• Article

    Identity and Data Privacy – Predictions for 2021

    2021 is going to be a significant year in Identity and Data Privacy. Since the GDPR went into full enforcement in 2018, we’ve seen many countries rapidly change or update their Data Privacy laws. Although intended to protect the individual, the number of Data Privacy Rights has increased dramatically. And this is compounded by the fact that emerging technologies are putting a huge burden on identity and Identity systems.

    The world is also experiencing an acceleration of technologies that rely heavily on Identity and Identity systems.  As a result, I predict there will be a need to use Identity systems to facilitate new ways for people to access services:

    • carry out financial transactions with cryptocurrencies,
    • validate vaccination and health status due to Covid-19,
    • help big tech better moderate objectionable content.

    These are my predictions for the year ahead – share your feedback below!

     

     

     

    Immunity Passports will become ubiquitous

    As a result of Covid-19, many countries are looking at how they can relax travel restrictions. A cruise company recently confirmed that they will not be accepting passengers unless they have been vaccinated. This is very likely to be the case for many other travel companies in 2021. This raises the issue of Data Privacy because some of these companies will now be collecting confidential, protected health information from their customers, which they need to manage going forward.

    Technologies are being developed right now to create things like Identity Passports through which travellers can present a negative COVID test result or proof of vaccination. This will then be tied to their identity to determine the right to travel. This will put a significant burden on identity systems as we seek to combine health information with travel information. Identity is going to be critical in making sure that organizations can have confidence in any test results or new data provided.

     

    Links between Cryptocurrencies and Identity

    An essential part of bringing cryptocurrencies to people worldwide is the ability to have users create and maintain digital wallets. A fundamental purpose of digital wallets is to allow the unbanked or underbanked access to digital currency systems. As a result of this, Identity and Identity verification systems will grow in significance to cryptocurrencies.  Identity and cryptocurrencies will be tightly bound together and initiatives aimed at getting people to use digital currency in the digital wallet will depend very much on adoption of the underpinning identity systems. Data Privacy and Data Protection will become the central point for developing trust in these digital money systems.

     

    Emerging technologies and Identity

    Emerging technologies like virtual reality (VR) and augmented reality (AR) and mixed reality will require more information about individuals as they move around, interacting with these systems. It will be vital that users are correctly identified and ‘marked’ appropriately so that, for example, their access to certain types of services can be restricted if needed. Identity plays a big part in this, and we will see increasing amounts of data collected about individuals which need to be protected to ensure their privacy rights.

     

    Big Tech, Identity, and Content Moderation

    Content moderation by big tech companies has become a hot issue in the US and the EU. Governments are looking very closely at Big Tech’s role in moderating content and its support for law enforcement when investigations relate to its customer base. As a result of this, and as we’ve seen recently in the US Capitol attack, the big tech companies are being asked not just to moderate conversations but also to track people that are causing harm or planning harmful events.

    This is likely to result in more regulation around the responsibilities of ‘Big Tech’ in this area. In many different scenarios, I can see that this will cause a considerable uptick in how tech organisations identify users – particularly if it is to be used for law enforcement reasons.

    It will be interesting to see how 2021 evolves. But whatever happens, it is likely that Identity and Data Privacy will play an increasingly significant role.

     

    Author

     

    Debbie Reynolds

    Debbie Reynolds, “The Data Diva,” is a world-renowned technologist, thought-leader, and advisor to Multinational Corporations for handling global data privacy, an internationally published author, highly sought speaker, and top media presence on global data privacy and data protection topics.

     

     

     

     January 28, 2021
  • Christine Martin posted an article

    Embrace the Ethical Implementation of Digital Identity

    It is more important than ever to take back control of our identities.

