Banks and digital IDs*

In CapGemini’s “Top 10 Trends in Retail Banking 2018”, they highlight “banks leveraging digital IDs beyond authentication” as their third most important trend. As it happens, I was talking about this earlier in the week in Trondheim at Betalingsformidling 2018, where I was asked to give a talk about the open banking era and the potential responses from incumbent banks.

Trondheim 2018

Photo: Betalingsformidling 2018 / Wil Lee-Wright Photography.

Now, I suppose that to a great many of you this really won’t be any surprise, since anybody who thinks about the mechanics of commerce in a connected age must already have come to the conclusion that digital identity is core to the new economy. That’s a superficial and almost trivial point to make, but it masks great complexity because choices that are being made right now about how digital identity is going to work in the future will have a profound impact on the shape and nature of all of society.

Of course, I don’t what identity is going to look like in the future any more than anybody else does (even if I do flatter myself that I’ve made some reasonably well-informed guesses on the topic) but I do think we ought to apply a kind of precautionary principle here. Since we don’t know how digital identity going to work, surely we should want it do develop under the auspices of institutions that society can constrain and influence. This is why I’m so convinced that banks should be the institutions to play the leading role as we evolve the tools, techniques and even the etiquette of a reputation economy.

An obvious first step, and one that has been apparent for many years, is to federate bank identity so that it can be used in multiple places. We have many years of experience now and have seen how schemes ranging from bank ID in the Nordics to Aadhar in India (and our own dear gov.verify) have performed in practice so we can make some informed decisions about how digital identity ought to work. We shouldn’t start from the technology, from blockchains and biometrics, and then work backwards to see what the technologists will allow us to have or what corporations will impose given the technological constraints of the day. Right now we should be discussing what society wants from a digital identities and then working out what the best way to implement them might be.

To do this, we need a model that can help banks, regulators, service providers and suppliers communicate and connect so that they can develop concepts and propositions to make some form of bank-centric, potentially cross-border, privacy-enhancing, secure “Financial ID” a reality.

3DID Basic Colour ID Taxnomy Picture

Let’s start with the basic “three domain identity” (3DID) model to create a straightforward framework for understanding and discussing digital identity. Now let’s look at a real example of bank doing some interesting work in this field. BBVA, for example, use this kind of model to map “real”, virtual and digital identities to identification, authentication and authorisation processes. BBVA describe the domains as follows (I’ve added my interpretation of what they mean with reference to a standard Public Key Cryprography, or PKC, implementation):

  • Identification: definition of the attributes that confirm, beyond any shadow of a doubt, that the user is who they say they are and not someone different pretending to be them. BBVA mean this in terms of Know-Your-Customer (KYC) of course, so what this means in practice is that the private key must be bound to the correct individual(s).

  • Authentication: verification through credentials that the user is the customer they say they are (username and password, OTP, digital certificates and others).  Obviously with PSD2 this means implementation of some form of 2FA to comply with the RTS on SCA.

  • Authorization: the financial service providers (TPP) with a license to operate must be given authorization by the customers before they can access their accounts. They need to have proof of consent, which can be obtained through access tokens. I would generalise this point away from banking, as per the CapGemini comments, to talk about tokens for access to a wider range of services than simply bank accounts.

Earlier this week I posted about digital identities (as opposed to digitised identities) and made the point that we are interested in electronic transactions, transactions that take place between virtual identities (that is, identities that exist only in the imagination of computers) we are primarily interested in the Authorisation Domain. I’ll come back to this in a moment, but for now let us assume that that Authentication Domain is essentially a solved problem and we don’t need to come back it in this discussion. My assumption is, that banks have strong authentication in place and that they use appropriate standards (eg, FIDO) so that they have device independence. In practical terms, in the world as it is now, this means that I can authenticate my bank Digital Identity (that is, I can demonstrate ownership of that private key) using any smartphone.

