The Balancing Act of Security vs. Privacy
Know Identity Conference panelists explore the future of identity verification and digital trustworthiness
March 26-28, five identity experts will discuss the state of identity technology in a panel moderated by Basis Technology at the Know Identity Conference in Washington, D.C.. This blog post is the third in a series to preview that conversation.
Missed our previous posts? Learn more about the panelists and the current state of identity technology, then come back to learn how the panelists expect to see identity technology improving and changing in the future.
The first step in understanding and managing identities is verifying that a person is who they claim to be, and connecting their various digital identities and aliases back to the physical entity. Currently, governments and companies unify identity data through background checks or matching information on passports or licenses to watchlists and databases.
Although governments and intelligence agencies sometimes share data with one another, overwhelmingly identity data is disparate and difficult to resolve. This difficulty means that known persons of interest can be missed if the right people don’t have access to the relevant data.
According to Staffan Truvé, a threat intelligence expert, the ideal solution would be a comprehensive, globally unified entity database in which every entity has a unique identifier and lists of equivalent names across languages. This database would be updated with open source intelligence (OSINT) data in real-time, and utilize machine learning and artificial intelligence to make connections within that data.
This concept of a master identity database was echoed by several other panelists. While the execution may be impossible, improved data sharing and resolution is achievable and already occurring.
Even in the most advanced and intelligent databases and knowledge graphs, biographic information like ID numbers, names, and birthdates can still be compromised. When accurate identification is most vital, biometric measurements will increasingly become the norm. Global borders expert Tony Smith anticipates a continuing trend towards relying on biometric rather than biographic information to verify identities.
When he served as the Director General of the UK Border Force, Smith discovered a trend where deported expatriate gang members were returning to the country in as little as two weeks. They had been able to bribe or coerce someone at their country’s consulate to provide them with entirely new identity documents. To combat this issue, the Border Force began collecting fingerprints of deported individuals to match at border control as well as names.
Biometric data is far more unique to the individual and far more difficult to counterfeit. Additionally a fingerprint or eye scan is faster than other methods of verifying identity. Already border security agencies are collecting biometric data from members of trusted traveler programs like Global Entry and TSA Pre-check. Smith anticipates a future in which passports no longer exists and only biometric data is used to verify identities at ports of entry.
Resistance to data collection and automation
The challenge isn’t that data unification and biometric verification technology isn’t available and sophisticated enough. The roadblock is perceptions of technology and concerns about data privacy.
Registration in global entry programs is strictly voluntary; travelers provide their data in exchange for convenience and shorter wait times. Any attempt to make biometric data mandatory to enter or leave a country would result in wide public outcry. Furthermore, it would be near impossible to determine who should be the arbiter of a global identity database.
“The problem is privacy laws,” said Glenn Dinetz, an anti-money laundering and financial crimes expert. “The kind of universal system that would be ideal is hindered by people’s right to keep their information private.”
Cybercrime and security executive Bryan Hurd also suspects that the developers and users of verification systems are resistant to systems that involve increased automation. The pervasive fear of computers replacing human jobs applies to any industry.
The security of databases and personal information has been compromised already many times. Examples include the recent exploitation of Facebook data by Cambridge Analytica or the hacking of millions of social security numbers from the U.S. Office of Personnel Management (OPM) in 2015. Individuals have legitimate reasons to distrust how governments and corporations safeguard their personal data.
One word that kept coming up in our conversations was “blockchain.” The technology is too new and untested to be a viable solution right now, but blockchain could be the ideal solution if it proves to be as incorruptible and secure as early adopters claim.
Outside of the intelligence industry, Dinetz believes identity verification is the solution to major online concerns like the spread of fake news on social media and online bullying. He would like to use identity verification technology to “Look behind the digital persona.”
LinkedIn is an example of an online network with very little fraud or false information because it relies on a network of crowdsourced verification. When someone requests to connect with you on LinkedIn, there’s almost always a shared connection to a person you know. There is also a photograph of the person, that you can safely assume is an actual picture of them because your common connection knows this person.
By contrast, users on many online communities like Reddit, 4chan, or Yahoo do not have to provide any information that connects them to their real physical identity. It’s these anonymous profiles that are most frequently guilty of spreading misinformation or hate speech. “People are unwilling to come forward and say ‘This is who I am’ and then stand behind their posts,” said Dinetz.
Attempts to block, limit, or censor online forums runs the risk of violating free speech protections however. Social media providers are attempting to crack down on the spread of dangerous or inaccurate information on their medium with limited success. Dinetz would like to see that initiative taken even further. If everyone was required to have a verified identity before they could post anything online they would no longer be protected by their anonymity.
Looking for the “Amazon” of identity
The fact is current identity solutions don’t eliminate risk; they can only reduce it. Systems assign entities a riskiness score, and we decide what thresholds are acceptable. No infallible identity intelligence technology yet exists.
Diffeo co-founder and CEO John Frank’s analogy is using Legos to fill a curved opening. Right now we have many square pieces, but we’re missing the curved piece that perfectly fits the hole we’re trying to fill. Matching names and creating algorithms are stopgap measures because we have failed to determine trust. All they can do is reduce the chance that we can’t trust someone. Layers of security and verification make sense, but only because we haven’t developed a way to guarantee trust.
Frank compares the current identity market to the retail market just before the dominance of Amazon. We’re waiting for a new company to completely revolutionize the way we approach identity and trust intelligence the way Amazon revolutionized the brick-and-mortar approach to book sales and retail in general. That company could be blockchain-based, but we just have to wait and see.
Hear them live
Have these blogs piqued your interest? Don’t miss the “Beyond the Digital Identity” panel at the Know Identity Conference in Washington, D.C., next week on March 26th.