Countries are working to find answers for billions of individuals worldwide.
Forty million: the estimate that the International Criminal Police Organization (INTERPOL) gives for the number of passports that have been lost or stolen since 2002. One and a half billion: the number of people that the UN estimates have no legal digital identity per their ID2020 initiative. Four billion dollars: the US IRS estimate of tax refund fraud in 2016.
Identity itself is fragmented in terms of its definitions, and in today’s world we are not only worried about identifying humans. We need to understand corporate identity, which obviously has a people component. We also cannot forget about the identity of the many devices connected to the Internet, which make up the Internet of Things (IoT). Ericsson, the Swedish mobile infrastructure vendor, estimates that 29 billion connected devices will be in existence by 2022, with 18 billion of those related to IoT.
While it might seem daunting to take on the challenge of identity verification, for purposes of this article, let’s focus on people.
What do we mean by a person’s identity?
Quite simply, identity is a tool used by people to get things done. Conversely, governments and businesses want to permit transactions to take place but must look at each transaction through a lens of risk. If I allow a transaction to take place, what are the ramifications of making the wrong choice – dealing with the wrong person? Identity is at the heart of global commerce, and the ease with which we can use the Internet to apply for a passport, order a book or buy an airplane ticket means that each use case comes with its own inherent set of risk parameters.
Most of us probably think about identity as reflected in our passport or driver’s license. In fact, there are four facets of identity that have different components and “value” when considering individual identity: my physical attributes (e.g., DNA, biometrics), my legal representation (e.g., passport, driver’s license), my electronic presence (e.g., email, social media) and my behavioral components (e.g., places visited, spending patterns).
When you look at the first three facets, there is almost a natural order of value of identity that becomes evident. My DNA and biometrics are truly representative of me; the odds are that if you have traces of my DNA, then you “have me” as a likely suspect, as we see play out in criminal trials. My passport and driver’s license are used for crossing a national border or flying domestically, but these can be forged. That is the reason we have microchipped passports, which are more secure than non-chipped passports, and REAL ID driver’s licenses, which utilize common standards across the nation. Think about the process of obtaining Global Entry at the US border: You subject yourself to a background check, you provide your biometrics and you must complete an in-person interview with a member of Customs and Border Protection. Multiple checks are put in place to verify an individual before permitting them to use the service. This allows the identity of a person to be verified with greater rigor than a manual check of the documents would.
My electronic presence has varying degrees of value. It’s fairly easy to hack someone’s email account, and Facebook® executives believe 10% or so of their profiles are fake. That blue check next to a Twitter® handle indicates someone has “verified” the user behind it, but what validation is used to ensure it is indeed the person writing tweets versus someone with access to the account? Put another way, while a celebrity or politician might be verified, who’s to say it’s actually them sending the tweets? Electronic forms of identity that we have created in social media or that exist in email addresses may have some limited value, but they are not robust indicators of a person, nor validation of the provenance of the content they have published.
The behavioral component of identity is perhaps the most difficult to define. Many different factors comprise this part of our identification. For example, banks have excellent algorithms to detect potential credit card fraud based on our buying habits and places we visit. Try filling up two cars at the same gas station at the same time, or spending money in two states within a few minutes of each other, and your card will be flagged and/or suspended. Technologies exist today that can even detect whether the person entering the PIN code on their mobile phone is likely the person who owns it, based on behavioral analysis of how the phone is held and the interaction.
No matter how you define it, what is very evident is that identity is a fractured concept.
A global problem
Of course, the problem is global and not confined to the US alone.
When the UK voted to end its initiative to introduce a national register, the debate over the trade-off between convenience and privacy reignited. The people believed the latter outweighed the former. Of the main benefits voiced by the Organisation for Economic Co-operation and Development (OECD) countries for the establishment of digital identities, only the US and Australia openly stated that cybersecurity was the primary reason for establishing a more rigorous drive for adoption. The remainder articulated that their efforts were based on the need to deliver operational efficiencies through the creation of an e-government and that such a program would also enable the delivery of increased private sector innovation.
