Identity and privacy are like Siamese twins—a beautiful and complicated symbiosis. They are almost the same, but with different souls and heads, and neither can thrive without the other. As a privacy professional, I am wary of the individual rights bandwagon that claims to give individuals control over their data, but which in fact can undermine digital identity and hence, our digital ecosystems. Digital identity is the gateway to effective management of finances, healthcare, education, social relationships, shopping, entertainment, and so much more. What do consumers really want? Do they want to live secret Luddite lives, or do they want lives enriched and enabled by secure and respected digital identities? Rather, robust and trustworthy digital identity, which is Socure’s vision, can genuinely empower people to control their lives and protect their personal information.
The ideal is to ensure that all the players in online commerce, services, and governance treat personal information with respect and security—that’s real data protection, real privacy—and it is certainly better than catchy entitlements like the right to be forgotten or right to delete. Privacy is the oxygen that allows digital identities to work and thrive in the ether. But I’m concerned that lawmakers are not getting this chemistry right and are doing more to suffocate than to support the development of robust digital identity.1 Look, it’s a positive that actions are being taken, but it’s misguided to place the burdens of compliance on individuals. Hundreds of millions of Americans conduct their lives online; trillions of online transactions are processed every day. What does it really matter if some well-resourced people manage their consumer profiles, one at a time, on a business by business basis? What about everyone else?
Finally, there is a dark side to these rights. As noted by Pavur and myself, introducing new mechanisms to provide consumers control over their data, if haphazardly done, will introduce new vectors of attack—and achieve the exact thing these rights were intended to prevent.
Trust must be systemically imbued into digital identity. Otherwise, consumers will neither exercise these new rights en masse, nor will they understand the consequences of their failure to do so. Removing personal information from certain aspects of the digital ecosystem could wreak havoc with a person’s ability to apply for a financial service or be verified for a peer-to-peer platform, or get access to many other online services now and in the future. For example, Socure supports most of the major banks and card issuers in the U.S. as an identity verification solution—not only do we provide dependable risk conclusions for those institutions, but we prevent bad actors from misusing the massive amounts of personal information that has been exposed through data breaches. This ultimately benefits makes consumers’ lives better. But if individuals start removing themselves from the records of companies that are important to the identity verification network, they will be shocked later on when they cannot get swiftly approved for products and services. And accordingly, there will be no one to blame but ourselves and our misguided attempts at making things better.
1 Referring to “data subject rights” or “consumer rights” such as in Europe’s General Data Protection Regulation (GDPR), California’s California Consumer Protection Act (CCPA), and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGDP).