This article was contributed by Debra J. Farber, Privacy Strategist at Hedera Hashgraph
The internet as we know it is broken. When it was originally created with the primary objective of facilitating information sharing, this meant that security and user privacy were little more than an afterthought. The original data architectures were based on the concept of stand-alone computers, which companies used to store data centrally on a server that could be sent or retrieved by a second counterparty. To reap the benefits of the internet both on an individual level and at a societal level, each user needs a digital identity.
There are many interpretations of the term “digital identity” which range from email addresses and social media accounts to actual forms of digital identification such as passports or driving licenses used for authentication in real-life scenarios. As the UN strives to ensure that everyone on the planet has a legal identity by 2030, the topic of digital identification has become more pertinent, prompting companies like Microsoft and Accenture to look at ways to provide digital identities to the 1.1 billion people around the world with no official documentation.
As we enter a new era where our driving licenses are stored on our phones, it’s important to remember that the world was a different place when the foundations for the internet were laid down. Consequently, the internet that we rely on today still sits on shaky footing when it comes to user privacy and security. This is cause for a host of problems – and it’s a large part of the reason why Microsoft and Accenture have turned to blockchain to help the UN realize its goal of providing each member of the global population with a legal identity over the next decade.
Losing control of our digital identities
According to Statista, the number of social network users worldwide reached 3.6 billion in 2020, with that figure forecast to grow to 4.41 billion by 2025. On the vast majority of existing social media platforms, email clients, and the array of other tools we use to communicate online, individual users do not hold ownership of their digital identities.
Instead, these identities are managed and owned by some of the largest and most powerful companies in the world. This comes at a cost to our personal, professional, and financial data. Under the control of large businesses, this data is used and analyzed for advertising, marketing and to predict our collective future behaviors.
Banks can see how and where you spend your money; retailers can identify patterns in your shopping habits; while social media platforms know who you know and what you are interested in. We have seen time and time again how this information can be exposed or exploited through the rising number of cyberattacks like the recent “catastrophic” data breach involving Ireland’s Health Service Executive (HSE) and other notable incidents, such as the Cambridge Analytica scandal.
What makes this more worrying is the fragmented nature of our digital identities – many longtime Internet users would be unable to list off the names of every single website or app to which they have ever registered. For many people, there are little pieces of our identities spread all over the internet for which we can’t even account.
It raises a serious question of trust. With more and more devices getting connected to the internet, virtually all of our data is still centrally stored: on our computers or other devices, or in the cloud. Can we trust the businesses, organizations, and institutions that store and manage our data against any form of corruption – either internally or externally, on purpose or by accident?
In the instance of Ireland’s HSE cyberattack which occurred in May 2021, hackers gained access to highly sensitive data which was centrally stored by the Irish health service. According to the BBC, by September 2021, 95% of servers and devices had been restored – meaning that the HSE has yet to restore all devices and services impacted by the incident.
The attack on Ireland’s health service illustrates just how high the stakes can be when it comes to storing data centrally. In comparison, distributed ledger technologies (DLT) store data in cryptographically linked blocks which are nearly impossible to tamper with, ensuring there is no single point of failure, as there is when centrally storing data.
Taking back ownership
For data protection to meet the privacy standards required by internet users in the 21st century, it’s imperative that we aim to give individuals the ability to control and manage their own identities and the personal data tied to their identities. The key to providing this is through decentralization.
Decentralization offers additional security when compared to the centralized architecture on which today’s internet relies. With the existing internet, problems such as server misconfigurations on the cloud can result in data leaks or disrupted service. If there is a single point of failure, numerous parties could see their data compromised if or when a central controller is compromised.
With a decentralized identity, identifiers such as usernames can be replaced with IDs that are self-owned, as opposed to the existing usernames that we use, which are owned and controlled by social media companies or other entities online. These identities work in a trust framework that uses blockchain and DLT to ensure the privacy of users while enabling secure transactions.
Researchers around the world are working to create alternatives to our existing digital identities through the decentralized web, or Web 3.0. These alternatives use new protocols that remove the need for intermediaries during transactions, while further democratizing the web and bringing value back to creators and participants. The goal is to enable internet users to verify their credentials without the dependence of intermediaries while managing their own identities. This will create a fair, secure, fast, and scalable new internet with a stronger focus on security and privacy.
Who is held accountable?
By nature, data on a distributed ledger is owned by each node – meaning that each computer on the network has access to the same data, enabling more secure, effective data management and storage for everyday users and producers of such data. The challenge, however, remains that existing privacy and data protection regulations require that one owner be accountable and responsible for all data privacy requirements.
One approach for DLT networks to ensure compliance with data privacy regulations is to consider the use of index numbers tied to personal data in a separate database, rather than storing personal data on the blockchain. By utilizing this approach, one organization can secure and own that database, while still sharing the data pseudonymously on the blockchain, which will remain anonymous to anyone else who sees the data on-chain.
While this may add a little more centralization to your dApp, it will keep your company compliant until global laws are updated to acknowledge and enable the full capabilities of DLT. While it is not yet a perfect solution, it is currently the best alternative to the existing system of centralization and the risks associated with having a single point of failure.
By introducing decentralization, there is an opportunity for dApp developers to uphold strong, secure data privacy protections for users across the board. By offering strong privacy defaults and more user-centric options, decentralized data solutions will enable individuals to make informed decisions about their data. As we get closer to realizing the full potential of Web 3.0, existing regulations will be improved to better suit the needs of the blockchain industry and better cater to the privacy needs of Internet users.
Debra J. Farber, Privacy Strategist at Hedera Hashgraph