Are we stuck in e-Adolescence?

By Ken Moyle

 Online enterprises in the US have been massively successful in turning the Internet into a well-oiled engine for consumer transactions.  By any measure, US companies have been quicker to market, more innovative and have reaped greater financial reward by far than any other economy.  Electronic signatures and records have been replacing paper at a healthy clip, and the introduction of mobile devices has led to the inevitability of “digital transformation” of all paper-based processes, everywhere.  

After two decades with our foot on the accelerator, maybe it’s time to learn to use the clutch and shift into a higher gear.

The Internet gold rush that began in the 1990’s supported a speculative, high-risk, high-reward mindset among entrepreneurs in the emerging “electronic commerce” industry in the United States.  Those with a high risk tolerance, who opted for speed over caution, were handsomely rewarded in an era characterized by exuberance over the digital frontier’s tantalizing possibilities.

 The legal system responded in kind, with the introduction in 1999 of a uniform state law designed to cut off attempts by state legislatures to impose technology standards on electronic transactions. The Uniform Electronic Transactions Act (UETA) was a direct response to a Utah statute that prescribed a high-assurancetechnical method of authenticating individual signatories to an online agreement.  The UETA went out of its way to ban the imposition of technology requirements that would slow down the e-commerce train.  When states began to vary in their enactments of the UETA, Congress jumped in and passed the Electronic Signatures in Global and National Commerce Act (ESIGN), which threatened to preempt any state law that veered from the original version of the UETA.

 In particular, ESIGN was promoted by the financial services industry to help them speed up the process of delivering required disclosures. It had little to do with identity and more to do with efficiency, with the built-in assumption that consumers would be the audience. An electronic signature was defined very broadly, so that parties would not be needlessly inconvenienced by arbitrary form requirements but could determine on their own how to execute an agreement.
As with any new invention, the new regime hit a few bumps.  Things broke, lessons were learned, and the whole nation became more internet savvy.  With each breach, hack, fraud or theft, the victims of “cyber” crimes developed habits and policies to combat the risks that they associated with online transactions.  But that was to be expected; the laws, after all, were intended to work that way, remaining stubbornly silent on the means of establishing the identity of the parties. Just as in the paper and ink world, parties needed to be free to make up their own minds about the lengths they would go to mitigate their risks.

And so the methods of identification, authentication, attribution and proof varied widely, depending on the facts and circumstances unique the transaction.  Everybody was on their own. That’s just how we do it in America.

And ultimately, it was an unparalleled success.  In the ensuing decade, what had been viewed as a niche delivery mode for brick-and-mortar business enjoyed a rapid transition into the mainstream.  Consumers have responded positively to the private sector’s emphasis on usability and time savings in the design of their storefronts.  Businesses have automated paper workflows and eliminated costly processes.


So what’s the problem?

But now that the lush, green fields of simple online transactions have been tamed, we eagerly begin our inevitable push into the unexplored and peril-fraught badlands of finance, insurance, mortgage, estate planning, and government. But here we face a vexing problem:  the piecemeal manner with which we worked to solve the identity puzzle doesn’t scale.  The stakeholders in these industries – borrowers, citizens, consumers, lenders, beneficiaries, regulators—have a lot more to lose if their transactions go awry.  Just as important is the lack of visibility or control that any one participant has in evaluating his risk, let alone choosing how to address it.
For example, you may be comfortable assessing the safety of a one-time credit card transaction with an online clothing store, but you may not have any clue how to assess the risks of financing a deeded timeshare in a Chinese resort through a blind trust co-owned by a Barbados limited partnership.  As the complexity increases, trust and transparency become critical.

It is here that US-based e-commerce faces the prospect of a serious plateau; without a mutually trusted source of identity proofing, e-commerce cannot grow beyond its current state of adolescence.

Imagine going a month without your driver’s license.  You’ll quickly discover how often you need to authenticate yourself in your everyday interactions. Your license is your key to boarding a plane, writing a check, buying a beer, or getting a store credit at Home Depot.  And, oh yes, it also proves you are allowed to drive a car.  Without it, you are prevented—or at least severely limited-- from fully accessing some of the most basic benefits available to you as a customer, taxpayer, member or citizen.

 That driver’s license is a physical example of a “federated” identification tool.  It’s issued by a third party—in this case, a government entity—and it is a trusted source of key information about you. That information (your age, your name, your motorcycle endorsement) is the basis upon which a “relying party” will agree to complete a transaction with you.  The pieces of information conveyed by the license are called “attributes”, and the license itself is a “credential.”   Even though it was issued to you for another purpose, the license will normally satisfy the relying party because they have an adequate level of trust that the data is accurate. A similar credential issued by a different third party may be met with a different response. If you want to test that theory, try using your Costco card to identify yourself at the airport.


