Talking about digital identity makes you sound like a conspiracy theorist.
The government, banks, health care, and retail companies all have something in common.
You.
They’ve all collected huge amounts of data about you.
Each industry has its specific reasons for collecting this data, but they share a common need to ensure you are who you say you are, and to get as much insight into you as they possibly can.
This is not necessarily for a nefarious purpose (though that is always a possibility). More often it is so they can make better business decisions based on more complete information, or sell that information so others can use it. See “Data Brokers: Last Week Tonight with John Oliver” for some jaw-dropping examples of the information available to buy (and piece together) in the brokers' unregulated world. John summarized it well when he said “They know significantly more about you than you might think, and do significantly more with it than you might like.”
Digital Identity Changes the Way We Think and Act
Our day-to-day lives are quickly shifting from in-person interactions to digital ones. The pandemic sped this process up, but it was happening regardless.
Moving to a digital environment changes the way people think about things. Money is a great example. It’s much easier to be conscious of how much you are spending when you need to take physical bills out of a wallet than it is when all you have to do is tap a card. Identity is similar. You would rightly be concerned if your passport or driver’s license could be accessed by people who don’t need to see it, yet many of us give little thought to creating a new account and handing over personal information.
Big data and machine learning are allowing previously unmanageable quantities of data to be mined for business gold, with digital identity as the central cog in all of it. This is true for both categorized trends and personalized services.
Different industries and government agencies are jockeying to own the digital identity by being the dominant platform people use. Banks, governments, Google, Alibaba, etc. have a very large carrot with their ability to provide more convenient, useful and insightful services. However, the power that comes with such central control is significant.
Imagine the insight (or control) any one organization, public or private, would have through analyzing many or all of your digital identities. They could have your health, investment, spending and travel information as well as government documents or anything else you can think of. Imagine the repercussions of a meaningful data breach or, worse, a competing entity that is able to gain access and sit there monitoring without anyone knowing. (Think nation states like Russia or China.)
How do we balance the innovation and convenience of combining data with keeping this power in check?
Open vs. Centralized Digital Identity
The finance industry globally has come up with one solution, known as open banking. In open banking, any data specific to you is “your” data and your digital identity is owned by you, but all sorts of services are able to access this store of data once you approve. This approach has taken off globally (with the notable exception of the US) and is expected to be worth approximately $75.7 billion by 2028.
While open banking is specific to the financial industry, the underlying mechanics could work anywhere.
Because open banking is specific to one industry and hasn’t caught on in the US, centralized digital identity continues to be a problem.
Different solutions are being put forward, such as a not-for-profit organization in Canada called the Digital Identification and Authentication Council of Canada (DIACC). DIACC has created a trust framework to “completely and securely participate in the global digital economy” for both the public and private sectors.
The key takeaway is that your data and digital identity should be yours and nobody needs to have control. There are solutions out there. Given time, the hope is that a standard solution will be found. In the meantime, it’s vital to understand what control and power you are giving to others when you sign up for a new account or give information. Once given, it can be very difficult if not impossible to rein in. It may be worth it, but make sure it’s an eyes-wide-open decision rather than a thoughtless ‘accept’.
Business Leaders: Be aware of this evolving space.
If you own or work for an organization that processes and stores identifying information about its customers – like a SaaS or Fintech company – you need to keep your finger on the pulse of this evolving space.
Regulatory bodies are taking a close interest, new standards are being developed, and new parties are throwing their hats into the ring. These could streamline things (like open banking), or limit the ability to integrate with stakeholders and restrict who sees and shares data securely.
On the regulatory side, governments and leaders are responding with more regulations, particularly in Europe and Canada. The impacts may go beyond what data is permitted to be collected and how. For example, incumbent players in the financial industry (banks) have been forced to share client information with FinTech companies because the data belonged to the clients, not them.
New standards are being created by big players or industry groups. If your organization doesn’t align with them, you might be shut out of key functionality or face delays while you catch up.
The development of new standards may also come with new opportunities. DIACC is looking for stakeholder input, giving business leaders an opportunity to participate in decision making.
Understand your data and how you’re giving away control.
Like everything in life, compromise is required in this space. Many modern businesses need access to at least some personal data to function. On the other hand, organizations don’t need to have all your information by default – and they don’t need to be selling it off either.
What happens to someone’s data is something the individual should be able to control, and hopefully the ability to better control it is coming.
In the meantime, the best way to be in control is to just be aware of what data you’re giving to an organization, and what they do with it.
So let’s put away these tinfoil hats – they won’t help anyways!