How to Preserve Privacy While Delivering Digital Government Services

Michael Cichon

In this vlog, Mike Engle and Michael Cichon discuss how government agencies can securely deliver digital services to their constituents.

 

 

Michael Cichon:

All right, well, who are everybody? This is Michael Cichon, Chief Marketing Officer at 1Kosmos here with Mike Engle, our Chief Strategy Officer. Today, I want to talk Mike a little bit about government services. We’ve had a lot of conversations recently with various agencies of the federal government. Can you talk a little bit about the growing need for government to deliver services digitally?

 

Mike Engle:

Well, yeah, I mean, the big enabler here or event was COVID obviously. Not only was everybody stuck at home, but the government had to hand out tons of services electronically and offices were closed. So the time was already here, but that really accelerated things.

 

Michael Cichon:

Okay. I guess the front door to a lot of this stuff is logging in and facial recognition has made its way into that discussion. Can you talk a little bit about some of the issues revolving around government agencies using facial recognition? Who are these agencies?

 

Mike Engle:

Well, I think first, if you take a step back, why do you need facial recognition, right? I log into my Bank of America today, and I don’t use my face or whatever website it is, right? It’s very rarely used. But the bad guys take advantage of that because if you’re not using something about me, my face, my voice, something you, something you have actually, then somebody else can impersonate. So the government, rightly so, wants to match your identity to the government identity that they have on file, driver’s license or state identity, whatever it is.

So now, if you’re going to look somebody in the face and say, “Yes, this is Michael,” you have to do it right. So yeah, a number of issues have come up. So that’s the kind of why. There’s no way to prove who somebody else is unless you can match something about them, right? So what the government’s doing today is looking you in the face, and we’ll talk about that, and matching that likeness to the credential that they gave you when you got your driver’s license in California.

 

Michael Cichon:

Okay. Well, you use the word issue. So there are certainly issues I’ve read about in this use of facial biometrics. Decisioning bias or racial bias I’ve read has been one of them. Can you talk about either that issue or some of the other pressing issues in using facial recognition?

 

Mike Engle:

Yeah, there’s several, and we’ll talk about them all briefly. So you mentioned bias and there’s two forms of bias. One is when I am matching your face to this and it fails because I just don’t handle that kind of face well, right? Maybe it’s a certain ethnic persuasion or I don’t like females because my algorithm was made by a male, whatever it is. So that’s one thing you have to take into consideration. You need very low rates of false rejection. It’s called FRR is the industry term for that, false rejection rate.

The other is if you’re matching a face to a big database of other faces, this is where law enforcement gets in trouble a lot where they say, “Yeah, I think that’s the person in the database,” but it’s not. So they call that a one to many. That’s not really needed for the government to do what they do. But there’s been some issues where they’ve tried to do it and gotten into some heat recently. For example, at the IRS, there’s been some challenges over there where they were taking faces and comparing them to a database of other faces, and that’s a no-no.

 

Michael Cichon:

So one of the other issues, and maybe this is just me, but there’s various services. For a while, to get in a sports arena, we had to either show a driver’s license there or use a system where we had already kind of shared a driver’s license online. I’m a little bit reticent every time a crypto service or Google, Google just asked me to provide my driver’s license. Am I out of line being concerned about providing my driver’s license images of my driver’s license online to prove who I am?

 

Mike Engle:

You should be careful, right? Because you don’t necessarily know where it’s going unless you read the fine print. So if that driver’s license goes into some big database and then all of a sudden you start getting advertisements for a new Chrysler, well, that’s not good. That’s using your data for nefarious purposes, right? On the other hand, if there’s a very clear disclosure that this driver’s license would be in your control and you present it when you’re asked, that’s kind of the new way to do it. So there’s the old way, take your picture, your license and throw it into a database, or there’s ways to do it now where the user stays in control of it the whole time. It’s kind of called the Apple way, right? Apple’s all about privacy and there’s ways to do it like that now.