No online equivalent to a driver’s license

Here’s the problem: for all those transactions you want to do online, there really is no electronic equivalent of a driver’s license.  You likely don’t have a federated credential you can pull out of your virtual wallet to give you instant access to all the various transactions you want to undertake electronically.  For every online relationship you have, you probably need to go through some kind of identification process, after which each transaction partner (website, merchant, bank) issues you a separate credential – usually a user name and a password.  Now, instead of one driver’s license, you’ve got perhaps hundreds of user names and passwords to remember, and none of them can be used for the next merchant, bank or website you come across.
Your inconvenience is only one side of the problem.  The parties with whom you are transacting online face an even tougher challenge, since they need to assess the risk associated with every transaction you are requesting, and then come up with a means of mitigating that risk, often without ever meeting you. Then they have to do it over and over again with each individual.  This kind of one-to-one identity proofing (as opposed to federated identity management) becomes overly burdensome and subject to unacceptably high rates of error.

 Increasingly frequent and noteworthy data breach and cybercrime incidents only add to the concerns about the lack of adequate controls in online transactions. And while the risk of loss faced by regulated industries like money lenders and insurers is very high, the ultimate high-risk profile is in the public sector. Government agencies have been pressured for years to offer paperless alternatives, but concerns about user authentication have driven most digital transformation projects into a brick wall.  There is no budget for fraud losses at the Department of the Treasury, nor is there an “acceptable level” of identity theft at the state DMV. The institutional appetite for converting an admittedly imperfect paper process to a digital one decreases as the margin for error approaches zero, so that even the most obvious and available solutions do not get implemented.  


Trust is the key

Authentication guidance for both public and private entities has been plentiful, varied, and inconsistent.  Conflicting risk models and technical solutions have led to confusion in the market and frequent misapplication of otherwise solid security and authentication principles.  The result, for government agencies and regulated industries like financial services and insurance, has been to sit safely in the middle of the pack and wait for a first mover to take the risk.
But that 1990’s style trial-and-error has run its course.  The next level of transaction needs more assurance to make it run. Trust is the key.  It doesn’t have to be in the form a driver’s license.  It does not need to take the form of a government-issued ID at all.  But it has to come from somewhere.

 By taking advantage of the commercial benefits of online interactions, private companies in the US have pioneered the most significant economic advancements since the Industrial Revolution. And there are many more tremendous opportunities for digital transformation in clear view.  But until we have a reliable and widely recognized online identity ecosystem of trust and security, our collective ability to realize and enjoy the benefits of a more digital economy will be stuck in low gear.

 K6 Partners can help you change gears from neutral to drive;  not just entering the digital speedway, but owning it.  K6 offers complete end-to-end digital transformation consultation services to take advantage of the digital age, preparing your business for the next level and beyond. To learn more about digitally transforming your organization, contact K6 Partners.

Comments

Post a Comment

Popular posts from this blog

SEC Cyber Unit files first charges

The Securities and Exchange Commission today announced it obtained an emergency asset freeze to halt a fast-moving Initial Coin Offering (ICO) fraud that raised up to $15 million from thousands of investors since August by falsely promising a 13-fold profit in less than a month. The SEC filed charges against a recidivist Quebec securities law violator, Dominic Lacroix, and his company, PlexCorps. The Commission's complaint, filed in federal court in Brooklyn, New York, alleges that Lacroix and PlexCorps marketed and sold securities called PlexCoin on the internet to investors in the U.S. and elsewhere, claiming that investments in PlexCoin would yield a 1,354 percent profit in less than 29 days. The SEC also charged Lacroix's partner, Sabrina Paradis-Royer, in connection with the scheme. Today's charges are the first filed by the SEC's new Cyber Unit. The unit was created in September to focus the Enforcement Division's cyber-related expertise on misconduct in
Read more

Stop passing blockchain laws

History has a way of repeating itself. Twenty years ago, when Amazon was just an experiment in online book sales and Google was just a Yahoo! copycat, nobody seemed to understand what the “Internet” actually was or how it would eventually affect our lives. That went double for lawyers, who in the mid-1990s pushed the panic button when the concept of online contracting became a reality. State lawmakers rushed to introduce statutes that would define and constrain this monster before it wrought havoc on the unsuspecting analog world of contract law. They came up with technology-specific, proscriptive rules for electronic signatures that, had they been successful, would have left the U.S. a patchwork of unworkable state laws that would have prevented electronic delivery and signatures for all kinds of transactions that we take for granted today. Fortunately, a model law called the Uniform Electronic Transactions Act (UETA) emerged that, in contrast to the initial view that online
Read more

Just Published: Free Library of Digital Policies

K6 Partners announced today the release of a free e-signature policy library at www.esignaturepolicies.com . “The lack of esignature policies–and the sense of certainty they provide– is the number 1 reason for delaying critical digital transformation initiatives,” said Ken Moyle , president of K6 Partners.  “The eSignature Policies site is designed to give transformation leaders a resource for learning more about esignature policy design.” Free Webinar: E-Signature Policies for the Public Sector K6 Partners previously announced that experts in public sector e-signature policy will offer a free webinar on July 11 , 2017 at 2:00 PM Eastern / 11:00 AM Pacific. Panelists from state and local governments will share insights on adopting and managing online citizen engagement. "State and local entities are looking for new ways to engage citizens and provide value through digital channels," Moyle said. "Yet they face challenges that are different from those faced by p
Read more