In December, Mastercard announced that it was working to develop an international digital identity scheme which could be used as a flexible verifier for financial transactions, government interactions, or online services. The idea of a secure, decentralized, universal ID has become a sort of holy grail in the age of rapid digital interactions and rampant identity fraud.
Mastercard’s initial announcement was met with some skepticism from privacy-minded observers. Now, the company is releasing more details in a new 24-page report on how its platform will be set up and what the tool will offer. But you still can’t try it yet.
Mastercard envisions a platform in which consumers have control of their identity information and it is stored locally on their devices, rather than in a centralized system that Mastercard would need to defend. The ID would be set up through a bank or other participating institution that already holds identity information about the individual. And people would manage their enrollment and interact with their universal ID through that institution’s secure mobile app.
“It’s a consumer-centric model for digital identity that gives consumers control,” says Ajay Bhalla, president of cyber and intelligence solutions at Mastercard. “It will securely bind a person’s identity to their smartphone or any other device, and the idea is that this will unlock new and enhanced experiences for people as they interact with businesses and service providers.”
Lily Hay Newman covers information security, digital privacy, and hacking for WIRED.
Mastercard says that the project puts a strong emphasis on privacy rights, both so that consumers feel more in control and to cut down on the amount of data they share (whether they realize it or not) that contributes to identity theft in current digital systems. Institutions that offer the ID and those that use it to verify transactions (like say, car rental companies or governments) would pay Mastercard to manage and oversee this verification network.
Here’s how the system is meant to work: You initiate the creation of a Mastercard ID at your bank or other institution that participates in the program and already holds some of your sensitive data. That organization would begin to combine your identification documents into what Mastercard calls a “data collage” or “data package.” You can enrich this package by feeding in other points of identification, and then all of this is churned up into a sort of digital verification token, which is then stored on your phone. This way you aren’t literally storing PDFs of your birth certificate and driver’s license on your device. And Mastercard doesn’t ever see or hold a copy of any of these documents, nor does it hold everyone’s tokens in a central repository that could be breached.
The identity platform will use elements of the cryptographic concept known as a “zero-knowledge proof,” a mathematical approach to prove that a statement is true without directly evaluating the information that proves it. For example, the universal ID could allow someone to prove that they are old enough to buy alcohol under a given country’s laws without having to share their specific age. Or they could prove that they have a valid passport that meets set requirements without a hotel needing to know and store their passport number. These types of controls could significantly cut down on the troves of personal information hackers can grab in data breaches, and could even help cut down on shady data brokering among corporate third parties.
The ID scheme was also developed, Bhalla says, with humanitarian goals in mind. The system could potentially bring an identification option to the roughly 1 billion people around the world (by Mastercard’s estimation) who don’t have adequate documentation, such as refugees and those who lack government recognition for other reasons. It is unclear, though, exactly how Mastercard’s system would establish factual information about people, such as their age, if they do not have an existing relationship with a bank or other institution.
Mastercard’s platform claims to incorporate all the elements you might expect of a digital corporate offering in 2019, including biometric authentication, strong data encryption, and a distributed ledger (blockchain!) that keeps data decentralized. But the company still hasn’t released detailed technical documentation of what specifically will underly the system. When Mastercard announced the project in December, it named Microsoft as a partner and said that the identity platform would be “powered” by Microsoft’s Azure cloud. While Mastercard’s press release Tuesday notes the relationship in passing, the report itself makes no mention of Microsoft, and Microsoft did not return a request from WIRED for comment about its involvement.
Access to robust identification is an uncontroversial idea in theory, but it is extremely difficult to provide in practice. And privacy advocates have warned that there are many ways for even the most well-intentioned digital identity schemes to turn into dangerous and invasive surveillance apparatuses. And these types of platforms need to be extensively and independently vetted to ensure their security.
“One of the hard problems is identity proofing,” says Jim Fenton, an independent identity privacy and security consultant, who followed Mastercard’s initial announcement. “How can you be sure that an online identity is associated with a specific individual? I’d like to know how they plan on identity proofing billions of people securely.”
Plus, even if Mastercard’s system is robust, it will need buy-in from institutions around the world to truly become a useful form of ID. Mastercard says it is in talks with banks and other partners about the project, though it isn’t naming any of those groups yet.
A trustworthy, broadly useful digital identity would be immensely valuable for people around the world, but in practice, it’s thorny to actually set one up. And Mastercard’s offering will need to gain significant traction to actually end up on your phone.