Self-Sovereign Identities to Protect Future Social Media Platforms from Hacking

The major Twitter Bitcoin scam appears to be the largest hack in Twitter's history. It raises grave concerns about the vulnerability of the social media platforms and the consequential implications on user confidence and, more crucially on data privacy.

This is not the first reported incident of this kind in which a social media company has failed to take adequate measures to protect personal data of the user. It is not yet clear whether the hackers were able to see the messages and other sensitive information linked to the hacked accounts, or the actual purpose was to take ransom.

The EU's General Data Protection Regulation (GDPR) dictates that organizations have a responsibility to demonstrate appropriate levels of security, and it is incumbent on the company not only to protect IT systems, but also to provide training, and to ensure that the staff remain vigilant. So, what are the implications on the company? Regardless of whether the hack was the result of compromised systems or negligence of the employees, Twitter is likely to face legal action under GDPR if the victim/s of the scam turned out to be EU citizens.

Therefore, if sensitive information had been compromised by the hackers, and as a result the victims had parted with their money, the company may be liable to pay compensation to those affected for any claims made it.

In addition, if data protection officers find that Twitter has failed to take adequate measures to protect European citizens, the Twitter could be liable to a fine of up to four percent of its global annual turnover. However, such action is unlikely to be successful in the US because most states do not have data laws that closely match those in the EU. That provides the basis for a valid reason to emphasize the importance of having an adequate global data privacy and security policy that safeguards and underpins the user and national interests, and prevent social media sites such as Twitter who handles large volume of personal data getting away without impunity.

The failure to do so will make the users become jittery about their privacy in the hands of the social media platforms and lose their confidence in them.

The root of the problem lies in the IT infrastructure of today’s systems that requires to hold a lot of personal data about their users, leading to the creation of data honeypots that are lucrative for hackers. In the case of Twitter, the hackers used the admin tool to access the user’s account. This ‘backdoor’ makes the system inherently flawed. One could have had the most complicated password in the world, stored in the most sophisticated way, yet the admin tool could have allowed access to the accounts as if Elon Musk had ‘tesla’ and Bill Gate had ‘office’ in all lowercase, as their passwords!

The question then arises that how could this single point of failure have been avoided? While these centralized infrastructures have been critical in today’s web, a decentralized web with self-sovereign identities (SSI), decentralized identifiers (DIDs) and verifiable claims, operating on a backbone infrastructure of distributed ledgers technology, may hold the key to a secure online future.

SSI refers to the idea that an individual should retain the ownership of their data and have control over their persona with an interacting party, giving them a precise authority over the information they wish to disclose. SSIs give the data owner a granular control to establish and govern the rights of access to their personal data.

Since the personal data always resides with the individuals, there is no avenue for data honeypot creation. Hackers would be required to hack millions of personal devices to access personal information of millions of subjects, rather than a single sophisticated attack like that of Twitter.

DIDs are a new standard for decentralized, verifiable, and self-sovereign identities by the World Wide Web Consortium (W3C). A DID is capable of identifying anything that the controller of the DID wishes to identify, and become particularly useful when used in combination with verifiable claims, which is another W3C standard that can be used to make any number of attestations about a DID subject.

For example, a verifiable claim can attest that an individual has been KYC-ed by Bank X in past, is over 18, lives in UK and has a valid driving license. Or in this case, Twitter can attest a verifiable claim on a DID controlled by Bob, asserting that Bob can login to a particular account using his SSI.  Verifiable claims can be extended to system administrators as well, i.e verifiable claims can assert that Bob is authorized to access only certain programs while Joe can access another set of programs.

While it is impossible to steal verifiable claims of another person’s (since they are cryptographically linked to the person’s identity), this separation of duties makes hacks like Twitter very cumbersome to execute. All verifiable claims and identities would be protected by the secure distributed ledger instead of central authorities.

It can also be used to store access permissions, logs and verification of personal identifiable information (PII).  These can provide the provenance information, accessible and controlled only by the owner of the data – the data producer not the social media platforms.

What’s Hot on Infosecurity Magazine?