Sunday, April 30, 2017

Who owns your identity?

Digital Identity Today is Broken — But We Can Fix It
In the cases where we do have relatively secure, integrated identities to which we attach lots of personal information, these identities are in reality owned by massive companies, like Google or Facebook, who can revoke our access at any time.
The information you give to Google or Facebook has value to them. How much value does it have to you? Probably substantially more; directly proportional to your usage of and dependence upon them. The trade is irrational on its face, and grows worse with every interaction. You may see an irony in the fact that this blog uses a Google platform. Let's just say I still find this specific trade to be slightly in my favor. I supply free content, Google supplies a channel for ideas I want to share in any case.

I wonder what it would take for people to analyze whether Google and Facebook represent a good trade in exchange for public revelation of their foibles and habits of daily living.

I used to give LinkedIn a partial pass because it had some utility to me and was easy to ignore. Then LinkedIn reminded me of my account by letting me know they were updating their terms of service. I'm retired: Reading the new terms was more effort than it would have been worth. I deleted my account. Not that that means they don’t still have my information. The value of that information will fade with time.

There are some startups who think a market will develop in retaking ownership of personal information. I wonder if most people can develop sufficient common sense and expertise to use these solutions. The signs are not encouraging.

While I would certainly consider the “solutions” mentioned in this article, there is the problem that protecting myself doesn’t free me from the systemic risks. Like vaccination, a significant majority have to participate for there to be herd immunity.

There is still the question of how secure your data would be in the hands of the companies mentioned at the link, of course, but the blockchain approach has promise.

That Averon has "done integrations with all the mobile phone networks in the US” and that the "whole verification process can be done automatically and instantly in the background, without any action required from the user” is not comforting, at least without much, much more information. I’d really prefer to have direct control and notification. While integrations with mobile phone networks may be convenient as a form of identity protection, they would appear to suck bigly.

I sure don’t trust Verizon - the company that secretly invented its own form of stealth cookies to track every user’s every interaction.

The number of counterparties involved in these schemes is frightening, and perhaps unknowable. Whether these startups have a real solution, whether they can be trusted with what could amount to handing over the keys to your identity, we can anticipate that some form(s) of better identity authentication are coming. Whether we can actually “fix it” remains to be seen. One test I would provisionally apply is whether the solution is open source. How proprietary code could satisfy the requirements is something I can’t figure out.

See also.

While it addresses broader topics, I'd recommend Vernor Vinge's Rainbows End as a very interesting read on future possibilities involving identity authentication.
