Facebook’s data fiasco, Wells Fargo’s fake account scandal, the Equifax breach and the onset of the European Union’s General Data Protection Regulation (GDPR): With topics like these dominating headlines, it’s no wonder everyone is thinking about digital identity.
A person’s virtual footprint can affect the ads they see, the digital service they receive, the credit they can access and their ability to buy and sell in digital spaces. So, naturally, many consumers are starting to want greater control over the data that shapes that footprint – and authorities in places like the EU and, now, Mexico are responding with regulations like GDPR and the Federal Data Protection Law.
In spirit, GDPR and similar regulations appear to have consumers’ interests at heart, but some worry that, depending on how consumers respond once GDPR fully takes effect, such regulations could actually end up working against them. Socure co-founder Johnny Ayers is one of them.
GDPR will give consumers the right to be forgotten, also referred to as the right to data erasure. This lets them take back their data from organizations with which they’ve done business so that nothing sensitive or identifying can be stored in that organization’s system.
If that were all there was to it, then GDPR might be a no-brainer. But without that data, Ayers said, organizations may find themselves severely crippled in terms of their ability to conduct know-your-customer (KYC) processes and defend the very same consumers that they’re trying to protect against identity fraud.
“In the private sector,” said Ayers, “you have no control over these regulatory concerns, but they can reshape entire industries and have massive unintended consequences.”
Historic Models Without History
It has become standard operating procedure for many organizations to lean on artificial intelligence and machine learning to catch suspicious interactions before fraudsters can strike. But the machine learning models that are trusted with their company’s security (and that of its customers) are created and trained using historical, ground-truth data.
“It’s very hard to build models using historical, ground-truth data if that data has to be deleted,” Ayers said. He emphasized that, in the aftermath of the Equifax breach alone, “at least twice a day on calls I’m being told that identity theft rates have doubled in Q1. Can you imagine the consumer pain if all fraud companies could not use historical data anymore to train their fraud prediction models?”
The right to erasure could also give fraudsters the tools to cover their tracks, he said, or to erase legitimate customer data that they’ve stolen before using those identities to perpetrate attacks. Without any historic data on how a real customer interacts or has previously behaved, the system won’t be able to tell that something is amiss without extreme customer friction, he said.
The trove of stolen identities available to criminals grows with every data breach, and Ayers said these identities are already being used for nefarious purposes today — foreshadowing the very real possibility that this forest could get darker before it gets brighter.
The Many Hats of Digital Identity
A person’s digital identity is used to identify someone online from a variety of inputs, and to authenticate that the identified user truly is who he or she appears to be. It also plays a major role in personalizing the delivery of services, ensuring that customers get offers for appropriate solutions and product recommendations that are different from what others may want.
Using a credit card application as an example, Socure comes into play after the customer has been attracted to the company and after the company has agreed to issue her a $100,000 line of credit, but before the line is actually issued.
At that point, said Ayers, the lender pulls data from credit files, ensuring that the name and address provided match the information in the file. They look at the device being used and the number of times the customer’s Social Security number has been used to open credit card accounts in the last X number of days.
Meanwhile, Socure pulls data from hundreds of traditional and non-traditional sources (i.e., email, phone, social media and IP address).
Using the combined identity intelligence from these methods and machine learning, a decision is made not only to extend the loan to the majority of good consumers, but also on which actions to take for further authentication of potentially risky applicants (sending a letter, asking security questions or sending a one-time password, for example) and which limits should be set on data transactions or check deposits.
In short, said Ayers, there are many operational controls where people are using more digital identity elements than ever before to determine downstream operational risks. Giving people the option to erase those data elements could, if widely utilized, leave companies with very little to work with, potentially making the problem, for both consumers and companies, worse instead of better.