"Data sells" is a common notion out there, yet many of us are oblivious to it, or we simply underestimate the underlying value of our data.
The world’s most valuable resource is no longer oil, but data – Economist
Many companies leverage the data they acquire to make big bucks, while the individual is left to wonder why he is shown advertisements that correspond to his intent or interests. Almost everyone is a victim of targeted advertisements, but targeted advertisements are merely the tip of the iceberg. Remember getting that loyalty card from your local supermarket to get reward points? Or how about signing up for the Starbucks loyalty program to get free coffee?
All they took in return were some key credentials such as your name, phone number, email, date of birth, and address. The same goes for giving consent to a mobile application to access your contacts, location, messages, and gallery, or allowing a website to use cookies. It leaves us with a simple question: should we be handing over all this data? A simple photography application might require access to your location and contacts. What could be the reason for that?
All these credentials are used to store data, which comprises personal data, behavioral data, and engagement data. This information helps in generating user profiles, which in turn are sold to companies, ultimately generating revenue for them. Every offline and online transaction carried out gives away data that holds monetary value. Everyone is getting their fair share of the pie, and the only person missing out from the whole equation is the one giving out his data voluntarily for a free coffee or some discounts. It is not the companies hacking into your data; you are providing it.
Terming it a “Faustian Bargain”, Jeff Wiles states that it is a tradeoff we have to make in the digital world. He adds that one cannot be an “online hermit” these days.
Most of our daily transactions are carried out either online or offline through various identity instruments or credentials. These comprise physical credentials (a national ID card, passport, college degree, bank details) and digital credentials (email logins, social media accounts). These transactions are essential to carry out day-to-day activities, but by providing these details one also shares information that is entirely irrelevant. People feel more in control using their physical credentials, but what if they go missing or are inaccessible? That is certainly a disadvantage, as it is time-consuming to get them made again, or costly to pay the delivery fee again when the documents have to be sent abroad. In some cases, missing identity credentials could also lead to fraudulent activities, such as identity theft or manipulation, geared towards malicious ends. In a transformative world where paperless means of communication are becoming more popular, physical means of information sharing pose a great hurdle.
One might say digital credentials are much more secure. Think again.
Earlier on, signing in with your digital credentials was done in silos, which meant creating a unique identity and password for every single domain or application. That was a rather cumbersome task, and managing them was even more arduous with so many usernames to remember. This later changed to a centralized alliance between companies and third-party identity providers (log in with Google, log in with Facebook), with each party having bits of autonomy.
Does digital onboarding help with the data losses and stolen identity dilemma?
Digital onboarding undeniably helped with the issue of password management and identity management, but what many did not realize is that in doing so they were handing over access to their data to third-party companies, entrusting them with more data.
The problems are not confined to the individual level. Enterprises have suffered huge losses owing to data breaches for more than a decade. Personally identifiable information (IDs, passports, names, addresses, credit cards) has been compromised at the hands of hackers, who mainly hacked into the central databases of not just enterprises, but government systems as well.
The data of Equifax, the largest U.S.-based credit bureau, was compromised in 2017. The breach comprised personal credentials such as social security numbers, birth dates, and addresses. The initial figure quoted was 143 million consumers, which was later raised to 147.9 million; 209,000 consumers also had their credit card data exposed. Dubsmash, a popular video app, had its stolen data put up for sale by the hackers on Dream Market, a dark web market; the data comprised 1162 million email addresses, usernames, and passwords. Personal data of users of the Under Armour-owned fitness app MyFitnessPal was among the massive information dump on Dream Market as well, resulting in the leakage of 617 million customer accounts.
Even the hospitality industry was not spared: the biggest hotel chain, Marriott International, declared that the data of 500 million customers had been stolen. The breach began in 2014, and it took the company 4 years to realize its data was being breached. Once again, the primary intent was to steal personal identifiers and credentials (credit card numbers and expiration dates).
The criticism Uber had to face over its data breach sent the company’s stock plummeting. The market value declined severely because Uber decided to keep the breach a secret and, instead of publicly announcing it, paid ransom money to the hackers. If that is not enough, wait until you come across “The biggest data breach” of the decade: the popular search engine and webmail company, Yahoo, had its data breached as well. The figure came to 3 billion in 2016.
The average total cost of a data breach in the U.S. for the companies studied had grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years – IBM (2019)
Identifying the root cause of breaches, IBM reported malicious attacks to be a major contributor: 51 percent of data breaches were because of malicious attacks. The report covered 17 sectors, from housing and entertainment to the health care industry. The average total cost of a data breach in the healthcare industry was $6.45 million.
Global Data Protection Regulation to the rescue.
To safeguard the individual’s data, the European GDPR came into action. Companies with clients in the EU were told to prepare in advance, to strengthen measures to keep data intact, and to put transparency in place: consumers should be aware of the data that is being acquired and the underlying reason behind the acquisition. Furthermore, consumers would gain the right to revoke their data.
The European GDPR regulations came into existence with an altruistic fundamental motive: to give individuals control of their own data and to protect that data. The United States adopted a similar model and came up with the California Consumer Privacy Act. Companies started gearing up for GDPR compliance back in 2018.
According to the report published by IAPP, around 1.1 billion was spent on the preparation of GDPR alone in the UK — Forbes
The cost of continuous compliance reported for SMEs was more than $100,000. A reported figure of $1 million was spent by 20% of the companies to be prepared for GDPR. Many companies had to dump their data and start from scratch, as the capital needed for the technical and legal expertise to remodel their existing systems seemed inordinate and exceeded their financial means.
Debunking the centralization dilemma
Although geared towards an altruistic cause, GDPR still operates on centralization. With the introduction of GDPR, an idea of data security and data ownership was instilled amongst the masses, reaffirming our faith in enterprises, yet the biggest hurdle remains centralization. Centralization itself is the biggest risk. No matter how secure you make it, how much companies spend on cybersecurity measures, or what level of encryption is used, hackers will find a way in.
Self-Sovereign Identity and Distributed Ledger Technology
If centralization is the issue, would it be possible to make data more secure and to increase personal data ownership using a decentralized solution? One of these possible decentralized solutions is Self-Sovereign Identity (SSI). SSI is essentially an identity base layer, which operates on blockchain technology, making it decentralized by nature.
A common question may arise: how does decentralization avert security breaches and data hacks?
Decentralization implies that data is stored on distributed channels instead of one. It is not stored in a centralized database, which in turn makes it more secure, and data autonomy is not centralized. That means enterprises will not have to pay a hefty amount of money to cybersecurity companies to keep their data intact. While it sounds rather utopian, it is quite the contrary: it is very simple and attainable.
Imagine going to a car hire company and renting a car in another country. This company does not need to know your date of birth or the expiry date of your license. All it needs to know is that the permit is valid for the duration of the hire, that it is issued by a trusted authority (the government of the country), and whether that issuing authority has legal credentials or a strategic alliance with the country of the car hire company. As soon as the car is returned safely to the car hire company, the information provided initially should be wiped from its system unless there are security concerns.
To fully comprehend the alternative paradigm, namely SSI, one must be familiar with the ecosystem that it operates in: blockchain. Before moving on to blockchain, one must be familiar with two key terms that SSI incorporates: verifiable credentials and decentralized identifiers (DIDs).
It all appears to be very complicated with the technical jargon involved, but it is a very simple model to discern.
Verifiable credentials refer to personal information about you that has been issued by an issuer: a governing body or authority such as a government, an educational institute, or a bank.
Once you get hold of these issued digital credentials, you become the subject or holder of these credentials. When you apply for something, these credentials need to be verified (identity interactions), hence the need for a verifier, be that for a bank loan, a mortgage application, or traveling abroad. These digital credentials can be verified across different companies.
Say you want to apply for an academic program in another country based upon your qualifications. Your previous educational institute would be the issuer of the verified credential. Once that credential has been issued to you, it can be verified by the educational institute where you plan on studying, thus making that institute a verifier.
In the real world, our primary identifier is our face, the other ones being our national ID, driving license, or passport. Now think of a DID as a digital face. Each verifiable credential is attached to a unique DID, which is distributed, making it self-sovereign in nature. Think of DIDs as a mode of communication or of peer-to-peer information exchange. A DID allows multiple claims to be associated with a single layer, can be accessed from any system, and the identity owner is in complete control to revoke them. The generated DID is always paired with a public key and a private key. A DID can have many public keys. Everything is fragmented. A DID does not hold any information itself and merely resolves the issue of having an identifier linked to the credentials with public keys.
It should be noted that these verifiable credentials are not stored on the distributed ledger system. Think of blockchain as a giant spreadsheet where transactions are taking place, but that spreadsheet is not saved in a single database. In fact, it is an open-source spreadsheet, held within distributed storage, with information registries that correspond to transactions or exchanges of public keys using DIDs.
The credentials are stored in a digital wallet that corresponds to a physical wallet. You only use the credentials that are required. What grants a user more power is the control of his or her identity. The user does not have to reveal all the information present in a credential, only the information that obviates the need to provide additional information. In the SSI framework this is referred to as zero-knowledge proof: disclose only the information that is relevant. As mentioned earlier, a car hire company should not be concerned with your date of birth but should know that the permit you hold is valid. Furthermore, it gives you more control, as you can revoke the information provided or allow it to be present in a system for a limited time. For instance, an application wants to access your phone’s location. You allow it to do so for that duration and then you simply revoke the access with the click of a button.
But are these digital wallets safe?
Yes, these digital wallets are created using asymmetric cryptography, which creates a pair of keys. One is the public key and the other is a private key. The public keys, as the name implies, are there to view at any time, are used for exchanging information, and can be revoked. The private key, however, is for the account holder himself, be that an issuer, a verifier, or a subject. It is only through a private key that one can pass on his credentials using his DID to an issuer, who then validates the credentials and sends them to the verifier using his DID. In this way, a quick and efficient means of peer-to-peer information exchange can be established.
It can be established that SSI gives complete control of public identity, safeguards personal data, and is accessible with the click of one button from anywhere in the world. Furthermore, it establishes trust between parties that guarantees the authenticity of the data being provided. It operates within the realm of ethical information sharing, ultimately keeping your identity intact.
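The issuer, holder and verifier roles and the car hire scenario described above, as an added example (not code from the original article or from any SSI product). It uses Node.js's built-in Ed25519 signatures with salted-hash selective disclosure, a simpler stand-in for a true zero-knowledge proof; the `did:example:` identifier, the claim names and the trusted-issuer map (in place of ledger-based DID resolution) are assumptions.

```javascript
// Added example: Ed25519-signed credential with salted-hash selective disclosure.
// The DID, names and claim values are constructed; a Map stands in for DID resolution.
const crypto = require("crypto");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const digestOf = (d) => sha256(JSON.stringify([d.salt, d.name, d.value]));

// Issuer: salt and hash each claim, then sign only the list of digests.
function issue(issuerDid, privateKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    ({ salt: crypto.randomBytes(16).toString("hex"), name, value }));
  const payload = JSON.stringify({ issuer: issuerDid, digests: disclosures.map(digestOf).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString("base64");
  return { credential: { payload, signature }, disclosures }; // kept in the holder's wallet
}

// Holder: reveal only the named claims; everything else stays an opaque digest.
function present(wallet, names) {
  return { credential: wallet.credential,
           disclosed: wallet.disclosures.filter((d) => names.includes(d.name)) };
}

// Verifier: check issuer trust, signature, digest membership, then the business rule.
function verify(presentation, trustedIssuers, rentalEnd) {
  const { payload, signature } = presentation.credential;
  const { issuer, digests } = JSON.parse(payload);
  const publicKey = trustedIssuers.get(issuer);
  if (!publicKey) return { ok: false, reason: "untrusted issuer" };
  if (!crypto.verify(null, Buffer.from(payload), publicKey, Buffer.from(signature, "base64")))
    return { ok: false, reason: "bad signature" };
  const claims = {};
  for (const d of presentation.disclosed) {
    if (!digests.includes(digestOf(d))) return { ok: false, reason: "claim not signed by issuer" };
    claims[d.name] = d.value;
  }
  if (!claims.valid_until || claims.valid_until < rentalEnd) // ISO dates compare as strings
    return { ok: false, reason: "permit does not cover rental period" };
  return { ok: true, claims };
}

// Constructed scenario: the car hire desk sees valid_until but never the date of birth.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const did = "did:example:licensing-authority";
  const wallet = issue(did, privateKey, { name: "Alex Doe", date_of_birth: "1990-04-12", valid_until: "2031-06-30" });
  const trusted = new Map([[did, publicKey]]);
  const shown = present(wallet, ["valid_until"]);
  const forged = { ...shown, disclosed: [{ ...shown.disclosed[0], value: "2099-01-01" }] };
  return { shown, accepted: verify(shown, trusted, "2030-01-15"),
           forged: verify(forged, trusted, "2030-01-15"), tooLong: verify(shown, trusted, "2032-01-01") };
}
```

The undisclosed claims remain in the signed payload only as salted digests, so the verifier cannot read or guess them, while any altered disclosed value fails the digest check.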
It will be interesting to see what the future holds for Self-Sovereign Identities, but given the growing societal need for a secure Self-Sovereign Identity solution, it seems like it is only a matter of time before one of these solutions is widely adopted.