Latest News Legislation Technology

Using Digital ID to restrict the damaging impact of online stalkers

Loading the Elevenlabs Text to Speech AudioNative Player...


How do you stop someone stepping into your life, pretending to be you, contacting your friends and relatives? Digital identity technology can protect individuals from people like Matthew Hardy who tormented dozens of women and their family and friends, and is currently serving the longest sentence given to a stalker in the UK.

Imagine a friend messages to say they’ve got something to tell you, something secret, something about your partner. Except it’s not from your friend at all, it’s from a stalker, pretending to be someone you know, feeding you poisonous information that’s hurtful, damaging, and false. Hardy did this to 63 women, along with hundreds of people associated with them.

Building a watertight case

Hardy, 32, from Northwich, Cheshire, UK, initially targeted women he knew from childhood. He later selected women at random, often choosing people with a prominent social media profile. Bullied at school, he struggled to develop friendships and at the time of his trial was unemployed.

Over 11 years, more than 100 complaints were made to Cheshire police alone. Many women, however, found that police officers in Cheshire, Lincolnshire, Kent and elsewhere were slow to take them seriously.

Hardy was arrested 10 times but denied the allegations and police struggled to build a watertight case against him. Some of the women collected evidence, sending screenshots to the police – which Hardy was able to monitor, mocking them for their actions.

‘Can I tell you a secret?’

Eventually, Hardy was brought to trial through the diligent work of Cheshire police officer PC Kevin Anderson. PC Anderson later told reporters that, “The impact on those affected by his actions has been immense, causing some of them to change some of their daily habits, and live in constant fear that they were being watched.”

In January 2022, Hardy was convicted of five counts of stalking and sentenced to nine years in prison. “It’s the longest sentence we’ve ever heard of,” said Violet Alvarez of anti-stalking charity the Suzy Lamplugh Trust. For many of his victims, the impact of his actions still overshadows their lives.

In an appeal hearing, the defence team argued that Hardy’s autism prevented him understanding the true impact of his actions on his victims, and his sentence was reduced to eight years.

Hardy’s case was detailed in a seven-part podcast by Guardian journalist Sirin Kale, later developed into a two-part documentary for Netflix. Both productions used the title, ‘Can I tell you a secret?’, often Hardy’s opening line in his first message to unsuspecting victims. They believed it was from a friend, usually another woman, though in fact it was Hardy using accounts he’d created on social media in the names of other people.

Protecting users from harmful content

The UK’s new Online Safety Act, passed last autumn, aims to force platforms to better protect UK users from harmful content. Intended more as a skeleton framework than a fully fleshed-out package of measures, the 286 pages of the Act make no reference to stalking. The new law does however include an offence of ‘false communication’, committed if a message is sent by someone who intended it ‘to cause non-trivial psychological or physical harm to a likely audience.’ However enforcing the law won’t be easy, especially in an encrypted service like WhatsApp, as the government has assured tech firms they won’t be forced to scan encrypted texts indiscriminately.

Maintaining a balance between privacy and security is difficult. In the meantime, users remain vulnerable to someone hiding behind a false identity. How can you tell if a message is truly from the person who appears to have sent it? A solution lies in digital identity apps like Luciditi.

High-grade digital security

Digital identity can assure websites and platforms that a user is who they claim to be. The app verifies someone’s identity then holds this proof in a user’s ‘digital wallet’, protecting it behind high-grade digital security, of the kind used by banks.

The data is never shared with anyone unless the owner chooses to do so. Websites or other apps that accept Digital Identity are simply given assurance that someone is genuinely who they claim to be – which has obvious advantages for social media platforms.

Large Online Social Media companies who want to protect their users could easily allow them to provide a ‘proof’ of their identity. Again, no personal data would be released, there would simply be a digital yes/no. This would mean that a user’s friends and family need only trust a message confirmed as ‘yes, this genuinely comes from the person you know.’

Helping platforms to protect users

An early adopter would have first mover advantage. Rivals would be compelled to follow suit – or face losing people who were no longer willing to use a platform that still allowed a Wild West approach to identity.

A user joining a platform protected by Digital Identity would be asked to verify their identity through use of their chosen wallet app or by creating a new one using identity documents. The data is secured such that no-one other than the user could access.

The proof provided by the presented ID wallet would assure the platform that this person was genuine, they had been verified, they were not a bot or a fake account, their messages were approved. Unapproved messages apparently sent by the same person could then be easily identified and ignored.

Cheating the system

Luciditi’s Glassvault feature goes a step further in preventing genuine verified accounts being used for harm. Rather than solely relying on the proof from an ID wallet, certain elements of the underlying data used at the time of verification are parked in a digital ‘escrow’.

Police investigating online harm could be granted access to specific Glassvault data which would reveal the true identity of the user involved. Even if an account were deleted, including the ID wallet linked to it, the Glassvault data would stay out of reach and would remain available to investigators.

