Trust is a fundamental tenet of security. The faster it’s established, the faster someone is able to complete a transaction or action that they’re trying to do.
However, it is also easily damaged or broken. A spate of high-profile data breaches involving the personally-identifiable information of millions of Australians has led to some fundamental questions about how trust is established today and how that might differ tomorrow.
Today, people are often required to overshare their data in order to use a platform or service. That has led to an unnecessary amount of data – name, address, date of birth, credit card information and so on – being held across dozens or even hundreds of sites.
There’s an assumption by customers that their data will be well-protected. That isn’t unfounded, either: almost every organisation, when prompted, would say that it takes the collection and storage of customer data, and the privacy rights of customers, seriously. Not doing so could expose it to significant reputational damage and financial fallout, and put it in the crosshairs of regulators, where potential fines have increased in size by orders of magnitude.
In a 2019 study, we found 81 per cent of people would stop engaging with a brand online following a data breach, and 25 per cent would stop all interaction whatsoever. Customer acquisition prospects were also curbed, with only 14 per cent of respondents indicating they would readily sign up for and use an application/service following a breach.
Three years later, the only things that have changed are the number of data breach victims and a growing feeling of hopelessness. More than half of respondents said they are now more cautious about revealing information online as a result of being caught up in a breach. Concerningly, customers seemed resigned to being caught up in even more data breaches, with 77 per cent feeling they would never be fully in control of their personal information online.
Clearly, this level of defeat in customer sentiment is not good for any part of the online ecosystem.
This may be a reason why governments, including in Australia, have injected themselves more into the space from a policy and implementation standpoint.
In particular, Australian governments at both federal and state levels have expressed interest in finding better ways for customers to securely confirm their identity and establish trust with third parties, without needing to hand over large amounts of personal information every time.
A decentralised approach to proving identity
With customers demanding more privacy and the ability to maintain control over what they disclose about themselves and what that data is used for, businesses must still be assured that the human at the other end is who they say they are and that the information they are providing is valid.
Decentralised identity, also referred to as digital or mobile ID, is being touted as one way to achieve outcomes for all parties involved. At its core, decentralised identity minimises the need for service providers to store personal data or have a backend integration with issuers for the user to be able to engage with that service provider digitally.
Under this model, customers verify their identity once and receive a credential from an issuer that is cryptographically signed and verifiable. The verifiable credential is then added to the person’s digital wallet and can be shared with a business that requires the establishment of trust.
The individual is in complete control of what information gets shared. Businesses only ever see the credential – but not any of the identity documentation that sits behind it.
A range of use cases are already being discussed for what verifiable credentials could allow a person to do. For example, purchases of property, cars, or concert tickets may be made simpler. The credential could also be used to confirm memberships, such as citizenship, employment, or vacation club status, or to verify achievements like an educational diploma or certification.
What’s clear is that a decentralised identity approach reduces the need for service providers to collect and store sensitive, and often out-of-date, personally identifiable information (PII) for even the smallest of transactions. Instead, people can simply open their digital wallet and produce a QR code that can be scanned to authenticate or verify their identity, giving a business only the verified information it needs for the interaction.
For example, a patient visiting a general practitioner could provide their verified credentials via a scan of their phone immediately upon entering the surgery, which would eliminate additional time and backend infrastructure or manual methods typically required to verify Medicare and/or private health insurance coverage. Health service providers are regularly among the most breached entities, according to statistics released by the Office of the Australian Information Commissioner (OAIC).
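The issuer-signs, holder-presents, verifier-checks flow described above, worked through as an added example (not code from the original article or any named wallet product). It assumes the `cryptography` package for Ed25519 signatures and uses a salted-digest style of selective disclosure: the issuer signs only per-claim digests, so the wallet can reveal just the Medicare number from the GP scenario while the verifier still checks the issuer's signature offline, with no backend integration to the issuer.

```python
import hashlib
import json
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey


def _digest(salt: str, name: str, value) -> str:
    # Salted hash of one claim. The random salt stops a verifier from
    # brute-forcing undisclosed low-entropy claims such as a date of birth.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(issuer_key: Ed25519PrivateKey, claims: dict):
    """Issuer: sign only the salted digests of the claims, so the signature
    stays valid for whatever subset the holder later chooses to reveal."""
    disclosures = [(secrets.token_hex(16), name, value) for name, value in claims.items()]
    payload = {"iss": "constructed-issuer", "digests": sorted(_digest(*d) for d in disclosures)}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "sig": issuer_key.sign(body)}, disclosures


def present(credential, disclosures, reveal):
    """Holder (wallet): forward the signed body plus only the chosen claims."""
    return {"credential": credential, "disclosed": [d for d in disclosures if d[1] in reveal]}


def verify(presentation, issuer_pub: Ed25519PublicKey):
    """Verifier: check the issuer signature locally, then check that every
    disclosed claim hashes to a digest the issuer actually signed.
    Returns the disclosed claims, or None if anything fails."""
    cred = presentation["credential"]
    try:
        issuer_pub.verify(cred["sig"], cred["body"])
    except InvalidSignature:
        return None
    signed = set(json.loads(cred["body"])["digests"])
    revealed = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in signed:
            return None  # altered or fabricated claim
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    issuer = Ed25519PrivateKey.generate()
    # Constructed sample claims; the Medicare number is a placeholder.
    cred, discl = issue(issuer, {"name": "Sample Patient", "dob": "1990-01-01", "medicare_no": "0000 00000 0"})
    print(verify(present(cred, discl, {"medicare_no"}), issuer.public_key()))
```

The verifier only ever learns the claims the wallet chose to disclose, and a presentation carrying a modified value or a signature from a different issuer is rejected.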
In Australia, the real estate market is another sector that has come in for particular scrutiny lately over its personal data collection and handling practices. Again, these practices have increasingly been exposed by data breaches involving the loss of large amounts of PII. NSW is among the jurisdictions that have called for a “rethink” of data collection for real estate, and indeed for “any purpose”.
Decentralised identity promises to improve how users interact with businesses because it changes how the two build trusted relationships with each other. With the concept now gaining traction, it is time to convert interest in it into concrete action.