After spending the first half of his career in traditional technology development and information systems management, Scott Rice has enjoyed the migration to designing and overseeing development of specialized internet-based, real-time information products. Scott is currently the Chief Information Officer at PacificEast Research, a West Coast-based provider of telecom-centric information services. He had previously served as the Principal Scientist of Qsent and Director of Data Management at TransUnion.
Why did PacificEast join the OIX?
PacificEast is a relatively old, established data services company, and is fairly well known within the industry, but it had been historically quiet in relation to industry activities. However, when we heard about OIX and about the proposed trust framework for telecom data we felt it was time to get involved. We see such a need in the marketplace for high quality, high certainty ID verification services but there is a big gap between the need and the availability. We believe the openness designed into the OIX trust framework and its focus on public good provides a fertile environment in which a telecom data trust framework can develop.
Tell us about the Telecom Data Trust Framework project; what business problem is it solving?
Most people are amazed by the incredible features on their smartphones and cell phones, especially when compared to the capabilities of a landline phone. But what they probably don’t understand is the extent to which cell-phone users are “have-nots” in terms of integration with the existing financial services industry. There are systems in place that let a landline owner call a creditor and pay a bill quickly and easily by just pushing a few buttons on their landline phone. But if they call from their cell phone, those same systems would force the subscribers to tediously repeat all of their personal identity information to an operator whom they don’t know and who may not even be in their country. That can make subscribers uncomfortable, not to mention the additional time and cost of processing that transaction. That’s the problem we’re addressing through the OIX.
Why do mobile users need to manually verify their identities?
Landline carriers have provided landline account information for ID verification purposes for years. Some have done this directly, others have worked through third-party providers, but nearly 100 percent of all U.S. and Canadian landline subscribers can use their telephone identity to initiate and complete a commercial transaction. Using their mobile phone numbers for identity verification is hit or miss for wireless subscribers. Third-party data aggregators, not the carriers themselves, largely enable the limited mobile ID verification available. There have been historic reasons why the wireless carriers have avoided doing this themselves. Their subscribers have had very real fears about having their personal communication device turned into a marketing target. But over the last few years, laws have managed to catch up with technology and provide consumers with a means of preventing this from happening. The core principle of a telecom data trust framework is that carriers and relying parties, like those e-commerce transaction processors, should have an open (as in public) but very secure method for verifying a subscriber-authorized transaction in a way that promotes privacy but also reduces the opportunity for fraud.
What are the one or two key things that you believe the Telecom Data Trust Framework working group must do to be successful?
Well, the working group is still assembling its charter and deciding what it thinks should be a priority, but let’s assume for a moment that we decide to focus on a simple account verification solution. First, for the solution to be successful, it needs to solve a real problem. E-commerce, financial service companies and other digital transaction processing and service providers who currently pay millions of dollars to verify the identity of people initiating transactions on their systems will likely be the deciding factor on the viability of any given solution to one of their core business problems. Second, I can’t imagine them accepting a solution that isn’t national and ubiquitous. The concept of a national and ubiquitous solution is critical. Most electronic commerce is not a local activity so e-commerce facilitators, vendors and processors need an identity verification solution that provides national coverage and consistent results a very high percentage of the time. A solution that allows a person’s identity to be verified if they live in New Jersey but not Montana doesn’t meet the need because it’s only a regional solution. In the same way, a solution that allows us to verify the identity of those who try to initiate a transaction with their landline, but not for those who try to initiate the same kind of transaction with their VoIP or cell phone won’t fly because it’s not ubiquitous.
Imagine for a minute trying to use your Visa or MasterCard in a store and having the cashier tell you that he can’t process your transaction because your bank is ABC Bank, or because it is based in Texas. Credit cards aren’t just successful because they’re convenient, they’re successful because you know they’ll be accepted if you see a Visa or MasterCard symbol on the door or cash register. Visa and MasterCard are national and ubiquitous so you don’t need a specific bank’s card. From the consumer’s perspective and, for that matter, from your bank’s perspective as well, the transaction is predictable, convenient and safe. From the perspective of the company facilitating that electronic transaction, it’s national and ubiquitous. I’m pretty pragmatic about the driver for a working group. There are lots of possible paths for us to choose; we don’t have to pick one that I’ve mentioned here but we’ll have to agree on something – perhaps something modest to start – we can accomplish for ourselves and for the industry. I’m not, by nature, an optimist, but I believe there are good reasons to believe that the timing is right for the working group to agree on some plan.
You mentioned that identity verification systems need to be national and ubiquitous, but doesn’t that imply the need for a single, centralized ID repository and verification system?
