By Alex Tweeddale, IDWorks

A recent report has suggested that 90% of 11-year olds in the UK currently own a mobile phone, with this figure being close to 100% when the children reach secondary school.

Even at the age of seven, more than 50% of children are reported to have smart phones, with access to the internet.

This development has only occurred within the last five years, meaning that regulation and technical safeguards are outdated.

It is time that companies put proper technical implementations in place to secure and protect children online to stop their data being processed and shield them from harmful content.

The internet is playing ‘catch-up’ when it comes to protecting child safety.

To access inappropriate content online, the user is solely required to check a box saying: ‘I confirm that I am over 18’.

This is not age verification. This is not true age attestation. But a lacklustre and unacceptable technical solution.

Similarly, social media companies do not make special considerations for children, even though children are less aware of the risks and potential consequences of the processing of their personal data than adults.

When using social media websites, children give consent for the platform to use their data, process their data and target them with advertisements.

The only age verification that is in place is self-attested.

Social media platforms do not comply with the law

The law on protecting child rights is written directly into Article 8 of the European Union’s data regulation, known as GDPR.

It states it is only legal to process personal data of children over 16 years old without parental consent.

Companies must make reasonable efforts (using available technology) to verify that no one under 13 uses the platform and that someone between 13 and 16 does have valid parental permission to use the platform.

Generally, if a child signs up to these websites or platforms between the ages of 13 and 16, the site will require them to enter a parental email address to receive parental permission.

This, however, is a flawed mechanism because it is very easy for the child to simply create or input a second email address.

To get around this, most social media platforms contain a clause in their terms and conditions stating that ‘we do not knowingly collect personal information from anyone under 13’.

And, ‘Our services are not intended for — and we don’t direct them to — anyone under 13’.

This notwithstanding, I would argue that social media companies using clause like this in their terms and conditions, do not comply with the law on this issue.

The law requires these companies to take active steps to prevent children’s data being processed using technology.

Yet, the companies are passive on the matter and choose to take a reactionary approach.

The issue is that companies can get away with this reactionary approach because there is little enforcement of Article 8 GDPR in practice.

Enforcement… or lack thereof

The UK’s Digital Economy Act, drafted in 2017, sought to put proper age verification in place online to protect children against online pornography.

But there were questions raised about how the age verification would be implemented, with people worried that their sensitive personal data would be centralised and would become a target for hackers.

Mike Bracken, the former head of the Government Digital Service stated that: “the government relies on bulk data sets too often, instead of simply asking for the individual data set pertaining to the information needed”.

Furthermore, the Open Rights Group suggested that this would simply push more people to using VPNs and TOR and would not act as a feasible block.

This Bill was therefore amended before being enacted by the UK Parliament to remove the age verification for pornography — but for now, we are left with a wholly ineffective system which does not attempt identity verification nor does not protect children at all.

This should not be the case.

The solution is Self-Sovereign Identity

In the last three years technology has however progressed to a point where now age verification may be added to the internet in a much less invasive way, whereby individuals can present proofs of their age to platforms without bulk data sets.

Self-Sovereign Identity (SSI) is a technology which allows individuals to hold verified attestations of their identity, issued by trusted sources.

If SSI is adopted for age verification, a child will have a signed packet of data on their mobile, issued by a teacher at their school, or a doctor attesting to their date of birth and identity.

Whenever this child tries to access an age-restricted website, the website could ask for an ‘age credential’ to be shared with the website.

If this child does not meet the age-requirements, and could not share a valid age credential, it would simply not be able to access the content on the website.

In another scenario, if the website requires guardian permission, the child’s device can be linked to their parents’ device and a push notification may be sent to the parent before access is granted to the child.

Credentials from the parent and the child can be combined to give the child access to the content.

This whole workflow occurs in a peer-to-peer, decentralised way, which means that no child’s identity data would ever need to be held centrally by an internet service provider or social media platform.

This solves the issue that the UK Parliament faced in 2017.

The main challenge now is how to get this technology implemented on a large scale.

The first step towards this is spreading awareness and educating people that there is a technology out there that can better protect children online.

It is time for people to hear about this and to push to change the regulators to implement SSI.

If you want to hear more about Self-Sovereign Identity and how IDWorks can help add a verified identity layer to the internet, contact us at: hello@idworks.io

By Alex Tweeddale, IDWorks

I read an interesting BBC News article last week which highlighted that there has been a surge in cases of fraud in the UK with the police struggling to cope due to being unable to identify the criminals.

