Designing Digital Identity
By Vishal Venkatesh
December 7, 2020
Personally identifiable information can be any data that helps identify a person. The more uniquely identifiable the data is, the more sensitive it is said to be. Features that are used to identify people in the real world often include our full name, date of birth, gender, residence, ZIP code, etc. We are largely forthcoming with this information when asked. After all, why wouldn’t we be? This information is assumed to be stored in mutually exclusive data storage facilities that aren’t interconnected. We typically don’t recognize that answers to questions such as what school you went to or what your pet’s name is are often the key to accessing our personal accounts online via our security questions. Perpetrators frequently use this to steal identities. Their actions could disrupt the owner’s credit scores or even allow the perpetrator to commit life insurance fraud under the owner’s name. According to a report by Symantec, account takeovers increased by 81% in 2019. Victims lose a lot of time and money trying to take back their identity, and it is indisputable that identity theft has very real emotional and physical consequences. A survey conducted by the Identity Theft Resource Center revealed that:
- 66% of the participant victims feared for their financial security
- 84.1% reported disrupted sleeping habits
- 7% reported even feeling suicidal
Of course, we wouldn’t hand over such sensitive information to every stranger who asks. How about online? While identifications issued to us in the analog world define us by direct features such as name, address, credentials or even account numbers, our digital footprint provides so much more. The choices we make online reflect whose podcasts we listen to, how we travel to work every day, what content we consume, what ideology we subscribe to and largely who we are and what we believe in as an individual. Clearly, our digital footprint provides as in-depth an insight into our personalities as perhaps a friend or family member could. Unfortunately, these profiles aren’t stored in mutually exclusive databases and are in fact interconnected and cross-referenced. Several profiles created by each individual are linked together for monetization, using data provided such as profile pictures, date of birth, banking information, etc.
This cross-referencing process was further expedited by Single Sign On (SSO) infrastructure. We use countless services in the digital world which require us to create a unique account so that the service can be tailored to our individual needs and interests, thereby creating dozens of accounts and passwords to remember. Cloud computing proposed to solve this inconvenience by introducing SSOs (the most popular services being those of Google, Facebook and, more recently, Apple). The convenience afforded by these services through integration with their mobile operating systems or web browsers has been revolutionary. Consumers rarely find themselves thinking twice about logging in instantly via these services rather than going through the hassle of creating a new account. Digital services have embraced SSOs for their ability to provide easy access to the user data required for tailored services and for keeping users from being discouraged from providing their data. SSOs are a unifying hub that stores user data across platforms and services, essentially creating a holy grail of information about users: their usage patterns, what content they consume, how they prefer to consume it, what ideologies they subscribe to and the most efficient manner to tailor content for their consumption. By building niche silos of information for consumption, they fence users off from ideas they don’t typically subscribe to (re: microtargeting). This can have far-reaching consequences for the polity of a country.
It creates a tool that can knit together factions of the digital content available, based on your demographic and usage data, for the sole purpose of keeping you hooked on consuming its service. It undeniably raises concerns about privacy, data security and consumer welfare. Not only does unifying and collecting all user data in one place make it a target for thieves to prey upon, it also requires a lot of faith in companies to handle this data responsibly. This was brought to attention in 2016 amidst the Cambridge Analytica scandal. It was revealed that Facebook allowed third-party firms to access users’ data at will, without their knowledge. They allowed this with the intention of letting third parties analyze user statistics to create content that trends had shown to be more engaging. This was done to keep users engrossed on their platform. Facebook only cared about making content that would encourage more consumption, with a shocking disregard for data security and the liabilities of its misappropriation. Much has changed since, with Google and Facebook having made changes to their data storage and security policies. This, however, still puts these companies in a powerful position where safer data management is enforced not by policy or law but by their goodwill.
Technology so influential that it can have such far-reaching consequences may need to be regulated by public bodies (without censorship), or must at least be held to the greatest functional, ethical and democratic standards possible by competing services, to ensure that the tool works for its end users. Unfortunately, neither happens. We must ensure that the technology we adopt works towards user convenience without sabotaging consumer welfare for the sake of marketing conglomerates. For this, we must rethink our idea of what purposes digital identity serves and demand that its infrastructure be designed afresh around these newly recognized interests.
For ideas on how to go about designing infrastructure for digital identities with reference to current needs, the boardroom must take notes from the online money transfer industry that arose during the late 1990s and early 2000s. This was the need of the hour at a time when internet usage was going mainstream and customers were looking for solutions to shopping and banking online. Firms innovated software that was secure to use without compromising convenience. They did this by developing software databases and building infrastructure for its use. Noticeably, the challenges that confronted the industry are comparable to those of the digital identity industry: they needed to build a convincingly safe platform for larger sections of the population to adopt, and they needed to cater to the shopping and banking needs of their time to become a mainstream and accepted mode of payment.
Fast-forward to 2020 and, with the onset of the COVID-19 pandemic, we do not just shop and bank online; we work, learn, access government services, even consult a doctor, etc. A majority of these services that used to be mandatorily done in person have now been forced to work online or perish. To adapt, we need to build the digital infrastructure required to enable it. A key component of this foundation, in which all our information is stored (be it regarding our health, what books we read or what news we watch), will be our digital identification. With the invention of the credit card, digitizing and developing online transfer software was an organic process. This made digitizing payment methods easy. Replacing documents like our insurance, loyalty, or even blood donor cards is going to be a whole other ball game.
A key feature of widely adopted IDs is the scope of their acceptability and interoperability. To create verifiable identification systems that can meet the purpose and requirements of, say, your health insurance or loyalty cards, we need to define a set of norms and specifications that these systems can meet so as to qualify them as valid IDs. Such a reliable system that is widely accepted can consequently provide a validated ID that can stand on its own. This could be the first step towards accepting the credibility of those whose services we choose to subscribe to online. As of now, there is no popularly accepted verification system that can be used to check the credentials of people whose services we subscribe to online. A valid digital identification could be the first step towards a system that verifies the credentials of a professional without the professional having to divulge too many personal details, thereby allowing a greater degree of anonymity.
This addresses an important issue that is prevalent when identifying people online without established digital identification infrastructure: the need to reveal more personal and sensitive data than is required to verify their identity. Therefore, we require dedicated software in accordance with redesigned web standards to prove identity. Existing SSOs merely provide identity for logging into web portals. The issue with providing an identity that cannot be proved is that it fails to provide authentication. The problems that can arise from failing to authenticate the professionals whose services we use are obvious (you wouldn’t consult a practicing doctor if you weren’t confident of whether or not she earned an M.D., would you?).
About a third of tweets regarding the Brexit vote were generated by unauthenticated accounts, more precisely, bots. There is an underrated upheaval of accountability that authentication can bring to digital communities. Imagine forums without bot-generated spam saturating the comments section of a politically informative post, or a petition that you can share across the globe online and still maintain the value of each signatory because it has been signed by authenticated individuals rather than with unverified or possibly fake identities. Imagine a digital world where e-commerce websites (which grew by over $52 billion and are soon to be primary markets) do not have to deal with fake reviews, thus creating a market where customers can buy products after reading reviews that they can actually trust. This would pave the way for healthier use of the web for both customers and honest businesses. This is what a verified identification system can do for the digital world.
A sustainable identification service built with end users prioritized as primary customers rather than as products can help create a more accountable, equitable internet community that all people, businesses and consumers alike, can benefit from. The problem with the digital identification available currently is that it has now become synonymous with the constant tracking that comes with it. A system that can track your location, commute, purchases and day-to-day activities at all times, though increasingly common across developed countries like China and most of the US, is absolutely dystopian and must not be accepted as the norm. This has drastic consequences such as political surveillance, data profiling and microtargeting. It threatens the tenets of our political and representative democracy.
To prevent profiling of data by SSO service providers without having to lose out on the convenience they offer, we need a service that eases the process of creating a new account for web services without providing personal data to the service provider. This would require the SSO to generate a unique identifier for each website the signee uses, essentially blocking the web provider’s ability to obtain and sell user data that can be cross-referenced with other platforms in order to profile users without their knowledge. The lack of profiling would mean a severe blow to surveillance capabilities. Users would not have to use ad blockers and web services would not need to erect a paywall for their services. Thus, both businesses and consumers benefit from this model (Hint: It’s called humanID).
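One way to derive the per-website identifiers described above is a keyed hash over the website and the account, shown here beside a shared identifier that lets two sites match their users. This is an added sketch, not code from the article or from humanID; the provider key, function names, account names and domains are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical provider secret; in this sketch it never leaves the SSO provider.
PROVIDER_KEY = secrets.token_bytes(32)

# Constructed sample accounts and relying websites.
USERS = ["user-1001", "user-1002", "user-1003"]
SITE_A, SITE_B = "shop.example", "news.example"


def _mac(*fields: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()


def shared_id(user: str, site: str) -> str:
    """Weak design: every website receives the same identifier for a user."""
    return _mac(user)


def pairwise_id(user: str, site: str) -> str:
    """Per-website design: the identifier is bound to the receiving site."""
    return _mac(site.lower(), user)


def linkable_accounts(scheme) -> int:
    """Count accounts two colluding sites can match by joining on the identifier."""
    seen_by_a = {scheme(u, SITE_A) for u in USERS}
    seen_by_b = {scheme(u, SITE_B) for u in USERS}
    return len(seen_by_a & seen_by_b)


if __name__ == "__main__":
    print("shared identifier, linkable accounts:  ", linkable_accounts(shared_id))
    print("pairwise identifier, linkable accounts:", linkable_accounts(pairwise_id))
    # A returning user still maps to the same account on the same site.
    print("stable on one site:",
          pairwise_id("user-1001", SITE_A) == pairwise_id("user-1001", SITE_A))
```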