Unfounded fears

Protecting users by verifying identity doesn’t sit easy with everyone. Campaigners fear that identity data can be collected by the government, leading to a backdoor route to a national database. In this scenario, all UK citizens would be required to give their details to a database that would then become the primary way to access public and private sector services, similar to the system adopted by Denmark.

Worse, the data could be used for ‘big brother’-style control of the population, or sold to the highest bidder for profit, leading to a ‘surveillance state’ where you use your fingerprints for everything from buying milk to paying tax.

“The Government is introducing a giant digital identity system for all of us to access basic services”, claims campaign group Big Brother Watch, adding that “the Government is also cultivating a ‘digital identity market’ of private companies that can perform identity checks online.”

However, these claims are refuted by Open Identity Exchange (OIX), an umbrella organisation representing those involved in the digital ID sector, among them Arissian – developers of Luciditi.

OIX says that “digital ID will not be mandatory. There will always be choices…. There is focus on alternative proofing methods for those who either struggle to prove who they are or simply do not want a digital ID.”

For developers like Arissian, digital ID gives users an optional asset that primarily relies on trust. “Digital ID tech puts people front and centre”, says Ian Moody, Luciditi co-founder and CEO, “our user-centric approach is committed to a framework of trust that safeguards privacy, protects users, and is driven by the needs of individuals.”

For Moody, big brother conspiracies are “uninformed scare-mongering” that imply politicians are capable of spending billions of pounds on managing the identity details of more than 60 million people in a system that’s both hugely extensive and completely successful yet somehow entirely hidden from financial oversight and the media.

Robust standards for digital products

We as a society, campaigners included, face hard choices. We’re living in a digital age, it’s never been easier to connect with people. We can instantly buy products and services online; teenagers no longer need to take their passport to a gig to prove their age. However, our digital connections are vulnerable to criminal actions.

We as individuals need to protect ourselves and so do retailers and suppliers. Which is why sometimes we need to involve the police – as Hardy’s victims did. The police can only enforce the law, and so the law must keep up with technical developments.

It’s the government’s duty to protect our online safety, but this is not the same thing as pervasive big brother oversight.

The Department for Science, Innovation and Technology (DSIT) has expressly said, ‘The government is not making digital identities mandatory.’ DSIT is setting robust standards for digital ID products, and overseeing a list of “trust-marked” accreditation organisations. These are the first steps towards legislation that, rather than creating a giant database, will better protect individuals’ digital privacy.

Restricting others like Hardy

As is often the way with innovation, advances in digital identification sometimes outstrip public acceptance. It takes time for people to feel comfortable with developments, from digital ID assurance to live facial recognition in shops. Even so, big brother campaigners are out of step.

The government is working on new legislation that protects the privacy of individuals and incorporates national frameworks of trust as supported by the developers of products like Luciditi. The alternative is no legislation, where stalkers remain unrestricted.

People like Hardy are not fearful about new tech. He was able to investigate his victims’ lives, their social circles, and their actions in reporting him to the police, likely assisted via easily available tools. Others are just as capable. As a society, digital ID is our best weapon in restricting them.

Want to know more?

Luciditi’s Identity Proofing technology can help meet some of the challenges presented by the OSA. If you would like to know more, Contact us for a chat today.

Get in touch

Other News Technology

Digital Identity takes Hackers out at the knees

Loading the Elevenlabs Text to Speech AudioNative Player...


Identity verification is usually a one-way street. Security-conscious companies demand access to personal documents before they trust you. But how far can you trust them? The new Luciditi digital ID app significantly cuts the risk of your details being breached, as recently experienced by a third of the population of Australia.

When Optus, Australia’s second-largest telecommunications provider, was hacked in September 2022, as many as 10 million accounts were exposed. Names, dates of birth and phone numbers were accessed by a person or people who demanded a ransom of a million dollars.

A database that beckons hackers, like a giant Aladdin’s cave, is always risky. Once breached, everything’s up for grabs. Now, for the first time, businesses have a viable alternative – and so do we, their customers.

Luciditi, an Digital Identity Platform from a British team of data security experts, lets you upload your ID documents to a personal digital wallet on your phone, so that relevant details (known in the trade as ‘information attributes’) can be shared with those who need to know. No need to send anything via email, social media or postal snail mail. Accessed by photo facial matching with liveness detection, everything is sealed behind military-grade encryption.

Reducing the risk of a breach

Data breaches have far-reaching consequences that individuals can do little to prevent. According to the UK government’s survey of cyber security breaches (2022), 39% of UK businesses identified a cyber-attack in the previous year, though the true number is probably higher. In the US, the 2021 Thales Data Threat Report found that 45% of companies had experienced a recent breach.

Internal mistakes are just as dangerous. The personal details of 900,000 Virgin Media customers were leaked in 2020 after a database was left open for 10 months. Individuals expect organisations’ data security to be regulated by government departments and independent authorities. However, the UK’s Financial Conduct Authority itself has admitted leaking personal data, so too the Home Office which has apologised, three times, for unauthorised breaches of data.

