Online Identity is broken

Mar 13, 2019, 5:23 PM

We sign up for all these products and services and they all require our most personal information. Name, Date of Birth, Address, Tax numbers, and so on.

Why do they need this? They need to identify us, they are building essentially a kind of shared secret (your information) that they can use to "identify" you are who you say you are.

In some instances, such as insurance companies need this information so that they can correctly identify which band or level of risk to put you in, in order to give you a premium that is more appropriate, which makes perfect sense.

However is it really necessary that the insurance company knows what day and month you were born. Do Sagittarius people really have more accidents? Of course not, all they really need to know is what year, or maybe just what age range you fall into. Same with address, does it really matter you live at number 12 Frankton road instead of number 22? Maybe post code is enough to quantify what level of risk of burglary your house falls into.

The issue is that this personal information then becomes all that is needed to make changes to my account with a phone call to which ever company is accepting it. The worst thing is when the companies phone you and then ask you to identify yourself! That is the quickest way to have your identity stolen.

Even phone numbers shouldn't be trusted any more as Sim card hijacking and SMS hacking are now trivial attacks to pull off, and have been used to steal vast sums of money.

Then finally the worst issue is that these companies store all this information in a big pile with other peoples data, known as a "honeypot"
 to hackers after Whinnie the Pooh's favourite condiment.

We need to stop handing our private information out

Who really really needs to know this information? probably only the state, when they print your passport (which again really doesn't need to have all your personal information plastered all over it). So if only the state has this information, how would you go about identifying yourself to other companies? Luckily this problem was solved in the mid 1970s with the invent of public key cryptography!

You exchange public encryption keys with the entity you wish to do business with and that's it, they know its you and you know its them, and you have the added bonus of being able to encrypt all of your messages such that no 3rd party is able to read them. This system is already in place and working well in your web browser whenever you visit a website that has HTTPS enabled.

Conclusion

There are obvious social and infrastructure problems with setting up this kind of identity system, but at the end of the day, if done right;

  • The state knows exactly who you are and has your personal details stored offline somewhere for emergencies.
  • No one else has any of your personal information to any degree of accuracy.
  • Your identity is then not sitting in large collections waiting to be stolen.
  • You are able to confirm a request or action on your behalf with the company by signing the message to them with your private key.

 So what does this look like in the real world? There are already projects working to provide open source means of identity and communication, one of the good ones is Keybase. They have mobile apps and desktop apps that allow for file sharing, messaging and more.