It’s time to reclaim control of personally identifiable data

A report from the ITRC shows that in the US during 2018, the total number of reported data breaches went down 23% compared to 2017, but the exposure of personally identifiable information (PII) increased by 126%.

PII is any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Source: NIST, https://www.nist.gov

I have been working with internet-driven software for more than 20 years now. Currently I work for a software company (tretton37), and in parallel I’m running a hardware design agency (Dsruptive) for implantable electronics. The IoT is pushing hardware development forward and bringing the best out of software development. The two go hand in hand, even though it hasn’t always been like that. Today we can accelerate the use of a product through software, and we can manufacture and iterate on hardware cheaper and faster than ever before!

In this post, I will be exploring how emerging technologies are transforming the landscape of ID fraud and ID theft and how technology will help solve the problems we’re having today. We will look into the implications of the advancements of the following topics and technologies:

  1. Infrastructure for internet coverage everywhere and faster connections
  2. Digitizing the ID process
  3. Acceptance of implantable electronics

Connectivity

There are many reports showing how internet coverage will increase in the coming years. This means a lot for the world economy; many new jobs will arise, and people who have been digitally isolated will find a new world of opportunities. This will have the greatest impact on 3rd world countries, including rural locations with poor or no network connectivity. All of a sudden, these people can access the same information as the world leaders can.

The fact that M-Pesa changed banking in Africa is a brilliant example of what happens when connectivity increases. The problem was that people got robbed and killed on the way to the bank. Today people use their cellphones to transfer money digitally, and the road pirates can’t do anything about it.

Multiple companies are trying to provide these areas with the infrastructure needed for high-speed data connectivity, leaving no one behind. Google X is piloting its Project Loon (https://loon.co), and Amazon is working on Project Kuiper, which would put 3,236 satellites into orbit to provide high-speed internet to any point on the globe. Besides these, SpaceX, Facebook, OneWeb, Airbus and even China are building global infrastructure for high-speed connectivity. It won’t take long until the infrastructure is in place to offer high-speed connectivity to all 9 billion people on earth.

With that infrastructure in place, education will be available to everyone, and inventors will start popping up, solving problems the connected world hasn’t yet seen. People with certain skill sets, specialist doctors for example, will not have to travel the world to be able to participate in, guide or remotely control a specific situation; they just plug in and do their job.

Connectivity is key for anything digital to broadly impact the world. Today, approximately 50% of the world has access to the Internet. These initiatives will get us to 100% within a 5-year period. The rural areas that have never experienced what the Internet can bring will not have to go through the hassle of a 28k modem. They will jump in on a gigabit connection, ready for live virtual reality and other emerging technologies requiring ultra-high-speed internet connections.

e-ID instead of the physical and static ID cards

In Sweden we have almost full internet coverage, and the country has been a pioneer within many IT-related areas thanks to early investment in the fiber optic infrastructure. Another thing we’ve been pioneering in is e-ID.

I have not been able to find statistics that indicate a decrease in ID fraud and ID theft in Sweden since the introduction of the e-ID, but in 2018, the e-ID was being used by 97.5% of the Swedes between 21–50 years old with a bank account (Source: Finansiell ID-Teknik BID AB Årsstatistik, hela 2018). This paves the way for a shift in technology, and that shift is making it really hard for counterfeiters.

The identification document is 600-year-old technology for proving a person’s identity, but it has been of more importance during the last 100 years, since the photo ID was introduced. The personal identity number (known as social security number and by other names in some countries) has been used in Sweden since 1947 and is used broadly in systems to keep records of people. Manipulating these systems opens up the possibility of misusing personal data, and it is considered ID-theft when someone else uses your personal identification number to falsely identify themselves.

ID-fraud on the other hand is considered to be anything related to the misuse of your personal identification number, like a credit card. If your card is copied and someone uses it to pay with, this is ID-fraud. This means someone is claiming that they’re you to be able to access your bank account. The main problem here is that the threshold of security is set by countries and not by the issuer. In the US for example, you can pay by only giving away the card number. The CVC code does not have to be entered. In a global market the weakest link will set the level of security.

The e-ID can be used to log in to digital services requiring a user’s verified identity. This approach allows you, and only you, to gain access to any services linked with your personal data. The e-ID can also be used to sign legally binding documents and authorize transactions.

If you’re a victim of ID-theft or ID-fraud, you can’t do much yourself without involving the authorities. We have an old infrastructure that needs to be replaced by a new one before we will be able to see any changes. You aren’t totally helpless though, even if that’s the feeling that sets in when all the anger has left you.

Normally, the first thing that happens when your identity is stolen is that the perpetrator changes the records of your official residence. This allows any automatic lookup of your (or rather the perpetrator’s) address to be confirmed, and the goods ordered in your name will be sent to the criminals. If you live in Sweden, you can actually stop this from happening simply by signing in to Skatteverket, the Swedish IRS, and ticking the checkbox that requires e-ID to be used when changing residential address.

In Sweden (and I’m sure it’s similar in many other countries) there are several e-ID solutions. The most adopted one is called BankID, and it requires you to have at least one of these three:

  • BankID installed and connected to your smartphone (Mobile BankID)
  • BankID on a card and a card reader
  • BankID stored in a file on your computer

The user base of the mobile BankID (red bars in the graph below) is growing steadily. The mobile BankID also requires two-factor authentication. When using it, you confirm with a 6-digit code, fingerprint or facial recognition.

A minimum of two-factor authentication should be required when requesting any PII, physical or digital. Ultimately, you should be able to trace any external interaction with your PII back to the function using it. Obviously, that’s not possible as long as the plastic card proving your identity exists. This will only be possible if the old infrastructure is completely replaced by a new one.

The normal phasing-in of new technology can be visualized with the conventional technology S-curve (see graph below). Currently we are in a mix of two technologies, and it’s not until the old technology has been phased out that we can rest assured our data is safe. Until then, you may slip and flash your ID card to someone inappropriate, or your unique personal identification number could be found in your mail, in your paper trash collection or in a digital breach, and be misused by someone with bad intentions.

I like the fact that we have come this far with the digital BankID, but it’s only barely taking us half-way there. As of today, my PII is being stored in many different databases and I have no idea where, why and how it’s being used. To gain control of the situation the data should only be permanently stored in one place and that’s on the device I control.

I would like to receive a “receipt” from the service using my data. The receipt should contain the intention of the use and for how long my data is being used. If I would like to remove the access to my data in the other system, I simply cut the access to it from my log. This would put me in absolute control of my data.
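A minimal sketch of the receipt idea above, added here as an example and not part of the original post: a user-held store issues purpose-bound, time-limited receipts for selected fields and refuses reads once a receipt is revoked or expired. The class and field names, the HMAC-based receipt format and the sample data are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


class PIIVault:
    """Hypothetical user-held store that releases fields only against a valid receipt."""

    def __init__(self, records):
        self._records = dict(records)
        self._key = secrets.token_bytes(32)  # signing key stays on the user's device
        self.log = {}  # receipt id -> {"receipt", "revoked"}: the user's own access log

    def _mac(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def grant(self, service, fields, purpose, now, ttl):
        """Issue a receipt naming who may read which fields, why, and until when."""
        missing = set(fields) - set(self._records)
        if missing:
            raise KeyError(f"unknown fields: {sorted(missing)}")
        body = {"id": secrets.token_hex(8), "service": service, "purpose": purpose,
                "fields": sorted(fields), "issued": now, "expires": now + ttl}
        receipt = dict(body, mac=self._mac(body))
        self.log[body["id"]] = {"receipt": receipt, "revoked": False}
        return receipt

    def revoke(self, receipt_id):
        """Cut access from the log; later reads with this receipt fail."""
        self.log[receipt_id]["revoked"] = True

    def read(self, receipt, now):
        """Return only the fields listed in a genuine, unexpired, unrevoked receipt."""
        body = {k: v for k, v in receipt.items() if k != "mac"}
        if not hmac.compare_digest(self._mac(body), str(receipt.get("mac", ""))):
            raise PermissionError("receipt forged or altered")
        entry = self.log.get(body.get("id"))
        if entry is None or entry["revoked"]:
            raise PermissionError("access revoked")
        if now >= body["expires"]:
            raise PermissionError("receipt expired")
        return {name: self._records[name] for name in body["fields"]}


# Constructed sample data; times are plain seconds so the example is deterministic.
vault = PIIVault({"name": "Test Person", "address": "Example Road 1", "phone": "000-000"})
receipt = vault.grant("webshop.example", ["name", "address"], "delivery", now=0, ttl=3600)
```

Because the receipt is authenticated with a key that never leaves the vault, a service cannot widen its own field list or extend the expiry, and the user's log is the single place where access is granted and withdrawn.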

I see a future where we have our identity stored in a device protected with any preferred multi-factor authentication. Besides identification purposes, this identity can be used to authorize digital purchases, meaning it would replace any physical plastic cards too. In the near future there will be no such thing as transactions with coins or banknotes; everything will be digitized. Sweden is expected to ban trade with cash by 2023 (Source: Handelsrådet, När slutar svenska handlare acceptera kontanter), and plastic cards should be gone by then too, since they are open highways into our bank accounts. This would make it possible to stop ID-theft and ID-fraud completely.

Control the access to your data

More and more people use their devices as an extension of the common things we use, like e-ID, mobile payments, and so on, and most people are fine with this. It has even come to the point where we say “my battery is running low” when talking about the mobile phone! It’s ok to use a mobile device since it only contains a snapshot of the data. It’s not the master system. If the device fails, we replace the device, sync it and are up and running in a matter of hours. But it’s our extended arm and mind already at this point.

If we were to be in complete control of our data, we would need to carry around the master data, and preferably it needs to be securely stored somewhere. It would need to transfer data to other systems when in proximity, without the need for batteries. It also needs to be able to encrypt the data and select only the records requested. The biggest problem to tackle would be to not lose the device. Not ever ever ever!

Another area where the Swedes have been pioneers in adoption is implantable devices: a technology you can’t forget at home or have stolen. The number of users is not confirmed, but 10,000 users is a number people talk about, and the interest from the public shows no signs of slowing down. We can squeeze a couple of kilobytes of storage into these tiny devices today, but the acceleration in this technology is exponential and will soon provide enough storage to safely store and encrypt any data needed for e-ID and maybe even medical records and sensory data. The thought of embedding something in the body is scary to some people, but I sincerely believe that everyone can gain from the benefits.

Wouldn’t it be great if we could use our DNA to authorize the use of our personally identifiable information, money transactions and the signing of legally binding documents in a safe manner? Any data stored would be encrypted and decrypted with our DNA, making it impossible to misuse.

Summary

It’s clear that internet security is maturing. Technological advancement allows for better security that is exponentially harder to crack, and this is reflected in the decreasing number of data breaches on systems living online.

Data is gold, and biometric data will become a bigger part of the data collection of PII. To be able to control the data, the ownership has to change. The EU regulation GDPR is one step in that direction, but we will see other initiatives taking us further.

If we don’t want to see the exposure of personally identifiable information keep increasing, we should organize and find a future solution.

As I’m working in both the software and hardware industries, I’m interested in continuing this discussion. Feel free to connect in any preferred way.

Twitter: @lanhed

LinkedIn: linked.com/in/lanhed

Email: patriclanhed[at]gmail.com