ID.me’s Troubles Highlight the Dangers of Storing Users’ Information

ID.me’s Troubles Highlight the Dangers of Storing Users’ Information

The risk of storing users’ personally identifiable information (PII) stored in a single database came up again in a major way last month. A Business Insider article detailed how identity verification company ID.me, after securing contracts with the IRS and multiple state unemployment agencies in 2020, engaged in lax security practices that resulted in the exposure of users’ PII. Users’ identifying information from drivers’ licenses, passports, and other documents were shared on corporate messaging channels and visible to nearly all customer service representatives.

Everyone should be able to control their own data

The belief that individuals – not private companies or government agencies – should own their data is central to SSI solutions. No single entity should have control over an individual’s information, and people should be able to share what they need when they need to, and no more than that.

Existing digital ID solutions are convenient, but they eliminate an individual’s ability to control their data. A digital ID is simply a digital representation of a physical form of ID, like a driver’s license or birth certificate. Digital IDs contain the same data that said document contains, including a person’s date of birth, address, and other information that may or may not be pertinent for a specific transaction.

With a digital ID, a person hands over all their data, even if they don’t have to. That information is then stored and controlled by the institution–much like ID.me controlled users’ PII. When hundreds of thousands of users’ records are stored in one place, that place can easily become a target for hackers. Or, in the case of ID.me, information can be accessed and shared internally by just about anyone.

With solutions like Voyatek’s Decentralized Identity for Government (DIG), users’ store and manage their information in a digital vault that is virtually tamper proof–on a user’s personal smartphone—and validated through a distributed public ledger, or blockchain. A person only needs to share what they’re comfortable sharing during a transaction.

In short, the only one who keeps an individual’s data is the individual themselves. Thus, they maintain complete control over their own identity.

Better for residents, better for government

SSI solutions not only return ownership of data to an individual, but they also eliminate the risk organizations take by storing so much sensitive information. Since PII is not kept in a central location, there’s no incentive for hackers to attempt to breach a database. There’s also very little chance for data to be inadvertently exposed by malicious or accidental insider threats.

Implemented correctly, SSI is a win-win for organizations and individuals alike. Users own their information and benefit from the convenience of secure online interactions, and organizations minimize their liability and reduce operating costs.

The controversy surrounding ID.me exposes the folly of a single organization controlling users’ PII on their own servers. A couple of years ago it would have been considered standard practice to house this information in a single database. But that’s no longer secure or smart. Today, we have better, more secure, and more distributed options.