Digital Identity: Interview with IDWorks CTO, Ankur Banerjee

June 25, 2020
|
Ankur Banerjee

Personal identity information collection, storage, how it is used and by whom, has come to prominence in recent months as government’s have grappled with how to track and trace the spread of a virus, protecting both people and economies. Centralized versus decentralized? Privacy versus transparency? As the debate continues, Ankur Banerjee of digital identity specialist IDWorks, shares his thoughts.

Who are IDWorks?

We are a London-based start-up with a mission to radically transform the way digital identity of customers is handled by companies.

IDWorks want to make a world possible without passwords and without fraud, where data can be trusted because it is verified, and organisations can be trusted because they have trusted signatures. We believe this can be achieved using an innovative new global standard called decentralised identity.

We are building an entire suite of products that can help an individual store information about themselves in apps they already have, from companies they trust.

As well as enterprise-grade and highly scalable software products that can be easily, cheaply, and rapidly deployed by companies to receive these digitally signed and portable pieces of information from customers and verify that these are untampered and accurate.

Right now, an individual can have credit or debit cards from any bank and use it to spend at any supported storefront. What makes us different from other companies in this space is that our product suite will allow companies and individuals to interact with ANY decentralised identity network.

We see this mission having similarities to how Stripe have revolutionised the payments industry by enabling companies to accept any kind of card with a few lines of code.

I often describe this mission statement as “IDWorks will be the Stripe of digital identity” the scope and ambition of our mission statement.

What is decentralised identity?

Decentralised identity often gets confused for “personal details stored on a blockchain, that becomes a single source of truth”. Let me be very clear: doing this, like some companies in the market are, is a VERY BAD idea.

Storing personal details on a blockchain means those details cannot be deleted or removed in the future, and fundamentally takes away many data privacy rights that individuals have. IDWorks’ product suite is built from the ground-up to embrace emerging standards, while maintaining privacy and security. We don’t store any personal details on blockchain.

What does this mean to an individual, like me?  

Think of it like your wallet or purse. You probably have multiple plastic cards such as a driver’s license, maybe an employee badge, a couple of credit or debit cards.

All of these typically have security features on them, such as a hologram, a barcode, ultraviolet light features etc.

Say you then go to bank to open a new account. A bank would then ask to see a form of ID and verify what’s presented to them from a physical ID document by comparing the security features to well-known standards for what these security elements look like to check the document is untampered.

Decentralised identity is very much like that example of physical document, except it’s all done online.

Individuals can be issued tamper-proof files by organisations they have a relationship with. For example, as a customer or an employee. That they can store safely on their mobile phone, on their laptop, or on paper which contains their information.

These files can be securely backed up and recoverable, say, if they lose their phone.

So, my data is safe and I’m in control of my personal data?

Yes. The individual, in this case you, has complete control over being able to show these details to some other organisation when they need to, and transparently understand what data and which organisations have access to this data.

It is also much simpler for the individual than having to fill out rows and rows of web forms with the same information over and over again whenever they try to sign up for new accounts on apps and online services.

And for companies, there are many registries online where they can publish what their security features (digital signatures look like). This is typically stored on blockchains which makes it extremely resilient to censorship and tampering.

And there’s more! These identities can be issued not just for individuals, but for companies, pets, objects, packages. Ultimately, digital identity underpins everything that is the beating heart and arteries of online services – and decentralised identity will be massively transformative in how these function in the future.

IDWorks provides the software glue that ties all of this together into a simple and easy-to-use package for companies to provide to their customers.

Why is decentralised better than centralised?

Companies currently store individuals’ information in big, centralised database is because this was the easiest way to ensure they have access to all the data and keep it secure. Until now.

This results in our information, as an individual, stored in many different centralised databases owned by different companies. Think your Facebook account, your bank account, your TikTok, your online shopping services, your travel tickets etc – all locked away in databases and entirely fragmented.

Transferring this digital information right now is difficult.

Any company wanting access to another company’s database needs to individually build 1:1 links. This becomes very complex and expensive. Or use a data aggregator, like say, Equifax or Facebook.

The first kind of link doesn’t scale very well either in technology or in logistical terms.

The second is terrible in terms of data control and privacy for an individual. Why do I need to give a company like Facebook all of my information, just to be able to transfer it somewhere else? These data brokers also exert a lot of power, extorting high fees from any company that needs access.

One way to think of decentralised is that it “centralises” the information directly in the hands of an individual, rather that it being fragmented in many different centralised systems. Logically, this gives the individual more control while also making logistics easier for companies in getting data provided directly to them, which eliminates a lot of inefficiencies and fraud.

Where do you see the greatest potential decentralised identity?

