The Last Week Tonight host discussed the ‘sprawling, unregulated ecosystem’ that allows for companies to use personal data to target consumers
The Last Week Tonight host discussed the “unsettling moments” that often happen throughout the day online, as we discover that companies are “monitoring our activities a little bit closer than we would like”.
He called attention to data brokers, who are part of a multibillion-dollar industry that encompasses “everyone from credit reporting companies to these weird people-finding websites whenever you Google the name of your friend’s sketchy new boyfriend”.
They “collect your personal information and then resell or share it with others” and have once been referred to as the “middlemen of surveillance capitalism”. It’s a sprawling, unregulated ecosystem”, and looking into what they do and how they do it can get “very creepy, very fast”.
“They know significantly more about you than you might think, and do significantly more with it than you might like,” Oliver said.
The main tools are cookies, which enable websites to remember you and have evolved to include third-party cookies, which track where else you are going on the internet. “I don’t know about you but I don’t want a whole crowd of strangers watching what I search for on the internet,” he said. “Not because it’s gross, but because it’s private.”
The process takes breadcrumbs of where we have gone and what we have done online, and packages it to share with marketing firms. Users are then sorted into groups, such as couples with clout, ambitious singles, boomers and boomerangs and kids and cabernet.
The dark side of this includes more narrowly targeted lists, which separate us by certain ailments or sexual preferences. Investigations have found that people are defined by their depression, diabetes, cancer and pregnancy. It’s a “system that seems ripe for abuse” as “what they can buy is pretty troubling”.
While marketing firms have claimed the data is anonymous, the process of “de-anonymising” is fairly easy as Oliver details as people can be discovered by a quick data investigation. “None of us are really anonymous online,” he said.
He called it all “objectively unsettling” and used an example of a priest who was forced to resign after a Catholic newsletter used app data signals from Grindr and matched his phone to his residence, outing him.
It’s a “massive, harmful invasion of privacy” and also incredibly dangerous. He used the example of a domestic violence victim whose address came up on a data broker website. Oliver also shared a horrifying story of a stalker who killed a former classmate after finding her with info he brought for $45.
Requesting removal of information is a “complex process” and there is no federal law requiring that the companies honour an opt-out request.
It also suits the government as both FBI and Ice have bought data to aid criminal investigations and deportations.
“The entire economy of the internet is basically built on this practice,” he said. “All the free stuff that you take for granted online is only free because you are the product.”
He said there needs to be a comprehensive federal privacy law but many politicians build their campaigns on use of personal data.
He used the example of the Video Privacy Protection Act of 1988, which was passed when Congress freaked out when they realised their video rental histories could be shared. “It seems when Congress’s own privacy is at risk they somehow find a way to act,” he said.
To show this, Oliver’s team used “perfectly legal bits of fuckery” to target members of Congress. They bought ads and showed them to men over 45 in DC who had searched for divorce, massage, hair loss and mid-life crisis, creating a group called Congress and cabernet.
“This whole exercise was fucking creepy,” he said with ads that pushed divorce help, Ted Cruz erotic fiction and voting twice. He said it might worry members of Congress that he now has the information of who clicked on what. “You might want to channel that worry into making sure that I can’t do anything with it,” he said.
Distributed digital identity, decentralized identity, blockchain, and distributed ledgers: what do they mean and how can they help keep my company secure?
What is a digital identity? A digital identity is information that combines all your personal online activities and data. Examples of what would make up your digital identity include usernames, passwords, online searches, date of birth, and social security number.
What Is the History of Digital Identity?
Digital identity is a critical and ever-present part of our lives. Identities play a role in almost every aspect of our lives, from business to commerce to entertainment. Additionally, many jurisdictions are turning to digital identity as civic documentation to cover identification purposes outside of the private sphere.
The history of digital identity has followed security, privacy, and usability questions, with different technologies attempting to address various aspects of these categories. One of the central challenges to digital identity has been centralization.
Centralization brings a host of problems to administrators, enterprises, and users alike:
Central Points of Failure: Centralized identity relies on central control over the implementation of that identity, which often means on-premise databases of login credentials (typically usernames and passwords or PINs). If that database is hacked, then those credentials are compromised and all user information has most likely been exposed.
Usability and Security Practices: Centralized identity schemes force organizations to either adopt outside identity management systems or implement their own—a reality that has led to a fragmentation of identity management. Users have to remember individual credentials for multiple systems, leading to poor security (from simple or reused passwords) and identity theft.
Lack of Ownership: The question of digital identity ownership is a lively one, with different regulations and business practices vying for control of private information. Centralized identity management requires that organizations mediate control between digital identities and users rather than placing ownership in the users’ hands.
Modern identity and access management have worked toward addressing some of these issues, primarily to support a connected, cloud-based, and secure digital world.
