As you may know, the United Kingdom leads the world in digital identity infrastructure and is a beacon to the nations when it comes to the use of new technology for identification, authentication and authorisation. Just kidding of course. Here’s the identity that I used at Money 2020 in Amsterdam last week when I was asked to prove who I was at the registration desk:
Yes, the gold standard for identity cards, the Southern Railway photocard, issued only to qualified commuters after rigorous KYC (you give them a photo and then write your name on the card yourself).
The truth is that we don’t have a digital identity infrastructure (or in fact any other form of identity infrastructure) and the shambolic approach to identity is manifest in a daily litany of frauds, frictions and fantasies (often from the government). Here is an absolutely typical example: a nightclub is issuing its own identity cards since it can no longer rely on any of the other forms of “identification” that are in use. The nightclub manager says that the number of people presenting fake IDs is crazy, so the nightclub is going to issue its own identity cards with a picture on them. In order to get one of these cards, customers will need to present “two forms of up-to-date official ID” (not entirely sure what this means, since there is no “official ID” in the UK) and then in order to get into the club, customers will need either one of these club cards or a passport or a driving licence.
I’ve written about this at tedious length before, but the core of the issue is that the identification mechanisms that are in use (e.g., driving licences) are impossible to validate, and requiring them to be used at all actually leads to more identity fraud because the analogue artefacts employed are stolen, forged and abused in a variety of different ways.
Before I continue with this specific example, let me make a general point about how I think these things should work in an always-on, connected world. First of all, retailers and other service providers should all have their own virtual identity, or persona, for every customer because they need to be able to communicate and connect with those customers in order to deliver better services and products. In essence, every customer should have a loyalty card. The contents of that card should be unique to each service provider and any compromise of it should not lead to compromise at other service providers. In a digital identity world, this sort of thing is straightforward. You present a virtual identity from an organisation that is acceptable to the nightclub (e.g., a bank) and they send you back another virtual identity that contains things of relevance to the nightclub, such as your customer number and preferences.
In the virtual world, this makes sense because your mobile phone can store millions or billions of loyalty cards. In the “real” world, it will be really annoying to carry around thousands of loyalty cards with you wherever you go, but when those loyalty cards are (essentially) public key certificates then there is no problem.
So let’s go back to the nightclub and see how they might progress in a digital world, by creating a loyalty card based on digital identity infrastructure. Doing things this way has three distinct advantages. First of all, if you are a nightclub then your bar staff may well not be at MI5 levels when it comes to spotting a fake Romanian passport but they might be able to spot a fake version of your nightclub identity. (In practice, of course, they wouldn’t have to because the validity of the card will be checked by their phones.) Secondly, by giving every customer a loyalty card you are able to interact with them securely (in technical terms you can always send messages encrypted to that persona). Finally, as the nightclub manager himself notes, “we can also ban people and remove the card at our discretion, giving us more control and creating a safer environment”.
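As an added illustration (not code from the original post), the sketch below models the loyalty card described above as a signed statement binding a per-provider persona key to a claim, together with the phone-side validity check and the club's ban list. The `Party`, `Card`, `Issue`, `Verify` and `Prove` names, the claim strings and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card stands in for a public key certificate (all names here are assumptions).
type Card struct {
	Holder ed25519.PublicKey // persona key, a different one per provider
	Claim  string            // what the issuer testifies to
	Sig    []byte            // issuer signature over Holder || Claim
}

// Party is any key holder: the bank, the club, or one customer persona.
type Party struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Revoked map[string]bool // ban list, used when the party acts as issuer
}

func NewParty() *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	return &Party{pub, priv, map[string]bool{}}
}

// Prove signs a verifier's challenge, showing control of the persona key.
func (p *Party) Prove(ch []byte) []byte { return ed25519.Sign(p.priv, ch) }

func (p *Party) Issue(holder ed25519.PublicKey, claim string) Card {
	return Card{holder, claim, ed25519.Sign(p.priv, []byte(string(holder)+claim))}
}

// Verify is the phone's check: signed by this issuer, not banned, key proven.
func (p *Party) Verify(c Card, ch, proof []byte) bool {
	return len(c.Holder) == ed25519.PublicKeySize && !p.Revoked[string(c.Holder)] &&
		ed25519.Verify(p.Pub, []byte(string(c.Holder)+c.Claim), c.Sig) &&
		ed25519.Verify(c.Holder, ch, proof)
}

func main() {
	bank, club, atBank, atClub := NewParty(), NewParty(), NewParty(), NewParty()
	ch := []byte("constructed challenge; a real verifier sends a fresh random nonce")
	over18 := bank.Issue(atBank.Pub, "over18") // persona known to the bank
	fmt.Println("bank card accepted:", bank.Verify(over18, ch, atBank.Prove(ch)))
	member := club.Issue(atClub.Pub, "member:1042") // separate club-only persona
	fmt.Println("door:", club.Verify(member, ch, atClub.Prove(ch)))
	club.Revoked[string(atClub.Pub)] = true // the manager bans the holder
	fmt.Println("after ban:", club.Verify(member, ch, atClub.Prove(ch)))
}
```

Because the club card is bound to its own key pair, a copied card fails the challenge step without the matching private key, and banning it at the club has no effect on the bank persona.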
On a commercial note, you might wonder why organisations that already spend a lot of money on working out who people are (e.g., banks) don’t take this sunk cost and transform it into a revenue stream. I’ve more than once been told by a bank that there is no business for providing ID as a service to business customers, when clearly this nightclub (to pick just one example) is perfectly prepared to spend money on creating its own identity service when I’m sure the management would much rather that their efforts be directed towards running a nightclub.
Banks should be looking forwards by creating a digital identity infrastructure and then selling products and services based on the infrastructure to, for example, nightclubs. That way, the nightclubs could produce their own branded app (by adding a skin to a generic multi-bank identity app, for example) and pay the bank a pound to testify to the age of the holder rather than waste money having to do it for themselves.