Most of us probably don’t think of buying a bottle of wine as a security risk. However, we inadvertently give away our address, surname, nationality and signature – unnecessarily – every time we buy alcohol. In proving our age, which only requires our date of birth and photograph, we give away lots more personal information than we need to.
Digital identity adoption
In the online world, we see the same pattern. In 2020, 75% of large companies in the UK reported a data breach in the last 12 months – and the numbers show no signs of slowing down. As a direct consequence of this, identity fraud is rising, even more so since the COVID-19 pandemic took hold, buoyed by the sheer volume of personal information out there.
While this example is by no means a prominent threat of identity fraud, it begs the question: in a world of constant data breaches and rising fraud, why aren’t we being more careful?
With so much data available on all of us, it’s no wonder that people are hesitant to adopt digital identities. It would be much easier to simply flash a digital ID when buying alcohol or onboarding at a new job. What’s not so easy is willingly handing over a potential minefield of data time and time again.
However, digital identities could actually be a way of withholding unnecessary data and protecting ourselves from fraud, not opening ourselves up to it. The UK government recognizes this as a priority, recently publishing a draft framework outlining its future governance of digital identities. To get it right, consumers need to trust that their data is safe and secure. This all comes down to how we build these digital identities, and who looks after them.
Putting privacy first
Firstly, the story around digital identities needs to change. What they won’t be is a one-stop-shop to access every piece of personal information about you at the touch of a button, shareable and stealable. What digital identities could be, if we put data privacy at their core, is selective. We have the opportunity to create a technology, which means people only need to share the specific data they need at any one time, withholding as much data as they can to get the job done.
This doesn’t seem too big of an ask, either. Mastercard recently partnered with Deakin University and Australia Post to test out a digital ID solution enabling students to register for their exams digitally. This removed the need for tiresome paperwork and trips to campus, but also reduced the amount of data shared about each student. Students created a digital identity with Australia Post, using this to gain access to their university exam portal. With each registration, only specific personal information was required to allow students’ entry to the exam portal – nothing was shared than didn’t need to be.
Now imagine this in our banks, shops, and workplaces. Rather than revealing most of your ‘identity’ with every purchase of alcohol, you only show your ID documents when you first create the identity – to verify that you are who you say you are. Then, each time it’s needed, your digital identity only reveals what needs to be revealed at that time and keeps the rest of your data safely hidden.
Who can we trust?
While putting data privacy at the core of digital identities is critical, it’s not the only step to take to increase trust. Often, who is holding your data is just as worrying as what data they have to hold.
For example, a digital identity card trial in Taiwan was recently delayed indefinitely until stronger privacy regulations are introduced. The digital ID system would have brought their physical identity cards together with a citizen digital certificate, and their health and driving license data. As the plans were made, citizens raised privacy safeguarding concerns, questioning how their personal data could be protected from potential cyber-attacks.
The issue here isn’t the mechanics, or whether or not digital IDs are the right move – it’s simply about ensuring there is enough trust in those who hold the data. In this case, regulation will likely be the answer or allow individuals to hold their own data on their own device like they do a physical document.
Establishing trust with the organizations who will collect our personal data is key. Regulation is one thing, but perception is another. Of all the sectors who have their hat in the ring to create and own digital identities, many are already under intense scrutiny when it comes to data. Big tech firms have a poor track record of putting user privacy first (two words: Cambridge Analytica), and governments too have come under fire for data privacy issues – most recently in Denmark, which exposed tax ID numbers for millions of citizens. That’s why many industry insiders are betting on third parties, like established payments providers or even new entrants to the market such as the Post Office, to win the trust of weary consumers.
Whoever emerges the victor in the race to create digital identities needs to remember one thing: being transparent with data collection and privacy will be critical to getting people onboard.
The future is secure
While we won’t be waving goodbye to our physical ID documents anytime soon, adopting digital identities seems to be looming on the horizon. Beyond simply creating digital identities that are selective in the information they share, it is also entirely possible to have our identities verified one day with our irises or fingerprints alone.
Digital IDs not only promise us fast and seamless user experiences, regulatory compliance, and an easier way to do business – they’ll also offer us privacy and protection that we can’t get from an identity system stymied by rising data breaches. To make this a reality, the rollout must put trust first from the very start. Ultimately, digital identities will only work if we get enough consumers on board. For this, trust will be non-negotiable.