Trust and Identity—The Economic Landmines

The White House, the Open Identity Exchange (and its member companies, including PayPal, Symantec, Verizon, Google, and AT&T) and others advocate that each Internet user acquire an online ID, a mechanism for establishing one’s identity to Internet-based systems, websites, and services. The ID would also record and share attribute data about an individual (age, address, birthdate, etc.) in order to accelerate the information collection and validation process that so often confronts each of us in establishing a relationship with a new asset.

In nearly every scenario, the ID would include a hardware component, on which additional identifier data could be embedded and communicated as part of each session without any user activity required. Existing userid/password methods of authentication would be abandoned.

The proposed technology solutions have drawn significant attention in terms of the potential for invading privacy (e.g., capturing additional attribute data—such as health history data—and making such data accessible to uncontrolled categories of vendors, retailers or others) or accelerating crime (such as losing a cell phone that enables an ID to be compromised). But all of this consumer-oriented dialogue fails to expose a far more troubling equation—how will each asset (system, website, application, service) score the identifying data and make a positive determination to trust the identity represented by a user? Who bears the economic loss of an incorrect business decision to trust?

From the vendor’s perspective, an online ID solution is intended to reduce the risk of misrepresentations (such as age, required under COPPA and similar rules for information collection from minors), mischief (misrepresenting your neighbor’s identity), or outright fraud (credit cards, mortgage loan applications, etc.). There is also the promise of improved business efficiency. If a vendor’s system can access and download relevant attribute data, there is less time invested by the vendor and the customer in transferring and inputting that data. If the data can be relied upon without further validation, even greater efficiency results, allowing the vendor to accelerate the overall transaction.

But reducing risks and accelerating transactions require someone to pay somebody. The credit card industry, and its evolution, offers some important lessons here. From the beginning, the merchant accepting the credit card (i.e., the identity token) was responsible for, and bore the risk of loss for, the possibility that the bearer of the card was not the person to whom the card had been issued. Moreover, the merchant also had responsibility, and risk of loss, if the card issuer had notified the merchant that the authority to accept the card had been suspended.

This dates me, but I still distinctly remember tendering a credit card and watching the cashier manually look up the card number against a published paper booklet kept at the cash register, listing all disqualified cards. For certain transactions, additional identification was examined, and for certain dollar amounts, the telephone was employed to obtain verbal confirmation of an authorization code. Even in those circumstances when an authorization code was given, the detailed terms and conditions still placed much of the risk of loss, if not all, on the merchant. If there was fraud, the merchant had to be able to document they performed all of the required procedures—something it was almost impossible to prove in a specific transaction.

As systems evolved, and competition developed (and true credit cards, allowing payment in installments, emerged), the merchant discount (i.e., the amount automatically deducted from each retail dollar by the credit card issuer or system representing the merchant’s payment for the services) became the focal point of measuring the value of the competing interests among (a) the convenience of the card as a source of payment for the merchant, (b) the additional revenue stream available to the merchant by accepting credit cards, (c) the value of receiving payment from the card issuer within 30 days (rather than the full term of the installments), (d) the different levels of risk associated with transactions of differing value or transactions involving specific products or services, and (e) the risks of loss otherwise associated with fraud or misuse of the credit card.

As technologies, systems and evolve, the merchant discount has continued to decline, allowing the merchant to keep more of each retail dollar. The card issuers (and associations) have continued to develop technology-enabled processes for lowering the possibility of misuse, and offer different rates when payment methods include more advanced technologies for limiting the potential for fraud.

But the card issuers have also focused on the systems and processes of the merchant, which have moved far beyond the skeptical, reliable eye of a middle-aged cashier questioning the authenticity of the driver’s license tendered by a youth without hair on his chin!

The PCI security standards have established levels of security required for the systems of the merchants, to further inhibit the potential for those systems to be compromised. Compliance with those standards is mandatory, and has been a significant cost for merchants. But once those systems are validated, the risks of loss are more finely balanced than historically, with the issuers and associations required, as a competitive necessity, to minimize the risks of loss.

With any online ID that introduces a token-based component (such as two-factor or three-factor authentication), if a system, device, website, application, or merchant is to rely on the validity of the online ID, someone must bear the economic risks that the online ID is being used improperly.

First, someone must bear the risk that the issuance process (including the information submitted, validation of that information, and delivery of any hardware or hardware-embedded token) was compromised by a fraudulent application, or a diversion and capture of the token into the control of a bad actor.

Second, even if properly issued, someone must bear the risk that the online ID is being used improperly and is not a genuine, authorized use by the intended relevant user.

Third, in either case, someone must bear the potential costs of taking corrective and compensatory action—including developing and pursing criminal and civil remedies, and making a system operator or merchant whole in the event payment for any related goods or services is dishonored by the proper holder of the online ID.

With online ID, of course, evolving with solely the image of a single “merchant” becomes inadequate. With federated systems, distributed networks, and cloud-based services, there emerges an entirely different vision of how the risks of misplaced reliance on an online ID at a point of access can ripple across an entire ecosystem of dependent and reliant systems, devices, applications, and data assets. This type of cascading impact is fairly easy to imagine, and very difficult to think through in terms of assigning and managing the related risks. Perhaps the most agile metaphor in today’s credit card identity system is to imagine that, with a credit card fraud today involving a major purchase (such as a $9,000 bicycle), virtually every supplier of the raw materials, assembly process, packaging, shipment, delivery, set-up and retail sale received a chargeback and lost revenue because of the fraudulent use of the credit card.

Those advocating online identity tools are certainly applying their resources to a genuine problem. But, in their pursuit of a new and lucrative revenue stream, they must also begin to discuss what the economic models are going to look like. As with credit cards, there will be companies that will issue the online ID tools. As the individual banks issuing credit cards combined into associations, so can we anticipate federations of ID issuers to gather together, set standards, and attempt to manage the risks through contractual terms that limit or exculpate them from liability.

But without a full economic model of the risks, the costs, and the means by which those costs will be allocated and shared, online ID discussions regarding privacy are almost serving to deceive and distract us from the core economic questions. If those advocating the solutions do not embrace and advance this dialogue, then surely they are inviting the public sector to assert regulations that do so.

That outcome produces chaos, conflict, and regulatory disorder that collides with the global, systemic efficiency that can be achieved. We saw it from railroad regulation (perhaps the first cross-border physical networks involving safety risks) to privacy today. Online ID’s will thrive if the full economic and risk management model can be developed and launched concurrently. Doing so is the best strategy for minimizing regulation and improving overall trust in the digital infrastructure in which we exist today.