How to Get Carded in 2020 and Other Thoughts on Digital Identity.

Dara Tarkowski
Published in DataDrivenInvestor
8 min read · Feb 20, 2020


A woman walks into a bar. That’s not a joke, but it does set the stage for this article on digital identity. If you’re wondering what the digital version of getting carded looks like, stay tuned. We’ll cover that, and more, shortly.

First things first: what is Digital Identity? In Episode 7 of the Tech on Reg podcast, we take a long, hard look at this concept — and some of the stumbling blocks in its way.

My guest, David Birch, an internationally recognized thought leader in digital identity, defines digital identity as the bridge between real and virtual identities: the link between things in the real world and their “shadows” in the virtual world. Things in the real world map to digital identities, and digital identities map to things in the virtual world. By that definition, a person may have multiple digital identities, with each of those digital identities mapping to multiple virtual realities.

Confused? Chin up. We’ll explore how this plays out with real-world examples in a moment. Before we do so, let’s set the stage.

Digital identity is one of the most significant topics impacting fintech right now. Why? It solves a difficult problem: assigning and recognizing identity, all while keeping people’s (and businesses’) private information…private.

When we look at payments, for example, the problem is not the spreadsheet of transactions between parties. That’s cake. The hard part is the digital identity component. That’s not cake. That’s…well…that’s the kink.

Mark Carney, the governor of the Bank of England, pointed to the lack of an effective digital identity infrastructure as the culprit behind friction in both online financial services and, well, online everything.

Despite that warning, fintech — as an industry — has failed to heed the notion, allowing digital identity to fall off the table. The result is a stalemate when it comes to making the financial services industry work better for society as a whole, including lowering the cost of intermediation and providing more inclusive services.

I’d say those are pretty important (and fundamental) boxes to check, so let’s dig deeper into why this is happening.

On the one hand, no one wants people messing around with their money, so regulation is necessary. On the other hand, regulators have a hard time getting out of their own way when it comes to finding a workable, middle-ground solution that provides structure without completely squashing innovation (No one knows how to screw up innovation and delay things like lawmakers and lawyers, amiright? I’m super right.) Right now, we’re in the worst middle ground: smack dab in between regulation from the last century and regulation for the next century.

Take KYC (Know Your Customer), for example. The way this currently works is that we build up a wall to keep the bad guys out while we make the people on the inside file all kinds of reports.

This produces pretty much the worst system imaginable. To illustrate, consider the words of Rob Wainwright, director of Europol, “The banks are spending $20 billion a year to run the compliance regime … and we are seizing 1 percent of criminal assets every year in Europe.”

One. Percent.

I’d say that system is broken. Birch points out that, if we were to start from scratch today, we would build this system entirely differently. The focus would not be on boxing people out to the point where we can’t monitor what they’re doing. All that does is force criminals to work outside of the system — in cash (Fun fact: there are more $100 bills in circulation than $1 bills).

Bringing everyone into the system would allow us to leverage new technology like artificial intelligence (AI) and machine learning (ML) to track the bad guys and get a handle on it.

Achieving the “Goldilocks” Framework for Digital Identity

Right now, we’re face-to-face with an all-or-nothing scenario. So far, no attempts have been made by the US to establish a framework for digital identity. While some private players are trying to address the need, the current approach has been more effective at driving identity theft, rampant fraud, and astronomical intermediation costs than anything else.

On the flip side, China has jumped headfirst into wrangling people into a centralized identity framework that is used for everything, which has also led to social credit scoring. Also not ideal.

It seems the strongest approach would be to reverse engineer a framework that supports what we want digital identities to do and leverages existing and emerging authentication and authorization technologies to get us there.

It also means we need to stop pitting privacy and security against each other.

Privacy and security are not an either-or proposition. You can have security without privacy but you cannot have privacy unless you have security. Any infrastructure for digital identity must deliver security while enabling privacy. In other words, people must retain control over their privacy. This requires a bit of education for a public that doesn’t necessarily understand the difference — or relation — between the two, especially when it comes to technology’s role.

If consumers don’t get it, do you think lawmakers do? Spoiler alert: they do not.

Both consumers and lawmakers need a primer on the benefits of cryptography and its capabilities with regard to digital identity, privacy, and security. We need to shift from the uninformed perspective that we are all just information on an index card, flailing around with the breeze. And lawmakers and consumers don’t necessarily need to know what’s happening underneath the hood, so long as they get the gist that we can provide control and convenience.

So, what do consumers think about digital identity?

Right now, they’re confused. A recent Mitek study found that only a quarter (25%) of consumers feel they have a grasp on the concept of digital identity at all. Here’s the kicker: more than half (65%) said they’ve used some form of digital identity every single day. So what gives?

It really maps back to the knowledge gap between providers and consumers (and, ahem, lawmakers) that is hindering the rate of adoption. A lot of the uncertainty revolves around security; most consumers do not believe that existing security measures are strong enough to keep their personal information safe.

That’s a major problem. But it’s more than that.

Consumers want convenience. Our goal should be to build an infrastructure that caters to convenience and that ensures security and privacy work properly. Apple’s TouchID is a paradigm here. Prior to TouchID, biometrics was viewed by the layperson as something straight out of a James Bond movie. “Quick, Bond! We need your thumbprint to launch the nuclear missiles!”

Apple was very adept at changing the perception of biometrics from a technology about security to one of convenience. It’s easy to unlock your phone with a fingerprint. It’s convenient to log into your banking app with a fingerprint. The security and privacy are there, but that happens under the hood, without the customer knowing the nuts and bolts behind it.

We need to approach digital identities in the same way.

Consumers also want control. Going back to the Mitek report, consumers appreciate the convenience of digital identities but want much more control over the personal information that ultimately gets shared with apps, particularly biometric information. More than three quarters (75%) said they believed digital identities were faster and simpler than using physical documents. AND YET, only 17% of those same respondents said they preferred biometric identity verification compared to more traditional methods like showing someone a driver’s license.

Interoperability: The Next Frontier

Interoperability is a major sticking point for digital identities. Right now, we lack a global standard in the interoperability of digital identity. Part of the problem is a focus on security “theater.” Take, for example, the simple act of getting into a bar.

If I were to walk into a tiny, corner pub in Ireland and show my Illinois driver’s license, the bouncer in that pub would have no real way of verifying that my foreign ID was real and valid. He simply looks at it and makes a game-time decision to either say “Enjoy your night, Dara” or “Sorry, I can’t confirm this is real.” If we’re honest, most of the time it ends in the first scenario.

What is that really? It’s what checking boxes looks like. The bouncer knows that he is required by law to verify that anyone who enters is of a certain age. So long as he is “playing his part” in that security measure, all is well. Set aside any curveballs (i.e. my foreign ID).

Regulators and lawmakers are complicit in this theater, too. They’ve grown accustomed to checking certain boxes (this bar adheres to the security measure of checking IDs so no punitive action needs to be taken). As long as the boxes get checked, no one needs to pay attention to whether real security has been achieved.

If we dig down into what we’re truly trying to achieve in the above scenario, we can find a better way to do it. What’s really happening is that we rely on forms of identity founded on relationships. The bouncer isn’t asking me “Are you over XX years of age?” What he’s really asking me is “Do you have proof that you’re over XX years of age so that I can shift accountability elsewhere in the event that you turn out to be lying?”

What happens if we remove the error-prone method of “carding” people and digitize the process? It might look something like this:

  1. Bar security asks me to verify that I’m over 21.
  2. I pull out my iPhone, which prompts me with a question: “Do you wish to share information with O’Malley’s Pub about your age?”
  3. I tap “Yes” and press my fingerprint onto TouchID to verify that I, Dara Tarkowski, am giving the bar’s system permission to verify my age.
  4. [Behind the scenes, the following occurs]:
     a. The bar’s system (perhaps through the bouncer’s iPhone) communicates to my phone that it needs the credential to prove that Dara Tarkowski is over the age of 21.
     b. My phone connects to one of my apps that has information about my age and can provide a cryptographic token (with no personally identifiable information) to indicate I’m over 21.
     c. That cryptographic token is sent to the bouncer’s iPhone, which validates the token.
  5. Bouncer waves me in and says, “Enjoy your night, Dara.”
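
Here is what the behind-the-scenes part of step 4 could look like in code. This is an added example, not code from the podcast or from any product named here. It assumes Ed25519 signatures from Node's built-in crypto module and an issuer key the bar's device already trusts; the function names, the venue id and the birth dates are made up for illustration.

```javascript
// Added example: names, key handling and sample values are assumptions.
const crypto = require('node:crypto');

// Hypothetical issuer: the app on the phone that already knows the holder's birth date.
// The bar's device is assumed to trust issuer.publicKey in advance.
const issuer = crypto.generateKeyPairSync('ed25519');

// Step 4a: the bar's device asks for proof, naming itself and adding a fresh nonce.
function newChallenge(verifierId) {
  return { aud: verifierId, nonce: crypto.randomBytes(16).toString('hex') };
}

// Step 4b: the issuer signs a claim that carries no name, birth date or licence number.
function issueToken(challenge, birthDate, nowMs, privateKey) {
  const cutoff = new Date(nowMs);
  cutoff.setUTCFullYear(cutoff.getUTCFullYear() - 21);
  if (new Date(birthDate) > cutoff) return null; // under 21: nothing to attest
  const claim = JSON.stringify({
    over21: true, aud: challenge.aud, nonce: challenge.nonce, exp: nowMs + 60000,
  });
  const sig = crypto.sign(null, Buffer.from(claim), privateKey).toString('base64');
  return { claim, sig };
}

// Step 4c: the bouncer's device validates the token against its own challenge.
function verifyToken(token, challenge, nowMs, publicKey) {
  if (!token) return 'no-token';
  const sig = Buffer.from(token.sig, 'base64');
  if (!crypto.verify(null, Buffer.from(token.claim), publicKey, sig)) return 'bad-signature';
  const c = JSON.parse(token.claim);
  if (c.aud !== challenge.aud) return 'wrong-audience';  // minted for another venue
  if (c.nonce !== challenge.nonce) return 'stale-nonce'; // replay of an earlier answer
  if (nowMs > c.exp) return 'expired';
  return c.over21 === true ? 'ok' : 'not-over-21';
}

// Constructed sample run: holder born 1985-01-01, checked on 2020-02-20.
function demo() {
  const now = Date.UTC(2020, 1, 20);
  const ch = newChallenge('omalleys-pub');
  const token = issueToken(ch, '1985-01-01', now, issuer.privateKey);
  const forged = { claim: token.claim.replace('omalleys-pub', 'other-bar'), sig: token.sig };
  return {
    fresh: verifyToken(token, ch, now + 1000, issuer.publicKey),
    replayed: verifyToken(token, newChallenge('omalleys-pub'), now + 1000, issuer.publicKey),
    forged: verifyToken(forged, ch, now + 1000, issuer.publicKey),
    minor: issueToken(ch, '2005-01-01', now, issuer.privateKey),
  };
}
```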

Cryptography provides a variety of ways to achieve interoperability for digital identity securely while maintaining privacy. Moving regulators (and everyone else) out of their comfort zone so that new technologies and systems can achieve this will be part of the equation. Universal education will be required. We need to get people comfortable with the idea that checking an Apple Watch or smartphone is a more convenient, more secure, and more objective-oriented approach than the usual box-checking methods. And we must instill in consumers that this will give them optimal control over their privacy.

To listen to Episode 7 of Tech on Reg: Digital Identity, check out Apple Podcasts, SoundCloud, or wherever you like to stream.


Entrepreneur, Attorney, Writer, Speaker, Mother | Building Something New; Co-Founder @ActuateLaw \ @quointec | Host of Tech on Reg podcast