It’s no secret that COVID-19 has changed the very fabric of our world and how we live our daily lives.
For example, consumer online spending with US retailers increased 44% in 2020, compared to 2019, according to the latest Digital Commerce 360 analysis.
International tourist arrivals declined by 74% (roughly one billion fewer trips) in 2020, compared to the previous year, making it “the worst year in tourism history.” Plus, 29% of polled working professionals said they would quit their jobs if they couldn’t continue working remotely, as the world begins to reopen.
All of these changes will impact the way that business is done moving forward. They will push organizations to closely consider the vulnerabilities of their current online and on-premise privacy and data management policies and procedures.
The internet has always been susceptible to fraudulent activities. Think for a moment back to the iconic New Yorker cartoon, which first appeared in July 1993 when the internet was in its mainstream infancy.
The “On the Internet, nobody knows you’re a dog” pictorial demonstrates that from its initial inception, there have been myriad online opportunists leveraging the internet to misrepresent who they are.
While the pandemic has largely kept the world at home for almost a year now, online shopping and virtual banking transactions have skyrocketed, making the inherent vulnerability of the digital consumer much more obvious.
The “trusted triangle” concept
While the internet does not provide its own secure trust layer, there are still some solutions available to proactively protect one’s digital identity.
The idea of “identity” is based around the concept of a mutual, trusted relationship between parties through which each person has a basic understanding of who the other person is. One such solution involves using a “trusted triangle” process, similar to the way an e-commerce transaction is conducted.
When e-commerce transactions are conducted online (whether for retail, healthcare, travel, education, or entertainment purposes), a trust triangle is formed, with the issuer, the holder, and the verifier serving as the three corners.
All parties involved want to be certain that the individuals within the ecosystem have gone through a verification process. In retail transactions, for example, the verifier must confirm the cardholder, the validity of the card being used, and the legitimacy of the issuing organization before the retailer should accept the payment.
However, in these types of transactions, does the verifier or issuer really know that the cardholder is who they purport themselves to be? Or are they just someone with the right information at the time of the transaction?
Proving you are who you say you are
With verifiable credentials, individuals (the holders) use a digital wallet that can carry multiple types of verifiable identity credentials on a user-managed and controlled device or cloud-based platform.
Individuals are then able to securely store, control, and share their most valuable information through that self-sovereign wallet. This includes access credentials like passwords, proof of educational degrees, certificate completion, membership cards, government credentials, and healthcare credentials.
Within this digital ecosystem, verifiers — employers, schools, airlines, and others — will be able to request a verifiable, reputable presentation of credentials to determine acceptance. Thus, they will ensure that individuals are who they say they are and possess the necessary credentials to enter or participate.
I believe ownership, management, and control of one’s personal online identity is a basic human right. Just as a person has the right to control the use of their name and who has access to medical information, individuals should have the right to own and be the sole beneficiary of their valuable digital data.
If a digital wallet is controlled by the service provider who issued the wallet, then the user is neither sovereign nor completely private while making transactions.
Supporting privacy-focused regulations
We must continue to support regulation like GDPR in the EU, CCPA in California, PIPEDA in Canada, the Consumer Data Right (CDR) in Australia, and similar laws in other countries.
These privacy and security laws change the standard of access to someone’s personal information from entitlement to request. They also empower individuals to control what information they wish to exchange and expose, when they share it, how they want to share it, and with whom.
There are many areas of life in which individuals would greatly benefit from exerting keener control over their digital identities. The following are just three examples spanning retail, travel and daily life scenarios.
- First, within the world of retail — whether online or in person — the retailer generally assumes that the person holding the debit or credit card, signing the transaction record and/or entering a PIN is the holder of the account.
As a precautionary measure, the card issuer will then validate that the holder is within their spending limit before the transaction goes through. Still, there are many cases in which retailers mistakenly allow the use of a card by someone other than the rightful owner of the account.
These kinds of errors contribute to the $30 billion in fraudulent identity transactions per year globally, with more than $9 billion of that total occurring within North America each year.
Typically, the lion’s share of the losses incurred by this criminal activity is absorbed by the merchant, issuer, and payment processors, who then passively pass costs along to consumers in the form of late fees, higher interest rates, and annual fees.
If retail consumers take back control over their digital identities and the card companies more effectively support this process, the industry will likely be more efficient. Also, consumers may reap savings from these charges and better protection against this fraud.
- Second, as the public starts to resume travel by airplane to reach domestic and international destinations, it will likely become necessary to share vaccination records and COVID-19 negative test results to board those flights.
Individuals who can easily provide verified proof of vaccination will benefit by gaining greater freedom to return to some semblance of normalcy via travel, tourism, dining, live events, and more. But they should not trade their freedom of movement for loss of privacy/data governance.
By storing one’s records in a digital wallet that they own and manage, the individual will gain more control over who has access to their information, as well as what level of information is up for view.
While a person may be willing to share their vaccination status to board a flight, they might not want to share other private medical information.
With a self-sovereign digital wallet, the verifier must request access to certain information, and the holder controls which attributes or credentials are shared.
Airlines, airports, hospitality industries, international customs officials, and others who process the arrivals and departures of visitors will also be better assured that the identity credentials shared with them by individuals are verified, valid, and truthful.
- Third, the use cases of user-controlled digital credentials are nearly limitless. They can be used to access online sites, vehicles, and properties; to share proof of graduation from a university or group, voter registration information, insurance cards, and electronic medical records; and to prove age, among other things.
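The selective sharing described in the travel example above (the verifier requests, the holder decides which attributes to reveal), sketched as an added example that is not from the original article or from any wallet product. It uses salted hash commitments, with HMAC-SHA256 standing in for the issuer's asymmetric signature; all function names, keys and attribute values are constructed for illustration.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. HMAC stands in for the issuer's asymmetric signature
# (e.g. Ed25519); a real verifier would hold only the issuer's public key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # The per-attribute salt stops a verifier guessing hidden values by hashing candidates.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    payload = json.dumps(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: commit to every attribute and sign only the commitments."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    digests = [_digest(s, n, v) for n, (s, v) in disclosures.items()]
    credential = {"digests": sorted(digests), "sig": _sign(digests)}
    return credential, disclosures  # both are stored in the holder's wallet

def present(credential, disclosures, requested):
    """Holder: reveal salt and value only for the attributes being shared."""
    revealed = [[disclosures[n][0], n, disclosures[n][1]] for n in requested]
    return {"credential": credential, "revealed": revealed}

def verify(presentation):
    """Verifier: check the issuer's mark, then each revealed attribute against it."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["sig"], _sign(cred["digests"])):
        return None  # the commitments were not signed by the issuer
    claims = {}
    for salt, name, value in presentation["revealed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # the revealed value was altered or never issued
        claims[name] = value
    return claims

# Constructed sample wallet contents.
credential, disclosures = issue({
    "name": "Alex Example", "covid19_vaccinated": True, "blood_type": "O+"})
boarding = present(credential, disclosures, ["covid19_vaccinated"])
print(verify(boarding))  # only the vaccination attribute reaches the verifier
```

The verifier sees opaque digests for the name and blood type, so it can confirm the vaccination claim came from the issuer without learning the other attributes.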
A universal system of information
This can empower proven credential holders to gain access to private events or secure-access areas in hospitals, workplaces, or government facilities.
In Ontario, the Canadian province I live in, we use a government-issued Health Card that gives our healthcare providers access through a consumer-held credential.
This system creates one universal, centralized system of information, thereby eliminating the need to repeatedly share one’s information across different vendors and reasonably creating verifiable assurance based on traditional methodologies.
However, it should be noted that the Ontario government is moving towards digital credentials, expecting to start rolling those out by late 2021.
As more and more corners of our world are moving online, identity/financial fraud continues to rise. When you couple this with the eight billion people in need of a COVID-19 vaccine in order to resume their regular routines, it becomes clear that the time has come to put the control of digital identity and online data back where it belongs — in the hands of the individual.