I see a couple of different use cases, with different pain points, that show the greatest promise:

1. Long, complex forms with lots of information that need to be verified to a high degree of certainty.

Examples of this are opening bank accounts, mortgages, investor anti-money laundering checks, insurance claims, healthcare records, employee background checks, visas for international travel etc.

Any use case with well-known regulations is a prime example, because companies spend resources and incur cost – and for an individual is painful to collate the right kind of information together from many different sources.

2. Short, quick interactions where some fact about an individual, needs to be checked quickly

Examples of this include getting your ID checked for restricted products at a supermarket, picking up a parcel from a post office, building control access, music festival passes, travel discount cards on public transport, and so on.

These are scenarios where an individual might typically flash their driving license or a physical document for a quick check. For companies, their risk in these interactions is that enforcement of these checks is very inconsistent and could result in fraud. This is also a market that is extremely price sensitive with tight margins, and where speed is massively valued.

In both these contexts, decentralised identity solves pain points for both customers as well as companies, from speed, efficiency, cost. It will capture market share in contexts where digital ID checks are already in place, and vastly expand the market in industries where such checks are not yet commonplace.

Is it expensive for a business to move to a decentralised model?

It’s a common misconception that businesses will need to entirely scrap their existing identity software to adopt decentralised identity. Far from it! There will still be a place for existing IT systems and software that businesses already in place, as well as existing customer relationship management record systems.

This could because of regulations – a financial services company does need to hold on to customer information – or more often because companies DO need to hold information about a customer to provide the services they do.

Decentralised identity thus sits in addition to, rather than replacing, centralised systems entirely. It acts as a handy virtual wallet that allows individuals to hold on a copy for themselves.

A good example is a driving license: you have a physical copy, but the driving license agency also has a digital copy they store in their own database. A digital copy issued and controlled by the individual then becomes easy way for them to safely share that information to other companies. They also allow companies to hold less information than they normally would if the regulations allow and thus reduce their exposure to risks presented by potential data breaches.

What value is there for the consumer, so you or me?

We, as users of the internet, are stuck in this perpetual hell of having to fill the same information over and over again, every time we sign up for a new service, or having to compromise and give up rights to our data being aggregated by shadowy data brokers.

At a very basic level, what I care most about as a consumer is that I wouldn’t need to deal with manually entering information and the admin hassle of collecting random copies of paper documents. That’s a very powerful proposition.

Consumers are also increasingly vocal and aware of how their data is being collected and used. Many organisations have been moving to “mobile-first, digital-only” services and being able provide consumers transparent assurances of how their data is used removes another layer anxiety for us on how our data is used.

How do I know my data is safe?

The standards IDWorks builds its software on is determined by international non-profit bodies, to which we ourselves contribute and collaborate on. Part of this is extremely strong cryptographic techniques on assuring issuing organisation signatures can’t be tampered. When stored on a phone or laptop, these can be stored encrypted directly in the secure chips on the device – the same secure chips where biometrics and payment information is stored on these devices.

The security of what’s offered on mobile devices has been tested in very public cases where even law enforcement agencies have tried to break into phones and have been unable to do so. As long as these devices are protected either with biometrics or strong passcodes, the data stored is incredibly safe from opportunistic hackers.

Contrast this with the constant stream of data breaches that have happened – it’s a question of when, not if, a company will be breached. There’s a useful public data breach service run by reputable cybersecurity researchers that can show what known breaches your data has been leaked in. It’s always eye-opening to look at: https://haveibeenpwned.com/

“Centralising” the data directly with the individual means it’s that much harder for bad actors to collect personal information en masse. IDWorks doesn’t itself have an app or store data for companies. We build the software toolkits that companies need to integrate this innovative functionality into their own apps. As a consumer, you would interact still directly with the companies you choose to have a relationship with.

I strongly believe in ensuring the products that we build at IDWorks are secure as well as interoperable, and welcome working with industry partners to constructive collaboration for secure standards.

Lastly, what is the outlook for IDWorks in 2020?

I’m particularly excited over the next few months at IDWorks about our plans for building a radically new way of making commercially viable decentralised identity not just for us, but organisations in the identity ecosystem as well. I believe the way we are tackling this will be fundamentally different due to new intellectual property we are creating within the company.

Our roadmap for this year is also full of complex engineering to ensure our product suite can offer even better interoperability to companies and users. I’d love for this software to reach more users and make a small and measurable improvements in their life. We want digital identity to be so seamless that individuals don’t even have think or be anxious about it, secure in the knowledge they can trust their data is kept safe.

Lastly, I’m excited about an exciting range of new use cases and companies we have planned partnerships coming up with – stay tuned and get in touch with us!

Media Contact: Louisa Bartoszek

BACK TO NEWSROOM