The problem then all comes to down standardisation and mutual recognition of credentials in the Authorisation Domain. Let’s take a simple example has been discussed many times recently: IS_OVER_18. Suppose I want to log on and join a Wine Club. The wine club needs to know that I am over 18, so it wants to see a virtual identity that includes the IS_OVER_18 credential (that is, an IS_OVER_18 attribute digitally-signed by someone that the Wine Club trusts – and by “trusts” I of course mean “can take legal action against and recover damages from if the credential is incorrect). The Wine Club would obviously trust banks, so this should be straightforward: provided that we have standardised the Virtual Identity (an X.509 certificate, for example, or an Evernym DID) and that we have standardised the attribute (let’s assume there is an XML dictionary somewhere that defines IS_OVER_18) and that can can recognise the digital signature from an organisation that is on our list of trusted organisations.

As I pointed out in Trondheim, this is a way for banks to participate in transactions, providing a useful service that is unrelated to payments or transaction fees. I, of course, understand that this means it will take sector-wide progress in the Identification Domain, practical implementation in the Authentication Domain and some commitment and co-ordination to get a working set of services in the Authorisation Domain. My question is why haven’t banks taken on board what Cap Gemini said in their report (and I’ve been saying with exhausting repetition for more than a decade) to come together to create the standards and definitions to move forward?

Or, to put it another way, where is the MasterCard or Visa for identity (and is it MasterCard or Visa?).

To the Mooooooooon!

 

I’ll be testing my assumptions and asking these kinds of questions in Singapore at Money2020 Asia, by the way, as I’m chairing the session on Exploring Digital Identities on 15th March and welcoming some old and very well-informed friends – including Victoria Richardson from AusPayNet, Shamir Karkal from Omidyar, Teppo Pavlova from BBVA and Andy Tobin from Evernym – who will help me open up the topic for the audience. Do come along to “The Moon” at 11am and join us.

* Again.

Digital identity cards, not digitised identity cards

You all know who Marshall McLuhan was, right? And that he predicted not only the internet but its impact on society

Born in Canada in 1911, McLuhan studied at the University of Manitoba and University of Cambridge before becoming a lecturer at the University of Toronto. He rose to prominence in the 1960s for his work as a media theorist and for coining the term “global village”, which was a prescient vision of the internet age.

Half a century ago, he said of the networked world he predicted that “In the new electric world, where everybody is involved with everybody, where everybody is involved in complex processes, the old identity cards, the old means of finding out who am I, will not work”. I wish that more people would take this on board, give up trying to digitise the old identity systems and start building the new digital identity system we need.

Here’s an example. I notice (via my friends at One World Identity) that the Australian state of New South Wales is soon to provide citizens with “digital driver’s licenses, stored on a user’s smartphone, allowing them to ditch their physical ID card”. I read that article and it seems to me that these aren’t digital driver’s licenses or anything like them. They are digitised driver’s licences, nothing more than virtual shadows of their mundane progenitors. They have no functionality beyond their heritage in industrial age bureaucracy and provide absolutely nothing new to the new economy.

We need digital identity, not digitised identity, a point I intend to make loud and clear in Washington on 26th and 27th March, where I will be chairing the 2nd KnowID conference. And I’ll be talking about McLuhan, because McLuhan had this notion of identity as smeared across entities, depending on the relationships and interactions between identities (what Ian Grigg calls “edge” identity). If this is indeed the correct vision for post-industrial online identity (and since he was right about most other things, I’m certainly not going to call McLuhan out on this one) then what would it mean for the driving licence?

Well, I (and others) have long argued that shifting to an infrastructure where transactions are between virtual identities and enabled by credentials is the way forward. Hence the right way to see a driving licence is as a bundle of credentials. How would we use those credentials? To make claims that we need in order to enable the transactions. In Phil Windley’s “Self-Sovereign Identity and the Legitimacy of Permissioned Ledgers” he says, if I interpret him correctly, that a claim is the process of providing a credential and authenticating its use in order to obtain authorisation. I like the “claims are processes” way of thinking and it seems like a reasonable working definition, so let’s move forward with that, using my favourite Three Domain Identity (3DID) as the framework.

 The Three Domain Identity (3DID) Model

The attributes that are needed in the Authorisation Domain might be very varied, but for sake of the discussion, let’s assume that in the case of the driving licence there are three claims that should be supported:

  • A policeperson might need to know who you are.

  • A car rental company might need to know that you are allowed to drive.

  • A bar might need to know that you are over 18.

