of human beings were requiring the digital identity. What they should ask for, what they should build for, what is the way how to fund, how to make that environment sustainable? Me, being a capitalist believer, I’m always kind of telling that, that when we are building digital identities, we have to see if there is a way how somebody can earn something from the fact that digital identity is successful. That it is used, that it is spreading, that it’s actually making sense to people.

And if such, for example, motivation is in the society, then there is a possibility that somebody will go after this benefit and therefore make the digital identity successful. If the, like monetary value is taken away from the system, there is kind of everything is free of charge, paid by this anonymous taxpayer or government. Then there might be that we have an environment where if the government is trusted, if the government’s promotional speeches about take it, use it, it’s for better, good. Those could be trusted and could be a good vehicle for rolling out a digital identity.

But it again, very much depends on like, did we provide the same model that this culture accepts? Or we took a model from some other culture and tried to sell it to a totally foreign environment for that proposal? So, I think that what we have to – the technology providers do, we have to really build for those cultures that we are selling into and building into.

Oscar: Yes, yes, yes, we need definitely to understand very well the cultures and where we are selling or helping with these technologies. As you said in some countries, the government is highly trusted, in others don’t. Then can be the banks are highly trusted in some countries, and in other countries, not at all. And then same can happen with telcos, as you said, also the private sector, some technology vendors from the private sector. So yeah, that’s very important. And the first thing you say is about, yeah, be mindful what you promise. That’s definitely a good reminder.

Kalev: Yeah. I think that this kind of naivety about technology being all good for every different situation still lives on. Similarly, of course, exists this naivety that technology, whatever it is used is evil. So, I think that both exist, but you should never fall into one or the other. It is never so simple.

Oscar: Yeah, definitely. All right. I will ask a final question. So, for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?

Kalev: Yeah, I think that the message I hope has been quite clear that when building and when asking for technical solution, and especially as we are talking now digital identity. If asking for digital identity, ask: What is the fundamental belief of the environment where you are building it to? Don’t try to change culture through technology. It goes the other way around, culture defines technology.

Oscar: Yeah, you said it very clear don’t try to – don’t try to change culture with technology. Yeah, absolutely. Very simply and well said.

While hearing you, your explanations, came to my mind that for business when people are – businesspeople are traveling to other countries, there are some books that I, for every or for most countries say “what is the business etiquette” of every country. So, you should read that before traveling to that country. So, there should be a similar book but for the digital identity, right? We should have for every country, what and how you should – “what is the culture in every country in terms of digital identity and identity?” So, we know before doing business. So that’s something that came to my mind when I was hearing you.

Kalev: It would be nice if those books exist.

Oscar: Yeah, maybe, maybe I think you could be one of the co-authors, at least, you know a lot about this. Thank you very much, Kalev, for this very insightful conversation. So please let us know if people would like to follow this conversation with you, what are the best ways for that?

Kalev: Yeah, you can definitely find me through LinkedIn or write me. Our contacts on the skidsolutions.eu site are quite publicly available as well. So, I’m very public person in a sense, nothing is hidden.

Oscar: OK, excellent. Again, thank you very much, Kalev for joining us and all the best.

Kalev: Yeah, all the best to the listeners as well.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.