Digital identity – a double-edged sword?

We live in a border-less and digital world and privacy cannot be protected by building walls. Today, digital footprints start very young, and it is important to deeply understand how the physical and the virtual realms form the ‘one life’ we live. There was a time when we had to be public by effort; private was our default state. Today and for the foreseeable future, our lives are public by default, private by effort. Not only are we in a default public state, ‘forgetting’ is no longer possible in the open web.

In most of the banking and fintech conferences, identity management has become a hot topic. Managing privacy is linked to managing digital identity. But most of these discussions revolve around how do we authenticate a person. The concept of a digital identity goes beyond that.

Problems with the current identity system

When we think of identity, we usually think of a document like a passport or a driving license. Take a step back and you will remember the days when we had to visit a high government official who had the power to attest your name, age and character. This could then be used in a school or a college which usually accepted the veracity of the letter and thereby our identity. The fundamental concept of identity has remained unchanged. A known authority (usually the government) attests our attributes which become our trusted identity document.

The problem with a physical document is that we cannot carry it around with us. A copy saved in the cloud is of no use either, since in most places the original document needs to be produced. A physical document can be falsified, can get lost or stolen, can get damaged or altered. Besides, it can carry only static and mostly basic information about our attributes.

Most importantly, a physical document is not conducive for online transactions. To further understand the limitations, we must appreciate the difference between authentication and authorization. While authentication is the linking of the user to the stored attributes, authorization is the entitlement of services given to the user basis the authenticated attributes. Given what attributes are getting authenticated, entitlements can vary. In a paperless world, both authentication and authorization require digital data.

Digital Identity

A digital identity system has the same basic structure as the physical identity system except that the attributes are stored and exchanged in a digital format. The attributes go much beyond the typical name, age, email address and phone number. Ever wondered what happens when you write or post something on Facebook, Twitter, Instagram, LinkedIn, or anywhere else in the open web? Every online action adds to our identity.

Other than the usual benefits of security and control, a digital identity allows the flexibility in authorizing entitlements basis attributes.  

Banks and digital identity

Banks have traditionally seen identity as something of a compliance requirement. The KYC norms that are implemented are no more or less than what is required by regulation. This is unfortunately severely limiting in utility.

Identities which are additionally mined from transaction data and social network activity can be used to deliver services in a personalized and efficient manner. A robust digital identity can also help banks mitigate fraud, assess credit worthiness better and win the trust of their customers.

Basic digital identities are also foundational in financial inclusion. As per the World Bank’s 2016 ID for Development (ID4D), 21% of the world’s population cannot prove their identity, which essentially excludes them from accessing any government or basic financial services. Thanks to the Universal ID project, 99% of Indians above 18 years have a digital identity in the form of Aadhaar. This identity system is already being used in financial product innovations with a helpful nudge from the regulator and the government.

Identity has become central to most discussions with the rapid advancement in digitizing bio-metrics like fingerprints, retina, heartbeat waveform, voice and facial characteristics. Start-ups, institutions and governments across the world are conjuring up digital identity models as they realize the limitations of the current analog identity system.

A dangerous thing?

While India has got its act right with Aadhaar, its China which is on a path to creating digital identities in the truest sense. Dubbed as China’s tool for social control by the Wall Street Journal, there is no denying the fact that, in theory, the ‘social credit’ system being piloted by Hangzhou’s local government (and several others) has all the right elements. In addition to the traditional information available in government records (like income tax payments, payments of loan installments, credit card bills and utility bills), they are starting to compile data on infractions such as jaywalking, fare-cheating, violating family-planning rules. And soon, data from internet activity, information posted or re-posted online and shopping behavior will get added.

No one in their awakened state of consciousness will be able to profile themselves the way this kind of data can do. When a government which is known to avert threats to its legitimacy gets into the act of creating the most sophisticated digital profile of its citizen, with the help of the latest technological tools known to humans, it raises important questions on how this data is going to be used.

Closer home, Aadhaar seems to be the only answer to financial inclusion and access to basic services. On May 2nd, the Indian government asserted in the Supreme Court that the ‘concept of absolute right over one’s body part was a myth’. Making Aadhaar mandatory is a good thing. The problem lies in the weak law around this.

Every online transaction authenticated using Aadhaar will leave a trail of data about your health, financial transactions and video-chats creating a rich database for profiling. The Aadhaar Act does not limit how it can be used by third parties. It allows your biometrics to be shared ‘in the interest of national security’. It doesn’t allow revoking the rights to use your data once it has been given. If your data is getting breached, there is no provision to notify you. It doesn’t allow citizens to file cases for data theft or misuse.

Governments across the world have argued that to prevent all manners of risk, they need to collect more data on their citizen. The Indian government’s argument is to build a secure and robust system which can curb black money, drug and terror financing. Despite the known benefits of a digital identity system, one wonders why such a facetious argument needs to be advanced. Irrespective of the reasons this data will be used for, it puts enormous power in the hands of the owner. I am reminded of the famous advice to Spider-Man by uncle Ben Parker: “With great power, comes great responsibility”. Unfortunately, governments are not run by honest and righteous superheroes, but by humans like you and me. The itch to fool around with power is all too human.

I would love to receive your thoughts and opinions in the comments section. 

-------------------------------------------------------------------------------

In case you missed my blogs on Internet of Things:

How the Internet of Things is going to change our lives

Fin-ternet of Things - Where banks and IoT intersect

-------------------------------------------------------------------------------

About the author

Anindya Karmakar has led multiple initiatives at the cutting edge of digital connectivity, robotics, analytics and remote advisory. He is passionate about the digital revolution which is underway. He simplifies and de-clutters digital jargons and concepts and presents it in layman's language.

-------------------------------------------------------------------------------

The views and opinions expressed or implied herein are my own and do not reflect those of my employer, who shall not be liable for any action that may result as a consequence of my views and opinions