Blog article
See all stories »

Open Banking and the DCMS should get a room (banks should verify our identity attributes)

In his address earlier this month to the American Enterprise Institute, the Fed’s Governor Chris Waller described CBDCs as “a solution looking for a problem”.  Time will tell if he’s right.

Many said the same of Open Banking in 2017 when it emerged freshly minted under PSD2.  Commentators at the time (not just bankers) also questioned the sufficiency of consumer demand for Open Banking - “for what?” - and doubted whether personal account holders would trust the process no matter what.

It didn’t start well. In haste to administer its Order, the CMA rolled out a pretty dreadful customer consent flow as I pointed out in 2018.

Four years on, even if you accept OBIE’s claim of “3m active users and more than a hundred regulated TPPs with at least one live application” it’s a world short of the activity levels forecasted for 2022 … of 30m+ active users.

Alongside OBIE’s predictable success claims within closing speeches (as its time is all but done) it’s telling they are also openly sharing fears that if the UK’s Open Banking mission isn’t continued to be propped up by some form of implementation entity AND widened out to become ‘Open Finance’ (where new solutions can be deployed in the credit market for instance) then its very existence may be threatened, and the hard work undone.

Fair to say that Open Banking is still waiting for a killer app … or as Forbes put it back in February “it is possible that the most transformative companies in the space don’t yet exist”.  For the sake of all the investment that’s gone before it, this killer app needs to generate some income, aka a return on the Open Banking investment.

And it’s for this reason that I’m suggesting that OBIE (or its successor) and the Department for Culture, Media & Sport (DCMS) should get together.  The DCMS has a problem that is looking for a solution … and so far they’ve been looking in the wrong place.

The Porn Blocker (entitlement by attribute)

It all started back in the time of the Coalition Government who were being pressured to act on child abuse images appearing online. This graduated to calls for effective proof-of-age checks for adult content. An NSPCC survey claimed that two thirds of 15-16 yr olds had seen porn online, along with nearly a third of 11-12 yr olds, with the majority being violent and non-consensual.

The eventual remedy (provisioned under Cameron’s Government) was Part 3 of the Digital Economies Act 2017.  This made it a legal requirement for Adult Content Providers (aka porn websites) to add a landing page which forced users to first prove their adult status before accessing their site.  This was to be administered by UK ISPs and enforced by the British Board of Film Classification (BBFC) who speedily set about creating standards and writing guides and got itself a web presence as Regulator.

Although no silver bullet (by that I mean it was never going to stop more determined tech savvy youngsters circumventing via a VPN thus avoiding any UK based ISP) or prevent porn on social media like Twitter, Reddit or Snapchat, the emphasis was at least to reduce the risk of minors stumbling across porn websites inadvertently, or being able to access them intentionally before they were so entitled by age.

Honourable and sensible stuff, but the Act stopped short of prescribing the mechanism at the heart of the age check process (widely referred to by that point as “the porn blocker”).  This was, how adult status was actually going to be verified.  They left this to the Content Providers: and as long as they employed some kind of online digital document identity checking service, who (for a click fee) would scan DVLA cards / passports to establish adult status, they were in the clear.

As you can imagine from 2017 to 2019, in the run up to this legal requirment going live, a ‘new’ industry pretty much sprang up overnight seeking a fast buck.  Such companies existed before of course, but this was a sleepy backwater of the Net ... until the gold rush hit town!

Quite soon one of the biggest guns around was ‘AgeID.com’ who were being readied to handle age checks for some of the largest porn sites on the planet, including Pornhub, Redtube & YouPorn.  AgeID.com were based in Cyprus but owned by the Canadian firm Mindgeek.  It didn’t take long for watchdogs to point out that Mindgeek was also the parent of Pornhub, Redtube & YouPorn.  The Government’s approach had inadvertently given those that create porn a free pass to expand into identify verification, thereby creating a data harvesting goldmine.

The Ashley Maddison hack of 2015 which lead to suicides (+ millions of compensation claims) was still fresh and Mindgeek themselves had been hacked in 2012.  So the Government came under fire from children’s charities, watchdogs and privacy groups for leaving age verification methods open to the discretion of the $100bn profit seeking commercial porn industry: “asking pornographers to protect children from porn”.  In January 2019, WIRED (who’d closely followed the porn blocker since inception) described it as “the worst idea ever invented”.

