The problems surrounding online privacy and secure data sharing have only gotten worse. Scandals, breaches, and hacks are so common we almost shrug when a new one comes along. Nearly a quarter of the most sizeable data breaches occurred in the last five years, the largest of which affected 3 billion people.
Users feel powerless when it comes to these attacks, which possibly fuels the state of apathy. The Facebook-Cambridge Analytica scandal finally got people talking about online privacy. Issues surrounding data sharing, ownership, trust, and accountability spread from tech forums to chatter in cafes. Awareness is on the rise, but a lot needs to be done before online privacy is ready for the future.
A variety of factors contribute to the state of digital security, but the core of the problem sits in ownership and control of data. Centralized companies are routinely trusted to keep user information secure. Those same companies are increasingly the target of massive (and successful) attacks. It’s clear that this model isn’t viable for the future of a safe digital world.
Data will always be a valuable currency, one that companies will fight to control. Instead of gambling with which entity can be trusted, some solutions are placing identity ownership back into the hands of users.
The Power of Data
Information has always been a valuable asset. Early attempts at organized data collection focused on wartime intelligence. After all, the well-informed commander was a victorious commander. By the 2nd century CE, the value of monitoring citizens was becoming clear. Roman Emperor Hadrian even employed a secret service to collect information about rivals and citizens alike.
As cities grew more complex and human populations swelled, data became its own form of currency. Every advantage had to be seized in order to best the competition. One of the most actionable advantages was having a firm grasp of public opinion, as they increasingly held sway in major societal decisions. If you know what the people want, you can shape your strategies around their desires. And if you’re clever, you can even use your data to sway their opinions in your favor.
Technology has provided countless new tools for collecting data on increasingly larger scales. Stash a microphone in the lamp shade, stick a camera in the smoke detector — that’s all it takes.
If you have eyes on bigger prizes, mass surveillance can provide data for an entire population. It’s more than just demographics information, too; it’s details about lifestyles and opinions and personal habits, things Hadrian only wished he could get his hands on.
Privacy is almost an afterthought in the modern digital age. We routinely hand personal information over to businesses in exchange for their services. Names and e-mail addresses are shared with random websites, mobile apps, and news aggregators; social media sites get your location and family information; financial institutions that follow know your customer (KYC) regulations even get a copy of your passport and home address. The online world is fueled by the data of billions of people.
The act of sharing information isn’t necessarily a problem. Losing ownership of that data is where consequences get real. Putting your trust in another entity is increasingly a recipe for disaster. Technology is progressing faster than safety measures can account for, making every transaction a gamble with your own privacy.
Cambridge Analytica: Pursuing Private Data on a Massive Scale
Information has become so valuable that entire industries have emerged to profit from it. Firms like Cambridge Analytica exist to collect and study massive sets of data in search for exploitable patterns. The more information they obtain, the more accurate their predictions, helping them attract new and bigger clients.
Most of Cambridge Analytica’s work involves harvesting data about human activities, analyzing it, then providing insights into future behaviors through psychographic profiling.
One voter or one shopper may look like thousands of others on a demographics spreadsheet. Cambridge Analytica tightens the lens to see more than just age and gender, allowing segmenting methods that open the door to microtargeted advertisements.
Cambridge Analytica handles contracts in both the commercial and political sectors. Its headline clients are generally political campaigns, and they include Ted Cruz’s 2015 presidential campaign and the digital arm of Donald Trump’s 2016 presidential campaign. It has been reported that by early 2018, Cambridge Analytica had been involved with over 200 elections worldwide.
Cambridge Analytica and the affiliated SCL Group are known to use aggressive disinformation campaigns to achieve desired results. Some of these include stuffing ballot boxes in Nigeria, painting graffiti slogans in Trinidad to give a politician the illusion of sympathy, and provoking tensions between Latvians and ethnic Russians to help a political client.
Firms like Cambridge Analytica couldn’t exist without access to tremendous amounts of data. They need more than broad survey information to build psychographic profiles, too. They need up-to-date personal details, the kind of data that can be obtained on a massive scale by leveraging social media.
The Facebook-Cambridge Analytica Data Scandal
Suspicion over how Cambridge Analytica obtained its information started to coalesce in 2015. A Channel 4 News investigation launched two years later brought some of this to light. An undercover reporter produced video footage of then-CEO Alexander Nix discussing the use of bribery, coercion, and entrapment to win elections, a breach of both the UK Bribery Act and the US Foreign Corrupt Practices Act.
Soon after the Channel 4 News investigation, The New York Times and The Guardian released reports obtained from a whistleblower stating that Cambridge Analytica had “exploited the Facebook data of millions.” It wasn’t a one-time event, either. The firm had allegedly been covertly collecting social media data since 2014.
The Facebook-Cambridge Analytica data breach affected at least 87 million people worldwide. The information harvested included public profiles, page likes, birth dates, and cities of residence. In some instances, the firm even gathered information from news feeds, timelines, and user messages.
Most of this data was collected through an app that paid users to take personality tests, reportedly for academic purposes. Users gave consent to share this information, linking the app to their Facebook profile in the process.
Testimony from a former Cambridge Analytica employee shows the firm has no reservations about deploying subversive methods to gather data for its profiling models. Surveys are also commonly used, including a “sex compass” quiz that went viral on Facebook.
Reports vary on whether or not Facebook was aware that the methods used by Cambridge Analytica were potentially in violation of the site’s guidelines. Regardless, many users feel Facebook had an obligation to protect their data.