Now the digitised driving licence doesn’t know who is asking, what they are asking for, or whether they are allowed to ask for it. So it shows everybody everything and (in the general case) they have no idea whether any of the claims are true or not. But a digital driver’s licence could know all of these things. So when the policeperson asks your digital driving licence who you are, your digital driving licence can check the digital signature of the request and the authorisations that come with them. The digital driving licence knows that the bar can ask if you are over 18, but not who you are because it’s none of their business – although the licence may return a service provider-specific meaningless but unique number (MBUN) that the bar can use for loyalty (and barring). I cannot stress just how much of a new idea this is not. A decade ago John Elliot, Neil McEvoy and I wrote a chapter called “This Is Not Your Father’s ID Card” for the book “Digital Identity Management”. In it, we said that:

Because computers, biometrics and digital signatures can work together to disclose facts about someone without disclosing their full identity. Your ID card could, for example, send a message to a machine confirming that you are over 18 without disclosing who you are or what your citizen number is.

I’m sure we were not the only people to have realised this. The problem then, and now, is that the people in charge of identity cards, and driving licences, and passports and all of the other identity infrastructure, still see these documents only as dumb emulations of paper and not as what they are: nodes in an identity network. They are nodes and our identities, to go with Ian’s formulation, are the edges between them.

All very well, I can hear you saying. All very nice in theory. But what about deployment? How would will you connect up all of the bars and car rental counters and police cars and so on. What would the person in the bar use to interrogate your digital driving licence? Well, their digital driving licence of course! Surely one of the defining characteristics of the digital age driving licence that has a computer in it and is now a node is that… it can talk to other driving licences. There is a beautiful symmetry to this: no digital driving licence is different from any other digital driving licence, nor privileged above any other digital driving licence. No need to for custom equipment. Every has the same digital driving licence – you, the cop, the barman – but these licenses are loaded with different claims.

So this is how Phil Windley’s claims work in practice then: I want to get a drink so in the Authorisation Domain the barman sets his digital driving licence (a smartphone app) to request a claim for IS_OVER_18 and then via NFC, Bluetooth or QR code interrogates my digital driving licence (a smartphone app). My smartphone app sees that his request is signed by a valid licensing authority and has not expired and checks what credentials it has to hand. It discovers two virtual identities containing the relevant IS_OVER_18 attribute: one from the Driving License Authority and from my car insurance company. It selects the first one and sends it to the barman’s app.

(The virtual identity contains a unique identifier, a public key, a number of attributes and a digital signature.)

The barman’s app checks the signature and recognises that it is valid. Since the barman is using his smart driving licence app it either stores or has access to the public keys of the driving licence authorities, car insurance companies, car rental companies and so on. My smart travel app would have similar information for airlines and car rental companies, hotel companies an so on. The barman’s driving licences sends back a message encrypted using the public key. My app can decode this, because it has the corresponding private key, so in the Authentication Domain it asks for me to authenticate myself. I use my fingerprint or PIN or whatever and the app decodes the message. Then it replies to the barman’s app. The barman’s app now knows that I have the corresponding private key and thus it can accept that IS_OVER_18 applies to me.

The claim as process – I want to see a virtual identity that contains a credential that includes this attribute / here is a suitable credential / OK, so prove it is yours / here you go, I decoded your message / Thanks, now I’m happy to serve you – delivers both security and privacy and shows that we use digital identity to create an infrastructure that goes far beyond emulating our broken physical industrial age identity system to provide something so much better,

It’s time to move on from the cardboard age to the communication age, and I hope that you’ll join me at KnowID to discuss all of that latest developments in the digital identity space and to formulate practical strategies for making the long-overdue change to digital identity in the mass market, whether centralised, decentralised, federated or whatever else might work. 

Noted author talks fraud at Royal Institution

What a piece of luck! I was giving a talk at the CallCredit Fraud Summit at the Royal institution in London and I chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that is worth amplifying. As Chris Green (CCO at Call Credit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.

Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report “A Verifiable Success — The future of identity in the UK” (August 2017) which noted that identity verification processes in the UK have not kept up with either technological or social change and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.

