Category Archives: data privacy

Decentralized identity and the path to digital privacy

Security is the central challenge of the digital age. Our digital lives have moved into the cloud. People now use multiple devices to connect to multiple applications through many different networks. Just about everything is connected to the internet, where threats remain constant and evolving. In this distributed, heterogeneous environment, however, there’s still only one “you.” That’s why identity is the best path to security.

The identity technologies my team at Microsoft builds serve as the frontline of our enterprise-class security solutions. Whether it’s a customer using biometrics to log in with Windows Hello, or enterprises relying on us to deliver risk-based conditional access through Azure Active Directory, identity is the front door to our customers’ content and experiences.

Identity can also be a key enabler to something that’s as important to our customers as security—privacy. With identity as the control plane, we’ve made security solutions more sophisticated, which is a good thing for both organizations and individuals. But when it comes to privacy, the needs of individuals and organizations are still out of balance. This week, I’m in Munich, Germany, at the European Identity and Cloud Conference to talk about how mechanisms like decentralized identity can help us address this imbalance.

Joy Chik speaking at the European Identity and Cloud Conference in Munich, Germany

Anyone who reads the news knows that many individuals feel organizations have way too much control over their personal information. Organizations are rightfully being asked to take more responsibility for protecting the information of their customers. Even the best security isn’t enough, however, if we don’t give people greater control and privacy as well.

That control begins with identity, because in your digital life, everything starts with you. Your identity is who you are. It’s everything you say, do, and experience in your everyday life. Identity can provide the same control plane for privacy that it has for security.

At Microsoft, we envision a world where technology facilitates respect for privacy. In this world, organizations no longer need to issue new identities. Instead, they embrace the digital identities that individuals bring with them. Each person’s digital identity belongs to them. They control it.

In this world, organizations are more intentional about the type of data they collect, how much they collect, where it comes from, and where it is stored. They accept information from individuals that an independent authority has verified, like citizenship verified by a government agency or education level verified by a university. Using verifiable credentials or claims that are digital, individuals can prove who they are, and they can exchange digital information, or what they are, with each organization. In other words, individuals and organizations can establish a mutual trust relationship.

Verifiable information is stored with the individual. The organization doesn’t have to collect or protect this sensitive information—less liability for them, and more control for the individual. When people control their own identity, they can set constraints and control their digital data, sharing only the information necessary to conduct business with organizations, and no more.

Organizations, for their part, can decide to store information with individuals rather than storing it themselves. This allows them to collaborate with anyone, confident that the information exchanged can be trusted, while reducing their liability and improving compliance. The individual, in essence, becomes a data controller. This changes the relationship—and the balance of power—with organizations.

We’re already seeing industry support for this paradigm shift, spearheaded by the work the Decentralized Identity Foundation (DIF) is doing. Microsoft, along with other companies, is contributing open source code to DIF so developers can take advantage of decentralized identities. Soon, DIF will have everything necessary for individuals and organizations to start using them. We’re working with the community to build support for decentralized identity into the Microsoft platform so we can enable innovation, and so we can bring individuals and organizations together for stronger security and privacy.

As part of our goal to empower everyone with a self-owned identity, we’re contributing technologies to a system that can support all kinds of entities, including millions of organizations, billions of people, and trillions of devices. One example of this is our collaboration with members of DIF, notably ConsenSys and Transmute, to develop a blockchain-agnostic protocol for creating scalable DID networks, called Sidetree.

As part of that collaboration, earlier this week we announced an early preview of a Sidetree-based DID network that runs atop the Bitcoin blockchain, called ION (Identity Overlay Network). ION is designed to deliver the scale required for a world of DIDs, while inheriting and preserving the attributes of decentralization present in the Bitcoin blockchain. As with previously announced efforts, we’re sharing our work as early as possible, rough edges and all, to start a conversation with the community and encourage further collaboration.

