Self-Sovereign Identity: Will your universal digital ID be secure in the quantum future?

Data today: The Wild West.

If you have digital tracks, the latest revelation of corporate data intrusion will leave you shaking in them.

According to a newly released Oxford University study, Android is a data monster with a voracious appetite for your data. The mobile operating system with 85 percent market share is harvesting and sharing data from 90 percent of the apps running on its OS. More disconcertingly, 43 percent of these apps transfer data to third parties, including Facebook and Twitter.

Such data intrusion is characteristic of the current age of data. Users have become used to seeing their data harvested by the giants of this world, be they companies or governments.

What will it take to re-instill public trust in Google and Android apps? Consider that the recent report of a data security flaw compelled Google to shut down the messaging app.

For a public weary of data misappropriation and hacking issues, nothing short of a paradigm shift in data security may do.

Change is coming: self-sovereignty.

The self-sovereign digital identity movement is already radically changing personal data management practices.

Blockchain digital identity applications are allowing consumers to regain control of their data, secure it, and monetize it. The ability to manage Personal Identification Information (PII) will be the primary driver of consumers migrating to blockchain applications to engage with financial services, travel services, gaming platforms and all other aspects of their digital lives in a single sign-on and secure data environment.

But whether you are a user of, or investor in, blockchain self-sovereign digital IDs, investing in the concept alone could be a money loser. The market is divided on which digital data security technology to employ and rapidly bifurcating like a Merkle tree into evolving technology camps.

Towards Full Identity Rights

Blockchain sovereign identity is the solution to corporate and government privacy violations.

Consumers not only control what data to hand over but also will be incentivized to share data.

All digital identity applications promise to provide various identity, credit, and related functions to allow you to move seamlessly through your digital life, including:

  • KYC on-boarding: asking users for their identification information one time only, and authentication of the information performed through biometrics and/or private/public keys
  • Credit report information and authorization: applying for credit cards or a trading margin account
  • Anonymous access to services without providing a username or password
  • Biometric authentication

In the first quarter of 2019, many individuals and businesses will start using self-sovereign identities.

Bermuda, for example, is preparing to give its citizens their full identity rights. Bermudan citizens can claim their digital identities with government-issued licenses, documents, and health care data embedded in them.

Also in the new year, Visa B2B Connect will allow financial institutions to process cross-border transactions with a token identifier. ShoCard’s digital identity system is being trialed in major airline, credit card, credit reporting, immigration, and financial services firms.

So how do you choose among the many self-sovereign digital ID applications? Security should be of foremost concern, and it remains a valid one: modern cryptographic systems are considered to be unbreakable, but blockchain and identity experts are poking holes in existing data security solutions.

Pseudonymization and security.

One of the major ways of guarding the safety of data is pseudonymization, the process of keeping data separate so that it cannot be linked to the user.

However, not everyone agrees on the best way to pseudonymize data.

Cryptographic Hashing vs Encryption Debate

Of all the technology debates centered around digital sovereign IDs (e.g., off chain vs on chain solutions, encryption technology), the industry has been particularly mobilized around a hashing versus encryption debate.

Hashing has long been used to prevent web tracking services from linking personally identifiable information across data sets while still allowing services like Google Analytics to aggregate anonymous data for analysis. A hash is considered to be correlatable to data, while a decentralized identifier can be separated from the data.

Cryptographic hashing is used by Civic, ShoCard, and Bitnation’s virtual jurisdiction, among others. The SHA256 hash turns data into a 64-digit hexadecimal signature. If one character is changed in the data, the signature changes.

The Civic Secure Identity Android app, for instance, collects your data, has it verified by a third party, turns it into a cryptographic hash and stores the hash on the blockchain. Civic then erases your personal data. Let’s say you then sign up to a new cryptocurrency trading or gaming platform. Civic sends your hash with your KYC validated information to the blockchain platform to verify you. Your personal data remains on your mobile device, and no third party ever needs to see it.

Decentralized Identifiers (DID) are self-sovereign digital identities controlled by the owner rather than a central authority. A DID record is a key-wise pair of cryptographically secure private and public keys. Pairwise identifiers create a unique identifier, or DID, for each relationship. Only you have access to the private key that could, for example, authorize access to health care data to your insurance company or KYC compliance with a cryptocurrency trading platform. DIDs are used by Yoti, lifeID and Bridge ID, among others.

Yoti, for instance, provides a similar pseudonymization service but instead of hashing your data, it scrambles it with 256-bit encryption. The consumer stores the private key on their phone, in the same way they would store the private key of their cryptocurrency wallet. Each piece of information is scrambled separately. If a data breach did occur at Yoti’s data center, thieves may obtain your driver’s license number but would not know to whom it belonged.

So what are the pros and cons of these different data pseudonymizing solutions, and which would be more likely to be broken by a brute force attack, in which an algorithm checks all possible password combinations until it cracks into your data?

Herein lies the crux of the debate that has identity and blockchain experts dividing into different camps. The big unknown is our quantum future. Is the reversibility of a hash function or private encryption code inevitable? And how soon will the supercomputers arrive?

Zero Trust, Biometrics and Other Defenses

The answer has huge implications for our data security.

In the revenge of data consumers, the same week the Android app study revealed that 88 percent of apps shared data with Alphabet-owned entities, Civic launched Civic Connect, an Android integration tool allowing developers to integrate the Civic app into 6,000 Android apps.

Only the user can provide access to personal data through biometric identification. But there are also high risks of having your entire digital life linked to one digital ID.

A study from the University of Hamburg(1) has concluded that even a consumer-grade computer could reveal the pseudonymized data of hashing functions.

The German hackers set out to hack phone numbers and email, IPv4 and MAC addresses in datasets of one million, and succeeded for each data type in less than one second. Google Android users must be quaking for their data security.

The DID camp has also come under fire. 256 bits can hold a lot of possible combinations of your private key but, crucially, those possibilities are finite. Yoti says a hacker would take one thousand years to break the code encrypting your data with its application. More specifically, the computing power to break AES 256-bit would require 40 supercomputers checking a billion AES keys per second, or 3×10^51 years to check all possible password combinations (Wikipedia “Brute Force Attack”).

The quantum computing camp argues the computing power to complete that encryption-busting task is a function of economics and could arrive much sooner than estimated. Others argue that such computational power can break your crypto wallet’s private key but will fail to break hashed PII that has been sufficiently “padded.” Padding the data with long random numbers, for example, would create many input values for one output value.

Let’s say an ambitious thief stumbled on technology to compress a millennium into a year of computational effort to solve for all possibilities. The victim is so rich it is worth the effort. But even then, the thief does not know which hashing string contains the real data.

For all the related theoretical number crunching, this does not mean that the hashing or encryption solutions are necessarily weak. New branches of the PII tree are sprouting with new adaptations of this technology aimed at increasing the costs and efforts of hackers.

Indeed, the German academic hackers call for more elaborate ways of pseudonymizing data to protect consumers.
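
An added example (not from the article or from any project it names) of the Hamburg finding and the padding argument above: when the input space is small, hashing every candidate maps stored digests back to their inputs, while a per-record random pad held by the data owner defeats that lookup. The prefix, phone numbers and function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed input space: 10,000 fictional numbers under a made-up prefix.
PREFIX = "+1555010"
CANDIDATES = [f"{PREFIX}{n:04d}" for n in range(10_000)]

def bare_hash(value: str) -> str:
    """Unpadded SHA-256, as in naive hash-based pseudonymization."""
    return hashlib.sha256(value.encode()).hexdigest()

def padded_hash(value: str, pad: bytes) -> str:
    """SHA-256 over a random pad plus the value; the pad stays with the owner."""
    return hashlib.sha256(pad + value.encode()).hexdigest()

def reidentify(stored_digests):
    """Audit: hash every candidate once, report digests that map back to an input."""
    lookup = {bare_hash(c): c for c in CANDIDATES}
    return {d: lookup[d] for d in stored_digests if d in lookup}

def verify(value: str, pad: bytes, digest: str) -> bool:
    """The owner, holding value and pad, can still prove the digest is theirs."""
    return secrets.compare_digest(padded_hash(value, pad), digest)

def demo():
    records = ["+15550100042", "+15550101337", "+15550109999"]  # constructed
    bare = [bare_hash(r) for r in records]
    pads = [secrets.token_bytes(16) for _ in records]  # 128-bit random pad each
    padded = [padded_hash(r, p) for r, p in zip(records, pads)]
    return {
        # Every bare digest is mapped back to its phone number.
        "bare_recovered": sorted(reidentify(bare).values()),
        # Without the pads, candidate hashing matches nothing.
        "padded_recovered": sorted(reidentify(padded).values()),
        "owner_can_verify": all(
            verify(r, p, d) for r, p, d in zip(records, pads, padded)
        ),
    }

if __name__ == "__main__":
    print(demo())
```

The protection comes entirely from the pad being long, random and unknown to whoever holds the digests; a pad stored next to the digest only slows the lookup by forcing one pass per record.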

Multiple fortifications are one solution. Let’s say someone connects your name and credit card information. On current Android apps, the thief could start shopping online with your credit line. Apps using Civic or ShoCard, however, would require biometric authentication to use the stolen numbers; a liveness test is also conducted.

DID users like Bridge ID are further future-proofing data by using zero trust proofs, which store data privately locally while allowing it to be trusted and authenticated globally.

Self-Sovereign Identity, yes, but not just now.

When choosing PII solutions, users of blockchain personal identification applications should evaluate not only how data is protected against breaks today, but also in our quantum future.

Additional work needs to be done in equipping PII with sufficient security guard mechanisms against threats for self-sovereign identity to become a reality we want to adopt.


Source: https://archive.fo/W24XB