When identity data eclipses digital identity

When I first became involved in the identity space, which was about 10 years now, the definition of ‘digital identity’ was being hotly debated. This debate raged on over the years, but out of it, a stoic pragmatism has emerged. Digital identity is many things, but what it has in common across all definitions, is data. You are what your attributes say you are…well if you have had them verified to a decent degree of probability that is.

Identity data is a valuable commodity. In terms of attractive assets, it has cybercriminals chomping at the bit to get at it. According to a study by the Identity Theft Center, data breaches increased by 40% in 2016 over the 2015 figures. Identity data is also, of course, highly valuable to the individual behind the data, and service that individual wants to access. We need to make the identity data work for the individual, not the cybercriminal. But to do this, we need to start to break the silo barriers down.

Data, data, everywhere, but not a byte to share

Wherever we go on the web, we have to create an account. It’s enough to drive a person insane. I literally cannot remember how many accounts I have now. As a keen online shopper, who avoids B&M shops like the plague, I have truly embraced the idea of having a ‘digital me’. I transact online to do everything from purchasing my weekly groceries to sending money. Each one of those services has my Personally Identifiable Information, financial information and often health data too. The web knows more about me than many family members do.

…But this data isn’t actually me. But it can do jobs for me…

Much of the time, the data shared with the third-party isn’t actually needed. All that is needed is an assurance that I am who I say I am. In my previous article, I talked about the GDPR and how using de-identification techniques could help with compliance. However, there are cases where identity data needs to be expressly shared to carry out a process.

I’ll give you a real world example. According to the Financial Services Authority (FSA), in the UK, up to 57 billion GBP are lost each year due to financial fraud. To counter this, certain procedures are put in place that affects anyone sending money over a certain amount to another person. For example, if you want to give your child a large sum of money, perhaps as a deposit on a mortgage, in the UK at least, you have to show proof of your identity and finances, to the conveyancing lawyer. To do this you have to physically go to a Post Office (not always a local one), show them your identity documents, and have them officially ‘stamped’. They are then posted off to the lawyer.

There are many situations, just like the above, across many sectors, where being able to share identity data to perform a job could be done in a quicker, more efficient, and ultimately cheaper way, if we have the right digital methods in place.

The mutual benefit of the personal identity data store

Regulation like the GDPR is attempting to make the portability of all this identity data allowable but under user control and consent. Companies like Gigya are offering advice for building Privacy by Design into identity platforms, as this is a crucial area of control.

Control and privacy are a fundamental aspect of sharing identity data. Using an identity provider (IDP) to control access to web resources, doesn’t really address the portability and accessibility of data. This is where using an ‘identity data store’ comes in.

Identity data needs a home. I have myriad accounts, some containing verified data, that I can’t access in a usable manner to send my child the deposit for a house. It is siloed. If identity data, instead, has a centralized home, identity data can be used, reused, updated, verified, shared, and made to work for its living.

The GDPR and wannabes like the UK’s Online Privacy Protection Act 2016, place the data subject, squarely in the middle of the data sharing process. This actually makes sense. This was always the hope of Kim Cameron when he developed the ‘Laws of Identity’ – user control and consent being the first law. Identity provisioning services, such as IDPs don’t usually do this, they tend to just assert identity, along with some basic attributes. IDPs have a place in the ecosystem, but their job is constrained.

Let’s go back to that mortgage deposit use case. Imagine this, if instead of having to traipse to a post office 10 miles away, the mother was able to go online and in a few clicks share with the law firm, all of her identification and financial requirements, digitally signed, consented to, and encrypted. That is identity data, being used proactively, between consenting parties to make life easier  – isn’t that what technology is all about?

Changes like the Open Banking Initiative are opening up the capabilities of customer data stores. Others such as digital healthcare open up further use cases. The pivot upon which all of this swings, is that the data store must be based on a verifiable identity. Without that as the mainstay of the system, the rest of the data is meaningless.

Sharing identity data should be under the control of the user, but it is also, often, a two-way process. Just like in real life, sharing information is usually done on a ‘you scratch my back, and I’ll scratch yours’ basis. Giving both the user and the service, tools to communicate using verified data, is the real definition of identity online.

The data planets align

Personal data stores, or life management platforms, are nothing new. The idea has been around for a while, but our appetite has lagged. Finally, the planets of usability, regulation, and use cases have aligned to create a space for the technology to blossom. It has taken a long time, but we have finally entered the age of the customer identity platform, just to see it quickly move on to a new era – the age of ‘Digital Me’. Identity data is not me, but it can carry out jobs for me online with the right tools to do so.