While it may be nice that everyone at a favorite gathering place knows your name, this is certainly not the case with the Internet. Identity theft, fraud, confidence scams, ransomware and the many other activities of bad actors are predicated on knowing your name, your user IDs, your passwords, your credit card numbers, your social security numbers, your health records, and the list goes on and on… the attack surface is large and, for the most part, security sucks.
This sad state of affairs can be traced to a number of factors, but some of the biggest contributors, in my opinion, are:
- The movement of previously unconnected services to Internet delivery; examples include financial services and the vast troves of data held by credit agencies and others. There have been many breaches of these poorly thought-out connected services, resulting in billions of stolen records.
- The lack of a standard set of identity verification and authentication capabilities. Everyone believed 30 years ago that user IDs and passwords were a temporary measure, but they are still here. They are easily stolen and there is no single source of truth. In fact, the lack of a standard source of truth, and of rules around how identity information is stored and protected, has led to the average person having as many as 200 logins or more. Think of this as 200+ identity theft targets for each individual.
- Poor governance. It is clear that companies have not taken security seriously enough. IT and security are seen, for the most part, as an expense, not as a fundamental building block of the business. The result is that measures are taken after the horses have left the barn, so to speak. Of course, CEOs do sometimes lose their jobs when serious breaches occur, but by then YOUR data is already out there.
Despite all of this, and the billions in costs that we all bear for cybercrime, few of us are willing to give up the capabilities that the Internet has delivered. Internet shopping, banking, insurance and healthcare have become even more ingrained in our society due to the recent pandemic. In fact, it is hard to imagine how we would have navigated the last 3 years without the Internet.
The answer, my friend, is to fix what’s broken ☺
While it is possible to reduce the number of data lakes (targets) holding personal data, information will always need to be stored somewhere. Credit agencies and financial institutions cannot legally operate without the data, but they certainly can do a better job of protecting it. To begin with, the number of copies within an institution can be reduced to ONE. Verification of information for various transactions can be carried out over a zero-knowledge network. Transport can be encrypted and ephemeral in all cases.
Identity verification ultimately resides with the government: driver’s licenses, passports, state IDs, citizenship cards and national IDs are the ultimate source of truth. A zero-knowledge verification scheme that delivers attestations rather than PII is ultimately the right technology to enable peer-to-peer transactions with trusted identity, without sending PII to hundreds of enterprises. It can also be used to reliably enroll biometric authentication for future transactions. This identity verification must be mutual: it is not only individuals who need to verify their identity; enterprises must do so as well.
Governance means that, in an Internet world, visibility and oversight of identity data, technology and security need to rise to the board level. Ultimately business is about profit and loss, and the cost of not protecting information must be clear to the board. Privacy laws and identity protection liability will continue to be legislated. Laws like GDPR in Europe, CCPA in California, LGPD in Brazil, POPI in South Africa, APPI in Japan, the Privacy Act in Canada and many, many others have enacted tangible penalties for privacy failures. The boards of companies holding PII (which is almost every big company) need knowledgeable representation that can guide them to make good decisions around security and, by inference, the management of PII.
The rise of cybercrime is not abating; it has become too lucrative for bad actors. It is a war, and only by changing the fundamental approach and technology can progress be made.
Web 3.0 is built on 3 fundamental pillars: peer-to-peer technology, recently given new life through technologies like blockchain; decentralization of data, which fundamentally means fewer data lakes; and verified identity, which means being able to verify identity and sensitive information without building more data lakes. If successful, with Web 3.0 only those who need to know your name will know it.