While overall crime has not dramatically increased, the amount of reported fraud has increased by 500,000 cases in the last year.

Alarmingly, ex-Met Police Deputy Commissioner Sir Craig Mackey, has suggested that fraud now accounts for one third of all crimes in the UK, yet only 2% of fraudsters are detected.

To put this into perspective, each day, approximately 2,000 fraud offences are committed, whilst only 1% of police officers will even attempt to investigate the reports.

The main reason for the proliferation of fraud is because of how easy it is to remain anonymous online. In fact, 86% of all fraud is committed online, and most commonly in the form of a phishing scam.

It seems to me that the lack of identity verification and trust in digital interactions is, fundamentally, why online fraud is so pervasive. If I want to know, with absolute certainty, who I am transacting with online or giving my account details to, there is presently no clear way for me to see that the recipient is not a fraudster.

Although most banking websites have secure connections and verified certificates — it still remains easy to impersonate the logins of websites and catch people who are not looking for the secure connection.

For this reason, ex-Met Police Deputy Commissioner Sir Craig Mackey suggested that “fraud investigation in the UK needs a ‘new future’.”

Our team at IDWorks and our parent company, 20I30 Group, believe that this new future is Self-Sovereign Identity.

Self-Sovereign Identity (SSI) is a technology which adds a layer of trust to digital interactions. It will enable each internet user to have a digital wallet containing verified identity information. This could be used for example, if an individual is a customer at a bank, and wants to use online banking.

At the stage of login, the individual will exchange verified credentials with the bank, meaning both parties will know that they are transacting with a legitimate entity rather than a fraudster.

This could also be used for phone calls from the bank — the bank could send, via a push notification to an individual’s phone, a verified credential exchange link to definitively prove it is the bank.

According to Barclays’ article ‘identifying the consumers of tomorrow’: “By 2022 it’s predicted that 40% of interactions between businesses and their customers will be affected by a form of digital ID known as self-sovereign identity (SSI).”

If this is the case, the rates of fraud over the next two years, particularly financial fraud, may begin to decline as SSI is slowly adopted across multiple industries.

Overall, the state of fraud online is only getting worse as more criminals realise that they can ‘operate with impunity’.

Law at this stage is ineffective because it cannot be enforced.

As such, an architectural change is needed to be made to the fabric of the internet — adding a layer of trust and security to what is currently a playground for criminals.

Protecting the identities of the public online is a fundamental human right. Businesses need to take action and recognise they need to do more to protect their customers.

We firmly believe 2020 is going to be the year for true deployment of SSI.

Last week we made a number of predictions for SSI in 2020 — to read more, click here.

‍

Originally published at https://www.idworks.io.

2020 looks to be a year of deployment for Self-Sovereign Identity. Many projects which began as mere concepts now have the building blocks in place to go into production. Following the deployment of various projects, it is likely that increasingly larger companies and governments will begin to recognise SSI as a vital layer of trust for digital interactions.

1. Navigating GDPR compliance will decide which companies succeed

Whilst buzzwords such as Self-Sovereign Identity (SSI), blockchain and digital identity capture imaginations; in reality, decentralised technology will need to comply with legal regulation in order to be taken seriously.

In order to comply with the GDPR, no personal data can be stored on a blockchain. This is potentially a hurdle for companies building on public blockchains in which public write access is enabled. The EU Blockchain Observatory states that “private, permissioned blockchain networks operated by consortiums of companies or government agencies, will find it easier to apply the letter of the GDPR.”

2. Corda on the rise

Corda is a highly scalable, point-to-point enterprise DLT which has a core group of enterprise companies already using the platform. Corda is currently creating its own DID method and is preparing the foundation for SSI natively on decentralised ledgers. This development will bring the benefits of SSI to an already solidified consortium of companies with similar pain points and data management issues.

For this reason, the development of SSI on Corda will be widely trusted by enterprise entities and will complement the ecosystem on Hyperledger Indy and Ethereum.

3. Interoperability of verifiable credentials

The use of verifiable credentials is part of the fabric of all SSI models. Yet, the standards used for verifiable credentials are not yet confirmed or established. This has led to multiple different builds of verifiable credentials which do not necessarily interoperate. Going forward in 2020, we would hope that a lot of the asymmetries in the development of verifiable credentials can be ironed out.

