This is a guest post from Identiq Co-founder, Uri Arad. Identiq is a distributed network that uses the latest cryptographic algorithms and techniques.
Digital identity is at the heart of every transaction we have online – financial, social, romantic or professional. Trust is fundamental: Whether you’re ordering a ride, buying or selling on a store or marketplace, chatting about the weekend, booking a vacation rental, or beginning your first interaction with the person who will become your lifelong partner, you need to know that the person you’re talking to is who they say they are. And there is no way to establish trust without establishing identity.
Just two years ago, the first KNOW Identity conference was attended largely by CEOs, Chief Compliance Officers, and regulators. Digital identity was still a niche interest. Today, KNOW is a meeting place for risk, information security, privacy, marketing, partnerships, business development professionals, and many more. Digital identity has gone mainstream.
Cracking the digital identity conundrum – finding a reliable, scalable, and frictionless way to validate identities online – is a tremendous challenge, but also holds dazzling potential. Today, there is no easy way to establish a user’s identity without inflicting a high level of friction. But with confidence in users’ digital identities, we wouldn’t be calculating risks and the probabilities that someone was a fake. We would know.
Racking Up The Data Points: Third-Party Providers and the Traditional Approach
There are many different types of solutions out there for establishing digital identity, or at least reducing the risk of being tricked. The most common approach is validating identity information with third-party data providers. Companies who need to manage identity risk make requests to these providers, asking for more information about specific individuals or identities. Where information is available, they receive a confirmation of the identity.
There are many sources used for this sort of validation. Some providers focus on specific aspects of our identities (email addresses, credit applications, biometric information, device information, etc.) while others take a more holistic approach. Some are specific to certain industries (e.g. the challenges faced by digital advertising, or e-commerce fraud prevention) while others cater more widely. But until very recently they all had one thing in common. They’re all aggregators of third party data.
Despite the important differences between the available tools and solutions, the underlying premise on which they work is the same. Each provider aims to accumulate and, usually, store as much user data as possible. Some of the data might be purchased, some scraped from the web, and some might come from partners.
In almost all cases, the provider also collects data from the actual requests that companies make when they use the provider to validate identities. The companies using the service both pay for the service and (often unwittingly) contribute information about their own users, which the provider will store and then use to validate future queries. The end-user, of course, typically has no idea that that’s happening.
This model pre-dates the internet, originating from the systems used by creditors, landlords and so on to establish the identity, credit worthiness, and reputation of consumers. At that time collaboration was vital (since no single source of information could be enough to judge a consumer’s reputation) and collaboration necessarily entailed creating a repository. In today’s terminology, you could think of it like creating a huge PII data lake.
It’s obvious why this seemed like the best approach for so long, even online. Aggregate enough data, the logic goes, and you’ll eventually have “seen it all” and be able to answer queries about all but brand new digital identities. This is why so many companies compete over making extravagant claims about the number of data points they possess.
The Disadvantages of Data Point Aggregation
There are two unintended consequences of the hotly contested data point aggregation competition between third-party data providers. Neither is good for businesses or for consumers.
The first is that when you’re focused on maximizing the number of points in your database, the quality of the results you get with it tends to vary. Winning the “biggest database” competition prioritizes quantity over quality. But validating identities accurately doesn’t require more data points – it requires more reliable data points. This matters even more in fraud prevention applications than in (for instance) marketing ones, since in fraud fighting 90% accuracy is just not good enough.
Additionally, when it comes to digital identity, data degrades; people change jobs (and thus email addresses), move house, get new devices, receive new credit cards. So even data that was valuable two or three years ago may merely be misleading now. Aggregators have no direct relationship with consumers, so it’s a challenge to keep consumer information up to date. (I occasionally experience this as a personal frustration; I used to live in the U.S., but moved back home nine years ago. The credit bureaus, unfortunately, don’t know this. They’ve held on tight to my old address and phone numbers – even though both now belong to other people.)
Moreover, digital identity isn’t just a fact, it’s a fight – you’re up against a highly professional, creative, organized criminal ecosystem. The many massive data breaches over the last several years have highlighted the impossibility of relying on knowledge alone or using any single data point. The user provided an accurate name, address, and phone number? That’s nice, but all that was exposed in a data breach four months ago and has been exploited for attempted fraud multiple times since then. Criminals occasionally even set up accounts with these same third party data providers, checking what’s known about identities or data points they’re planning to exploit.
Data aggregation isn’t going to help that much unless you can keep up with the fact that the data being stored is dynamic and vulnerable. And no matter how many billions of data points a provider has racked up, they still see only a tiny slice of an identity’s online life.