    I just had two different but related things happen with my 18-year-old daughter regarding her identity…

    This week, I took her to the DriveTest Centre to get her G1 (driving license). Since she’s 18, I left it up to her to ensure she had all the necessary documentation. She brought her Ontario Health Card and Canadian Passport. When it was her turn, she went to the counter and presented her documents. The representative looked over the papers and let us know the passport was expired, and thus she could not accept it. She asked if she had another piece of identification, like a birth certificate. Of course, she did not have this with her. As we left the DriveTest Centre, I mentioned that we wouldn’t have had this problem if she had a digital wallet that could store her identity documents. She would have had all her credentials on her phone to prove who she was. She told me, in short, that it wasn’t a better alternative because she just watched a movie on digital identity, and we are all going to turn into tracked and controlled robots of Big Brother if we let that happen.  

    My daughter opened a new bank account online, but she still has to present herself in person to finalize things. With a digital wallet holding credentials and verification via biometrics, she could have completed that step online and had access to the new account immediately. Why does the bank offer the option to open an account online?

     

    You’re already at risk.

     

    Maybe it’s because of the nature of my job in decentralized identity consulting, but lately, I’ve been seeing a lot of conspiracy theories on social media about Self-Sovereign Identity (SSI). People criticize the way it’s being implemented and warn about the negative consequences it will have. It’s almost as if people don’t realize that organizations are already monitoring and influencing us and that Google and social media algorithms have been instrumental in this.

    Right now, Facebook owns your identity and essentially decides what you see in your feed; and Google tracks your every move. These companies claim our data as their asset and make money off it.

    “Many acts of ‘digital misdirection’ are happening before our very eyes every day, and we are starting to become more aware of them. Every action we perform online has become a piece of data which is used to coerce and constrain our digital experiences. We see it in the ads that show up across all our devices following an Internet search, in the ever-narrower set of content we’re shown on our social media sites, and in the increasingly compelling, and sometimes spooky, product recommendations we receive. This digital misdirection goes on to the point that we begin to wonder whether we can still exercise any free will online at all.” – The Rise of Surveillance Capitalism

    What if you could monetize your identity? What if you could share extra preference data with Facebook and allow them to share that data with a third party for a fee? You could charge $0.50 for every additional set of preference data you share. Self-Sovereign identity can give you control over your data and generate passive income. Why wouldn’t you pick this option?

     

    How can we trust them to be honest stewards of our data?

     

    A lawsuit has been filed against Google that stems from investigations dating back to 2018 by Princeton University and the Associated Press. The lawsuit alleges that “Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access. The truth is that contrary to Google’s representations it continues to systematically surveil customers and profit from customer data.”

    What else are these media giants doing that we haven’t figured out yet? How Bad is the Global Data Privacy Crisis? And you want them holding your information? I’m confused.

    Platforms like Facebook and Google aren’t fond of losing access to people’s data; having less control over the user data makes it far less valuable for monetization. I’m not sure why people aren’t more concerned with this aspect.  I can’t help but come up with my own conspiracy theory: the Facebook algorithm suppresses positive news and advancement in SSI while pushing misinformation.  With digital identity, you (the holder) will be able to control your identity and decide which credentials to share with whom.  That’s a significant loss for big tech.

     

    SSI Architects care about privacy and security

     

    I saw a Facebook post shared with a photo of a copy of The World Economic Forum – Advancing Digital Agency report with the quote, “Digital ID, it isn’t just a rumour, people. WEF wants to control everyone’s life. SHARE“. The WEF report is more about protecting users, the challenges of broken trust, and data intermediaries instead of controlling everyone’s life.  There are many benefits to Digital Identity, particularly with vulnerable and marginalized groups (refugees). 

    We care about privacy and security; we have the same concerns. Organizations like Evernym/Avast want to embed eIDAS in their products, but only if it addresses these four problems and maximizes opportunities. 

    Something crucial for laymen to remember is that governments cannot build and implement these frameworks without help from the private sector. That includes SSI consultants like us here at Continuum Loop. We’re regular members of society; we have friends, family and children that we care about and want to protect: now and in the future. We are involved because we care and are aware of the negative implications and aspects; we can help mitigate these factors, build these frameworks, and make them beneficial for all.

