Stepping stones from Digital Identity to Data Protection

Image Copyright © Stephen Wilson, 2018.

Here, in Part 3 of my Rethinking Digital Identity series, I offer some vignettes which can take us to a comprehensive data protection infostructure.

To fix identity fraud, we don’t need new and unfamiliar “reusable digital identity”.

We should instead conserve the many official IDs now in widespread use but make the IDs more dependable online.

The critical weakness is plaintext.

The root cause of most if not all cyber crime is simple: IDs and personal data in plaintext form are easily stolen and co-opted by fraudsters. Digital systems cannot distinguish plaintext IDs presented by their legitimate holders from stolen data replayed by fraudsters.

This is exactly the same vulnerability that enabled magnetic stripe skimming and carding.

We have solved this problem before!

Magnetic stripe card fraud was wiped out by pivoting to chip cards with embedded cryptographic processors. Smart payment cards carry what are early forms of verifiable credentials: copies of card numbers digitally signed by the issuer to prevent counterfeiting or copying.

Further, smartcards provide verifiable presentation as well. Every payment transaction is signed in the chip by a unique key to render it tamper resistant and attributable to the cardholder.

We can make the same transition again—from plaintext to signed data—to protect IDs online. We can pivot from plaintext IDs to the verifiable presentation of certified data via mobile wallets.
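The credential-plus-presentation pattern described above, sketched in Go as an added example (not code from this post or from any card scheme or wallet). Ed25519, the type and function names, and the sample ID and challenge values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential binds an ID to the holder's wallet key under the issuer's signature.
type Credential struct {
	ID        string            // constructed sample value, not a real ID
	HolderKey ed25519.PublicKey // public half of the key kept in the wallet or chip
	IssuerSig []byte
}
// Presentation is the credential plus the holder's signature over a verifier challenge.
type Presentation struct {
	Cred      Credential
	HolderSig []byte
}

func credBytes(id string, holder ed25519.PublicKey) []byte {
	return append([]byte(id+"|"), holder...)
}
func Issue(issuer ed25519.PrivateKey, id string, holder ed25519.PublicKey) Credential {
	return Credential{ID: id, HolderKey: holder, IssuerSig: ed25519.Sign(issuer, credBytes(id, holder))}
}
func Present(holder ed25519.PrivateKey, c Credential, challenge []byte) Presentation {
	return Presentation{Cred: c, HolderSig: ed25519.Sign(holder, challenge)}
}

// Verify accepts only issuer-signed data presented by its holder key over this challenge.
func Verify(issuerPub ed25519.PublicKey, p Presentation, challenge []byte) bool {
	return len(p.Cred.HolderKey) == ed25519.PublicKeySize &&
		ed25519.Verify(issuerPub, credBytes(p.Cred.ID, p.Cred.HolderKey), p.Cred.IssuerSig) &&
		ed25519.Verify(p.Cred.HolderKey, challenge, p.HolderSig)
}

// Demo: is a genuine presentation accepted, a replayed one, one with an altered ID?
func Demo() (genuine, replayed, tampered bool) {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderKey, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(issuerKey, "LICENCE-0000-EXAMPLE", holderPub)
	// Constructed challenges; a verifier would draw a fresh random one per session.
	c1, c2 := []byte("constructed-nonce-1"), []byte("constructed-nonce-2")
	p := Present(holderKey, cred, c1)
	forged := p
	forged.Cred.ID = "LICENCE-9999-EXAMPLE"
	return Verify(issuerPub, p, c1), Verify(issuerPub, p, c2), Verify(issuerPub, forged, c1)
}
func main() { fmt.Println(Demo()) }
```

Unlike a plaintext ID, the captured presentation is useless in a later session, and the ID cannot be altered without the issuer's key.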

The importance of focus.

Verifiable credentials are a critical technology, but they can be difficult to adopt if they are specified too broadly, for example as “reusable identity”. The same problem hampered PKI in the 1990s when X.509 certificates were overloaded in an attempt to create ‘electronic passports’. PKI today is widely used for special-purpose credentials, e.g. for electricity grid devices, Consumer Data Right participants, COVID vaccination certificates and mobile driver licences.

Likewise, verifiable credentials will work best when narrowly specified. A verifiable credential should mean nothing more and nothing less than the fact that the Subject has satisfied the corresponding credentialing process.

Many consumers already use focused verifiable credentials every day.

Powerful digital wallets, suitable for verifying any certified customer data, are now widespread and used routinely. Close to fifty percent of all card payments in Australia today are made from digital wallets (Ref: Payments System Board 2024 Annual Report, RBA). Consumers are fast adopting the user experience of tap to pay and click to pay. The very same UX could protect the presentation of any ID or credential.

So let’s just add more of the familiar credentials to digital wallets.

We could quickly reach a point where any important facts—driver licence, age, trade qualifications, Medicare number, health ID, employment etc.—can be conveyed in verifiable credentials and presented online by simply clicking in a mobile wallet, with the same ease, speed and safety as digital credit cards.

Protecting the important qualities of data – whatever they may be.

Digital credentials boil down to data and metadata; that is, claims and proofs, or facts and evidence.

By reframing digital identity as “What You Really Need To Know?” and building infostructure to secure the story behind the data, enormous opportunities would open up in bigger, more urgent areas, including open data, the Internet of Things, supply chain integrity, digital safety and generative AI quality. Different credentials would be issued to respective digital Subjects, to assert and protect any qualities of interest. The Subjects of these focused VCs can be non-human; they can even be intangible, such as data itself.

This leads to a bigger vision of “data protection”. From one application to the next, different properties or qualities of data make that data valuable. Examples include originality, authorship, evidence, compliance and so on. Verifiable credentials can convey those sorts of qualities for a given signed piece of data, and protect them from fakery and tampering. That is, verifiable credentials can protect the intangible properties that make important data valuable.