4. Governments will start backing standards

Increasingly, governments are beginning to take note of SSI. This can be demonstrated clearly by the Pan-Canadian Trust Framework which launched a working SSI ecosystem. However, it looks like 2020 will see the government progression of SSI in Spain the Netherlands and Germany. Catalonia, for example, have announced IdentiCAT which is an SSI model, aiming to make Catalonia the first province in which citizens are the owner, manager and exclusive custodian of their own personal data and digital identity. Similarly, the Netherlands and Germany are engaging in PoCs with companies such as IBM, TNO & Jolocom.

5. European Self-Sovereign Identity Framework

The ESSIF is something which was initiated in 2019 and is beginning to properly coordinate events in 2020. The most recent stakeholder meeting was held 15th January where the creation of a European-wide ledger called EBSI was discussed, in which each Member State would run a node.

The ESSIF aims to act as a regulatory body and governance framework, ensuring the private sector implementations of SSI are interoperable and compliant with regulations such as eIDAS and the GDPR.

6. See SSI in action in specific use cases

SSI is a technology which has made many claims about what it can do, but little practical use cases have come to fruition. 2020 is a year where we predict we will see SSI truly in action in various use cases.

a. Higher education

One of the most commonly cited use cases for SSI is being able to verify and reuse a digital University degree. Today, Blockcerts, an application for issuing verified higher education records is up and running and used by 69% of graduates in a few Universities in the USA & India. This is a small step towards widespread adoption of digitally verified academic achievements. ‍

b. Know your doctor

Truu is a company working directly with the NHS in the UK to give doctors specific self-sovereign IDs. The premise of this technology is to prevent the potential for fraudulent doctors. Over the next year, we expect to see this use case go live. ‍

c. Verifiable credit scores

CULedger is a technology which uses a combination of SSI, powered by Evernym (MyCUID) and R3’s Corda ledger for blockchain-based settlement (CUPay). What this technology does is add a trusted identity layer to transactions, greatly increasing trust in the transactions and reducing the likelihood of fraud.

‍

Originally published at https://www.idworks.io.

By Louisa Bartoszek, Head of Communications, 20|30 Group and IDWorks

Online dating is mostly a lot of fun. And largely, free. But is it really? Are people secretly paying by giving away their private personal data? Do they even know the extent of how their personal dating profiles are being monetised?

A study this week from the Norwegian Consumer Counsel (NCC) implies the online advertising industry is allegedly exploiting dating apps through collecting personal data submitted by users. It states that the online advertising industry is “systematically breaking the law’ transmitting personal data and tracking users in ways that are banned under the European Union’s data law, known as GDPR.

The study tracked the activity of 10 popular apps during the period June to November 2019 in order to identify howpersonal data is transmitted from these apps to commercial third parties. Grindr has come under fire for the most criticism — specifically its links toTwitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato — for sharing personal data without sufficient consent.

Privacy-wise, the study says Grindr encourages users to read the privacy policy from MoPub; meanwhile, MoPub’s privacy policy recommends that consumers read the privacy policies of the company’s 160 partners in order to understand how their personal data may be used.

Twitter took swift action and suspended Grindr from its ad platform on January 15, 2020, saying it would “investigate allegations and assess Grindr’s consent mechanism”.

GDPR and the issue of consent

I think things are likely to get a little messy. That’s a lot of companies and with the responsibility on the consumer to manage it. Is this in the spirit of GDPR regulation? It will be interesting to see how the authorities react to the legal complaints being filed. If found in breach of GDPR, the companies could face fines of up to 4% of their global revenue.

The issue of ‘consent’ continues to be an issue for all companies who request and hold data on people who use apps.

The largest issue, as I see it, is that there continues to be an emphasis on pushing responsibility onto the consumer to understand a company’s privacy policy. Which is more often than not, heavy legalese. Dense and confusing. Most consumers just tick yes and don’t realise what they have said yes to.

Identity privacy ‘v’ identity trust

So, what if you wanted to protect your identity on dating apps from data sharing and analysis practices?

If you put your privacy first, it makes online dating virtually impossible, as trust in people being truthful online is vital. Daters need information on their possible partner, visual and factual, to determine whether they might be a match or not.

