Apple’s Passport to the Private Sector
Earlier this month, Apple registered several patent claims regarding “verified claims of identity.” The patents detailed multiple methods of recording, transmitting, and verifying identity through numerous different instances of devices, including the iPhone.
While this tech could support a plethora of various forms of identification, the application focuses strongly on passports. This isn’t the tech giant’s first step into identity though – they’ve been chasing this possibility since 2018 (if not earlier), when it published an earlier version of this patent for a system that could import credential data from an identification document using RFID and NFC technology.
While this plays into Apple’s ideal of making the iPhone the only thing one needs to carry on their person, this move goes beyond just user convenience. This fits into a broader discussion surrounding the current nature of public and private sector collaboration. Another recent example is Gov.UK Verify, the UK government’s digital service, to help citizens prove who they are online. Before COVID-19, this had very low public uptake and low use rates, with only two private sector providers remaining on. However, the pandemic’s impact has revived user interest, now putting the application in limbo of being “sunsetted” while also growing. While it’s a good problem to have, the Gov.Uk Verify team is now addressing the challenges of scaling up and actively reducing friction via the new IDV method.
Now, Apple, Gov.UK, and others are revisiting coverage rates as a fundamental determinant of a system’s effectiveness. This leads us to ask — what is the right kind of company to succeed in this space and bring out the best coverage? What builds the right coverage?
The Current Landscape
Like any other development, to understand where public-private partnerships are headed, we need to examine past offerings and where the successes and failures lie.
Based on previous OWI research, in collaboration with the World Bank, critical features of identification systems that private sector players consider when working with the public sector on identity systems are: digitization, a unique ID, and digital authentication, integration, and interoperability. Digitization is typically the most popular feature of focus, as it often presents the most accessible avenue for private players to slot in to immediately improve coverage. The robustness and accuracy of a system are also synergistic factors that affect coverage: the former feeds the latter, which builds eminence, encourages adoption, and stress-tests the former, leading to developments that feed the latter, and so on. The World Bank notes that “[i]n some cases, a customer’s digital identity with a particular private sector institution can be federated—that is, shared with other service providers to access a greater variety of private sector services”. This makes an essential call out of two of the primary incentives for partnership: increasing users and customer bases. Both result from strong digitization, queryability, and private sector cooperation, ultimately bringing people who would otherwise not have access to identity management systems or simply not using them.
This is also reflected in frequent private sector strategies to target issuance and authentication in the “identity management lifecycle” as the easiest points of entry. Such targeting allows for porting over identities and increasing coverage. In addition to Gov.UK, SecureKey in Canada and Verified.me are strong similar examples of private parties issuing verified claims and targeting the aforementioned two points in the identity management lifecycle so that individuals can access government services with their digital identity.
While they’re currently gaining traction and retaining users, these applications have yet to reach the scale they set out to – or should. Where have these parties failed? And from why haven’t they reached scale? Where have the parties failed? Why haven’t they reached scale? If we look at Gov.UK Verify, the answer is clear in terms of coverage: the service has meager and ineffective verification rates. The platform intended to verify 25 million users by 2020. In reality, however, it has only had roughly 5 million users sign up for the platform, and of that, less than 50% were really able to be verified. Beyond that, the application has consistently missed every business case that the platform set out to solve – protecting against fraud, fostering privacy, and more.
The OWI Take
Circling back to where we started: Apple holds a lot of weight as both an influencer and an educator to the masses. Bringing its privacy-oriented strategies and integrations will increase robustness, accuracy, and coverage for users. After reviewing other recent public-private efforts, and putting the Apple IDV patent into the same content, we ask: are they the right private player to be taking this on?
We believe that you should view Apple’s initiatives to innovate on ePassports and digital identity as a model for how Big Tech companies, or a company not wholly focused on IDV, can disrupt the space. While there are industry players focused solely on identity verification (IDV), a giant like Apple has the scale and user base (both end-users and suppliers) to push these changes forward, especially with the breadth of the apple developer ecosystem behind this product. Apple has also traditionally taken the role of an educator for end-users to learn and aggressively onboard new technologies. A great example is Apple’s work with biometric security, which was first implemented on the iPhone and now allows developers to log into their website without entering their username and password. The IDV patent could be similar to this scenario in that it could onboard future users onto essential new technologies that reduce friction but have ground to gain in public perception and use.
Importantly, Apple’s focus on privacy first, while also maximizing convenience and user-friendliness, is critical for setting themselves up as the player to take ePassports or other forms of IDV on. This is what gives them the ostensible advantage in ensuring “robustness” and “accuracy,”:it’s no secret that today’s users are more privacy-conscious than ever, understanding the breadth and impact of data breaches like never before. Unlike some of its Silicon Valley peers, Apple’s user base has developed a deep trust for the brand and its products. Apple has also established the blueprint for ensuring robustness and accuracy for private sector players looking to make a splash in the identity space by targeting all aspects of an identification stack in a wholly Apple-managed system. The Apple Card, launched last year, is an excellent example of such a identity stack they’re moving towards building. While the Apple Card may seem like just another form of payment, its competitive differentiator amongst a sea of credit cards is that no payment history is shared (it’s stored and encrypted in Apple’s ecosystem), and that the user’s phone generates all data locally. Like their Apple Pay product, each transaction creates a one-time card number to foster complete security and privacy. It’s a comprehensive product that can identify customers and promote strong KYC/AML. Moreover, it can provide authorization in a frictionless way, and it can link the digital identity of the AppleID to the customer’s physical identity even better because this process is managed “in-house”.
So, is Apple the right player to take this on? We’re hopeful here at OWI, based on Apple’s positive privacy track record. We’re also looking to Apple’s success in user adoption for not only their consumer products but also their identity-focused products going forward, especially given their past track record working with private-sector partners to build identity solutions. So now, all we can do is wait and see what the next development is and how this potential public-private partnership progresses.