Peter Violaris, General Counsel at Yoti, makes the case for changes in the law to allow digital identities on mobile phones for everyday use. Peter explores what current technology allows users to do with their mobiles, what is currently allowed in the UK and what the law does not allow. The blog concludes with a brief criticism of the current law.
What does the technology currently allow?
Mobile technology is advancing at a prodigious rate. As phone hardware and software continue to get better, so does the ability of apps to provide remote digital IDs. Let’s look at three powerful and recent advancements in mobile phone-based remote digital IDs:
The Yoti system is able to store the personal data of its users in a way that even Yoti itself cannot access. This means organisations can request the data they need and no more. It also means users and organisations have assurance that Yoti cannot monetise or use the data in any way.
Once a user’s details are verified, the personal data is separated and stored in different ‘buckets’ in the Yoti back end, and then encrypted. The only way to join together the personal data that has been encrypted and separated is by using the user’s own private key, which lives on the user’s mobile phone. Storing data in this way means that Yoti needs the user’s mobile phone to view the personal data about that user which Yoti is storing.
Most mobile phones have NFC (near-field communication) readers. The Yoti app, and a few others, are able to read the chips in e-passports and eID cards using the NFC reader. The data on the chips is stored cryptographically, so when Yoti reads the chip it can run a cryptographic check, and if any of the data has been tampered with, the check will fail. This gives Yoti full confidence in the data. This system is the same one used by Borders with e-gates and has yet to be defrauded.
Readers familiar with this technology will know that Apple have refused to allow the NFC readers on Apple devices to do this. But Yoti has developed a solution that will allow an Apple iPhone owner to borrow an Android phone from a friend and then securely transfer the data onto their own Apple iPhone (and the data will not remain on the Android phone).
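The tamper check on chip data described above, modelled in simplified form as an added example (it is not Yoti's code and not part of the original post). It assumes the scheme e-passports use, in which the issuer signs a list holding one hash per data group; Ed25519 stands in for the issuer's real signature algorithm, and `SecurityObject`, `Issue` and `Verify` are illustrative names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SecurityObject is a simplified signed hash list: one SHA-256 per data group.
type SecurityObject struct {
	Hashes    [][32]byte
	Signature []byte // issuer's signature over the concatenated hashes
}

// signedBytes returns what the issuer signs: every hash, in order.
func signedBytes(hashes [][32]byte) (out []byte) {
	for _, h := range hashes {
		out = append(out, h[:]...)
	}
	return out
}

// Issue plays the issuing authority: hash each data group, sign the list.
func Issue(key ed25519.PrivateKey, groups [][]byte) (so SecurityObject) {
	for _, g := range groups {
		so.Hashes = append(so.Hashes, sha256.Sum256(g))
	}
	so.Signature = ed25519.Sign(key, signedBytes(so.Hashes))
	return so
}

// Verify plays the reader: check the signature, then every data group read.
func Verify(pub ed25519.PublicKey, so SecurityObject, groups [][]byte) error {
	if !ed25519.Verify(pub, signedBytes(so.Hashes), so.Signature) {
		return fmt.Errorf("signature over hash list is invalid")
	}
	for i, g := range groups {
		if i >= len(so.Hashes) || sha256.Sum256(g) != so.Hashes[i] {
			return fmt.Errorf("data group %d does not match the signed hash list", i+1)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed issuer key pair
	so := Issue(priv, [][]byte{[]byte("constructed MRZ"), []byte("constructed photo")})
	edited := [][]byte{[]byte("constructed MRZ, edited"), []byte("constructed photo")}
	fmt.Println(Verify(pub, so, edited))
}
```

Editing a data group breaks the hash comparison, and rewriting the hash list to match breaks the signature, so a reader that trusts only the issuer's public key catches both.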
Artificial Intelligence now allows age to be estimated to a fairly high degree of accuracy just by looking at a photo of a person. For people who look under the age of 25, Yoti’s age estimation system can estimate age with a mean error of around 2.6 years. When combined with a robust anti-spoofing solution, Yoti’s age estimation technology allows mobile phones to offer a quick, totally anonymous and accurate proof of age solution. Please see the Yoti whitepaper for more detail.
What does UK law currently allow?
So the technology is already impressive, but how can it be used? In certain fields the UK authorities are embracing digital identities and the power they bring. Let’s look at four particularly interesting examples.
The new Right to Remain app is a digital identity solution to check the rights of European citizens after Brexit. It uses the technology described above, reading chipped passports and identity cards using an NFC reader. It is a good example of how technology can provide a relatively low-friction solution to a difficult problem.
The FCA and the JMLSG (two bodies who regulate and give guidance on good practice for KYC checks by the financial sector) have both embraced remote identification checks. The strong growth of fintechs and mobile banking has demanded that ID can be verified remotely, and the law and the regulators have responded appropriately.
The law and the guidance give flexibility on how ID is verified, while making it clear that the financial firms themselves remain liable for ensuring they get this right. Firms have to take a risk-based approach and there are no set rules about what technology can or cannot be used. Firms are required to make their own judgment on the adequacy of the technology. This approach has allowed digital ID solutions to flourish whilst maintaining high standards on KYC identity checks in the important and high value financial services sector.
The government of Jersey and the Improvement Service in Scotland are both embracing the power of the Yoti mobile app to verify the identity of their citizens when accessing government services. This is a relatively inexpensive solution for these governments that will both prevent fraud and make the lives of their citizens easier.
Finally, the ill-fated Gov.Verify programme was a bold approach by the government to enable digital IDs in the public sector. Members of the Gov.Verify programme are able to check IDs submitted by users against the DVLA and Passport Office databases so that the claimed identity can be verified. It is a good idea, but was poorly executed and now it looks like it will be quietly disbanded.
The failure of Gov.Verify was ultimately down to the lack of competition permitted by the government, which has led to poor implementation by the providers. Yoti has not been allowed to apply to enter the programme. The ongoing fear of ID verifiers kept outside of the programme is that the government will allow Gov.Verify to continue to have a monopoly over digital identity checks against the DVLA and the Passport Office, which would continue to stifle competition in the UK’s growing digital identity market. techUK, among others, is recommending that this access is opened up.
What does UK law not currently allow?
In other fields, UK law is a long way behind the available technology. The UK risks being left behind by other countries that are embracing the digital ID, such as the US and Australia. The UK laws were written before digital IDs had the power they have now and are too prescriptive in setting out precisely how identity or proof of age checks should be carried out. This is in contrast to the approach in the financial sector described above.
In England and Wales, the Licensing Act 2003 and the Mandatory Licensing Conditions Order 2014 appear to state that before alcohol is bought, ID with a holographic mark must be checked if that person “appears” under 18 (or under 25 if Challenge 25 is in operation).
Where the retailer considers that a physical check is required, the mandatory condition requirement that a holographic mark must be seen means that neither digital IDs nor accurate age estimation technology can be used, even if the quality of modern fake IDs means that a digital ID is more reliable than physical checks in store.
It is worth noting that online purchases of alcohol do not require an inspection of a physical document at point of sale, nor does the online or offline purchase of cigarettes, vaping products or knives. Alcohol appears to be an anomaly, but given its frequency in shopping baskets, it is a hugely important anomaly. Further, the upcoming enforcement of the Digital Economy Act, which requires age verification before access to online pornography is allowed, will embrace digital proof of age. The BBFC, who is the regulator of these new porn laws, is likely to allow a range of digital checks of ID.
A change in legislation, or at least a statement by the Home Office saying it will not consider the use of digital ID solutions to be in breach of these rules, will go a long way to encouraging mass adoption of digital IDs, bringing all the benefits to society that that entails (for which see this blog).
Another key area where English law is behind is the Right to Rent and Right to Work checks required by the Home Office in England. These require landlords and employers to physically check the ID of all new renters and employees to ensure they have the right to live or work in the UK. It is an attempt to push visa enforcement onto landlords and employers.
The Home Office guidance (but interestingly not the actual law) states that a physical inspection of an ID must be undertaken and does not allow any digital ID to be used. (For reference, the law states that the offence is renting to someone with no rights to reside in the UK, and that the landlord’s only defence is if they physically inspected a document – the law does not mandate a document check). The onus on landlords and agents to ask for and check ID has created a discriminatory environment, as determined by a recent High Court case on the issue.
The acceptance of digital IDs by the Home Office in Right to Rent and Right to Work checks would benefit consumers, who no longer have to carry documents around and are perhaps less likely to be discriminated against if they can quickly prove residency. It would also benefit landlords and employers who would no longer have to do the checks themselves in person, saving paperwork and the time and effort needed to check the documents. Lastly, it would benefit the Home Office because a proper audit of the scheme could be created.
Yoti strongly believes that allowing digital IDs for alcohol age verification, Right to Work checks and Right to Rent checks would turn the UK into a global leader in digital ID solutions and enhance the lives of UK citizens at the same time.
It seems a little counterintuitive that a person can prove their identity to their bank or prove their right to remain in the UK with their mobile, but cannot purchase a bottle of wine with their mobile.
The case for digital identities
As we have seen, the technology is now available for digital IDs to prove identity and age. We have also seen that the Right to Remain app, the financial services sector and some governments are embracing digital IDs. There are also a number of airports and airlines that are either currently trialling digital IDs or planning to in the near future (including some with Yoti).
These are all ‘hard’ use cases that require a high degree of confidence in the verification of the claimed identity. There are also ‘softer’ use cases where the law either requires a lower degree of confidence or doesn’t currently require confidence at all. Some of these ‘softer’ regulatory environments already embrace digital proof of identity, for example gambling, initial coin offerings and cryptocurrency exchanges (though cryptocurrencies will come under the 5th AML Directive and so will be elevated to a ‘harder’ use case).
Further, the law for many age-restricted items has a much more flexible approach to age verification where proof of age using a digital means is accepted, for example cigarettes (though vending machines are not allowed) and energy drinks. And as previously mentioned, the online purchase of alcohol does not require an ID to be checked at the point of sale.
Despite this, the laws regarding the purchase of alcohol in physical stores take a prescriptive approach which is behind the times, and the Home Office have shown no inclination to update them. Worse, the fairly recent Right to Work and Right to Rent laws require physical inspection of documents by people not trained to do so, while not allowing digital checks by technology that could solve this problem quickly.