Otherwise, it is like daters putting their hand into the hat and drawing out a nameless, faceless, information-less lottery ticket in the hope it ‘could’ be their dream partner.

Let’s get real, that’s not going to work.

Then there is an issue fairly unique to Grindr. Grindr is one of the most popular dating apps for gay and bisexual men. And it’s not the first time the app has hit the headlines for data privacy concerns.

It came to light in April 2018 that the app was sharing user’s HIV status with third parties, along with location data and email addresses, without their knowledge (Grindr has confirmed this action has since stopped).

A severe breach in trust and in this instance, a material danger for many gay people around the world who cannot openly identify as such where homosexuality is still illegal.

Self-Sovereign Identity Solution

In my view, this is another example of an industry which needs to transform its approach to managing identity data, through incorporating Self-Sovereign Identity (SSI) technology into their operational infrastructure.

For example, IDWorks has developed a solution which would allow users of the dating app to have direct control and ownership of their profile data. It would allow any dating app to issue verified credentials to all users or users to self-attest identity credentials. These credentials can relate to identity attributes, such as the online dater’s name, age, job, gender, sexual orientation, ethnicity, nationality etc, and can be integrated into existing identity solutions, such as biometrics, for even greater security.

Through this technology, users could set parameters for which data the dating app could see and which data the matches could see. The key however, is that the default setting is one that upholds the user’s privacy. The online dater is in control of their data, not the dating app. The onus would then be on the user to opt-in to sharing credentials with the dating app or with ad-networks — without having to mindlessly click through legalese. No-one should have their data used for anything without their express permission.

Verified credentials would give additional benefits such as increased security and personal safety with online daters, as they will be able to see a secure, verified profile of a potential partner that would be extremely hard to fake, greatly reducing the ability to fake profiles.

Online dating is a contract of digital trust. Data breaches like these erode this trust and can cause substantial reputational and financial damage as a consequence.

This doesn’t have to be the case. Technology exists today which can give daters the confidence to trust the apps they are using. We don’t have to go back in time to a world of only #IRL dating and print ads in the local newspaper.

It’s time for a serious debate about online surveillance practices and put personal data, back into the hands of the consumer.

To learn more about SSI and IDWorks, visit www.idworks.io

‍

Originally published at https://www.idworks.io.

By now, most people will have seen the news that Uber has been stripped of its London licence after Transport for London (TfL) found that more than 14,000 trips were taken with drivers who had faked their identity on the firm’s app. It has less than 21 days to appeal the decision. This is bad news — not just for Uber, but for Londoners like me too.

For Uber, London is reportedly the ride-hailing company’s largest market in Europe. The financial impact of the decision, should it become permanent, would undoubtedly be substantial. Shares fell by almost 6% in pre-market trading in New York on the day of the announcement alone.

For Londoners and visitors who value the convenience, cost-effectiveness and ease Uber provides in transporting people around the capital; losing access is unimaginable. Notwithstanding what this means for Uber’s reported 45,000 drivers in London.

TfL’s public statement indicates that a key issue for them was that a change to Uber’s systems allowed unauthorised drivers to upload their photos to other Uber driver accounts. According to TfL, this allowed them to pick up passengers as though they were the booked driver, which occurred in at least 14,000 trips — putting passenger safety and security at risk. And although this exploit was reportedly resolved by Uber, TfL still do not perceive Uber’s driver verification model as fit for purpose.

Currently across ride-hailing apps, drivers have little ongoing identity verification after they have been registered onto the company, allowing people to log-into other drivers’ accounts to carry out unauthorised trips. An identity layer added as an overlay to the current technology would eradicate the risks of driver fraud completely.

As I see it, the fundamental issue with the ride-hailing industry is the lack of technology which guarantees trust and transparency in driver identity — for passengers and regulators. You can create a fake physical driving license, or pose as somebody else on their Uber account, but this becomes almost impossible to get away with when underpinned by cryptographically secure digital credentials. This problem of identity fraud is one which permeates multiple industries, from taxi-drivers, to fake doctors, to fraudulent lawyers. It is something which can be fixed quickly and easily using an emergent technology known as Self-Sovereign Identity (SSI).

My team here at IDWorks have developed an SSI solution which would allow any taxi company to issue verified credentials to its drivers. These credentials can relate to identity attributes, such as the driver’s name, age, experience, license plate, employment contract, validity to drive, etc, and can be integrated with existing identity solutions, such as biometrics, for even greater security.

