One ID to rule them all

What do 90 percent of all Swedes have in common? They use Bank-ID. In no time, a unified digital identification layer has become a daily savior. But sometimes trust comes at a high cost.

Large consumer banks have rightly been criticized for lackluster digital innovation and poor customer service. Fintech startups are running in circles around these dinosaurs and users are leaving in droves. Or are they? This is a story of one of the exceptions. This is a story of a revolution in accessibility and usability and huge risks. A story of how Sweden’s consumer bank oligopoly (Swedbank, SEB, Handelsbanken and Nordea) handed the keys to the kingdom to startup competitors, a story of radical empowerment, and a story of how a leapfrog in innovation could also turn out to be a technological dead-end on par with the French Minitel system.

Ladies and gentlemen, fasten your seat belts, this is the blockbuster story of Mobile Bank-ID. The story of WHAT?

As easy as touching your phone

Mobile Bank-ID. A secure digital identification, used by 90 percent of Swedes to open bank accounts, sign agreements, transfer money, take out loans and do tax returns. It’s as easy as holding your thumb to your iPhone. Gone are the scanned passport copies, logins, Pa$5w0rDs, confirmation emails, security questions and verification codes. No matter what the service. Even dating? Yep. The first thing many Swedes do when they buy a new phone? Yep, they log into their banks and install the mobile Bank-ID app on their phones. Most likely the service has wider national distribution than Facebook.

“What does it mean when an entire population is digitally identifiable?”

As a society we have adopted an immensely important and empowering technology, equal to GPS or credit cards. With little or no public debate as to the risks and issues. It just happened, with the consent and active support of the government. You see, we Swedes have little to no skepticism of centralization and we jumped like lemmings. We have put our digital IDs, our digital personas, squarely in the hands of banks and a small private company going by the name of “Finansiell ID-Teknik BID AB”.

Well, what do you expect in a country where every citizen is sampled for blood at birth, and where people (on average) like the fact that booze is only sold in state-run monopoly stores? As a matter of fact we love our Bank-IDs – 2.5 billion times yearly and growing rapidly to be precise. At the moment Bank-ID is used on average about once per day per Swede all year round. How did Sweden create a unified digital identification layer, and what does it mean when an entire population is digitally identifiable? It has enabled citizens digitally and made business easier, but how did we come to trust it so fast? Is it because practicality rules, or because Swedes blindly trust authorities and banks? Truth is, it’s really not that safe.

A logical evolution

Let’s start at the beginning. What is identification? Back when societies were small, and technology simpler than today, you knew if Sam was Sam by the looks of his face. Sam got into his bank vault just by showing up at the bank. The passport was invented in the 1400s by the British, but before World War I the use of identification documents was uncommon. As travel increased in the early 1900s the use of identification documents increased as well, among other things to combat espionage, and has been increasing ever since. Today, the banking system has been walled off by government identification demands to stem money laundering. Banks are required by law to accurately identify each and every customer to understand where and why money enters the system. Normally, this identification is carried out by showing your ID card or passport. As banks have come to store most of our valuables in carefully protected digital bank accounts instead of physical bank vaults, accessing these with digital identification is a logical evolution. And so we started using passwords, PIN codes and other digital IDs.

Back in the present. In Sweden, as a market and an ecosystem we have solved a slew of challenges at once. Digital access to government services is solved. Digital signatures of documents is solved. Distribution of new fintech services is solved. PSD2 is solved. Instant payments is solved. From the eyes of fintech entrepreneurs this is heaven. Onboarding new users to a complex financial service is an astonishingly simple and powerful experience.

Surely this is socialist state Sweden forcing technology on its citizens. Or a zeitgeist-attuned entrepreneur inflicting technology on the people. Actually, the banks did it themselves. The incumbent, oligopoly-wielding, consumer banks of Sweden gave away the keys to their kingdom. In an astonishing feat of cooperation and consensus-building, a national digital ID standard was created.