What did porn sites themselves think? Initially warm to the idea of using credit cards to prove age, the Content Providers soon iced up when they realised an entry gate which forced visitors to reveal their true identity, might put off considerable swathes of their existing customer base, who’d never previously had to declare who they were.  

After around 18 months of launch date delays: on 16th October 2019 (just a few weeks before the porn blocker was due to go live in the UK) the Government finally called it off altogether. Then Culture Secretary Nicky Morgan stating, “the objective would be delivered through the proposed online harms regulatory regime”.

Fast forward a further 18 months and in May 2021 the Government pushed out its draft ‘Online Safety Bill’ but the porn blocker (age verification checks for commercial sites, Part 3 Digital Economy Act 2017) was only conspicuous by its absence.  A further boot into the long grass for a hot potato left smouldering in the too-difficult basket because the solution here was DoA.

Dead on Arrival, firstly since the remote checking of documents online, which relies upon user’s own hardware interfaces (scraping and matching images from identity documents) is far from robust, especially when the process is not regulated by mandatory standards. Secondly, since forcing adults to share their full identities and remove their anonymity when browsing porn sites, is simply a ridiculous notion.

WHAT you are, not WHO you are (attribute not identity)

In seeking to solve one problem the DCMS approach here creates quite a few others.  Why share who you are when all that's needed is proof you’re an adult?  The central construct of privacy enhancement is to take a minimalist approach with data sharing on every occasion: being efficient with data by never sharing any more than is needed. 

I’ve some form in this area. Around a decade ago I was co-founder of a UK start-up called ‘Touch2id’ (a few years before Apple introduced ‘TouchID’ btw).  We aimed to free young adults of the burden of taking driving licences and passports on a night out, just to buy alcohol. Our big idea was to harness the emerging tech in smartphones with fingerprint biometrics.  It was database-free and nothing was shared with third parties. It was, by design, privacy enhancing.

We first ran a town POC in Trowbridge (Wiltshire) and then a City trial in Bath (Somerset), the latter in conjunction with the UK Post Office.  The key construct here being "prove your age once but once properly" – take your driving licence or passport along to your local Post Office: where they’d pop it on the same black box scanners you’d find at the airport.  If (i) their document was genuine, (ii) the person's image from the document or passport chip (enlarged on screen) matched the person at the counter and (iii) the scanner established they were 18+, they got a contactless sticker for their phone with a hash of their chosen fingerprint encrypted onto its chip.

The phone sticker worked in conjunction with a chip & pin type reader we made for bars & nightclubs (knowing such tech would soon appear in smartphones which were becoming ubiquitous). The weapon of choice back then for young adults was a Blackberry! See how Touch2id actually worked in a bars here.

The whole thing was offline - essentially just a digital trusted status token which went where your phone went - a persistent identifier linked to a single attribute.

I regret to say that although the young adults thought it was "sick" (they truly loved it), those seeking to sell as much alcohol as possible truly didn’t (despite of course publicly stating the polar opposite). 

As a start-up venture we were too small and underfunded.  Classically, this manifests in an all too brief window of opportunity in which we failed to garner the much needed support from both Bath Licencing Authority and Avon & Somerset Police.  They seemed to put more effort into denying there was any underage drinking problem on their patch.  Quite a different experience to Wiltshire, where we’d successfully proved concept just a few months earlier.  Both Wiltshire’s Licensing Authority and Police openly conceded that underage drinking was rife on their manor, but not only that, they genuinely wanted to do something about it (even funding the trial). Moving across county lines just proved fatal.

A decade on and despite four times the tech capability now in every young person’s pocket, a DVLA card or passport remains the ‘go-to’ for a social night out.  Instead of a 21st century solution, young adults are left with little alternative but to share their names and more frequently than not their addresses with perfect strangers, time and time again.  Acceptable maybe in 1980, a shameful disgrace today is it not?