RI

I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (“C”,  the head of MI6 which is James Bond’s department of the British intelligence services) who explained just how hard it is to be a spy these days. In the old days, it was easy. Just grab a fake passport out of the draw and off you go. But, as the chief spy pointed out, today social media means that it is far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be a James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity and I think the audience liked it!

So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself.

RI

 

 I think Jeffrey really appreciated my hints and suggestions but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence I was able to whip out a copy of the day’s Times and wave it around to great effect at the appropriate point in my presentation!

RI

The point that I was making, of course, is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to stop forward with a vision for a better identity future! Where is this person! I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.

So why is identity not fixed yet?

As I tried to persuade the audience, if we are going to make any progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explain this using the three domain model, as shown on the slide below, and hopefully demonstrated just how powerful this view of identity is.

3DID Basic Colour

 

We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. So my Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating sites can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities. When the Internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.

One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures is. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, then I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any PII.

This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure.

Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Call Credit for asking me along to share this vision with their audience.

Estonia is a real place

My little corner of the internet seems awash with tales of a mythical utopia that goes by the name of Estonia. Since my little corner is the digital identity corner, I’ve been hearing about digital identity in Estonia more and more. At meetings and conferences, on social media and in conversation, I hear people talking about the Estonian national identity scheme that uses a blockchain. The Harvard Business Review, for example, tells us that “since 2007 Estonia has been operating a universal national digital identity scheme using blockchain”. This sort of thing crops up on Twitter from time to time. I’m not sure if some of the people tweeting about the Estonian national digital identity blockchain know that Estonia is actually a real place and that some people (e.g., me) have been there. In fact, here is a picture of me in Tallin to prove it.

 Me in Tallin

The Estonian national digital ID scheme launched in 2002. A decade ago a colleague of mine at Consult Hyperion, Margaret Ford, interviewed Mart Parve from the Estonian “Look@World” Foundation in the long standing “Tomorrow’s Transactions” podcast series (available here). Mart was responsible for using the smart ID service (both online and offline) to help Estonia develop its e-society. If you listen carefully to them talking, you will notice that they never mention the blockchain, which is unsurprising since Satoshi’s Nakamoto’s paper on the subject was not published until more than a year later, in October 2008.

The strangeness of the obsession with Estonia in blockchain circles began to bother me after I was invited along to a blockchain breakfast (seriously) at the House of Lords last year. The invitation came because I had been asked to contribute to the Parliamentary Office of Science and Technology (POST) work on distributed ledger and the purpose of the breakfast was to discuss this report. The breakfast was hosted by Stephen Metcalfe MP, chair of the Science and Technology Committee. Sir Mark Walport, the Government’s Chief Scientific Adviser (GCSA), opened the proceedings. Sir Mark had authored the Government Office for Science report on “Distributed Ledger Technology: beyond blockchain” earlier in the year. In it, he focused on a particular kind of distributed ledger, the Bitcoin blockchain, and attempted to explain it to the general reader and then explore some of the potential uses.

(From here on I insist to sticking to the term that Richard Brown of R3 and I started using a couple of years ago “shared ledger technology” (SLT) as the general description because I feel that the fact that multiple organisations share the ledger is more important than its architecture.)

Personally, I found the report slightly confusing because it was jumping between ledgers, blockchains, the bitcoin blockchain and bitcoin almost on a paragraph by paragraph basis. What’s more, and I realise that I read the document from a very technical perspective and that I may see some of these things therefore in the wrong context, I think the report might have benefited from some more description of shared ledgers, and the reasons why Moore’s Law and falling communications costs have made the core idea of everyone storing every transaction a plausible architecture. Here’s the way that my colleagues at Consult Hyperion and I started to think about the ledger a couple of years ago, the “4Cs” model that has worked rather well.

Consensus Computer Model

I prefer to use this layered approach to explain the key components of a shared ledger and then develop ideas around different choices in those layers. Different choices in consensus technology, for example, lead to a variety of different possibilities for implementing a shared ledger. In order to help categorise these possibilities, and narrow them down to make useful discussions between the strategists and technologists, I use the taxonomy that Consult Hyperion developed to distinguish between different kinds of public and private ledgers. Rather flatteringly, Sir Mark used a simplified version of the this model on page 19 of his report.

