40 million — that’s the number of passports Interpol believes have been lost or stolen since 2002. 145.5 million — that’s the number of people affected by the massive 2017 Equifax data breach. Approximately 1 billion — that’s the number of people globally without any form of verifiable identity, digital or otherwise, who are susceptible to human trafficking and other forms of crime.
What is the common thread here? Identity. Why should you care? Because your digital identity may have already been compromised.
Bob Schukai, Global Head of Design for Digital Identity Solutions at Thomson Reuters, presented these staggering statistics to 2,300 audience members during a recent Thomson Reuters/Association of Certified Anti-Money Laundering Specialists (ACAMS) webinar titled, Rethinking Digital Identity. Schukai cautioned the audience: “All of us have the potential to suffer as victims of identity theft.”
But when we talk about identity theft, we should understand what digital identity really means. What comprises who you are and how you are identified? Is it your Facebook or Twitter profile? Is it your passport? Or maybe it is something beyond simply how we represent ourselves on social media or through the legal documents we use.
Schukai delved into this and the importance of determining identity as a fundamental aspect of risk management for transactions, explaining the process and how entities can improve their digital identity requests they make of consumers by moving to a use-case model.
Digital Identity: The Gateway to Commerce and Transactions
Identity is a “two-way street between consumers who wants something and the businesses or government who wants to ensure the security of the transaction,” Schukai described in the webinar.
Whether you are attempting to cross a border or buy a six-pack of beer, a business or government does a risk assessment of the transaction to answer three main questions:
- Are you who you say you are? (Or as he put it, “Is this Bob Schukai or his evil twin?”)
- Do you really exist?
- What is the ultimate risk of enabling this transaction to take place?
For example, every time you cross a national border you are required to produce a passport. Why? So the government can ensure it is you crossing the border and not Bob Schukai’s evil twin, hoping to evade law enforcement detection.
Breaking Identity Down into Four Components
Schukai dug deeper into the definition of digital identity by citing a combination of four components that make up who we are:
- The essence of who we are as human beings;
- The legal documents that prove it;
- Our representations on electronic media; and
- Our behavioral patterns.
Sound complicated? Don’t worry, as Schukai explained, it’s not.
Click here to listen to the entire webinar, Rethinking Digital Identity.
First, there is the essence of who we are that makes up our identity. This is the strongest indicated that you are who you purport to be — for example, hair color, eye color, or hairstyle. Our DNA and biometrics (for example, our fingerprints) also form part of this essence. These attributes combined form the strongest identity proof of an individual. If you have signed up for the Global Entry expedited arrivals process, you will recall that you must have an in-person interview with a United States border agent.
Second, there are the legal documents that act as proxies to help prove identity such as driver’s licenses or passports. While these documents are fallible — they can be stolen (like the Interpol statistics above), forged, or misused — they are part of a digital identity component that helps complete a full picture of who you are.
Next, there is how we portray ourselves on social media. The barriers are very low to create a social media profile or an email address and thus, it is easy to create misrepresentation. “The identities we create for ourselves on the Internet may not always be reliable,” said Schukai. “They are weak as a signal of identity but may be used as a part of the digital identity sphere of an individual.”
Finally, there is the behavioral component of digital identity. For example, what are your spending patterns as analyzed by an algorithm? This is how our credit card companies flag a suspicious transaction — one that is outside of your already known spending patterns.
As technology, such as smartphones, continues to evolve, relying on the four components of digital identity is becoming more important. “Whoever the first person is that can bring all these components together is going to be a long way towards solving the problem of digital identity,” Schukai said.
Demystifying the Digital Identity Quandary
With all this talk of data breaches, Russian bots and compromised identities, it is no wonder consumers are concerned about data privacy. With the potential for fraud, human trafficking and other financial crimes, businesses and governments are consumed with their risk exposure and often collect more information than necessary when verifying a person’s identity, according to Schukai.
Yet, the future is about finding rigorous and robust security measures without impacting the customer experience. Institutions can do this by only collecting the information necessary to complete the transaction. For instance, when you are carded at a bar, do you really need to show your entire driver’s license number which includes your home address? According to Schukai, the answer is no.
In today’s world, it is increasingly important for service providers that require identity to strip back this “sledge hammer approach” as Schukai put it, to identify individuals as needed. They should work out a system that only seeks information which is absolutely necessary to produce an identity-based solution.
It would be “similar to a mobile boarding pass, in the same way that I have a bar code to board an airplane,” he said. “I have been verified and vetted and that is an acceptable form of identity to get on the plane.”
Schukai believes this same procedure could be used to purchase alcohol, cross a national border, or prove the right to work.
Yet he doesn’t believe that digital identity should be a completely frictionless experience. Instead he stresses that there should be the appropriate level of friction, given the nature of the transaction. “There should be a lot more friction to open a bank account or take out an auto loan than to log into my Twitter or Google account,” he said.
If you want to know more, on a broad-range of issues including digital identity, anti-money laundering, threat prevention, human trafficking and more, join us at one of the three 2018 Thomson Reuters Public-Private Partnership Forums.
The Forums are scheduled for March 7 in New York City; April 24 in Charlotte, N.C., and April 26 in Washington, D.C.