Mastercard launches distributed self-sovereign digital identity trial in Australia
The problems with personal data are multi-faceted, but the solution boils down to giving control back to users.
Today Mastercard announced the first tests of a new digital service that has the potential to verify a person's identity instantly and securely, in both the digital and physical world. The tests are taking place in Australia, through two separate pilot programs with Australia Post and Deakin University.
The system uses a distributed model where personal data is stored on a user's mobile device, to be verified by third parties when needed.
For example, if a Deakin University student who doesn't look 18 wants to hit the bar, they can use their phone to present their digital identity at the door. This system essentially lets them call up a note from a reliable third party, such as the state motoring authority who issued the student's driver's licence, which says "yes, this person is over 18".
The actual trial, though, featured student volunteers testing the identity verification process for student registration and digital exams. The other separate partnership, with Australia Post, involves integrating its existing Digital ID solution.
In its Principles of Digital Identity paper released earlier this year, which serves as the foundation for this trial, Mastercard envisioned the system like this:
The user is the user. They hold their own personal data on their mobile device. The relying party is the entity who needs to verify the user's data.
Then we have the trust providers. These are the institutions with existing relationships with the customer, such as a bank, which plugs customers into the digital identity service and gives them the tools to manage their personal data. The identity verification provider is a third party who's called on when needed to verify the user's claims.
In the centre you have the digital identity service itself, which is the framework that all these other users tap into, and what Mastercard is aiming to build here.
Mastercard's envisioned solution may be an example of another intermediary step on the way to a more complete solution to the trainwreck that is personal data management in the digital world today.
Data all around and not a drop to drink
As the Internet evolved and we started spending more of our lives in cyberspace, by shopping, socialising, playing and doing business online, we also ended up scattering pieces of personal information and identity data all around the Internet.
This includes information on our spending habits, political affiliation, who we interact with and who our families are, information on health ailments, hobbies, ambitions, education, credit rating and everything else that defines us as a person.
This is already having significant impacts. From one angle, incidents such as the Cambridge Analytica scandal and the Facebook Brexit ad blitz, both of which may have changed the course of history, are a consequence of us scattering all this data across the Internet.
It was access to this data (and people's willingness to use it in flagrant violation of existing privacy laws and the basic principle of factual accuracy) that allowed the creation of hyper-targeted political advertising campaigns on an enormous scale. There are fine lines between effective political advertising, spreading fake information and literal mind control technology, and easy access to everyone's personal information is how you cross those lines.
Elsewhere, our habit of leaving bits of our identity everywhere we go in cyberspace is responsible for the constantly-growing problem of identity theft, the pain of which is compounded by the way it impacts victims' credit scores, even as the credit rating agencies themselves are harvesting and selling our data, which is directly contributing to the problems of identity theft.
It's quite ironic then, that even as we litter personal data everywhere we go, financial institutions are still having serious trouble accurately identifying people. An estimated one billion people are still unable to access basic services because, even as the whole Internet knows what they had for lunch, they don't have any kind of proof of identity.
The current system of managing personal data in the digital world is a disaster, and over the next few years we're about to pump an estimated 50 billion interconnected data-gathering IoT devices and sensors into this trainwreck of a paradigm.
Self-sovereign identity (SSI, or SSID) is a potential solution.
The basic principle of SSID is that an individual owns and has complete control over their personal identification data. When applied, this underlying principle can guide the creation of a system to help solve all these data problems.
Whether Mastercard's envisioned system qualifies as "self sovereign ID" is debatable, given the fuzziness around the exact definition of SSID, and the extent to which it depends on trust providers and other third parties. But it's clearly a step in that direction, in that it relies on users storing personal data themselves on their own devices, is designed to put users at the centre of their own data, and requires their explicit consent before that data is shared.
SSID solves the problems with data today by:
- Giving users more direct control over where their data is released. By actually putting control of personal data in the hands of users, it's possible to create abuse-resistant systems where a third party genuinely cannot access a user's data without their explicit consent.
- Giving users more granular control over data sharing. When we consent to share our data today, we're often consenting to allow a company to essentially take as much of our data as possible, to freely share with affiliates and sell to third parties. Self-sovereign identity is a framework for sharing only select and necessary nuggets of information rather than handing everything over.
- Reducing duplication of verification efforts. Today, different entities need to separately verify the same person's identity over and over again for themselves, which spreads information further and wastes a lot of effort. By giving users themselves a reliable way of proving their own identity, you can reduce wasted efforts.
All of these help limit the amount of data that gets spread around the Internet, which prevents the creation of data honeypots where detailed information on hundreds of millions of people can be stolen or released simultaneously.
For example, the Exactis marketing firm once put detailed information on 340 million people, including their name, phone number, age, children's names and ages and addresses, on a publicly-accessible cloud server.
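The "note from a reliable third party" in the over-18 example, and the granular sharing described in the list above, can be built from salted claim digests signed by the issuer. The Go code below is an added example, not Mastercard's design or code from the article; the issuer key, claim names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one claim plus the random salt that hides it inside its digest.
type Disclosure struct{ Salt, Name, Value string }

// Digest hashes the three fields; %q quoting keeps the field boundaries unambiguous.
func (d Disclosure) Digest() string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%q%q%q", d.Salt, d.Name, d.Value)))
	return hex.EncodeToString(h[:])
}

// Credential is all the issuer signs: salted digests, never the claim values.
type Credential struct{ Digests []string; Sig []byte }

// Issue salts and hashes each claim, signs the sorted digests, and returns the
// credential plus the disclosures the holder keeps on their own device.
func Issue(priv ed25519.PrivateKey, claims map[string]string) (Credential, map[string]Disclosure) {
	held, digests := map[string]Disclosure{}, []string{}
	for name, value := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // the salt stops guessing of low-entropy values such as "true"
		held[name] = Disclosure{hex.EncodeToString(salt), name, value}
		digests = append(digests, held[name].Digest())
	}
	sort.Strings(digests)
	return Credential{digests, ed25519.Sign(priv, []byte(strings.Join(digests, ",")))}, held
}

// Verify is the relying party's check on the single claim the holder discloses.
func Verify(pub ed25519.PublicKey, c Credential, d Disclosure, name, value string) bool {
	i := sort.SearchStrings(c.Digests, d.Digest())
	return d.Name == name && d.Value == value && i < len(c.Digests) && c.Digests[i] == d.Digest() &&
		ed25519.Verify(pub, []byte(strings.Join(c.Digests, ",")), c.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	cred, held := Issue(priv, map[string]string{"name": "Sample Student", "birth_date": "2001-01-01", "over_18": "true"})
	fmt.Println("over 18 accepted:", Verify(pub, cred, held["over_18"], "over_18", "true"))
}
```

The relying party sees only the over_18 disclosure and the opaque digests of the other claims. Nothing here binds the presentation to the holder's device, so a deployed design would also have the holder sign a fresh challenge from the relying party.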
While cynics will question Mastercard's motives as a commercial entity, and wonder whether it's genuinely invested in the idea of giving users back control of their own data, it's worth noting that Mastercard, as a card issuer, is also a victim of data breaches.
Target and TJ Maxx have previously been ordered to compensate Mastercard after leaking Mastercard customer data, and earlier this year one of Mastercard's third party affiliates ended up leaking a "large number" of Mastercard customer names, card numbers, email addresses, home addresses, phone numbers, genders and birth dates onto the Internet. Neither of these incidents was Mastercard's fault, but it was its customers who were affected.
Mastercard is probably just as sick of these kinds of incidents as everyone else.
There are many issues left to overcome though. Regulatory shifts may be required to prevent organisations from pushing the same "give us all your data" terms and conditions onto users. Stiffer requirements for holding user data, and harsher penalties for noncompliance, such as those imposed by Europe's GDPR, could further discourage the hoarding of user data.
A lack of standards and the need for interoperability are also major obstacles, but these are being overcome largely through the concerted efforts of organisations such as the Decentralised Identity Foundation, of which Mastercard is a member.
Disclosure: The author holds BNB, BTC at the time of writing.