I had the great good fortune to be asked by the GSMA to chair the Mobile Identity session at this year’s Mobile World Congress in Barcelona. During the absolutely excellent session, which featured input from Telesign, Payfone, Early Warning, Telenor, the UK Cabinet Office and Nok Nok, I happened to mention in passing that I thought that a global mobile-centric authentication push (perhaps using FIDO) was possible and that it would make life easier for many people, but that it wasn’t clear to me at all that a global identification platform was getting any closer.
A couple of people asked me about this afterwards, and so I thought it would make an interesting blog topic to look at real-world, population-scale identification as discussed in the session. I’ll use Pakistan as an example. Pakistan has very strong identification laws around mobile and rigorously-enforced mandatory SIM registration.
[Pakistanis] have to show their IDs and fingerprints. If the scanner matches their print with the one in a government database, they can keep their SIM card. If not, or if they don’t show up, their cellphone service is cut off. [From Pakistanis now need to be fingerprinted to have a cellphone – Business Insider]
This will help to stop criminals and terrorists from obtain mobile phones and operating with impunity in Pakistan because it depends on the integrity of the national identity register. Oh, wait…
The famous green-eyed ‘Afghan girl’ immortalised by the National Geographic magazine on its 1985 cover has been living in Pakistan on fake documents, prompting authorities to launch a probe. Four officials were suspended on Wednesday for allegedly issuing fake Computerised National Identity Card (CNIC) to Sharbat Gula and her two ‘sons’.[From National Geographic Afghan Girl living on fake identity card in Pak : World, News – India Today]
National identity registers are a single source of failure and a natural honeypot for crime and corruption, as Pakistan has discovered.
The National Database and Registration Authority [NADRA] reports that it has deployed a state-of-the-art facial matching system with the capabilities to stop fraud and forgery in identity documents, yet people are still able to obtain forged identity cards. This was very puzzling to understand given the supposed surety, accuracy and privacy of NADRA database that such a scam was still happening even after the introduction of new chip-based identity cards.[From Identity theft persists in Pakistan’s biometric era | Privacy International]
It’s not “puzzling” as at all as far as I am concerned.
Identity theft is more common in single reference systems such as centralised national population registers, as they create a single point of failure, and centralisation increases rather than reduces the potential for fraud. Doppelganger matches also become more likely in large scale databases.[From Biometric Smart ID Cards: Dumb Idea :: SACSIS.org.za]
So while it makes sense for service providers to rely on biometric authentication to digital identities that they themselves will bind to virtual identities (with attributes), it is not so clear that it makes sense for service providers to rely on biometric identities established by third parties. In fact, when it comes to mobile phones, in this case I might go even further and say that it is not at all clear to me that we should be attempting to stop the bad guys from using mobile identities at all!
Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.[From Search Results SIM registration]
There’s a further point to make here, away from the exigencies of national security and the war on terror and in the world of business. As the banks have long understood, the issue of identification is inextricably linked to liability. There’s a world of difference between me as an operator saying to a service provider that “this is subscriber XYZ and it’s the same person who logged in last time and it’s still the same handset and SIM” and saying to a service provider that “this is Dave Birch”. I know I sound like a broken record on this, but it the overwhelmingly majority of interactions, who you are is not the point. The point is whether you are allowed to do something, whether you have credit, whether you are a subscriber or whatever. Trying to work out who someone “really” is means a world of legal pain.
According to the Post, “…sources say Instagram, owned by Facebook, ran into “serious legal problems” over its verification process and has been forced to pause it. Some suspect Twitter, which also has a verification system, had an issue with Instagram’s.”[From Instagram is no longer verifying accounts – Business Insider]
Therefore it seems to me that in business terms, it makes sense for service providers to rely on bank identification since banks already have to comply with know-your-customer regulation. For this work, however, there must be a kind of identity “safe harbour” (i.e., if the person turns out to be using a false identity that the liability rests with the bank but if the bank has followed KYC procedures then it has no liabilty) from zealous prosecutors otherwise the wheels of commerce will become gummed up with identity junk.