Digital identity verification and data privacy

December 13, 2019 by Steve Ritter

Data PrivacyDo you know what they know about you, and how they’re using it to identify you?

Remember the TV series Person of Interest, where people were being tracked by an AI program that assigned them each a number? The program displayed live video of street scenes with people going about their business in the normal way, completely unaware that from the program’s point of view, they had numbers emblazoned across them like labels. Although in the series, the AI was originally created with good intent, it still seemed creepy. And, of course, eventually bad guys got hold of it and loosed havoc on the world.

Images from that show came to mind when I read a recent piece on data privacy by New York Times columnist Farhad Manjoo. The author was recruited by The Times’s Privacy Project to be a guinea pig. For several days, as Manjoo engaged in normal, everyday web research and browsing, the Project logged his activity as well as all the web servers that tracked him and the data they obtained. The amount of data collected “in obscene detail,” even from small amounts of web activity, was, in Manjoo’s assessment, “staggering.”

Here’s what really knocked the guinea pig off his wheel: One of the tracking servers had issued him a 19-digit identifier number—Manjoo thinks of it “as a prisoner tag”—which was shared with nearly a dozen other trackers and advertisers, and used by eight different sites.

Now, we’re all aware our privacy is constantly being invaded for the purpose of serving up targeted advertising. But few of us realize detailed data is being collected on us for the purpose of identification. The many ways this is happening are sometimes lumped together under the rubric “behavioral biometrics.” And it’s not just about what we do on the web and in mobile apps. Increasingly, sensors and code layered into web servers, digital devices and apps are also capturing data on how we move—press, swipe, scroll, type, etc.—when we do it.

I’m not saying behavioral biometrics don’t have a place in digital identity verification (IDV). But the problem with how they’re currently being used in many cases is that I, as a consumer, am completely unaware this data construct purporting to represent my identity exists. There’s no transparency because I don’t even know I have a 19-digital identifier number. Nor do I have any reason to trust the issuing organization. (In fact, I don’t even know who they are.) There’s no control because I certainly am not being given the choice of whether or not to provide this number and the data behind it to web sites and vendors.

Compare that to Mitek’s Mobile Verify® solution, where consumers submit a snapshot of a government-issued ID along with a selfie for facial biometric comparison and other AI checks. This is taking something consumers know they have, and giving them the choice of submitting it or not to a particular requestor.

My expectation is that behavioral biometrics may well prove to be a helpful part of the best IDV solutions. I think we’re going to see a technology mix, including additional AI. I’m also optimistic about the prospect of using blockchain distributed ledger technology to improve transparency and control for consumers—so that nobody needs to feel they’re walking around with “a prisoner tag.”

I’ve elaborated a bit more on where I think IDV is headed, and the challenges of getting there, in this white paper on The Future of Identity. For a quick visual summary, take a look at this infographic. We also recently did a webinar on Blockchain as the Next Step to Self-Sovereign Identity, which is available to view at your convenience.