YAMDB — Yet Another Massive Data Breach
By now we’ve all heard of the Equifax (site unreachable at the time of writing) data breach and are probably scanning headlines to figure the ramifications to yourself. Equifax, one of the three major U.S. credit reporting agencies (CRAs), handles the personal data of 820 million consumers and more than 91 million businesses worldwide.
In light of the breach, maybe now is the time to ask ourselves is letting a for-profit corporation charged with collecting and monetizing personal and financial data acceptable? If not, what alternatives exist?
The problem
There are two parts to the problem of Equifax and other for-profit companies holding our digital assets:
1. Centralized nature of the data
2. Corporate growth is a requirement
Centralized entities are targets
One of the greatest benefits of centralization is “economies of scale,” the concept of doing things in bulk nets the lowest cost, highest yield and best returns — think Amazon or Wal-Mart purchasing in bulk. But in the digital world, when a centralized for-profit company is entrusted with the digital identities of millions of citizens, centralization can create a huge target.
The downside of centralized data collection is that trusted 3rd party data collectors can have security holes that are only as strong as their weakest link. These centralized databases can be hacked, abused or manipulated. As the value of the organisation’s data grows, so does it’s value as a target of attack.
Corporations must profit
Author Douglas Rushkoff explains the single purpose goal of a corporation in today’s environment like this:
Companies … in particular are duty bound to grow by any means necessary. There’s no such thing as “big enough.” Like a shark that must move in order to breathe, corporations must grow in order to survive. This requirement is in their very DNA or, better, the code we programmed into them when we invented them.
Companies seem to have decided that the cost of insecurity is low enough that they can choose profits over properly done security.
Equifax, like the two other CRAs, Experian and Transunion, is a corporation. Each CRA has expanded their business well beyond FICO scores of American citizens. Here’s a sampling of the business offerings from Transunion from their webpage:
Security godfather Bruce Schneier in his post for CNN says:
This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights.
Given this corporate scope creep, we can expect databases of CRAs to fill with knowledge of individuals private data for the foreseeable future.
This classic Onion article below, lampoons the very idea that a company could reach their financial targets and be satisfied.
What’s the Alternative?
The blockchain revolution is ushering in a new paradigms in smart contracts, distributed ledgers, and also governance. Behind the running of valuable blockchain networks like Ethereum are nonprofit foundations — charged with management of the network. Their foundations do not receive payment from profits, rather sees its working capital grow as a result of the growth in value of the underlying network. The Ethereum foundation is incentivized to see network growth which comes from the value that network provides. As the foundation has already be funded, there is no need to find new ways to extract profits from the consumer. Decisions can favor network growth and stability over profit extraction.
Alternatives to Credit Reporting agencies
CRAs hold your credit card payment history and other credit related information and are used by companies for checking the creditworthiness of a loan applicant, job applicant or patient.
But what if we could individually provide credit information to a bank, employer or hospital ourselves? This is a concept known as Self Sovereign Identity or SSID — the idea you manage your own identity. In this credit reporting scenario, imagine a system where your credit history is securely transferred to your own secure software and the veracity of that data can not be tampered with or questioned.
Such a system for immutable transfer of value exists, is in widespread use and it’s called Bitcoin. A Bitcoin transaction is indisputable — using consensus among multiple distributed nodes, all agree on the source, the payload and the destination — and irrevocably write that data to a public ledger.
This same method of value transfer can be employed to transmit the same financial data that CRAs receive today.
How a new system could work
Imagine each month your credit card and bank statement was transferred securely and safely to your private wallet. Over months and years, you’d develop a history of payments and charges sent directly to your wallet from your financial institutions. Each entry into your ledger would have a verifiable origin. The the sum total of these statements would represent your credit history and could easily be parsed and analyzed to show you a dashboard view of your key metrics like, average time to pay, average payment amount, and other metrics. You now have enough data to generate a local FICO score.
Now it’s time to buy a car, let’s put your credit worthiness to the test. You’re about to head off to the car dealership, when you realize it’s 2017 and you can order your Tesla online. So you start picking our your Tesla and when it comes time to pay — you realize you’ll be making payments. As you are a completely unknown entity to Tesla, in today’s system, Tesla would need to query a 3rd party credit agency to determine your creditworthiness and if they wish to extend you credit.
With a SSID, this time the process is different. It’s at this point the lender would request to see your verified credit history, identity and other relevant information held in your wallet. Now, it’s your choice to approve their request for personal financial data. The lender will have no problem trusting the data stored in your wallet — as they can see the parties who have cryptographically signed off on it.
By storing and presenting trusted data yourself, you have effectively replaced the role of a CSR. A trusted 3rd party is no longer needed because trust is built into the data.
No longer do companies need to go behind your back to a CSR to determine if they wish to do business with you. SSID gives more control to each company to decide on their own personalized credit risks. Companies can provide more flexibility, more options and form better relationships with their consumers.
How would this be implemented?
Implementation of a system like this could be quite simple (since our data is already being shared) and we are already seeing third party data sharing with companies like Mint.com. Some banks have already provided read only access tokens for their financial data, and SSID could tap into this data source the same way that Mint does.
Getting to a world where we handle our own credit identities may take some time but the good news is it can happen alongside existing credit reporting solutions. Changes to consumer credit reporting laws and regulations could mean that personal wallets are allowed to receive the same data as credit reporting agencies.
Undoubtedly there will be many attempts at SSID, but the underlying data the software protects and organizes will remain the same. The wallet software you choose may change, but your financial data stays the same.
In a digital world collected data represents you, controlling when, where, and how it is shared should be your right.
Selfkey Foundation is currently developing a blockchain based SSID platform which intends to solve some of the problems inherent in not controlling your own identity. We hope others would join the initiative launching soon.
