Ride hailing app Uber lost its London license last week, when the city’s transport regulator accused its drivers of faking their identities. To appeal the decision, Uber must demonstrate that it’s put in place sufficient measures to eliminate potential safety risks to passengers. A solution exists, yet Uber seems disinclined to use it.
Sources privy to the negotiations, speaking to tech publication Wired, said the only way that the app could comply with the stringent requirements of the UK capital's regulator, Transport for London, is to collect biometric data from drivers.
Biometric identification methods are controversial and many people simply don’t trust tech giants to become the keepers of our digital identity. But there is a way to use biometrics, and reap the benefits they provide, while still enabling users to retain full control of their personal information. And 2020 could be the year we see it make an impact on our lives.
Privacy enhancing potential
Transport for London claimed that around 14,000 Uber journeys were with drivers who have falsified their identity information, with all the insurance and safety ramifications that ensue.
Uber declined to comment for this article, but industry sources told Decrypt that its current verification process is a once only affair, completed when they first sign up. Subsequently, drivers need only input a username and password into the app to authenticate themselves—and could even change their ID photo without any authentication being required.
A facial scan would provide a much higher level of assurance that the person behind the wheel is actually the one authorised to drive, but that solution raises issues of its own.
“My position is pretty clear about this – as long as Uber customer credit card details continue to leak all over the web I’m less than keen to hand over my biometric data,” said one Uber driver, Tom Elvidge, on his blog.
"The problem with biometric authentication is that it’s very sensitive information. People probably don’t want others sharing their biometric data. So what we’re proposing is using blockchain as a core technology to verify yourself, in a privacy preserving way,” Abbas Ali, Head of Digital Identity at blockchain company R3, told Decrypt.
Since 2016, the firm has been working on Corda, an open source blockchain platform for enterprise. In the past year, its been running blockchain pilots, which offer an identity solution that need not compromise privacy.
Using Uber drivers as an example, Ali suggests that they could verify themselves by taking a selfie, a facial scan, and sending the biometric imprint to Uber. The company need not hold the data in order to verify identity. Instead, algorithms would confirm the authenticity and the likeness of the image, and record it on a tamper proof blockchain.
What’s more, users would be free to build their personal reputation across multiple platforms, and manage their own digital identity, bypassing the privacy busting surveillance of the tech giants.
“You don’t need to have multiple verification factors across all your online services; you don’t have to do one with Uber, one with Airbnb, one with Netflix, said Ali. “Instead of your identity being held by every one of these providers, in their own databases—their own silos—a user would manage their own identity and permission these guys to access it.”
First movers
Challenger banks, like Monzo, already use digital wallets with biometric information. The problem is that they also control users’ information. So what needs to happen for centralized trust enforcers to give way to decentralized trust systems and P2P network-enforced reputation systems?
Abbas said that the industry is currently building a network where the user controls their identity, how it’s shared and who they provide access to.
French digital security and aerospace multinational Thales recently acquired e-passport provider Gemalto. It’s developed a decentralized identity solution, the Trust ID Network, on Corda, and is currently working on a trial with a number of financial institutions.
Corda is a permissioned, or private, blockchain, designed specifically to address scalability and security issues, said Ali. “With identity, you’re dealing with—potentially—millions of records. And most [public] blockchains can’t scale to support that level of transactions.”
The European Union is also working on its own version of a blockchain-enabled digital identity solution, which is due to roll out early next year.
And Microsoft is also working on decentralized identity solutions. According to Ali, LinkedIn has already unofficially introduced a way of inputting tamper-proof digital credentials, which means there’s no need for potential employers to run an educational background check.
In fact, there are hundreds of startups—including Yoti, ID works, Persistent Systems and Luxoft—all working on various solutions. Most are developing mobile wallets, with digital identity services on top, but also academic and banking credentials.
But while the technology is mostly in place, Ali says the biggest challenge lies elsewhere. “When you’re dealing with something as significant as identity, there are huge risks involved in implementing new technology. So the biggest challenge—the only one, in fact—is adoption. It’s getting first movers to take a leadership position.”
Network Effects
A digital identity network’s efficacy increases the more providers use it; each one will inspire additional trust, as well as efficiency. In one futuristic example, frequent travellers would see their journey streamlined; instead of a passport, boarding pass and visa, all they would need is a phone to board a flight.
“It really becomes much more valuable when you have a network effect because then you can use that same identity in different contexts,” said Ali.
But that presents a chicken and egg situation: There are almost too many options. With thousands of developers working on solutions, no one wants to be the first to deploy a technology if everyone else then adopts another one.
“People always want to wait and see who has the best solution, and that’s a real barrier to adoption,” said Ali.
But an initiative to promote standardization may be about to change all that.
The Decentralized Indentity Foundation, whose members include Microsoft and consultancy Accenture, and the World Wide Web Consortium (W3C)—the main international standards organization for the web—have been working on complementary standards for digital identity.
These will introduce interoperability and make decentralized identity solutions interchangeable, so that users can switch between networks and solutions. The first of these standards was finalized last month.
“This year—in terms of development and standardization—we’ve achieved a lot,” said Ali. “And next year we’re going to see a lot of solutions being put into production. So we’re very close.”
Rather than twisting drivers’ arms to persuade them to use biometric authentication, Uber may want to read up on blockchain, and give its London-based drivers a primer for Christmas instead.