Change the ID fraud paradigm

Fascinating stories about ID fraud regularly come up and illustrate how unsuspecting citizens sometimes end up with major problems. In this episode of Rambam on January 10, 2019 on Dutch television some telling examples were shown, ones that are not hard to set up. In order to protect citizens against such misery, the Ministry of Foreign Affairs, the Dutch Data Protection Authority, the Dutch Consumers Association and the Dutch Fraud Help Desk come up with well-meant tips and tricks about what someone can do to avoid being a victim.

It is remarkable however to note that no tips are being given as to what the requesting party should actually do to reduce ID fraud. Perhaps because the ‘the law’ that specifies what is and what is not allowed is considered clear. But then, who really cares about what the law states? Enforcement is marginal and most often considered window-dressing. So the requesting, copying and processing copies of passports continues to take place at unprecedented levels. Regardless of what the GDPR or the Dutch ‘Wet op de identificatieplicht’ (WID) state.

It is not more than logical, and enforceable, that a controller (in GDPR-speak) takes the responsibility to perform ID verification correctly. And thereby removes legitimate ID fraud concerns for its customers and third parties.

Let’s turn it around and let the controller bear the burden of ID fraud. If an organization enters into an agreement on the basis of an incorrectly verified ID document, it should take the hit. And certainly not the person that was unknowingly involved.

Optimal verification means that it is established that the ID document a. is genuine and valid, and b. belongs to the holder. To prevent ID fraud, a controller must be able to demonstrate that it has performed everything within reasonable means to correctly identify the identity of its customer. If a home corporation leases a home to someone with a forged ID card, the real holder of this ID card must never be the victim. The same goes for an issued credit card and any other service or product.

Current technologies can easily discover these forgeries, by using a normal smartphone.