As we move towards a more privacy-minded world, we must prepare for major platforms to resist the movement.
Identity and privacy have always been a point of contention both online and offline. But while we can generally control our identity and privacy in the offline world with ease, digital identity has long been controlled by third-party entities we interact with and promise to keep our data safe.
History has shown time and again, with major hacks that reveal our names, addresses, phone numbers, and credit card data, among countless other identifying attributes, those third-parties cannot be trusted with our identifying information. Just as concerning, third-parties have long monetized our data, creating an insidious and malicious use of data for their financial gain. We live in a time of digital surveillance capitalism.
The notion of online identity is rapidly evolving in a bid to give internet users more control over their information and who can access it. In several countries around the world, the concept of self-sovereign ID or decentralized ID technology (two terms that, in the vast majority of situations, are interchangeable) is rapidly taking hold. Online users are getting access to the services they desire but controlling what they share about themselves — and how.
But as we move towards a more privacy-minded world, we must prepare for major platforms to resist the movement. We must insist that policy makers around the world join us in our bid to improve privacy and user centric data services. And we must be prepared for the security, privacy, and business model challenges along the way.
The world’s view on identity is starkly different whether you’re online or offline. In the offline world, you hold your license and passport and show it only when required. Want to fly? Show your passport, but keep it on your person. When you want to buy alcohol at the store, someone verifies your age by examining your license.
But when you leave those establishments and after you verify your identity, the establishment you’ve visited doesn’t store your license or passport in its systems. They understand that what you have is a verifiable form of identification, that you, the person referenced on the document, presented it to them, and they trust what it says because it’s an official government-issued card. It’s a form of self-sovereign ID, fully owned and controlled by the individual and serving as a verifiable credential without the transfer of sensitive data to a third party.
Historically, the internet has used a decidedly different tack. When Google, Facebook, or other prominent platforms want to verify your identity, they ask you to provide data digitally. They then store that data on their own servers. In those cases, internet users have essentially handed over their passports or licenses to a third-party and hope that their data will be kept safe.
In far too many cases, it isn’t kept safe. And while we can hope that a provider can protect our data, the fact is, not even the world’s largest organizations (or governments) can guarantee data security. That ultimately reinforces the broader trust issue internet users continue to experience. Even in a best-case scenario, we internet users have discovered, the platforms we’re supposed to trust with our data simply cannot be trusted. And in worse cases, we’re finding they’re misusing our data for their own benefit. Structurally this is a hard problem where large troves of data (like large stores of gold) are attractive to fraudsters and for the most part nearly impossible to fully protect.
That’s precisely why the movement toward decentralized data services and digital identity is so important — and is in step with how society has worked for generations.
With those technologies in place, we can reclaim control of our personal data. Instead of entrusting our information to a third-party provider, we can store it securely within a digital wallet app on our device. This data, referred to as ‘credentials,’ can take many forms but are typically the digital equivalents of documents we are already familiar with: passports, driver’s licenses, membership cards, and even boarding passes or health records; and in the future also include new digital credentials about many other parts of our digital life and digital reputation.
Then, when an organization or peer requests information from us, we can share a digital proof that can be immediately verified while keeping our data safe. It’s as easy as holding up our passport or driver’s license in the real world. And it’s just as portable and trusted: These credentials can be verified by anyone, anywhere – thanks to a series of open standards and protocols that the Avast team helped architect.
Our efforts in this area aren’t centered solely on the possibility of identities being targeted, they’re centered in the very difficult reality that identities are under attack — and increasingly monetized by those who should be more concerned with protecting them.
Just last year, Twitter announced that it had suspended a malicious hacker that stole identifying information and other data on all 45 million people in the country. The hackers accessed the data in Argentina's National Registry of Persons and offered to sell it on a black market forum.
Earlier last year, researcher Javelin Strategy & Research released a study that found criminals stole $56 billion from Americans in 2020 with identity theft attacks. About $13 billion of that sum was stolen by cybercriminals who hacked identifying information.
In December, the Identity Theft Resource Center revealed that data breaches targeting user identities were up 17% year-over-year through September 2021, with 1,291 breaches. Most of us in the security community fully expect that upward trend to continue well into 2022 and beyond.
A real-world movement
To be sure, we will not all start using wallets to protect our digital identities overnight. This migration will take some time. But there are already promising developments in the space.
Alastria, a project started by a consortium of prominent organizations that uses blockchain, is a prime example. Its solution gives users full control over their identities, and it’s being rapidly adopted (and applauded) in Spain. Several other European countries, including Finland, Germany, and the Netherlands, are also embracing the technology and want to iterate on some of these early solutions to create a working framework for how digital identity can evolve over time.
We at Avast have also been eyeing the decentralized identity space for quite some time. Last year, we acquired Evernym, a U.S. company that is widely recognized as a pioneer in developing self-sovereign identity technology and standards and is far along in developing a true solution for improving trust in our digital interactions. Adding their technology to ours will allow us to advance our vision for delivering decentralized, digital trust services
But even as we and other companies (along with privacy advocates across the globe) continue in our quest to build a better digital identity solution, challenges abound.
While European countries are farther along than the U.S. and other countries in embracing decentralized identity services, there’s still much work to be done. Even European countries that are most aggressive on improving digital privacy are only developing a framework for how these technologies could work. What’s ultimately needed is a regulatory policy, across the globe, that requires companies to utilize decentralized digital trust services. But that’s far from happening.
What’s worse, major platforms like Facebook and Google aren’t keen on the idea. Losing access to a person’s data means having less control over those users. It also makes the data these companies house far less valuable. But in order to move forward with a policy and plan, we need buy-in at all levels — and those platforms are preparing for a fight against it by making broad promises of shoring up their privacy features by limiting tracking on the web and in apps. They’re also quick to note that their scale and practices are our best chance at data security. Without them, they say, things can only get worse.
We also must acknowledge that even the most well-meaning technologies are fallible. As important as this technology is and will be in the coming years, privacy and security challenges will remain, and bad actors looking to disrupt our progress will engage in malicious activity. We must be prepared and address those problems as they arise — or preferably before they become a problem.
But the stakes are simply too high and the impact potentially too great to not chart that course and deliver a true solution to today’s digital identity problem. After all, if we can’t solve the challenges we face today, how will we address a future where services launch online and place digital identity at the forefront of their platforms?
Luckily, decentralized data and identity technologies and techniques are here. And there are many of us in the security community that are feverishly working to build solutions that not only safeguard user data but give users much greater ability to control who has access to that data and how it will be used.
But with challenges in the offing and platforms preparing to do battle, we must all support initiatives that support privacy and security, as well as the services that will bolster it. We must expect better and support the solutions that help us do better. That’s the only way to create a future where privacy and security are at the core of our collective digital experiences.
To achieve, we at Avast believe that a digital smart agent, in the form of a service/app for people, is the way to achieve user centric digital interactions, and that this digital smart agent that is interoperable across the globe, with strong public-private sector collaboration/partnership.
eIDAS 2.0 continues to move swiftly. Avast recently teamed up with the Intesi Group to co-host a webinar discussing the latest developments of the effort.
Yesterday, the W3C approved Decentralized Identifiers as a new web standard. Here's what it means for digital freedom.