Mobile ID World President Peter O’Neill recently spoke with Rob Haslam, VP and Managing Director, Government ID Solutions, HID Global. The result was an in-depth conversation about HID Global goID, the company’s mobile ID solution. Haslam and O’Neill speak on a wide range of topics, from the nuanced functionality of the goID solution, to the role of user privacy in mobile ID, to the need for mobile and physical documents to co-exist (at least for now), and much more.
Read our full interview with Rob Haslam, VP and Managing Director, Government ID Solutions, HID Global:
Peter O’Neill, President, Mobile ID World (MIDW): The HID Global goID solution, which allows for governments to issue mobile IDs to citizens, seems like a logical and exciting evolution for today’s connected world. What are the biggest challenges governments face when it comes to transitioning from traditional ID documents to the mobile ones offered by your solution?
Rob Haslam, VP and Managing Director, Government ID Solutions, HID Global: It is a very exciting evolution in today’s world; we’ve been saying for some time now that the ID document is the last thing to make the transition to mobile. Twenty years ago, you might have left the house for a weekend with a bag full of stuff. But today, all those things can be on your mobile phone in virtual form – maps, camera, tickets, money, credit cards, books, films. Your ID is the one thing that you have to take along with your phone today, and we think that is about to change – and we think we are leading that change.
To say that is very easy, but for governments to implement that change, that paradigm shift is clearly not so straightforward. So, what do government entities need to think about when they make that transition? There are a number of challenges, but clearly but one thing I will emphasize before going through them all is that actually implementing a mobile ID version of a physical document today is much less of a technical and infrastructure challenge than implementing, from the ground up, a physical document issuance program. I’ve been in this industry for almost 30 years now. I cut my teeth as a project manager installing some of the first computerized ID document issuance projects around the world. From my experience, I know that that infrastructure can be very heavy and usually nationwide; it’s not just card printers, which of course is relatively straightforward; it’s all the front- and back-end systems that go with the document printing. When you think about implementing virtual IDs, however, it is a much easier undertaking; it’s not without its challenges, certainly, but it is not the same as implementing a physical infrastructure.
So, what are the actual challenges of this new paradigm? Well, I think the first one that governments need to address is the messaging to citizens to get them to accept and understand these new mobile options. That needs careful management if you think about people’s initial views of online banking, online payments, and credit cards; even though these are far more common now, there can be a lot of misunderstandings around things like security and privacy. I think governments need to really think about how to market new mobile programs and options to citizens.
A clear secondary challenge is legislation. We are hearing that some countries and agencies that we are talking to believe that they can offer mobile IDs as a future add-on to their existing card programs with very little legislative overhead. Conversely, other countries are saying this will take several years because the documents become enshrined in national law, and the privileges granted are very tied to a physical document. Clearly, there is a lot of work to be done in order to change that environment.
The third, and very interesting challenge, is ensuring that governments don’t simply view mobile IDs as a representation on a mobile phone of a physical document. Just to digress a little bit: when HID Global moves its manufacturing capabilities from one country to another, or from one factory to another, we employ a principle that is called “Move and Improve”. We don’t just move what we do; we take the opportunity to improve it.
Back to mobile IDs: governments need to understand that mobile IDs are a lot more than just having a JPEG image with a barcode on a screen that you show somebody, and they look at it and say, “Yeah, it looks real,” as they might do today with a physical card. The opportunity there is massive to enhance that whole transaction, if you like, between citizen and verifying party, and for the government to enhance the privacy and security of what they are doing with that document. A really good example would be law enforcement. As we talk to law enforcement agencies around the world, particularly in the U.S., they have been very vocal about the advantages of goID as they have understood it as HID has demonstrated the potential of this technology. Law enforcement officials have said to us, “If I can verify an ID document from one device to another – say a phone to another phone or a phone to a tablet or other device – and that device is channel agnostic, how do you do that by Bluetooth, for example? Does this take help to keep my law enforcement officers safe when they stop a speeding car in a remote area today and they have to approach that car, essentially not knowing who he or she is dealing with and all the dangers that situation potentially brings?” With our goID solution, the officer can ask to see the credential at a distance. The citizen presenting their ID can then choose to share their mobile ID on their phone with what the law enforcement officer as they are identified on their device. The citizen’s identity is then communicated to the law enforcement officer’s device and before taking any step nearer to that vehicle, they know they have more security in who they are dealing with today than if they were dealing with a physical document.
