Cybersecurity Awareness Month: The Dark Side of Centralized Personal Identification Data
Posted by: Tristan Morris
Guest Blogger: Branden Williams | VP, IAM Strategy | Ping Identity
This Cybersecurity Awareness Month, join GuidePoint Security for A Voyage Beyond the Horizon, a speculative exploration of possible scenarios that could be brought about if current technologies and security issues aren’t addressed. While the following short story may be far-fetched and unlikely, it’s inspired by our conversation with Branden Williams and the issues he believes are important to address in the next one to five years.
Henry flicked through the options again, hoping that maybe in the past five minutes the prices for a ride across town had gone down. They hadn’t, and it looked like the prices would keep going up. Not all the prices, of course, just the prices for the higher tier, ad-free rides. The ad-subsidized rides were at least mostly affordable, but the experience was a nightmare. He’d never taken one that didn’t have him wanting to jump out and walk halfway through, and he would follow through on that urge if the experience of walking weren’t also a cacophony of lights and sounds trying to target his personal advertising profile.
Apparently in his grandparents’ time there was a fear things could get this way, but by the time any politician started to care, it was too big of an industry for them to rein in. Just a few short decades later and you couldn’t go for a walk without getting an ad talking about how the meal you ate last night didn’t meet your recommended health metrics.
Henry begrudgingly selected a subsidized ride and skipped through the terms of use agreement. They already had all his information anyway; why bother caring now? As the car pulled up, he was immediately greeted with a customized script. “Hey Henry, are you sure those are the shoes you want to wear for your big date? It’s been almost a year since you bought a new pair, and they’re probably looking a little beat up. Shop the available selection of new kicks on the embedded screen, and they’ll be waiting for you at your destination. Use code ‘HENRYSNEWSHOES10’ for 10% off if you order by the midway point of your ride!”
He touched the “No thanks” button on the screen. It would just queue up another ad to listen to, but he barely had money to cover tonight’s date, let alone a new pair of shoes. The next ad started almost immediately.
“With CashFriend’s new line of credit, you can shop for anything you need and use our friendly buy-now, pay-later terms! When things get a little tight, CashFriend is here to get you through. Apply now and be approved immediately so you can start shopping right from your ride! Use code ‘HENRYSDATE’ for a special introductory rate of just 47%!”
His fingers found the “No thanks” button through muscle memory. Another ad.
“Are you struggling to shed those last few, stubborn pounds? Don’t lie, the weight sensors in your seat have already told us the truth! Here at Shred House, we guarantee that you’ll get the lean, fit figure you’ve been dreaming about in just 3 months, or you’ll get half your money back! That’s the Shred House guaran…”
Henry paid the $1.50 fee for ending the ad early. He spent the remaining 23 minutes of his ride tapping “No thanks” over, and over, and over. Finally, the car pulled up outside the restaurant. He sighed with relief as he got out, thankful to at least be in the open air again. He pulled out his phone and watched the mandatory unlock ad so he could text his date, but it looked like they had already texted him.
“Hey, I won’t be able to make it tonight. You seem great but I decided I’m just not interested in dating right now. Sorry!”
He sighed and called another ride. As he opened the door, the ads started.
“Stood up by another date? Try the new and improved-”
He shut the door. “I’ll walk.”
Citizens of the digital age benefit from the interconnectedness of society to deliver instant gratification, speed, and simplicity. What used to take days or even weeks now can be delivered in near-real time for physical goods, and streamed immediately to wherever you are for digital goods.
While the instantaneous nature of today’s society can be quite satisfying and efficient, the reality is that we have freely given up our information to enable this digital magic. With all that personal information residing in large centralized data stores, we also wait to see who will be the victim of the next data breach, and how it will affect us. This awareness of information being consciously shared, or the nagging sense of our lives being aggregated behind the scenes, guides how we choose to interact with our digital world.
Either we stay conscious of it and act accordingly, or we throw caution to the wind and let our future selves deal with the headache.
And from a company’s perspective, centralized identity data stores can be a nightmare for a few reasons. First, customers are already wary of giving away their data. A company that asks for too much information is already eroding customers’ perception of its brand. And once that information is obtained, a company holding massive amounts of customer data is also taking on a massive amount of liability. In the event of a breach, a company storing all that data may be opening itself up to legal ramifications if that customer data was improperly secured and accessed.
But what if it didn’t have to be that way?
What if we could interact with digital or physical providers differently? Our providers need to understand things about the person or entity interacting with them. Absent this ability, business doesn’t get done. But they don’t necessarily need to know all of the details; they simply need to know that one or two key details are accurate and can be relied upon for the interaction.
Enter decentralized identity.
As the name implies, identity information is not stored in a large centralized database owned by an organization or entity; instead, it is owned by the individual. Decentralized identity puts control in the individual’s hands when it comes to sharing identity data. We can now present providers with cryptographically signed digital credentials, authenticated with a live selfie, that optionally include contact information, details about your customer/provider relationship (think loyalty programs), and any other attribute you deem useful for the interaction. The provider does not need to store any sensitive information or reach back to a service to confirm the authenticity, provenance, or validity of the details transmitted. It’s all there, local, decentralized, and secure.
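As an added illustration (not code from this post, Ping Identity, or GuidePoint), here is a minimal Go sketch of the flow just described: an issuer signs a credential once, the holder opens only the attributes a provider needs, and the provider verifies locally with the issuer’s public key, with no callback and nothing sensitive to store. The attribute names, the salted-digest layout, and the function names are assumptions; it uses Go’s standard Ed25519 and omits the live-selfie binding and any revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)
// Credential: attributes with blinding salts, the sorted digests of every attribute,
// and the issuer's signature over that digest list. The holder keeps the full set;
// a provider receives a copy holding only the attributes opened to it.
type Credential struct{ Attrs, Salts map[string]string; Digests []string; Sig []byte }

// digest binds name, value and salt, so an unopened digest reveals nothing.
func digest(name, value, salt string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(name+"\x00"+value+"\x00"+salt)))
}
// Issue signs the digest list once; the issuer is never contacted again.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) Credential {
	salts, ds := map[string]string{}, []string{}
	for n, v := range attrs {
		b := make([]byte, 16)
		rand.Read(b) // crypto/rand; a failure here is unrecoverable anyway
		salts[n] = fmt.Sprintf("%x", b)
		ds = append(ds, digest(n, v, salts[n]))
	}
	sort.Strings(ds) // canonical order makes the signed message deterministic
	return Credential{attrs, salts, ds, ed25519.Sign(priv, []byte(strings.Join(ds, "\n")))}
}

// Present copies only the named attributes and their salts; the digest list and
// signature travel unchanged, so nothing else about the holder is exposed.
func Present(c Credential, names ...string) Credential {
	p := Credential{map[string]string{}, map[string]string{}, c.Digests, c.Sig}
	for _, n := range names {
		p.Attrs[n], p.Salts[n] = c.Attrs[n], c.Salts[n]
	}
	return p
}

// Verify needs only the issuer's public key: every opened value must match a
// signed digest and the signature must hold. No lookup service is involved.
func Verify(pub ed25519.PublicKey, p Credential) bool {
	for n, v := range p.Attrs {
		d := digest(n, v, p.Salts[n])
		if i := sort.SearchStrings(p.Digests, d); i == len(p.Digests) || p.Digests[i] != d {
			return false
		}
	}
	return ed25519.Verify(pub, []byte(strings.Join(p.Digests, "\n")), p.Sig)
}
```

The provider ends up holding only the opened attribute and a signature it checked itself; the undisclosed digests are salted, so they reveal nothing about the rest of the credential.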
If the idea of decentralized identity and how your organization could implement it interests you, reach out to GuidePoint Security to start the conversation.
About the Guest Blogger
Dr. Branden R. Williams has nearly twenty-five years of experience in business, technology, and cybersecurity as a consultant, strategist, and executive. Dr. Williams has experience working for the largest and smallest institutions as an entrepreneur, practitioner, and advisor. His specialty is navigating complex landscapes—be it compliance, security, technology, or business—and finding innovative solutions that promote growth while reducing risk. He is a practitioner and advisor in the operation, engineering, and management of IT and IS tools. He’s held several executive roles in the industry, and served on both the PCICo and EMVCo boards. He is an author of several books on PCI Compliance, and his blog and other publications can be found at his website.
Tristan Morris
Cybersecurity Solutions Marketer,
GuidePoint Security
Tristan Morris started his cybersecurity career in 2010 as a cryptologic linguist in the US Marine Corps, where he learned the fundamentals of security and threat hunting. At the end of his enlistment in 2015 he began using his skills, knowledge, and perspective to build training and education labs and CTF events by re-creating advanced attack lifecycles to construct realistic datasets for lab attendees to hone their skills. He has spoken at large security conferences and events from Black Hat to Singapore International Cyber Week.