Navigating personal identity & managing risk
by David ThomasMr. Thomas is CEO and founder of Evident ID. Visit www.evidentid.com
Part III in a three-part story.
The lack of uniform definition of online identity verification, and the perils of storing sensitive information once it is obtained, create an untenable situation for digital platforms managing multiple and ever-shifting users (both providers and consumers). The current options for managing (or not managing) personal data do not adequately meet the needs of digital platforms or the consumers they serve, primarily because they fail to foster trust and a sense of security.
Moving forward, there are various ways that personal data may be negotiated in an effort to increase the viability and trustworthiness of the sharing economy. These methods aren’t meant to be mutually exclusive; they likely will need to be employed.
The Foundation of the Solution: Minimize Collection of Personal Data
During the onboarding process, personal data–such as birthdate, Social Security Number, and Driver’s License Number—typically become the focus of efforts and concerns around data security. Broader categories, such as passwords, answers to account recovery questions, and customer preferences, are often overlooked—even though they have achieved equal sensitivity in an increasingly digital world. Take, for instance, the 39% of adult online users, who are considered “password challenged” and may opt for simpler, easier to remember passwords or use the same password on various digital platforms. If a user has the same password for multiple sites, a breach on one site could allow for access to a completely unrelated site where no actual breach occurred. Yet all platforms involved will suffer consequences to their reputation—even if the sensitive information was accessed through no fault of the platform itself.
This problem doesn’t exist purely in the realm of the hypothetical. Consider Yahoo’s data breach, which compromised more than 1.5B accounts or LinkedIn losing sensitive data related to 167M accounts. Since “[n]early two-thirds of U.S. adults have fallen victim to some type of data theft or fraud”, it is unlikely that anyone with an online presence hasn’t had their password data compromised at some point. One means of combatting the issue relies on customers’ use of password managers, which unfortunately have very low adoption rate. Another step toward heightened password security may be simplifying the login process by using Google or Facebook account logins. Other password-less login options—such as fingerprint scans, facial recognition, or authenticator apps—could be employed for native accounts.
Account recovery questions, that often entail inquiries regarding high school attended, mother’s maiden name, and first car driven, should also be treated as sensitive information. Once hackers ferret out the answers to these questions, they can be used to take over other accounts that ask similar questions or for use in social engineering attacks. Account recovery options that rely on a second factor for authentication or use alternative email addresses create a safer online verification process. However, none of the recommendations to keep sensitive information—including passwords and account recovery questions—safe eliminate the need to hold personal data. Even if a platform incorporates all the listed recommendations, they still maintain the liability of holding personal data.
The first step toward toward a more secure sharing economy is the minimization of the collection of personal data. It is the foundation for any of the following potential solutions: traditional, cutting edge, or trusted identity.
Employ A Traditional Approach
Building out a platform’s own data repositories, while layering on security tools to shore up defenses, constitutes a traditional approach to managing personal data. There exists a long list of technologies that, upon introduction to the security arena, promised to address the most cutting edge cyber security threats: encryption, access controls, key management, network segmentation, firewalls, malware/virus detection, patch management, user training, and bleeding edge advanced persistent threat tools. Attackers, motivated by the commercial potential of the records held, have always been able to circumvent these protection mechanisms. Unfortunately, “[t] he mature Crime-as-a-Service model underpinning cybercrime continues to provide tools and services” which creates an environment that saw an increase in loss of records from 480M.
in 2015 to 3.1B in 2016. Simultaneously, the investment in protecting against these threats shows no signs of slowing down—growing “from $73.7 billion in 2016 to $101.6B in2020. These trends suggest the futility of this approach. Meanwhile, liability from processing and holding personal data remains very high. When platforms accept extensive personal data, the company takes on all the responsibility of trusting, storing, processing, securing and protecting this sensitive information. Managing this data requires a detailed strategy addressing regulatory concerns and the ever-present threat of security breaches. The onus also remains on the company to continuously verify personal data over time to ensure continued accuracy.
For instance, a nanny may register on a platform and have a clean background check at the time of registration. However, 6 months later, she may have a DUI on her record. Because the platform is collecting, storing, and vouching for the accuracy of the data collected, it becomes the responsibility of the platform to continuously track the information. Not being aware of changes in personal data is as much of a liability as not collecting it at all. The collection and management of this data is a behemoth task; it takes time, personnel resources, and capital to manage an ill-defined, constantly shifting system.
Adopt Cutting Edge Approaches
New technologies constantly emerge that are touted as the solution to all data-security related woes. In reality, these inflated promises often fall short, and the proffered technology gets redirected to serve a narrower application. Take, for example, digital ledgers technology (DLT), whose best-known implementation is blockchain. DLTs applications have been proposed for almost every vertical in commercial and government use cases. Several identity applications are being developed to give consumers more controlover their own personal data, a collectively engineered “bitcoin-like service, a protocol, that is distributed and global, not controlled by anybody, architected like the Internet.” Given the nascent nature of these solutions, they must be carefully considered to ensure key qualities regarding which data is stored and available to be retrieved, how it is accessed, how/if attestations to identity are verifiable, limits on transaction time, and associated cost/stability of the offering.
