The Importance of Protecting Digital ID Users from “Phone Home” Surveillance
Digital identity systems theoretically offer substantial improvements over the current identity status quo, including superior fraud prevention and enhanced user privacy. As the industry comes together around standards and system designs, we at SpruceID firmly believe user privacy must remain front and center.
One of the more challenging aspects of building digital identity is protecting users from surveillance. It’s always been possible to track Individuals through their movement and activities, in the real world and online. It is now quite common for digital data to be used to form profiles of Web users, and a poorly designed digital identity system risks replicating that pattern. This surveillance could happen by any number of legitimate (or not) entities, including commercial “data harvesters” or by ID issuers themselves, such as the Department of Motor Vehicles.
Below, we outline one effort to combat the risk of surveillance through digital identity systems, using a process known as Private Information Retrieval, or PIR. By using cryptography to obscure remote data queries, PIR can reduce identity-based surveillance and enhance user trust in digital identity.
When A Question Reveals Too Much
One strength of existing physical IDs, such as driver’s licenses, is their natural protection against surveillance. In most cases, someone checking the ID looks at it and verifies its authenticity and resemblance to the holder, and that’s the extent of information capture. There’s no call out to a separate system to verify the legitimacy of that ID, no records kept that you may be showing it quite frequently to a clerk at your local store, and no concerns raised about whether you’re buying a pint or a pint of Ben & Jerry’s.
This sort of protection is more challenging in a digital system when there is an inherent tendency in technology to generate a robust event log for every transaction. A digital ID system with minimal privacy controls might query a central server for verification whenever your ID is checked and - accidentally or on purpose - create a detailed, real-time feed of your online and real-world activities. That data could have great value to the issuing authority and numerous bad actors, who will no doubt attempt to access that treasure trove of personal information.
The implications of abuse of a data set containing granular verified behavior of individuals is sobering. Governments could use it to surveil activists and journalists. Abuse and stalking victims could be tracked by their abusers. Even challengers in democratic elections could find themselves targeted by unethical incumbents abusing the system from within. One worrying example may have unfolded recently in China when a local government allegedly used data from a COVID app to lock down protestors worried about frozen bank assets.
This is what’s known as a “phone home” problem in cybersecurity. Current standards for digital ID reduce this risk by storing an issuer’s digital signature on a mobile device, where it can be verified locally rather than needing to query a server. This works much the same way as a hologram on a physical driver’s license, allowing it to be verified locally without generating a digital trail.
But there are still circumstances where remote identity queries are necessary. This creates a design problem for a privacy-preserving digital ID system: how do you query a database without the database being able to record the query?
The good news is that thanks to innovations in cryptography, it’s very feasible to ensure that digital identity systems don’t risk exposing users to surveillance, even when a verifier has to “phone home. "
Building Private Information Retrieval
A privacy-preserving database query needs to mask many kinds of information: the identity of the querier, the identity of the target of the query, what data is being checked, and the location of the query, for a start. At the same time, the data still needs to be restricted to a specific credential holder.
This is possible thanks to a process called “Private Information Retrieval,” or PIR. The nuances of PIR can be illustrated by a few hypothetical approaches to obscuring data retrieval. For instance, if a database query downloads an entire database, the server won’t know which specific record the query was after. Another brute-force approach involves keeping many separate copies of a database that can be queried at random, making it hard for any one copy’s controller to aggregate a full picture of any set of queries.
These aren’t very practical solutions, though. We believe there’s much more promise in a relatively recent addition to the PIR toolbox: zero-knowledge proofs, or ZKPs. Using cryptographic encoding, ZKPs transform data, such as an ID holder’s identity, so the data can be confirmed without being revealed.
ZKPs can serve several roles in protecting user privacy during a digital ID database query. First, a package of ZKP-protected data can affirm that a verifier, such as a law enforcement officer, has a right to query an identity database without revealing the verifier’s specific identity. The verifier would then submit the credential that must be verified, again protected by ZKP encoding. This encoded credential could then be checked for validity without revealing the credential holder’s private information.
This would make it far less possible to keep a record of useful information that could be used for surveillance—“someone from a trusted entity queried some sort of information from some database at some time”—which doesn’t really allow for Sherlock-level sleuthing. It’s this inability to even generate information that could be aggregated for exploitation that makes ZKP so enticing.
Communicating the Intent of Privacy
71% of Americans now express concern about government use of data. At SpruceID, we expect that holding and demonstrating strong privacy principles will be key to unlocking the acceptance and broad adoption of digital identities. Concepts like Private Information Retrieval should be a standard for any digital identity system, and that ZKP tech is a promising tool in that effort.
Industry practitioners should take lessons from the past 50 years of software development and build personal security and privacy into systems from the start. That’s not to say this work will be simple and seamless. Of course, it will undeniably be challenging not only to design and implement truly privacy-preserving digital identity systems but also to convince a skeptical public. Both will be necessary, though, to foster broad user adoption and make the full promise of digital identity a reality.
Visit our website to learn more about SpruceID's stance on privacy and how we protect digital ID users from phone home surveillance.
About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.