In a trustless environment? It would, yes. But that is one of the most important concepts about OIX and these trust frameworks. They enable distributed, non-centralized systems because they provide a mechanism for consistent, predictable interaction between diverse entities and systems. Several years ago, Kim Cameron produced a short but seminal work called the Laws of Identity. One of the laws was that any identity system should allow for what Kim called a “pluralism of operators and technologies.” There have been numerous attempts in the U.S. to come up with a national ID card, but Americans have never cooperated with those attempts and I doubt they ever will. We have way too much respect and faith in the prophet Orwell and, as a people, we’re typically distrustful of any single authority knowing too much or having too much power. A trust framework provides the ability for different companies, organizations or systems to communicate, to agree on how interactions will take place and to establish levels of confidence which one entity can place on another entity’s standards of trustworthiness. Trust frameworks allow important activities to take place without a central, omniscient, omnipotent control mechanism which is very important since Americans are not likely to allow a central, omniscient, omnipotent control mechanism to exist.
Do you see identity management becoming a competitive advantage to telecom companies?
For identity management to be a competitive advantage some carriers must do it and some must not. All the major carriers already manage a lot of identity information. What I’d like to see is for all carriers to choose to participate in some kind of trust framework, not because of some perceived competitive advantage, but because it’s good both for their subscribers and the general public.
If any major carrier decides not to participate it doesn’t so much increase the competitive advantage of the others as much as it lessens the value of the solution for everyone: carriers, the public and subscribers alike. The question is, will the job get done as well as it could be done with the active participation of all the carriers? I wouldn’t be spending my time on the project if I didn’t truly believe the answer to that question is no.
How could the results of the working group ultimately benefit consumers?
I need to step back and clarify something about identity verification in order to answer that question. Any particular means of indirectly identifying someone needs to be verifiable. If it isn’t, the system can be duped. Any dupable system will invite fraud. But for an ID verification system to work, the party trying to verify an identity has to have a reliable, trustworthy “truth” resource against which to ask the simple “are they who they claim to be?” question.
If you’re pulled over by a policeman, the officer will probably cross-reference three pieces of information to try to confirm who you are and if you should be driving the vehicle: your driver’s license, which is associated with you; your registration, which is associated with your car; and your license plate number to confirm your vehicle and driver information in another database. In this way they can verify the association between the driver and the car. But now change this scenario in two key ways. First, imagine that it’s not you in the car, but someone who just stole your car. Second, imagine that the officer doesn’t have access to a vehicle license plate database. As a person who just had his car stolen, you would likely hope the officer would be able to figure out that the person driving your car is not you. But without access to some vehicle identification system that confirms “this car is associated to this person” or even “this car is registered to this address,” the officer can’t readily tell who should be driving the vehicle. If the officer doesn’t know who should be driving the vehicle, neither can he say who should not be driving the vehicle. That is the situation we have now in the telecom world.
We currently have a situation where one of the most frequently used pieces of non-credit information used to authenticate a transaction, the phone number, cannot actually be verified consistently against any kind of truth system. There is a truth system for some of the phone numbers, just not for all of them. And the quality of the existing available “truth” data is not nearly what it should be given the amount of commerce dependent on the truth systems being used. The truth systems are all in place and are effective, they just don’t work for everyone everywhere. Third-party service providers (PacificEast is one of those) are trying to improve the quality and quantity of those truth systems, but a truth system for verifying telecom identity data that doesn’t include participation from the majority of the big carriers is never going to reduce the potential for fraud to the point that I assume consumers would want. So the consumer may not even realize he is getting the benefit of these trust frameworks and systems.
What do you find most interesting about the work of the OIX?
OIX is a new “thing” and I don’t see a whole lot of new things. I’ve spent a fair amount of time discussing what OIX is and isn’t. Since I’m a “data guy” I always try to classify objects into a known category and OIX has been hard for me to classify since I haven’t run across many OIX-like things yet. But this doesn’t bother me as much as it intrigues me. What I appreciate about OIX is that the end goal is the framework. In such a short time, OIX leadership has done an absolutely amazing job getting some of the biggest industry powerhouses together – not to mention the federal government – to discuss how to better serve and protect consumers even if the resulting trust framework ends up leveling the competitive playing field a bit.
Anything else you would like to add?
I’m hopeful that if we have a similar discussion in a year there will be much progress to talk about. In my discussions so far with the carriers I’ve been very pleased with their willingness to join in the discussion. Hopefully, we’ll have an update for you soon on how things are going.