Digital Identity
Digital identity is the phrase referring to the data that computer systems use to represent external agents, which can be individuals, organizations, applications, or devices.
Registration
Most likely many of us have used several online applications like Gmail, Facebook, Amazon, Online Cinema booking site etc;
The very first time we attempted to use these solutions, we encountered a "Register" / "Sign-up" / "create an account" and we got displayed a set of fields, which have asked us to enter some information.
This information is stored on a computer system (server).
Depending on the business process of the online system in context, additional documentary evidence will require to be uploaded.
For example, online trading platforms, will ask to upload multiple identity documents (eg Driver's license, Passport etc) in addition to possibly involving a biometric identification (facial recognition with liveness detection).
This is where the Identity Proofing (covered as part of previous topic) comes into play.
Different businesses require different minimum strengths of identity proofing.
The reasons could be internal business processes, risk minimization or legislative compliance for example.
The information provided as part of registration includes attribute(s) that uniquely identify the individual - example email/phone number for example
And, some attributes that identify the individual - first_name, last_name, dob etc;
This set of information that forms a user's digital identity, is usually stored in some data store with an associated unique identifier (eg. email, unique number, unique string etc;)
The above example discussed digital identity in the context of an individual, but digital identity is not limited to individuals.
Digital Identity can represent an Organization, business, application or device.
Privacy
Answer: NO, Its disastrous for the individual
Personally Identifiable Information - PII
Personally identifiable information (PII) is any information connected to a specific individual that can be used to uncover that individual's identity, such as their social security number, full name, email address or phone number.
PII is used by hackers to commit identity theft, exploit the individual or sell such information to other offenders. Hence, its the responsibility of system designers to ensure only the most minimum of personal information that is necessary is captured.
Most of us already have accounts across
- Social media - Facebook, Twitter, Snapchat, Instagram...
- At least 20 different shopping sites - clothing, jewellery, grocery, fashion items...
- online gaming, sports, movie sites...
- several 100 others over the years that we've registered for, that we don't even remember...
Imagine how many data stores out there in the internet, contain our personal information.
And not just that, most of these sites have privacy policy and terms of use, which nobody reads. (obviously... its usually a verbose legal document)
Example -
Apple terms of website use: https://www.apple.com/au/legal/internet-services/terms/site.html
Apple privacy policy: https://www.apple.com/legal/privacy/en-ww/
Google terms of service: https://policies.google.com/terms
Google privacy policy: https://policies.google.com/privacy
Many of the websites share information between their subsidiaries and affiliates for business reasons. Which means more copies of our personal information stored forever across more data stores!
Even if one such online system/data store is compromised, its sufficient to cause disastrous consequences for an individual whose data is compromised. Hackers are getting smarter in aggregating, deriving digital identities and exploiting information, and hence the onus is on the individual users as well as system designers to ensure digital identities are protected.
This uncovers the need for a strong Authentication and Authorization mechanisms to protect digital identities.