These examples are only the beginning of our efforts to champion digital privacy through identity. The privacy conversation requires constant engagement and collaboration. In addition to industry partners, we’re calling on organizations everywhere to join us in this effort:

  • Instead of issuing new digital identities for external parties like partners and customers, accept existing ones that users bring.
  • Limit the data you’re collecting to only what’s necessary and accept independently verified information from individuals.
  • Based on your business model, decide where you will balance control over data between your organization and the individuals who do business with you.

Privacy is a human right. To protect that right, individuals must be empowered to control their own digital identities. Many members of the identity community, including Microsoft, are committed to making this real.

The post Decentralized identity and the path to digital privacy appeared first on Microsoft Security.

Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You?

A classic meet-cute – the moment where two people, destined to be together, meet for the first time. This rom-com cornerstone is turned on its head by Netflix’s latest bingeable series “You.” For those who have watched, we have learned two things. One, never trust someone who is overly protective of their basement. And two, in the era of social media and dating apps, it’s incredibly easy to take advantage of the amount of personal data consumers readily, and somewhat naively, share online and with the cloud every day.

We first meet Joe Goldberg and Guinevere Beck – the show’s lead characters – in a bookstore: she’s looking for a book, and he’s a book clerk. They flirt, she buys a book, he learns her name. For all intents and purposes, this is where their story should end – but it doesn’t. With a simple search of her name, Joe discovers the world of Guinevere Beck’s social media channels, all conveniently set to public. And before we know it, Joe has made himself a figurative rear window into Beck’s life, which brings to light the dangers of social media and highlights how a lack of digital privacy could put users in situations of unnecessary risk. With this information on Beck, Joe soon becomes both a physical and digital stalker, even managing to steal her phone while trailing her one day, which, as luck would have it, is not password-protected. From there, Joe follows her every text, plan and move thanks to the cloud.

Now, while Joe and Beck’s situation is unique (and a tad dramatized), the amount of data exposed via their interactions could potentially occur through another romantic avenue – online dating. Many millennial couples meet on dating sites where users are invited to share personal anecdotes, answer questions, and post photos of themselves. The nature of these apps is to get to know a stranger better, but the amount of personal information we choose to share can create security risks. We have to be careful as the line between creepy and cute quickly blurs when users can access someone’s every status update, tweet, and geotagged photo.

While “You” is an extreme case of social media gone wrong, dating app, social media, and cloud usage are all very prevalent in 2019. Therefore, if you’re a digital user, be sure to consider these precautions:

  • Always set privacy and security settings. Anyone with access to the internet can view your social media if it’s public, so turn your profiles to private in order to have control over who can follow you. Take it a step further and go into your app settings to control which apps you want to share your location with and which ones you don’t.
  • Use a screen name for social media accounts. If you don’t want a simple search of your name on Google to lead to all your social media accounts, consider using a different variation of your real name.
  • Watch what you post. Before tagging your friends or location on Instagram and posting your location on Facebook, think about what this private information reveals about you publicly and how it could be used by a third party.
  • Use strong passwords. In the event your data does become exposed, or your device is stolen, a strong, unique password can help prevent your accounts from being hacked.
  • Leverage two-factor authentication. Remember to always implement two-factor authentication to add an extra layer of security to your device. This will help strengthen your online accounts with a unique, one-time code required to log in and access your data.
  • Use the cloud with caution. If you plan to store your data in the cloud, be sure to set up an additional layer of access security (one way of doing this is through two-factor authentication) so that no one can access the wealth of information your cloud holds. If your smartphone is lost or stolen, you can access your password-protected cloud account to lock third parties out of your device, and more importantly your personal data.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Roses Are Red, Violets Are Blue – What Does Your Personal Data Say About You? appeared first on McAfee Blogs.

Why the government isn’t a fan of commercial encryption


Federal governments and major technology firms are arguing for or against encryption, respectively. But why?

Due to recent political turmoil and devastating events overseas, the topic of end-to-end encryption has reentered public discussion. At the center of the debate, you have federal governments and major technology firms, each arguing for or against encryption.