ID fraud is a growing and unsolved problem. Existing solutions for user authentication do not enable banks to verify that the person authorizing a payment is the owner of the account. The current solutions are not good enough, and when suspicious transactions are identified, preventive steps often come too late.
It is difficult to re-establish trust in online channels when user identities are compromised or lost, for example when the password is forgotten, when the BankID app is lost together with the phone, or in any other situation where a user is unable to authenticate. Re-establishing identity is costly and insufficient for the banks, and cumbersome for the users. The bank depends on pre-registered information from the user; the common methods for re-opening access are Q&A and the sending of activation codes by SMS or e-mail. These weaknesses are exploited by fraudsters who, often through social manipulation, replace the user's contact details with the fraudster's own, the very details that banks then use to re-establish identity in online channels.
The user identity consists of passwords and one-time codes (generated by tokens, on-device biometrics or apps). These authentication elements do not identify a person; they only confirm possession of the elements. A fraudster who holds them can gain access disguised as the user without exposing any suspicious information to the bank.
In these attack scenarios, biometric data from ID documents represent an attractive countermeasure. Biometric data in passports have a special significance, because they confirm a verification of identity done by the authorities. In Norway this authority is the police. When we apply for a passport, we are requested to meet up at a police station. There, our biometric data are captured in the presence of a police officer, on a capturing system controlled by the police (not online or on a smartphone). The data in our passport are digitally signed by the authorities, and the integrity of the passport data can be cryptographically proven.
This identity verification is the root of trust for our identity in society. If the banks can re-use this root of trust in online channels, it can replace the existing solutions for identity verification (SMS codes, activation codes sent to e-mail, Q&A sessions), which have proven insufficient to stop the ongoing ID fraud.
Can we share (sensitive personal) data with online entities we cannot trust, and still exercise control over that data?
We are users of smartphones and PCs, where platform owners and apps collect enormous amounts of personal data about us. We have no control over this data, and often we do not even know what data it is, but still we have to trust them. So the question of ‘controlling’ data which is not under our own protection seems a far stretch.
Current methods for control of data are based on ‘secure storage’. The data are secured by restricting access to them, through encryption and access control. The protection of sensitive personal data is enforced by restricting access even further, by regulation and by technology. For users, the access control is tied to a user account, which is secured by a password and a token or biometric authentication issued to us by the entity that securely stores our personal data.
Let us now, for a moment, challenge this understanding of ‘control of data’, and look at mechanisms other than secure storage and access limitation for controlling sensitive data. Imagine instead a situation where you change the data: the sensitive data are modified so that they keep the properties needed for a specific purpose, while all other information is eliminated from them. By this modification you exercise ‘control of data’, and this control protects your original, sensitive data. You then share the modified data, not the sensitive data. The sensitive data remain in secure storage, unaccessed.
Now imagine that you repeat the process of modifying your sensitive data, to obtain two separate data files of modified data. They have the same properties and the same origin in the (sensitive) data, but the two modified files are different from each other. Again you exercise control by modifying the data, this time by making each file useful to only one recipient. A recipient's ability to use your data is restricted to its own use, and so the potential for misuse is restricted as well.
These examples of controlling data by modifying data are made possible by cryptology. Through cryptology we can design services that securely process modified sensitive data, in ways that let you control the privacy of your data fully and throughout the lifetime of the service. We can then think of control of data as achieved through ‘secured services’ rather than ‘secure access’, and share modified data without exposing sensitive data. In such a scenario, the need to trust the online entities we share data with becomes less important, because the risk of losing sensitive data is eliminated, leading to more resilient digital services.
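To make the idea in the three paragraphs above concrete, here is an added example. It is not code from this page and not Mobai's SALT construction (whose cryptology the report describes); it uses the textbook cancelable-biometrics transform, a keyed random projection followed by sign binarisation. The feature vectors, the user-side secret and the recipient names are constructed stand-ins. The example shows the two properties the text describes: a template modified under one recipient's key still lets that recipient recognise a fresh capture of the same person, while the same person's template issued to a second recipient cannot be matched against the first. It also goes one step further and shows that re-issuing the key for a recipient revokes the template previously given to it.

```python
import hashlib
import hmac
import random

# Added illustration, not Mobai's SALT construction: keyed random projection with
# sign binarisation (the "BioHashing" style of cancelable biometric template).
# Every feature vector below is a constructed stand-in, not real biometric data.

DIM = 32          # length of the (constructed) feature vector
OUT_BITS = 128    # length of the protected template
THRESHOLD = 0.25  # maximum fraction of differing bits for a match


def make_capture(person_seed, capture_seed, noise=0.1):
    """Constructed stand-in for a biometric feature vector.

    person_seed fixes the underlying identity; capture_seed adds the per-capture
    noise a real sensor would introduce. A real system would use embeddings from
    a face-recognition model here."""
    base_rng = random.Random(person_seed)
    base = [base_rng.uniform(-1.0, 1.0) for _ in range(DIM)]
    noise_rng = random.Random(capture_seed)
    return [x + noise_rng.gauss(0.0, noise) for x in base]


def recipient_key(user_secret, recipient_id, version=1):
    """Derive a transform key that is specific to one recipient.

    The user-held secret never leaves the user's side; only the transformed
    template is shared. Bumping the version yields a fresh, unrelated template
    for the same recipient, which revokes the old one."""
    label = f"{recipient_id}:{version}".encode()
    return hmac.new(user_secret, label, hashlib.sha256).digest()


def protect(features, key):
    """Modify the sensitive vector so that it keeps one property (same person =>
    similar template under the same key) and discards the rest.

    Each output bit is the sign of the dot product with a random direction drawn
    from the key. Magnitudes are thrown away, and the directions depend on the
    key, so templates made under different keys are not comparable."""
    rng = random.Random(int.from_bytes(key, "big"))
    template = []
    for _ in range(OUT_BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in range(len(features))]
        dot = sum(d * f for d, f in zip(direction, features))
        template.append(1 if dot >= 0.0 else 0)
    return template


def hamming_fraction(a, b):
    """Fraction of differing bits between two templates of equal length."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(a, b):
    """True when two templates are close enough to come from the same person."""
    return hamming_fraction(a, b) <= THRESHOLD


def demo():
    """Run the scenario from the text and return the outcome of each comparison."""
    user_secret = b"constructed user-side secret"          # constructed value
    a1 = make_capture(person_seed=1, capture_seed=101)     # person A, first capture
    a2 = make_capture(person_seed=1, capture_seed=102)     # person A, second capture
    b1 = make_capture(person_seed=2, capture_seed=201)     # person B

    k_bank = recipient_key(user_secret, "bank")            # "bank" is a constructed recipient id
    k_shop = recipient_key(user_secret, "shop")            # "shop" is a constructed recipient id
    k_bank_v2 = recipient_key(user_secret, "bank", version=2)

    return {
        # the bank still recognises A from a fresh capture under its own key
        "same_person_same_recipient": matches(protect(a1, k_bank), protect(a2, k_bank)),
        # a different person does not match under that key
        "other_person_same_recipient": matches(protect(b1, k_bank), protect(a1, k_bank)),
        # the shop's copy of A is useless for matching against the bank's copy
        "cross_recipient": matches(protect(a1, k_bank), protect(a1, k_shop)),
        # after re-issue, the template previously given to the bank no longer matches
        "revoked_template": matches(protect(a1, k_bank), protect(a1, k_bank_v2)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'match' if result else 'no match'}")
```

The toy demonstrates only the comparability property (same person, same key, similar bits; different key, unrelated bits). What it does not establish is how hard it is to recover the original vector from a template, which depends on the key staying on the user's side and on the irreversibility of the actual construction; that is the part a real scheme's cryptology, such as the one described in the report, has to argue.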
Our SALT solution is an example of such a secured service. The cryptology we apply is explained in the report: both the modification of the data and the use of cryptology to process the modified data are explained very carefully. The report also describes how control of data is exercised and how privacy is maintained for the lifetime of the shared data.
We should use advances in technology to build better digital infrastructures
Mobai is grateful for being selected as a project in the regulatory sandbox. We appreciate the efforts made by Datatilsynet to really understand the underlying technologies and analyze the privacy implications of these technologies. The Sandbox report acknowledges the potential privacy benefits of this technology, and we believe the report is a good contribution to the development of more resilient digital infrastructures.
For users, the SALT technology is a set of tools for exercising control over personal data. It can enable the ‘right to be forgotten’. Safe re-use of biometric identities will reduce the attack surface for fraudsters and reduce the risk of being exposed to social manipulation.
For service providers and entities with a legal basis to collect and store biometric identities, for example immigration authorities or banks, the SALT technology is an opportunity to safely share identity data while maintaining all privacy rights of the individual. This safe sharing of identity data will enable the development of safer, more cost-efficient and more user-friendly online services.