Insights & Analyses

In the K(NO)W: How much identifying info is needed? Less than you think, Snowden says

May 15, 2017

As the identity space rushes to verify the next billion users, businesses and organizations probably don’t need as much personally identifiable information about users as conventional wisdom may suggest, whistleblower Edward Snowden believes.

The former U.S. National Security Agency contractor was the keynote speaker for One World Identity’s K(NO)W Identity Conference on Monday, where he tackled the question of how well companies need to know their customers to do business.

While policies and even laws mandate more be known about clients to prevent fraudulent activities, Snowden believes that perhaps the industry is headed in the wrong direction. Instead, he said, systems should focus on verifying only the kind of information that is important to that particular transaction.

“If somebody is just trying to browse for stuff on Amazon, as long as they can assert that they have the funds to pay for this, and you know they’re legitimate because for example they go through an escrow service, it doesn’t really matter to you what their identity is,” Snowden said. “And it should not matter.”

Of course, that is not to say that regulations should be lax on all types of transactions. Even Snowden admits that there are certain circumstances and types of transactions where security — and identification — should be paramount.

But the vast majority of online purchases fall into the category of rather mundane — e-commerce is overwhelmingly people who are buying items more akin to enriched flour than enriched uranium.

Yet security usually takes precedence over convenience. And the net result is inconveniencing users and stifling adoption, rather than actually preventing criminal acts.

“These points of friction are one of the reasons that we’re having difficulty driving internet growth in the economic space, into this last 20 percent of the human population that truly doesn’t even have identity documents,” Snowden said. “They shouldn’t need them.”

“this last 20 percent of the human population that truly doesn’t even have identity documents — They shouldn’t need them.” – Edward Snowden

And what about the truly bad actors — the ones who would actually try to get their hands on enriched uranium? Current rules and regulations regarding identity and the flow of money don’t really deter or catch the most serious threats anyhow, meaning it’s the innocent people who suffer or are steered away from participating in the first place.

Consider Osama bin Laden: The notorious perpetrator of the Sept. 11, 2011 attacks didn’t stop using a cellphone because of federal wiretapping efforts, Snowden said. In fact, bin Laden had already turned to alternative means of communication as of 1998.

“The bottom line is dumb terrorists get weeded out of the system very quickly,” Snowden said. “Dumb criminals get weeded out of the system very quickly. And ‘know your customer’ laws aren’t going to be a reliable safeguard against the sort of social threats that we’re actually worried about.”

The K(NO)W Identity Conference continues this week at the Ronald Regan Building and International Trade Center in Washington D.C.