21 Mar 2018

The Shape of Identity Technology

Know Identity Conference panelists explain what identity means in a digital world

Identity is a word we use to talk about the physical entities behind something: real-world people, places, and organizations. However every entity many have many aliases and digital representations that all refer to the same core identity. As more industries and processes become digitized, quickly and accurately connecting virtual identities back to their physical entity has become a pivotal objective of artificial intelligence. Furthermore, once an identity has been verified, we need to be able to determine if the entity in question is trustworthy.

Next week, Basis Technology is bringing five identity experts together to discuss the state of identity technology at the Know Identity Conference. This blog will give you a sneak peek of their thoughts on the importance identity technology and the state of current identity solutions. Want to learn more about the panelists? Check out our last blog post first.

Beyond identity verification: determining “trustworthiness”

Identity resolution is critical for border and passport controls. Travelers carry identity documents such as visas, permits, passports in order to travel between most countries, but different countries have different documents and different thresholds of difficulty to obtain those documents.

Understanding that a person is who they say they are is just the first step however. Beyond verifying identity, border security agents also must determine if the entity is safe or dangerous. Tony Smith, former Director General of the UK Border Force, calls this “de-risking” an entity. It entails gathering as much knowledge as possible about an entity and searching for connections to known dangerous entities.

Diffeo cofounder and CEO John Frank was similarly concerned with validating the relative riskiness of various entities. He refers to this process as “trust intelligence.”

He echoed Smith’s interest in gathering information related to the entity in question. “Trust is about networks,” he explained. “If you don’t know who is connected to a person, it’s harder to trust them. Additionally, trust and distrust flows through these networks. Once you know one person’s trustworthiness, it influences the trustworthiness of all the entities connected to them.”

Challenges to understanding digital identity

Understanding identities is deeply important, but in practice not easy to do.

Staffan Truvé, the CTO and cofounder of Recorded Future, makes threat intelligence software. For his team, the first challenge is simply determining if an entity is ambiguous or known. Commonly referred to as “ghosts” in the intelligence community, an entity that an agency has never seen before can be very dangerous. They don’t know to look for it, and even if they find it, they can’t determine whether the entity is dangerous.

Another fundamental challenge to accurately understanding identities is name variation. Multiple spellings, typos, and translations of the same name mean that digital identities may not be connected back to the same entity. Smith noticed this firsthand in the UK Border Force. One person’s name may be spelled one way in an internal intelligence database, a different way on their passport, yet another way in open source media. Connecting those names to a single entity requires intelligence fuzzy name matching across many languages.

Furthermore, Glenn Dinetz, an anti-money laundering and financial crimes expert, stressed that people with bad intentions will go to great lengths to mask their identity. The most dangerous individuals are the most likely to have spread conflicting information about themselves. To stop them, identity management systems need to be able to resolve all these false positives.

Like any data management system, identity intelligence also suffers from the growing pains of data integration. For instance in government, each branch of intelligence has multiple data sources and data formats unique to their missions that are gathered independently. Making sure that data is shared between them in a consumable way is a huge challenge in itself.

How have identity technologies improved?

In one area, many panelists agreed: the most significant improvement to identity intelligence over the past decade is the ubiquitous availability of open source data.

For Truvé, open source databases like Wikipedia, Geo-names and GRC names lists are cornerstones of risk intelligence, supplemented by the databases Recorded Future creates in-house.

“The amount of information available for free is tremendous.” said Dinetz. “It’s almost too much. You can sift through basically anything you want from open source systems.” Harnessing that data is a separate challenge, but the fact it is available in the first place is a huge first step.

Bryan Hurd, a cybercrime and security executive, added that we no longer debate the importance of data. The universal agreement is that more data (assuming it’s good, clean data) is better than less, so now the conversation has moved on to how to build databases that offer the right functions are are flexible enough to do what users need.

How analysts access and utilize all of this data has also improved. We’ve transitioned from using computers only for data storage, and started to trust machine learning and artificial intelligence algorithms to assist in the research process.

“Even just five years ago a lot of the human-computer interactions were very one way and static.” explained Frank. “Humans say ‘Give me this’ to the computer, then analyze the results, then ask again.” Autonomous algorithms can now proactively see things we can’t. Instead of only a ‘pull model,’ we now have software that enables a ‘push model’ in which the machine opens the drawer of the virtual filing cabinet for the user.

More to come

Identity technology has improved vastly over the last decade, but there is more to come. Check back Friday to learn where our panelists see identity technology continuing to grow and improve in the coming years. Spoiler: yes, buzzy words like blockchain and biometrics will be used.