Digital identity by experience. José María Anguiano

With the surge in digital relations we are faced with identifications between unknown absentees that are not easily verifiable.

Although the term identity is frequently used, it is not easy to conceptualise. To identify is to link someone with personal details that are recorded in a registry endowed with a certain official status, so that consequences of any kind can be attributed or allocated to the person who is linked to those details. When the identification is the result of a face-to-face experience, it is clear that the identity is achieved by experience. If you see on various occasions a person with a specific morphology and he claims to be called Peter, you end up linking the name Peter with that specific morphology or, if you prefer, with that appearance. This connection has undeniable legal significance. To deny this link when it has an official reflection is sterile.

Years ago, working for the government of the Principality of Andorra, I was surprised that evidence of identity was obtained from the testimony of those who knew the subject being identified. The Principality identified people by asking the neighbours of said person’s ‘parish’ if that person was who they said they were. The foregoing leads us to an initial and important conclusion: genuine identification is always by experience. However, the procedure is only useful in small communities, when the identity is well-known and agreed upon by those who have a previous knowledge of the identified person.

When communities are larger and someone’s identity is not well-known, other procedures are used to identify strangers. Which? By showing a document with personal details or an ID card. This document, which has measures that prevent or hinder its forgery and includes the photograph of its holder, can be displayed so that parties can check that the person who displays it bears a reasonable resemblance to the photograph that appears on it and, in this way, link that particular individual with the personal details recorded in the aforementioned official registry. A positive identification of the person who displays it is sufficient to presume said person’s identity and to assign them the legal consequences of all kinds which, in accordance with the law, are applicable thereto.

On the other hand, the peaceful acceptance by the identified person of the mentioned legal consequences strengthens their identity. If every time I meet Pedro, I address him by his name, I ask him for something and he gives it to me, my identification is backed by the acts of the identified person who assumes it to be true.

When the identification is between absentees, things get complicated. The process of comparison or verification referred to above is no longer possible. Even if the person who identifies themselves remotely shows me a document with their personal details, I do not know if the document provided corresponds to the individual who is identifying themselves. Moreover, I also do not know if this document is genuine or if it is a simple copy that said person has obtained. We are facing identification processes between unknown absentees where any type of comparison is impossible, for the simple reason that it is not possible to verify the declaration (referral) of the person being identified against previous experience.

For this reason, the identification properties of technologies based on asymmetric key cryptography are only effective when the attribution of a private key to a person occurs after they have appeared and exhibited their corresponding identification documents. Only then does the assignment of the private key have identifying force. Furthermore, as mentioned above, the entire robustness of the procedure is based on the non-transferability of the key. If the key is transferred, whether consensually or not, we are facing cases of ‘identity fraud’.

With the surge in on-line relations we are faced with identifications between unknown absentees. These identifications are not easily verifiable. The alleged identity is merely a statement by the person on the other end of the line. Thus, we can conclude that we are facing a scenario full of uncertainty; not because the contracting is performed on-line, but because it is difficult to identify an unknown person. In these cases, the identification process will depend on the good will of the person being identified and on the truthfulness of their statements.

It is common to use signature procedures based on successfully overcoming a challenge. An operation code is sent to the terminal assigned to a mobile phone number (for personal and private use), and the party that generated and sent the code to the signatory checks that it has been entered correctly. To overcome the challenge, a telephone number is used that is uniquely and exclusively assigned (no two people are assigned the same telephone number). Moreover, as mobile telephony has become a powerful communication tool, nobody wants this number to change. For this reason, consumers who own telephone lines are endowed with rights such as the right to portability when they want to change operators. Thus, they can change operators without losing their assigned number and, therefore, without the communication inconveniences that arise when potential interlocutors do not know their new number. These characteristics mean that sending challenges to mobile phone numbers has an important identification component.

This procedure is valid when the telephone number of the person being identified is known beforehand. When it is not, as is the case here, where we are dealing with identification between unknown absentees, the success of the identification depends on the veracity of the statements of those identified. The problem with consumer financing, especially when it is between absentees, is that the person identified is unknown.

The solution is to check the veracity of these statements. For this reason, at Logalty we have decided to establish a federated identity procedure based on transactional experience. Taking advantage of the fact that for years we have been acting as intermediaries in the transactions undertaken by our clients and the contracts derived therefrom, we have a history of transactions with people linked to specific telephone numbers. If no incidents are reported and the experience is recurrent, we have valuable information for identification procedures. A prior and instantaneous enquiry before carrying out the transaction would suffice, in which a query would be put to a common file governed by a regulation of use approved by the Spanish Data Protection Agency, the legitimacy of which would rest on the prevention of and fight against fraud due to identity theft. Thus, to include an individual in this file it would suffice to forward a notification to the person in question indicating that they are to be included in this file. In this manner, consumer finance institutions would have a powerful tool to tackle the increasing number of cases of fraud by identity theft.
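
An added sketch, not Logalty's code and not part of the original article, of the two checks described above: the challenge sent to a phone number proves only control of that number, while the prior query to a shared history file is what corroborates the link between person and number. The record layout, the thresholds, the keyed hashing of identifiers and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300         # assumed validity window in seconds
MIN_TRANSACTIONS = 3  # assumed threshold for "recurrent" experience
PEPPER = b"constructed-demo-secret"  # constructed value, for the demo only

def pair_key(person_id, phone):
    """Keyed hash of the (person, number) pair; no raw identifiers stored."""
    msg = f"{person_id}|{phone}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()

class Challenge:
    """One operation code for a phone number: expiring, 3 tries, single use."""
    def __init__(self, phone, now=None):
        self.phone = phone
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.expires = (time.time() if now is None else now) + OTP_TTL
        self.tries_left = 3

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.tries_left <= 0 or now > self.expires:
            return False
        self.tries_left -= 1
        ok = hmac.compare_digest(self.code.encode(), submitted.encode())
        if ok:
            self.tries_left = 0  # a correct code cannot be replayed
        return ok

# Constructed sample of the shared history file, keyed by pair_key().
HISTORY = {
    pair_key("ID-A", "+34600000001"): {"transactions": 7, "incidents": 0},
    pair_key("ID-B", "+34600000002"): {"transactions": 4, "incidents": 1},
}

def assess(person_id, phone, otp_ok):
    """Combine the challenge result with the prior query to the history file."""
    if not otp_ok:
        return "rejected"
    record = HISTORY.get(pair_key(person_id, phone))
    if record is None:
        return "possession-only"  # number answers; the identity is only a claim
    if record["incidents"] > 0:
        return "flagged"
    if record["transactions"] >= MIN_TRANSACTIONS:
        return "corroborated"
    return "possession-only"
```

A correct code for a number that has no history with the claimed person yields `possession-only`, which is the case of identification between unknown absentees that the article describes.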

José María Anguiano
Vice President of Logalty