Personal data insecurity
Customer attitudes and perceptions on data collection and security have a critical impact on the success of high value digital services.
Contrary to the sometimes self-serving assertion that “Americans do not care about privacy”, the Pew Research Center report on Americans’ Attitudes About Privacy, Security and Surveillance tells a very different story.
The report notes that while people feel that privacy is important in their daily lives “… they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used. […] Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.”
Only small minorities of respondents expressed any trust in the ability of the 11 entities surveyed to keep their records private and secure.
- 35% of adults say they are confident that credit card companies can keep their records private and secure.
- 31% of adults say they are confident that government agencies can keep their records private and secure.
- 31% of adults say they are confident that landline telephone companies can keep their records private and secure.
Online service providers are among the least trusted entities when it comes to keeping information private and secure.
- 69% of adults say they are not confident that records of their activity maintained by the social media sites they use will remain private and secure.
- 66% of adults say they are not confident that records of their activity maintained by search engine providers will remain private and secure.
The results of this survey once again bring up points that speak to the world as it exists, and not as many would like it to be:
- Context and expectations matter. “Social identity providers” are not the credential provider of choice for high value transactions.
- A public-sector-branded token manager (a.k.a. login provider) may very well have a place in this world, e.g. Canada and GCKey.
Additional Reading:
- Nothing to Hide: The False Tradeoff between Privacy and Security by Daniel J. Solove
Obvious Observations
Knowledge based verification has been the staple of remote identity proofing and password resets. And it continues to be in pervasive use even though folks acknowledge the decreasing effectiveness of the approach.
- The engineers at Google “… analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.”
- Account recovery is often the seedy underbelly of strong authentication, and a place where knowledge based verification is very pervasive. Should the authentication flow for account recovery be the main authentication flow?
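The Google measurement above boils down to a question a defender can ask of their own recovery flow: given how users actually answer a secret question, how often would a guesser who knows the popular answers succeed within the number of attempts the flow allows before locking? The following is an added example, not code from the original post or from Google; the answer sets are constructed toy data, and the function names and the lockout threshold are assumptions made for the illustration.

```python
import math
from collections import Counter

# Constructed toy answer sets (not real data, not Google's measurements).
# Each list stands for the answers a population of 100 users gave to one question.
SAMPLE_ANSWERS = {
    "favorite food": (["pizza"] * 20 + ["pasta"] * 10 + ["sushi"] * 8
                      + ["tacos"] * 7 + ["steak"] * 5
                      + [f"dish{i}" for i in range(50)]),   # 50 one-off answers
    "first phone number": [f"555-01{i:02d}" for i in range(100)],  # all distinct
}


def answer_distribution(answers):
    """Return (answer, probability) pairs, most common answer first."""
    counts = Counter(answers)
    n = len(answers)
    return [(a, c / n) for a, c in counts.most_common()]


def guess_success_rate(answers, attempts):
    """Probability that a guesser who tries the most popular answers in order
    hits a random user's answer within `attempts` tries, i.e. before the
    recovery flow locks the account."""
    dist = answer_distribution(answers)
    return sum(p for _, p in dist[:attempts])


def min_entropy_bits(answers):
    """Min-entropy of the answer set: -log2 of the most likely answer's
    probability. This is the figure that bounds a single-guess success rate."""
    p_max = answer_distribution(answers)[0][1]
    return -math.log2(p_max)


def flag_weak_questions(answer_sets, attempts_allowed, max_rate):
    """Return the questions whose guess-success rate, given the lockout
    threshold `attempts_allowed`, exceeds what the policy tolerates."""
    return {
        question: guess_success_rate(answers, attempts_allowed)
        for question, answers in answer_sets.items()
        if guess_success_rate(answers, attempts_allowed) > max_rate
    }


if __name__ == "__main__":
    # Assumed policy: 5 attempts before lockout, tolerate at most 10% success.
    for question, answers in SAMPLE_ANSWERS.items():
        print(f"{question}: {min_entropy_bits(answers):.2f} bits min-entropy, "
              f"{guess_success_rate(answers, 5):.0%} success within 5 guesses")
    print("weak questions:", flag_weak_questions(SAMPLE_ANSWERS, 5, 0.10))
```

The point the numbers make is the one the post makes: a question whose answers cluster (a favourite food) is recoverable for a large share of accounts with a handful of guesses no matter how strong the primary login is, while a question with effectively unique answers is not; the same metric applied to real answer data tells you which questions a recovery flow should stop relying on.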
cyberLinks: random and relevant
- BLT: A blockchain-based digital signature algorithm? Supposedly an alternative to the RSA signature algorithm that is immune to quantum computers and supports the scalability needs of the ‘internet of things’.
- The FIDO Alliance has launched a certification program for products and services.
- The Let’s Encrypt CA draft subscriber agreement is available for review and comment.
- The OAuth Assertion specifications, as well as the JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications, are now IETF Proposed Standards.