Another approach to identity involves the creation of a personal data store (PDS), with the goal of putting consumers in control of their data. Similarly to DLTs, several commercial and open source offerings exist, which allow users to collect, store, and share their data with other parties. Implementation of this technology remains challenging: it inherently adds friction to the registration process and has very low adoption rates, as well as limited ability to provide attestations to the verifiability of data. In many cases, integrations with 3rd party verifiers would also be required—which would necessitate processing the same personal data that platforms should try to avoid.
Use an Existing Trusted Identity
Currently, solutions are emerging that simplify verifying the identity of an individual through the creation of a portable identity. A user may register directly or indirectly with the provider, which offers strong identity verification, and attach verified data to the identity. The consumer navigates through a simple, seamless onboarding process and maintains more control over their data. Third-party attested identity verification, combined with limited disclosure, can keep the identity of users up-to-date and separate companies from the risks of holding and managing highly sensitive data. The breadth of verified data offered via this solution significantly reduces the number of relationships and integrations required to accomplish a platform’s business goals.
The use of personal data to instigate online transactions manages to be simultaneously commonplace and anxiety-producing. Until digital platforms nail down a way for data to be managed, stored, and protected in a way that restores a user’s control over their own personal data, the sharing economy remains unlikely to expand to its full potential.
Recomendations: An Opportunity Moving Forward
“For the sharing economy to continue to expand, the players within it will need to find ways to authenticate the identity of consumers..… Identifying, and upholding, quality and trust metrics will be critical to success in this evolving model.”50
The sharing economy is built on trust. But each time a user has to share personal data with an additional platform, trust is eroded. To solve this dilemma, a secure, verified portable identity must be created that can be shared across providers. The onboarding process needs to be simple and hand control over personal data back to the user. Even for sensitive applications, the process should remain frictionless.
Ensuring that every participant in the collaborative space has a simple, third-party verified online identity is vital to the success of the sharing economy. Users simply don’t feel secure sharing their personal information on multiple platforms or navigating multiple checks on their identity.
A third-party identity verification can keep the identity of users up-to-date and separate companies from the risks of holding and managing highly sensitive data. Implementing a focused but flexible approach to online identity verification eliminates the need to parse out which processes can accurately identify users in a dynamic peer-to-peer user base. Accurate, consistent results would be delivered rapidly and cost-effectively.
Evident simplifies the complicated world of personal data. We understand the risk businesses and individuals take every time personal data is verified and shared. That’s why we created Evident, a simple, more secure solution for businesses and individuals to share personal information that can be verified. We reduce the friction and liability associated with collecting personal identifiable information for businesses, while empowering individuals to have complete control over when and where their data is accessed. We do more than just protect personal data – we make it easier to share and manage while revolutionizing the way sensitive information is stored and secured.
When it comes to businesses, our mission is to reduce the liability and cost that comes with acquiring and managing personally identifiable information. Gone are the days of growing and securing a database full of personal information, increasing the potential of a cybersecurity hack. Our simple and secure API allows companies to obtain and use verified personal data when they need it without the risk and expense of managing it. With Evident, information that companies once thought nearly impossible to obtain is accessible and ready to scale, providing companies with an opportunity to offer a broader range of services from stringent identity verifications to licenses and credentials.
The sharing economy has turned the traditional marketplace on its head. The landscape is ever shifting—opening to new platforms, industries, and users. It seems appropriate that the sharing economy be the venue that we use to challenge traditional notions regarding identity verification. In exploring ways to keep identity safe, we must reconsider what kinds of data we consider sensitive and the ways that we collect that data. Moving forward, the way that we store and share personal data will significantly impact this new economy. This is the time for innovation that translates seamlessly into everyday life. For a solution that seems evident, but that will permanently alter the identity landscape—for the better. The way that we store and share personal data will significantly impact the sharing economy.
SideBar: THE PERILS OF ONLINE IDENTITY VERIFICATION
A Consumer’s Perspective
I’ve got concerns about sharing my personal information online. Every time a website or app asks me for my personal information, I wonder if the service is worth the time and risk of sharing my personal info. When I’m deciding whether or not I really want to complete the onboarding process, I think:
- Why do you need this much personal information?
- I guess don’t mind providing my personal information, but can you keep it safe?
- I’m busy. And waiting for my information to be processed is boring. Can you approve me quickly so I can get on with my day?
- I am annoyed that there is a different form for new app I download. Why can’t there be a universal form?
- I’ve got a new certification that doesn’t show up in your app. Why can’t they all be connected, so I only have to update my info once?
- I want my own online ID. Facebook manages to be able to identify me. Why can’t your platform do that?
Three things are most important to me: efficiency, uniformity, and safety. For me to be on-board with an app, entering my information has to be painless, even for more extensive personal info, like degrees, credentials, etc. Otherwise, I’ll just use a different app. I also need to know that this app has the same standards of identity verification and safeguarding my personal information as others I’ve used. If I don’t feel safe sharing my personal information, or trusting the platform to verify the personal information offered by others, I’ll just find another app I find more trustworthy. ◊
See Part I here
See Part II here