De­moc­ra­tiz­ing ID af­ter the Equifax Breach

In the wake of the Equifax data breach, it’s clear that So­cial Se­cu­rity num­bers are out­dated in the dig­i­tal age. Can blockchain do bet­ter?

ISO & Agent - - INSIDE 11/12.2017 - BY JOHN ADAMS

The So­cial Se­cu­rity num­ber isn’t as se­cure as it used to be (was it ever?) — but new tech­nol­ogy could take its place. What role does blockchain, the dis­trib­uted ledger tech­nol­ogy be­hind bit­coin, have to play?

Se­cu­rity pro­fes­sion­als have long ar­gued against the use of static iden­ti­fiers like pass­words and So­cial Se­cu­rity num­bers, while con­sumers have long ques­tioned why a hand­ful of bu­reaus can claim to be the ul­ti­mate judges of their iden­ti­ties.

While the Equifax data breach will rein­vig­o­rate the dis­cus­sion about iden­tity, the re­al­ity is the sys­tem is as vul­ner­a­ble as ever, par­tic­u­larly in the health care in­dus­try, ac­cord­ing to Julie Con­roy, a re­search di­rec­tor at Aite Group.

“This breach will un­ques­tion­ably add fuel to that fire,” Con­roy said. “In the highly reg­u­lated spa­ces that rely on [per­son­ally iden­ti­fi­able in­for­ma­tion] it’s dif­fi­cult to make fun­da­men­tal changes overnight, par­tic­u­larly when reg­u­la­tion man­dates the ver­i­fi­ca­tion of the tra­di­tional data el­e­ments.”

It’s pos­si­ble that the com­pro­mised data was not only ac­cessed but poi­soned with fake iden­ti­ties and mal­ware. Even if this sys­tem can be fixed, con­sumers may be will­ing to help build some­thing that’s more ap­pro­pri­ate to the mod­ern age.

“The Equifax hack shows that uni­ver­sal iden­ti­fiers like So­cial Se­cu­rity num­bers are 20th- cen­tury so­lu­tions that were de­signed for the age of pa­per,” said Phil Wind­ley, chair­man of the Sovrin Foun­da­tion and a pro­fes­sor at Brigham Young Univer­sity. “They’re de­signed for in­dus­tri­al­ized na­tion states with large bu­reau­cra­cies. Uni­ver­sal identi- fiers aren’t good in a dig­i­tal age. In fact they’re dan­ger­ous.”

Sovrin is a non­profit es­tab­lished to gov­ern a self-sov­er­eign iden­tity network. It uses dis­trib­uted ledger tech­nol­ogy pow­ered by Plenum and Evernym to man­age a global group of in­ter­con­nected nodes, which it hopes will even­tu­ally be run by public and pri­vate sec­tor or­ga­ni­za­tions.

The con­cept is to de­cen­tral­ize con­trol over ID at­tributes, mov­ing them away from a large lo­ca­tion where the data is a sin­gle tar­get for crooks. To form a Sovrin iden­tity, or­ga­ni­za­tions or peo­ple move into the network by what it calls a “trust an­chor,” such as a bank, iden­tity provider or other pre­ex­ist­ing re­la­tion- ship. Once an ini­tial Sovrin iden­tity record is es­tab­lished, the ID owner can add items that only the owner can see, man­age and share.

“If you put each per­son in charge of their own iden­tity, it’s as hard or harder to hack a sin­gle iden­tity as it is to hack 143 mil­lion,” Wind­ley said.

He likened the con­cept to a bartender check­ing a pa­tron’s driver’s li­cense be­fore serv­ing a drink. The bartender can see only the in­for­ma­tion printed on the li­cense, and this is suf­fi­cient to pro­vide proof of age. The li­cense doesn’t give the bartender ac­cess to the DMV’S en­tire data­base, so driv­ing records and other mo­torists aren’t at risk of ex­po­sure.

Sim­i­larly, a Sovrin iden­tity owner gives only ba­sic in­for­ma­tion such as date of birth to an­other Sovrin par­tic­i­pant, the “re­ly­ing party,” which can check that record on the blockchain and cre­ate a con­sent record. That record is largely un­us­able in an­other con­text. All ID in­for­ma­tion is sep­a­rated into at­tributes, such as birth date, name, street or fre­quent-flier num­bers.

Sovrin is not a di­rect re­sponse to the Equifax breach, but the na­ture of the breach should spur peo­ple to find ways to make iden­tity more dy­namic and less fi­nan­cially at­trac­tive to sabo­teurs, Wind­ley said.

“The data that’s ex­posed in these breaches isn’t that valu­able by it­self,” he said. “No­body goes to a large amount of ef­fort to steal one per­son’s iden­tity. But 143 mil­lion? That’s an­other mat­ter.”

This iden­tity ini­tia­tive will need will­ing par­tic­i­pants to be suc­cess­ful. The state of Illi­nois is among Sovrin and Evernym’s early adopters, us­ing the iden­tity to dig­i­tize birth cer­tifi­cates in a re­cently an­nounced pi­lot. The state hopes the dig­i­tized birth cer­tifi­cates can be the ba­sis for a broader set of iden­tity tools that grow with the in­di­vid­ual, and can be ac­cessed only from a dis­trib­uted ledger with the per­son’s (or par­ent’s) con­sent.

At­tempts to move be­yond static ID to ac­com­mo­date dig­i­tal trans­ac­tions aren’t new. And there are other com­pa­nies, such as Civic, that are try­ing to cre­ate a network of par­tic­i­pat­ing com­pa­nies in a dig­i­tal ID pro­tec­tion scheme.

The fright­en­ing scope of the Equifax breach should give the de­cen­tral­ized ID move­ment a shot in the arm, but it re­mains to be seen if the ef­fects will be long-last­ing, ac­cord­ing to Al Pas­cual, a se­nior vice pres­i­dent and re­search di­rec­tor at Javelin Strat­egy & Re­search.

“Re­ly­ing on an amal­gam of per­son­ally iden­ti­fi­able in­for­ma­tion has be­come such a ubiq­ui­tous ap­proach to es­tab­lish­ing iden­tity, from the small­est busi­nesses through the largest or­ga­ni­za­tions … that it will take more than just one head­line-grab­bing event to cre­ate solid mo­men­tum,” Pas­cual said.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.