One of the emerging technologies to address these issues is single sign-on. The goal of SSO (also known as federated identity) is to facilitate authentication across multiple systems using a centralized repository of identities and policies.
Generally speaking, there are a few protocols through which SSO works:
Security Assertion Markup Language
SAML is an open markup language used by identity providers to format and transmit authorization credentials to other platforms or service providers. The idea is that a centralized SSO provider manages identities through a server and formats SAML authentication through an XML-based token system that connects identity providers and service providers (the organization handling your identities and the company with which you want to authenticate).
Open Authorization
As the name suggests, OAuth is more an authorization approach than an authentication method, but it can be used as part of an SSO scheme. Unlike SAML, where federation happens from a centralized identity provider across multiple service providers, it’s more often the case with OAuth that a user in an authorized session with one provider can access another provider from that session.
Of course, it bears stating that SSO is a smaller part of the larger discipline of IAM explicitly focused on how to provide federated identity and authentication without compromising security.
The problem with SSO and IAM, in general, is that they only address a small subset of issues with centralized SSO or OAuth. To start with, SSO systems still have security issues, and a compromised identity provider will still pose a risk to all users. Additionally, none of this addresses the issue of identity and data ownership.
To take steps in facing some of these lingering issues, developers and scientists are working toward developing distributed identities.
What Is Distributed Identity?
Distributed identity, also called decentralized identity, is the practice of truly removing the centralized nature of identity management from the equation.
Instead of creating localized or platform-specific usernames that rely on a single organization or consortium of participating organizations to manage, decentralization uses technology to place ownership of identity data into the hands of the users that information is supposed to represent.
How is this possible? The truth is that there isn’t a clear-cut answer yet but rather a collection of technologies that are stepping up to introduce decentralization into IAM as a whole:
Blockchain: Originally introduced in cryptocurrencies, like Bitcoin, as part of the nascent “Web 3.0,” the blockchain has been isolated as a uniquely powerful technology that provides an immutable, decentralized ledger of ownership. Under a blockchain, users have programs called wallets that store information and denote ownership, and this ownership is not dependent on a central organization to manage.
Decentralized Identifiers: Created by the World Wide Web Consortium, DID is a scheme of identity decentralization outside of blockchains proposed as a general protocol for managing identity. With DIDs, users can control their data, be protected by cryptography, and authenticate with participating organizations.
The blockchain, in particular, is part of what is currently being dubbed Web 3.0, emphasizing decentralization of control over information. It works by creating a ledger that the users of that network control through their participation, protected with cryptography.
Why Is Distributed Digital Identity So Important?
Right now, data ownership and protection are critical questions for large enterprises, governments, and end users alike. The General Data Protection Regulation is one of the most stringent privacy and security jurisdictions globally, due in no small part to its driving mission to place control of private data into the hands of consumers.
But giving users control over their digital identity and their personal data is no small task. Data is often seen as ephemeral, and users in many places (including the United States) have willingly given up control over their information to large corporations.
A distributed identity system could allow users to take control of their digital identities. Several governments have already begun to develop distributed forms of digital identities to support their citizens.
The European Union, for example, has started creating a self-sovereign identity framework built on DID and blockchain to modernize government ID for citizens. Countries like Germany, Uruguay, and Finland have started issuing electronic IDs and bank-issued eIDs to serve as national identification.
On a smaller scale, distributed identity can still benefit enterprises internally. By leveraging distributed identity systems, enterprises can connect user IDs with several different service platforms and authorization policies without reinventing or replacing existing identity systems. Additionally, enterprises can then adopt their schemes or extend existing ones offered through government agencies.
Strong Authentication and Distributed Identity with 1Kosmos
Distributed identity isn’t just a powerful new technology or the future of identification—it is a business imperative that will eventually shape how enterprise organizations integrate and adopt different types of managed services, cloud applications, and internal security measures. By working with user-owned, self-sovereign ID, businesses can mitigate some of the most significant weaknesses of centralized identity (security and usability) while expanding their ability to adapt and scale with new technologies.
BlockID from 1Kosmos provides secure authentication and promotes identity ownership through a few critical features:
Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification. Our ledger is immutable, secure, and private, so there are no databases to breach or honeypots for hackers to target.
Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
Streamlined User Experience: The distributed ledger makes it easier for users to onboard digital IDs. It’s as simple as installing the app, providing biometric information and any required identity proofing documents and entering any information required under ID creation. The blockchain allows these users more control over their digital identity while making authentication much easier.
Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
Interoperability: BlockID and its distributed ledger readily integrate with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
To discover the self-sovereign identity and BlockID, read more about 1Kosmos as a Distributed Digital Identity Solution. Also, make sure to sign up for the 1Kosmos newsletter to receive updates on 1Kosmos products and services.