The Next Wave
Sometimes we need to step back from the technology challenges of the day and understand the opportunities that today’s emerging technologies will create for tomorrow.
Much has been written in the past six months about health passports; they represent one key element for getting the travel industry back to normal. The number of actual and in-development products I have seen touching this space is easily in the dozens. Some come from large organizations, like the International Air Transport Association’s Travel Pass, the World Economic Forum and Commons Project’s CommonPass, the International Chamber of Commerce’s AOKpass, and IBM’s Digital Health Pass. Others have been put forth from younger companies, like United Solutions’ Siqi, and from COVID-era startups like Verifly.
Paper-based health passports also exist but can be easily forged; as a result, they have earned little international recognition. More robust options like the ones mentioned above provide a form of digital proof of vaccination, negative virus test results, and/or positive antibody test results. The holder is identified biometrically, and the health records are confirmed by a third party (such as a testing lab or pharmacy) using a cryptographic “signature” that can be verified by anyone from anywhere and that cannot be forged. A traveler can share this information with an airline, immigration service, hotel, or other service provider, who can independently verify that the “signature” is legitimate and applies to the person presenting it.
The potential use cases are many. Already in Israel, only “Green Pass” holders who have been fully inoculated can eat in restaurants, while others cannot. Health passports offer the promise of a return to low-friction travel much sooner for those who are at low risk of transmitting the virus, while protecting borders, flights, hotels, and other establishments from those more likely to infect others.
While the benefits for the travel industry are obvious, there is a much bigger story at play here that will persist long after COVID, and that is my topic for this week. The underlying technologies used by most digital health passports have far-reaching implications for the way consumers provide personal information to businesses and others, and for how businesses get, use, and retain customer information. It is particularly important for the travel industry because of the complex mesh of data privacy regulations, the ever-present threat of data breaches, and the need to have access to sensitive customer data, often for long periods of time.
It is no secret that personally identifiable information (PII) has been a major source of risk to hotels in the past 15 years. Achieving compliance with privacy and data security regulations and avoiding breaches is expensive – and so are the fines in the case of violations. Marriott was fined $123 million by the UK for a recent breach. And while the fine was ultimately reduced to $23.8 million, it still stands as the fifth largest on record. And Marriott has hardly been alone; over the years most of the major hotel brands have suffered major costs due to breaches. I estimate that fines, remediation and ongoing compliance costs within the hotel industry alone since 2008 have easily exceeded $1 billion. Anything that can significantly reduce those risks – which the technologies used by digital health passports can be repurposed to do – is worth looking at closely, even if it may not yet be quite ready for prime time.
Two key technologies that underpin health passports, and that are relevant to the broader discussion, are Self-Sovereign Identity (SSI) and Distributed Ledger Technologies (DLT). They can work in combination to put consumers in charge of their own data, while supporting public verification of claims such as vaccinations. The broader uses that were already under way pre-COVID include validation of travel credentials (passports, visas, and programs like TSA Precheck and Clear), proof of employment or education, memberships, creditworthiness, and many others. DLT has been around for many years but has been strengthened by recent advances emerging from the blockchain world. SSI is younger and still evolving, but clearly becoming an important part of the technology fabric.
You can find a good (if slightly commercialized) overview of SSI here if you are technically minded, but for this article I will try to keep it in lay terms. It is not a question of whether SSI is coming, but when. Financial institutions and the healthcare industry are already embracing SSI technologies for key use cases. Tech giants who make operating systems and devices, such as Apple, Google, and Microsoft, have some support already in their products, and more in development.
The infrastructure for SSI interoperability is being built on open standards overseen by the Worldwide Web Consortium (W3C), through organizations like the Decentralized Identity Foundation (which is administered by the Linux Foundation) and Sovrin. The landscape is still evolving to be sure, but much more is now known than remains unknown. We cannot predict the exact form of the result or the timing, but the huge investments that industry leaders are making in this technology make it virtually certain that in some form, it will come to pass before very long.
SSI relies on DLT-based databases primarily for validation. The rest of this article will focus mostly on SSI; I will not cover DLT in detail here because, while necessary for most SSI applications, it is a well-established technology and there are plenty of resources online (you can read this excellent primer, which traces DLT’s origins to the Roman Empire). Suffice it to say that key aspects of DLT for SSI (and the reason it is used for cryptocurrencies) include the abilities to verify transactions without a middleman, to provide an immutable historical ledger, and to tie database entries to unique individuals, organizations, or things.
For the sake of clarity, I will take some liberties and describe future scenarios with specific hotel examples that are more detailed than we can know them at this time. While the technology foundation is now quite mature for DLT and maturing for SSI, the layers through which humans will interact with it are just beginning to take shape. As with a new breed of automobile, where a new chassis and motor design have been completed and tested but the body and cockpit are still in early design, we can know roughly how it will work even if we do not know what it will look like or exactly how to drive it.
For travel, SSI is almost universally good news – something the industry needs more of today! Travelers will regain control over their personal data and face less risk that businesses will abuse or compromise it. They will no longer need to remember dozens of passwords, or to maintain their contact information, preferences, and payment details on multiple websites and apps. Identity and document checks at airports, border crossings, car rental counters, and hotels can be nearly frictionless. Hotels, airlines, and other travel providers will get a much better ability to know their customers. These travel suppliers and the intermediaries that work with them will be able to vastly reduce risk by eliminating the storage of most PII. If this sounds too good to be true, read on – it gets even better.
The same technologies promise the ability to revolutionize key strategic processes for hotels. Much of the current infrastructure for both distribution and payment is built around an inherent lack of trust (are you, and your booking channel, really eligible for that rate?). If hotels truly knew which customer was booking, regardless of channel, they could always provide the right service and price, verified by the supplier even when an intermediary was the source, and compensate each intermediary channel for the true role it played in selling the customer – and never more than that. Qualified rate fraud could be virtually eliminated if hotels had a way to verify that a guest booking a corporate rate was in fact employed by the company.
Hotels could negotiate innovative deals with online travel agents (OTAs), perhaps paying low transaction fees for bookings from elite-level loyalty members or corporate accounts but guaranteeing the associated benefits. This would give brand-loyal guests or corporate travelers who sometimes need airfare, activities, or other services that most hotel sites cannot adequately provide the ability to book through OTAs without losing their elite or corporate benefits – or costing the hotel a high commission. Traditional OTA commissions could be reserved for those guests where the OTA was the sole or primary influence in the booking.
Today none of this can work because there is no way to know, particularly with third-party bookings, who the customer is unless and until they show up and you see their identification (and sometimes even then!). Corporate-rate fraud is widespread (or at least was in the pre-COVID days when corporate travel was robust) and is hard to enforce even with identification, which can easily be forged. OTAs might well be happy to get smaller commissions for brand-loyal customers who normally book on brand.com or for corporate accounts booking through global distribution systems, but they are not going to simply take a brand’s word on which bookings should be paid at the lower rate.
What are some of the ways self-sovereign identity could work for hotels and their guests? Here are some scenarios.
- A guest could create one or more profiles, typically using a mobile app on their phone, and enter personal information and preferences, which are encrypted and require biometric authentication to access. The app might be from a third party or built into the operating system like Apple Wallet – your choice. Versions will be available for all major types of devices and will sync across the guest’s devices.
- The guest links a profile to their hotel account, or to an OTA account or corporate booking tool. Login is now biometric. Yes, some hotel programs already support biometric login, but there is a difference: in the self-sovereign world, login gives the hotel permissioned access to the profile stored on the guest’s device (or parts of it), whereas today it only gives the guest access to data the hotel has about them.
- The guest chooses what specific pieces of information to share with whom, and under what conditions (for how long, for what purpose). For the guest’s preferred hotel brand they might share their name, email, passport, loyalty number, room preferences, employer (if they have a corporate rate) and payment card. For a one-time stay that might never be repeated, they might share nothing more than their name (which is all the hotel gets today with some OTA bookings).
- If the guest books through an OTA, they can decide what to share with the OTA and also what to share with the hotel. The OTA can pass a link to their identity to the hotel, which will then have access to whatever the guest has decided to share (and nothing more). This benefits OTAs because the guest can now share information that will enable the hotel to deliver a more appropriate experience to their customer. Hotels can sometimes get this information today through a pre-arrival email with a weblink, but this is hardly frictionless for the guest, and many guests do not bother.
- Third parties can securely vouch for any claims a guest makes in their profile. If they say they work for IBM, IBM can create a cryptographic signature verifying that. If they say they hold elite status in a partner loyalty program that entitles them to free Wi-Fi at the hotel, the partner can add a signature verifying it. If they say they hold a particular driver’s license or passport, the government can similarly verify it (meaning they now have on their phone something that even the government should accept). If they say they have a COVID-19 vaccination, the place where they received it can add one verifying it (this is what many health passports already do).
- If the guest shares any of these claims with a hotel, the hotel can verify the authenticity of each one easily and securely, without needing to contact the third party directly or exchange sensitive information.
- For a hotel, a credit card issuer could verify that the guest has a credit card that will be valid to pay a deposit or cancellation penalty, without the guest having to provide the card number or the hotel having to run an authorization. In this case it could be more than a claim; it could include a promise of payment by the card issuer, analogous to a pre-authorization run on a particular card number (but not requiring the card number).
- A guest would be able to revoke a hotel’s permissions at any time and the hotel will no longer have access to their information. Most hotels will likely copy certain key information and retain it for a period of time to service the guest, to avoid problems like the guest’s name becoming inaccessible in the middle of their stay because they revoke permission. However, if the hotel gets a guarantee of payment and certainty of the guest’s identity, the data they need to copy may be little more than their name, loyalty level, and preferences relevant to the current stay.
- A verification can be revoked if the underlying claim being verified ceases to be true. If the guest no longer works for IBM, IBM can revoke its verification of employment. As soon as it does, a hotel attempting to validate the signature will discover the revocation.
- Nothing prevents the hotel from copying data from the guest’s profile that is necessary to deliver the services, or from retaining it as necessary and permitted under privacy regulations. The important thing is that they can minimize the PII they keep to the bare necessities, and thus minimize the risk of compromising it in a breach.
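The vouching, verification and revocation steps in the list above, as an added example that is not part of the original article: a Go sketch using Ed25519 signatures, in which the issuer's public key and a published revocation list stand in for the ledger lookup. The credential layout and the did:example identifiers are assumptions for this demo, not the format of any real SSI library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is one claim an issuer vouches for; identifiers below are constructed.
type Credential struct {
	ID      string            `json:"id"`      // unique id, the key for revocation
	Issuer  string            `json:"issuer"`  // who vouches for the claim
	Subject string            `json:"subject"` // the holder the claim is about
	Claims  map[string]string `json:"claims"`
}

// Issuer signs credentials and publishes its revocation list (stands in for the ledger).
type Issuer struct {
	Name    string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Revoked map[string]bool
}

func NewIssuer(name string) *Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Issuer{Name: name, priv: priv, Pub: pub, Revoked: map[string]bool{}}
}

// canonical gives the bytes to sign; json.Marshal sorts map keys, so it is deterministic.
func canonical(c Credential) []byte { b, _ := json.Marshal(c); return b }
func (i *Issuer) Sign(c Credential) []byte { return ed25519.Sign(i.priv, canonical(c)) }
func (i *Issuer) Revoke(id string)         { i.Revoked[id] = true }

// Verify is what the hotel runs: only the issuer's public key and published
// revocation list are needed, never a call to the issuer. Any change to the
// claims breaks the signature; a revoked id is rejected even if it verifies.
func Verify(c Credential, sig []byte, pub ed25519.PublicKey, revoked map[string]bool) bool {
	return ed25519.Verify(pub, canonical(c), sig) && !revoked[c.ID]
}

func main() {
	ibm := NewIssuer("did:example:ibm")
	cred := Credential{ID: "cred-001", Issuer: ibm.Name, Subject: "did:example:guest-42",
		Claims: map[string]string{"employer": "IBM", "rate": "corporate"}}
	sig := ibm.Sign(cred)
	fmt.Println("at booking:", Verify(cred, sig, ibm.Pub, ibm.Revoked))       // true
	ibm.Revoke(cred.ID)                                                       // guest left IBM
	fmt.Println("after revocation:", Verify(cred, sig, ibm.Pub, ibm.Revoked)) // false
}
```

A wallet would store the signed credential and hand over only the fields the guest chooses; the hotel still needs nothing from the issuer beyond its published key and revocation list.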
I can foresee the day where all the hotel has is your name, your loyalty history and point balance, and future/recent reservations – no credit cards, no passwords, no passport data – all the things that have been regularly breached and that have led to big fines. It does not completely eliminate PII risk, but it greatly reduces it.
On the other hand, we know that the hospitality industry is rarely a leader with new technologies, so when and how will this happen?
As with other technologies, other sectors will almost certainly lead the way. SSI is already appearing in the healthcare sector with digital health passports, and while that has become a high priority because of COVID, it is hardly the only application of interest. The finance and banking industries are not far behind because they want to reduce fraud risk and ease the burden of compliance with Know-Your-Customer and Anti-Money-Laundering regulations. Many governments are looking at SSI as a way to modernize border controls, as are airports to simplify check-in, bag-check, security, club access, and boarding.
Applications from these industries will lead consumers to start using the digital identity apps that I mentioned earlier, and they will start to become commonplace (there are already examples of this from several countries). If I had to guess, we are probably talking about months until digital health applications start to take hold, and one to two years for broader health applications and financial ones – an adoption curve similar to Apple Pay and Google Pay. Airport and border-control applications could emerge in a similar timeframe or lag by another year or more. Politically it will take some time for a critical mass of countries to agree on a common set of protocols; in the meantime, we may see different apps for different early-adopting countries.
Once consumers have SSI profile apps on their phone and begin to experience the reduced transactional friction, they will start to ask for it in other areas – and travel will be high on the list for any regular traveler. Many of the applications already in development by various governments and industry organizations will make the changes needed to interoperate with personal identity wallets. I expect in many cases these adaptations will be relatively simple. And some SSI applications can already function through Apple and Google wallets (think about the membership cards you probably already have in yours, then add a QR code that can be scanned to cryptographically validate it). The Singapore Government’s SingPass app, which already allowed citizens to view all their data from government sources in one place, recently incorporated COVID test results using these same core technologies.
As this evolves, before long guests will start asking hotels why they cannot use their digital identity to make reservations, check in, and even open their door – much as they asked about Apple Pay. Based on what is happening elsewhere, I would expect this will happen within one to three years. That is a wide range, but it is not far off, so it is time to start planning for the day that it comes.
If this future interests you and you want to help shape it for the hospitality industry, I encourage you to look at and potentially get involved with the Decentralized Identity Foundation (DIF), introduced above. It is not-for-profit, open source, and you can participate for free. Several well-known thought leaders from hospitality and travel tech have proposed a DIF special interest group around hospitality and travel, which, if approved, would be its third such group, after (can you guess?) financial services and healthcare. The purpose of the special interest groups is to ensure that the technical specifications for SSI can handle the key use cases from each industry, such as the ones I described above for hospitality. Both business and technical participants are welcome; technical knowledge is not required. Please reach out to me via email or LinkedIn if you are interested.