Phoning Home: Navigating Risk and Individual Privacy

June 30, 2025

A brief introduction

In a cloistered section of the internet where Decentralized Identity is discussed, we’ve all been buzzing over the statement posted on nophonehome.com, a statement signed by organizations like the ACLU, Brave Software and the Center for Democracy and Technology. It’s not a very long statement. We suggest the reader take a look (nophonehome.com) before progressing with this blog.

Firstly,

This is a statement that had to be made, a truth that had to be acknowledged. Moving forward with large-scale public deployments of Decentralized Identity technologies like Mobile Driver's Licenses has the potential to impact individuals' privacy.

Secondly,

This statement (nophonehome.com) is meant as a call to action. It’s meant to make the reader aware and concerned about these issues. It is not meant to provide a highly detailed, in-depth critique of the technology and its potential uses.

There are valid use cases for phoning home

At Credivera, we deal with highly regulated workforces. There is often a regulatory component to these professions and industries that makes the ability to phone home with certain credentials and documents a feature. Often it is considered a necessity.  

Once again, certain credentials and documents, not all credentials and documents.  

The complex burden on credential networks, issuers and verifiers

Issuers, verifiers and credential networks providing functionality must work together to preserve individual privacy while meeting their regulatory obligations.  

Regulatory obligations vary by jurisdiction and information type. A single worker's identity may be subject to several regulatory frameworks imposed by governments, associations, and industry.

For example, a person employed as an accountant or investment advisor could create data related to their employee identity that is subject to the following regulatory frameworks on a daily basis:

  • PII (Personal Identifying Information) legislation  
  • CPA (Chartered Professional Accountant-CAN/Certified Public Accountant-US) Association Rules, FINRA (Financial Industry Regulatory Authority)  
  • SOX (Sarbanes Oxley)/Bill-198 (C-SOX) legislation
  • PCI DSS (Payment Card Industry Data Security Standard)

Some of these will have a valid use case for phoning home; others won’t. It’s important that the issuers, verifiers, and the overall network work together to find the best ways to meet obligations without exposing individuals unnecessarily.  

Industry tends to adapt to this very quickly, but I have no doubt that Federal, Provincial and State legislation will have to change to adapt, as many of these regulations create conflicts when they are stacked like this.

Meanwhile, technology marches forward.

How is Credivera dealing with this?  

Credivera, being the network facilitating decentralized verifiable credentials for highly regulated industries, is right in the middle of navigating these regulatory burdens.  

We’re extremely careful with data, and we work with our issuers and verifiers to make sure they are too.

Regarding phoning home

From within Credivera’s network, the biggest potential vector for using phone home to track credential usage is the status list.

  • By default, Credivera status lists are anonymized: credential status is not stored in a list associated with any one issuer. This essentially makes the status list a third party and makes credential tracking very difficult. The status list is public information, but that information does not reflect the activity of any single issuer.
  • If an issuer requires phone home capability and wants to maintain a separate status list, Credivera does offer that, and we will work with the issuer to ensure that this will not cause unintended conflicts when the credentials are put into use.
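
The difference between the two options above can be made concrete with a small model. This is an added example, not Credivera's code: it assumes a bitstring-style status list (one bit per credential, gzip-compressed and base64url-encoded), and the issuer names, URLs and indexes are constructed for illustration.

```python
import base64
import gzip

LIST_BITS = 1024  # constructed size; production lists are much larger


def encode_list(revoked, size=LIST_BITS):
    """Pack one status bit per credential (MSB first), then gzip + base64url."""
    bits = bytearray(size // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)
    return base64.urlsafe_b64encode(gzip.compress(bytes(bits))).decode()


def is_revoked(encoded, index):
    """Verifier-side check, done locally after downloading the whole list."""
    bits = gzip.decompress(base64.urlsafe_b64decode(encoded))
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


def issuers_consistent_with_fetch(credentials, presented_id):
    """What the list host can infer from one fetch: it sees the list URL,
    not the index, so every issuer writing to that URL is a candidate."""
    url = next(c["list_url"] for c in credentials if c["id"] == presented_id)
    return sorted({c["issuer"] for c in credentials if c["list_url"] == url})


def build(shared):
    """Constructed sample: three hypothetical issuers, two credentials each."""
    creds = []
    for n, issuer in enumerate(["issuer-a", "issuer-b", "issuer-c"]):
        url = ("https://status.example.test/shared" if shared
               else f"https://status.example.test/{issuer}")
        for k in range(2):
            creds.append({"id": f"{issuer}-cred{k}", "issuer": issuer,
                          "list_url": url, "index": n * 2 + k})
    return creds


if __name__ == "__main__":
    encoded = encode_list({3})  # issuer-b's second credential is revoked
    print("index 3 revoked:", is_revoked(encoded, 3))
    for shared in (False, True):
        print("shared" if shared else "per-issuer",
              issuers_consistent_with_fetch(build(shared), "issuer-b-cred1"))
```

In both layouts the host still sees when a fetch happened and from which network address; the shared list only removes the link between that fetch and a single issuer.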

It’s very important to us that the solution fits the use case.

No single perfect solution for all scenarios

The truth of any technical or process-based solution is that it often addresses the issues at hand while creating new issues. What we must do within our businesses, institutions and society is weigh the costs and the benefits associated with those solutions.

We must admit that one solution does not apply to all use cases. That is where calls to action such as this can go beyond creating valid concern and push into fear, creating a low-resolution picture of a complex issue.

Decentralized is a major improvement

In a world where impersonation and data manipulation are becoming increasingly common, decentralized technologies like Verifiable Credentials (VC) and Decentralized Identifiers (DIDs) are going to play a major part in the solutions.

  • They help resolve today’s honey pot issues. Traditional identity provider (IDP) solutions are treasure troves of user information; in a decentralized world, this isn’t an issue.
  • Some of the biggest IDPs in the world, social media companies, are tracking you through the data you share with them. VCs and DIDs let you control what you are sharing and when.
  • Lost credentials can be quickly revoked and reissued.
  • People and organizations can know that whoever they’re dealing with is operating in good faith and not presenting false qualifications or credentials that are not in good standing.
  • DIDs and VCs make processes like Identity Governance easier and more reliable.
  • Through the process of verification, you can determine data's point of origin and that it has not been altered since issuance.  

This is all still far from perfect, but please weigh the positive against the negative. The (nophonehome.com) call to action is an essential part of raising awareness and avoiding mistakes. It’s not a condemnation of a technical shift towards a more secure world that is a long time coming.

Michael Burchill, Director Identity, Credivera

About the author: A well-intentioned curmudgeon with an extensive background in IAM spanning almost two decades. Michael is passionate about solutions that work and make the complexities of a connected world manageable and secure.