     

    Hold, own, and control your credentials/identity.

     

    Digital ID is nothing new; it’s been around for a while in one form or another. However, the COVID pandemic has caused a “digital acceleration” event where our reliance on technology has catapulted forward. The pandemic has accelerated the adoption in many ways, like the increased use of QR codes and contactless payment to mitigate the risk of exposure to the virus. In particular, it has helped to raise awareness of the need for such a system and its benefits.

    You will take back control of your identity and hold it. Not Facebook, not Google, and you will decide what credentials to share on a need-to-know basis. We don’t have to be scared of the shift; we have to ensure the architecture is built ethically for all.

     

    The Privilege of Hesitation.

     

    We are privileged to be able to be so critical of these emerging technologies. We take for granted that the college or university we graduated from will always be there or that our government institutions will always be in place and functioning to provide us with the services we need. I can’t help but wonder how a current refugee, who had no time to take paper documents, would feel to have the ability to easily prove their identity while starting over in a new country. All we have to do is look to Ukraine and see why centralized Identity systems can cause a problem.

    Many Ukrainians have been displaced and need to apply for new documents to be able to travel and access services in other countries. The centralized identity system can make it difficult for people to get their records. As different groups seek refuge, they face unique challenges. Many Ukrainians of Roma origin, for example, suffer discrimination in Ukraine and may not have any documentation indicating their identity or citizenship. Being undocumented as you flee conflict and navigate foreign countries can lead to many dangers like human trafficking. Desperation can lead to refugees bribing government officials to get their documents. 

    In contrast, Estonia has a practical but highly-centralized digital identity system that makes it easier for people to access the various services they need. While it is centralized and questionable from a privacy and surveillance perspective, this system allows for secure and transparent transactions that make citizens’ and e-residents’ lives more convenient and secure. The Estonian government has been using this technology since 2001, and it has helped them become one of the most digitally advanced countries in the world. 

    While this implementation of digital identity is not ideal for many reasons, it’s a step in the right direction, and we can build from it. The flaws within the system (e.g. privacy, centralization) can be handled.

     

    Rebuilding Trust

     

    These technologies cannot move forward without the general public’s adoption. Organizations must rebuild trust for this to happen. Those building the framework architecture are fully aware of this challenge; the general public has lost confidence in the way organizations hold and use their online information.

    There are many possible ways to rebuild trust. One way is to give people more control over their information. With Self-Sovereign Identity, they can choose what information they share and with whom, and they can also see how their data is being used and change their settings accordingly. 

    Another way to rebuild trust is to ensure that the technology is secure. People need to know that their information is safe when shared online. Organizations need to ensure that they use the latest security technologies, such as Blockchain Technology, to protect people’s information.

    Finally, people need to know that the organizations they trust with their information are reputable and honest. Organizations need to be transparent about how they use people’s information and the steps they take to protect it, and Verifiable Credentials will facilitate this.

    In a world where corporations and governments are constantly harvesting our data, it is more important than ever to take back control of our identities. Self-sovereign identity is a new way of thinking about identity that puts the individual in charge of their information. We should embrace it and use it to create a more just and equitable society.

     April 26, 2022
  • Francesca Hobson posted an article

    Have We Reached Peak Privacy?

    A celebration of data privacy month and how privacy needs to remain at the forefront of IAM.

    Data privacy has made big headlines in the last 12 months. Wherever we look there is an article about a data breach, a data protection regulation update, or a colleague talking about data privacy. It may have all gotten too much and we have to ask ourselves: have we reached “peak privacy”?

    In the identity space, data privacy was never really a consideration until we entered the realms of the consumer. In enterprise IAM, although we were, in fact, using the personal data of our employees, privacy was rarely, if ever, mentioned. When the enterprise perimeter earthquake happened, and we moved our IAM services to cover consumers and citizens, data privacy started to enter the industry parlance.

