The team put on an excellent webinar this Thursday (May 21st, 2020) in the Tomorrow’s Transactions series. The focus was on Trust over IP, although digital identity and privacy were covered in the round.
The panellists were Joni Brennan of the DIACC (Digital ID & Authentication Council of Canada—full disclosure: a valued customer), long-time collaborator Andy Tobin of Evernym and our own Steve Pannifer and Justin Gage. Each of the panellists is steeped in expertise on the subject, gained from hard-won experience.
Joni and Andy presented, respectively, the DIACC and ToIP layered architectural models (largely congruent) for implementing digital identification services. The panellists agreed that no service could work without fully defined technical, business and governance structures. Another key point was that the problems of identification and privacy merge into one another. People need to make themselves known, but are reserved about making available a slew of personal information to organisations with whom they may seek no persistent relationship or do not fully trust.
At one point, it was mentioned that practical progress has been slow, even though the basic problem (to put one aspect crudely, why do I need so many passwords?) of establishing trust over digital networks has been defined for 20 years at least. It could be argued that Consult Hyperion has earned its living by designing, developing and deploying point solutions to the problem. I began to wonder why a general solution has been slow to arise, and speculated (to myself) that it was because the end-user has been ill-served. In particular, the user sign-up and sign-in experiences are inconsistent and usually horrible.
Therefore, I posed the question “What is the panel’s vision for how people will gain access to personalised digital services in 2030?” The responses were interesting (after momentary intakes of breath!) but time was short and no conclusions were reached.
I slept on the problem and came up with some tentative ideas. Firstly, when we are transacting with an organisation (from getting past a registration barrier to download some info, through buying things, to filing tax returns), everything on our screens is about the organisation (much of it irrelevant for our purposes) and nothing is about us. Why can’t our platforms present a prominent avatar representing us, clickable to view and edit information we’ve recorded, and dragable onto register, sign-in or authorise fields in apps or browsers?
Now, there could be infinite variations of ‘me’ depending on how much personal information I want to give away; and the degree of assurance the organisation needs to conduct business with me (of course, it’s entirely possible there could be no overlap). I reckon I could get by with three variations, represented by three personas:
- A pseudonym (I get tired of typing email@example.com just to access a café’s wifi; there are some guilty parties registering for our webinars too!)
- Basic personal information (name, age, sex, address) for organisations I trust, with a need-to-know
- All of the above, maybe more, but (at least, partly) attested by some trusted third party.
Obsessives could be given the ability to define as many options, with as many nuances, as they like; but complexity should be easily ignorable to avoid clutter for the average user.
I think it’s the major operating system providers that need to make this happen: essentially, Apple, Android and Microsoft, preferably in a standard and portable way. For each we would set up an ordered list of our preferred authentication methods (PIN, facial recognition, etc) and organisations would declare what is acceptable to them. The system would work out what works for both of us. If the organisation wants anything extra, say some kind of challenge/response, that would be up to them. Hopefully, that would be rare.
The Apple Pay and Google Pay wallets are some way to providing a solution. But sitting above the payment cards and boarding passes there needs to be the concept of persona. At the moment, Apple and Google may be too invested in promulgating their own single customer views to see the need to take this extra step.
I sensed frustration from the panellists that everything was solvable, certainly technically. Governance (e.g. who is liable for what when it all goes wrong?) was taken to be a sticking point. True, but I think we need to put the average user front and centre. Focus groups with mocked-up user experiences would be a good start; we’d be happy to help with that!