A Keeper of the Keys


I blogged about a new OIX White Paper we’ve just published, “Exploring the Role of Mobile Identity Assurance”, by Nick Foggin. The paper summarizes the outcomes from the UK’s first mobile network operator alpha trial. Nick’s experience in publishing an OIX White Paper reflected the value of an objective expert’s assessment and an insider’s view of one of the hottest areas of identity.

I’ve talked about how the OIX White Paper approach is more “silver buckshot” than “silver bullets” in that the papers are always pragmatic and objective. They often trigger responses from other OIX members or the community at large.

Soon after publishing Nick’s white paper, I received the first of many reviews from Scott Rice, PacificEast COO. Scott is a well-regarded data scientist in the telco space and is Chair of the OIX Telecom Data Trust Framework Working Group.

Scott’s review is an informed and passionate response to Nick’s paper and is in the spirit of OIX’s “silver buckshot” approach to OIX White Papers:

I have just finished reading a whitepaper written by Nick Foggin and published by the Open Identity Exchange that details the recent Digital Identity Assurance trial undertaken by the UK Government. “Exploring the Role of Mobile in Digital Identity” outlines what the UK Government, OIX and the GSMA have learned about using mobile phones to authenticate into a prototype UK Government system. The UK is trying to move as much citizen/government interaction (services, information, taxation, healthcare, etc.) away from face-to-face and paper transactions to digital, semi-automated transactions. While a laudable effort in streamlining and cost cutting, little details like how-to-ensure-the-person-trying-to-get-the-government-service-is-actually-the-person-they-claim-to-be can often plague such ventures.

However, in this case, the UK Government is acting more as organizer and general contractor instead of as a primary developer, pulling in commercial expertise so they don’t take all the money they hope to save and just spend it to hire yet another 1000 programmers to re-invent yet another set of wheels. Kudos to the Cabinet Office on that strategy, but also to Nick for a detailed, well-written paper. These are complex issues and even more complex implementations. I look forward to pointing people to this whitepaper who are looking for a summary of the concepts related to one of our company’s passions: telco-based identity verification.

A couple sentences especially stood out. “The majority of trial participants were unconcerned about the use of MNO-held data as a means of verifying their identity. Most commonly, trial participants took the view that since the data was to be used solely for the purposes of verifying their identity, the risk of misuse was minimal.”

For many years I have advocated the concept that fraud and ID theft grow, like mushrooms, in the dark. In light of an almost daily barrage of news stories detailing the most recent million or hundred million identities to have been stolen, there is an understandable yet very wrong tendency to believe that hiding identity information will keep it safe.

The opposite is actually true. There is information that no one needs to know and information that everyone needs to know and information that just a few need to know.

In the past I have used the analogy of ID being like a key to your house. If everyone has the key, the house isn’t safe. But if no one has the key, the house isn’t safe either because either everyone can enter or no one can. A key works only if a restricted set of people have access to it. Identity information is like that. If no one has enough information to vouch for whether or not you are who you say you are, then your identity is worthless. But if everyone has that information and can pretend to be you, then your identity is also worthless. The system only works if a few, trusted organizations have access to that information but can be easily queried by those with whom you do business. Your identity is your key. It’s not something you want to lose. But neither is it something you want to hide away so secretly that even you can’t use it.

I was struck by the simplicity of the statement in the white paper… “The majority of trial participants were unconcerned”. Most of the participants understood instinctively that there are organizations, like their mobile carriers, in whom they must place a certain amount of trust just to use their product. It is clear that these test participants appreciated the fact that the carriers were one of those few entities in which they have placed trust. Certainly carriers aren’t always the most popular companies with which consumers conduct business and in whom they must place their trust. But maybe consumer opinion toward these carriers will improve if they demonstrate they can provide these consumer-focused services for little more reward than the knowledge they are being responsible stewards of one of the consumer’s keys.

I look forward to any additional feedback from readers with regard to Nick’s white paper and/or Scott’s response. As always, please let me know if there are any current identity issues that you feel OIX can add value by addressing via an OIX White Paper.

Don

Source: Trusted Transactions