Data sells. A common notion out there. Yet it is oblivious to many of us, or we merely undermine the underlying value of our data.
The world’s most valuable resource is no longer oil, but data – Economist
Many companies leverage the acquired data to make big bucks, while one on an individual level is left to wonder how he is shown advertisements that correspond to his intent or interests. Almost everyone is a victim of targeted advertisements, but targeted advertisements are merely the tip of the iceberg. Remember getting that loyalty card from your local supermarket to get reward points? Or how about signing up for the Starbucks loyalty program to get free coffee? All they took in return were some key credentials such as your name, phone number, email, date of birth, and address. Similarly, giving consent to a mobile application to access your contacts, location, messages, and gallery or enabling a website to access cookies. It leaves us with a simple question: should we be handing over all this data? A simple photography application might require access to your location and contacts. What could be the reason for that?
All these credentials are used to store data, which comprises personal, behavioral, and engagement information. This data helps in generating user profiles, which in turn are sold to companies ultimately generating revenue. Every offline and online transaction gives away data that holds a monetary value. Everyone is getting their fair share of the pie and the only person missing out from the whole equation is the one giving out his data voluntarily for a free coffee or some discounts. It is not the companies hacking into your data: you are providing it of your own volition.
Terming it as a “Faustian Bargain”, Jeff Wiles states that it is a tradeoff we have to make in the digital world, adding on to that he stated one cannot be an “online hermit” these days.
Most of our daily life transactions are either carried out online or offline through various identity instruments or credentials, which comprise physical — a national ID card, passport, college degree, bank details — and digital credentials — email logins, and social media accounts. These transactions are essential to carry out day-to-day activities. But by providing these details, one also shares information that is entirely irrelevant. People feel more in control using their physical credentials. But what if they go missing or become inaccessible? Certainly, disadvantageous, as it is time-consuming to get them made again, or to pay the delivery fee again in the case of sending the documents abroad. In some cases, missing identity credentials could also lead to fraudulent activities — identity theft or manipulation — geared towards malignant designs. In a transformative world where paperless means of communication are becoming more popular, physical means of information sharing pose a great hurdle
One might say digital credentials are much more secure. Think again.
In earlier times, signing in using your digital credentials was done in silos, which meant creating unique identities and passwords for every single domain or application. A rather cumbersome task. Managing all these credentials became even more arduous, with so many usernames to remember. This later changed to a centralised alliance between the companies and third-party identity — login with Google, log in with Facebook—with each party having bits of autonomy.
Data losses and the stolen identity dilemma
Digital onboarding undeniably helped with the issue of password management and identity management. But what many did not realise was that, in doing so, they were handing over the access to their data to third-party companies, entrusting them with even more data.
The problems pertain not only to an individual level. Enterprises suffered a huge number of losses owing to data breaches for more than a decade. Personally identifiable information — IDs, passports, names, addresses, credit cards — all had been compromised by hackers who mainly hacked into the central databases of not just enterprises, but government systems also.
The data of Equifax, the largest U.S-based credit bureau, was compromised in 2017. The data breach comprised personal credentials, including social security numbers, birth dates, and addresses. The initial figure quoted contained 143 million consumers; 209,000 consumers also had their credit card data exposed, which was later raised to 147.9 million. Dubsmash, a popular video app, had its data put up for sale by the hackers on Dream Market: a dark web market comprising 1162 million email addresses, usernames, and passwords stolen. Personal data of users of the Under Armour-owned fitness app MyFitnessPal was among the massive information dump on Dream Market as well, resulting in the leakage of 617 million customer accounts.
Even the hospitality industry was not spared. The biggest hotel chain, Marriott International, declared that data of 500 million customers had been stolen. The breach started in 2014, and it took the company 4 years to realise its data was compromised. Once again, the primary intent was to hack personal identifiers and credentials (credit card numbers and expiration dates).
The backlash that Uber had to face following a data breach sank the company’s stock. Uber had chosen to keep the breach secret, until it became publicly denounced. It later emerged that Uber had acceded to pay ransom money to hackers. If that is not enough, wait until you come across “The biggest data breach” of the decade: the popular search engine and webmail company, Yahoo, had its data breached too. The figures came down to 3 billion in 2016.
The average total cost of a data breach in the U.S. for the companies studied had grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years – IBM (2019)
Identifying the root cause of breaches, IBM reported malicious attacks to be a major contributor – 51 percent of data breaches were because of malicious attacks. The report conducted entailed 17 sectors from housing and entertainment, to the healthcare industry. The average total cost of a data breach in the healthcare industry was $6.45 million
GDPR to the rescue
To safeguard the individual’s data, the European Global Data Protection Regulation (GDPR) came into action. Companies with clients in the European Union were told to be prepared in advance to strengthen measures to keep data intact and to allow transparency to be in place – consumers should be aware of the data that is being acquired and the underlying reason behind the acquisition. Furthermore, they would gain the right for them to revoke their data.
Altruistic in its fundamental motive – to give control of an individual’s data to themselves and protect their data – the European GDPR regulations came into existence. The United States adopted a similar model and came up with the California Consumer Privacy Act. Companies started gearing up for GDPR compliance back in 2018.
According to the report published by IAPP, around 1.1 billion was spent on the preparation of GDPR alone in the UK — Forbes
The cost of continuous compliance reported for small and medium enterprises surpassed $100,000. A reported figure of $1 million was spent by 20% of the companies to be prepared for GDPR. Many companies had to dump their data and start from scratch, as the amount of capital for getting technical and legal expertise to remodel their existing system seemed inordinate and transcended their financial solvency.
