Guest blogger David Birch, author and advisor on digital financial services, writes about how we need to refocus on keeping digital and real identities safe.
I recently gave a talk at the Callcredit Fraud Summit 2017: The Cost of Digital Fraud, at the Royal Institution, London, about how our identity infrastructure is broken. Whilst it’s hardly an original theme, it’s one worth amplifying. As Chris Green, CCO, Callcredit, noted in his introduction to the event, identity fraud is heading towards £200 billion per annum. It’s fair to say, without being accused of hyperbole, that identity theft is epidemic.
Is our digital identity infrastructure broken?
In my opinion our identity infrastructure is broken and, worse still, no one seems to really know what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report (August 2017), which notes that identity verification processes in the UK have not kept up with either technological or social change and states: “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion,” it was a good topic to expand on in front of an informed and engaged audience.
I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger. In the feature, ‘C’, the Head of MI6 (James Bond’s department of the British intelligence services), explains how hard it is to be a spy these days.
In the old days, it was easy. Grab a fake passport out of the drawer and off you go. But, as the spy chief pointed out, social media now makes it far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account but ultimately it’s not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny. If you wanted to pretend to be someone now, you would have to have started building a fake LinkedIn profile a decade ago.
Meeting Lord Archer
So what was the piece of luck referenced in the headline? Well, one of the other event speakers was bestselling author and former politician Lord Jeffrey Archer. During some of the downtime I thought it would be helpful to give Jeffrey a few tips on writing books, having just published one myself.
(I think) Jeffrey really appreciated my hints and suggestions. So I went off to grab a cup of coffee and picked up the day’s Times which contained the perfect news story that allowed me to whip out a copy of the paper and wave it around to great effect at the appropriate point in my presentation!
Real identity has complexity and depth
The point that I am making is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to deliver a vision for a better identity future.
I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio recently on a report on the government’s introduction of mandatory age verification for adult websites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (a terrible idea, see for example Ashley Madison) or show their passport to adult sites (an even worse idea).
As I tried to persuade the audience, if we are going to make progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds.
I explain this using the three-domain model that hopefully demonstrates just how powerful this view of identity is and that we need to move our transactions to the right of the model.
We need to move our transactions into the authorisation domain as soon as possible
Let’s go back to the story about the fake spy in the newspaper.
Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two-factor authentication to establish my identity to the bank’s satisfaction. The bank returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. My Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating sites can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities.
However, when the internet dating site gets hacked all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.
One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures are. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any of my Personally Identifiable Information.
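The token flow described above (issuance after bank login, verification by the site, revocation, and disclosure only by the bank), sketched as an added example that is not code from the original post or from any bank. It assumes an HMAC that only the bank can check, so the site verifies a token by asking the bank, where a production design would more likely use an asymmetric signature; the class and method names, the `dating.example` audience, the `GB` country code and the customer record are all hypothetical.

```python
import hashlib, hmac, json, secrets

class Bank:
    """Identity provider: the real identity stays here; sites only ever see tokens."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key never leaves the bank
        self._vault = {}     # customer id -> PII (the "bank vault")
        self._issued = {}    # token id -> customer id; only the bank holds this link
        self._revoked = set()

    def enrol(self, cid, name, age, country, funds_ok):
        self._vault[cid] = {"name": name, "age": age, "country": country, "funds_ok": funds_ok}

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, cid, audience):
        """Run after the customer passes two-factor authentication at the bank."""
        c = self._vault[cid]
        claims = {"jti": secrets.token_hex(16), "aud": audience,
                  "over_18": c["age"] >= 18, "uk_resident": c["country"] == "GB",
                  "funds_available": c["funds_ok"]}  # attributes only, no PII
        self._issued[claims["jti"]] = cid
        body = json.dumps(claims, sort_keys=True)
        return body + "." + self._mac(body)

    def _claims(self, token):
        body, _, tag = token.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._mac(body).encode()):
            return None  # forged or altered token
        return json.loads(body)

    def introspect(self, token, audience):
        """Relying-party check: genuine, issued for this site, not revoked."""
        c = self._claims(token)
        ok = c is not None and c["aud"] == audience and c["jti"] not in self._revoked
        return c if ok else None

    def revoke_all(self, cid):
        """Account-takeover response; returns token ids so sites can be told without PII."""
        ids = [j for j, owner in self._issued.items() if owner == cid]
        self._revoked.update(ids)
        return ids

    def disclose(self, token, lawful_request):
        """The only path from a token back to a name, e.g. for a police request."""
        c = self._claims(token) if lawful_request else None
        return self._vault[self._issued[c["jti"]]]["name"] if c else None
```

A breach of the dating site's database yields only the token strings; without the bank's `_issued` map and vault they resolve to nothing.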
This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure. Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities.