New Zealand’s Digital Trust Framework: advances and unanswered questions

New Zealand has taken an important step toward digital transformation with the launch of the Digital Identity Services Trust Framework (DISTF), a set of rules that does not explicitly embrace self-sovereignty.

L

ike many other regions, New Zealand aims to modernize how individuals interact with services and validate their identities in different contexts through this initiative. As digital identification becomes a reality, it is essential for citizens to understand its purpose, their rights, and how to prevent potential misuse. 

The New Zealand project features a supervisory authority that plays a crucial role. As we will explore further, it introduces elements that set it apart from the self-sovereign model. 

An ecosystem for digital identity services 

The DISTF framework is part of a national strategy aimed at introducing practical and accessible digital identity services. The planned services include: 

• Digital driver’s licenses, enabling drivers to validate their identities without the need for physical documents. 

• Banking identification, simplifying financial processes such as opening accounts or approving loans. 

• Trade certifications, essential for professionals and technicians who need to validate their credentials quickly and securely. 

All these services will be accessible through accredited digital apps and wallets, offering citizens an efficient way to manage their personal data. 

Rules to Ensure Privacy and Security 

The DISTF establishes a set of mandatory standards for digital identity service providers that adhere to the framework. These rules are designed to protect privacy, empower users, and strengthen security. 

Let’s delve into the key principles officially underpinning the project: 

• The cornerstone rule of the trust framework is that consent is always mandatory. Accredited digital identity service providers must obtain explicit permission from users before sharing any personal or organizational information. This principle is essential and applies to all transactions carried out within the system. 

• Personal information will not be stored in a centralized database. Compared to other national frameworks, such as Australia’s myGovID or India’s Aadhaar, the DISTF emphasizes decentralization and privacy by design, granting users greater control over their data. Each transaction begins with a user-initiated request to access a service or share information, and accredited providers are prohibited from linking data without the user’s explicit consent. 

• The use of digital identity services is voluntary. Individuals can choose not to use digital services, as traditional alternatives, such as in-person or paper-based processes, will remain available for accessing government services. 

• The accreditation of service providers is not mandatory. Digital identity service providers can offer their services without being accredited under the trust framework. However, accreditation allows individuals and businesses to easily identify providers who meet the established standards, serving as a sort of quality seal. 

• There are clear rules on how personal and organizational information can be collected, stored, and shared. The rules cover three main areas: 

1. Collection of information: Accredited services must be transparent about the purpose of collecting information. 
2. Storage of information: Information should only be retained when necessary. 
3. Sharing of information: Technical processes for sharing must follow standards such as encryption and ensure that the parties involved cannot trace the information. Additionally, the amount of data shared must be minimized. 
4. Data deletion: Accredited providers must also have a process in place to securely delete unnecessary information. 

Providers must comply with specific standards, including the Identification Standards, New Zealand’s Privacy Act, and other applicable regulations. Oversight will be handled by the Trust Framework Authority. 

Foundations for the New Zealand framework 

The framework is governed by fundamental principles aimed at ensuring that the digital environment is accessible, secure, private, and respectful of the needs of individuals, organizations, and communities. 

One of the most important principles is that the system must be people-centered, ensuring that the needs and rights of users are always the priority. Participation in the use of digital identity services is completely voluntary, with the option to opt out without any penalty. Furthermore, users retain control over their information, in accordance with applicable laws, including the 2020 Privacy Act. 

The framework strives to be as inclusive as possible, creating a digital environment accessible to all, without social, financial, or technical barriers that hinder access. No individual should be discriminated against, and the system must be capable of reflecting the needs of a wide range of involved parties. In this regard, it ensures that all users can utilize the services without the risk of exclusion. 

The security principle guarantees that personal and organizational information is handled securely at all times. Systems and services are designed to protect information against potential breaches or losses. Additionally, the framework incorporates a proactive approach to privacy, ensuring that data protection is embedded in the design and maintenance of all services. 

In response to the specific needs of the territory, Māori play an active role in decision-making and leadership within the system, ensuring that their approaches to identity and data are represented. 

Sustainability is another key principle, as the digital environment must be designed to ensure its long-term viability, both socially, economically, and technologically. This includes the system’s ability to adapt to changes and support innovation, while simultaneously providing value to all stakeholders involved. 

