Jakub JirsÃ¡k - stock.adobe.com
“Most people are becoming uncomfortable with the data being collected about them by consumer and enterprise services, and we are reaching a tipping point,” says Joy Chik, corporate vice-president, identity division, at Microsoft.
“Just like in any relationship, if your rights are not respected, you disengage,” she told the European Identity & Cloud Conference 2019 in Munich, noting that studies show that 54% of adults have changed their privacy settings on Facebook in the past year.
The reality is that people want more control over their personal data, said Chik. “And that control begins with identity.”
Preparing for the EU’s General Data Protection Regulation (GDPR) was “great” for Microsoft, said Chik. “It showed us how much data we collected and what we have to do to take care of it. But it also helped me realise that identity is central to privacy.”
Microsoft believes that identity can provide the same control plane for privacy as it does for security, she said. “But while the best security is getting more sophisticated, when it comes to privacy, there is a huge imbalance of power and responsibility.”
From the individual’s perspective, organisations have too much control over personal data because an individual’s privacy is in the hands of organisations’ software and their end-user agreements, said Chik. But from an organisation’s perspective, they have too much liability and they are struggling to implement tools and processes to manage all the information they are collecting from customers.
“The resultant situation is one in which nobody is happy, but there are ways our industry can help to change this by helping individuals have more control, and at that same time helping organisations to reduce their liabilities,” she said. “There is a lot of opportunity because we are all looking for a way to balance the equation.”
Microsoft believes there are three important steps that will help to rebalance the equation, said Chik – first, enable individuals to bring their own identity; second, accept independently verified information from individuals; and third, recognise individuals as data controllers.
“Instead of issuing new identities to users, organisations can let users bring their own identity that belongs just to them and is strong and independent of any organisation,” she said.
This approach is like having an identity wallet, said Chik. “Instead of handing over the whole wallet, individuals show organisations only the information they need to in order to do business, and nothing else. Like many of you, we believe that a digital identity leveraging distributed ledger technology will be a key enabler.
“Shifting from a user identity that is owned and controlled entirely by organisations to a decentralised identity that is owned and controlled by an individual will benefit both sides of the equation.”
The second step is to accept information provided by the user that is verified by various authorities, she said. “In this way, organisations can limit their liability, while still having access to the same information in order to do business.”
Again turning to the wallet example, Chik said that by using verified credentials and claims, individuals can establish a mutual trust relationship with any organisation, but without that organisation making a copy of the information or having access to any other personal information that is not relevant.
“The information stays with the individual,” she said. “So by using verified information, organisations do not have to collect, store or protect personal data, but they still have access to the information they need.”
Read more about decentralised identity
- Enterprises need to step up protections around identity-related compromises and look to decentralised identity in the longer term to improve security, says computer scientist.
- User controlled identity is less risky than centralised identity and essential for the next evolution of the web, according to an entrepreneur and evangelist of self-sovereign identity and blockchain technologies.
Microsoft believes that in the digital world, individuals should be enabled to have control over their personal data by setting constraints, said Chik.
“Organisations should get only the information that is necessary to do business with individuals, and with decentralised identity, where information stays with the individual, that person can decide when to dial up or dial down how much access they allow to an organisation,” she added.
In this scenario, the individual has control, which changes the relationship between consumers and organisations that seek to use their data, she said. “The individual effectively becomes a data controller and has more control. At the same time, the individual can still collaborate with organisations, but with much higher confidence, and organisations can reduce liability and improve compliance.”
There is support in the technology industry for this shift towards a better balance between the organisation and the individual, said Chik.
“The Decentralised Identity Foundation [DIF] is working on an implementation of exactly this. And we, at Microsoft, are actively contributing open source code to DIF so that we can bring this technology through the developers to support this decentralised identity.”
Chik said Microsoft is working with the identity community to bring decentralised identity into the Microsoft platform so that businesses and individuals can benefit from the resultant mutual trust relationships.
“We are doing this to elevate privacy, and we are opening our platform to enable innovation, so that we can bring organisations and individuals together by enabling stronger security and privacy at the same time,” she said.
In closing, Chik said privacy is a human right. “And to protect that right, we must enable individuals to own and control their own digital identity,” she said. “Microsoft is committed to making this happen, and we hope others will join us.”