Mark Carney (and me) and digital ID

The governor of the Bank of England, the Canadian ex-Goldman Sachs economist Mr. Mark Carney, recently suggested that digital ID cards “would make it safer for people to access money online”. He is sort-of-correct. We do indeed need to do something to stop the relentless increase in identity-related fraud and scams (such as, for example, “man receives surprise message purporting to be from Mark Carney offering multimillion-dollar sum”) because we need to make substantial improvements in both the security and privacy of online financial services (as well as a step-change in convenience) and we need it urgently.

I don’t think that a digital ID card is quite the solution though, because I prefer a more sophisticated solution that is based on digital identities for everything and multiple personae for transactional purposes, but that’s splitting hairs at a high level. I am right behind Mr. Carney on the need for a solution, although I think he was wrong when he went on to say that such a scheme could also prove controversial and could “only be introduced by the Government rather than the Bank of England”. In my opinion he is mixing up the controversial idea of a national digital identity card of some kind (and he may well be unaware of the government’s decision to stop funding their gov.verify online identity scheme) with the uncontroversial notion of some form of secure and convenient identity management for the purposes of interacting with regulated financial institutions.

Only a day after Mr. Carney’s remarks, the Emerging Payments Association (EPA) released its report on money laundering and payments-related financial crime, calling for UK financial institutions and payment processors to create a “national digital identity scheme to tackle these threats”. So let’s take this national digital identity for financial services and digital ID card for online identity checking in Mr. Carney’s terms and call the concept, for sake of brevity, the Financial Services Passport, or FSP.

I don’t know if Mr. Carney has read my 2014 book Identity is the New Money (still available from all good bookshops and Amazon), but in there I wrote that one very specific use of a digital identity infrastructure “should be to greatly reduce the cost and complexity of executing transactions in the UK by explicitly recognising that reputation will be the basis of trust and therefore transaction costs. The regulators should therefore set in motion plans for a Financial Services Passport”.

A few years ago, I spent some time as co-chair (with Ian Jenkins of Deloitte) of the techUK Financial Services Passport Working Group. I was working on the concept of a financial services passport with a bunch of smart people and no-one took the slightest interest in this obviously sensible concept, and I do not remember observing any inclination by the UK’s banks to work together on it.

That techUK Working Group, incidentally, was created because of recommendations of an earlier techUK report “Towards a New Financial Services” developed through 2013. Section 3 of this report is actually called “Identity and Authentication: Time for a Digital Financial Services Passport”. The conclusion of that section was: 

There is clearly a need to look again at identity authentication in financial services. In addition to creating inconvenience for consumers, the current approach is expensive to maintain and inadequate in serving an increasingly digital financial services industry. As trusted authenticators of identity, a new standardised approach by financial services organisation could enable wider societal benefits, while also unlocking new opportunities for the industry. However, moving from the current fragmented identity infrastructure to a standardised financial services passport would require overcoming several challenges; from the competitive dynamics in financial services, to the extent and scope of liability, whilst simultaneously maintaining KYC and AML compliance.

In the first instance, the scope of a financial services passport needs to be more clearly defined. This requires a technology roadmap that can match objectives and requirements in managing digital identities in financial services with technical solutions and provide a feel for how trends may already be shaping the market in this space.

So what would a practical financial services passport actually look like? In the techUK discussions, we explored three broad architectures using the technology roadmap referred to above. 

  1. A centralised solution, some sort of KYC utility funded by the banks. This was seen as being the cheapest solution, but with some problems of governance and control. It could also be a single point of failure for the financial system and therefore unwise given that we are now in a cyberwar without end.

  2. A decentralised “blockchain” (it wouldn’t really be a blockchain, of course, it would be some form of shared ledger) where financial institutions (and regulators) would operate the nodes and all of the identity crud (“create, read, update and delete”) would be recorded permanently.

  3. A federated solution where each bank would be responsible for managing the identities of its own customers and providing relevant information to other banks as and when required. 

At the time, I thought that the third option was probably best but I’m open to rational debate around the topic. The way that I envisage this working was straightforward: my bank creates a financial services passport using the KYC data that it already has and “stamps” the passport with a minimum set of attributes needed to enable transactions. So Barclays would create an FSP for me. Then, when I go to Nationwide to apply for a mortgage, I could present that FSP to Nationwide and save them (and me) the time, trouble and cost of KYC. Instead of asking me for my bank account details, home address and inside leg measurement, Nationwide can use the stamps in my passport.

As I recall, the technology bit of this was easy but there were two discussions about this that were difficult. One was about liability (I advocate the “Identrust model” of transaction liability) and the other was about payment (I advocate an interchange model where the organisation using the passport pays the passport originator).

Let’s just say for sake of argument though that in response to Mr. Carney’s comments, the FCA decided on a federated solution using the three-domain identity (3DID) model. It would look like this:

[Figure: 3DID Bank Framework]

All of the standards and technologies needed to make this happen already exist except in one area. The banks already do the KYC in the Identification Domain, we have FIDO and biometrics and mandatory Secure Customer Authentication (SCA) in the Authentication Domain and the tools that we need in the Authorisation Domain.

Let’s imagine that the digital identity is, basically, a key pair. In this case, the virtual identity is then a public key certificate that carries the attributes – the data about a person – that is necessary to enable transactions, as shown below. The attributes are digitally-signed by organisations that are trusted. This is where we need some standardisation to define attributes (eg, IS_A_PERSON, IS_OVER_18, HAS_OVERDRAFT_AGREEMENT or whatever). Were the Bank of England to make the banks get their act together and start doing something about this, maybe they could do what they did for Open Banking and set up a Financial Passport Implementation Entity (FPIE) to draw up the formats and standards for Persona that can be used by developers to start work right away.

[Figure: Virtual Financial Services]

Note that this special case, where the virtual identity is the same as the “real” identity, is only one case. Barclays and others might well give me (or charge me for) other virtual identities, with the most obvious example being an “adult” identity that does not contain any personally-identifiable information for use in internet dating and so on.

In 2014, I wrote “what about a financial services passport?”. It is a testament to the power of my writing and my great influence in the financial services community that it has taken a mere five years for this idea to reach the governor and for him to put it forward as a way to “harmonise the various different systems of online identity checking”. Let’s hope that more people listen to him than listened to me.

Digital identity cards, not digitised identity cards

You all know who Marshall McLuhan was, right? And that he predicted not only the internet but its impact on society.

Born in Canada in 1911, McLuhan studied at the University of Manitoba and University of Cambridge before becoming a lecturer at the University of Toronto. He rose to prominence in the 1960s for his work as a media theorist and for coining the term “global village”, which was a prescient vision of the internet age.

Half a century ago, he said of the networked world he predicted that “In the new electric world, where everybody is involved with everybody, where everybody is involved in complex processes, the old identity cards, the old means of finding out who am I, will not work”. I wish that more people would take this on board, give up trying to digitise the old identity systems and start building the new digital identity system we need.

Here’s an example. I notice (via my friends at One World Identity) that the Australian state of New South Wales is soon to provide citizens with “digital driver’s licenses, stored on a user’s smartphone, allowing them to ditch their physical ID card”. I read that article and it seems to me that these aren’t digital driver’s licenses or anything like them. They are digitised driver’s licences, nothing more than virtual shadows of their mundane progenitors. They have no functionality beyond their heritage in industrial age bureaucracy and provide absolutely nothing new to the new economy.

We need digital identity, not digitised identity, a point I intend to make loud and clear in Washington on 26th and 27th March, where I will be chairing the 2nd KnowID conference. And I’ll be talking about McLuhan, because McLuhan had this notion of identity as smeared across entities, depending on the relationships and interactions between identities (what Ian Grigg calls “edge” identity). If this is indeed the correct vision for post-industrial online identity (and since he was right about most other things, I’m certainly not going to call McLuhan out on this one) then what would it mean for the driving licence?

Well, I (and others) have long argued that shifting to an infrastructure where transactions are between virtual identities and enabled by credentials is the way forward. Hence the right way to see a driving licence is as a bundle of credentials. How would we use those credentials? To make claims that we need in order to enable the transactions. In Phil Windley’s “Self-Sovereign Identity and the Legitimacy of Permissioned Ledgers” he says, if I interpret him correctly, that a claim is the process of providing a credential and authenticating its use in order to obtain authorisation. I like the “claims are processes” way of thinking and it seems like a reasonable working definition, so let’s move forward with that, using my favourite Three Domain Identity (3DID) as the framework.

[Figure: The Three Domain Identity (3DID) Model]

The attributes that are needed in the Authorisation Domain might be very varied, but for sake of the discussion, let’s assume that in the case of the driving licence there are three claims that should be supported:

  • A policeperson might need to know who you are.

  • A car rental company might need to know that you are allowed to drive.

  • A bar might need to know that you are over 18.

Now the digitised driving licence doesn’t know who is asking, what they are asking for, or whether they are allowed to ask for it. So it shows everybody everything and (in the general case) they have no idea whether any of the claims are true or not. But a digital driver’s licence could know all of these things. So when the policeperson asks your digital driving licence who you are, your digital driving licence can check the digital signature of the request and the authorisations that come with them. The digital driving licence knows that the bar can ask if you are over 18, but not who you are because it’s none of their business – although the licence may return a service provider-specific meaningless but unique number (MBUN) that the bar can use for loyalty (and barring). I cannot stress just how much of a new idea this is not. A decade ago John Elliot, Neil McEvoy and I wrote a chapter called “This Is Not Your Father’s ID Card” for the book “Digital Identity Management”. In it, we said that:

Because computers, biometrics and digital signatures can work together to disclose facts about someone without disclosing their full identity. Your ID card could, for example, send a message to a machine confirming that you are over 18 without disclosing who you are or what your citizen number is.

I’m sure we were not the only people to have realised this. The problem then, and now, is that the people in charge of identity cards, and driving licences, and passports and all of the other identity infrastructure, still see these documents only as dumb emulations of paper and not as what they are: nodes in an identity network. They are nodes and our identities, to go with Ian’s formulation, are the edges between them.

All very well, I can hear you saying. All very nice in theory. But what about deployment? How will you connect up all of the bars and car rental counters and police cars and so on? What would the person in the bar use to interrogate your digital driving licence? Well, their digital driving licence of course! Surely one of the defining characteristics of the digital age driving licence that has a computer in it and is now a node is that… it can talk to other driving licences. There is a beautiful symmetry to this: no digital driving licence is different from any other digital driving licence, nor privileged above any other digital driving licence. No need for custom equipment. Everyone has the same digital driving licence – you, the cop, the barman – but these licences are loaded with different claims.

So this is how Phil Windley’s claims work in practice then: I want to get a drink so in the Authorisation Domain the barman sets his digital driving licence (a smartphone app) to request a claim for IS_OVER_18 and then via NFC, Bluetooth or QR code interrogates my digital driving licence (a smartphone app). My smartphone app sees that his request is signed by a valid licensing authority and has not expired and checks what credentials it has to hand. It discovers two virtual identities containing the relevant IS_OVER_18 attribute: one from the Driving License Authority and one from my car insurance company. It selects the first one and sends it to the barman’s app.

(The virtual identity contains a unique identifier, a public key, a number of attributes and a digital signature.)

The barman’s app checks the signature and recognises that it is valid. Since the barman is using his smart driving licence app it either stores or has access to the public keys of the driving licence authorities, car insurance companies, car rental companies and so on. My smart travel app would have similar information for airlines and car rental companies, hotel companies and so on. The barman’s driving licence sends back a message encrypted using the public key from my virtual identity. My app can decode this, because it has the corresponding private key, so in the Authentication Domain it asks for me to authenticate myself. I use my fingerprint or PIN or whatever and the app decodes the message. Then it replies to the barman’s app. The barman’s app now knows that I have the corresponding private key and thus it can accept that IS_OVER_18 applies to me.

The claim as process – I want to see a virtual identity that contains a credential that includes this attribute / here is a suitable credential / OK, so prove it is yours / here you go, I decoded your message / Thanks, now I’m happy to serve you – delivers both security and privacy and shows that we use digital identity to create an infrastructure that goes far beyond emulating our broken physical industrial age identity system to provide something so much better.
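The exchange above, worked through as an added example (not code from the original post or from any real licence app). It assumes a JSON wire format, Ed25519 signatures for the licensing authority and the issuers, and RSA-OAEP for the encrypted challenge; every function, party and identifier name is hypothetical.

```javascript
const crypto = require('node:crypto');

// Ed25519 signatures over an object's JSON form (a constructed wire format).
const sign = (obj, key) =>
  crypto.sign(null, Buffer.from(JSON.stringify(obj)), key).toString('base64');
const verify = (obj, sig, key) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), key, Buffer.from(sig, 'base64'));

// Constructed parties: a licensing authority that entitles verifiers to ask for
// claims, and two issuers. A real verifier would hold only their public keys.
const authority = crypto.generateKeyPairSync('ed25519');
const issuers = {
  'driving-licence-authority': crypto.generateKeyPairSync('ed25519'),
  'car-insurer': crypto.generateKeyPairSync('ed25519'),
};

// Issuer binds attributes to the holder's public key: the "virtual identity".
function issue(issuer, id, holderPublicPem, attributes) {
  const body = { id, issuer, publicKey: holderPublicPem, attributes };
  return { body, sig: sign(body, issuers[issuer].privateKey) };
}

// Verifier side: a request for one claim, signed by the licensing authority.
function makeRequest(verifier, claim, expires, signingKey = authority.privateKey) {
  const body = { verifier, claim, expires };
  return { body, sig: sign(body, signingKey) };
}

// Holder side: check the request, then pick the first credential with the claim.
function selectCredential(wallet, request, now) {
  if (!verify(request.body, request.sig, authority.publicKey)) throw new Error('not authorised');
  if (request.body.expires <= now) throw new Error('request expired');
  const match = wallet.credentials.find(c => c.body.attributes.includes(request.body.claim));
  if (!match) throw new Error('no credential for claim');
  return match;
}

// Verifier side: check the issuer's signature, then encrypt a fresh nonce to
// the public key carried inside the credential.
function challenge(credential) {
  const issuer = issuers[credential.body.issuer];
  if (!issuer || !verify(credential.body, credential.sig, issuer.publicKey)) throw new Error('bad credential');
  const nonce = crypto.randomBytes(32);
  const ciphertext = crypto.publicEncrypt({ key: credential.body.publicKey, oaepHash: 'sha256' }, nonce);
  return { nonce, ciphertext };
}

// Holder side: the private key is used only after local authentication.
function prove(wallet, ciphertext, userAuthenticated) {
  if (!userAuthenticated) throw new Error('holder not authenticated');
  return crypto.privateDecrypt({ key: wallet.privateKey, oaepHash: 'sha256' }, ciphertext);
}

// The whole claim, end to end: true only if every step succeeds.
function runClaim(wallet, request, now, userAuthenticated = true) {
  try {
    const { nonce, ciphertext } = challenge(selectCredential(wallet, request, now));
    return crypto.timingSafeEqual(nonce, prove(wallet, ciphertext, userAuthenticated));
  } catch (err) {
    return false; // a wrong private key makes the OAEP decryption throw
  }
}

// Constructed wallet: one RSA key pair (it must decrypt) and two virtual identities.
function newWallet() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  return { privateKey, credentials: [
    issue('driving-licence-authority', 'vid-001', pem, ['IS_OVER_18', 'CAN_DRIVE']),
    issue('car-insurer', 'vid-002', pem, ['IS_OVER_18'])] };
}

console.log(runClaim(newWallet(), makeRequest('bar-42', 'IS_OVER_18', Date.now() + 60000), Date.now()));
```

A copied credential fails at the last step, because whoever presents it cannot decrypt the nonce without the holder's private key.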

It’s time to move on from the cardboard age to the communication age, and I hope that you’ll join me at KnowID to discuss all of the latest developments in the digital identity space and to formulate practical strategies for making the long-overdue change to digital identity in the mass market, whether centralised, decentralised, federated or whatever else might work.

Noted author talks fraud at Royal Institution

What a piece of luck! I was giving a talk at the CallCredit Fraud Summit at the Royal Institution in London and I chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that is worth amplifying. As Chris Green (CCO at Call Credit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.

Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report “A Verifiable Success — The future of identity in the UK” (August 2017) which noted that identity verification processes in the UK have not kept up with either technological or social change and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.

I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (“C”, the head of MI6 which is James Bond’s department of the British intelligence services) who explained just how hard it is to be a spy these days. In the old days, it was easy. Just grab a fake passport out of the drawer and off you go. But, as the chief spy pointed out, today social media means that it is far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be a James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity and I think the audience liked it!

So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself.

I think Jeffrey really appreciated my hints and suggestions but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence I was able to whip out a copy of the day’s Times and wave it around to great effect at the appropriate point in my presentation!

The point that I was making, of course, is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to step forward with a vision for a better identity future! Where is this person? I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.

So why is identity not fixed yet?

As I tried to persuade the audience, if we are going to make any progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explained this using the three domain model, as shown on the slide below, and hopefully demonstrated just how powerful this view of identity is.

[Figure: 3DID Basic Colour]

We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to the example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. So my Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating sites can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities. When the Internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.

One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures are. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, then I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any PII.
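The bank-issued token and its revocation, as an added example (not code from the original post or from any bank). The token layout, the HMAC-derived pseudonym standing in for the "meaningless but unique number", the rule that only a requester with the role `police` gets a name back, and all function and party names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed bank state: signing key, a secret for deriving pseudonyms, and a
// private ledger mapping pseudonyms back to customers. None of it leaves the bank.
const bank = {
  keys: crypto.generateKeyPairSync('ed25519'),
  pseudonymSecret: crypto.randomBytes(32),
  customers: {
    'cust-1001': { name: 'Constructed Customer', over18: true, ukResident: true, fundsAvailable: true },
  },
  ledger: new Map(), // pseudonym -> { customerId, audience }
};

// Stable for one customer at one relying party, unlinkable across relying
// parties without the bank's secret.
function pseudonym(customerId, audience) {
  return crypto.createHmac('sha256', bank.pseudonymSecret)
    .update(`${customerId}\n${audience}`).digest('hex').slice(0, 32);
}

// Bank side: called only after the customer has passed two-factor authentication.
function issueToken(customerId, audience, twoFactorPassed) {
  if (!twoFactorPassed) throw new Error('customer not authenticated');
  const { over18, ukResident, fundsAvailable } = bank.customers[customerId];
  const body = { iss: 'bank', aud: audience, sub: pseudonym(customerId, audience),
                 over18, ukResident, fundsAvailable };
  bank.ledger.set(body.sub, { customerId, audience });
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(body)), bank.keys.privateKey);
  return { body, sig: sig.toString('base64') };
}

// Relying-party side: needs only the bank's public key and the revocation
// notices it has received so far.
function siteAccepts(token, site, revokedSubs) {
  const ok = crypto.verify(null, Buffer.from(JSON.stringify(token.body)),
                           bank.keys.publicKey, Buffer.from(token.sig, 'base64'));
  return ok && token.body.aud === site && !revokedSubs.has(token.body.sub) && token.body.over18;
}

// Bank side: revoke every token issued for a customer. The notices sent to
// relying parties carry pseudonyms only, never a name or account number.
function revokeCustomer(customerId) {
  const notices = [];
  for (const [sub, entry] of bank.ledger) {
    if (entry.customerId === customerId) notices.push({ aud: entry.audience, sub });
  }
  return notices;
}

// Bank side: only an entitled requester gets the pseudonym mapped to a person.
function resolve(token, requester) {
  if (requester.role !== 'police') throw new Error('not entitled to identity');
  const entry = bank.ledger.get(token.body.sub);
  return entry ? bank.customers[entry.customerId].name : null;
}
```

A breach of the relying party exposes only `sub` and three booleans, and the same customer appears under a different `sub` at every site.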

This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure.

Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Call Credit for asking me along to share this vision with their audience.