Peter O’Neill, MIDW: I think first responders will really like that, and I think the most obvious application of mobile IDs are driver’s licenses and travel documents which are troublesome these days. What are some of the other mobile ID documents HID goID can bring to the mobile space? For example, around the world, we are seeing a trend toward electronics enabled voting. Do you have the potential to have goID be used in elections, for example, and what are the other applications outside of government as in the enterprise?
Rob Haslam, HID Global: You’re right, driving licenses certainly are a focus, and travel documents are another obvious target program, but we believe that this technology applies to any form of ID that is issued today as a credential. We are having ongoing conversations with governments about everything from hunting and fishing licenses to vehicle registration documents. In fact, talking of vehicle registration documents, the first program we announced last year was the Nigerian Biometric Central Motor Registry (BCMR) program. This is, in essence, a police-led national scheme in Nigeria where they are issuing an HID physical credential, and they are offering the overlay of having the credential on a mobile phone. So vehicle registration is certainly a focus.
Then you have things like property titles, whether it be land or housing or other goods, right up to national ID documents, which is, of course, the de facto document you use to prove identity in many countries today.
On to the voter registration: in many countries, voters’ cards are issued as a form of national ID that also enables the citizen to prove that they can vote. Voter cards are definitely a target for eventually going mobile, no doubt about it. The one thing I would say is that when you talk about voting and everything that entails, it is an area where we would definitely want to think very carefully about the security and privacy, among other factors, especially given the current sensitivities and potential political minefields around voting in several nations today. But the simplest answer is yes, you could you take a voter’s card and put it on a phone in a very secure way and use that phone to verify the voter. We could do that with goID.
To answer the question of using goID for enterprise applications, you have hit on a very exciting area for HID Global. There are many, many potential applications outside of government-issued documents. Just to be clear, however, my business unit, Government Identity Solutions, really only focuses on government IDs. But HID Global as a whole is addressing many areas in the enterprise space; mobile is increasingly a focus for our company, not the least for physical access control, an area where we have been leading for a long time. Physical access on a mobile phone is already being provided by HID Global, and increasingly, logical access control to networks, to data, and to services is also being done via mobile devices.
Peter O’Neill, MIDW: You mentioned a little while ago about privacy. Privacy is such a critical factor these days at just about all the shows I attend and conversations I have with folks in the industry. Can you explain why this is an important aspect of next generation ID, and what are the privacy features that are unique to goID?
Rob Haslam, HID Global: There are a number of aspects to this, and it is one of the areas we take incredibly seriously. If you talked about mobile IDs to your friends and family as a concept, then privacy would be up there at the top of the list.
From a HID Global point-of-view, the privacy aspects are as follows: firstly, the app cannot be read while the phone is asleep. This means that the individual can’t be tracked, and their private information can’t be read from a phone when it is, for example, in a bag or a pocket.
Secondly, the citizen’s information can’t be read until the citizen actually gives permission for their data to be accessed. Even if the verifying app connects to the citizen’s device – whether by law enforcement, or a hotel reception, or a barman – the verifying request cannot see the information on the citizen’s app until the citizen allows that to happen by selecting the permission on their own phone. Linked to that is that the citizen sees who is requesting the information and what information they are requesting, even if they are doing it from a distance. Going back to that scenario of a police officer checking ID from some number of feet away from a stopped car, the citizen sees that the requester is an authorized police officer with the authorized and highly-controlled police officer verification application. Again, in this scenario, you’ve got the fact that when the citizen is asked to share information with the verifying party, the citizen’s application on the phone displays what information is about to be shared. There is no doubt about what you are about to transmit to the other party. By the way, none of this involves holding up your phone screen. A clear privacy aspect for citizens would be as follows: if I’m holding up my phone to in some way replicate what I do with my physical ID today – showing it to a police officer, a fireman, whomever – it is a very different scenario. Instead of holding up a plastic driver’s license, I am holding up this device that has all my private messages on it, photos, etc. With our goID solution, these scenarios do not actually involve showing the screen of your phone. We think this is absolutely key.
Related to that is the fact when the chosen information is transmitted to the verifying device, that verifying device does not retain any information that is being shared by the citizen. Once the verifying app is closed, all the information is lost and screen snapping is disabled so you can’t take a screenshot. Additionally, for any application where the verifier may stay open continuously, the app would be configured to only retain information long enough for the verification to be carried out. Thinking about a scenario of what you share with whom, here’s another example: there have been stories in the press about barmen or bouncers or similar individuals taking down the addresses of attractive members of the opposite sex and stalking these people at their addresses. Now, if I’ve just got to prove that I’m over 21 to get into a bar, why do I even need to show my address? That is not logical in a world where that can be prevented.
