Proving you are who you say you are on the web has become critical in today’s digital world, and proof of identity has evolved beyond physical forms of ID. Increasingly, we rely on digital identification or ‘digital IDs’ as authentication to access services at various levels of organizations and governments alike.
In essence, digital IDs are an extension of physical ID documents such as driver’s licences, passports, and bank access cards, which allow individuals to verify their identities through biometrics via digital channels – similar to how they would present their physical ID for verification in person.
Digital IDs have become a hot topic when it comes to managing identity, authenticating individuals, and linking personal information. As individuals continue to share their personal data to access services like travel, privacy implications and security issues arise. As a result, consumers who share their digital information with organizations to access services expect a high level of privacy and security to keep their data secure. After all, data protection is the responsibility of the organization that collects it.
In an increasingly digital world, where digital IDs are becoming the norm, organizations must be held accountable for protecting user data. Organizations must build and maintain a standardized framework of trust and security to establish clear rules governing the collection and use of personal information. In addition, organizations must also be expected to offer transparency about how much information they collect and access, where it will be stored, and how it will be used and managed, to ensure individuals’ intrinsic right to privacy is protected.
While digital IDs pose privacy concerns, they can be an excellent enabler for the broader use of digital systems and services. Undoubtedly, digital IDs open up a world of opportunities to streamline operations for organizations with multiple authentication requirements.
Organizations, such as financial institutions, can gain significant value from being the centralized data source others can use to gain access to services. Through digital IDs, organizations have the opportunity to create a more seamless process for access to their products and services and improve their data management.
In addition, digital IDs that use biometrics for authentication can also enable broader usage amongst groups with age-related constraints or those suffering from conditions such as dementia. With digital IDs, these groups can access services without remembering usernames and passwords. However, while digital IDs offer new advantages and are even becoming necessary, they must be implemented cautiously to minimize privacy and security risks.
Digital IDs require robust technology, especially when biometrics are involved, to eliminate room for error. For example, there have been instances where certain facial features or skin tones were not recognized by the technology organizations and governments put in place. This could lead to frustration, infringement on citizens’ rights, and lack of trust.
The challenge here is that if the technology is not robust enough, there could be false positives that will discriminate against specific populations. Instances like this leave open opportunities for vulnerabilities to be exploited and must be avoided through the right technology and robust levels of testing.
When it comes to the compatibility of technology needed to power digital IDs, we must consider that all individuals and organizations use different devices and software. These devices could come with different levels of security controls and different capabilities for deploying those controls. Therefore, it is critical to ensure that applications used by organizations are compatible with all devices and have robust security measures embedded in them by design to protect the privacy of individuals.
Another consideration is building a framework that standardizes how to collect, manage, and share digital identification information within a country (between provinces in Canada), between multiple organizations or between countries that need access to sensitive information. We have seen countries tackle the challenge of issuing digital IDs and building and implementing frameworks with various levels of success. However, when it comes to sharing information between different jurisdictions, there is a lot more complexity involved.
Consider the need to show proof of the COVID-19 vaccination while traveling between different countries. How will different countries and even different organizations like airlines access individuals’ personal health information securely and trust the data source? What personal information should be made available to organizations like airlines to demonstrate vaccination confirmation? Where should this sensitive information be stored to ensure citizens maintain control over their personal data?
As users of digital IDs, it is essential to consider the risks associated with sharing personal information and question how much data will be accessed and shared. In showing proof of vaccination to airlines, we must know where to draw the line. Why do airlines need access to personal health records? Or do they, and if so, for how long? What security procedures do they follow to protect sensitive information and individuals’ right to privacy?
Today there is no common framework that could be used to address this challenge. Moreover, there are many complexities in building and agreeing to such measures before they can be implemented successfully.
Organizations that use digital IDs as authentication have a responsibility to keep sensitive user data secure. While there’s convenience in having a central digital source of information for both organizations and individuals, there is also tremendous risk. Security breaches can lead to catastrophic consequences since individuals have only one set of biometric data. Thus, organizations must be held accountable for creating and implementing defined privacy and security procedures to ensure user data is protected from unauthorized access.
For example, when an airline scans an individual’s digital ID to confirm proof of vaccination, the airline should have absolutely no access to other records besides their vaccination confirmation. Also, no information should be collected and stored, to mitigate the risk of compromise even if the airline’s systems get breached. Information access should be tiered to only what is required, for only the time it is required, and the information itself needs to be protected through solutions such as encryption.
Trust plays a critical role in protecting the privacy and security of digital IDs, and it works at two different levels:
One way to manage this issue is that different access levels are provided based on need, but no external party gets to save or use the data outside of the stated purpose — the individual whose data it is retains the source, much like physical IDs.
– Adriana Gliga-Belavic
This model can only instill trust both ways when it starts from a place of ‘zero trust’ with consumer rights at the center and is made highly robust to generate confidence from both individuals and organizations. The protection of user data is the responsibility of the organization that collects it. Therefore, creating a standardized framework of tiered access to sensitive information is the responsibility of organizations, and they must be held accountable for this model to be implemented appropriately.
Digital IDs are not just about creating and enabling digital authentication and data, but about the entire lifecycle of the data – from how it is gathered to how it is stored, secured, and deleted or purged. Therefore, organizations must build solid policies and procedures around the data they collect and manage.
“Individuals will share personal information to access services, but they have become increasingly aware of their rights related to their data and privacy,” explains Adriana Gliga-Belavic. “As a result, individuals will demand that organizations are transparent and have privacy policies and procedures to protect their sensitive information.”
Cyber security plans and technology are of utmost importance to protecting the data of digital ID users. With the advanced tactics hackers deploy, it is often not a question of whether an organization might be compromised but rather when it will be compromised. Therefore, organizations need to be prepared with cyber security plans, controls, and detection measures so that they can respond appropriately if a breach occurs. However, being prepared is half the battle won.
“With more digitization, it’s only likely that we will see more attacks across the board, and the controls and response protocols put in place will be critical to come out on top. With the sensitive nature of information being collected and stored, nowhere is this more true than with digital IDs,” says Adriana.
Digital IDs open a world of endless opportunities for organizations and individuals alike. From centralizing data sources to offering convenience and ease of communication, solving the digital ID challenge is becoming a necessity. However, digital IDs also come with the tremendous risk of privacy implications, and it is the organizations’ responsibility to protect user data and build digital trust. Organizations must be held accountable for:
In the era of digital IDs, individuals need to understand their privacy rights and hold organizations accountable for protecting their sensitive data.
Our experts specialize in creating, implementing, and maintaining data security and privacy at all levels. For more information on digital IDs and the role organizations play in protecting user data, reach out to our team.
Adriana Gliga-Belavic, CISSP, CIPM, PCIP, is a Partner, Privacy & Data Protection Lead with MNP Digital in Toronto. Passionate about security and privacy, Adriana helps public and private clients build pragmatic strategies and privacy programs to maintain customer trust and find the right balance between business results, proactive cyber resiliency and enhanced privacy.