Proofing Creep
At Identiverse 2024, I had the privilege of giving a joint talk with Steve Wilson about the risks inherent in the relentless growth of Identity Proofing: “Proofing Creep”. It’s a topic that merits further explanation and exploration: this post is the first in a slowly developing series that Steve and I will be working on independently.
What is proofing creep?
We are being asked to ‘prove’ our identity in the digital sphere with increasing frequency. We’ve all experienced it: upload a copy of your physical evidence of identity (passport, driving permit, and so on), take a selfie… Great! Now we’ll create your account.
Being able to prove that we are who we say we are, safely and effectively and without an in-person process, is evidently important in a world where so many of the things we need to get done are done online. Digital identity proofing and verification processes are rapidly replacing traditional paper-based methods: it is certainly much more convenient and less costly for the individual to proof online than to visit a notary to have physical copies of documents made and witnessed.
In order for proofing to be safe and effective in the long term, however, it’s crucial that we only proof identity when strictly necessary, and that when we do need to proof, we do so accurately and responsibly. Unfortunately, there is a growing trend in the opposite direction—proofing unnecessarily, and proofing badly: collectively, “proofing creep”. Let’s look at an example.
Verify Now! Why?
LinkedIn encourages users to ‘verify now’, telling us that ‘verified members get 60% more profile views on average’.
Aside from appealing to my personal brand development desires, there’s no good reason, regulatory or otherwise, for LinkedIn to be promoting this. LinkedIn themselves even make this clear: “Adding verifications is optional. It’s not a required step to complete your profile.” They propose that “verifications can also help you make more informed decisions about connecting with other professionals, as you can see their verified information on their profiles” which, whilst true, is rendered entirely moot if you use the platform the way they themselves advise: “to ensure that LinkedIn remains a safe community, we recommend that you only send invitations to people you know and trust”!
If I do decide to Verify, then in my case (individual experiences will vary), I’m prompted to share my passport information with a third party called “Persona”. A passport contains sensitive information, and we should keep that information safe and secure—in the wrong hands, it can easily be used for nefarious purposes including but not limited to identity theft. So my next step should be to check out what this Persona service is and whether I can trust it. But let’s stop there, for two reasons. In the first place, let’s recognise the reality that most people are not going to research the privacy notice and so on before they go ahead. More importantly, we shouldn’t be in this position in the first place. Encouraging people to share sensitive documents like this for no good reason is normalising an inherently risky behaviour; and that has some very real consequences.
Why is proofing creep a problem?
Even assuming there was a good reason for it, sharing this kind of information with an unknown third party online isn’t sensible without some very thorough checks; checks which are rarely straightforward to make. In this particular case, Persona’s privacy notice is available online, and it’s fairly easy to find, but it doesn’t provide a lot of useful reassurance. From section 6, “Data Retention”: “We retain personal data for as long as necessary to provide the Service and fulfill the verification you have requested.” So… how long is that, then, exactly?
Again, though, most people aren’t going to get that far. It’s simply too much to expect people to be that discerning, all the time, about what they share. Take this article in the Guardian as an example. On the face of it, it’s a straightforward SIM swap fraud; but it all starts with a case of—perfectly valid and necessary—identity proofing. Unbeknownst to the victim, the proofing site in question had been spoofed, allowing the bad actors to harvest valuable proofing data and so enabling the fraud.
If proofing becomes normalised—if we encourage people to think that it’s just a regular part of doing anything online—then people stop asking ‘should I share this information?’. Worse, sensitive information gets proliferated. Organisations and individuals are at risk from data breach. Eventually, that information will be used for identity theft. We’ve seen this before: knowledge-based authentication (“KBA”), which used to be a stalwart of remote identity proofing methodology, particularly (though not exclusively) in the US, is now contra-indicated because so much of the ‘K’ has been stolen in various data breaches over the past decade that it’s essentially worthless. We’d better make sure that strong identity proofing doesn’t go the same way.
What to do about proofing creep?
There are many reasons why proofing creep is potentially problematic. We could talk about the erosion of privacy, civil liberties, or digital exclusion—and I have a lot of sympathy for those arguments!—but here I’ll focus on what I believe is a more pressing issue for individuals and organisations alike. Proofing creep increases risks to both individuals and to organisations. Over time it will reduce the effectiveness of identity proofing, to a point where we will not be able to rely on it when we actually need it. Because there are plenty of cases where we really do need it. Opening bank accounts, claiming benefits, demonstrating a right to work or to rent, evidencing citizenship, and so much more.
So what should we do? Here are some recommendations for a few different constituencies:
Product/Solution Providers and Systems Integrators
- Ensure your products (or the products you are recommending) are certified. If you are going to do strong, online, remote Identity verification and proofing, do it well, do it responsibly, and demonstrate that you are doing so. Choose your certification body with the thought in mind that you want your auditor to push you to be better — a check-box exercise doesn’t help you or your customers (or their customers). Make the quality of your certification a USP.
- Carefully consider to whom you are marketing and selling proofing capabilities. Ensure that sales teams are trained to look for signals that proofing is not warranted for a given customer or use case. Consider incentive plans that focus on only providing these technologies to appropriate customers with well-vetted use cases. Product marketeers should review their ideal customer profiles and trim the target audience appropriately.
Enterprise Executives and Board Members
- Executives in enterprises and other large organisations should be asking why. Why are we proofing? Is this really necessary? Does it help our customers? Is the risk/reward balance appropriate? If we really have to do it, are we doing it at the right time, for the right reasons, and in the best way? Do you have a review cycle in place to continually ensure that your proofing is still necessary, and still up to scratch?
- The same applies for smaller organisations, although you may need to ask these questions of your technology vendors (why does this solution include identity proofing? How can I turn it off?) or your business clients (is proofing strictly necessary in this case? Why?)
- Board members: any identity proofing your organisation carries out poses a material cybersecurity and/or reputational risk. You should know that it’s happening. You should know why it’s happening. You should understand the risks and you should know how they are being mitigated. And you should be reviewing all of this on a regular (at least annual) cadence.
Digital Identity and Privacy Professionals
- If you are asked to implement a proofing solution, make sure you understand why it’s needed. If you aren’t convinced: get help! Your colleagues in the Privacy team are your friends—they can help review justifications and (at the least) they can ensure that a full privacy impact assessment is carried out.
Individual Users
- Unfortunately there are already too many examples of unnecessary and/or poor identity proofing in the wild. But do your best to check: do I need to do this? If I’m being asked to provide a copy of my identity documents, am I absolutely certain they are going to the right place? If you’re not sure, then ask. Any reputable trading organisation will be happy to help (if they aren’t, that’s a red flag). And if you are being asked to prove your identity unnecessarily, consider taking your business elsewhere.
Proofing well, proofing only when necessary
Identity Proofing in the digital sphere is vitally important, and we need to be able to rely on it when we really need it—we all have a duty to ensure that the value of identity proofing isn’t eroded by poor and unnecessary use.
If you’re interested in other thoughts I have on digital identity, privacy, and corporate governance, I encourage you to read through this site or follow me on LinkedIn.