Who gets to own your digital identity?

Christoffer O. Hernæs
Contributor

Christoffer O. Hernæs is chief digital officer of Sbanken, Norway’s first digital-only bank and leading challenger bank.

More posts by this contributor

“On the Internet, nobody knows you’re a dog,” was stated in the legendary New York Times cartoon that captured the spirit of privacy and anonymity in the early days of the internet. Even though anonymity is still a hot topic and sought after in the online world, times have changed. With the rise of online banking, social media, e-commerce and peer-to-peer services, a verified digital identity is a crucial ingredient in making any digital platform succeed.

Banking is one of the areas where the ability to verify one’s identity in a secure and compliant manner is a prerequisite to access basic services. Looking at the unbanked population of the world today, it is estimated that as many as 1.5 billion people lack access to everyday banking services due to their inability to prove their identity through a valid birth certificate, passport, proof of residency through utility bill or some other means to fulfill traditional KYC procedures.

In addition to accessing digital banking, most of us also have verified our identity through a plethora of services like Google, Facebook, Blizzard and the list goes on, through various means of identity verification that make up an interlinked web of interdependencies, where one of your identities vouch for your eligibility to access another service. Two-factor authentication or biometric identification often rely on your mobile phone, and when you choose to log in with Facebook, you authorize Facebook to represent you online. While this is often convenient for easy and quick access to the latest mobile app you want to try out, you are paying a price by allowing Facebook to share and sell not only your data but also your digital identity.

However, your digital identity is more than your login credentials. This is merely the authentication that connects you with the digital you. Your digital identity consists of thousands of data points that make up a profile of who you are and your preferences. Today, your digital identity is scattered all over the internet, where Facebook owns our social identity, retailers own our shopping patterns, credit agencies hold our creditworthiness, Google knows what we have been curious of since the dawn of the internet and your bank owns your payment history. As a result, we are all analyzed in detail to predict our future behavior and monetize our digital identities.

A verified digital identity is a crucial ingredient in making any digital platform succeed.

Not only do we lack ownership of our own data, but our fragmented digital identities where various third parties own bits and pieces only gives part of the picture, and also proposes vulnerabilities for those third parties. As an example, fraudsters have started to take advantage of this in countries with no national identifier by creating synthetic digital identities by signing up digital services and applying for credit. Even though the initial credit application is rejected, a credit file is automatically created, thus creating a digital paper trail for a non-existing person. With approximately 10 million new consumer credit files generated in the U.S. each year, synthetic identities can be very difficult to detect. Over time, these synthetic identities gain access to credit, and bank losses due to synthetic fraud are estimated to amount for somewhere between $1 billion and $2 billion each year.

In the wake of numerous exposures of how our data is exploited, with Cambridge Analytica as the most notable example, privacy becomes an increasing concern for the public, as well. Apple seeks to leverage this attention to digital privacy by taking a radically different approach than their counterparts with “sign in with Apple,” where privacy is the main selling point for using their service instead of Google and Facebook.

Blockchain is often proposed as the silver bullet to solve all our digital identity needs, something that has caught the attention of Mark Zuckerberg that addresses what he sees as the pros and cons of a decentralized approach to digital identity. As Facebook represents a quintessential man in the middle, losing ownership of all our identities is most likely the biggest con of a decentralized approach to digital identity in the eyes of Zuckerberg.

With the upcoming launch of Facebook’s cryptocurrency, Libra, the company has the potential to further strengthen its position as a leading provider of a global digital identity solution. Often overlooked with most of the attention directed toward the cryptocurrency, many point to the decentralized identity associated with Libra as the most interesting aspect of Facebook’s plans. A passage hidden away near the bottom of the documentation states: “An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition.”

There is too much at stake when it comes to our digital identities to remain unvigilant.

A consolidated and verified digital identity would be beneficial to both users and providers of digital services. However, allowing Facebook or The Libra Association to be the custodian of our consolidated digital identity is a sinister trail for the future of both privacy and democracy.

On the other hand, the Holy Grail of decentralized identity, often named a self-sovereign identity, has its weaknesses, namely ourselves as human beings. We tend to be forgetful, and sometimes downright unreliable. Letting users keep the only key to access their digital identities is a recipe for disaster the moment someone forgets their password or pass away. There is nobody to call and no Forgot Password button to reclaim the ownership of the identity.

It is difficult to envision a future of digital identity without relying on some kind of identity custodian that maintains a verified connection between your physical and digital self, ensures that no data is used without consent, monitors malicious behavior and provides user support in case of a lost key. This is far from an easy solution and should be provided by a regulated entity. One thing is for sure, such a solution relies on trust and must give the end user full ownership of their own data, similar to data portability under GDPR.

There is too much at stake when it comes to our digital identities to remain unvigilant of what is going on, as shown numerous times through both data breaches where our personal data is compromised and manipulation of public opinion through social media.

No matter which technology or appointed custodian we deploy to solve this, our identities should belong to we the people rather than one corporation or consortium of corporations that seek to exploit our data for profit.

Read More