Identity and privacy have always been a point of contention both online and offline. But while we can generally control our identity and privacy in the offline world with ease, digital identity has long been controlled by third-party entities we interact with and promise to keep our data safe.
History has shown time and again, with major hacks that reveal our names, addresses, phone numbers, and credit card data, among countless other identifying attributes, those third-parties cannot be trusted with our identifying information. Just as concerning, third-parties have long monetized our data, creating an insidious and malicious use of data for their financial gain. We live in a time of digital surveillance capitalism.
The notion of online identity is rapidly evolving in a bid to give internet users more control over their information and who can access it. In several countries around the world, the concept of self-sovereign ID or decentralized ID technology (two terms that, in the vast majority of situations, are interchangeable) is rapidly taking hold. Online users are getting access to the services they desire but controlling what they share about themselves — and how.
But as we move towards a more privacy-minded world, we must prepare for major platforms to resist the movement. We must insist that policy makers around the world join us in our bid to improve privacy and user centric data services. And we must be prepared for the security, privacy, and business model challenges along the way.
Evolving identity
The world’s view on identity is starkly different whether you’re online or offline. In the offline world, you hold your license and passport and show it only when required. Want to fly? Show your passport, but keep it on your person. When you want to buy alcohol at the store, someone verifies your age by examining your license.
But when you leave those establishments and after you verify your identity, the establishment you’ve visited doesn’t store your license or passport in its systems. They understand that what you have is a verifiable form of identification, that you, the person referenced on the document, presented it to them, and they trust what it says because it’s an official government-issued card. It’s a form of self-sovereign ID, fully owned and controlled by the individual and serving as a verifiable credential without the transfer of sensitive data to a third party.
Historically, the internet has used a decidedly different tack. When Google, Facebook, or other prominent platforms want to verify your identity, they ask you to provide data digitally. They then store that data on their own servers. In those cases, internet users have essentially handed over their passports or licenses to a third-party and hope that their data will be kept safe.
In far too many cases, it isn’t kept safe. And while we can hope that a provider can protect our data, the fact is, not even the world’s largest organizations (or governments) can guarantee data security. That ultimately reinforces the broader trust issue internet users continue to experience. Even in a best-case scenario, we internet users have discovered, the platforms we’re supposed to trust with our data simply cannot be trusted. And in worse cases, we’re finding they’re misusing our data for their own benefit. Structurally this is a hard problem where large troves of data (like large stores of gold) are attractive to fraudsters and for the most part nearly impossible to fully protect.
That’s precisely why the movement toward decentralized data services and digital identity is so important — and is in step with how society has worked for generations.
With those technologies in place, we can reclaim control of our personal data. Instead of entrusting our information to a third-party provider, we can store it securely within a digital wallet app on our device. This data, referred to as ‘credentials,’ can take many forms but are typically the digital equivalents of documents we are already familiar with: passports, driver’s licenses, membership cards, and even boarding passes or health records; and in the future also include new digital credentials about many other parts of our digital life and digital reputation.
Then, when an organization or peer requests information from us, we can share a digital proof that can be immediately verified while keeping our data safe. It’s as easy as holding up our passport or driver’s license in the real world. And it’s just as portable and trusted: These credentials can be verified by anyone, anywhere – thanks to a series of open standards and protocols that the Avast team helped architect.
A real-world problem
Our efforts in this area aren’t centered solely on the possibility of identities being targeted, they’re centered in the very difficult reality that identities are under attack — and increasingly monetized by those who should be more concerned with protecting them.
Just last year, Twitter announced that it had suspended a malicious hacker that stole identifying information and other data on all 45 million people in the country. The hackers accessed the data in Argentina’s National Registry of Persons and offered to sell it on a black market forum.
Earlier last year, researcher Javelin Strategy & Research released a study that found criminals stole $56 billion from Americans in 2020 with identity theft attacks. About $13 billion of that sum was stolen by cybercriminals who hacked identifying information.
In December, the Identity Theft Resource Center revealed that data breaches targeting user identities were up 17% year-over-year through September 2021, with 1,291 breaches. Most of us in the security community fully expect that upward trend to continue well into 2022 and beyond.
A real-world movement…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
