On May 1, 1999, I began my career in the biometrics and identity industry at an unknown, fledgling company called Visionics that was promoting facial recognition in a shrink-wrapped box to allow people to log onto their PCs safely.
Admittedly, it didn’t work very well, but it was amusing when people called to complain that they had scanned their pets’ faces and were consequently locked out of their computers. Two decades later, I had another chuckle when The Wall Street Journal came out with a piece on the use of facial recognition on farm animals.
It’s been a long journey for me, so I have to ask myself: What’s changed in digital identity and security? What hasn’t? Which opportunities still exist and what does digital identity mean today? And why am I still here?
The answers seem to boil down to 3 things:
1. The notion of identity continues to evolve.
Identity is an age-old concept. Until the mid-1800s and through World War I, most people didn’t have or need identifying documents, as transactions were conducted face-to-face. However, with industrialization and increased mobility, reliance on local knowledge and contacts was no longer feasible, and for a long time, proving one’s identity meant producing a physical document. Protecting the integrity of that document and preventing forgeries was the name of the game.
Over time, with advances in online computing and the migration of business to websites and mobile applications, remote identification became more important. But what could someone produce that would prove their identity if not a physical document.
Passwords, tokens, cryptography and physical biometrics became the substitutes, and the idea of layering and fusing all these different factors to reduce error rates took hold. As long as a person could produce these factors, their identity was deemed valid, whether or not that was actually true.
As more and more applications required identity verification, people looked for the easiest way to provide it. In the beginning, passwords could be two characters! Even today, despite the well-known vulnerabilities, most organizations still rely on passwords for authentication, and the most popular passwords remain ‘123456’ and ‘password.’
The fact is, data breaches make all of this moot, and society is struggling to come up with a new construct for identity. One camp is focused on simply digitizing physical documents that are conferred by a central entity, usually a government, while another camp is focused on amalgamating our digital footprints to come up with a consolidated view of each person that represents who they are in the physical world. I suspect both camps will ultimately merge.
2. The pendulum on privacy continues to swing.
There was a major outcry in 2001 when the Tampa Police Department tested facial recognition at Super Bowl XXXV, and I spent many months with our industry association, the IBIA, to educate and promote responsible use policies and discourage hyperbole from overshadowing what was really happening behind the scenes. We coined the phrase “no match, no memory” to emphasize that if a person was not in a criminal database, the system would not be able to recognize them.
Many months of testimony before state legislatures and debates with the ACLU, Electronic Frontier Foundation and others followed – as did death threats – and then 9/11 hit. Suddenly, privacy took a backseat as people tried to figure out how the technology could be used to protect the homeland and catch the bad guys.
Several years later, the pendulum swung back, with the introduction of various data breach notification laws in both the U.S. and Europe, but it wasn’t until Wikileaks became a household name in the late 2000s that the problem of having so much information available online became clear.
A focus on data protection and privacy was back full force, but most of the attention was on notifying people when breaches occurred. Penalties were sparse, banks returned stolen funds and consumers seemed to care more about the online experience than about security. When the Equifax breach happened, I thought for sure it would be a watershed moment, but alas, that has passed and most people just take for granted that someone, somewhere, will protect them from the consequences of identity theft.
The big difference between then and now is that the guardians of personal data used to be the public sector. Today we are seeing a radical departure from a time when the DMV, IRS, Social Security, passport agency, etc. were not only the custodians of personal data but – more importantly from an identity lifecycle perspective – were the starting point to establish and validate that someone was who they claimed to be. This is no longer the case.
Facebook claims 2.38 billion users; Google, 1.5 billion; Twitter, 321 million. There are 5.1 billion mobile phone users in the world, 644 million MasterCard credit cards in circulation globally, and more than 7 billion connected devices. Each of these companies holds vast amounts of personal data, and we’re just starting to feel the ramifications. The truth is, with more than 15 billion records stolen in the last six years and synthetic identity ballooning, we have a digital identity crisis and need a new framework. If we can fix the identity problem, we can fix the privacy problem.
3. Implementation design is still the most critical element of success.
Very early on, the issue of minimizing the equal error rate (the point where the false accept rate and the false reject rate meet) became the measure for how well biometrics would perform, and it was always a trade-off.
Beyond the equal error rate, the real question was what to do when an alarm was generated. There was a lot of concern post-9/11 about slowing down the lines too much but still ensuring that the next Mohamed Atta was properly identified. Managing the thresholds, or entry points, became a major consideration for deployments.
Online, the issue is even more pervasive. As one financial executive succinctly stated recently in an analyst presentation, “There isn’t a lot of appetite to add friction to the process. Most of the business is focused on how to take friction out.”
AI is helping to answer these calls, with the combination of passive technologies like behavioral biometrics and others that can provide a high enough level of accuracy without compromising user experience. Still, the difficulty with identity management is that fraud and risk professionals want perfection and compliance, while most consumers want convenience and simplicity – and privacy.
Balancing all of these priorities involves more than managing thresholds and equal error rates. It requires careful attention to system design, from initial enrollment and building the identity profile in the first place, to maintaining and improving it, and then of course to managing identity storage. Rule engines and policy managers must be extremely flexible and easily adjustable.
It’s obvious that with the emergence of AI and machine learning, identity technologies and frameworks are adapting at lightspeed. Policy needs to catch up. Education is still sorely needed. Expectations between government, the private sector, consumers and other stakeholders need to be redefined.
This is all coming to bear right now as San Francisco officials lean towards banning facial-recognition surveillance, just a few months after authorities in one New Jersey town announced their plans to install cameras to capture both license plates and faces. Identity and privacy are forever intertwined, and as technology evolves, society must decide how to authenticate the former while respecting the latter.
With identity so fundamental to our being, there is still so much work to do to reconcile all the competing requirements and big questions. And that’s why I am still here, now at BioCatch, passionate about the digital identity and security industries even after 20 years.
This blog post also appears on Finextra.