I was delighted to be asked to present a keynote at the FIDO Authenticate Summit and chose to focus on digital identity governance, which is something of a hot topic at the moment. Little did I know that the day before my session was recorded the European Commission would propose a monumental change to eIDAS, the Europe Union’s digital identity framework – one of the main examples I was planning to refer to. I hastily skimmed the proposed new regulation before the recording but have since had the time to take a more detailed look.
Earlier this year we were delighted to be part of the Consult Hyperion webinar on Request to Pay. A common thread in post-event conversations that followed was an interest in the parallel developments of the UK and European flavours of Request to Pay and how they might work together. With the launch of the European version on June 15th, we thought it an ideal time to signpost the bigger differences.
When we look forward to 2021, it is no surprise that COVID-19 is the dominant factor. So far as the merchant payments world is concerned, the shape of the post-pandemic new normal transaction environment must be the key strategic consideration for stakeholders and I am desperately keen to hear the variety of informed opinion on this topic that I have come to expect at Merchant Payments Ecosystem every year. At Consult Hyperion we like to contribute to these conversations by providing a useful framework for discussion: our annual “Live 5”, our yearly set of suggestions for strategic focus. This year, we choose to look at the key issue of pandemic transformation and its impact of on the three key domains where our clients operate: Payment, Identity and Transit, together with (as is traditional!) a suggestion as to a technology that the POS world may not be thinking about but probably should be.
Today marks the 10th anniversary of Safer Internet Day in the UK. Each year Industry, Educators, Regulators, Health & Social Care workers and Parents rally to raise awareness and put into action, plans to tackle findings from significant research on the topic of trust and safety on the internet. This year one of the research pieces talks of the challenge ‘An Internet Young People Can Trust’. As a mum of two school age children, I am sat here wondering if the internet will ever be safe … for them or me.
If I think about life BC (before COVID), my eldest used social media for broadcast communications to her friends. She was guided on the appropriateness of certain apps and our acid test on the content she was posting, was always ‘would you go up to a stranger in the street and give him your name, age, location and a photo of you in a bikini’ … her reaction was always ‘err, no’. My youngest had never been online apart from BBC Bitesize for homework assignments. We’re not online gamers so have never had constant nagging to go online. Additionally, you have to remember the internet (and mobile internet) has been significant in my work world since 1990 so I have a heightened understanding of the pitfalls and have seen many fall foul of their online reputation, tarnishing their in-person reputation.
At the (sadly, virtual) Fintech South event the year, I was asked to chair a discussion on identity and privacy with three extremely well-qualified experts who had informed perspectives on the state of, and trends in, those important pillars of a digital society. These were Adam Gunther (SVP, Digital Identity for Equifax), Andrew Gowasack (Co-Founder and President at TrustStamp) and Megan Heinze (President, Financial Institutions, North America for IDEMIA). It was great to talk to a group of people who were not only well-informed on these topics but had some passion for them too.
I won’t go over everything that was discussed, but I do want to pick up on a comment that was made in passing when I was chatting to the panelists: someone said that a guiding principle should be “no scary systems”. Hear hear! But what is a scary system? It is, in my opinion, a system that privileges security over privacy. This is not how we should be designing the identity systems for the 21st century!
When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews. But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.
This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may have also been uploading session cookies.
What did you think of the US election? I don’t mean the candidates and the outcome. What did you think of the election process? Should it be possible for national elections of this type to be done online? Last week the IET published a paper on internet voting in the UK, led by our good friend at the University of Surrey, Professor Steve Schneider. It’s well worth a read. As the paper explains, internet voting for statutory political elections is a uniquely challenging problem. Firstly voting systems have exacting requirements and secondly, the stakes are high with the threat of state level interference.
Here at Consult Hyperion we tend to go on about the lack of a joined up thinking around government policy on digital identity and source authentication but mostly it doesn’t really affect us personally. I mean, we get this stuff, we can spot a scam a mile off. But sometimes it does get a bit close to home…
I discovered today that my frail but still mentally competent parents have been quarantining for the past week, and a bit, because they received an NHS Test and Trace text warning that they’d been in the proximity to someone diagnosed with COVID-19. As they’re in the very high risk category, you can imagine how worried they were. But here’s the thing – they never give their mobile number to anyone and they wouldn’t know how to download an app even if I spent a year explaining it to them. It was a scam – in fact the text deleted itself, but almost certainly it will have contained “more information” link, which would have downloaded malware onto their phone.
Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.
Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:
Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.
In one sentence I was trying to capture several points:
- Digital identity is a means to an end not an end in itself
- It’s bi-directional – in any transaction both parties need to have confidence in the other party
- It’s about the information you need to share, which will vary considerably between contexts.
- It protects privacy by only sharing the information (or claims) necessary.