Digital identity – a precarious balancing act
According to Research Now, smartphone owners use, on average, six to ten apps every week. Dashlane, a password management service, says that the number of online accounts is doubling every five years. It estimates that the average Internet user already has over 90 accounts and will have more than 200 by 2020. Moreover, it says that the average number of “forgot password” emails per inbox is 37.
Passwords proliferate, security barriers mount and the user experience degrades, even as more and more data leaks from the myriad of accounts we maintain online. Having one digital identity would make our lives infinitely easier. We could quickly and painlessly gain access to whatever service required us to prove our identity. But who would own that identity? Who would ensure its security?
Potential for abuse
The countless mass data leaks and hacks, Edward Snowden’s revelations of a global surveillance infrastructure, and our growing sense that we no longer control what we share with strangers and what we don’t, have exploded into a global debate about the ethics of collecting, storing, and sharing citizen and consumer data. Pivotal legal judgments such as the so-called Right to be Forgotten ruling and the CJEU’s invalidations of the Data Retention regulation in 2014 and the US Safe Harbour agreement in 2015 have given regulators and legislators pause for thought. Added to this, the European Data Protection Reform (GDPR) demands the renegotiation of the roles and power balance between civil society organisations, the private sector, and governments.
Digital identity ecosystems
The GSMA has taken a particularly keen interest in digital identities. Since so much digital access now relies on mobile phones, the mobile standards authority is understandably invested in this issue. It has loosely categorised four digital identity systems in place worldwide:
Government-driven centralised systems, where an individual’s identity attributes are stored in government databases and a state-issued e-ID is used for most digital transactions. Examples: Belgium, Germany, UAE, Italy, Pakistan, Malaysia
Semi-centralised, federated systems of multiple, government-endorsed digital identity providers. Here, citizens are free to choose between multiple trusted identity providers (banks, mobile operators, etc.) and use these credentials to access both public and private digital services via an identity gateway that facilitates authentication across multiple platforms. Examples: Sweden, Finland, the UK, Australia
Decentralised, open identity markets without any national scheme. In this system, public and private sector organisations create, utilise and manage their own digital identities on the basis of a self-regulated framework. Example: The US
Self-asserted digital identity ecosystems driven by the largest online players. In this ecosystem, users choose their own digital identity attributes and no verification against official identity documents is required, resulting in a lower level of assurance. Examples: Facebook, Google, Yahoo
Do financial institutions hold the answer?
Financial services companies are particularly well placed to deliver identity as a service, as many have pointed out. Dave Birch, a UK fintech consultant, says that this is a natural move for banks to make. In his 2014 book, Identity Is the New Money, he argues that the question of identity is central to the future online world, and that it would be natural for consumers to have their digital identities managed by a heavily regulated institution that already protects much of their sensitive information – and their money. This prospect would be far more palatable to consumers than having a company like Facebook take ownership, he believes.
A change like this would bring about a large shift in how people view financial institutions. It may encourage greater customer retention, a very attractive outcome for banks, but many consumers will be reluctant to place all their eggs in one basket, so to speak, without certain assurances. It goes without saying that security would be a central concern, but challenges related to interoperability or portability would also need to be overcome. If someone decides to switch banks, how difficult would it be to change their digital custodian?
Co-operation is key
Public sector agencies such as the European Committee for Standardization (CEN) and NIST, as well as private and non-profit organisations such as the ISO standards body, the OpenID Foundation, the FIDO Alliance and the Secure Identity Alliance, are all weighing in on the issue. The goal of these bodies is to increase interoperability and build open and scalable identity ecosystems. It’s widely argued that the answer may well lie in some sort of public–private partnership.
Developing a broad-based digital identity system would undoubtedly benefit consumers, businesses, and governments alike. Governments could deliver, track, and manage services efficiently and transparently. Companies could rapidly deliver very meaningful improvements to the user experience in a consistent manner across multiple channels. Consumers would enjoy how quickly they could move between their various accounts.
The challenge we all face is how to design, deploy, and regulate digital identities in a practical, secure, and equitable way. The scope and impact of something this fundamental to daily life requires that all involved investigate seriously the ethics of the digital future we are building.
Frans Labuschagne is country manager for the UK and Ireland at Entersekt, heading operations and business development in the region. He has over 15 years’ experience developing and managing technology businesses in Europe, the Middle East, Africa, and Asia-Pacific. Frans has broad knowledge of the payments and financial services industries and has participated in a multitude of initiatives across other industry verticals.
The views expressed are those of the author and are not necessarily those of AlphaCode