Who Are You? Digital Identity Management

It’s me…

Bit-by-bit (no pun intended) we are slowly working our way out of the middle ages of pen-and-ink signatures and initials on pieces of paper to symbolize that, indeed, it was us and no one else, who is attesting to our identity. Most people are used to using some form of pin number tied to a debit or credit card; soon (one hopes) that idea will spread to all other areas of our economy and lives. It is not simply a matter of convenience, it is also, as reported below, potentially a much more reliant and secure approach to vouching for our identities.

In the real world people identify themselves mainly by the crude but simple means of showing a government-issued identity document to another human being. In some countries this will be an ID card; in others it can be a passport, driving licence or even a birth certificate.

Verifying online identities is trickier. Confusion is one problem: users find it hard to keep track of the ever-growing number of usernames and passwords they need. That creates vulnerability to fraudsters who can hijack an e-mail account and then request a “lost” password. Security is also at risk when people use a single password for several sites. Hardest of all is ensuring that an online identity is genuinely linked to a real person. Many websites trust their users to be truthful. This is a mistake. One survey says a third of Britain’s nine- to 12-year-olds have Facebook profiles, breaking the firm’s rules.

Links between the online and offline world are often cumbersome and ineffective. E-mailing a scanned copy of a passport, for example, or showing a utility bill, does not really prove identity: the passport may be stolen, faked, cloned or borrowed, and utility bills can be forged. Even genuine documents can be problematic. They provide far more data than necessary, creating another array of security problems: why should everyone at your bank know all the details on your driving licence?

European countries see a simple solution: government-issued electronic ID cards. Finland was the first to provide these in 1999; Estonia followed in 2002 and Belgium in 2003. Some 16 European states offer their citizens electronic ID (though only a few make them mandatory); seven grant the cards equal status to passports. The European Commission wants digital IDs issued by one member state to be recognised by the authorities in another.

Poor countries, where many citizens lack any form of identity, like this approach too. India has registered 275m of its 1.2 billion people in one of the world’s most sophisticated ID schemes (it includes iris scans and fingerprints). The target is 600m by 2015.

Electronic identification typically combines something only you own (like a card, or in some cases a smartphone with an ID app) with something only you know (like a number or password). It may include biometric data too. Once issued, a secure ID enables all sorts of dealings with the state authorities, from e-voting to paying taxes online.

A state-run scheme can also benefit business. Binding digital signatures are useful for e-commerce. Banks and energy companies can identify customers with the government-issued cards, rather than spending money on their own in-house processes. In December Visa announced a scheme that will allow Indians to withdraw money from ATMs using fingerprint readers, verified against biometric data held in the national database. In Estonia, an innovation hotbed, third-party applications are mushrooming. You can use your ID on public transport, to open doors and to collect prescriptions or loyalty points.

But other countries are warier of a single, centrally run identity register. In 2010 Britain’s coalition government binned a highly unpopular planned national ID scheme. An alternative—favoured by America, Australia and Canada, among others, is to use the verification schemes already developed by businesses. Mobile-network operators, banks and retailers can set up shop as “identity providers”. Web users can then call on these companies to vouch for their identity, instantly, either when dealing online with other firms, or when dealing with public services. That is both safer and quicker: they can use these credentials to log into a plethora of sites, rather than register separately.

America’s National Strategy for Trusted Identities in Cyberspace, a government-sponsored talking-shop founded in 2011, aims to nudge several hundred companies into agreeing on common standards to give such an identity market the chance to take off. In September it gave $9m to pilot projects. Jeremy Grant, one of its leaders, hopes that by 2016 half of all Americans will be using multipurpose logins issued by participating firms. Later this year a faster-moving but more limited scheme should be running in Britain: ID Assurance will let citizens use logins from PayPal, Verizon, the Post Office and five other firms to sign into government websites. The firms will earn small fees each time someone logs on with the credentials they have issued, while the state will save money by not having to make the checks itself.

This goes beyond the digital identities provided by web firms such as Google, Facebook or Twitter to their users. These are convenient. But they are not private (the networks mine users’ data for marketing). And they are not credible: only in exceptional cases do these companies verify identities. The new schemes will require tough initial checks—but thereafter will mean less hassle and more privacy.

Toby Stevens, a consultant, sees big money in providing added services. These could include verifying valuable details—such as salary, qualifications, or medical history—without having to hand over the data itself. For example, the question “does he earn more than $100,000?” requires only a “yes”, rather than the actual figure.

Assuming web users accept the changes, the outcome could be more privacy online rather than less. The authorities in America and Britain emphasise that the new identity schemes will be optional, and that users alone will decide which data are shared and with whom.

The cost will be in anonymity. When verification is cheap, secure and easy, maintaining invisibility will be trickier. Consumer review sites, for example, may well find it better for their credibility—and profits—to insist that comments are posted only by people willing to give a real name. Young people wanting to dodge age limits, or foreigners pretending to be locals, will find life a lot harder. So will those hoping to trick their way to a hot date. (from the February 9th, 2013 edition of The Economist)