Canadian banks and telecoms are contributing data about their customers to a new, comprehensive digital ID system aimed at allowing people to access insurance and credit reporting services more quickly, and eventually other businesses, health or government services.
Launched on Wednesday, Verified.Me, an app from Toronto-based company SecureKey, is a platform that lets people verify their identity while controlling access to the personal information associated with their bank and telecom accounts. Participating financial institutions include TD Bank, Royal Bank of Canada, Scotiabank, CIBC, and Desjardins, with Bank of Montreal and National Bank of Canada support launching soon.
When, say, a landlord checks your credit score, “they're going to the credit agency, they're printing out this file, and everything I've ever done, and they're putting it in a manila envelope in a drawer. There's just too much leakage and too much data. We should be sharing only what we need to the party that needs it,” Greg Wolfond, CEO of SecureKey, told Motherboard.
Landlords and businesses can request access to the Verified.Me network as data consumers right now. To maintain security, only individuals and organizations vetted and accepted to the network will be able to request data through the application.
Insurance and benefit provider Sun Life Financial has signed on to be one of the first receivers of data in the Verified.Me system. Stevan Lewis, senior vice president of digital transformation at Sun Life, told Motherboard that people can sign up for employee benefits by logging into their bank accounts through the app. As well, consumers will be able to get free credit scores from Equifax at launch.
“We don't have to go out and get you to prove that you are who you say you are. It's already been done,” said Lewis.
In a time of staggering data breaches and privacy nightmares such as bounty hunters buying telecom-sourced location data, SecureKey sees an opportunity. Wolfond said that the express purpose of the platform is to halt the over-sharing and over-accumulation of critical information.
The app uses the biometric features on a user’s phone that are built into bank apps to ensure that only the phone’s owner can approve data sharing. According to SecureKey, after Verified.Me receives consent from the user, the transmitted data is encrypted by a trusted source like the bank, and sent to a single destination which uses a key to decrypt it.
Crucially, Verified.Me isn’t a central database of everyone’s sensitive information—institutions hold on to it, and the app allows users to manage when those institutions share that information, and with whom.
“One of the most interesting parts of the platform is that there's no central repository of information,” said Katie Greenberg, Scotiabank’s vice-president of digital products. “All of the identity attributes exist with companies who already are housing and custodians of data today. So you're not actually creating a new place in which you're keeping your customer data.”
Scotiabank worked with SecureKey in the past to help build a service called Concierge which helps people log into the Canada Revenue Agency online system.
Another Verified.Me partner is Canadian telecom joint venture EnStream. It leverages the unique data that the telecoms have about Canadians to offer identity verification services in a number of industries. For example, EnStream can tell how long a SIM card has been active, or if it has recently been changed. This is aimed at stopping SIM swap attacks.
During a SIM swap attack, a hacker poses as the victim and convinces their telecom provider to change their number to a different SIM card. Once in control of the victim’s phone number, hackers can bypass security measures and hijack Instagram accounts and access cryptocurrency wallets.
“They're using another piece of information to help secure the Verified.Me app to ensure that the user with his banking app hasn’t had a SIM swap recently which could've been an account takeover,” said EnStream’s chief identity officer, Robert Blumenthal, in a phone call.
To protect the owners of this information, EnStream doesn’t send any raw data over the Verified.Me network, according to Blumenthal. Instead, it sends “confidence scores” based on the information provided by the user.
According to Wolfond, Verified.Me is powered by a network of nodes controlled by the data suppliers. They are connected using IBM’s iteration of open source blockchain-like software called Hyperledger to enable encrypted transmission of authentication information. Only the user’s consent to share is recorded to the ledger, and not their personal information.
Often, “blockchain” is a buzzword that has little bearing on the product, but Wolfond said that Verified.Me doesn’t support a cryptocurrency or token, and the distributed network approach means the system is more resilient against potential cyber attacks and downtime.
“From a privacy standpoint, they’ve done all their assessments,” said Tim Bouma, senior policy analyst for identity management at the Treasury Board of Canada Secretariat. “That, I’m not worried about. To their credit, they’re addressing issues head on that have been problems with some of the big centralized providers.”
The biggest unknown facing Verified.Me is user adoption, said Bouma. The success of the platform will largely depend on the public’s willingness to store important identifying documents like a driver’s licence on an app, instead of in their wallet.
According to information privacy and security consultant John Wunderlich, having more digital ID services than just Verified.Me will be important to protecting Canadians in the future. While Verified.Me could be one option, the data it holds should work with other digital ID solutions that come to market, he said.
“If you own the identity authentication system with seven banks and it's not an open standard, it becomes an effective monopoly,” said Wunderlich.