When we get a driver’s license, start a job, open a bank account, or start some other thrilling administrative event, most of us know we need to bring some identification. We’re prepared for the small headache of providing phone numbers, maiden names, and digging up paper documents. This is identity verification, the process of proving that you are actually you. In the digital age, it’s increasingly commonplace.
This is the first post of a two-part series about consumer identity verification. In this piece, we’ll cover what verification is, why it matters, and why it’s an important digital rights issue for consumers. Our next piece will highlight some of the nuts-and-bolts of how companies are doing identity verification in 2022.
What is Identity Verification?
Identity verification, also called identity proofing, is a process of providing evidence that you are who you say you are. In many cases, it relies on administrative documents like a government ID. Identity verification is usually used as protection against impersonation or identity theft.
Identity verification is related to, but distinct from, authentication. Authentication is a process of providing evidence that you have permission to access something. Authentication can be as simple as entering a password. That password, however, doesn’t provide any information about who you are. Identity verification does, and it does so by associating your data with a person or identity.
How does Identity Verification relate to privacy?
Here at the Consumer Reports Digital Lab, we are interested in identity verification because of our research in consumer privacy. Emerging laws such as the California Consumer Privacy Act and other state privacy laws give everyday people rights to the data companies collect about them. Under these laws, consumers can send data requests to companies including requests to delete data, to correct data, and to access a copy of their data, among others.
The data rights R&D team at Consumer Reports has helped send thousands of data requests on behalf of consumers. Throughout our research, we’ve heard from both consumers and businesses that one of the biggest challenges of fulfilling data rights requests is identity verification.
Identity verification is rightfully a critical part of exercising data rights. Are you requesting a copy of your purchase history, or did an identity thief make the request? Did you request to delete all your family photos, or was that your disgruntled ex pretending to be you?
The risks of bad actors and fraud require that companies institute a strong verification process. In 2019, Oxford and Dionanch researchers (1) illustrated this point by successfully sending fake data requests under European privacy law. In an adversarial study of more than 150 businesses, they found that many organizations failed to deploy adequate safeguards against abuse of privacy rights. In other words, there was a real risk that sensitive information could be exposed by fraudsters.
However, it is also true that verification processes can be so complicated or burdensome that they prevent consumers from being able to exercise their rights. Companies need to walk a difficult line of making data rights attainable for real consumers and difficult for fraudsters.
Privacy laws require consumer identity verification
In addition to being the right thing to do, identity verification is also legally required in many cases. Identity verification is explicitly included as a component of many privacy laws, including the EU’s General Data Protection Regulation (GDPR). As research at Consumer Reports has focused on California privacy laws, we’ll highlight California’s approach to verification.
California regulations (2) don’t attempt to offer a one-size-fits-all solution to identity verification. Instead, regulators have asked companies to consider six questions as they design their identity verification flows:
- How sensitive or valuable is the data your company has?
- If there’s an unauthorized request, how likely is it to cause harm to a consumer?
- How much would a bad actor want the data requested?
- How easy is it to spoof the verification documentation you ask for?
- What kind of technology is available to bad actors, companies, and consumers?
- How do consumers usually interact with your business?
The regulations offer a handful of examples of appropriate and sufficient identity verification, but for the most part, companies are tasked with interpreting regulations and designing verification flows in good faith. During our research, we’ve encountered some strong flows alongside some that are not so friendly for consumers.
Common challenges in Identity Verification
In the thousands of data requests our team has sent, we noticed some identity verification patterns. Account log-in, email verification links, and SMS verification codes are the most common techniques used in CCPA requests. Less common processes include those that ask for a selfie or copy of a government-issued ID. The most stringent and rare flows require in-person actions like sending notarized documentation via mail.
Every technique for identity verification has strengths and weaknesses. Here are five challenges that apply generally to verification methods:
- Data collisions – There are many Jane Does in the world. How does a company distinguish between them?
- Identifiers change – Identifiers like names or mailing addresses are not stable. People move. People change their name. How does a company maintain a consumer’s identity through these evolutions?
- Access to documentation – A small but important fraction of US residents do not have access to government-issued documentation such as a photo ID.(3) How can companies serve these consumers?
- Digital literacy & access – A small but important fraction of US residents do not use smart devices or have at-home access printers or scanners. How can companies serve consumers across the digital literacy and access spectrum?
- Authorized agents – We’ve written and conducted research about how consumers can appoint an agent to send requests on their behalf. However, verification of the consumer or agent can be tricky with three parties in the loop.
In part two of this series, we do a deep dive into identity verification types with their strengths and weaknesses.
(1) Pavur, James, and Casey Knerr. “Gdparrrrr: Using privacy laws to steal identities.” arXiv preprint arXiv:1912.00731 (2019).
(2) Two important caveats: One, this is our informal reading of California regulation. It of course isn’t intended to be legal advice. Two, the regulations are still in flux. Rulemaking power recently shifted to a new agency (CPPA), and new relevant legislation (CPRA) will go into effect in 2023.
(3) LeBrón, Alana MW, et al. “Restrictive ID policies: implications for health equity.” Journal of immigrant and minority health 20.2 (2018): 255-260.