Debunking the centralisation dilemma
Although driven by an altruistic cause, GDPR still operates on centralisation. With the introduction of GDPR, an idea of data security and data ownership was instilled amongst the masses, reaffirming our faith in enterprises, yet centralisation remains the biggest hurdle.
Centralisation itself is the biggest risk. No matter how secure you make it, or how much companies spend on cybersecurity measures regardless of the type of encryption level, hackers will find a way to break in.
Self-Sovereign Identity and Distributed Ledger Technology
If centralisation is the issue, would it be possible to make data more secure and increase personal data ownership using a decentralised solution? One of these possible decentralised solutions is Self-Sovereign Identity (SSI). SSI is essentially an identity base layer, which operates on blockchain technology, making it decentralised by nature.
A common question may arise, how does decentralisation avert security breaches and data hacks?
Decentralisation implies that data is being stored on distributed channels instead of one, meaning it is not stored in a centralised database. This makes it more secure, and data autonomy is not centralised. That means enterprises will not have to pay a hefty amount of money to cybersecurity companies to keep their data intact. While it sounds rather utopian, it is quite the contrary and it is very simplistic and attainable.
Imagine going to a car hire company and renting a car in another country. Now this company does not need to know about your date of birth or the expiry date of your licence. All it needs to know is that the permit is valid for the time duration the car is being hired for, is issued by a trusted authority (government of the country), and whether that issuing authority has legal credentials or strategic alliance with the country of the car hire company. As soon as the car is returned safely to the car hire company the information provided initially should be wiped out from their system unless there are security concerns.
To fully comprehend the alternative paradigm -SSI-, one must be familiar with the ecosystem in which it operates: blockchain. Before moving on to blockchain, one must be familiar with two key terms that the SSI incorporates:
Now, it all appears to be very complicated with the technical jargon involved, but it is a very simple model to understand.
Verifiable credentials imply that your personal information has been issued by an issuer, a governing body, an authority — say a government, an educational institute, or a bank.
Once you get a hold of these digital credentials, you become the subject or holder of these credentials. When you apply for something, these credentials need to be verified —Identity Interactions — hence the need for a verifier, be that a bank loan, a mortgage, or traveling abroad. These digital credentials can be verified across different companies.
Say you want to apply for an academic program in another country based on your qualifications. Your previous educational institute would be the issuer of the verified credential, once that credential has been issued to you it can be verified by the educational institute where you plan on studying, thus making them a verifier.
In the real world, our primary identifier is our face. The other ones are our national IDs, driving licences, or passports. Now think of DID as a digital face. Each verifiable credential is attached to a unique DID, which is distributed, making it self-sovereign in nature. Think of DIDs as a mode of communication or the exchange of peer-to-peer information. It allows associating multiple claims to a single layer, can be accessed from any system, and the identity owner is in complete control to revoke them. The generated DID is always in pair with a public key and a private key. A DID can have many public keys. Everything is fragmented. A DID itself does not hold any information itself and merely resolves the issue of having an identifier linked to the credentials with public keys.
It should be noted that these verifiable credentials are not stored on the distributed ledger system. Think of blockchain as a giant spreadsheet where transactions are taking place, but that spreadsheet is not saved on a single database, in fact, it is an open-source spreadsheet, held within distributed storage, with information registries that correspond to transactions or exchange of public keys using DIDs.
The credentials are stored in a digital wallet that corresponds to a physical wallet. You only use the credentials that are required. What grants a user more power is the control of his/her identity. He does not have to reveal all the information present in his credential, only the information that obviates the need of providing additional information. In the SSI framework it is referred to as zero-knowledge proof: disclose information that is relevant – as mentioned earlier, a car hire company should not be concerned with your date of birth but should know that the permit you hold is valid. Furthermore, it gives you more control as you can revoke the information provided or allow it to be present in a system for a certain limit of time. For instance, an application wants to access your phone’s location. You allow it to do so for that time duration and then you simply revoke the access with the click of a button.
But are these digital wallets safe?
Yes, these digital wallets are created using an asymmetric coding technique, which usually helps in creating a pair of keys. One is the public key and the other one is a private key. The public keys, as the name implies are there to view anytime and are used for exchanging information and can be revoked, however, the private key is for the account holder himself, be that an issuer, a verifier, or a subject. It is only through a private key that one can pass on his credentials using his DID to an issuer who then validates the credentials and sends them to the verifier using his DID. In this way, a quick and efficient way of peer-peer information can be established.
It can be established that SSI gives complete control of public identity, safeguards personal data, and is accessible with the click of one button from anywhere in the world. Furthermore, it establishes trust between parties that guarantees the authenticity of the data being provided. It operates within the realm of ethical information sharing ultimately keeping your identity intact.
It will be interesting to see what the future holds for SSI, but given the growing societal need for a secure SSI solution, it seems like it is only a matter of time before one of these solutions is widely adopted.
Key takeaways
- Every offline and online transaction gives away data that holds a monetary value
- Digital onboarding helps with credential management, but its downside is that, by using this method, the individual hands over the access to their data to third-party companies
- Major data hacks have compromised the personal and financial data of millions of customers
- GDPR aims to protect the right of an individual to safeguard their privacy. Yet, the GDPR framework is inherently centralised
- SSI enables an individual to retain control of their data, and share only what’s relevant
- SSI is based on Verifiable credentials (VCs) and Decentralised Identifiers (DIDs) principles
- Verifiable credentials imply that an individual’s personal information has been issued by an issuer, a governing body, an authority — say a government, an educational institute, or a bank.
- You can think of a DID as a digital face that helps you identify yourself to others
- Through the Decentralised Digital Identity wallet, Zaisan offers a secure SSI solution