Do you ever wonder what happens with your data when a business asks you to make an online account with them? It seems that every time we interact or make a transaction online, we are asked to create an account, entrusting various degrees of our personal data to a third party. It’s not uncommon for one person to have hundreds of online accounts with multiple organisations – from banks and online shops to social media, and even healthcare providers.
In the current model, platform owners have control over our digital identity and user accounts are centrally managed by the organisation whose services we're accessing. What’s more, these organisations have a legal obligation to manage that data in a way that protects consumer privacy.
Unfortunately, protecting personal identifiable information (PII) has become more challenging since the onset of the pandemic, with cyber-attacks becoming more prolific as businesses increasingly moved online. According to International Association of Privacy Professionals (IAPP) data breaches rose in 2021 by a 68% increase compared to 2020.
A recent report from the Office of the Privacy Commissioner, 6 out of 10 Kiwis reported concern about businesses sharing their personal information without their permission, information being collected about children online without parental consent, and security of their personal information on the internet.
You only have to look at some of the latest headlines to see what happens when personal data is leaked through a cyber-attack or breach. Identity theft, a loss of privacy and reputational damage are just some of the consequences faced by consumers and businesses alike.
A better way to manage privacy?
With so many businesses collecting and storing personal information for identity purposes, you’re probably wondering – is there a better way? The good news is that a new system is on the horizon, which looks to put the user back in control of their own digital identity.
Advancements in computing power, cloud and the emergence of blockchain technology will soon see self-sovereign identities (SSI) as the solution to replace the old centralised model. The idea of SSI is based on a decentralised identity framework, which replaces usernames and passwords with decentralised identifiers (or DIDs) and cryptographic keys. This lays down the foundational standards for a digital world where many networks, systems and devices interact. By verifying a person's digitally signed credentials, blockchain-powered decentralisation provides a means for to prove an individual is the true owner of the real-world identity.
What does this mean for privacy? Essentially, self-sovereign identities will empower a user to choose which credentials to share with a third party, rather than surrendering their personal information whenever they need to use online services. This means doing away with the need for a business to store any of your information, credentials (such as passports or driver’s licenses), or passwords and login details.
How far away is SSI
Digital identity technology already exists, and we’re starting to see international governments lay the foundations for a new system. Last year the European Commission proposed the introduction of a trusted and secure digital identity for all EU citizens which would see the use of digital identity wallets that can store and manage identity data and official documents such as medical prescriptions, driving licences and diplomas. The proposed system would allow EU citizens to prove their identity, share digital documents or simply prove a specific personal attribute, such as age, without revealing any other personal details unnecessary for the transaction in question.
This sounds great in theory. However even if you have control over what attributes of your digital identity you wish to share, companies could still enforce what attributes an individual needs to share at a minimum to be able to access their services or apps. Once again, lawmakers will have a big say in how digital identities should be used by organisations.
Improved privacy for both users and business
For individuals, apart from having better control over their digital identity and personal data, having less accounts scattered around the internet lowers the risk of personal data being leaked through a breach – reducing incidents of identity theft, fraud, and related attacks.
For businesses, there are benefits to be reaped as well. 3rd parties won't be able to share user data without consent, reducing big privacy issues like that seen during the Cambridge Analytica scandal. By having less need for classic credentials (such as passwords and usernames), a new digital identity model can reduce friction and increase customer experience and efficiency, resulting in an overall revenue increase.
As self-sovereign identities become mainstream and standardised, the total cost reduction to a company could reduce even further. There will be fewer resourcing costs needed for credential administration and data compliance. The burden to comply with data regulations would be greatly reduced, since there won't be a need to store personal user information anymore. Similarly, the overall costs from data breaches and associated reputation loss would likely be diminished.
But don't retire your Privacy Officer or throw your password managers out the window just yet. A new digital identity system will take some time to implement. In the meantime, businesses should still implement best practice privacy practices, such as collecting only the data you need, and making sure it’s appropriately protected through a robust cyber security posture.