
Trust is a currency when it comes to online transactions, and digital verification systems are becoming more common in a world where online customers and organisations both want greater certainty. These verification platforms offer increased security in some senses, but the reality is that any platform that asks users to provide biometric data should be carefully considered.
In this post, we dig into where we’re seeing digital verification crop up, what benefits these platforms offer, as well as the questions you should be asking before implementing these systems in your organisation.
Digital verification broadly refers to the process of confirming that a person is who they say they are (or at least that they appear to match their government-issued identification) using digital means. There are a host of platforms that allow organisations to check people’s identity, usually by the person first submitting a photo of their government-issued ID and then submitting multiple biometric images (often their face from multiple angles).
The goal of these platforms is to increase trust by establishing that the person interacting digitally is who they claim to be. This can reduce the risk of fraud and unauthorised access in the absence of face-to-face interaction.
If you’re unsure if you’ve seen digital ID verification in action, you don’t need to look any further than LinkedIn to find a common example. LinkedIn’s verification system relies on digital ID verification.
Beyond social media, we’re seeing these verification methods pop up across various sectors, usually where trust and safety or regulatory compliance are important, where trust is eroding, or both:
The primary drivers for organisations adopting these systems often include:
The technology isn’t inherently bad. It can offer improved customer onboarding, reduced cost, increased trust, better platform integrity, and streamlined compliance for organisations. From the customer perspective, it can also improve trust and offer faster access to services. So there are some win-wins.
At the same time, the reality is that these customers are submitting their sensitive personal information to establish their identity – usually in the form of their biometric/facial markers. This comes with significant risk to your organisation and the customer since, if this data is breached, the customer cannot change their face. In other words, breaches involving biometric data can have permanent consequences and, as a result, are more likely to attract attention and potentially penalties from the enforcement bodies.
Digital verification systems that use AI to match a person’s biometrics to their government-issued ID also carry a risk of racial bias. More than one study has shown facial recognition algorithms to be inaccurate and biased against people of some racial groups.
Generally, it’s a good practice to think about why you’re considering implementing a technology that collects biometric data and brainstorming alternatives. If there’s an alternative that will achieve the same purpose without collecting biometric data, it’s often a good idea to proceed with that option.
However, if digital ID verification is the only method that will achieve the purpose, here are some further considerations:
In cases where the collection is disproportionate to the risks posed, it’s a better practice to avoid the collection if you want to manage organisational risk and avoid harm to your reputation.
It’s worthwhile completing a privacy impact assessment before implementation. This allows you to consider what the risks are and how you will mitigate them before you start building anything. In turn, this can reduce the overall cost of implementing privacy measures while also getting better privacy outcomes.
If you’re going to collect sensitive biometric information, you should carefully consider how you’re going to get opt-in consents from your customers. This is crucial for transparency, and will be a compliance requirement for those organisations subject to the Privacy Act.
Neither the regulatory enforcement agencies nor your customers are going to care if it’s a third-party technology provider that caused the breach. Your organisation needs to be careful to keep biometric data it collects safe. So, what are your options?
The best solution will vary with your purpose for collection, but the measures we would expect to see in a digital ID verification system are immediate deletion of the biometric data once the user has ‘passed’ verification or, where the data must be kept, encryption, data obfuscation and/or tokenisation.
Where you need to keep that data beyond initial verification, on-device storage is generally considered better practice (as many smartphones do today). You should also run regular audits to detect and address vulnerabilities.
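The retention pattern described above, as an added illustration that is not code from the original post or from any verification vendor: the biometric image is dropped the moment verification passes, and a failed attempt is kept (only if the organisation has a reason to) behind a random token with a hard retention deadline, so the persisted record never holds the face image itself. The `exact_bytes_match` function is a constructed stand-in for a real face-matching engine, and the threshold and retention period are assumed values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

MATCH_THRESHOLD = 0.8  # assumed pass threshold for the matcher's score


@dataclass
class VerificationRecord:
    """What the organisation actually persists: outcome, time, and at most a token."""
    outcome: str
    verified_at: datetime
    evidence_token: Optional[str] = None  # opaque handle into the vault, never the image


class BiometricVault:
    """Tokenised store for retained biometric artefacts with a fixed retention deadline."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._items: Dict[str, Tuple[bytes, datetime]] = {}

    def store(self, payload: bytes, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # random token: reveals nothing about the person
        self._items[token] = (payload, now + self.retention)
        return token

    def purge_expired(self, now: datetime) -> int:
        """Delete every artefact whose deadline has passed; returns how many were removed."""
        expired = [t for t, (_, deadline) in self._items.items() if deadline <= now]
        for token in expired:
            del self._items[token]
        return len(expired)

    def __len__(self) -> int:
        return len(self._items)


def exact_bytes_match(selfie: bytes, id_photo: bytes) -> float:
    """Constructed stand-in for a face matcher: 1.0 on identical bytes, else 0.0."""
    return 1.0 if selfie == id_photo else 0.0


def run_verification(selfie: bytes, id_photo: bytes, matcher: Callable[[bytes, bytes], float],
                     vault: BiometricVault, now: datetime, retain_on_fail: bool = False) -> VerificationRecord:
    score = matcher(selfie, id_photo)
    if score >= MATCH_THRESHOLD:
        # Passed: the biometric data is not persisted anywhere; only the outcome survives.
        return VerificationRecord("pass", now)
    # Failed: keep the image only when there is a documented reason, and only via the vault.
    token = vault.store(selfie, now) if retain_on_fail else None
    return VerificationRecord("fail", now, token)
```

A scheduled job calling `purge_expired` with the current time is the minimum that makes the retention deadline real; an audit can then check that the vault never holds more than the records for recent failed attempts.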
Deepfake technologies have already bypassed certain digital ID verification systems, and the risk of deepfakes passing digital ID verification grows every day. With this in mind, you might consider adopting systems that require multiple layers of verification (MFA) or continuous authentication.
If your organisation is considering adopting digital verification, reach out for a free consultation to learn how we can help you manage the privacy risks. And if you’d like to receive updates like this in your inbox, subscribe to our newsletter below.