Should Your Organisation/Department Use Digital ID Verification?

Trust is a currency when it comes to online transactions, and digital verification systems are becoming more common in a world where online customers and organisations both want greater certainty. These verification platforms offer increased security in some senses, but the reality is that any platform that asks users to provide biometric data should be carefully considered. 

In this post, we dig into where we’re seeing digital verification crop up, what benefits these platforms offer, as well as the questions you should be asking before implementing these systems in your organisation.

What is Digital Verification? 

Digital verification broadly refers to the process of confirming that a person is who they say they are (or at least that they appear to match their government-issued identification) using digital means. There are a host of platforms that allow organisations to check people’s identity, usually by the person first submitting a photo of their government-issued ID and then submitting multiple biometric images (often their face from multiple angles). 

The goal of these platforms is to increase trust by establishing that the person interacting digitally is who they claim to be. This can reduce the risk of fraud and unauthorised access in the absence of face-to-face interaction. 

Who is Using Digital Verification and Why?

If you’re unsure if you’ve seen digital ID verification in action, you don’t need to look any further than LinkedIn to find a common example. LinkedIn’s verification system relies on digital ID verification. 

Beyond social media, we’re seeing these verification methods pop up across various sectors, often where trust and safety or regulatory compliance are important, eroding, or potentially both:

  • Sharing Economy Platforms: Rental marketplaces (short-term stays, cars), ride-sharing services – to verify hosts/guests/drivers and deter fraud.
  • Freelance and Gig Work Platforms: To verify the identity of freelancers and clients, ensuring accountability and payment security.
  • Financial Services (Especially Fintech): For remote customer onboarding (‘Know Your Customer’ or KYC compliance) and transaction verification to prevent money laundering and fraud.
  • Online Marketplaces: To verify sellers or buyers in high-value transactions and generally because these marketplaces are hotbeds for scams.
  • Age-Restricted Services: Verifying age for access to content or products (e.g., alcohol, gambling).
  • Remote Proctoring/Education: Ensuring the student taking an online exam is the registered individual.

The primary drivers for organisations adopting these systems often include:

  • Fraud Prevention: Combating bots, fake accounts, synthetic identity fraud, and account takeovers. Liveness detection specifically aims to ensure a real person is present, not just a static photo.
  • Regulatory Compliance: Meeting legal obligations like KYC and Anti-Money Laundering (AML) requirements, particularly in finance.
  • Building Trust and Safety: Creating a more secure environment for users interacting on the platform.
  • Efficiency: Automating and speeding up onboarding or verification processes compared to manual reviews.

Is The Growing Use of Digital ID Verification ‘Bad’ From The Privacy Perspective? 

The technology isn’t inherently bad. It can offer improved customer onboarding, reduced cost, increased trust, better platform integrity, and streamlined compliance for organisations. From the customer perspective, it can also improve trust and offer faster access to services. So there are some win-wins. 

At the same time, the reality is that these customers are submitting their sensitive personal information to establish their identity – usually in the form of their biometric/facial markers. This comes with significant risk to your organisation and the customer since, if this data is breached, the customer cannot change their face. In other words, breaches involving biometric data can have permanent consequences and, as a result, are more likely to attract attention and potentially penalties from the enforcement bodies.

Digital verification systems that use AI to match a person’s biometrics to their government-issued ID also come with a risk of racism. Facial recognition algorithms have been shown to be inaccurate and racist in more than one study. 

Considerations Before Implementing Digital ID Verification Systems

Generally, it’s good practice to think about why you’re considering implementing a technology that collects biometric data and to brainstorm alternatives. If there’s an alternative that will achieve the same purpose without collecting biometric data, it’s often a good idea to proceed with that option.

However, if digital ID verification is the only method that will achieve the purpose, here are some further considerations: 

  • Is the risk of collecting sensitive biometric data proportional to any risks posed to the organisation? 

In cases where the collection is disproportionate to the risks posed, it’s a better practice to avoid the collection if you want to manage organisational risk and avoid harm to your reputation. 

  • Have you conducted a privacy impact assessment? 

It’s worthwhile completing a privacy impact assessment before implementation. This allows you to consider what the risks are and how you will mitigate them before you start building anything. In turn, this can reduce the overall cost of implementing privacy measures while also getting better privacy outcomes.

  • How will you get consent? 

If you’re going to collect sensitive biometric information, you should carefully consider how you’re going to get opt-in consent from your customers. This is crucial for transparency and will be a compliance requirement for organisations subject to the Privacy Act.

  • How will you protect the biometric data? 

Neither the regulatory enforcement agencies nor your customers are going to care if it’s a third-party technology provider that caused the breach. Your organisation needs to be careful to keep biometric data it collects safe. So, what are your options? 

While the best solution for you will vary depending on your purpose for collection, measures we would expect to see when it comes to digital ID verification security would be immediate deletion once the user has ‘passed’ verification, or otherwise encryption, data obfuscation, and/or tokenisation. 

Where you need to keep that data safe beyond initial verification, on-device storage (as many smartphones use today) is generally considered to be better practice. You should also adopt regular audits to detect and address vulnerabilities.

  • How will you avoid deepfakes passing your digital verification systems? 

Deepfake technologies have already bypassed certain digital ID verification systems and the risk of deepfakes passing digital ID verification grows every day. With this in mind, you might consider adoption of systems that require multiple layers of verification (MFA) or continuous authentication.  

If your organisation is considering adopting digital verification, reach out for a free consultation to learn how we can help you manage the privacy risks.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.