SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Okta: Reclaiming control over digital identity
Wed, 20th Feb 2019
FYI, this story is more than a year old

The data reckoning arrived last year when news of Facebook's major breach hit the headlines.

The repercussions went far beyond the social media giant, because social authentication is used with thousands of connected apps.

Diligent consumers rushed to reset their passwords, unlink services from Facebook, and even close their accounts.

But from the chaos, bigger questions emerge: What is a digital identity? Who is responsible for that information? And what rights do digital citizens have?

While they didn't necessarily set out to be the custodian of millions of individuals' personal data, it's become clear that social media companies, including Facebook, Google and LinkedIn, are in that position today.

When news of the Cambridge Analytica scandal broke, Facebook users the world over felt betrayed. Most people didn't know their personal data - information they thought was shared privately with friends and loved ones - was being given to third-party companies.

Through social authentication, Facebook's data breach could have far-reaching ramifications, as users' digital identities have potentially been compromised in the plethora of apps they permit Facebook to access.

This is not a unique issue to Facebook: similar concerns were raised by a bug in the Google+ network, though it's not confirmed that any personal information was actually exposed or used by attackers.

A continuous stream of headlines questioned what exactly had happened to Facebook's shared user data, yet there hasn't been a wider push to fully understand how much personal information is out there in the ether, and how it's all interconnected.

Users urgently need a better understanding of their digital identity, and greater control.

First, it's important to consider what defines personal information.

Most people fear exposing credit card numbers the most.

And while that's valuable, it's not personal.

A credit card number is an identifier that matches a consumer to their banking information.

Think of a postage tracking number: it's better to have control of it, but it's not that concerning if someone else has access to it.

Other identifying numbers, including credit card numbers, driver's licenses and tax file numbers, should be thought of in the same way.

As people have increasingly complex interactions online, sharing how they think and what they do on the internet, the world has entered a different era than the one in which passwords or PINs were the only keys needed to protect our information.

Software companies now gather information to understand what users like; they record biometric information like fingerprints or heart rates; they listen to voice commands and track typing patterns.

The wealth of information they hold goes far beyond credit card numbers and encompasses who users are as individuals.

In many cases, social media profiles – used to authenticate applications and services across personal and professional environments – now represent much of a person's digital identity.

It should be a priority to protect this information.

Next, it's important to understand what companies are allowed to do with user information, and why caution and consent are important.

With new data regulation laws in place, companies now need to know what data they are collecting (especially when third parties are collecting it for them) and are required to be clear about what personal information they will share as a part of the consent process.

Setting and publishing a robust data privacy policy, including consent and strict scopes for what personal information can be collected, what it can be used for, and how long it can be kept for, is essential to being a responsible company in the digital age.

The consent process recognises and gives equal value to the two parties in this social contract: the individual deciding who can access their information, and the company using that information for commercial ends.

It's worth noting that a business isn't allowed to exclude users from their services if they don't say yes to their terms; closing this ‘bully loophole' is another safeguard needed to ensure consumer protections are upheld.

Last, it's important to weigh up the benefits of using Facebook to access other services against the risks. The benefits of social authentication are clear: simple, secure verification for both the user and the app developer.

But social media companies have no commercial interest in protecting their consumers' identity. Whether personal data is being given away or data being stolen, neither is acceptable.

Businesses and individuals alike should consider the vast amount of personal information that is held by different services and be mindful of what organisations are given access to.

Use consent with caution and consider alternate identity authentication methods for the foundation of your connected digital ecosystem (full transparency: Okta's in the business of enterprise identity management).

There's too much at stake when it comes to digital identity: it has become a commercial currency. Rather than letting Facebook and others be the custodians of personal data, users need to take back control.

With the dangers of not protecting information continuing to grow exponentially, it's time to be serious about digital identity.