From Yes, to Oh No! It's time to think differently about identity.



The recent data breach at Optus has highlighted, once again, the need to rethink how we protect our identities and personal information in the digital age.

It’s easy to say that more should have been done to strengthen the security posture or IT governance controls involved in the data breach affecting 9.8 million customers. However, as is the case with many of these catastrophes, human error in judgment or action remains our most acute IT vulnerability.

Regardless of the measures or penalties that will be put in place to compensate for the damages caused to the public (rightfully so), the surest way to minimise the risk of losing sensitive data is to minimise the amount of it you hold onto.

Andrew Nash, formerly SVP of Identity Services at Capital One, says: “It is time to change the way we handle user information. Storage of user data in massive databases provides ever bigger targets of opportunity. Decentralized identity provides users the option to share information when it is needed and remove breach targets”.

We’ve long normalised the over-collection of personal information, like driver's license numbers and dates of birth, in part because access to identity credentials has historically been the best system we have had for someone to prove their identity.

It’s why we developed plastic ID cards – to easily prove you have access to a valid driver’s license or an official document, or an address that has been validated by someone, or an active mobile account – something issued to you by a trusted authority that is difficult to fake or obtain without proving identification. Since there is only one original copy to use as proof, we’re keenly aware that these credentials are important to safeguard so we keep them in our wallets or at home where we can protect them. 

As we evolved into a digital society, no analogous identity system was created that was as easy, convenient and sharable, so the need to use this same personal information for identity followed us online, in a format that can easily be replicated. Digital businesses have had no good way of proving your physical identity remotely, so they ask you for enough personal identity information to be reasonably sure that you are who you say you are for their needs.

The number of businesses and services to whom we routinely provide this type of information without thinking about it has exploded. It has become standard practice for companies to hold onto this information, whether for commercial or regulatory reasons, for reasons of liability, or for the allure of commercial and customer insights. A digital footprint builds every time it’s stored, propagating the risk of data breach as the credential information critical to proving our identity is further used, misused, or shared with others.

Once breach events like Optus happen, there are reputational damages for all involved, not least the victims whose information was compromised because of how frustratingly easy it is to impersonate someone with private data once it's out there on the internet.

We need to start letting people own, control, and present their sensitive data only as needed, and break the habit of storing it en masse in databases. This would dramatically reduce the scale of these types of events when they do occur, limiting the damage done to all parties.

If we want to stop moving from headline to headline about the latest big breach, and genuinely protect people, we need to modernize our digital identity infrastructure, and our relationship with the value and sanctity of personal data, for the modern world.

We must think differently.

We and others in the industry are working hard on open identity standards, decentralized identity wallets, and credentials-based identity models grounded in privacy to make digital identity work for the needs of the modern age. 

Built with decentralized patterns and modern cryptography to prevent the correlation of data, they protect the rights and privacy of the individual, increase the convenience of proving identity claims, and reduce the risk exposure for businesses from accepting falsified data or having to store troves of personal information.

Say ‘Yes’ and join this journey to protect individual data rights and adopt safer ways to be identified online.

Erik Zvaigzne is Vice President, Product Innovation at Convergence.Tech