What a piece of luck! I was giving a talk at the Callcredit Fraud Summit at The Royal Institution in London and chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that’s worth amplifying. As Chris Green (CCO at Callcredit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.
Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the UK government. Given that the Social Market Foundation (SMF) has just issued its report, ‘A Verifiable Success – The future of identity in the UK’ (August 2017), which notes that identity verification processes in the UK haven’t kept up with either technological or social change, and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.
I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (‘C’, the head of MI6, which is James Bond’s department of the British intelligence services), who explained just how hard it is to be a spy these days. In the old days, it was easy: just grab a fake passport out of the drawer and off you go. But, as the chief spy pointed out, these days social media means it’s far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy.
To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity, and I think the audience liked it!
So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself. I think he really appreciated my hints and suggestions, but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk, I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence, I was able to whip out a copy of the Times and wave it around to great effect at the appropriate point in my presentation!
The point I was making, of course, is that identity isn’t just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to step forward with a vision for a better identity future! Where is this person? I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago, in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.
So why is identity not fixed yet?
As I tried to persuade the audience, if we’re going to make any progress, we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet, but as the cornerstone of digital relationships (therefore reputation) in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explain this using the three-domain model, as shown in the slide below, and hopefully demonstrated just how powerful this view of identity is.
We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to an example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point, it bounces me to my bank, where I carry out the appropriate two-factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the dating site, which tells them that I am indeed over 18, resident in the UK and have funds available for them to bill against. In this example, my real identity is safely locked up back in the bank vault, but it has been bound to a virtual identity, which I can use for online interactions. So my internet dating persona contains no personally identifiable information (PII), but if I use that persona to get up to no good, the dating sites can provide the token to the police, the police can see that the token comes from Barclays, and Barclays will tell them it belongs to Dave Birch.
This seems to me a very appropriate distribution of responsibilities. When the internet dating site gets hacked, as they inevitably do, all that the criminals will obtain is a meaningless token; they have no idea who it belongs to and Barclays won’t tell them.
Things always go wrong, right?
One of the key attractions of this architecture (and I’m sure I’m not the only person who thinks this) is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures are. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, I would expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place, without disclosing any PII.
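The token flow described above (the bank attests attributes, the site sees only a meaningless token, the bank can revoke it after an account takeover, and only the bank can map it back to a person) as an added example; this is illustrative code, not the article’s or any bank’s real system. It assumes a stdlib-only toy in which an HMAC stands in for the public-key signature a real deployment would use, so here the verifier must ask the bank rather than check a signature itself; the bank name, claims and customer are constructed.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Bank:
    """Identity provider: holds the real identity, hands out attribute tokens."""
    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)   # signing key, never leaves the bank
        self._personas = {}                   # persona id -> real customer (bank-only)
        self._revoked = set()

    def issue_token(self, customer, claims):
        """Called once the customer has passed two-factor authentication at the bank."""
        persona = secrets.token_hex(16)       # random handle, meaningless to anyone else
        self._personas[persona] = customer
        body = {"iss": self.name, "sub": persona, "iat": int(time.time()), **claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + tag           # no PII anywhere in the token

    def verify(self, token):
        """Returns the claims if the token is genuine and not revoked, else None."""
        payload, _, tag = token.partition(".")
        good = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, tag):
            return None                      # forged or tampered token
        body = json.loads(_unb64(payload))
        return None if body["sub"] in self._revoked else body

    def revoke(self, token):
        """Account takeover: kill the persona; the site learns only the handle."""
        persona = json.loads(_unb64(token.partition(".")[0]))["sub"]
        self._revoked.add(persona)
        return persona

    def resolve(self, token):
        """Only the bank can map a token back to a person (e.g. for the police)."""
        return self._personas.get(json.loads(_unb64(token.partition(".")[0]))["sub"])

def site_accepts(bank, token):
    """Relying party: admit the persona only if the bank vouches for all three claims."""
    c = bank.verify(token)
    return bool(c and c.get("over_18") and c.get("uk_resident") and c.get("funds_available"))
```

A breach of the site yields only the token string: the persona handle and the attribute flags, with nothing that names the customer.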
This is important, because PII is in essence a kind of toxic waste that no company really wants to deal with unless it absolutely has to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence, the complete cycle needs to be thought through, because it would be crazy to have an infrastructure that protects my personal data when the system is operating normally, but gives it up when the system fails or when we attempt recovery from failure.
Digital identity gives us a vision of how to do this in our new online world. It’s how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Callcredit for asking me along to share this vision with their audience.
– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations.