I’ve been reading Who Owns the Future by Jaron Lanier. It’s a good book, and you should probably read it. It’s particularly important if you’re a person who participates in the economy – which is most of us.
Among the good points he makes is the importance of our online identity and how it must persist – stable and reliable – for many, many years. This should be on your mind because of the Equifax data breach. Critical identifying data on nearly 200 million people was apparently stolen, including social security numbers, birthdates, addresses, and so on. Basically, all the stuff that I talked about in my post about zero knowledge proofs is now known to be out in the wild.
I reacted by putting a “credit lock” on my information with all four major credit reporting agencies. You should probably do that too. It took about an hour, all online (I made zero phone calls), and cost less than $50 in total. Frankly, I’m horrified and disappointed. These companies make a living accumulating data about me, and I have to pay what amounts to protection money to get them to even pause selling it.
I have the option of paying protection money on my credit rating because the major credit ratings agencies are federally regulated. There is no plausible way to opt out of their databases, but at least I can insist on a bit of a firewall.
Meditation: The data that Equifax lost is exactly and completely the data that those same credit agencies (along with every one of my credit card companies and banks) use to “verify” my identity in the event that I want to make changes – including unlocking that very same credit report. They did offer a personal identification number (PIN) with each lock. For accounts where the lock pre-dates the breach, my bet is that the PIN went into the wild along with the other information.
I was, at least, able to register a mobile number and email address with one of the services – Transunion – so that I’ll get word when changes happen. If I were a bad actor, that’s the first thing that I would disable. Hopefully I will also get notification from my bank if someone calls up and asks to transfer my retirement accounts to some other institution. My experience with a recent rollover transaction suggests that I can do the whole thing with one phone call, with no second factor required.
Conveniently, the data that a bank might check on a drivers license is also among the data that was leaked. Fortunately, they don’t need a picture of me for the fake ID – they can use their own picture for that part.
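The point in the last three paragraphs is structural: a verification policy is only as strong as the factors the attacker does not already hold, and a “second factor” that can itself be re-registered with the leaked data collapses back into a first factor. The following is an added illustration, not code from the post, that models that reasoning: a small policy evaluator with a constructed set of leaked attributes (mirroring the kinds named above) and three hypothetical verification policies. The factor and policy names are assumptions made for the example.

```python
"""Constructed model (not from the post) of identity-verification policies
after a breach: which policies still require something the attacker lacks?"""
from dataclasses import dataclass, field

# Factor kinds: what you KNOW (knowledge-based answers) vs what you HAVE.
KNOWLEDGE, POSSESSION = "knowledge", "possession"


@dataclass(frozen=True)
class Factor:
    name: str
    kind: str


@dataclass
class Policy:
    name: str
    required: list                     # every factor must be satisfied
    # Possession factors the account holder can re-register using only
    # knowledge factors (e.g. a contact phone you can change over the phone
    # after answering SSN/birthdate questions). Assumed names for the example.
    kba_changeable: set = field(default_factory=set)


# Constructed attribute set mirroring the categories the post says leaked.
LEAKED = {"ssn", "birthdate", "address", "drivers_license", "lock_pin"}


def compromised_factors(policy, leaked):
    """Names of required factors an attacker can satisfy with leaked data alone."""
    got = {f.name for f in policy.required
           if f.kind == KNOWLEDGE and f.name in leaked}
    # If every knowledge factor is compromised, any possession factor that
    # can be re-registered via knowledge factors is effectively compromised
    # too: the attacker changes it first, then passes the check.
    kba_names = {f.name for f in policy.required if f.kind == KNOWLEDGE}
    if kba_names and kba_names <= got:
        got |= {f.name for f in policy.required
                if f.kind == POSSESSION and f.name in policy.kba_changeable}
    return got


def residual_factors(policy, leaked):
    """Required factors the attacker still cannot satisfy (sorted names)."""
    got = compromised_factors(policy, leaked)
    return sorted(f.name for f in policy.required if f.name not in got)


def policy_holds(policy, leaked):
    """True if at least one required factor survives the breach."""
    return len(residual_factors(policy, leaked)) > 0


SSN = Factor("ssn", KNOWLEDGE)
DOB = Factor("birthdate", KNOWLEDGE)
ADDR = Factor("address", KNOWLEDGE)
PIN = Factor("lock_pin", KNOWLEDGE)
PHONE = Factor("phone", POSSESSION)

# Knowledge-only verification: everything it asks for is in the dump.
KBA_ONLY = Policy("kba-only", [SSN, DOB, ADDR, PIN])
# Adds a registered phone, but the phone can be changed after passing KBA.
KBA_PLUS_RESETTABLE_PHONE = Policy("kba+resettable-phone",
                                   [SSN, DOB, ADDR, PHONE],
                                   kba_changeable={"phone"})
# Same phone factor, but changing it requires the existing phone.
KBA_PLUS_BOUND_PHONE = Policy("kba+bound-phone", [SSN, DOB, ADDR, PHONE])


if __name__ == "__main__":
    for p in (KBA_ONLY, KBA_PLUS_RESETTABLE_PHONE, KBA_PLUS_BOUND_PHONE):
        status = "holds" if policy_holds(p, LEAKED) else "FAILS"
        print(f"{p.name:24s} {status:6s} residual={residual_factors(p, LEAKED)}")
```

Run as a script it prints one line per policy; only the policy whose possession factor cannot be re-registered with knowledge answers keeps a residual factor after the breach. The model deliberately treats “can this factor be reset using the others?” as part of the policy, because that dependency, not the raw factor count, is what decides whether the second factor is worth anything once the first has leaked.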
We need something better.
Unfortunately, one major alternative on offer is going to turn out very, very badly.
That alternative, of course, is to let Google or Facebook handle identity for us. It’s already an option on many websites. The link to “sign up with a different email” is getting smaller and smaller on the signup pages. Google and Facebook provide, effectively, a Single Sign On service at no direct cost to the user.
One problem with this idea is that Google and Facebook will not remain in their current form for long enough to serve as a stable source of identity. At some point, they will change, be purchased, split up, merge, or something. Along the way, they will modify their business plans. At that point, any online services that rely on Google and Facebook for identity services stand to be disrupted.
If enough of our digital life relies on corporate credentials, we will wind up regulating them. That’s how the government got into the business of roads and electrical power. Even if it doesn’t rise to that level, we all stand to lose access to a lot of our online identity and social history when social media sites undergo change and growth.
If that’s uncomfortably complicated – just consider what will happen when Google exits the business of providing free email accounts. How will you recover a lost password on the various sites where you’re using that gmail.com address?
We are already in the bad place, and SSO makes getting there easier and the consequences far worse.
The other problem, of course, is that Google and Facebook, just like the credit reporting agencies, are not in the business of serving us as their customers. That’s why these identity services are provided at no direct cost to the user. Their primary product is information about us. They are, without putting too fine a point on it, gigantic, barely regulated, commercial spy operations. As we move from email to SSO, we move from less to more tracking – which amounts to still more data about me, all in one place, which will eventually be compromised.
The incentives and trends do not point in the right directions.
A better solution, in my opinion, would be a very lightweight bit of regulation coupled with identity solutions whose incentives are aligned with human interests rather than corporate ones. Technologies like blockchain will almost certainly play a part in this, though the simplistic solutions being floated now are premature. This should be a long, thoughtful social conversation about identity and privacy in the digital age. Anyone who tells you that they’ve already got all the answers is (a) wrong and (b) trying to make a quick buck.
Speaking of making a quick buck, we should revoke Equifax’s corporate charter and hold their business and technology leadership personally accountable for this mess. There is redundancy in the credit ratings system – I’m paying protection money to three -other- firms to moderate the amount of my data that they sell. Equifax did lasting damage to nearly 200 million of us, and they need to be made to close up shop.
I don’t know if this is a foolish thing to say, but why isn’t there a national 2 factor (or ideally 2+) authentication system of some sort for protecting financially-sensitive personally identifiable information? Such a solution could involve cell phones and geolocation in an example use case (e.g. are you verifiably at the store where the account is being opened, or are you at your home location when applying for the loan online). I wonder if this could help solve problems in addition to perhaps renovating SSN as a misused/overused identifier with something new in parallel. That is analog tech in a digital world if ever there was one.
Estonia has a solution similar to what you describe. From what I hear, it works really well. Of course, their history makes centralized government services more politically practical than ours (regardless of the merits).
One apolitical counterargument to a centralized national registry is that it just moves the problem around. While I think that the government is more likely to be accountable to the citizens over the long haul – we’re all aware of the challenges of money, corporations, and political speech in this country.
The idea that I’m liking at the moment (and it has its own flaws) would be to regulate identity services. We would have to spend a bunch of time and effort around the definitions, of course. We might insist that a regulated identity service make use of measures like you suggest: multiple factor authentication, granular authorization, separation of data into portions that reduce the “all-or-nothing” risk of loss, and so on. We might also insist on annual security audits with the results posted – like they have at every restaurant and gas station in the damn country.
I’m particularly interested in a regulation that says that if you hold the keys, you cannot profit from or resell the activity data. That would help to steer the service provider’s interests back into alignment with human beings – since we would be their customer rather than their product.