When we look forward to 2021, it is no surprise that COVID-19 is the dominant factor. So far as the merchant payments world is concerned, the shape of the post-pandemic new normal transaction environment must be the key strategic consideration for stakeholders and I am desperately keen to hear the variety of informed opinion on this topic that I have come to expect at Merchant Payments Ecosystem every year. At Consult Hyperion we like to contribute to these conversations by providing a useful framework for discussion: our annual “Live 5”, our yearly set of suggestions for strategic focus. This year, we choose to look at the key issue of pandemic transformation and its impact of on the three key domains where our clients operate: Payment, Identity and Transit, together with (as is traditional!) a suggestion as to a technology that the POS world may not be thinking about but probably should be.
Today marks the 10th anniversary of Safer Internet Day in the UK. Each year Industry, Educators, Regulators, Health & Social Care workers and Parents rally to raise awareness and put into action, plans to tackle findings from significant research on the topic of trust and safety on the internet. This year one of the research pieces talks of the challenge ‘An Internet Young People Can Trust’. As a mum of two school age children, I am sat here wondering if the internet will ever be safe … for them or me.
If I think about life BC (before COVID), my eldest used social media for broadcast communications to her friends. She was guided on the appropriateness of certain apps and our acid test on the content she was posting, was always ‘would you go up to a stranger in the street and give him your name, age, location and a photo of you in a bikini’ … her reaction was always ‘err, no’. My youngest had never been online apart from BBC Bitesize for homework assignments. We’re not online gamers so have never had constant nagging to go online. Additionally, you have to remember the internet (and mobile internet) has been significant in my work world since 1990 so I have a heightened understanding of the pitfalls and have seen many fall foul of their online reputation, tarnishing their in-person reputation.
At the (sadly, virtual) Fintech South event the year, I was asked to chair a discussion on identity and privacy with three extremely well-qualified experts who had informed perspectives on the state of, and trends in, those important pillars of a digital society. These were Adam Gunther (SVP, Digital Identity for Equifax), Andrew Gowasack (Co-Founder and President at TrustStamp) and Megan Heinze (President, Financial Institutions, North America for IDEMIA). It was great to talk to a group of people who were not only well-informed on these topics but had some passion for them too.
I won’t go over everything that was discussed, but I do want to pick up on a comment that was made in passing when I was chatting to the panelists: someone said that a guiding principle should be “no scary systems”. Hear hear! But what is a scary system? It is, in my opinion, a system that privileges security over privacy. This is not how we should be designing the identity systems for the 21st century!
When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews. But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.
This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may have also been uploading session cookies.
What did you think of the US election? I don’t mean the candidates and the outcome. What did you think of the election process? Should it be possible for national elections of this type to be done online? Last week the IET published a paper on internet voting in the UK, led by our good friend at the University of Surrey, Professor Steve Schneider. It’s well worth a read. As the paper explains, internet voting for statutory political elections is a uniquely challenging problem. Firstly voting systems have exacting requirements and secondly, the stakes are high with the threat of state level interference.
Here at Consult Hyperion we tend to go on about the lack of a joined up thinking around government policy on digital identity and source authentication but mostly it doesn’t really affect us personally. I mean, we get this stuff, we can spot a scam a mile off. But sometimes it does get a bit close to home…
I discovered today that my frail but still mentally competent parents have been quarantining for the past week, and a bit, because they received an NHS Test and Trace text warning that they’d been in the proximity to someone diagnosed with COVID-19. As they’re in the very high risk category, you can imagine how worried they were. But here’s the thing – they never give their mobile number to anyone and they wouldn’t know how to download an app even if I spent a year explaining it to them. It was a scam – in fact the text deleted itself, but almost certainly it will have contained “more information” link, which would have downloaded malware onto their phone.
Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.
Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:
Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.
In one sentence I was trying to capture several points:
- Digital identity is a means to an end not an end in itself
- It’s bi-directional – in any transaction both parties need to have confidence in the other party
- It’s about the information you need to share, which will vary considerably between contexts.
- It protects privacy by only sharing the information (or claims) necessary.
The Digital ID & Authentication Council of Canada (“DIACC”) announced the launch of the Pan-Canadian Trust FrameworkTM (“PCTF”) this week, a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada. Its launch marks the shift from the framework’s development into official operation and will begin alpha testing by public and private sector members in Canada. The alpha testing will inform the launch of DIACC’s PCTF Voila Verified Trustmark Assurance Program (“Voila Verified”), set to launch next year.
The rise of facial recognition technology and the erosion of privacy
In the 2002 movie Minority Report, Tom Cruise’s character has his eyes surgically replaced so he can avoid being identified by the all-pervasive retina scanning system that the state uses to track people… and of course, uses to show targeted ads to people. This is a rather dystopian view of the broad application of biometrics technology. However, judging by a lawsuit targeting Macy’s for their use of Clearview AI’s facial recognition technology in their stores, it seems that staying anonymous in the bricks and mortar world is becoming a little more like the movie. Whilst you may not require surgery, you may soon require something akin to glasses and a fake beard to avoid being tracked. The issue here is that Clearview AI has been scraping images from publicly viewable sources on the web for a while, enabling them to create a database of facial biometrics against which to match captured facial images. Amongst the sources of this data are Facebook, Twitter, LinkedIn, YouTube and Vimeo, with some of these companies having sent cease and desist letters to Clearview AI for breach of their terms of service. The aim it seems is for Clearview AI to create a one-to-many facial recognition solution that can identify an individual from only an image of their face from anyone who is in a photo or video on the web. Based on a report on Buzzfeed, they were working with over 2000 companies as of February 2020, and they are probably not alone, so perhaps we should be concerned.
As if lockdown were not bad enough, many of us are now faced with spending the next year with children unable to spend their Gap Year travelling the more exotic parts of the world. The traditional jobs within the entertainment and leisure sectors that could keep them busy, and paid for their travel, are no longer available. The opportunity to spend time with elderly relatives depends on the results of their last COVID-19 test.
I recognize that we are a lucky family to have such ‘problems’. However, they are representative of the issues we all face as we work hard to bring our families, companies and organizations out of lockdown. When can we open up our facilities to our employees, customers and visitors? What protection should we offer those employees that must or choose to work away from home? What is the impact of the CEO travelling abroad to meet new employees or customers, sign that large deal or deliver the keynote at that trade fair in Las Vegas?