The age checking solution the DCMS has come up with so far for the porn blocker shares these same flaws.  In fact it’s worse. In placing the DVLA/ passport at the centre of the checking mechanism, not only does it remain relatively easy for the underage to overcome the remote image-match routine, and not only does it dangerously substitute anonymity for full blown identity disclosure, but by moving the image checking process online – where the checker instead is a computer programme sitting on the world wide web – the data from the scanned ‘ID card’ can be harvested, lost, hacked or sold with efficient ease anywhere around the planet in seconds. At the nightclub at least it’s only one doorman who sees your name and address ... with the porn blocker the number of eyes may be exponential.

So why isn’t there infrastructure for digital identity management on the Net already? (the missing link)

Tierney Ray over at ZDNet provided the answer earlier this month: “The creators of the Internet didn't finish the job, they didn't create a personal protocol to give people control of their identities”. 

Of course he’s right about that.  The analogy I often use is to imagine the grandest of all mansion houses has been built …. it’s a utterly awe-inspiring creation: like no mansion house before it. It has literally thousands of bedrooms and acres of magnificent banqueting rooms: and is resplendent throughout with fabulously high ceilings, beautiful cornicing, tremendous staircases and breath-taking marble work. Yet they forgot to install any central heating and its residents are cold as hell inside.  Try retrofitting now!

Tiernan adds: the simplest explanation for the absence of any form of digital identity infrastructure on the Net is that humans simply weren’t expected to be ON it, just computers. Its creators didn't foresee that it would be used for social activities. They didn't foresee it, so they didn't build it: "I totally missed the entire world of social networks," said Leonard Kleinrock, one of the key inventors of the Internet - Kleinrock sent the first packets of data over the Internet from his laboratory at UCLA in 1969 - "I was still thinking of computers talking to each other, maybe people talking to computers, but not people talking to people".

The problem with retrofitting the Internet with a digital identity infrastructure is a seriously complex one.

A bunch of organisations are having a tilt at this, in various forms.  This includes another of the Internet’s creators. Tim Berners-Lee is back with Solid Inrupt, to enable people to control and store their own data in ‘personal online data stores’ or Pods:  “it’s technology that gives people control of their data, allowing them to choose where their data is stored and who has access to it” says Tim.

Microsoft are busy with Azure AD which is seeking to enable organisations to share people’s proof of claims - such as about employment or education via a consented approach.

There’s growing recognition generally in America that the missing link needs adding fast, to such extent that Patrick Hearn recently described it as a matter of US national security.

In June, the EU embarked on a big bang approach for online identity management putting forward proposals for what they call a European Digital Identity Wallet. The plan is to enable citizens to link national identities and other attributes (eg, driving licences, bank accounts) in a convenient way to access both public and private services.  Its design enables people to choose which aspects of their identity, data and certificates they share with third parties, and to keep track of such sharing.  It’s a long road and the roadblocks from GDPR, bureaucracy and cultures will be many.

In the UK we are of course ploughing our own furrow.  The DCMS has recently unveiled their draft ‘Digital Identity & Attributes Trust Framework’ for the UK, with its consultation period ending this September. 

“Can I check your ID?” (it’s analogue and it’s archaic)

You need ID these days to buy paracetamol, stick a bet on at the bookies, join a gym and (more recently) take your rubbish to the local tip (proving you too are local) or get a PCR test. The in-person checks are rising.  For online activity you need it to use a betting app, Click & Collect in store (or at the Post Office) or receive home delivery of anything age-sensitive from alcohol to cigarettes/vapes, to scissors for the kitchen. I’ve even had to produce my driving licence on my own doorstep for liquor chocolates .... I’ve kids older than 18!

In fact it’s rare to get through the supermarket self-checkout without triggering that red beacon overhead as there’s an energy drink in your basket ... only for someone that looks about 16 to come along with their special key on a chain to let you continue with your life once more ... when they’ve ‘proved’ you’re 18!

The driving licence is preferred for its portabability.  Pretty much all of the security features which make it hard to fake are designed to be checked by those digital ‘black box' readers. Yet for 25 quid 15yr olds can get a couple of fake provisional licence cards from China which look so genuine they'll pass most visual checks.  After all, 990 times out of 1000, visual checks are all this card is actually used for. After that the next task is of course to establish if the card belongs to its apparent holder and that relies on matching that small, grainy, black and white image (that’s actually obscured by a few of those security features just mentioned) to the person before you.

