What the Romans can teach us about digital identity
Around 2000 years ago, falsely claiming Roman citizenship carried with it a heavy price – the removal of the fraudster’s head with an axe. Fraud may no longer be a capital crime, but there are lessons we can learn from the Romans that are still valid in a digital economy.
Of the more than 50 million people who lived in the Roman Empire, only about five million were full Roman citizens. Since citizens could vote, avoid certain taxes, and watch gladiators clash in amphitheatres, proving that you were one was important.
Roman citizens were required to take part in government, either by voting or by holding public office. So if you wanted to know if someone was a citizen, the answer was simple: just ask around. You might not know if someone was a citizen, but it was inevitable that someone would. Even in a society with an official census, identity was essentially distributed.
The problem with enrolment
Identity solutions have four distinct functions: user enrolment, where an identity is verified; authentication, verifying the user using details registered or provided at enrolment; transaction authorisation, often combined with authentication; and finally, processing the authorised transaction – this can mean granting access, storing consent or transferring money.
The first of these is difficult for a number of reasons. It’s not really possible to ask around in the same way as it was 2000 years ago. Instead, it’s far more common to present official documentation – a passport, driving license, birth certificate etc – making this a manual process that requires more from the customer than is ideal. Businesses want to be able to sign up customers immediately, and making them jump through hoops risks abandonment, as the customer often decides the hassle simply isn’t worth it.
The technology to change this and make enrolment and onboarding simple is here, but change is slow. The first legally recognised digital identities were launched in Finland more than ten years ago. Since then digital identities have been available in the Nordics, Baltics, Switzerland, Austria and further afield. These centrally-held identities make it simple to sign up to a service without the need to present documents – as long as you have your digital identity, you can sign up without fuss. But progress is slow, as it demands government action or cooperation with the private sector.
But there’s another problem with enrolment that has been made clear in recent years – data breaches. Businesses ask their customers for identifying information to confirm who they are, and then they lose that information to hackers. These breaches put a business’s customers at risk of fraud and identity theft, and harm the reputation of the hacked business. Critically, businesses no longer know whether existing customers are really who they say they are.
Gaining trust through trust
What if we could go back to how things were? What if a business could, to prove someone’s identity, just ask around? On the face of it this may seem absurd, but this approach may be the future of identity.
When a business is onboarding a customer, there’s a tendency to take exhaustive details of a customer, then ask for proof of identity to back these up – name, address, date of birth, photo etc. But what a business ultimately needs to know is the answer to a yes or no question: Is this person really who they say they are?
When signing up to a new service – for example, financing for a new car – there are likely several companies with enough data available to answer this question. So instead of asking me to prove my identity, why not ask them? The business doesn’t even have to ask for the data; it just needs to get a yes or no to the question of whether that person is who they say they are.
We don’t need a central digital identity system to make this a reality. Nor do we need to create a blockchain for identity, a fashionable idea that’s not 100% clear on who will actually run it. We need to bring those who hold identity data – whether that’s banks, telecom providers, energy companies or another service – together so they can vouch for individuals.
Regulations such as the General Data Protection Regulation (GDPR) are designed to make sure that businesses do not hold too much information about their customers, while anti-money laundering (AML) rules demand that they hold enough to make sure an audit trail is possible if criminal activity is suspected. These two demands will make it more and more difficult to enrol customers. It’s time to stop demanding data, and start asking around instead.
Thomas Bostrøm Jørgensen, general manager, EMEA, AllClear ID