On Tuesday we had a very revealing discussion on whether "banks and/or mobile operators should provide the identity infrastructure" at the CSFI's Sixth roundtable in the series on Identity and Financial Services.
Of course we began by discussing what identity actually is - not something that can be isolated or assumed, as was also apparent from the Fifth roundtable.
In this discussion, it was very clear that a bank or telco views identity as a static collection of data about an individual that can be stored or held, with varying degrees of subject access and control. In this entrenched view of the world, institutions - like banks and telcos - can compete for the privilege of 'holding' your identity and enabling you to prove who you are. In essence, those institutions are in control of your identity.
So what's stopping them providing an all-purpose identity infrastructure today?
The fact that identity is not a static concept. It's dynamic, contextual, and defined more by your various sets of activities or behaviours - "routes and routines", as Tony Fish put it - than by a picture, address and date of birth. That collection of behaviours and the data they generate are what makes us unique. Further, Dean Bubley made the point that we over-estimate the degree to which telcos (and banks) actually 'know' their customers in the sense of understanding their customers' end-to-end activities. And we over-estimate these institutions' technological ability to enable their customers to prove their identity at all, let alone conveniently in scenarios of their choosing.
A Finnish delegate also made the point that Finnish banks offer identity services, based on a government database, but make very little money out of them. Which suggests the services are not very useful or compelling.
In any event, static data repositories are vulnerable to attack; and the services that rely on them are apt to be 'gamed' by simply replicating the data held - as in the case of skimming card data or fabricating identity documents to gain control of a bank account. The fact that the individual consumer is ultimately compensated and therefore not 'harmed' in a direct financial sense is beside the point. We all pay for such inefficiencies in the form of higher interest rates, fees and retail prices.
So there are two key problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities. And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.
Given those key problems, the solution cannot possibly comprise an "identity infrastructure" or 'service' that relies on a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded.
Image from Young Lee.