Future of Identity and getting there

We were recently interviewed by an organisation researching trends in identity. In this blog we publish the questions they asked, and the answers we gave.

Mydex CIC (Mydex)
16 min read · Apr 25, 2018


Tell us a bit about the reason behind your decision to register a data protection company as a CIC — it’s not very common!

For background purposes, the following is a brief description of the Mydex platform.

  • Mydex is designed to the highest data security standards. The entire company has ISO 27001 and FairData accreditation.
  • Mydex is a ‘zero knowledge platform’. That means it cannot see the data it holds on behalf of its individual users. Each user has their own encryption key (like a bank card PIN number).
  • The resulting database is not a honeypot for hackers: with traditional databases, one hack can access a million users’ data. With the Mydex data architecture, the hacker would have to conduct a million hacks to access the same amount of data.
  • Mydex does not make money from the individual’s data. It is not financially incentivised to monetise the data it handles: it makes its money by charging for data services — enabling organisations to connect to the individual’s data store.
  • Mydex does not use the data to provide specific services. It is a specialist neutral platform designed for, and focused only on, protecting individuals’ data and enabling safe, permissioned data sharing/portability. Other specialist users access individuals’ data to provide specialist services.
  • Mydex is a Community Interest Company whose social purpose is to empower individuals with their own data. This social purpose, rather than profit maximisation, drives its decision-making: it has transparent purposes that both individuals and data controllers can see, understand and trust.
  • It is nevertheless financially viable and will be profitable because, as more organisations connect to an individual’s data store, its revenue streams multiply faster than costs.
  • Mydex is already live and fully working.
  • As one of the first participants in the UK Government’s Verify identity programme, it is designed to and capable of serving the entire UK population. It operates at scale.

We chose CIC status for strategic reasons. Long term, we believe citizens have to be able to trust how their data is collected and used, which in turn means the organisations that help them manage their data have to be trustworthy. By adopting CIC status we are attempting to be, and to publicly signal, ‘trustworthy by design’.

So, for example, the fact that we are legally asset and mission locked — committed to working for individuals and them alone — impacts every aspect of decision-making (we are not tempted to venture into other areas, and we do not recruit people who do). And it is a lasting reassurance to all who use our services: both individuals and organisations.

None of the other legal forms we looked at supported the model we needed. We wanted the organisation to be independent of outside pressure, which means it has to be financially sustainable, able to self-fund and able to take investment from those committed to our mission and purpose. At the same time, we did not want monetisation/profit maximisation to crowd out our core purpose of empowering individuals with their data and enabling a trust-based data economy to emerge.

Being a CIC enables us to kill both birds at the same time: that is, being independent and beholden to no outside interests, and not having investors breathing down our necks to maximise profits.

We need to provide reassurance, and demonstrable evidence that we are here for the long term and not able to sell out to someone who is not aligned to our mission.

A community interest company is all about serving a community. Ours is massive. It is all human beings. See our community interest statement.

Tell us a bit about the kind of clients who work with you. Do people need convincing about your mission?

We work across all sectors, public, private, third and fourth sectors. We work with all sizes of organisation: global, national, regional, SMEs and start-ups. More and more, we work with organisations working together in clusters who are serving a common cohort of citizens or individuals such as in local health and social care where you have national services, regional institutions from the public sector and third sector organisations working with citizens.

There are two things that take time.

1) Understanding what a person centred approach to identity and data exchange really means. Putting the person at the centre of things is logical but it is also very far from the default way of working today, which is organisation centric. There is lots of talk about being customer centric, citizen centric, patient centric, but almost invariably this is taken to mean ‘understanding customer needs and looking at things from the customer’s point of view in their dealings with this particular organisation’ and not ‘understanding the needs of the individual having to deal with many different organisations in order to get something done.’ Each separate organisation tends to see this broader perspective (of individuals having to deal with many different organisations) as ‘not my problem’.

The result is that ‘customer/citizen/patient centric’ often boils down to little more than apps and portals run by organisations within a limited range of use cases aligned to their business or service interests. This leaves the individual isolated, with fragmented data, and with real challenges and effort in coordinating and synchronising different organisations’ inputs to get things done.

This is precisely the problem Mydex addresses — a problem ignored by almost every organisation.