In a nutshell, customers will be able to see a secure, verified profile of the driver that would be extremely hard to fake, greatly reducing the ability to operate on a fraudulent identity in these taxi apps. Customers and authorities such as TfL can have the confidence and trust that the driver is who they say they are.

Ultimately, whilst this is a distressing time for Uber customers and drivers, in the long run this could be good news for improving safety and trust in the ride-hailing industry. The potential is there for this licensing nightmare to set a new global standard in identity protection and safety.

I believe that SSI will be a turning point in the ability we have to eradicate identity fraud. Not only will this save companies money it will, more importantly, protect the public who use taxi app services. As Transport for London highlights, “Safety is our absolute top priority”.

To learn more about SSI and how IDWorks can help to ensure customer identities are protected, please visit www.idworks.io or read more about SSI here.

Originally published at https://www.idworks.io.

This article is intended for people who are unfamiliar with Self-Sovereign Identity (SSI) but are interested in gaining a basic understanding of why IDWorks is building an SSI solution and the value it can bring to you, an individual person.

Introduction

In a nutshell, Self-Sovereign Identity (SSI) is a new technology which gives you, an individual, direct control over your data online. SSI allows you to build a trusted digital identity which you can use and reuse to prove who you are in digital and physical interactions with companies, the government and other people.

What is Self-Sovereign Identity?

Self-Sovereign Identity (SSI) is a new layer to the internet which will allow individuals to hold their digital data on their phone, just like holding identity cards in a physical wallet. This technology will allow people to prove who they are online, in a trusted way, when they choose to do so. If a third-party asks for proof of your name or that you are over 18, you can use a verified ‘credential’ to unequivocally prove these attributes.

The key difference between SSI and the current model of the internet is the way data is controlled. In SSI, data is controlled by you. You can choose to share it with companies, and you can revoke companies’ access to your data at your fingertips. SSI is a transparent and secure way of interacting online, in accordance with the GDPR, and is a necessary step for the development of the internet.

How Does it Work?

SSI works by attaching a layer of trust to data. Companies can ‘issue’ data directly to an individual which has been cryptographically signed, instead of only holding it on their servers. This signature is like a royal seal or stamp which proves that it is authentic. The individual then holds this signed packet of data (credential) on their phone and can reuse this signed data if a third-party chooses to trust the cryptographic signature. All of the cryptographic signatures exist on a directory powered by distributed ledger technology (DLT) which enables third-parties to search for them.

With SSI, individuals can build up multiple attestations for identity attributes such as their name, their nationality etc. and build a very strong level of assurance in the claim that ‘I am X’. Once there is a certain level of trust in a digital identity, people will not have a different username and password for each account — they will have reusable credentials which sit, like privacy-preserving cookies, on their devices. These cannot be hacked, phished or scammed away.

The diagram above shows the flow of ‘credentials’ from your device to different organisations

Why SSI is Necessary Today

It is easy to view the current model of the internet with rose-coloured lenses. This is because the internet provides the world with significant value in terms of accessibility of information, ease of communication and entertainment. However, the internet is far from perfect — it is increasingly controlled by large companies which process personal data as a form of currency.

“Whilst at surface level, the internet is free to use, in reality, people are paying with their privacy.” (Alex Tweeddale, IDWorks)

Many people do not have a problem with their data being used as payment for services. This is because, to date, no real harm has been able to arise from this data model. Yet, there are three problems which have gradually arisen on the internet which many people may overlook.

1. There is no trust in your digital identity

One of the main problems with interacting on the internet is that it was initially designed to connect machines together, and the identity behind these machines was an afterthought. Nowadays, people generally set up social media and account profiles in their own name and with their personal information, but there is no trust or verification that this information is true. This certainly has its advantages in terms of privacy and allows people to express themselves without fear of being judged in the real world. However, when people want to undertake secure interactions, such as online banking or perhaps meeting someone in person who they met on the internet — it is important to have a degree of trust in who you are interacting with. This trust is not currently present, and the lack thereof has been exploited by cybercriminals and organsations seeking to aggregate and collect data.