The second problem with the data aggregation model is privacy. Five years ago this wouldn’t have felt like a weighty problem, but times have changed. Privacy is now a very live, very sensitive issue – and with GDPR, CCPA and other similar legislation already in place and on its way in, privacy suddenly comes with a hefty price tag for anyone who doesn’t take it seriously enough.
Privacy regulation makes each company responsible for the security of the data it collects and holds about its own customers. This makes the relationship with third party data providers a difficult one since sharing data with aggregators means that companies lose control of their own customers’ data.
When it comes to privacy, there’s an in-built problem with the third-party data provider model, which has companies sending their users’ data to third parties such as Equifax. In 2015, that sounded fine. Heading into 2020, it should have us posing a question: “Can we do better?”
Recent Alternatives: Going Providerless
Over the last couple of years, a new approach to digital identity validation has evolved which aims to solve the third-party provider problems by removing the middleman from the process. In general, the middleman is replaced with a peer-to-peer network of some kind. Often, it’s distributed. Sometimes, it’s decentralized.
These providerless solutions take the spirit of collaboration that has flourished especially in fraud prevention circles to a new level. It’s always been clear that beating hi-tech and tightly connected online fraudsters is far easier when the good guys are working together. With providerless technologies, companies are moving beyond sharing best practices and static blacklists and exploring ways to sync their digital identity knowledge and awareness in real-time or close to real-time.
With providerless options the data is always fresh, because it is always first-party data. That means companies have insight into a more holistic and reliable view of an identity’s online interactions. The results become more accurate, which enables companies to provide a better, smoother user experience, with fewer hoops for users to jump through.
What’s very interesting about providerless possibilities is the fact that they let fraud prevention and digital identity professionals take a completely different perspective on their traditional problems. Instead of focusing on trying to find the bad actors, providerless solutions excel at finding the good users – the ones with real histories, something that shows up very clearly on a peer-to-peer network.
It’s positive validation, rather than negative identification. And that makes user experience incomparably better. It’s no longer true that good users constantly need to prove themselves; the network knows who they are. And it knows who they are now, not who their data points purported to belong to six months ago.
Providerless Is Not Equal To Blockchain
The new development of providerless identity validation has flown largely under the radar, even for many identity professionals, because it has been associated with blockchain. There has been a tendency to assume that the shift is an aspect of blockchain rather than of identity. Providerless digital identity validation has gone unnoticed, overshadowed by the buzzwords, enthusiasm, and controversy surrounding blockchain technologies. This is a mistake.
Firstly, there are providerless options which are not dependent on blockchain. As a personal example, Identiq, the company I co-founded, uses F.A.I.R technology as the basis for its protocol. I have explained in the past why we did not feel that blockchain was the ideal solution for the problem we were solving. The surprise and discussion my blog post generated really brought home to me that blockchain has become a default assumption for many when considering these kinds of new solutions, and that this often prevents people from thinking through both the options and their consequences. Yet we are not alone. Other companies are exploring other non-blockchain dependent solutions.
Secondly, and more importantly in the context of understanding providerless technologies, the blockchain discussion is a sideline that often turns into a red herring, distracting people from the main issue. The truly significant thing about providerless identity validation is not the technologies behind the various solutions, but the providerless approach itself.
Professionals who care about digital identity don’t need to care about (or deeply understand) blockchain, which has many applications and comes in many different flavours. Providerless identity validation options, on the other hand, are deeply relevant to anyone who needs to know whether people online are who they say they are.
Providerless: What You Need To Remember
The key thing to understand about the providerless development is that it represents a new phase in the evolution of online identity validation. Where companies were once unthinkingly dependent on third party data providers in order to collaborate with each other, they’re now exploring alternative solutions. They’re thinking about fresh data and how it can lead to positive validation of good users, rather than the negative identification of bad actors.
It has long been believed that fighting fraud through collaboration stands in contrast to privacy, and that we have to compromise on one to achieve the other. This is no longer the case. Providerless technologies open the gate to a high degree of privacy guarantee, which in turn enhances our ability to collaborate.
The need for accurate user identification and the need to respond to growing privacy concerns have recently become pressing, leading companies to search for new technological solutions that verify identities online without relying on third-party providers. Working together has become something with real business ROI, not just a feel-good factor.
This is an exciting development in the field of digital identity, and it is still in its early stages. Naturally, companies that get involved early on will have the ability to affect its progression.
Providerless digital validation is a rare example of when the drive towards improving user privacy is united with the need to improve a key business function.
It will be very interesting to see which companies drive the change, and how innovation, accuracy and privacy interact and impact the growth of providerless digital identity solutions.