27 September 2023

ID OK? The importance of controlling our digital identities

Start the conversation

Charles Race* says consumers urgently need to start thinking and taking action about their digital identity and who has control over it.

The data reckoning has arrived.

We’re already too familiar with the breach headlines: Equifax, Under Armour, Target.

But in 2018, social media brands came under the spotlight as well: half a million accounts’ data were inadvertently exposed in Google+, and another 29 million users’ data in the Facebook breach.

The repercussions of these breaches go far beyond just one service because social authentication is used with thousands of connected apps.

How often have we all clicked “Sign-in with [insert social media platform]” out of convenience, instead of creating a new account?

While it’s unlikely social media companies expected to be a custodian of millions of individuals’ personal data when they first got started, after the recent revelations, it’s clear that’s what Facebook, Google, and LinkedIn do today.

Consumers have been rushing to reset passwords, disconnect services from Facebook, even shut down their social media accounts.

And Google+ no longer exists in its previous form.

Amid the chaos looms a larger set of questions: what is our digital identity?

Who is the custodian of that information?

And what rights do we, as citizens of the digital globe, have?

These are the real issues consumers need control of, and urgently.

What makes up your digital identity

To start, we need to fully consider what defines personal information.

Is it your credit card number?

It’s not — your credit card number is an identifier, a number that matches you to your banking information.

You wouldn’t panic about losing your shipping tracking number (for most things, anyway).

Identifying numbers like our driver’s licences, Medicare numbers, and more should all be treated like that shipping number.

Instead, as people have more complex interactions online and share how they think and interact with the digital world, we’ve entered a different era than the one in which Medicare numbers were first printed on paper cards and passwords or PINs were the only gate needed to protect our information.

Today, software companies understand what you like; they gather biometric information like your fingerprint or heart rate; they listen to your voice commands and learn your cadence.

They have a wealth of knowledge beyond identifying numbers that get at the crux of who we are as individuals.

You should care far more about protecting this information.

The dual responsibility of identity custodians

Data (including data about you) is proliferating at an incredible rate: 90 per cent of the world’s data was generated over the last two years alone, and 2.5 quintillion bytes of data are created every day.

Companies need to understand what information they are collecting, especially when other services might be collecting it for them and be required to be clearer about what information of yours they’ll be sharing as a part of the consent process.

Setting and publishing a robust data privacy policy which includes consent for personal information, strict scopes for what can be collected, what it can be used for, and how long it can be kept for (and actively purging data that is no longer needed) is core to this.

The consent process also recognises and places equal value on the two core parties in this social contract: the individual who decides who can access information, and the receiver who uses that information for commercial ends.

A company also shouldn’t be able to exclude you from their services if you don’t say yes to their terms; closing this “bully loophole” is another key to the safeguards needed to ensure consumer protections are maintained with meaningful consequences for failing to do so.

Know (and fight for) your data rights

Social media organisations are not — and have never been — in the business of protecting your identity.

For them, your data is their business model.

Whether it’s personal data being given away or data being stolen, neither is acceptable.

Consider the vast amounts of personal information that different services hold for us, and be mindful of what you give other organisations access to.

Give your consent with caution, and consider alternative identity stores as the core of your connected digital ecosystem (full transparency, my company is in the business of enterprise identity).

There’s too much at stake when it comes to our online identities.

The dangers of not protecting our information are staggering, growing every millisecond.

We need to take action — as consumers, as technology companies, and as a global community — to have a serious conversation about the ramifications of who holds our personal information, and with whom it’s being shared.

Take back control before it’s too late.

* Charles Race is President of Worldwide Field Operations for US identity standard company Okta.

This article first appeared at thenextweb.com.

Start the conversation

Be among the first to get all the Public Sector and Defence news and views that matter.

Subscribe now and receive the latest news, delivered free to your inbox.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.