“Twelve Million People, One Dataset, Zero Privacy”: that was the shocking headline of a recent New York Times article, in which a reporter was sent a file from an unnamed source that revealed the location pings from 50 billion smartphones connected to more than 12 million Americans as they moved through several major cities. None of the information, collected over several months, came from a network operator, government agency or giant tech company; it came from a location company. Given the data, The New York Times reporters could accurately pinpoint people’s everyday movements, including private trips to methadone and psychiatric clinics, and even massage parlors.
If you combine this worrying news with the fact that there were 9,705 data breaches between January 2005 and October 2019, an average of 1.8 a day, it’s not really surprising that many consumers are worrying about identity theft. Connecting geo data with personal identifying data such as addresses, social security numbers, driving licenses or passport information is a fraudster’s honeypot. With the World Economic Forum predicting that cybercrime is set to cost the global economy $2.9 million every minute in 2020, we need to act now.
So what can be done?
The fact is that all these privacy scares and data leaks are driving more companies and organizations to carry out deep analysis not only of how they manage customer data, but of how they can be better at preventing identity fraud. With all the data leaks, Knowledge Based Authentication (KBA) systems, where you’re quizzed for information such as who owns your mortgage, are no longer reliable. To showcase how compromised KBA is in the US: if an end-user is able to answer all 5 security questions correctly, the bank will move that user to a higher risk bucket, because genuine users aren’t typically that good. This has driven the FATF to release its Digital Identity Guidance document, a framework to help regulators concerned with the KBA approach improve their remote CDD (Consumer Due Diligence) workflows.
The mobile operators in the US have been working on a new identity system for some time. Originally named Project Verify and now named ZenKey, the system lets your phone become the way to verify your identity. It goes beyond the susceptible two-factor SMS authentication that we’re all accustomed to, where you receive a special code by text to confirm your identity. Customers download the ZenKey app and then, by providing some personal information including a PIN and a biometric such as a fingerprint or face, they can more easily and securely share their identity with other apps. The network operators are then able to check multiple streams of identifying data issued from the phone itself at the point of any transaction, such as IP address, SIM card, device details, phone number and phone account type, providing multiple reassurances of an individual’s identity.
And it’s not just the mobile operators that are looking for a solution; banks and financial institutions are also looking at ways to make identity verification more secure and easy to use. Take what SecureKey is doing with Verify.me and some of the leading Canadian banks, which are implementing a ‘federated’ digital identity system. Once a customer proves their legal identity with one bank, they can then reuse that identity, which is reverified by other participating entities, in order to access health records, open accounts at other banks and telephone companies, and get access to government services.
Deloitte, uPort, Evernym and Signicat are working on the portability of consumer identities in the financial services sector. Last April, they were accepted into the U.K.’s FCA Regulatory Sandbox, a group our company is a part of, to test how decentralized identity can facilitate personal data sharing between financial institutions. We’re now coming out of the testing phase of that pilot which has shown great success, validating the consumer demand and financially compliant, interoperable technology in one of the toughest regulatory markets in the world.
In the next few years, I believe that everything we access will be based on our ability to easily and securely prove our legal identity in a remote setting. By putting users in control of their own identity, we’re also safeguarding their privacy by reducing the reliance on these honey pots of data. According to Gartner:
“Decentralized identity is making a debut in 2021, and will disrupt traditional methods of access for many providers, as it will be used for 25% of all bring your own identity (BYOI) logins by 2023.” “By 2023, BYOI [Bring Your Own Identity] will unlock the value in digital identities, leading to a multi-billion-dollar industry, up from a $50 million industry today.”
So in future, with just a phone, a photo of a government ID and a selfie, once onboarded to a digital wallet we will be able to access all services seamlessly — everything from opening a bank account to checking into a hotel and ultimately voting. Fundamental to this convenience is the ability to reuse our verified identity across multiple services. The technology now exists, consumers want it, and the market is ready for it.
People want to gain back control of their digital identity and privacy and our phones may well have the answer.