What if we Gave Users Control of Their Own Digital Identity?

Digital identity is overdue for a reckoning. In recent years, it has become one of the great political issues of our age. From the global threat of cyber-attacks, to increased regulations, to presidential elections, to the rise and fall of corporate giants, to the everyday lives of the global population, digital identity now plays a central part in global, national, local and personal affairs.

Consumers have taken a renewed interest in the protection of their personal data and will readily dump one company for another if they don't believe the former will adequately protect their best interests. In fact, a report by Ping Identity showed that 81% would stop engaging with a brand after a data breach and 55% of consumers would not sign up to an online service that had recently been hit with a breach.

When the Cambridge Analytica scandal was revealed, many users fled Facebook, afraid for the safety of their personal details and how they might be used to manipulate democracy. In late 2020, when WhatsApp - a service whose entire selling point was privacy - updated its terms to share more data with Facebook, millions of users left.

On the illicit side of things, the picture is not much prettier. The UK government’s 2020 Cyber Security Breaches survey has shown that almost half (46%) of businesses reported some kind of cyber-attack in the previous year. And many are experiencing attacks more frequently, with 32% saying that such incidents happened at least once a week in 2020. For comparison, that was only 22% in 2017. Pew Research shows that Americans feel far less in control of their identity than at any time in recent memory, with 70% believing their personal data to be less secure than it was five years ago.

It’s for that reason that the world has started to take a very deep interest in digital identity and personal privacy. The EU’s General Data Protection Regulation (GDPR) came along several years ago, promising stark punishments for those that failed to protect the personal privacy of European citizens. The rest of the world has followed suit and there are now over 123 countries where privacy regulations have been passed or will soon pass, with many of those regulatory regimes modelling themselves on the GDPR.

Privacy is no longer negotiable, which raises a problem. That problem is not just for those who are legally bound to protect privacy or those who are most at risk of losing it - it’s a problem for everyone. With all the will in the world, privacy is a requirement that most cannot meet or comply with. That is for one simple reason - digital identity is broken.

So, with that in mind, let me propose how we might change it and put users back in control of their own digital identities.  

The current model of digital identity provision goes something like this. Users authenticate to an identity provider. Then, they are passed on to a service provider. This model leaves next to no control for the user over their own identity, and that is why our current model of digital identity is broken. Instead, I propose that the identity provider and the user switch places.

In such a model, identity providers would give individuals a digital identity through which all important records of the relationship and various transactions could be kept and stored in a secure identity wallet placed, say, on your phone. That wallet can be protected behind powerful biometric authentication, and filled with pre-validated identity claims. From there, users could pick and choose which parts of their personal data to share and not be required to hand over the entire tranche as they often do now. Additionally, enterprises would then be able to verify those identifiers quickly through cryptography and provide a better customer experience. This not only increases user privacy and control; it also removes friction as these data exchanges can take place without requiring separate consent to be shared with other third parties to provide the data on behalf of the user.

This is sometimes called decentralized or self-sovereign identity and it represents a radical shift in the power dynamic between service providers, identity providers and users.
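The exchange described above, as an added example that is not part of the original article: an identity provider commits to each claim separately (a salted hash per claim) and signs only the list of digests; the user's wallet stores the claim values and salts; at presentation time the user reveals just the claims a service needs, and the service checks the issuer's signature and recomputes the revealed digests. Because the Python standard library has no asymmetric signing, an HMAC with a placeholder key stands in for the issuer's digital signature (an assumption of this example; a real deployment would sign with the issuer's private key and verify with its public key). Claim names, values and the issuer name are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Assumption: HMAC with a shared placeholder key stands in for the issuer's
# asymmetric signature. In practice the issuer signs with a private key and the
# service provider verifies with the issuer's public key.
ISSUER_KEY = b"issuer-signing-key-placeholder"  # constructed placeholder
ISSUER_NAME = "idp.example"                     # constructed sample issuer


def _digest(claim_name: str, value, salt: str) -> str:
    """Salted commitment to one claim. The random salt stops a verifier from
    recovering undisclosed low-entropy values (e.g. over_18) by guessing."""
    blob = json.dumps([salt, claim_name, value], separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


def issue_credential(claims: Dict[str, object]) -> Tuple[dict, dict]:
    """Identity provider side: pre-validate claims, commit to each one, and sign
    only the sorted digests so the credential itself reveals no claim values.
    Returns (credential, wallet): the wallet holds each value with its salt."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(_digest(n, claims[n], salts[n]) for n in claims)
    payload = json.dumps({"issuer": ISSUER_NAME, "digests": digests}, sort_keys=True)
    signature = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    credential = {"payload": payload, "signature": signature}
    wallet = {name: {"value": claims[name], "salt": salts[name]} for name in claims}
    return credential, wallet


def build_presentation(credential: dict, wallet: dict, reveal: List[str]) -> dict:
    """User side: attach only the chosen claims (value + salt). Undisclosed
    claims stay as opaque digests inside the signed payload."""
    return {
        "credential": credential,
        "disclosed": {name: dict(wallet[name]) for name in reveal},  # copy, not alias
    }


def verify_presentation(presentation: dict) -> Optional[Dict[str, object]]:
    """Service provider side: check the issuer signature first, then confirm each
    disclosed claim recomputes to a digest the issuer actually signed.
    Returns the verified claims, or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None  # payload altered or not from this issuer
    signed_digests = set(json.loads(cred["payload"])["digests"])
    verified: Dict[str, object] = {}
    for name, d in presentation["disclosed"].items():
        if _digest(name, d["value"], d["salt"]) not in signed_digests:
            return None  # value tampered with, or claim never issued
        verified[name] = d["value"]
    return verified


def demo() -> bool:
    """Walk through issuance, minimal disclosure, and two failure cases."""
    credential, wallet = issue_credential(
        {"name": "Alice Example", "over_18": True, "address": "1 Sample St"}  # constructed
    )
    # Age check: only over_18 leaves the wallet; name and address stay private.
    ok = verify_presentation(build_presentation(credential, wallet, ["over_18"]))
    # Tampered value: the digest no longer matches anything the issuer signed.
    bad = build_presentation(credential, wallet, ["over_18"])
    bad["disclosed"]["over_18"]["value"] = False
    tampered = verify_presentation(bad)
    return ok == {"over_18": True} and tampered is None


if __name__ == "__main__":
    print("demo passed:", demo())
```

The property worth noticing is that the service provider learns exactly one claim and still gets issuer-backed assurance for it; the identity provider is not contacted at presentation time, so it cannot see where the user is logging in.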

It’s not just a pipe dream either, but a rising current in the sector. In early 2020, Gartner proposed that "decentralized identity and the renewed interest in protecting privacy and data ownership will be transformational. There is a reasonable indication that the winners in the next decade will be those that figure out the new formulas for adopting a decentralized identity."

Decentralized identity could put users in control of their own identity. It reduces their level of risk when the next mega breach hits, releases businesses from the burden of storing personal information and as a result, improves compliance with privacy regulations.

On a holistic level, such a movement could bring trust back into online transactions, allow enterprises to better protect personal data and grant users more control over their data in a time when they have far too little.