Fuelled by dot-com optimism

The birth of Bank-ID came in the early 2000s, when the EU amended the law to equate digital identification to physical identification. Fuelled by dot-com optimism, an unholy alliance of government and banks started driving the digital development of Sweden and in 2003 the first digital Bank-ID was issued. A few key governmental services were adapted and astonishingly enough that same year 27,000 tax returns were signed digitally. During the 2000s Bank-ID existed mainly as a clunky desktop-PC experience until in early 2010 the first smartphone version was launched. Adoption and usage picked up somewhat towards the fall of 2012 when something spectacular happened: The large retail banks, again in a mind-boggling feat of cooperation, launched Swish, an instant mobile P2P payment solution. Small social payments were solved in the Swedish market. The Swish service required mobile Bank-ID and over the next 4.5 years as Sweden universally adopted mobile payments, we also adopted a secure, mobile digital identification as a consequence.

Carrying around a mobile Bank-ID in your pocket is not only extremely empowering, it is also quite risky. Going back to the brick-and-mortar bank vault metaphor, imagine you had it all in your pocket, the whole vault, all the time. Going to the pub with the entirety of your assets in your pocket sounds crazy. But that is exactly what most Swedes do, effectively. All accounts, all government data, all of it. People have been robbed of their Bank-IDs and even coerced to transfer assets, and it is a phenomenon that will likely increase. With great power comes great responsibility, and so far the Swedish banks and Bank-ID have moved decisively to repair trust. This will be critical for Bank-ID to age well, much like most people are kept unharmed by and even unaware of the ongoing credit card fraud.

Other types of more subtly fraudulent schemes are also challenging Bank-ID. One example is shrewd businessmen who are attracted by the power and simplicity of Bank-ID to lure users to sign up for bad products. Bad deals made easy. As users, our trust in Bank-ID is contagious so we implicitly trust in any service that uses the Bank-ID as its ID layer. Saying yes and signing contracts with Bank-ID is deceptively simple, and who reads the 20-page terms and conditions anyway?

Another example of swindling is the leakage of very sensitive data to third parties. There is a raft of apps offering consumers “help” to manage their assets or monitor their spending and budget. With a simple Bank-ID login, the entirety of your bank account transaction history can be transferred to the app. These are data that show some of the most intimate details of where, when and who you transact with. Not only which shops and products you like, but also inferred data from a too large cash withdrawal at midnight, or a certain pattern of fast food spending. We have yet to have a public data breach of this kind, but it will most certainly come. Likely in the form of profiles being sold on the dark web, bought and then published for maximum negative publicity. And huge public outrage.

Is it possible that Bank-ID empowered the people just a little bit too much? Yes, sort of. But likely there is no way back. If the phenomenon of Bank-ID was a person, it would be an innocent seven-year-old, yet to be made aware of the dangers of the world. As it matures we need to brace ourselves for the many tumultuous years of teenage revolt to come.

Money is being reinvented

A more long-term threat is the risk of complacency. If we take a short detour from ID into a related, but separate, part of the technology landscape, we can see that digital money is being reinvented by Blockchain and Bitcoin. Using some mind-bogglingly complex mathematics, the key innovation is that trust and ownership are established by total decentralization instead of total centralization. Most of today’s money is based on our trust in banks keeping our data secure in central storage. The same goes for Bank-ID: trust is established by the banks and Finansiell ID-Teknik BID AB keeping our ID data secret and secure.

But if money is decentralizing, shouldn’t identity follow? Many entrepreneurs certainly believe it should. Ashish Gadnis, founder of BanQu, is building a mashup of Blockchain and identity to make “identification borderless and immutable”. Monique Morrow, former Cisco Services CTO and evangelist, has founded The Humanized Internet with a similar goal.

Investors believe too. In Sweden a few high profile startups are trying to make the concept global: “Using our technology one can remove all usernames and passwords and use our app instead,” says investor and Covr Security chairman Anette Nordvall. Covr was founded by former employees from Bank-ID.

In June 2017 the high-profile startup Civic managed to raise USD 33 million in 30 seconds for its initial coin offering (ICO). Civic is building a distributed identity using Blockchain and biometrics on smartphones, and when asked if they will become a Unicorn soon, their high-profile CEO Vinny Lingham retorted on Twitter: “We’ll likely become a non-profit foundation before then. We aren’t building a company. We’re creating a new type of public utility!”

Given our runaway success, Sweden will probably be Bank-ID:ing away happily, ignoring the megatrend towards a decentralized, self-sovereign ID layer. Meanwhile, communities and nations without a Bank-ID-type solution will leapfrog onto the solutions powered by Blockchain. Bank-ID is only a local maximum on the ever-rising ladder of innovation. And early success can be fatal in the long run.