Users were powerless in the scandal, and unaware that profile information and quiz results were being collected by a worldwide data mining company. Their trust was violated, and despite the severity of the breach, both Facebook and Cambridge Analytica could be absolved of all accountability.
A Flawed System
There have been more than 20 high-profile data breaches since 2011. This includes the 2017 Equifax hack that resulted in 147.9 million stolen records. Yahoo! itself has been hacked twice since 2016, with one breach affecting 500 million users, and the second an incredible 3 billion.
The main issue with breaches and the Facebook-Cambridge Analytica scandal isn’t necessarily what data was stolen; it’s that the underlying structure is flawed. Centralized companies have little incentive to guard private user data. In fact, it’s often more profitable for them to share or sell it.
This puts users in an unfavorable position. Giving private data over to institutions is often a requirement to access their services. Signing up for a cryptocurrency exchange, for example, involves sharing your address, phone number, and passport or driver’s license scan. Failing to do this means access to the service is impossible, yet proceeding with it means handing over your information to an entity you probably can’t trust in the long term.
Rebuilding Online Privacy
Technology is always a step ahead of regulations. No matter how quickly the legal system attempts to react, a new project or service will spring up to change the way the game is played. Few privacy laws exist to protect consumer data from cyber attacks, a situation that isn’t going to resolve on its own.
The increasing number and severity of data breaches illustrates that centralized storage is too tempting of a target. The Facebook-Cambridge Analytica scandal shows that companies are both unwilling and unmotivated to safeguard the data they collect.
To begin restoring online data privacy, users need to take control of their data. Giving personal details to centralized services means accepting the risks involved in the process. Sharing personal details on social media carries the very same set of risks.
Overall, the less you share, the safer you’ll be, which many see as the only way out of a no-win situation.
One of the problems with holding onto personal data with white-knuckled vigor is that sharing information is still a necessity, and it likely always will be. It’s a smart and safe practice for financial institutions like banks, credit card companies, and cryptocurrency exchanges to verify the identity of their users. However, this process doesn’t have to shift control of that data.
Any solution to the problems of online privacy needs to address both the issues of centralization and data ownership. Users must remain in control of their documents at all times, but doing so shouldn’t prevent them from accessing online services.
SelfKey’s Decentralized Solution
SelfKey has a potential solution to modern privacy issues — one that addresses ownership, usability, security, and trust, all in one swift motion.
SelfKey works using a distributed self-sovereign identity system (SSID) that runs on the blockchain. SSID allows individuals and businesses retain control of their information even while signing documents or sharing details with online services.
When logging in to SelfKey, users are able to authenticate their identity in the Facebook-style way they’re familiar with. The difference is that a SelfKey user will always retain control of their data as the user is the only one who knows their private key. Moreover, unlike Facebook, SelfKey does not track user data, and it never knows or has access to user activity and information.
Imagine wanting to sign up for a bank account but being wary of handing over personal details. SelfKey gives each user a personal identity wallet that stores sensitive information like phone numbers, addresses, and passport data. This wallet is secured with private and public keys generated by the user, and it never leaves their device.
When signing up through a service partnered with SelfKey, users can request ID verification through the network. Notarization takes place using the wallet’s public key, and when it’s complete, the ID owner then shares confirmation.
The end-service uses the verified ID to onboard the new customer, storing only the public keys to access the user’s wallet, which remains safely in his or her control.
The entire SelfKey system is trustless. Apart from the ID owner, no single entity ever gains control of private documents. The SelfKey Foundation itself can’t even access the information. All of this takes place on a decentralized system that’s resistant to attacks common to centralized services.
The Advantages of SSID
SelfKey’s self-sovereign identity system solves a lot of problems inherent in online privacy. The structure of the service also eliminates common pinch points associated with standard data transactions, as we discuss below.
One drawback to data sharing is the inability to choose which information is delivered to a company. If you share a photo of your driver’s license, you have to send the entire thing, not just the relevant information. The end-service gains access to everything from your height and weight to eye color, when all they really needed was your photo paired with an ID number.
Sharing minimum info is built into SelfKey’s SSID system. If a service only requires an ID number to activate your account, that’s all it will receive. Even then, users remain in full control over access to that ID number.
Centralized services store vast amounts of data and constantly struggle to keep that information safe. Blockchain projects like SelfKey avoid this by using multiple small storage nodes on a decentralized network, hardening security and reducing the potential reward for a successful breach. Fraud or massive data loss are far less likely in a distributed system such as SelfKey.
SelfKey doesn’t just fix existing problems, it also provides new services. The KYC process for joining financial service is commonly met with sighs of exasperation from users. It’s frustrating giving out the right private details, and the process can take days or weeks to complete.
SelfKey’s identity system streamlines KYC validation. When a service joins the SelfKey Marketplace, users can create accounts with them and verify identity information quickly and painlessly. The companies involved can even save on KYC costs associated with validation, as SelfKey transactions are inexpensive and handled through KEY token micropayments.
SelfKey and the Future of Online Privacy
At the time of writing, the dust is still settling from the Facebook-Cambridge Analytica scandal. Inquiries were made and apologies were issued, but firm action has not been taken to punish the involved parties or to prevent future breaches.
To the affected users and the public in general, the entire discussion seems ludicrous. Data was trusted with a company, that trust was violated, and millions of people were harmed as a result.
SelfKey’s solution to these trust problems is simple: let individuals control their identity, not centralized companies. SelfKey overcomes the limits of centralized identity systems, complies with privacy laws and KYC regulations, and leaves ownership of personal data with the user.
Data will never stop being a valuable commodity. Sharing it can be beneficial to us and to society as a whole, but only if it isn’t at the expense of the individuals involved.