I have just finished reading a whitepaper written by Nick Foggin and published by the Open Identity Exchange that details the recent Digital Identity Assurance trial undertaken by the UK Government. "Exploring the Role of Mobile in Digital Identity" outlines what the UK Government, OIX and the GSMA have learned about using mobile phones to authenticate into a prototype UK Government system. The UK is trying to move as much citizen/government interaction (services, information, taxation, healthcare, etc.) away from face-to-face and paper transactions to digital, semi-automated transactions. While a laudable effort in streamlining and cost cutting little details like how-to-ensure-the-person-trying-to-get-the-government-service-is-the-actually-person-they-claim-to-be can often plague such ventures.
However, in this case, the UK Government is acting more as organizer and general contractor instead of as a primary developer; pulling in commercial expertise so they don't take all the money they hope to save and just spend it to hire yet another 1000 programmers to re-invent yet another set of wheels. Kudos to the Cabinet Office on that strategy, but also to Nick for a detailed, well-written paper. These are complex issues and even more complex implementations. I look forward to pointing people to this whitepaper who are looking for a summary of the concepts related to one of our company's passions: telco based identity verification.
A couple sentences especially stood out. "The majority of trial participants were unconcerned about the use of MNO-held data as a means of verifying their identity. Most commonly, trial participants took the view that since the data was to be used solely for the purposes of verifying their identity, the risk of misuse was minimal."
For many years I have advocated the concept that fraud and ID theft grows, like mushrooms, in the dark. In light of an almost daily barrage of news stories detailing the most recent million or hundred million identities to have been stolen there is an understandable yet very wrong tendency to believe that hiding identity information will keep it safe. The opposite is actually true. There is information that no-one needs to know and information that everyone needs to know and information that just a few need to know. Identity actually falls into the last category, not the first.
In the past I have used the analogy of ID being like a key to your house. If everyone has the key, the house isn't safe. But if no-one has the key, the house isn't usable so what's the point of having it. A key works only if a restricted set of people have access to it. The same applies to identity. If no-one has enough information to vouch for whether or not you are who you say you are, then your identity is worthless. But if everyone has that information and can pretend to be you, then your identity is also worthless. The system only works if a few, trusted organizations have access to that information but can be easily queried by those with whom you do business. Your identity is your key. It's not something you want to lose. But neither is it something you want to hide away so secretly that even you can't use it.
I was struck by the simplicity of the statement in the whitepaper... "the majority of trial participants were unconcerned". Most of the participants understood instinctively that there are organizations, like their mobile carriers, in whom they must place a certain amount of trust just to use their product. It is clear that these test participants appreciated the fact that the carriers were one of those few entities in whom they have placed trust. Certainly carriers aren't always the most popular companies with which consumers conduct business and in whom they must place their trust. But maybe consumer opinion toward these carriers will improve if they demonstrate they can provide these consumer-focused services for little more reward than the knowledge they are being responsible stewards of one of the consumer’s keys.