Lastly, goID supports the idea of verifier roles, so you’re sharing different types of information, depending upon the verifying party. You would show a very different data set to law enforcement, typically the whole data set, than the barman who just needs to see your photo and confirm your age, or the car rental company that needs information about your driving privileges.
I think all of that paints a picture of the incredible focus on privacy by HID Global. Additionally, I’d like
to emphasize that the areas where we think we are leading the field and we think we are actually unique are:
- Knowing who is asking for verification.
- The verifier not retaining any information.
- Segregation of that information that you share according to use case.
Peter O’Neill, MIDW: With mobile IDs being remotely provisioned, the issuance and renewal process are obviously made more convenient and timely. What are some of the benefits that come with remote provisioning of mobile IDs?
Rob Haslam, HID Global: Good question. One of them is cost, both to government agencies and to citizens. I mentioned the cost of initially rolling out an ID program of whatever type. The provisioning of a virtual type of ID clearly has a very different cost profile as compared to deployment of smart card infrastructure where you need specific readers all over the country to read those applications that are held on the smart card. With mobile IDs, that reader infrastructure essentially goes away because now in future any suitable smart device, smartphone or tablet can be configured to be a reader.
Also, the data is always up-to-date, compared with a current smart ID card and particularly when compared with a current non-smart ID card. So if you think of your U.S. driver’s license with no chip in it, when you show that to anybody, how do they know that data is still current, like your address? With an application-based identity, you can build in it assurances that the data is current and the verifying authority has been informed that is the case, or else flag that citizen’s data with a date less current. In this way, I, as the verifier of the ID, will know if this ID that I’m seeing today hasn’t been updated recently. Then the verifier has a reason to question the authenticity of that ID.
Another huge advantage about remotely provisioning IDs that doesn’t really fall into the other categories of questions: offline verification. I think most technology professionals view mobile IDs as relying on you being online. This then begs the question: what if I’m in the mountains where there is no network reception, no 3G or 4G, no Wi-Fi network? HID Global’s goID solution is absolutely verifiable offline, device-to-device, without relying on any internet connectivity. That is a very important distinction from other companies that say they offer mobile ID solutions.
When we talk about revenue streams for governments or even public or private enterprises, this is the more future-looking part of what we are doing. Right now, we are engaging with customers on real projects, but the revenue from verifier apps has yet to be defined. While I think that it is logical that your average smartphone user is probably going to want their ID on their phone for all the reasons I hopefully have expressed, we can’t predict when that will become a commonplace, everyday scenario. I think with goID’s enhanced verification capabilities and the ecosystem I mentioned developing over time, we have to believe that new business models are going to come available that will drive new opportunities many can’t see today.
Peter O’Neill, MIDW: I was reading in an HID Global white paper about some of the important principles for a successful transmission to mobile ID, and one of those is that it be voluntary. Why do you think that is important for citizens to be given a choice between older traditional documents and mobile ones? And will it ever be 100 percent mobile?
Rob Haslam, HID Global: I think for the foreseeable future, mobile IDs and the existing physical documents will continue to coexist, side-by-side. We should also remember that not everybody has a smartphone, and not everybody wants a smartphone. And then, of course, some people are just late adopters – for reasons of trust or for their perception of security or privacy – they’re not going to jump on this tomorrow. If you think of it like the paradigm shift back in the 1970’s of moving from cash only to credit cards, or more recently, online payments versus going to a physical shop, I think the comparisons stand quite well. The future of the physical document remains to be seen, but that’s really a very long-term view.
Now, as I said, I started my career in this industry in 1990, implementing ID schemes for a company whose principal business was printing money. Even when I started there, the “death” of cash had been imminently predicted, and I think it is safe to say that I still don’t believe 30 years on that we are quite approaching that point. Likewise, the death of the ID card, the death of the physical passport, is probably somewhat over-exaggerated.
Peter O’Neill, MIDW: Thank you very much, Rob. I want to take this opportunity to thank you for taking the time to speak with us today. HID Global’s goID solution is quite remarkable and very timely, I might add, as well. The market is ready for this solution – congratulations on that.
Rob Haslam, HID Global: It has been my pleasure. Thank you, Peter.