We all want to protect children online and there is no doubt that the lack of digital identity infrastructure is a fundamental problem for a society struggling to deal with social media. There are a variety of different approaches to solving this problem. One of them, adopted by the state of Utah, is to make accessing social media difficult for children by requiring parental permission for access. This will likely mean the submission of biographical information (for the children and their caregivers) to. I noted with interest that the iniative that the data collected for age verification and compliance must be kept by the platforms. That’s a red flag for me.
I’m in Australia this week, so let me use an Australian example to illustrate the problem. Round about this time last year there were really big data breaches down under: Optus and Medibank. Optus is a particularly interesting case study. At the time, the company reported that “no financial data was accessed”, only names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers.
(As I said at the time, rather sarcastically, thank goodness the fraudsters only have name, date of birth, phone numbers, email addresses, addresses and “ID document numbers” because I doubt they’ll be able to get up much mischief with those!)
The huge volume of data hacked from Optus was just a fraction of Australians’ personal information hacked last year. There were terabytes of this data up for sale on the dark web. One category of data that was being openly traded online was the login details of individual myGov accounts, sold for as little as a dollar. That is a particulatly worrying category, because myGov is the central hub used to access an array of public services including the Australiation Tax Office (ATO), Medicare and Services Australia, which are being sold for as little as $1 USD.
What would a criminal do with all of this personal information? Well, for one thing, they used it to gain unauthorised entry to the tax office by creating false myGov accounts and linking them to the tax files of genuine taxpayers. This circumvented tax office security checks and it has now been revealed (through a Freedom of Information Request) that more than half a billion Aussie dolllars has been fraudulently obtained to date.
(Next time someone asks me what the business case for digital identity is, I’ll scream.)
This what happens when regulators require organisations to store personal information. I can understand why a social media platform in Utah might need to know whether I am over 13 or not, but not why it needs to my birth certificate. I can understand why Medibank might need to know whether I am Australian or not, but not why it needs to know my passport number. I can understand why Optus might need to know whether I’m a real person or not, but not why it needs my driving licence. We need to shift from business relationships based on identification to business relationships based on authorisation, from storing data to storing proofs about data and from the use of trivially subverted knowledge-based authentication to strong authentication (ideally based on biometrics, in my view).
There is no digital identity infrastructure in America, and requiring children’s details to be uploaded won’t make any difference. If anything, it will teach children to upload their personal details as well as mom’s drivers licence to anyone who asks for it. I think we should skip this inappropriate and dangerous
Snippings 