Online enterprises in the US have been massively successful in turning the Internet into a well-oiled engine for consumer transactions. By any measure, US companies have been quicker to market, more innovative and have reaped greater financial reward by far than any other economy. Electronic signatures and records have been replacing paper at a healthy clip, and the arrival of mobile devices has made the “digital transformation” of paper-based processes, everywhere, seem inevitable.
After two decades with our foot on the accelerator, maybe it’s time to learn to use the clutch and shift into a higher gear.
The Internet gold rush that began in the 1990’s supported a speculative, high-risk, high-reward mindset among entrepreneurs in the emerging “electronic commerce” industry in the United States. Those with a high risk tolerance, who opted for speed over caution, were handsomely rewarded in an era characterized by exuberance over the digital frontier’s tantalizing possibilities.
The legal system responded in kind, with the introduction in 1999 of a uniform state law designed to cut off attempts by state legislatures to impose technology standards on electronic transactions. The Uniform Electronic Transactions Act (UETA) was a direct response to a Utah statute that prescribed a high-assurance technical method of authenticating individual signatories to an online agreement. The UETA went out of its way to ban the imposition of technology requirements that would slow down the e-commerce train. When states began to vary in their enactments of the UETA, Congress jumped in and passed the Electronic Signatures in Global and National Commerce Act (ESIGN), which threatened to preempt any state law that veered from the original version of the UETA.
In particular, ESIGN was promoted by the financial services industry to help them speed up the process of delivering required disclosures. It had little to do with identity and more to do with efficiency, with the built-in assumption that consumers would be the audience. An electronic signature was defined very broadly, so that parties would not be needlessly inconvenienced by arbitrary form requirements but could determine on their own how to execute an agreement.
As with any new invention, the new regime hit a few bumps. Things broke, lessons were learned, and the whole nation became more internet savvy. With each breach, hack, fraud or theft, the victims of “cyber” crimes developed habits and policies to combat the risks that they associated with online transactions. But that was to be expected; the laws, after all, were intended to work that way, remaining stubbornly silent on the means of establishing the identity of the parties. Just as in the paper and ink world, parties needed to be free to make up their own minds about the lengths they would go to mitigate their risks.
And so the methods of identification, authentication, attribution and proof varied widely, depending on the facts and circumstances unique to the transaction. Everybody was on their own. That’s just how we do it in America.
And ultimately, it was an unparalleled success. In the ensuing decade, what had been viewed as a niche delivery mode for brick-and-mortar business enjoyed a rapid transition into the mainstream. Consumers have responded positively to the private sector’s emphasis on usability and time savings in the design of their storefronts. Businesses have automated paper workflows and eliminated costly processes.
So what’s the problem?
Now that the lush, green fields of simple online transactions have been tamed, we eagerly push into the unexplored and peril-fraught badlands of finance, insurance, mortgage, estate planning, and government. Here we face a vexing problem: the piecemeal manner in which we solved the identity puzzle doesn’t scale. The stakeholders in these industries (borrowers, citizens, consumers, lenders, beneficiaries, regulators) have a lot more to lose if their transactions go awry. Just as important is the lack of visibility or control that any one participant has in evaluating their own risk, let alone choosing how to address it.
For example, you may be comfortable assessing the safety of a one-time credit card transaction with an online clothing store, but you may not have any clue how to assess the risks of financing a deeded timeshare in a Chinese resort through a blind trust co-owned by a Barbados limited partnership. As the complexity increases, trust and transparency become critical.
It is here that US-based e-commerce faces the prospect of a serious plateau; without a mutually trusted source of identity proofing, e-commerce cannot grow beyond its current state of adolescence.
Imagine going a month without your driver’s license. You’ll quickly discover how often you need to authenticate yourself in your everyday interactions. Your license is your key to boarding a plane, writing a check, buying a beer, or getting a store credit at Home Depot. And, oh yes, it also proves you are allowed to drive a car. Without it, you are prevented, or at least severely limited, from fully accessing some of the most basic benefits available to you as a customer, taxpayer, member or citizen.
That driver’s license is a physical example of a “federated” identification tool. It’s issued by a third party—in this case, a government entity—and it is a trusted source of key information about you. That information (your age, your name, your motorcycle endorsement) is the basis upon which a “relying party” will agree to complete a transaction with you. The pieces of information conveyed by the license are called “attributes”, and the license itself is a “credential.” Even though it was issued to you for another purpose, the license will normally satisfy the relying party because they have an adequate level of trust that the data is accurate. A similar credential issued by a different third party may be met with a different response. If you want to test that theory, try using your Costco card to identify yourself at the airport.
No online equivalent to a driver’s license
Here’s the problem: for all those transactions you want to do online, there really is no electronic equivalent of a driver’s license. You likely don’t have a federated credential you can pull out of your virtual wallet to give you instant access to all the various transactions you want to undertake electronically. For every online relationship you have, you probably need to go through some kind of identification process, after which each transaction partner (website, merchant, bank) issues you a separate credential – usually a user name and a password. Now, instead of one driver’s license, you’ve got perhaps hundreds of user names and passwords to remember, and none of them can be used for the next merchant, bank or website you come across.
Your inconvenience is only one side of the problem. The parties with whom you are transacting online face an even tougher challenge, since they need to assess the risk associated with every transaction you are requesting, and then come up with a means of mitigating that risk, often without ever meeting you. Then they have to do it over and over again with each individual. This kind of one-to-one identity proofing (as opposed to federated identity management) becomes overly burdensome and subject to unacceptably high rates of error.
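To make the vocabulary of the driver’s license analogy concrete (issuer, credential, attributes, relying party) and to show what “federated” means in contrast to the one-to-one proofing described above, here is an added example written for this page; it is not code from K6 Partners or from any product. A DMV issuer signs a set of attributes with an Ed25519 key; an airport relying party keeps its own list of issuer public keys it trusts and accepts or rejects presented credentials on that basis, so the DMV proves identity once and the airport never has to proof the traveller itself. The issuer names, the attribute fields, the expiry check, the sample holder, and the airport/Costco scenario are assumptions chosen for illustration, not any standard’s format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Attributes are the facts a credential conveys about its holder (the page's "attributes"); the field set is assumed.
type Attributes struct {
	Name         string   `json:"name"`
	BirthYear    int      `json:"birth_year"`
	Endorsements []string `json:"endorsements"`
}
// Credential is what the issuer hands the holder: attributes plus the issuer's signature over them.
type Credential struct {
	Issuer    string     `json:"issuer"`
	Attrs     Attributes `json:"attrs"`
	NotAfter  int64      `json:"not_after"` // expiry, Unix seconds
	Signature []byte     `json:"sig"`
}
// payload is the canonical signed byte string: every field but the signature, in declaration order.
func (c Credential) payload() []byte {
	c.Signature = nil       // c is a copy; the caller's credential is untouched
	b, _ := json.Marshal(c) // cannot fail for these plain field types
	return b
}
// Issuer is the third party (a DMV, say) that vouches for attributes with its signing key.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewIssuer(name string) *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // OS randomness unavailable; nothing sensible to do in a demo
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}
}
// Issue signs the attributes once; the holder may then present the result to any relying party.
func (i *Issuer) Issue(a Attributes, notAfter time.Time) Credential {
	c := Credential{Issuer: i.Name, Attrs: a, NotAfter: notAfter.Unix()}
	c.Signature = ed25519.Sign(i.priv, c.payload())
	return c
}
var (
	ErrUntrustedIssuer = errors.New("issuer not on the relying party's trust list")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrExpired         = errors.New("credential has expired")
)
// RelyingParty accepts credentials only from issuers whose keys it chose to trust (local policy; key distribution is out of scope).
type RelyingParty struct {
	Trusted map[string]ed25519.PublicKey
}
// Verify checks issuer trust, then signature, then expiry; a key that is not trusted is never used to verify anything.
func (rp *RelyingParty) Verify(c Credential) (Attributes, error) {
	pub, ok := rp.Trusted[c.Issuer]
	if !ok {
		return Attributes{}, ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, c.payload(), c.Signature) {
		return Attributes{}, ErrBadSignature
	}
	if time.Now().After(time.Unix(c.NotAfter, 0)) {
		return Attributes{}, ErrExpired
	}
	return c.Attrs, nil
}
// Scenario plays out the page's analogy and returns each case's verification error (nil means accepted).
func Scenario() map[string]error {
	dmv, costco := NewIssuer("State DMV"), NewIssuer("Costco")
	airport := &RelyingParty{Trusted: map[string]ed25519.PublicKey{dmv.Name: dmv.Pub}}
	holder := Attributes{Name: "Pat Example", BirthYear: 1985, Endorsements: []string{"motorcycle"}} // constructed
	nextYear := time.Now().Add(365 * 24 * time.Hour)
	license := dmv.Issue(holder, nextYear)
	card := costco.Issue(holder, nextYear) // properly signed, but by an issuer the airport does not list
	forged := license
	forged.Attrs.BirthYear = 1970 // edited after issuance, so the DMV signature no longer covers these bytes
	expired := dmv.Issue(holder, time.Now().Add(-time.Hour))
	results := map[string]error{}
	for name, c := range map[string]Credential{
		"license": license, "costco_card": card, "forged_license": forged, "expired_license": expired,
	} {
		_, results[name] = airport.Verify(c)
	}
	return results
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Running it prints one line per case: the DMV license is accepted, the Costco card is rejected because the airport never chose to trust Costco’s key (the page’s “try using your Costco card at the airport”), the edited license fails the signature check, and the stale license fails on expiry. The point the code makes that the prose cannot is where the trust actually lives: in the relying party’s `Trusted` map. A federated ecosystem is only as good as how those issuer keys get onto that list, which this example leaves as a hard-coded assumption.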
Increasingly frequent and noteworthy data breach and cybercrime incidents only add to the concerns about the lack of adequate controls in online transactions. And while the risk of loss faced by regulated industries like money lenders and insurers is very high, the ultimate high-risk profile is in the public sector. Government agencies have been pressured for years to offer paperless alternatives, but concerns about user authentication have driven most digital transformation projects into a brick wall. There is no budget for fraud losses at the Department of the Treasury, nor is there an “acceptable level” of identity theft at the state DMV. The institutional appetite for converting an admittedly imperfect paper process to a digital one decreases as the margin for error approaches zero, so that even the most obvious and available solutions do not get implemented.
Trust is the key
Authentication guidance for both public and private entities has been plentiful, varied, and inconsistent. Conflicting risk models and technical solutions have led to confusion in the market and frequent misapplication of otherwise solid security and authentication principles. The result, for government agencies and regulated industries like financial services and insurance, has been to sit safely in the middle of the pack and wait for a first mover to take the risk.
But that 1990’s style trial-and-error has run its course. The next level of transaction needs more assurance to make it run. Trust is the key. It doesn’t have to be in the form of a driver’s license. It does not need to take the form of a government-issued ID at all. But it has to come from somewhere.
By taking advantage of the commercial benefits of online interactions, private companies in the US have pioneered the most significant economic advancements since the Industrial Revolution. And there are many more tremendous opportunities for digital transformation in clear view. But until we have a reliable and widely recognized online identity ecosystem of trust and security, our collective ability to realize and enjoy the benefits of a more digital economy will be stuck in low gear.
K6 Partners can help you change gears from neutral to drive; not just entering the digital speedway, but owning it. K6 offers complete end-to-end digital transformation consultation services to take advantage of the digital age, preparing your business for the next level and beyond. To learn more about digitally transforming your organization, contact K6 Partners.