2) Understanding what Mydex, as a community interest company, is and why it is different from commercial vendors, state actors or charities. We are mission led and that mission is the empowerment of individuals. We work for them. At the same time, by equipping and enabling individuals to work with any organisation in any sector on anything they need, we are an enabler that greatly benefits organisations too: making transactions safe and secure, removing risk, friction and effort for both sides.

By enabling individuals to build ever richer stores of information about themselves and their lives (for example, from keeping a record of their dealings with many different organisations) we enable both the individual and the organisations they deal with to gain greater insight and understanding about how the world around them uses their identity and, critically, the data about them and their lives, and we give them the means of controlling that.

There are lots of commercial organisations who make similar claims, but they do not have the legal structure or asset and mission lock. Also, they make money from the identity and data about the people they say they serve — their incentives are not 100% aligned to serving the individual. Mydex is not involved in personal data. Yes, we help individuals collect it, receive it, store it, use it and share it, but we never see this data and we cannot access this data. In addition, we do not make money from the data: we make money from providing the data services just described. (This is a fundamental difference in incentive structure that most people still miss.)

Other organisations charge citizens for their services. We don’t. It really is free for them. There is no trade off. We charge organisations a small annual fee to connect to the individuals they wish to exchange information with, or whose identity they wish to rely on. Our goal is sustainability over the long term: as a CIC we reinvest 65% of any surplus we make into our social purpose and mission. That is not optional. It is part of the legal commitment you make when you become a CIC. There are many who think this is mad but we know it makes sense.

One of the big issues that most identity systems have is the lack of security when it comes to interoperability and data sharing with other apps or systems. We look at data breaches, for example. Like many other systems, India’s national biometric programme Aadhaar has also been susceptible to this — repeatedly in fact. What are your security protocols to prevent things like breaches from happening?

Everything Mydex does is encrypted to the highest available standards, including data transmission as well as storage.

On top of this, Mydex’s data architecture is designed to minimise incentives for hackers. Each individual’s personal data store is a standalone data store and is individually encrypted (with only the individual holding the encryption key, so that not even Mydex can look inside it). This means that for a hacker to get a million individuals’ data they would have to conduct a million separate hacks. (Whereas, under current data architectures, one successful hack can access a million individuals’ data in one go.) Since many hacks include an element of social engineering, our distributed approach also prevents such an approach from being carried out in any practical manner.

On top of this, many security breaches arise from organisations’ lax processes (including poorly trained or dishonest staff). But because every individual is in direct control of their own data, this vector of attack is also closed off.

There is an important point here. Security is not just a technology issue. It is a system design issue too. Mydex is designing a safer system, not just a safer service. This is one of the reasons why we have always sought and obtained external certification for our information security management system, company wide, under ISO 27001 and FairData.

We are very interested in how governments are taking steps to provide citizens control over the data they hand over. What should governments be thinking about if they want to build ID systems that are robust enough to satisfy your requirements as a partner or client? What should they be thinking about in future?

Before we answer this question we need to clarify a point about identity. It’s a common (and wrong) assumption in the identity world that organisations ‘give’ individuals an identity, which comes as a single thing (‘an identity’). In fact, identities are made up (to varying degrees of certainty) by accumulating a range of different verified attributes. We help individuals create identities they can use with many different organisations, by securely collecting and using multiple different combinations of verified attributes. (For example, one contributor to an identity may be a verified attribute of ‘driving licence’ or ‘passport’. But if an individual does not have a driving licence or passport, we help them gather and use other forms of evidence.)

We think it is easier and more accurate to think of identity as a use case of verified attributes about you as an individual. Different organisations’ processes and transactions need different levels of proof from the evidence a person holds.

We don’t think Governments should build ID systems. We think the individual should control their identity. Governments should enable economy/society wide ID systems by

  • making the evidence they hold about individuals available to those individuals in an unimpeachable format, so that the individual can hold a certified copy of it;
  • encouraging all organisations to accept the identities created by individuals in standardised ways, so that individuals use these verified attributes, combining them where and when they need to prove their identity or entitlement, to whatever level is required.

We have built a platform to enable individuals to do just that. Using this platform individuals can connect into any identity or data ecosystem they need to. The Government is an attribute provider and relying party not an identity provider.

We have to face realities of the modern world which are both good and bad (with most scenarios placed on a spectrum between the two).

