Shield Your Privacy and Digital Identity with Fingerprints

Some stores, restaurants and hotels keep a visitor’s book, placed nicely near the exit door. This visitor’s book with creatively designed cover and colorful pages, tempt us to write something about the service we received. Comments column is kept specious so that you could take as much space as you need to express your feelings about the services. These visitor’s books also have columns like name, address and contact number. These details you leave behind, as a gratitude for good service or complaint for bad one, may go a long way. The traces you leave behind are valuable to businesses. This information can be used for commercial, advertising or just selling personal details’ database to others, whether you like it or not. Similarly, over the internet, when you shop online, pay bills, navigate on maps, order food, or just leave your comments on a Facebook post, you unknowingly fill online visitor’s books, which are way more descriptive than those you ever filled in a restaurant.

Commercial websites and online services are designed the way that they can track user activity and probably no commercial website or service is an exception to this. The user activity data collected by web can be used to create your digital identity. Digital identity is not necessarily need to contain personal data like name, address or phone number, but when shopping online or ordering food, personal details provided are also used in creating your digital identity. Online services are interested in user’s activity patterns like what you buy, search, where you navigate to, etc. Piecing together, this information creates an entity, which can be used to represent you and is called digital identity or digital entity. A person, device, organization or an application can have more than one digital identities.

Since the beginning of human civilization, identity system is based on physical presence and face to face interactions. With advancement of civilization, complexities arose and it was realized that physical presence and face to face interaction were not possible in all cases. Then documents, signatures, seal, and identity cards served as representatives of physical presence, for example, when the president has to pass an order, he or she doesn’t go to public and recite it. It comes in the form of a document, which is signed and sealed by the office of the president. This form of identity has been serving mankind very well. Frauds and scams also came along like duplicating or forging identity, but stayed under control with law enforcement. Where face to face interactions were not possible, documents represented identity.

But with the evolution of cyberspace and growing dependence of economy on it, traditional way of proving identity fell short. Internet knew no boundaries and existing methods of identity were meant for jurisdictional boundaries. Being anonymous became easy and deceiving identity became even easier on the internet. Existing laws that were made for physical identity system also proved to be inadequate, so companies facilitating web services established digital identity by using user activity data cocktailed with personal details, if available. But this method as well does not represent a proper digital identity solution and compromises user privacy.

Digital identity does the job where your physical identity can’t. Paying money to buy a cheap mobile phone from China sitting in Hawaii is what digital identity makes possible. In simpler words, it drives economy. It makes people trust that your digital identity is as good as physical identity and this trust makes you pay money and the seller parcel you goods from one country to another. Your digital identity can pay on your behalf, receive money, make pizza guy drive for you and get your petitions signed on change.org. But increasing number of frauds, data breaches and identity theft suggests that current system of digital identity is not good enough.

Websites and online services collect user data to establish digital identity. In cases like online shopping, users proactively provides their details, however, activity data is always collected without user consent. There is no user control that how much data is being collected, how this data is being used, stored and shared. A privacy policy page does state how this data is used but again there’s no user control. If you don’t agree to privacy policy, you can’t avail the service; this is where it goes wrong. In bars and pubs, bartenders check customer IDs to ensure that they are of a legal to be served with alcohol. Date of birth is all they need, but you have to reveal much more than needed, ID cards contain enough personal information and you have to show it all to get your age verified. Websites and online services capture way more data than they need and that is one of the inadequacies with current digital identity scenario. Other issue like ensuring that people or entities on the internet are who they say they are. It is easy for people to mask their identity on the internet, but this masking is done by faking identity. Providing someone else’s email ID just to try a service is one example of it.

In an ideal scenario, digital identity should enable users to keep hold of their information. How their information flows through the internet, where it is shared, used or abused. User should be the custodian of their information, not Google, Facebook or Amazon. Users should be able to provide the minimum amount of information required for the purpose. Solution lies in a digital identity system that cannot be faked, duplicated or manipulated. This system would take user consent before any use or access to their information. Telling your name wrong when a stranger asks is easy, taking it further you can also carry a fake identity card having that name. When the same thing is done over the internet, verification of that physical ID card would be very time consuming if not impossible. This is where using physical identity system in digital space fails.

Digital identification by fingerprints offers a possibility of secure method to authenticate user identity in cyberspace. Consumers can authenticate ownership of their personal data by fingerprint authentication. Complete hold of user on his information may sound like a fairy tale but work is indeed underway. IBM is working with SecureKey and leading Canadian banks including Desjardins, BMO, RBC, CIBC, Scotiabank and TD to frame a method for consumers to get hold of their personal information. SecureKey is a leading identity and authentication provider to deliver digital identity network for consumers. During the solution analysis, need for a reliable repository of user information was felt. Banks were chosen as the user data repository because they already hold huge amount of user data, which have gone through extensive verification. So with this verified user information, banks can serve as identity verifier. Another reason for choosing banks is that customers trust banks more than any other organization. If banks can be trusted with money, they can be trusted with data easily.

Identity solution, IBM, SecureKey and Canadian banks are working on, will send notification to consumers, when any service providers need an access to their data. For example: A consumer chooses to subscribe to a service that requires verification of user information, consumer will receive a notification that the service provider needs access to verify consumer information. Only when the consumer authenticates with his biometrics like fingerprints, the service provider will be able to access the information. This solution will not only enable consumers to get a hold of their digital identity, but also work as a privacy shield by letting them control how much of their information is shared.

This solution network is underway testing in Canada and expected to go live later in 2017. This solution will expectantly address flaws of current digital identity and privacy procedures and revolutionize how digital identity is established and consumer information is shared. This system will also keep online services and websites in check, which are collecting user data irrepressibly without their consent. Uncontrolled use of this information is made legal between the thin lines of privacy policy terms and conditions, however, we do boast our ability to agree by clicking that Accept button, don’t we?