Another day, another case of Grand Theft Data. Can a verified ID save the day?

They say that the more you witness something, the more normal it becomes. I opened Twitter last week to see yet another mega-hack from hell in the form of the Equifax breach; the breach exposing around 143 million US customer accounts and quite likely a further 44 million UK ones too.

The Equifax breach is one in a long line of personal data mega breaches. At last look, the Breach Level Index, maintained by Gemalto, has counted over 9 billion lost data records since 2013. Many of those lost records will be accidental, but many more will be maliciously stolen.

If I go to haveibeenpwned.com and check just two of my email addresses, I’ve had seven online accounts compromised. All we seem to be able to do when this happens is get annoyed and let out a large sigh. Something has to give.

I am not one for expecting technology to be a global panacea. But we need to start thinking about the severe lack of privacy and security in a smarter manner.

The world is awash with accounts

The fundamental issue we are dealing with is that every time we want to transact online, we have to open up a new account. This usually means sharing the same data across multiple of online sites. We find ourselves in a situation where the Internet is awash with online accounts, each containing essentially the same data, and each being a point of failure in the privacy and security of these data.

Anonymized verified ID

The collection and processing of all this customer data are coming under scrutiny with the likes of GDPR, and other local data protection bills. Having a sea of data, swirling around the Internet does nobody any favors. Reigning this in, but making sure that the identifying data you do have is true, and secure is the key to fixing this issue and minimising the number of ‘Equifax’ moments in data security.

Verifying customers and assigning them a digital identity that can be used across relying parties is a way forward. Of course, writing this down is a lot easier than actually achieving this. Verification of consumers can be performed, but it is the implementation of a verified identity that is the key.

Some places we can look to in correct implementation include:

Blockchain use case for verified identity

The blockchain has come under a lot of hype and conversely a lot of scrutiny. In a recent blast against the use of the technology within the identity space, some respected names poured water on blockchain for identity use cases. I beg to differ. I believe that the use of blockchain for verified identity status and cross-checking of that status gives us a good chance of redressing the balance that centralized identity systems have in being targets for mega-hacks.

The blockchain can be used to store signatures. These signatures can represent a verification status, over time. This status can be checked by sharing the public key of the signatory. Having proof of private key ownership is part of a chain of authorization events to maintain authenticity.

But how does the average Joe or Josephine store a private key? I hear you say. Well, they could store it in a piece of paper if needs be. But better still would be a randomly generated unique pass-phrase that unlocks the private key when it is needed.

Privacy enhanced identity

Another implementation option when providing an online identity for consumers is the use of pseudonymization or even anonymization. Services who consume personal data need to ask:

Do we really need these data to transact or can we get away with just knowing that person really is who they say they are and that they are over 18?

Even in terms of marketing data. Can the service, request subset of data to market effectively. Do we really need that person’s home address? It may change anyway. Do we need their date of birth, will age over or under suffice?. This privacy-based approach gels well with the concept of consented and targeted marketing. We are rapidly moving into an era of consumer-driven data sharing; your customers telling you directly what they are interested in. Consumers are increasingly savvy buyers and this scenario is not far off. Online Identity needs to move with it.

In the end, security matters

The idea of ‘one identity to rule them all’ which pops up now and again, is a good and laudable goal. However, the likelihood of this happening hangs in the hands of not technology, but commercial models and business deals. Verified identity can help to move these hurdles.

Whichever mechanism you use to maximize authority, and minimize personal data movement will still, at some juncture have an open point of vulnerability. Security of CIAM systems should never be overlooked no matter what technology you use. In another post, I’ll be talking more about the balance between usability and security in Customer Identity Access Management systems.