  • Populations are mobile. People travel the world. They need to carry their life with them and not be dependent on a state actor or commercial company whose boundaries are limited and whose mission may change at any time.
  • People are dispossessed, lose their country, become refugees and states fall. These people need to be able to prove who they are and secure work based on their qualifications, experience and skills when they move to new countries. Making their life, their identity and their proofs of claim portable reduces the risks of harm and deprivation.
  • Data protection, privacy, cyber threats, identity theft and fraud are growing rapidly because the organisation / state centric approach creates a honey pot for fraudsters and criminals. Too much data, biometrics and identity evidence in one place means a breach can be catastrophic for millions or billions of people. We have created an environment that distributes identity and data back to the individual. Only they can control access to it. The security model is distributed, the threat vectors diffused (as explained above).

How do you ensure that the voice of the minority user is always heard in your work?

With Mydex, there are no ‘majorities’ or ‘minorities’: the platform is designed to empower all individuals with their own data. As described above, our approach to identity side-steps processes which exclude some minorities because they don’t have the ‘correct’ information to hand, and is specifically designed to help such ‘thin file’ individuals: including refugees, the homeless, people leaving prison, children’s homes etc.

We have learnt through our work with some of the most vulnerable people in society that not everyone can be enabled overnight; that we are on a journey. We focus on helping everyone by addressing issues such as friction, trust, proof of entitlement and reducing effort for everyone.

We are constantly looking at how we can help the largest number of individuals as quickly as possible. We have found that if you address 80% of the common, core issues that routinely arise, this releases resources to work more intensively on the 20% of issues that are more difficult. We are involved in many projects helping homeless people, those suffering significant poverty challenges and those seeking access to services they are entitled to but access is difficult because of friction and complexity.

What are the key issues in the online identity, privacy and data control space that you see as needing more discussion today? Are there any simple things all institutions should be implementing, especially with GDPR in Europe?

Two general issues:

  1. the fact that the organisation-centric assumption is a strategic dead-end for a digital economy,
  2. the fact that most of those involved in this debate are wrongly focused on ‘monetisation’ as opposed to utility — using data to get more, better stuff done quicker, easier, cheaper and safer.

These two general issues mean that huge amounts of time, energy and effort are being wasted on wild goose chases.

On top of this, the other key practical issues are:

  • Interoperability — We need to work with the world as it is today. We have many sectors and systems using diverse protocols. It’s simply not feasible to create one universal standard to rule them all. So interoperability between different protocols is a key challenge. Agreeing protocols and standards to enable an open market, lowering the cost of involvement and making access easier are all desirable goals, but to achieve them in today’s circumstances we need interoperability at the data layer. That means being able to map between different data models and being able to map between the protocols in use in one domain and those in another. We see this issue all of the time. It confirms our belief that making the individual the point of integration of their data is the fastest way to interoperability. Normalising around enabling individuals to collect and use their own data is a technical challenge: repurposing via APIs that can support different protocols. Ensuring trust between one ecosystem and another is an important part of this.
  • Portability — Making data flow is paramount for the success of society, the digital ecosystem and the economy as a whole, whether for public, private, third or fourth sector purposes. Ensuring data is structured in a way that delivers maximum flexibility means thinking about it at a new level, such as ensuring there is no more combining of different pieces of information into one data field, e.g. a description line of a transaction with location, vendor and category all in one field. This is done at best for the purposes of presentation, at worst to make it unusable by others. Presentation is a different layer. For digital ecosystems to work, for APIs, algorithms and services to make use of data, we need to transmit the metadata — the data about the data — along with the data. And that data needs to be structured so we avoid the problems of narrow thinking that all too often occur when data models are designed for a single purpose.
  • Adaptability — We need to make sure that data, its provenance, and the trust and confidence about it can be adapted and applied to uses not foreseen by the original attribute provider. This means stripping out the liability models of yesteryear and ensuring that the data carries trust with it as a matter of course. We need simple solutions that enable attribute providers to state unimpeachably that they provided the data using one or more processes. This allows the individual and relying party to understand the quality and reliability of the data and make their own risk-based decisions about how it is to be used in their own transactions and services. This only makes digital what happens today. These solutions have existed for decades, based on cryptographic techniques that are tried and tested; the recent surge of interest in things like block and transaction chains and hashgraphs is just an alternative means of doing what can already be done. If we do not do this then we will see another ten years of the digital economy held back by the “liability model” defence, which has led those with data that could unlock the digital economy and make life easier to resist making it available for fear of commercial and legal liabilities. GDPR and Payment Services Directive 2 now make that argument redundant. For those organisations who make a living out of providing data verification and identity verification services, the future is still open to them through access to new data sources and new extended verification services that go beyond the probability % model of something being true to being able to say: here is validated data from multiple sources, with digital certificates to prove it.
  • Person centred model — Putting the individual in the centre, equipped and able to play an active part in building, controlling and distributing their identity and personal data, is simply common sense no matter who you speak to. What was missing were the tools and personal agents to make it happen. This is not about adding to the workload of individuals; it is about reducing it, removing friction, effort and risk for them and for all those relying parties who need to be able rapidly to establish trust and confidence about the individual: their status, their needs, their entitlements and, if they want to call it identity, so be it, but basically it is about enough trustworthy evidence to complete a transaction or provide a service. For all the technology in people’s hands we have failed to provide them with agency or the means to be an active participant: we still ask them to fill in forms, or to allow organisations to access data held about them with each other, and that makes it manual, time consuming and complex for people to get in the door and get things done. Duplication of effort time and again is killing satisfaction, efficiency and the security of the digital economy. By integrating around the individual we solve all of those tricky issues in one go.