Several countries making these claims, such as Spain, Germany and Italy, already had physical national identity cards; therefore, the move was about migrating identities online. Meanwhile, other countries like Austria, Denmark and Sweden had no such precedent and so found themselves forming digital certificate infrastructures. Approaches differed; Denmark centralized the issuance of identities, while Sweden federated issuance across several organizations that included both banks and telecom companies. (Sweden, as well as Norway and Finland, also openly publishes individuals’ tax returns.) Within just a couple of years, BankID would go on to be recognized by over 400 public and private sector services. But the successful creation of services by these countries stemmed from the fact that national registers were already in place. Australia, which had neither a national identity card nor a national register, and a landmass considerably greater than many other OECD members, chose instead to create a network of decentralized agencies supported by a centralized real-time Document Verification Service.
Not only did the process of creating digital identities differ between countries, but the countries also had differing opinions on how those identities could or should be used. The Netherlands, for example, required its DigiD to be strictly regulated for use by the public sector only, while Spain saw the certificates created by its specialist providers as being acceptable for use by both e-government and private companies. Even India has its Aadhaar card with over 1.2 billion people enrolled – locking personal, demographic and biometric information into a highly centralized server architecture. While it addresses the problem, this architecture has also been seen by many as not secure, precisely because it is so centralized.
Leading the way in Estonia
While the UK abandoned its plan for a national ID scheme, other countries like Estonia have implemented one with great success. Estonia can now claim first place as the most digitally advanced government in the world as its citizens reap significant benefits ranging from ease of access to government-run, single sign-on websites to rapid credit approvals and near one-click tax filings.
But how was this possible? Right place, right time: Estonia managed to take advantage of new digital technology just as it was regaining independence and setting itself up – a bit like a start-up not having to worry about years of legacy infrastructure. The system could be designed from the ground up to deliver efficiencies for government and to allay understandable concerns of the people. The e-Estonia solution combines both photo and biometric aspects, with a built-in chip containing two certificates, one for verifying identity and the other for a digital signature, each protected by a four-digit personal identification number.
So while the debate continues over centralization versus decentralization – and with new technologies such as blockchain tempting further exploration into decentralization – one could argue that the majority of countries observed have really only digitized existing processes and that their populations have seen relatively little increase in convenience. For example, individuals still need to produce a physical, government-issued form of identification to open a bank account. So, what is next for digital identity and how could this evolution drive greater utility for the identity owner rather than the establishment?
Authentication on the go
Looking at the most-promising new technologies arriving on the market, the trends seem to point to broad adoption being initiated from developments at the intersection of authentication and location. More specifically, it includes the use of mobile devices as a mechanism that provides portability of the necessary components to store a digital identity and perform authentication for the use of local services (e.g., requiring care at a hospital, collecting a rental car, boarding a plane, checking in to a hotel). In all of these scenarios, the individual is making a claim as to their identity and then needs to substantiate that claim by providing physical documentation that supports it. A mobile device would be the ideal medium for enabling verification of those claims, especially given increased availability of biometric technology in these devices. If governments enable their citizens to have a portable digital identity, “smart cities” will allow for the provision of local services such as transportation, communication, healthcare, economic systems, energy systems and waste handling with less friction. They will also have the ability to redesign and improve services by capturing significantly more data about a city’s inhabitants and their behaviors; for example, Transport for London recently gathered information by monitoring mobile phone Media Access Control (MAC) addresses as commuters moved across its network.
However, it will be up to governments to support the implementation of digital identity. Private organizations with detailed insight into transactions, such as banks and telecom companies, can play an important role in ongoing identity verification as a by-product of their activities. Nevertheless, it will take a national – or even international – effort that focuses on the individual and utility for the individual, rather than focusing on the government process, for an initiative to be successful.
And while there are few if any global standards, there are new tools, big data and analytics that can help to algorithmically validate whether a person or organization is who or what they say they are. But gathering and curating this data, connecting it together and assigning a confidence score to the conclusion is still challenging.
Raising a red flag
In fact, a more likely scenario to emerge will simply consist of using algorithms to send “red/amber/green” flags to businesses and governments faced with an identity decision. Those flags will actually enable businesses and governments to speed along transactions (green flags), halt transactions for likely bad actors (red flags) and spend time further assessing those individuals flagged with amber.
It’s becoming clear that there needs to be a platform solution to this, one that will only work if standards are harmonized and tightened, and if potential implementations of new national ID schemes are sponsored and run by government entities. But where are we on that journey – and what are the forces at play that could enable, or limit deployment of, such nationally sponsored schemes? For the foreseeable future, expect to see a very fractured landscape with strong focus on data aggregation, algorithmic confidence scoring and grouping of transactions trying to solve for the common question of any identity transaction: What is the risk to my business, to my government and/or to my nation of allowing this transaction to take place?