Blog by Elaine Oldhoff, Policy Advisor Ecommerce Europe
In a digitally developing world, more and more solutions for online identification are born. As a policy advisor for online merchants, I am regularly approached by suppliers that offer several solutions for the same purpose; providing certainty about the identity of a consumer. Last week, during a workshop in Paris, I learned about a solution that gave me inspiration to write about online identification. In particular I would like to focus on a specific form: online identification through a bank. Is it a risk or an opportunity?
The challenge of online identification
In the physical world, we are used to identify ourselves through an ID card, passport or driver’s license. As the need for online identification increases (for example for selling age-dependent goods and services, safety, security and fraud prevention), demand for suitable identification means on the Internet grows accordingly. Especially online, where identification requires the sharing of specific and sometimes sensitive personal data, the development and use of identifying means are challenged by innumerable expectations: we want it to be reliable, safe, privacy-enhancing, fraud-resistant, re-usable, multifunctional, user-friendly, affordable and, ideally, not a physical object.
Why trust banks and payment networks?
Not surprisingly, online identification and sharing personal data (whether through banks or otherwise) often worry the average privacy-concerned consumer.
It appears that:
- 80% of people polled by the Economist think that Internet privacy does not exist.
- 84% of them worry about divulging their data to third parties.
Having said that, from the same source it follows that 91% of the people interviewed feel that their data are safe in the hands of their financial institution. These expectations are even higher than the trust in family and friends, public administrations, doctor’s offices and hospitals.
Apart from the facts, the banking infrastructure at least encourages me to believe that data is transmitted in a safe and secure way. This allows me to expect that it should not be too frightening for other consumers to share their personal data accordingly either.
As a practical example for bank-related identification, I would like to discuss one solution in particular: MyBank Identity. During the above-mentioned workshop, representatives from merchants, service providers and banks were consulted about their views regarding this project.
To me, the presented solution looks like an interesting and properly detailed plan, which I believe will work well on the suggested infrastructure (using the same secure authorization from the online banking environment used for payment confirmation). The infrastructure, that involves payment service providers, is a safe environment to provide the merchant with relevant personal data, that is verified by the bank, quickly and in a user-friendly way. The consumer is exempted from filling out difficult forms himself. This advantage is even more convenient when we consider purchases of goods and services through mobile devices.
Recommendations for solution providers
In general, I believe that the invention of eID solutions requires solution providers to take “data minimization” as a starting point. Ideally the merchant shall receive only the information that is relevant for a specific service at a specific time. In practice, this simply comes down to, for example, considering whether a merchant selling digital content actually needs to save a delivery address. Suppliers of eID solutions could also explore the possibilities of reducing the sharing of a consumer’s actual date of birth. In certain cases it should be sufficient to share the knowledge of the mere fact that a customer is over 18.
Future benefits for merchants and consumers
In the long term, I would like to believe that eID could lead to opportunities that release the merchant from the storage of useless or even all (personal) data. Delivery preferences (date, time and address) could be forwarded directly to the transporter and IBANs will no longer be required at the point of a simple user account registration. It is very much worthwhile for solution providers to take into account as many use cases and scenarios as possible. In the end, privacy by design will not only benefit the merchant (having to deal with less data and therefore compliance with Data Protection legislation), but will also pay off in terms of consumer trust. In terms of conversion rates, this represents a win-win situation.