Luciditi substantially reduces these risks. It works like this. An organisation invites you to sign up to them, requiring you to prove your identity via the Luciditi app. Individuals download the app for free – running costs are paid by Luciditi’s corporate clients.

The organisation you’ve signed up to gives you a public key to their side of the app, which you then use to create your own personal wallet where you upload your details and ID documents.

Within your wallet, each document or other piece of data is separately encrypted, and your personal key (held on your device) is known only to you. No-one else has the key, including Luciditi.

Users joining Luciditi consent to data being gathered from their credit record, the electoral roll and other government-backed sources that confirm their name, age and address. Supported by a live selfie, this information is combined into a digital ‘Luciditi identity’ that individuals can then use at will, whether they need to sign up to a utility company or prove their age at a venue. Users are effectively signing up to a ‘network of trust’, in which all other participants have been verified.

Proven industry expertise

Developed in-house over nearly four years by tech company Arissian, based in Birmingham, Luciditi benefits from the success of the company founders’ previous ventures in UK healthcare, among them Docman. Bringing iron-clad security to sensitive medical data in volume, Docman holds clinical documents for two-thirds of the UK population.

Phil Young, Chief Technical Officer of Arissian, says: “As the recent catalogue of high-profile data breaches prove, even large organisations aren’t necessarily the best equipped to keep your data safe.

“Many businesses haven’t upgraded their data security and privacy technology at the pace required both by the modern customer in terms of a speedy registration process and, most importantly, to ensure the vast and growing cache of personal information now required to stay on file is kept as secure as possible.”

Young, along with co-founder Ian Moody, initially developed Luciditi as a spin-off from a patient consent system. They saw that their pioneering solution, allowing sensitive information to be securely shared between patients and clinicians, had wider potential in other sectors in which individuals need control of their own data.

Protecting users from the start

Luciditi’s healthcare heritage gives it a valuable sense of trust, all too often missing from other identification systems. Since these primarily support the global corporates that own them, customers can do little more than hope that their own interests are safeguarded.

Once you’ve given your details and documents to one of these firms, you as an individual have little say over how they protect that information or how long they hold it for. You might be careful in protecting your own security, but once your data’s out the door you’re at the mercy of others. Luciditi is alone in thinking of individuals from the start, restoring trust to the relationship by giving them greater control, along with a sense of reassurance and agency.

Seeking to build a re-usable platform Ian Moody says: “We wanted to protect the end-user in the process as much as we would the organisation implementing – surprisingly, this is not a fundamental feature of other systems in the market, it’s typically very one sided and not on that of the individual.”

Luciditi enables users to upload their documents and then make them available to multiple operators. It can recognise genuine documents from thousands of different types used across the world – everything from drivers’ licenses, temporary visas through to passports from 250+ countries.

Using the app to provide immediate consent to share or identity, individuals can devote less time to scrabbling around looking for a utility bill each time they need to sign up to something.

No need for ID to get into a venue

While finance companies need to inspect personal documents, businesses such as social media platform Curv use the app only to confirm identity, without routinely requiring access to personal data. Curv can only reach original documents in rare ‘break-glass’ situations, (such as providing the identity of an individual to authorities) – through a feature known as GlassVault, unique to Luciditi.

Curv, which is seeking to restrict the anonymity that’s harmful to other social media platforms, can assure users that it has the capability to prove identity, without taking the intrusive steps of more regulated sectors.

Luciditi also permits real-time identity and age verification, either in the room or remotely. Operators asking for proof receive a reply confirmed by documents which remain hidden behind encryption. People entering a venue don’t need to reveal or even carry personal identification, the app does the job for them.

Passwordless sign-in

Luciditi’s smart innovations also let individuals access websites and apps more securely than via a password. A vaguely scrambled combination of the numbers in your birthday is an easy target for hackers. Worse, passwords are frequently recycled – it’s too difficult and inconvenient not to – which makes them particularly vulnerable. Once breached, they become a stepping-stone to swathes of your digital life.

A much stronger form of security relies on biometrics. Luciditi incorporates a package of web authentication standards (FIDO2, WebAuthn, CTAP2), supported by the likes of Google, Apple and Microsoft, enabling seamless access to apps and authentication systems. Your biometrics, combined with your verified Luciditi ID, get you through the door faster than by typing in a one-time password code, or a number generated by an authenticator app.

To activate Luciditi’s passwordless sign-in technology, you simply scan the QR code of the app you want to access, or enter your Luciditi username and then tap the sign-in button. That’s it. Over time you’ll be able to reduce dependency on passwords, your security will increase and with it your peace of mind.

Ultimately, Luciditi’s package of security features seriously raises the bar in the level of protection that individuals can expect from their online relationship with businesses. Data is available only as long as both sides deem necessary, users can see if their data has been seen, and access can be readily revoked. The app’s compartmentalised design, encrypting and protecting individual documents, limits the need for an Aladdin’s cave database, builds trust on both sides and significantly restores the balance of power between concerned individuals and vulnerable corporate giants.

Want to know more?

If you would like to find out how Luciditi can protect your business contact us for a chat today.

Get in touch