The embarrassing truth is that relying on these analogue documents (permits to drive or fly) to perform such an important 'identity' function in today's fully digital world, is not only painful for all those involved but massively flawed. The visual matching process isn’t really about authenticity, in practice it’s actually little more than security theatre.  What’s needed is a fully digital solution: using modern banking technology which happens to be here already, hiding in plain sight …

Baby steps not big bang (a digital solution)

The Government’s idea for the so called porn blocker is to mandate age checks before accessing adult content sites.  That idea is laudable, but adults need to be able to prove they are entitled to buy alcohol, place a bet or engage with adult content sites online without sharing their identities.

To resolve the DCMS headache and enable Open Banking to generate some payback on their investment, whilst also taking a gentle step into identity attribute management, let’s consider the following solution:

Following the same path they’ve been forced down with Open Banking, imagine if all UK registered banks got together again and created their own single TPP.  An accredited AIS in which they all held a single share say. As a working title let’s call it ‘Verified.adult’. 

An existing bank account holder could then download the Verified.adult app and opt into it via their bank app (or whatever) just like any other TPP in the current Open Banking consent flow. This enables their bank to verify they’re an adult without sharing any of their identity details, even their age.  As long as they stayed opted in, they would have a persistent identifier on their phone linked with that single attribute which they could use online AND in person, face to face.

Here’s one example of how I see this might work (of several alternatives):

An existing bank account holder downloads Verified.adult from their App Store and completes the bank consent flow to ‘Opt in’.   The bank then checks they are 18+ (against their DoB held on file at account opening) and if they’re an adult Nat West (or whoever) sends a ‘Consent’ confirmation through to Verified.adult which is the go ahead to activate their app. 

Any customer with an active Verified.adult app can then use it to do two things: generate an OTC on demand or fetch up a QR code. To do either requires 2FA, the kind of authentication routine we’re all getting used to when logging onto bank apps, for example. Strong authentication as its called, eliminates the transferability risk where adult’s phones are ‘borrowed’ by minors.  

To complete the age checks for adult content the landing page could just ask for a Verified.adult OTC and when the visitor copied that in from their app, it’s sent directly to www.verified.adult which checks the OTC is legit and records the check being made by the site (and the bank click charges the Content Provider). 

For those that need to prove their adult status in person in the pub say, every app download includes a QR authenticator so the 18+ fire up their app (complete 2FA with Face ID or whatever) and show their short lived one-time QR code to the bar/door person who, with the Verified.adult app on their own phone scans the QR code which comes back with a green/red.  This system could also work offline.

Using strong customer authentication and the API rails of Open Banking, banks could easily solve this pain point around adult verification AND get some payback on their investment.  Instead of paying Mindgeek et al in the Wild West, every Content Provider would pay Verified.adult instead.  This banking cooperative might be run as an Not-for-Profit after costs and make an annual donation to the children’s charities involved in keeping our kids safe online.

We could then all leave our driving licenses and passports safely in a drawer.  Around 75% of UK adults have a driving licence and this rises to around 83% with a passport, yet the unbanked in this country is just 1.4m. This means inclusivity is greater, via this mechanism, up at around 98%.

If banks took a step into identity attribute management – and proved they were good at it – then it’s not hard to foresee a future where your bank, acting as your agent (not just your wealth manager) passes tokens out to prove your entitlement or aspects of your identity on demand (lives in Newcastle, is a mortgage holder …) .  

It could also represent the start of an online identity infrastructure retrofit that’s badly needed on the Net, which is centred on attributes rather than identity and based upon minimalist, privacy-by-design principles.

 

6465

Comments: (0)

Giles Sergant

Giles Sergant

Director

Consultant

Member since

09 Jan 2018

Location

Newcastle Upon Tyne

Blog posts

2

Comments

6

This post is from a series of posts in the group:

Banking Strategy, Digital and Transformation

Latest thinking in respect to Banking Strategy, Digital and Transformation. Harnessing our collective wisdom to make banking better. Ambrish Parmar


See all