When the report came out I said that it might be considered reckless to disagree with the GCSA, but I just did not (and do not) see cryptocurrency as a sensible government option for digital currency. Anyway putting my nerdy criticisms to one side, Sir Mark’s conclusions (which were essentially that the technology is worth exploring in government contexts) were surely correct. He said that permissioned ledgers (i.e., not the Bitcoin blockchain) are appealing for government applications and I’m sure he was right about this, although I remain sceptical about some of the suggested government uses that are based on costs or efficiency. I think that his suggestions around applications that focus on transparency are the more interesting areas to explore in the short term and they would be my focus if I were looking to start exploratory or pilot projects in the field. I share the Open Data Institute’s view on this, which is that blockchains could be used to build confidence in government services, through public auditability.

House of Blockchain

When it came time for my contribution, by the way, I said that it wasn’t at all clear to me that it was accurate to describe Bitcoin as a decentralised system since almost all of the hashing power resides with a very small number of unaccountable mining pools based in China but, more importantly that

  1. It seems to me that many of the efforts to move shared ledgers into the marketplace have concentrated on shaping shared ledgers to emulate existing solutions in the hope that SLTs will be faster, higher or stronger. These are all unproven assertions. It is possible that a shared ledger replacement for RTGS might be cheaper, or more resilient or more functional that the currency centralised solution, but who knows?

  2. The transparency of the shared ledger, the aspect that most doesn’t work for current solutions in current markets, may well turn out to be the most important characteristic because it allows for ambient accountability and therefore opens up the potential for new kinds of markets that are far less costly and complex to regulate, manage, inspect and audit. This is the “shared ledger as regtech not fintech meme” that I am rather fond of.

  3. Just as the invention of double-entry bookkeeping allowed for the creation of new kinds of enterprise, so it seems to me that the shared ledger will similarly lead to new kinds of enterprise that use the shared ledger application (the SLAPP) as the engine of progress and the focus of innovation. I assume that there are kids in basements experimenting with SLAPPs right now and that this is where the breakthrough use case will come from. As I said some time ago in a discussion about shared ledgers for land registry, turning the ledger into a platform may be the most important reason for shifting to this implementation.

At the breakfast, Sir Mark said that the goal of the POST reports is to demystify technology for policy makers although I have to report that in his closing remarks he said that we had not been entirely successful in this enterprise and I fully concur with his opinion. That’s not why I’m talking about it breakfast at the House of Lords here though. Back to Estonia! At one point, the breakfast discussion moved on to the Estonian electronic identity system. At this point I expressed some scepticism as to whether the Estonian electronic identity system was on a blockchain. The conversation continued on the basis that it was. Then to my shame I lost it and began babbling “it’s not a blockchain” until the chairman, in an appropriate, gentlemanly and parliamentary, told me to shut up.

The point that I was trying to make was that the Estonian ID scheme, launched in 2002, has nothing to do with shared ledgers or mutual distributed ledgers or blockchains. As it happens, a some time after my breakfast with their lordships, I had another breakfast, this time with the new CIO of Estonia, Siim Sikkut

sikkut17 

I asked Siim where this “Estonian blockchain ID” myth came from, since I find it absolutely baffling that this urban legend has obtained such traction.  He said that it might be something to do with people misunderstanding the use of hashes to protect the integrity of data in the Estonian system. Aha! Then I remembered something… More than decade ago I edited the book “Digital Identity Management” and Taarvi Martens (one of the architects of the Estonian scheme) was kind enough submit a case study for it. Here is an extract from that very case study:

Long-time validity of these [digitally-signed] documents is secured by logging of issued validity confirmations by the Validation Authority. This log is cryptographically secured by one-way hash-function and newspaper-publication to prevent back-dating and carefully backed up to preserve digital history of mankind.

Well, there we have it. It looks as if the mention of the record of document hashes has triggered an inappropriate correlation amongst observers and, as Siim observed, it may indeed be the origin of the fake news about Estonia’s non-existent digital identity blockchain.

(This is a revised and edited version of post that first appeared on Consult Hyperion’s “Tomorrow’s Transactions” blog in March 2017.)