Interoperability is crucial to ensure that personal and organizational information can be reused securely across different services, sectors, and geographies. This is achieved through common standards, guidelines, and ongoing collaboration between various stakeholders, both at the national and international levels. 

Finally, the principle of transparency and openness establishes that the digital environment must be accessible and accountable. It must be clear how personal and organizational information is stored, used, and shared, and all standards and rules should be available to the public. 

When these principles are consistently applied, they ensure that digital identity services are not only secure and effective, but also fair, accessible, and respectful of privacy and cultural identities. 

Does New Zealand’s DISTF align with the principles of Self-Sovereign Identity (SSI)? 

New Zealand’s Digital Identity Services Trust Framework (DISTF) aims to create a secure and reliable environment for managing digital identity. However, its design reveals significant differences from the core principles of Self-Sovereign Identity (SSI). While both share common goals, such as protecting personal data and fostering trust in digital interactions, the DISTF incorporates centralized elements that limit its alignment with a purely self-sovereign model. 

Provider Accreditation. A key feature of the framework is the possibility for digital identity service providers to become accredited. This accreditation certifies that they meet the established standards for the collection, storage, and secure use of personal and organizational data. 

• Centralized Approach: This process depends on a central regulator (the Trust Framework Authority, or TFA), which grants credibility to the providers. 

• Comparison with SSI: In a pure SSI model, there is no central regulatory authority or intermediaries determining who is trustworthy. Instead, users are solely responsible for managing their data and deciding with whom to share it through verifiable credentials, supported by decentralized technologies like blockchain. 

Role of the Trust Framework Authority (TFA). The TFA is the regulatory entity responsible for overseeing compliance with the framework’s rules. Its functions include: 

• Accrediting digital identity service providers. 

• Monitoring ongoing compliance with regulations. 

• Investigating complaints related to accredited services. 

• Managing the accreditation seal, which identifies providers who meet the established standards. 

The presence of a centralized regulator contrasts with the principle of decentralization inherent in SSI. In a self-sovereign system, trust is not established through an external authority, but through technology and direct user control over their information. 

The DISTF ensures an environment where individuals can share personal information securely, and where businesses can trust the authenticity of the data received. 

This approach aligns with SSI’s goal of ensuring secure and trustworthy digital interactions. However, the DISTF achieves this through an architecture that relies on a regulatory body and centralized standards, whereas SSI uses cryptography and distributed technologies to eliminate intermediaries. 

We could say that the DISTF shares some values with Self-Sovereign Identity, but it diverges significantly on two key points: 

• Centralization: The TFA centralizes oversight and regulates who can participate in the digital identity ecosystem. In contrast, SSI eliminates the need for a central intermediary, relying on distributed networks and user autonomy. 

• Dependence on accredited providers: Users interact through entities that have been previously validated by the TFA, introducing a level of intermediation that does not exist in purely self-sovereign systems. 

The DISTF represents a hybrid model that combines traditional practices with a limited decentralized approach. This can be an effective strategy for promoting the adoption of digital identity in a regulated environment, but it is far from offering the absolute control and independence that are at the core of the SSI model. 

Relying on digital identity frameworks that do not clearly follow the principles of Self-Sovereign Identity (SSI) risks users losing control over their data. If a centralized system, like the DISTF, regulates who can manage our information and how, power remains in the hands of intermediaries and authorities, opening the door to abuses, security breaches, and misuse of personal data. Without a truly decentralized model, citizens are exposed to an ecosystem where decisions about their identities do not always prioritize their privacy or autonomy. 

Key dates 

The trust framework and its accreditation system officially came into effect on November 8, 2024, marking the beginning of a new phase in digital identity management in the country. Additionally, the standards related to biometric authentication, known as the Authentication Assurance Standard, had already begun to be applied from October 1, 2024, laying the groundwork for the adoption of more advanced technologies. 

It will be interesting to see how users receive and adopt these digital identity projects as they roll out. It will be crucial to verify whether all protective measures and respect for individuals are truly upheld, ensuring that security, privacy, and control of personal information are maintained at all times. Public acceptance will depend on how effectively these principles are implemented and whether users feel confident in the system to share their information securely and in a controlled manner. 

Contact our team and learn more about TrustCloud Wallet, based on Self-Sovereign Identity