Spending the last three years building Yoti has made us keenly aware of both the opportunities and benefits that digital identities can unlock for people. But it has also opened our eyes to today’s fraudulent landscape, evidenced by the increasing number of data hacks. It is impossible for us to ignore that an identity platform like Yoti stands to be exploited by the digital underworld.
In order to build the trust and safety of Yoti we need to understand how people may try to game the system. They are likely to exploit loopholes by zig-zagging across national borders, police and legal systems. We are a member of various groups for Identity Document screening and anti-fraud networks. We want to be transparent from the start on how people will be penalised for misuse of the platform. This may deter some opportunists who may not realise, for instance, that a fraud report shared with CIFAS could impact their ability to take out a mobile phone contract. We also want to make it clear of the role we play in terms of determining sanctions on our platform, how we operate with respect to law enforcement, and which bodies we share fraud data with.
If you’re an identity platform – surely you just help people to know who other people are?
Yoti is an identity platform and yes, we do verify identities. However, we are different in that we are one of the first identity providers to provide a consumer focused solution and enable people to share their data with other individuals. For example, if I’m selling a bike second hand or going on a date, with Yoti I can ask the other person to swap verified identity details with me – like their age, gender and a photo to help to recognise them in a public place. Personal details are verified against a government-issued identity document and personal biometrics, so you can be confident that the details shared with you are real. However, we cannot guarantee details about a person’s character. If the other person does not agree to share personal details with you, you can draw your own conclusions as to whether you trust they are who they say they are.
There is an inbuilt deterrent when a person uses Yoti – it reminds people what personal information they are about to share, and afterwards provides a receipt of the transaction which includes the details they shared and who they shared them with. Few criminals will wish to leave an audit trail of meeting someone using their biometric and a verified name from their government-issued identity document. Some however may exploit the confidence built from using the platform and if they do we are prepared for that.
Why do you care if people misuse your platform and how will you know if they do?
Yoti has a clear set of principles:
These core principles help us to stay on track and ensure we do business in the right way. We’re proud to count ourselves as part of the B Corporation network – a group which is only open to those who meet rigorous standards of social performance, accountability and transparency. We often debate ethical issues with our Guardian Council and the issue of how to deal with misuse is one we have debated at length with our Guardians. Minutes of our Guardian Council are published on Yoti.com.
One clear school of thought expressed in our debates was that an identity platform should restrict itself to purely verifying who a person is. However, Yoti has a peer to peer functionality. A criminal may attempt to build the use of Yoti into their modus operandi and lure people to meet in the physical world exploiting the confidence built from exchanging identity details. This was, on balance, deemed to be quite different from the traditional activity of identity platforms with a static database of records. Hence given our community values and as a deterrent, we are laying out that there are clear consequences for misuse of the platform.
Shouldn’t you leave law enforcement to the police and the courts?
We have no intention of replicating any judicial system or authority. There is however an increasing tide of opinion that companies have a responsibility to act in the interests of their users and foot the bill; in the same way that a football stadium pays for local policing. Reviewing information about alleged crimes from different geographies and reviewing those crimes against the UN Charter of Human Rights may not prove to be simple. We envisage that we will need to call upon third parties for expertise.
We have met with a range of civil society organisations – such as Consumers International, Transparency International, Privacy International, Victim Support and Unlock. We are participating in an EU programme looking at ethics framework development across cybersecurity companies with the Compass programme, led by Dr Catherine Flick at De Montfort University. Additionally, we are part of a group of companies prototyping a responsible tech trustmark with Doteveryone.
What kind of a platform is Yoti – trust, reputation or identity?
Yoti is a global identity platform. It is not a reputation system because we do not give people a way to rate others. It is up to a business or an individual to make their decision, based on their judgement and due diligence, as to whether they want to meet up with or work with a person. The data they receive from Yoti may form just part of the picture that enables them to make a decision or trust a person.
