trending
While corporations and governments tout the advantages of digital ID to simplify access to digital services, consumer concerns about privacy and control of data are surging.
Self-sovereign ID (SSI) – in which consumers control access to their identification data – could help solve the puzzle.
According to fraud specialists PerimeterX, attacks against user identity – whether through harvested credentials or cloned/fake user IDs – almost doubled worldwide last year, and are the fastest-growing form of fraud out there.
Growth in user ID fraud is one factor that’s driving governments towards digital identities the kind China requires by law for all of its citizens.
But protecting citizens against fraud is just one of the attractions of digital ID.
Others include the promise of no longer having to remember passwords and user IDs, faster onboarding and logins, and even being able to use a single ID to access government social services, healthcare and banking information – as Norwegians do through that country’s BankID system.
Don’t touch my data
At the same time, consumer concerns about data privacy, government snooping and, in general, the invasiveness of tech giants show no signs of shrinking.
In practical terms, this has meant Chinese video-sharing company TikTok being obliged by the EU to build two European data centres to prevent data being harvested and stored in China; Google being prevented from viewing which apps are held on a user’s phone by another EU diktat; and UK GPs being barred from sharing any patient data over unsecured channels by the General Medical Council.
“86% of US consumers think data privacy problems are getting worse”
Overall, it’s clear that despite worthy efforts such as General Data Protection Regulations (GDPR) in the UK, Canada, Europe and some US states, big tech companies are still misappropriating heroic levels of consumer data – and consumers are becoming disillusioned.
A KPMG USA survey in 2022 revealed 86 percent of consumers thought data privacy problems were getting worse – and 62 percent of business leaders said they should do more to protect consumer data.
To understate the case, these numbers are not great. Nine in ten Americans don’t trust the internet to keep their data private. Wow.
Enter Self-Sovereign ID
In response, the concept of self-sovereign ID (SSI) – a form of digital ID that consumers control and hold independent of any provider, website or government – is gaining serious traction.
Self-sovereign ID gives individuals control over the information they use to prove who they are to websites, services, and applications across the web without recourse to third parties.
By speeding up access to services and obviating the need for third-party forms of proof such as drivers’ license checks, the McKinsey Global Institute says Self-sovereign ID could add three percent to the UK’s economy by 2030.
Perhaps the best-known form of SSI is the FIDO Alliance, which since 2015 has promulgated a form of web-based digital ID via a user’s internet browser.
This system offers users significantly more autonomy than current password or biometric systems that store user information with third parties like companies or governments.
“SSI could add 3% growth to the UK’s economy by 2030″
FIDO2 works by using public-key cryptography to guarantee a secure and convenient authentication system based on data stored in a secure wallet on the consumer’s PC or mobile device that can only be accessed by the consumer.
Some of the world’s biggest tech companies, including Apple, Google and Microsoft are believed to be developing solutions related to FIDO2 – and Mastercard is working on a digital payment wallet secured by FIDO2.
Although 88 percent of web browsers are now capable of using FIDO authentication, adoption to date has been somewhat muted, with FIDO services available to just 150 million users so far via services such as Yahoo! Japan, eBay and Intuit, the owner of Quickbooks and other accounting services.
“We’ll see a shift to more consumer privacy-centric models of verification in the next 5-10 years, driven by growth in digital finance and DeFi”
Michael Ramsbacker, Chief Product Officer at online ID verification specialists Truiloo, is confident that the concept of SSI as a whole will only grow in the next 5-10 years: “We’ll see a shift to more consumer privacy-centric models that offer users more control over their personal information”, he says in an interview with PCM.
“The questions are firstly, who is going to provide those systems, and secondly, what trade-offs are consumers willing to accept – such as holding encryption keys on their phones.”
For Ramsbacker, the growth in digital finance and in particular digital currencies – as part of decentralised finance – may prove to be the biggest driver towards SSI as a form of verification.
That’s because when assets are held virtually, rather than in a physical institution or bank account, protecting them with fully-secure forms of ID that users control becomes more important than ever.
Everything is connected
As digital finance proliferates, the interconnected nature of different portfolios and accounts will make user control more important than before.
Think about what we’re told Open Banking will look like in five years’ time: a single portal that offers the opportunity to review investments, mortgage, retail bank accounts and insurance all in one place. Now imagine that account somehow gets compromised. The risks are clear.
Add to those risks a future enabled by the internet of things, in which car alarms, house locking and heating systems and many other features of everyday life can also be controlled remotely by users via password-protected apps, and it rapidly becomes obvious why users need completely secure and controllable identity.
The UK’s Financial Conduct Authority (FCA) has launched a pilot to explore onboarding users via an SSI, while new fintechs are springing up – such as cheqd, Pool Data and nuggets – that purport to offer SSI via encrypted digital wallets held on PCs or mobile devices.
There are, inevitably, speedbumps – if not roadblocks – to overcome, not least of which will be how many data points are sufficient to prove identity.
For example, will a biometric factor, such as a thumbprint, which unlocks access to a link leading to a Telegram channel’s user information be sufficient to confirm identity?
And if so, what happens if the reference file is corrupted or tampered with?
One answer being mooted to this question is the concept of a super-secure “Data Union”, in which consumers subscribe to a secure, independent data storage service that commits not to exploit or sell their data in exchange for a fee.
The Data Union is then referred to by third parties (think retailers or banks) to confirm the user’s SSI on request.
However this particular thread of the verification narrative plays out in the end, it’s clear that something must be done, since users are growing increasingly – and rightly – wary of being told they are receiving services for free only to find out they, or more specifically their personal details, are the product.
Comments