2. You have no tangible copy of your data

Currently, your digital identity and personal data is scattered across multiple companies’ centralised databases. For example, you are probably reading this article in LinkedIn, Medium, Twitter or perhaps Facebook. Your account details for that platform, alongside your profile information, likes, comments, photos, activity, location information etc. are siloed on a central server probably in a warehouse and backed up in another. This means that if Facebook or LinkedIn, for example, was to switch off due to unforeseen circumstances, you would lose a large portion of your current digital identity and personal data.

3. You have no control over your data

Nearly every company across the internet bases its business model around processing, aggregating and selling your data. This is how most websites run for free. There are two problems with this:

Firstly, developments in AI and big data algorithms mean that companies know a strikingly large amount about you, and can concisely profile that information, painting a progressively clearer picture of exactly who you are. The issue with this is that these companies can then manipulate your online experience with psychological targeting, ‘priming’ and ‘nudging’ — exploiting the fragilities in the human sub-conscious for commercial gain.

Secondly, given that individuals have no direct control over their data, when it is leaked, lost or stolen there is little a person can do to recover it. Over the last 10 years, cybercrimes which rely on social engineering such as phishing and fraud have drastically increased and very few cybercriminals get caught. The UK Office for National Statistics show that, in 2019, online fraud is almost 3 times as prevalent as domestic burglary or robbery. In terms of the actual amount which is stolen online, it is unclear, but reports are between £1 billion (UK Finance) and £5 billion in the UK (Norton Security, 2017).

Conclusion

We are in danger of entering a data dystopia where our experience online is so heavily affected by targeted advertising, ‘nudging’ and ‘priming’ that we lose our sense of autonomy. At the same time, we are losing our security and privacy because the data is becoming more difficult to manage and easier to fraudulently obtain. With the rise of the Internet of Things, surveillance and data capture alongside cybercrime, the need for privacy and greater control online is quickly becoming more important.

With the way the world works becoming increasingly complex, it is imperative to ensure that we protect the integrity of our interactions in a user-friendly way. It is time that data was decentralised, and was not stored in companies’ servers, sitting as honeypots for cybercriminals. People should have control over their data and to be able to see where and how data is being used and processed. It is time to take our privacy, security and control back online — this is something that IDWorks believe Self-Sovereign Identity can facilitate.

‍

‍

‍

Originally published at https://www.idworks.io.

The recent Report by the Joint Committee on Human Rights on the “Right to Privacy and the Digital Revolution” highlights that companies have found loopholes in the GDPR to maximise data collection and big data analysis, which in turn undermines digital privacy rights.

Introduction

“The GDPR should offer a substantial level of protection for people’s personal data, but this does not seem to have materialised in practice. The Government should review whether there are adequate measures in place to enforce the GDPR and DPA in relation to how internet companies are using personal data, including consideration of whether the ICO has the resources necessary to act as an effective regulator”.

The internet is built on what are seemingly free services. However, the business models of companies providing these services monetise personal data by selling it to third-party advertisers. These companies provide a service to their customers but are simultaneously ‘data brokers’ for other companies. The Joint Committee on Human Rights has highlighted that this model does not uphold an individual’s Article 8 right to privacy, nor does it adhere to the spirit and intention of the GDPR for two main reasons:

1. The Way Consent is Provided is Trivial
2. Legitimate Interests is exploitable.

“Our view, based on the evidence we heard, is that the consent model is broken. It puts too much onus on the individual to educate themselves on how the technology companies work rather than setting a high standard of protection by default.”

The Way Consent is Provided is Trivial

In order to process personal data, companies need to disclose a legal basis for processing the data. Most companies use ‘consent’ as a legal basis for processing personal data, however an issue which arises is that individuals are highly unlikely to read or understand the terms and conditions which they technically consent to.

Individuals generally have to navigate through ‘clickwraps’ or ‘browsewraps’ to access a service. If they do not accept the terms, and agree to legal jargon, then they cannot use the service. What this results in is that children and vulnerable adults in particular are likely to find it particularly difficult to give meaningful consent. This is further illustrated by a research project conducted by Doteveryone which highlighted that 47% of people felt they had no choice but to sign up to terms and conditions, even if they have concerns about them.

According to the Doteveryone research, 62% of the people are unaware that social media companies make money by selling data to third parties and 45% are unaware that information they enter on websites and social media can help target advertisements.

This design by companies, is purposeful however. Companies want to collect as much data as they can about an individual, and if they collected zero data by default, then their business model would likely fall apart. It is however, possible to empower individual rights without damaging companies’ business models.

