Are Canadian banks trafficking in the digital identities of millions of Canadians?

In light of the recent Zuckerberg testimony in front of the U.S. Congress, the May 2018 deadline for organizations to implement General Data Protection Regulation (GDPR) data privacy regulations[7], and the imminent release of the SecureKey verify.me digital identity system, an important question is:

Are Canadian banks guilty of trafficking in, monetizing, and profiting from the digital identities of millions of Canadians, with the support of IBM and SecureKey as their key technology partners?

On October 18, 2016, SecureKey Technologies Inc., a Toronto-based provider of identity and authentication solutions, announced that it has raised:

“$27 million CAD in growth capital to fund the commercial rollout of a privacy-enhancing digital identity network. Teaming up with SecureKey on this initiative and participating in the funding round are leading financial institutions: BMO Bank of Montreal, Bank of Nova Scotia, CIBC, Desjardins, Royal Bank of Canada and TD.”[1]

On March 20, 2017, IBM and SecureKey announced that they were:

“working together to enable a new digital identity and attribute sharing network based on IBM [Hyperledger Fabric] Blockchain.”[2]

Subsequently in early 2018, SecureKey released two additional documents[4][5] that describe both the business model and technology platform for the verify.me digital identity system. Verify.me is SecureKey’s IBM Hyperledger distributed ledger (blockchain) based digital identity system supported by Canada’s largest 5 banks (as well as other institutions):

  • The Toronto-Dominion Bank (TD Bank)
  • Bank of Montreal (BMO)
  • Canadian Imperial Bank of Commerce (CIBC)
  • Bank of Nova Scotia (Scotiabank)
  • Royal Bank of Canada (RBC)

Additional details on the verify.me digital identity system were also presented at the Australian Payments Network conference in August, 2017[3].

The Business Model

The most concerning part of this partnership between SecureKey, IBM, and the Canadian banks is the partnership’s intent to monetize and profit from the trafficking of digital identities of individual Canadians based on the following and similar excerpts from [4][5]:

The Business Model-Healthcare

Figure 1. SecureKey verify.me Business Model

The SecureKey documents’ rationale for SecureKey and the Canadian banks to pursue this business model was driven by a perceived threat by the banks from many fronts including encroachment by non-banking businesses into the domain of the Canadian banks and pending new regulations (e.g. PSD2).

Monetization of data was clearly important

Figure 2. Banking industry rationale for monetizing customers’ digital identites

The Technology Platform

IBM is providing SecureKey with the Hyperledger products, technologies, services, and know-how to create what is, in effect, a digital identity dark web [8] for the Canadian banking industry to engage in trade of their customers’ digital identity information with SecureKey and SecureKey’s digital identity requester clients.

The primary technology platform is the open source Hyperledger Fabric v1.0 project – an open-source distributed ledger project used almost exclusively for private and consortium applications[6].

The following diagram represents a consolidation of the information presented in the SecureKey references mentioned at the end of this article.

SecureKey-verify.me

Figure 3. SecureKey verify.me Digital Identity Dark Web

SecureKey brokers digital identity information requests (claims) from Digital Identity Information Requesters.  SecureKey satisfies these claims (requests for digital identity information) by using the SecureKey digital identity dark web it has implemented with its banking partners (Digital Identity Information Providers) using the Hyperledger technology.

Information and Privacy Risk

SecureKey’s February 2018 documents highlight initial set of digital identity information (digital assets) that will be provided by the Digital Identity Information Providers as illustrated in the following diagram[4][5].

SecureKey-Digital Assets

Figure 4. Information and Privacy Risk

Without adequate governance and government regulation, once in place, the verify.me digital identity system can be used to satisfy any digital identity claim from any requester including health information, additional financial information, and other personal data.  A lot is at stake for individual Canadians.

Conclusions

Why are the Canadian banks and SecureKey being allowed to monetize and profit from individual Canadians’ digital identity information? A person’s digital identity is like their digital heart and digital soul. Individual Canadians need to own and control both of these – all of their digital identity data.  The role of industry and government should be to act as validators of each person’s digital identity …and no more.  Who is watching out for the future of Canadians?

References

[1] SecureKey Technologies Inc., “Press Release: SecureKey Completes $27 Million Strategic Investment Round”, https://securekey.com/press-releases/securekey-completes-27-million-strategic-investment-round/, October 18, 2016.

[2] SecureKey Technologie Inc., “Press Release: IBM and SecureKey Technologies to Deliver Blockchain-Based Digital Identity Network for Consumers”, https://securekey.com/press-releases/ibm-securekey-technologies-deliver-blockchain-based-digital-identity-network-consumers/, March 20, 2017.

[3] Australian Payments Network, “Digital Identity” Session, https://www.slideshare.net/AusPayNet/australian-payments-network-digital-id-session, slides 41-59, August 2017.

[4] SecureKey Technologies Inc., “Identity Now (Banking Edition)”, http://securekey.com/wp-content/uploads/2017/07/SecureKey_Whitepaper_Banking_Final_Feb2018.pdf, February 2018.

[5] SecureKey Technologies Inc., “Identity Now (Telcom Edition)”, http://securekey.com/wp-content/uploads/2017/07/SecureKey_Whitepaper_Telecom_FINAL_Feb2018.pdf,  February 2018.

[6] Wikpedia, “Hyperledger”, https://en.wikipedia.org/wiki/Hyperledger, Last edited on 12 April 2018, at 16:12.

[7] European Commission, “Data protection: Rules for the protection of personal data inside and outside the EU”, https://ec.europa.eu/info/law/law-topic/data-protection_en, January 2018.

[8] Wikipedia, “Dark Web”, https://en.wikipedia.org/wiki/Dark_web, Last edited on 21 April 2018, at 15:12.

 

Leave a comment

Filed under Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s