Rethink Identity So Personal Data Can Stay Personal

The Internet term "doxing" refers to the leaking of sensitive personal information, typically by hackers. But in reality, the way commerce is conducted today requires consumers to dox themselves, constantly. To prove we are who we say we are, we share our names, addresses, Social Security and phone numbers, payment or banking credentials or other "private" details with countless strangers. We have to trust these third parties to not abuse the data and to protect it from others who would. They often fail at that task, as the massive data breaches of the last year underscored.

In addition to compromising individuals' data, the system places a huge burden on retailers and other businesses that lack cybersecurity expertise. Meanwhile, customers must provide the same information over and over again each time they start a relationship with a different business. Identity is fragmented in one sense and bundled in another, resulting in the worst of both worlds — redundant paperwork and endless targets for hackers.

"The flow of information is backwards in a way," says Stan Stalnaker, founder and CEO of Hub Culture, a London-based social network and digital currency company. "I have to go to all these different websites and log in and they store my data, instead of me having data I own and I can take with me."

Stalnaker's firm is among a handful of organizations, mostly in the tech and digital-currency fields, that are calling for an overhaul of the way identity is managed. In their vision, outlined this year in a manifesto known as the Windhover Principles, personal data would be under the consumer's control. It would be held in fewer and more secure places and portable from one business to another rather than constantly reconstructed.

Here's one way it might work: a young person opening her first financial account — say, with PayPal — would create an identity file, stored in a secure digital vault. She would need to provide certain information for PayPal to validate her identity, but that information would reside in the file, not with PayPal.

Later on, if this consumer wanted to apply for a car loan or a mortgage, she might need to add more information to the file to prove her creditworthiness, but she wouldn't have to start from scratch. She would give the lender a passcode temporarily authorizing it to view only the parts of the file it needed to evaluate her application. (Think of a car key that allows the parking valet to open the door and start the ignition, but can't access the glove compartment or trunk.)

The customer "wouldn't need to go around revealing [personal details] to everyone," says Karen Gifford, the chief compliance officer at Ripple Labs, a digital-money startup that, like Hub Culture, endorses the Windhover Principles.

In this scenario, "not everyone needs your Social Security number. They just need a username that shows you were validated by someone else." Importantly, "the people securing your details would be in that business," Gifford adds. "You wouldn't be forcing a lot of vendors who aren't in information security to be providing information security to you."

One potential objection to the concept is that the keepers of the vaults would have to excel at information security, and would themselves be popular targets for hackers.

Similar proposals in the past contemplated placing banks in that data-custodian role. But Gifford, a former counsel to the Federal Reserve Bank of New York, mused that banks might be as eager as big-box stores to avoid that chore. "Think of the burden they would get out from under," she says. While anti-money-laundering laws require banks to know who their customers are, "you can imagine a day when they simply validated information and did not hold it themselves and... weren't sitting ducks for hackers."

Another problem with unbundling identity is that taking banks and other companies out of the information storage business might prevent them from mining data for insights such as sales leads. If you really think that's a problem.

"The reality is all these large companies, whether you're a Walmart or an Apple or anyone, they all believe right now they're aggregating data and they can monetize it," said Stuart Lacey, founder and CEO of Trunomi, an identity-management startup based in Bermuda. "Well, I would posit, who's the right person to monetize your data? You."
