Since the onset of the pandemic, businesses and governments have scrambled to find ways to authenticate transactions remotely, and to securely transfer sensitive information through digital channels. This moment demands solutions that digital identity applications, whether now or in the near future, may provide. While the “last mile” of physically authenticating digital identity — biometrics — is becoming essential during the crisis in transportation hubs and the (remote) workplace, among other use cases, there are still many questions to be answered. Who controls an individual's digital identity? How narrow or comprehensive is the information contained within it? What form does it come in, what can it be used for, and how secure is the information? These questions are essential to any analysis of the rapidly-innovating world of digital identity, especially as it pertains to the challenging circumstances brought on by COVID-19.
The crisis came before answers to these questions were truly sorted out. As potential gatekeepers of the most sensitive data and personal information, these systems take time to vet and implement, and though incremental changes have taken place during the crisis, the real acceleration has been in governments and businesses learning of alternative identity structures — pushing liberal-minded corners of the world on a conceptual level towards a user-centric yet integrated digital identity future.
If the future of identity will be digital, biometrics are the building blocks to actualize it. Biometrics are the link between the digital and physical worlds, and they’re vital to any digital identity security scheme. Especially with a rise in account takeover fraud, the crisis has made remote verification and onboarding of employees, customers, and citizens a necessity; one analysis estimated the crisis will increase digital identity verification checks in 2020 by 15-20%. Know Your Customer (KYC) procedures can’t be properly done in person as is traditionally done among banks. And at high-risk transportation hubs (like airports, train stations, and border crossings) there is the twin need of affirming the health status of individuals while doing so in a contact-free way.
But biometric solutions diverge greatly in terms of what biological data is taken, how it’s stored, and its purpose — and the crisis has revealed some express preferences. The crisis is unsurprisingly tipping the scales in favor of contactless biometric solutions, as contact-heavy solutions fall out of favor, with the NYPD disabling fingerprint identification, condo associations disabling fingerprint access, and IT companies in Hyderabad told to replace fingerprint biometrics with card-based verification or facial biometrics. Biometric companies providing contact-only solutions are scrambling to develop contactless alternatives before contactless competitors take over the market.
But even for contactless biometric solutions, adoption can be slow, and use cases can be controversial. Certainly, biometrics can enable a worrisome surveillance state, and they already do in some places during the crisis, such as in Guangzhou, where Chinese citizens must place their face in front of a tablet on buses and have their picture and temperature taken, tracing their individual movements and possible health status.
Facial recognition technology has faced a backlash lately in response to its use by governments during Black Lives Matter protests, with a recent segment of Last Week Tonight with John Oliver detailing instances of abuse and misidentification by surveilling authorities. Andrew Bud, CEO of contactless biometrics company iProov, explicitly differentiates facial recognition from facial verification technology — one of several biometric authentication instruments iProov offers — as facial verification requires consent, is optional, and is for services to users’ benefit (unlike facial recognition).
Some companies keep biometric information on users’ devices to better protect against government incursion, but iProov keeps biometric data on its central servers. Noting that device-held info is prone to physical loss or theft — with no means of recovery — Bud says that in addition to keeping data on servers with GDPR-grade security, iProov possesses no personally identifiable information (PII) itself — only anonymous pseudonyms that match the third party’s credential. This practice keeps users protected, even in the event of a breach.
“People’s biometric information is carried around on their faces. If you take a photo in Times Square, you are gathering the biometric information of hundreds of people. But unless you know who those people are, it’s useless.”
Andrew Bud, CEO of iProov
iProov’s technology is already in use by the U.S. Department of Homeland Security at airports, as well as by the U.K.’s National Health Service for onboarding, but the crisis has increased the need for biometrics, especially in the health sector. Mirroring a wider push for telemedicine, the NHS app has largely been the only way for British civilians to set up consultations and doctor visits, reinforcing the need to remotely verify patients. High-speed train service Eurostar recently announced an agreement to install facial biometric corridors so customers can complete ticket checks and border exits without any human interactions.
Rather than doomsday scenarios, it’s perhaps more appropriate to view biometrics utilizing live detection tests (of the sort iProov develops), which ensure the user is a human being and not a deep fake, as the ultimate measure in ensuring digital identity trust. But biometrics companies adopt different philosophies when it comes to data security and integrity. iCrypto, for instance, is working on embedding facial biometrics as a security measure above the PIN required for users to access their data, employing blockchain technology to perform distributed enforcement. This security philosophy relies on three components: something you own, like a device; something only you know, like a PIN; and something you are — your biometrics.
“In Estonia right now, you can buy a house and sell the contracts remotely with your phone. How do you know if your kid pressed the button and entered the pin and signed the contract? EU law says digital signatures are equivalent to physical signatures. The only thing you need to have is a device and a pin. You think that’s safe?”
Vasilis Polychronidis, CEO of iCrypto
One area of biometrics seemingly primed for the moment — remote Know Your Customer (KYC) checks — has seen its acceleration slowed by regulatory roadblocks. Many countries require KYC checks to be done in person, and in the cases where remote KYC is permitted, it is often only allowed through video, which is less secure and more expensive. There was already some progress on this front pre-COVID when Estonia became the first country to approve a biometric solution to verify account renewals. Rules have yet to really change, but regulators are discussing possible alterations after the Financial Action Task Force (FATF) released its guidelines on digital identity in March, which stated that “reliable, independent digital ID systems with appropriate risk mitigation measures in place may be standard risk, and may even be lower risk.”
Dear Big Brother
As the link between the digital and physical world, responsible biometrics will be the foundation for trusted digital identity ecosystems in the coming years. But how these ecosystems appear will depend on the fundamental structure of the digital identity brought forward, rooted in the question of who has control over user data and how it’s distributed.
While governments scramble both to account for the health status of their citizenry and to distribute relief to their populations, national ID solutions are being suggested in some circles, with biometrics largely at the foundation of these systems. In response to the crisis, Argentina enabled the remote application of IDs for urgent situations, building on its digital ID program which began last year. After its supreme court declared its proposed national digital identification system unconstitutional last year, Jamaica’s government has sought to implement a national digital ID system again to help manage and deliver COVID-19 aid to citizens.
Criticism in the West against national digital ID contrasts with the acceptance governments are finding in Eastern cultures, whether in China, where a vast digital ID system already existed before its COVID-related initiatives, or in South Korea, where the government has sought to greatly expand its national ID capabilities so a digital ID can be sufficient to board flights and complete financial transactions, among other options.
Despite benefits of such national ID systems in areas like facilitating government payments, integrating government documents, taxes, and even voting, the risks of both hacking and governmental abuse are manifold, and exclusion concerns remain. Already criticized for requiring biometric verification to distribute aid to India’s poor, India’s Aadhaar national ID system has led some Indians to be excluded from COVID aid, and one provincial government shared the personal data of nearly 20,000 people who were put into home quarantine. Similar issues were found in Ireland, where the poor were excluded from COVID aid and social welfare fraud mounted from its card-based solution. The problems in India follow alarming reports of the Indian government’s plans to transform the Aadhaar system to automatically track every single Indian. Even assuming benevolent intentions from government, a centralized database of citizens’ personal information still poses major risks.
“What happens if someone hacks into the Aadhaar database and then creates synthetic biometrics for your iris and goes in and withdraws money on your behalf? A complete disaster. So biometrics have to be used with great responsibility and trust. The Aadhaar system sooner or later is going to get hacked. I guarantee it.”
Vasilis Polychronidis, CEO of iCrypto
Unity Through Privacy
Decentralized forms of digital identity offer an alternative from government-run centralized data management systems, and the concept driving the most enthusiasm on this front during the crisis is self-sovereign identity. Self-sovereign identity (SSI) gives users control of their own identity, personal data, and credentials by storing a person’s information in their own device rather than through a third party (which is still needed as a trusted certifying entity). In the COVID fight, SSI has been championed as a possible tool to responsibly share precise personal health records without jeopardizing a user’s privacy.
About 60 identity solutions providers have teamed up during the crisis for the COVID-19 Credentials Initiative, hoping that SSI can facilitate the responsible use of immunity passports. In simplest terms, an SSI-driven immunity passport would require three parties. First, a trusted medical institution would act as a credential issuer. This party would conduct a COVID-19 test and provide a digital credential with test results, storing proof of the transaction — not the results themselves — on a public blockchain. Second, the individual who took the test would receive and own the digital credential. A third party would act as a credential verifier; after receiving permission to access a particular individual’s credential, they would confirm the person’s health status before allowing them into a public space.
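The three-party flow described above, sketched as an added example (not code from any company or initiative named in this article). The in-memory ledger, the issuer id `clinic-001`, the subject ids and the function names are assumptions for illustration; a real deployment would also have the issuer sign the ledger entry and the credential, which is not modelled here.

```python
import hashlib
import json
import secrets

# Simulated public ledger: digest -> issuer id. On a real chain the entry would be
# a transaction signed by the issuer's key; that signature is assumed, not modelled.
LEDGER = {}
TRUSTED_ISSUERS = {"clinic-001"}  # constructed verifier trust list


def digest(credential):
    # Canonical JSON so issuer and verifier hash identical bytes.
    blob = json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def issue(issuer_id, subject, result, valid_until):
    """Issuer: build the credential, anchor only its digest, give it to the holder."""
    credential = {
        "issuer": issuer_id,
        "subject": subject,
        "result": result,
        "valid_until": valid_until,  # ISO date string
        # Random salt: stops guessing a low-entropy result from the public digest.
        "salt": secrets.token_hex(16),
    }
    LEDGER[digest(credential)] = issuer_id
    return credential


def present(credential, holder_consents):
    """Holder: the credential leaves the device only with explicit consent."""
    return dict(credential) if holder_consents else None


def verify(presented, today):
    """Verifier: accept only an unaltered, unexpired credential from a trusted issuer."""
    if presented is None:
        return "no-consent"
    anchored_by = LEDGER.get(digest(presented))
    if anchored_by is None:
        return "not-anchored"  # altered after issuance, or never issued
    if anchored_by != presented["issuer"] or anchored_by not in TRUSTED_ISSUERS:
        return "untrusted-issuer"
    if today > presented["valid_until"]:  # ISO dates compare correctly as strings
        return "expired"
    return "ok:" + presented["result"]
```

The ledger holds only salted digests, so a breach or scrape of the public record reveals no test results; the verifier's trust list is what keeps a self-anchored credential from an unknown lab from being accepted.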
Some in the digital identity industry see immunity passports as inevitable — if worrisome — once private health credential firms create new data flows — which has already begun through companies like CLEAR — and necessitate a new digital identity ecosystem to form around it. Others say immunity passports won’t happen at all, finding it impractical for all testing centers to rapidly integrate existing or new identity systems with unified API links. Ethical implications also weigh heavily on the idea, as immunity passports would confer privileges over those who have already been sick, possibly incentivizing people to get sick.
SSI-driven immunity passports would be a leap forward in the digital identity space compared to the incremental steps seen so far during the crisis. But industry insiders suggest much of the acceleration in the digital identity space taking place so far has been exploratory by nature, highlighting the need for greater data flows between citizens, governments and businesses.
Digi.me is among a few digital identity solutions that desire to return control of personal data from governments and ad tech firms back to the individual, which represents a radical shift from the status quo. Their application fully integrates all the personal information one individual has — birth certificate, driver’s license, health records, financial records, social media accounts, transaction records, etc. — all within one device, which is only accessible by the user. Julian Ranger, CEO of digi.me, envisions a massive simplification of digital identity — currently, business owners possess on average about 190 digital identities. Under this model, individuals could have total control over their own personal data for whatever purpose in any field — health, social services, even to sell their personal data if they wish — rather than third parties holding hostage individuals’ personal data for profit or other use.
As a form of encrypted self-sovereign identity, digi.me both protects personal data from hacking or centralized abuse and makes it simpler to conduct user-initiated data sharing. This allows third parties to access far richer individual data than before, but now with users’ consent. Ranger envisions government not collecting more of people’s user data, but giving back their core source data in the next few years — it’s simpler, cuts administrative costs, and is more efficient.
Such a digital identity system would more closely resemble the functionality of a physical wallet — albeit with far greater information contained. Governments and companies are only just learning about such models, partly thanks to the crisis. Ranger described a country that had supermarkets reaching out to ask if the government wanted to reserve spots during lockdown to make home deliveries for those with a social need. The program failed to materialize due to privacy issues, however. Ranger argues that under a citizen-centric infrastructure, individuals could possess that information themselves and share it with supermarkets through digi.me’s API.
“As soon as you actually give all the data back to your individual, you just suddenly got rid of data being available as a problem. It shifts to a value proposition — for what will you share your data? Once the technology is there, data is now freed. And it’s quicker and easier and better to reach the individual.”
Julian Ranger, CEO of digi.me
Though possible, a radical transformation in how digital identity is constructed and used on a wider scale will likely not take place during this crisis; beyond the knowledge gap on such technologies, a citizen-centric digital identity infrastructure requires an ecosystem of relevant apps and applied use cases to emerge. But Ranger estimates growing awareness through the crisis has accelerated the digital identity space by about 18 months. Incremental steps during the crisis, like increased biometric adoption by governments and businesses or SSI-driven initiatives by vanguard tech companies, are the tip of the iceberg in how COVID is changing individuals’, companies’, and governments’ approach towards what digital identity can be and its future trajectory. The digital identity revolution isn’t quite here, but it’s coming.
Image courtesy of Daniel Lim