Is Yoti a peer to peer, business to business, or business to Government platform?
Right now, Yoti has a consumer and peer to peer focus. However, it clearly offers utility to businesses who wish to check the identity or age of people, and similarly to Governments.
Yoti allows a person to initially set up an identity with just their photo, mobile device and a 5-digit PIN of their choice. They then have the option to add a government-issued identity document, such as a passport or driving licence. Over time they may choose to add additional attributes; such as a bank card or a qualification linked to their digital identity.
Yoti allows a consumer to share data, verified against an official ID document with another individual, without having to pay to access data about themselves through the gateway of a traditional identity provider who has built up databases of electoral roll data, or credit reference data.
Yoti provides new options for peer to peer, online dating and sharing economy platforms. They are able to suggest to their users that they can check out who they are talking to online to give them peace of mind and reassurance. If the site wants, they can also integrate with Yoti and offer the Yoti functionality within their site. Yoti allows businesses from many sectors to request an identity check – which may be a supermarket asking if a person is old enough to buy age restricted goods – for instance a 15+ DVD, alcohol or cigarettes, or a recruitment company screening to check that a person is eligible for a role.
Are you taking a leaf from the community approach of social media companies?
Yoti is not providing content or a messaging platform directly to users. However, once users have swapped details with each other they may choose to meet up in person. So some of the guidelines that have been developed by social media and sharing economy companies are also relevant for our users.
Some social media platforms provide identity ‘authentication’ and allow their login to be used to access other sites (e.g. Facebook or Google login). Yoti can provide biometric login solutions however, unlike social media platforms we do not track what a user is doing from day to day. There is a crucial difference in Yoti’s approach: once a consumer is up and running using the system, and after a period of anti-fraud checks, we do not track what a person is doing on a daily basis. We are not selling a person’s history of preferences or online activity.
So what will you do when you detect fraud or misuse?
Where we detect counterfeiting or fraud we reserve the right to report to the relevant authorities. Where we are alerted to repeated criminal misuse of the platform we reserve the right to ban, suspend or restrict that user to certain Yoti services. We have put together a public facing Misuse Policy which describes what actions we might take and when.
Are you assuming a duty of care for all users, giving them a false sense that they are invincible and when they use Yoti all will go well?
In our messaging to consumers we are careful not to overstate the mark. We are letting people share validated details from a government-issued identity document. Identity documents are not infallible, however. They can be lost, stolen, counterfeit or fraudulently obtained genuine documents.
We can provide a deterrent to fraud, however all the existing guidelines from peer to peer and sharing economy sites still are needed when meeting up with new people: to meet in a public place; know your exit routes; and to let a friend know who you’re meeting. There is no utopian silver bullet to 100% protect ourselves against crime and fraud – we must all continue to use our common sense and remain vigilant.
We have publically stated that we will take action if we have evidence of serious financial or physical harm committed by someone who has used Yoti in order to commit such acts. We do not want to give users a false promise that we actively police use of Yoti outside of the platform when people meet face to face. That would not be possible, but equally, we will not stand by and do nothing if we have strong evidence that Yoti is being used as part of someone’s approach to commit criminal offences. In that sense we are seeking to distinguish ourselves from social media platforms.
What responsibility does Yoti accept to those harmed by another user of Yoti?
Yoti provides a digital identity platform and promises to follow its own processes and checks when someone registers with Yoti. However, beyond that if a Yoti user harms another Yoti user, we have promised to look at strong evidence of this and perhaps ban or block the guilty user. Yoti cannot be held responsible if someone abuses a relationship made via our platform or services and then commits a crime – we simply cannot police it and it is unfair to expect us to or be reliant on us.
With that in mind, and with input from numerous experts (see above), we have created a Misuse Policy which describes our approach to banning or blocking services of those users who misuse Yoti, provided we have strong evidence of this misuse. We think it strikes the right balance between protecting users of Yoti, keeping Yoti safe and respecting the rights of the accused.