Simply making it possible for individuals to collect and maintain a certified copy of the evidence that underpins their identity and other claims they may wish to make is common sense: it boosts the economy, it reduces risk, increases trust and strips out billions in cost for everyone.

How do you define identity for the purposes of getting a Mydex Personal Data Store? What if a person prefers to be anonymous or chooses to use a pseudonym online? Where is the line between what you as Mydex need to know and what a person wants to share?

  • The platform was built with privacy by design in mind, ensuring GDPR compliance and placing the individual in control.
  • Individuals create their MydexID. Mydex itself only holds an email address for the purpose of service support (password reset, service notification).
  • There is no requirement for their MydexID to be their real name; it can be anything they want it to be.
  • The email address they provide is used only to send a service notification or password reset.
  • As Mydex, we know very, very little about our users beyond the fact that someone has a personal data store (PDS) under a specific MydexID that is linked to an email address. What they store in their PDS, where they get the data from, or who they share it with may be managed by the platform services, but Mydex has no sight of the connections made. We are zero knowledge.

We are not involved in any relationship or transaction they undertake. We provide a platform that enables an individual to share what data they wish in whatever context they wish with whomever they wish to share it with. We cannot track it, log it or intercept it in any way. All traffic is encrypted by them using unique one time keys.

Anonymity — We believe that if an individual simply wants to share a proof of claim or entitlement they should be able to do that without needing to identify themselves in any other way. A good example is age verification coming into law for age related products and services online. People need to say, for example, I am over 18 but they do not want to say who they are as a person or hand over their date of birth — just that they are over 18. We provide the means for them to serve up a verified age without having to reveal who they are. But the service provider knows that the person providing the evidence is in control of a verified identity and credential so they get what they need without getting any more than they need. This is 100% in line with regulations and compliance obligations relating to data minimisation, for example.

There are many examples where individuals want to provide proof of claims as a gateway to something they are entitled to and where they may want to provide further information or reveal more about themselves in a way that is trusted and seamless. Our approach works just as well here. We enable individuals to provide the proof of claim and then automatically deliver the other data required without having to fill out any forms or require the service provider to spend time and money verifying the information provided (because it is already verified). Examples of this are: proving that you have qualifications; experience for a job application; proving your entitlement for, say, a specific state benefit that will give you access to specific services; proving you have a valid driving licence, work permit or a no-claims bonus. The list is endless. It is all about verified data. Identity is just one use-case in an ocean of requirements for trusted data about individuals and their lives.

One of the emerging and potentially bigger issues we see for many is about enabling the sharing and use of data linked to pseudonyms rather than identifiable individuals. Of course we can enable someone to say they are “The Mystery Man”, but relying parties (organisations and other individuals) need to be able to accept and trust that there is a real person standing behind “The Mystery Man”. We believe there is huge potential here for a) data protection and b) innovative, low-risk services.
