For as long as I can remember, data security has been framed around the acronym “C.I.A.” for confidentiality, integrity and availability.
In responding to the recent Optus hack, most commentators are focusing on stronger preventative security measures, which is fine, but when passports and driver licences are like identity currency, confidentiality is futile.
When dealing with identifying data, the most important property is originality. If for example you’re a merchant accepting a credit card, or a bank doing a KYC check on an applicant, you need to know that the data being presented is original (not copied from a stolen database and replayed by an imposter) and the presentation too is also original (under the control of the individual concerned).
The originality of data can seem a lost concept in the digital world, because copied ones and zeroes are indistinguishable on their face from originals) but it really isn’t rocket science. Industry solved for originality years ago. The classic examples are SIMs in mobile phones and EMV cards in card-present payments. The long-time standard has been public key cryptography and digital signatures. A static signature on a digital credential proves where it originated (be it a telco for a mobile phone account, or an issuing bank for a credit card) and another dynamic signature on each fresh presentation of the credential proves that the true holder was in charge (making a call or making a payment). This pattern has recently come to be known as a verifiable credential.
So it’s time we refresh the C.I.A. and add O for originality.