 

Michael Cichon:

Well, what is the right way to do this? We’re talking about facial matching. We’re talking about providing credentials online. Aside from the issues, what’s the best way to address the issues? What’s the right way to do it?

 

Mike Engle:

It’s with a wallet. So if you think about your physical wallet that you’ve had and enjoyed, just my fancy little wallet that I have here, it has credentials in it. I pull the credential out, I give it to somebody, I’m in control of it. Then you will look at the picture, look at my face, TSA agent, state trooper. I’ve never been pulled over, but maybe you have, and you’re proving your identity. Well, you can do that now digitally with a digital wallet. That wallet has to be in your control. A great form factor that for that is your smartphone, which has very secure technology in it and a great camera and all these things.

That’s the new way to do it. The key is that the data stays under your control at all times. It’s verified, right? So you get credentials, they’re verified, and you put them in that wallet, and then you use them whenever you give consent and give them to that stadium or whatever it is that you’re… In the example you gave earlier. So that’s the right way and the new way to do it.

 

Michael Cichon:

Okay. So is government ahead of the curve or behind the curve on the use of these facial biometrics and verified identity?

 

Mike Engle:

It depends which government. Here in the U.S., we’re still a bit behind the rest of the world. In several other countries, they’ve been doing either government or bank sponsored digital identity and putting the user in control, but we’re heading in the right direction. I’m seeing lots of RFIs, right? Requests for information and some real projects spinning up where the government is seeing the right things and they’re trying to figure out how to navigate the monstrous organizations and cross agency stuff. So we’re optimistic that in the next couple of years that’ll happen. There’s been some recent legislation passed that is really encouraging this type of activity as well.

 

Michael Cichon:

So what are some of the governments around the world that are leading the charge in regards to digital identities and facial matching?

 

Mike Engle:

Well, it just so happens, I have a picture. So if you check out this graphic here, it’s a map of the world. You’ll see there’s pockets of identity efforts going on and this isn’t necessarily all of them. But some big ones. You see in Korea, they have something called SK Pass, combination of the telcos, some tech companies and the government digitizing your identity information. In the Nordic regions, they have bank and government led partnerships where you can use your government credential digitally across hundreds of services. There’s something called NEM ID and Bank ID. So pretty exciting stuff over there.

There’s some consortiums here that are heading in the right direction. There’s a organization called the CARIN Alliance, that’s C-A-R-I-N, which is a bunch of healthcare payers, providers coming together to say, “Here’s how we’re going to do identity right in the healthcare industry.” So that would involve you proving who you are from a government perspective, but then leveraging it, do it once and leverage it across your whole medical ecosystem. So more to follow on that as it matures.

 

Michael Cichon:

Okay. So at least in the U.S., it looks like we have a little bit of catch up to do. But I read recently, I mean, coming out of the White House, there’s further guidance and clarity on using NIST as the standards body moving forward to govern some of this. Is that accurate? Is that what’s happened recently?

 

Mike Engle:

It is, yeah. So the government agencies, three letter agencies that provide the services, the IRS, SSA, HHS, et cetera, they follow a standard known as NIST 800-63-3. What that does is it says, “If you’re going to onboard a remote identity, here’s how you do it with a high level of assurance. I need one or more strong forms of verification matching it to your face.” So it’s got all these rules. 1Kosmos is certified to the highest level that there’s certification for, and that has gotten us a lot of attention at these agencies, which need a certified solution to provide these benefits to citizens and residents.

 

Michael Cichon:

That’s really great. All right, well, I appreciate the roundup, Michael. You have a good rest of your day and appreciate as usual all the great information.

 

Mike Engle:

Great to be here. See you soon.

 

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More

Expert Insights in Your Inbox

Subscribe to the blog
Meet the Author

Michael Cichon

CMO of 1Kosmos

Michael is a Silicon Valley veteran with over two decades of experience marketing B2B SaaS solutions for startups and publicly traded companies. Prior to joining 1Kosmos, Michael held VP of Digital and Content Marketing roles at both Agari and ThreatMetrix.