     

     

    Why it is important to not become jaded about privacy

    Data breaches and privacy violations can almost be thought of as a kind of ‘digital trauma’. When I heard about the Collective #1 data breach which exposed 773 million data records, I just thought, “Oh no, not again”. I searched HaveIBeenPwned and sure enough, my email address showed I was part of the data breach. But I didn’t feel worried, as I should have, because I have become desensitized.

    Desensitization is a common issue amongst people who experience trauma. So, for example, teenagers who are subjected to real-life violence become less affected by acts of violence than their counterparts. If you experience something over and over you do get used to it happening. That does not, however, mean that it should be tolerated.

    As I write, there will be continued breaches that affect our personal data. GDPR helps to focus the mind of organization leaders, but it does not stop cybercriminals trying to get at our personal data. Since the GDPR came into effect, law firm DLA Piper has recorded 59,000 personal data breaches across Europe.

    As custodians and processors of personal data, we can’t just turn a blind eye to privacy. It hurts our businesses as much as it hurts the customer who forgoes privacy. A report by Privitar said that 90 percent of consumers are concerned that technological advancements are a risk to data privacy.

     

     

    Tech and privacy - A good double act in IAM?

    IAM platforms have needed to innovate to keep up with the tidal wave of personal data and to improve customer experience. Data is an incredibly useful commodity that can be used to do online jobs, including making onboarding processes digital. Privacy, as seen through the lens of the IAM technology stack, should be intrinsic across a platform. But what does that mean in practical terms? Can we have our privacy cake and eat it?

     

    Privacy peak 1: Great UI/UX can facilitate good data privacy

    The touchpoint between the identity management backend and the user is where the data privacy choice begins. It is also where your relationship with the customer begins. Privacy is an intrinsic part of trust which is a relationship building tool. Your UX should guide your customers down a pathway that distills privacy for them. The UI should reflect the data processing you do in a simple way. If you do this, you start on a pathway to trust by being privacy respectful.

     

    Privacy peak 2: Deliver what you promise

    If you tell users you won’t use their data for X or Y, then don’t. If you tell users you will use their data to give them a better service, do so. This type of basic thinking has to be part of the design process at the beginning of building a service. If you have to retrofit it, it is harder to do, but not impossible. Using an identity API-based service architecture can help to facilitate the addition of missing features that enhance privacy.

     

    Privacy peak 3: Consent is fluid

    Consent management comes in many forms. You should have already taken consent when you first touched the customer’s data. However, consent is fluid. People change their minds. Build consent for data privacy control into the system, end to end. This can be included in transaction consent - OAuth 2.0 and UMA are example protocols for achieving this. Consent management can also be included in the user’s account manager. Consumer IAM vendors are now beginning to add in the ability to manage consents across services. Even the blockchain can add value here - used as a layer for consent transaction receipt and audit, it offers an immutable way to show that you have taken the consent requirements of the GDPR seriously.

     

    Privacy peak 4: Technology is the friend of privacy

    Privacy is about individual choice, but data privacy is augmented and enforced using technology solutions. Always use the best possible security solutions to enforce the privacy choices of your customers. Make these as seamless as possible. This can be a challenge in certain customer-facing areas, like authentication. But the world of authentication is starting to offer solutions to the conundrum of usability vs. security. Other areas, like data in transit and at rest should be secured, by design, in any system that moves personal data, in all of its forms, around.

     

     

    Let’s make data privacy month data privacy by default

    Data Privacy Day has now become Data Privacy Month which runs throughout February. As custodians of people's data, we should never, ever, be desensitized or complacent about data privacy. Data privacy holds the key to the relationship we need to build between our service and our customer. Privacy is not about hiding data, it is about using it with due respect to the person that data represents. When you next set out an RFP for an identity service, make sure you add in a requirement that asks for privacy by default.

     

     

    Author

    Susan Morrow

    Having worked in cybersecurity, identity, and data privacy for around 35 years, Susan has seen technology come and go; but one thing is constant – human behaviour. She works to bring technology and humans together. 

    Find her @avocoidentity