The Future Of Identity Authentication Is Personal

Forbes Technology Council

Richard Bird is Chief Customer Information Officer at Ping Identity. He is a sought-after speaker on digital identity and data privacy.

As a digital society, we’re in the midst of a privacy reckoning and a crisis of confidence. The egregious data collection by tech companies has infuriated users, sparked regulation like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and prompted Congress to summon Google, Facebook, Amazon and Apple executives to testify about their customer data practices.

Meanwhile, consumers are losing faith in the ability of online companies to manage their data respectfully. Data breaches have become a common and widespread occurrence, leaving personal information exposed. According to Pew Research, 70% of Americans believe their personal data is now less secure than it was five years ago, and, according to Cisco, 84% want more control over how their data is being used. 

Particularly at risk is the data used to verify and authenticate people so they can use apps and online services. Login credentials are attractive targets for cybercriminals and fairly easy to steal without advanced protections. Even two-factor authentication is vulnerable, and if you authenticate someone masquerading as the legitimate account user, the system has failed. What’s lacking is authentication with a high degree of assurance and validity because, when it comes down to it, we’re basically assuming that people are who they say they are. Why do we rely on assumptions with something as critical as identity authentication when other systems are held to 99.999% accuracy and availability levels?

Personal Identity 

What we need are systems that let people prove their identities with the highest degree of certainty and maintain ownership and control over their information. People should also be able to select specific data to share with apps based on what the apps need to know. Think of it as a “personal identity” that puts the power over the control of data back into the hands of individuals and provides them the capability to confirm their “selfness” without revealing more than they want. 

Identity In Your Pocket

Aspects of this vision are already in the market. Digital identities for banking are popular in Scandinavia and can be used with phones or physical ID cards. Colorado officials have approved a digital driver’s license, which has authentication built in and is used to prove the user’s identity at any state agency. And there’s the Token ring, a smart ring that contains an individual’s credentials and can be used for contactless payments and building access. The encrypted data is stored in the user’s account and only the data necessary for a specific function is shared at any given time. 

The pandemic has created an opportunity to test out this concept on a large scale. The Private Kit: Safe Paths, developed by MIT researchers, uses anonymized GPS and differential privacy, a method of sharing information gleaned from a data set that does not identify the individual who is connected to it. With this app, public health officials can see the location of people who are infected with Covid-19 but not their names or other personal information. 

The use cases for this type of personal identity include:

• Account security: Account theft has exploded, with consumers losing data and businesses losing credibility and reputation. Every single account compromise is an opportunity to use digital identity to preempt this threat. 

• Elections: We can eliminate any concerns about the validity of a voter by having them disclose their choice of digital identity at the polling place.

• Financial transactions: Authenticating at the time of transaction protects both the user and the bank. This use case by itself will prove the value of personal identity by cutting down on the vast amounts of fraud that occur in the banking industry.

• Immigration: U.S. Customs and Border Control have already created a “digital you” as part of the Global Entry program, based on an individual’s passport.

• Government benefits: The Inspector General of the U.S. Labor Department estimated that as much as $26 billion in unemployment insurance benefits under the CARES Act could have gone to fraudsters instead of legitimate claimants. Personal identity can streamline, as well as secure, the distribution of benefits of all kinds and small business loans.

• Car registration, loan processing: We shouldn’t have to go to the DMV or title company to finalize the paperwork for car registration and mortgages, particularly during a pandemic.

• Hiring and onboarding: While most companies have transitioned, at least temporarily, to a remote workplace during the pandemic, employees are still having to sign I-9 forms and present their driver’s license in person when being hired. We could solve this problem by adopting digital identification cards like those that enable passengers to bypass security lines at airports. 

There are significant hurdles to achieving this vision, but none that can’t be overcome with strategic effort. The biggest challenge is mental: people don’t trust the government and big companies to not misuse their data. If Real ID driver’s licenses weren’t mandatory, they would not have been rolled out as quickly as they have been. Speed-to-implement is another impediment. This is an entirely new paradigm, which means that business processes and technical architectures will need to change, which takes time. Real ID deployment took 15 years for some states. Finally, we’ll definitely see resistance from the companies that are making money off the consumer data they collect. Commercial interests aren’t going to give consumers authority over their data when the profits of the business depend on it. We might see major efforts on the part of big tech to fight Personal Identity initiatives, much like we saw them lobby hard to water down the CCPA.

Clearly, this won’t happen overnight. The federal government moves slowly on tech transformation, so we’ll see it rolled out state by state first, with digital banking applications at the forefront, possibly within six months. Streaming and subscription services, like Netflix, Amazon Prime and Spotify, might also adopt it to stem the widespread practice of sharing account logins. While consumers may be annoyed by the fact that they can’t watch movies via friends’ accounts, they should be pleased with the ability to control their data destiny.

