Digital identity is at the heart of risk and fraud in the financial system and in society at large. It’s been discussed at conferences for years but last week I heard the best conceptualization yet in terms of where we need to go. (For another great conversation on this topic, check out our podcast with Urzsula McCormack.)
Crime and malignancy can’t be erased, but today the scales in the cyber realm are tipped in favour of the bad guys. We’ve made it easy for people to do bad things with impunity. So we need to tip the scales so that it’s rewarding to be a good actor and risky to be a jerk.
Greg Kidd has spent a lot of time thinking about this. He is a former payments technology analyst at the Federal Reserve. He was an early investor in Twitter, and served as chief risk officer at Ripple Labs. Today he’s running two companies: Hard Yaka, a private equity firm with a track record in many fintechs (Kabbage, Twilio, Square, and others); and globaliD, a San Francisco-based company promoting software to let people manage their permissions and money.
Last week he spoke at a fintech and banking conference organized by The Asian Banker (which also invited me to participate as a moderator). The Asian Banker is using its banking conferences to help expose consumer-banking executives to experts in digital disruption and business models; founder Emmanuel Daniel is trying to get finance executives to take technology seriously. So he gave Kidd some prime time on one of my panels. It was a good idea.
Regulator + techie
Kidd is interesting because he marries experience as a banking regulator with that of a tech investor. His involvement with Twitter has left him feeling troubled. Twitter is one of the biggest platforms being used for spreading fake news and corrupting the media and politics. Kidd defends the notion of anonymous posts but acknowledges it’s become hard to trust what’s published. What’s real anymore? How do you know if someone’s views are credible?
The problem isn’t just Twitter or Facebook. The banking system has been compromised too. For example, the protocols Russian agents used to create fake identities on social media are exactly the same ones used by banks to open accounts. Fake Facebook accounts were funded through PayPal, using four credentials: a name, an address, a date of birth and a tax identity number. All of these can be invented or stolen.
Only the dumbest guys get caught
Greg Kidd, globaliD
“The [financial] system today is based on claims that aren’t verified,” Kidd said. “Ninety-eight or ninety-nine percent of money laundering today goes undetected... Only the dumbest bad guys get caught.” He says financial controls are easy to defeat because banks are spending vast sums on compliance checks to please their regulators, not to actually catch criminals. Banks’ internal silos just make the situation worse.
This is in contrast to the e-commerce industry. Thanks to the creation of the World Wide Web in the early 1990s, the commercial internet became a seamless network. Technically, what made this possible was the use of the Domain Name System (DNS), the Yellow Pages of the internet. It meant every website could have only one owner, and that sites could be called by names in human language rather than by their IP addresses.
What's in a name?
Could a DNS be applied to individuals or entities? Kidd thinks this should be a right, as well as a responsibility. An “INS” would involve a collection of attestations, information that would provide clear evidence that a person (or organization) is who they claim to be. The more, the better: mobile phone numbers, and address books of people you’ve spoken with via that number. Or a bank account number, with evidence you can access it.
These “round trips” of interaction would be the surest way to prove identity. They don’t require actual details of messages or accounts, or sharing any other data – just proof a person can access them. Once that is established, a person can present their details to a bank, or to a hospital, or a voting booth – or to your neighborhood bar.
There is an approach that can work for Twitter and for banks
Greg Kidd, globaliD
There are different models evolving in the world to deal with identity. Corporations like Facebook and Google are meant to control and safeguard privacy, but don’t. In China, there are no anonymous identities, which solves one problem but destroys any chance at privacy.
Instead of relying on corporations or governments, Kidd wants to see a system enable self-sovereignty, so that people can easily prove they are who they claim, and therefore receive permission to access services, or give permission for others to access their information. This kind of protocol of attestations would also make life easy for financial institutions when it came to onboarding and compliance.
Kidd says it’s important that the system not attempt to weed out bad actors. “It’s not for bad guys or good guys, but for everyone together in the database.” It’s better to have spies and crooks participating in digital connections so that banks and others learn how to deny services to fraudsters.
“There is an approach that can work for Twitter and for banks,” Kidd said.
I hope so because it’s depressing to feel resigned to the idea that privacy is dead and cybersecurity a mirage. Things were not always this way. We do not live predestined to become fodder for evildoers. Nor must banks and other organizations forever spend mindless billions upon controls that don’t work. Technology got us into this mess and so technology can get us out. It has to.