Designing User Experience for the Digital Era - An Example: Re-imagining the Identity Card

We are in the digital era now, where businesses and services are moving more and more of their interactions and processes online. Some adopt a simple "lift and shift" - digitizing and electronizing their current physical and manual experience and processes online. Others go slightly further in tailoring a user-friendly interface, but fall short on the service fulfillment experience. Only a limited few go the whole mile, re-engineering their end-to-end experience for the digital era.

A case I always love to cite is the Inland Revenue Authority of Singapore (IRAS). IRAS has brought income declaration online in a revolutionary way (in my opinion). Instead of the traditional "individuals declare their income", the focus shifted to corporate declaration in the form of the "Auto inclusion scheme" (AIS), as well as allowing individuals to simply "do nothing" if there are no changes to declarations other than those from AIS. This digital process transformation has resulted in an enormous amount of time savings as well as cost savings for both the citizens and the government agencies. (I do not know if the initial launch included these features since I was too young to submit any income tax then!)

I get really excited when I see such digital transformations, so when the government announced that they are pushing for a national digital ID, I decided to just try re-imagining how it could be. I will only focus on one touch-point, specifically residential address updates.

Opinions, views and thoughts expressed here are solely my own and do not express the views or opinions of my employer, whomever they may be.

Residential Address Update

After I moved in to my new HDB flat, I had to update my Identity Card (IC) with the new address. With that, I took my electrical bill (with my name and new address on the bill) and went to the neighbourhood police post with my wife. The police officer validated the bill, and then proceeded to update our ICs with the new address pasted as a sticker over the current one.

Now, some thoughts on this process:

  1. Honestly, I have no idea what validation the policeman might have done prior to updating the IC. Did he actually check with the electricity service provider? Or did he simply trust the name and address on the bill?
  2. I presume he updated my wife's address as well because she went with me. If I had a family of 6, would I need to be present during the update of all 6, along with the bill? Or is my wife with an updated address sufficient?
  3. The sticker on the IC is probably a cost-effective approach compared to re-issuing a new card. Still, the authenticity of this updated address is questionable. Everyone will trust the address on the sticker on the IC. At least the common public or businesses will. I wonder if someone else could do this same update on their own as well.

Let us relook at this in two parts:

  1. Updating my address with the government authority, and;
  2. Updating my card with the new address

Updating my Residential Address with Government Authority

Assuming I bought my flat from the Housing Development Board (HDB), the government should know that I am the flat owner. I am also assuming that somewhere in the government, there should be a record of any other properties I own (assuming not all residential properties are from HDB). From there, it should be a simple matter of telling the government at which of those residential properties I stay. I should be able to log in to a portal and choose a residential address from a list of my properties. It should be that simple and trivial from a user experience perspective.

Now, what if I do not own the property? For example, my children, or if I had rented a house. In that case, it should be the flat owner's responsibility to authorise the update. The flow could be that the flat owner submits an online request to update my children's residential address to one of my residential properties (by using their NRIC number), after which they might have to approve the update via SMS, email, or logging in to the same portal. An alternative could be that my children log in and submit a request to update their address, and the property owner approves the update in a similar fashion.

Is this process more efficient or streamlined? Maybe, maybe not. But is this more secure than validating a bill? Probably, since the property owner holds the 'key' to the update. Which they rightfully should.

Having an Updated Residential Address on my IC

This is a more interesting problem. How can an online update trigger a 'sticker' on the IC?

Let us ask ourselves some questions. Why do we want an updated address on the IC? What do we even use the IC for? What is necessary on an IC?

What could an IC be in the Digital Era?

Today, we look at these few items on the IC (or at least these are the common use cases I can think of): NRIC, photo ID, date of birth (to derive your age). Some people might check the address, gender or race on there. But how far should a person trust the information on an IC? Most authorities would not. They use either the NRIC or the barcode on the IC to look up the details in a centralized government database. In those cases, the IC is nothing but an identifier for lookup purposes. Any other details become irrelevant. If anything, they are there for the general public, who do not have access to the centralized database.

So now, can we give the public access to those same details on the IC? Bearing in mind PDPA and the principle of least privilege, we want to enable sharing of details based on what the other party needs, and what I authorised. Can this be done?

Wild Wild Thought - There is an App for Everything

Imagine that I do not have a physical ID, but instead have an app on my phone that acts as my ID. The app could display my NRIC, latest photo, address, gender, age, and allow self-service updates. If anyone asked for my ID, I would select the items I want to share, and show them the data from this app. Sounds like a digital era experience, right? But would you trust what I show you? Probably not. It faces the same problem as a physical ID. Maybe it is even less trustworthy, since people have the general perception that software is easier to hack than hardware (though there is a long, long, successful history of counterfeit ICs and passports in this world).

Now, what if, on top of what I showed you, the app also generates a QR hash code that contains my NRIC, the list of attributes I want to share, and a time-based OTP? The other party could then use another government-issued smartphone app to scan the QR hash code and retrieve from the centralised database what I had allowed to be shared with you. The authentication factor would be the NRIC and a time-based OTP, allowing limited access during a period of time. Now, this becomes harder for fraud or counterfeit to happen.
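The QR exchange described above, sketched as an added example (not code from this post or from any government system). It assumes a per-citizen secret shared between the ID app and the central database, a 30-second window and a constructed registry entry; it also goes one step beyond the post by computing the time-based code over the attribute list as well, so the back end releases only the attributes the holder selected, and only once per window.

```python
import hashlib, hmac, json, struct

STEP = 30  # seconds per code window (assumed; the post gives no value)

# Constructed stand-in for the centralised database: per-citizen secret + record.
REGISTRY = {
    "S0000000X": {
        "secret": b"constructed-demo-secret",
        "record": {"name": "Tan Ah Kow", "age": 34, "address": "Blk 1 Example St"},
    }
}
_last_step = {}  # NRIC -> last accepted time step, used to refuse replays

def bound_otp(secret: bytes, step_no: int, attrs: list) -> str:
    """6-digit code over the time step AND the attribute list (RFC 4226 truncation)."""
    msg = struct.pack(">Q", step_no) + json.dumps(sorted(attrs)).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 10**6:06d}"

def make_qr_payload(nric: str, attrs: list, secret: bytes, now: float) -> str:
    """Holder app: the text that would be encoded into the QR code."""
    return json.dumps({"nric": nric, "attrs": sorted(attrs),
                       "otp": bound_otp(secret, int(now) // STEP, attrs)})

def verify_and_release(payload: str, now: float, drift: int = 1):
    """Verifier back end: return only the shared attributes, or None on failure."""
    try:
        req = json.loads(payload)
        nric, otp = req["nric"], str(req["otp"])
        attrs = [str(a) for a in req["attrs"]]
        entry = REGISTRY[nric]
    except (ValueError, KeyError, TypeError):
        return None  # malformed payload or unknown NRIC
    current = int(now) // STEP
    for step_no in range(current - drift, current + drift + 1):
        if step_no <= _last_step.get(nric, -1):
            continue  # a code from this window (or earlier) was already accepted
        if hmac.compare_digest(bound_otp(entry["secret"], step_no, attrs), otp):
            _last_step[nric] = step_no
            return {k: entry["record"][k] for k in attrs if k in entry["record"]}
    return None
```
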

Back to the Address Update… or Maybe Not

Now, do we really need to update the address on the IC? Do we need a physical IC? Maybe we still do, for those who do not have a smartphone. In that case, maybe it could be a limited form of OTP token? It shows perhaps the basic NRIC, date of birth, race (all immutable content), and then buttons like address and photo ID which, combined with the OTP, generate a form of barcode/QR code for the same smartphone app to scan? (Alas, OTP token lifespans are typically 5~10 years, while the IC today can last longer. But then again, the photo on an IC probably gets outdated much faster than 5~10 years.)

Is this really the Digital Experience of the future?

It could be, but this is purely my own re-imagination. I have painted a rosy picture with few problems and issues, and focused on solving a few user touch-points. There could be other issues like logistics, security, internet connectivity, etc. If anything, I am not proposing the only solution or approach to a digital Identity Card. These are my personal thoughts and ideas.

A Challenge for Digital Experience Design to look at End to End Experience and Service Fulfillment

If you have read to this point, I would like to challenge you not to solve problems piece by piece and directly. Instead, look to re-design the entire digital experience. Alternative approaches could come up, eliminating entire sets of problems and presenting better ways to do things. Today, we have a lot of technology readily available, technology we could not imagine 10~20 years ago. Sharing of data is something pioneered by Single-Sign-On products and later popularised by Facebook and Google. Time-based OTP and authentication is something that is used by a lot of products today (some probably even tried to add in location-based authentication!). None of the technology that I have described above is new.

We just need to be open-minded and challenge the status quo, looking for better alternatives to the current processes. This is what it means to design for the Digital Era.