‘Legitimate interests’ is Exploitable

Companies do not have to obtain consent to process personal data, they can rely on the processing ground of legitimate interests.

There is not sufficient clarity on how an organisation determines what is in its legitimate interest and how it overrides the individual’s rights. This leads to companies using legitimate interests for very vague reasons such as ‘to provide the individual a more personalised service’. Essentially, this acts as a loophole in the GDPR which allows companies to process data and sell data behind an individual’s back.

Self-Sovereign Identity — An Architectural Solution

Personal data is currently stored with companies, and as a result, companies are data controllers for this personal data about their customers. Self-Sovereign Identity (SSI) changes this. SSI puts data into the hands of individuals who can explicitly consent to where and when it is used via an affirmative and clear action.

Companies will still be able to monetise data and will have more up-to-date data from individuals. However, the transparency of where and what the data is being used for is vastly increased for the customer.

To learn more about the value SSI can bring for individuals and for businesses, please don’t hesitate to contact us here.

Originally published at https://www.idworks.io.

Australia’s Digital Platform Inquiry encourages a movement away from the loopholes in the GDPR and towards a more consent-centric data protection framework. Alex Tweeddale, Regulatory and Compliance Associate at IDWorks suggests that Self-Sovereign Identity is the perfect technology to facilitate this evolution.

On 26th July 2019, the Australian Competition and Consumer Commission (ACCC) published a 623-page report relating to the ongoing problems with data protection and data processing by Google and Facebook. It highlights that “Innovation and rapid technological change has transformed the ability and incentive of entities to collect, use and disclose the personal information of Australian consumers in the digital economy.” Specifically, it suggests that companies have now evolved to process data in a way in which the GDPR does not provide sufficient protection.

The main takeaways from the report can be summarised in five points:

1. Consent should be required whenever personal information is collected, used or disclosed by an entity subject to the Privacy Act unless the personal information is necessary for the performance of a contract to which the consumer is a party, is required under law, or is otherwise necessary for an overriding public interest reason.
2. Companies can no longer rely on ‘legitimate interests’ as a ground to process personal data.
3. Click-wrap consent is not enough to ensure adequate protection
4. Higher penalties must be implemented for breach of the Privacy Act: which increase the penalties for an interference with privacy under the Privacy Act to mirror the increased penalties for breaches of the Australian Consumer Law
5. The ACCC recommends that this be achieved via an enforceable Privacy Code of Practice to be developed by the OAIC to apply to digital platforms

“All consumers will be better off when they are sufficiently informed and have sufficient control over their user data, so that they can make informed choices that align with their privacy and data collection preferences.”

What this means?

Companies like Google and Facebook, as well as Australian banks and internal companies will need to gain consent through alternative methods to process personal data. Currently, these companies rely heavily on the uncertain processing ground which is ‘legitimate interests’. This ground has been described by S.S. Rana & Co as a ‘loophole in the GDPR’ and a barrier to its proper implementation.

Furthermore, the ways that companies do gain consent currently, such as click-wraps have been written to leverage platforms’ bargaining power and deepen information asymmetries. This prevents consumers from providing meaningful consents. If the ground of legitimate interests was removed, and click-wraps were formally legislated as insufficient, society may see companies forced to use more transparent consent mechanisms or face significant fines.

Self-Sovereign Identity as a Solution

Given that society is moving towards consent as a necessary basis for processing, and click-wraps are being held as insufficient, there is a gap in the market for a technology which enables freely given consent to be built into the architecture of the technology.

“changes to laws which give consumers greater control over their personal information […] are needed”

Self-Sovereign Identity (SSI) is a technology which puts the ability to process personal data, into the hands of the end-user. The personal data is, by default, stored and controlled by the individual, on their mobile device. Therefore, if a company wants to use someone’s personal data and store it, there must be explicit and freely given consent from the device of the user. The individual also has the ability to revoke personal information it shares with companies at the touch of a button.

It is therefore contended that this movement to an extended and defined version of the GDPR could open the door to technologies such as SSI. The Digital Platforms Inquiry will not be the last of its kind, and as such, companies should begin looking beyond the GDPR to have real privacy by design, built into data management architecture, such as the consent-approach used in the SSI model.

Originally published at https://www.idworks.io.