Identity, both digital and physical, is very personal by nature and the systems that have been implemented to manage them are also exploiting them, creating their own identities (profiling) and selling them on. The commercialisation of personal data in order to refine data sets has helped build a multi billion dollar big data market, where data is brought and sold between companies.
This has serious implications for a subjects privacy and could justifiably be interpreted as violating the subjects human rights. Article 8 of the Human Rights Act states:
This right means that the media and others can be prevented from interfering in your life. It also means that personal information about you (including official records, photographs, letters, diaries and medical records) should be kept securely and not shared without your permission, except in certain circumstances.
Recent developments have been made in some localities to address the data mining and commercialisation of personal data into a billion dollar industry. The General Data Protection Regulation (GDPR) which was brought into effect in 2018, give EU citizens legal protection over their personal data held by service providers. This also gives greater visibility of what the service provider is collects and shares with third parties.
There are other threats to subjects caused by the current systems as these entities present an attractive target for thieves who can reap large amounts of personal data in order to steal peoples identities. The most notable of these in recent times being Equifax hack in which personal data on over 145.5 million Americans and millions of British and Canadians were accessed by thieves over 76 days.
The main purpose of submitting personal information is to authenticate who you are to a service provider and that typically comprises of a username and password. One of the problems with this system is that there is a tendency to reuse these authenticating pieces of data across service providers. With it being replicated across multiple locations, the attack surface is large and a breach in one system compromises every other system.
The rise of Open Authentication (OAuth) goes some way to addressing this by allowing service providers to delegate authentication to a third party (such as Google or Facebook), reducing the attack surface to a single location for username and passwords. The delegation of authentication comes at the price of privacy as the third party now has greater visibility of the services that you use and collects data on your activities.
Another method of increasing security of a subjects data has been to introduce 2 factor authentication that relies on an additional, time sensitive, password to be generated for the subject to be entered when authenticating.
Self Sovereign Identity
One of the recent developments to come out of the cryptocurrency revolution is the ability to enable an subject to claim sovereignty over a digital asset. This utilises the well established cryptographic public key infrastructure (PKI) in which a subject can prove that they know a secret without ever needing to disclose that secret to a verifier.
Using this same technology, a subject can create their own identity using a PKI and provide authentication without the need to store any authentication secrets on a service providers system. This eliminates the honeypot target for thieves looking for authentication data and decreases the security burden on both the subject and the service provider.
The subject also has the ability to present a different identity for each service provider that they use which greatly preserves the subjects privacy and makes tracking authentication activities much harder.
Self Sovereign Identity promises to be a revolution in personal privacy and identity security which we are dedicated to working on. There is a great and growing community that are focusing their efforts on making this a reality and with big hitters like Microsoft and IBM coming on board (and on message) the future looks bright.