Introducing IDfra – Securing Privacy During the Exchange of Accurate Personal Information

Welcome to the inaugural post of the IDfra (pronounced idʹ frah) blog. As our tagline indicates, IDfra refers to a new and very different way of managing the universe and infrastructure of the information that makes up our identities. The proposed new IDfra identity infrastructure offers the best solution to the central problem of our current information age: how can we ensure the exchange of accurate information about ourselves for any type of human transaction without having that information collected, abused, impersonated, lost or stolen?

There can be no doubt that the selective disclosure of information about ourselves is a necessary and routine event that can make our lives better. In many ways, the purpose of exchanging such information boils down to “access control.” Whether we are talking about access to our country across our borders, access to airplanes, access to sensitive commercial information, access to private facilities, access to alcohol, access to medical records, access to DNA profiles, access to the voting booth, access to firearms or access to bank accounts, having an accurate understanding of the identity of the person seeking access is critical.

What makes IDfra’s approach to the identity information infrastructure radically different is this: right now most of the information that exists in the world about us is “out there.” Each state’s DMV has some, our banks have some, our doctors have some, our insurers have some, the credit bureaus have some, and a multitude of commercial and governmental interests have some. And these days, social media sites have a lot of information about us. So, when we need to establish certain facts about ourselves for a specific transaction, say, renting a car or an apartment, seeking employment or boarding an airplane, we give a third party access to information about us that is already “out there.” Based upon the nature, quantity and quality of that information, the third party does or does not do the transaction with us. And along the way, that third party collects and stores whatever data it can get its hands on about us – because everyone now knows that information is money and power.

So what’s the problem with this model? The problem is that our personal information is “out there.” Out there to be sold, lost, stolen, traded, mined, aggregated, corrupted and abused – oftentimes entirely without our knowledge. One would literally have to be just crawling out from under a rock not to be familiar with the daily reports of personal data being secretly collected or being lost, stolen and abused. Another section of this IDfra blog will be devoted to discussing this problem in greater detail.

The IDfra solution to this problem is so simple, but so radically different from the current approach, that it is at first difficult to comprehend. The basic concept is that instead of keeping all of that personal or private information “out there,” it is kept “in here.” In this case, “in here” is simply a portable or cloud-based database belonging only to you, and to which only you can grant access. For those who are not technically inclined, think of a system in which all of your personal information – your medical information, your financial information, everything – is locked inside a giant vault that only you can open with a set of keys only you possess. (For those of you who are technically inclined, think of a strongly encrypted database whose decryption key requires multi-factor authentication, including a biometric authentication factor.)

At this point you may be thinking to yourself: “Wait a minute. Who puts this information in my vault then? Me? If it’s me, then why would anybody trust that information?” And you may also be thinking: “If third parties are the ones who put information into my vault, they must have it to begin with, so it is already ‘out there’ before it ever gets ‘in here.’” These are great questions, but they do have answers. The answers get into technical stuff, like “databases,” “metadata queries,” and “coefficients of credibility.” Suffice it to say, though, that there are ways that measurably credible third-party data can be stored “in here” and nowhere else!

So why is the IDfra identity management system better? Because instead of having your personal information scattered all over for people to lose, abuse, aggregate, mine and sell, it is locked up tightly in a place only you can access and from which only you can choose to disclose personal information. Because instead of third parties having to rely upon information of unknown credibility existing “out there,” which can be corrupted, lost or stolen, they instead are relying upon information only you have access to, and about which they can directly and accurately measure the credibility. In other words, you control the possession and disclosure of your personal data, but credible third parties control the content of that data. And when someone wants to access your personal information to decide whether to conduct a transaction with you, you control whether, how, and how much information they receive, and they decide whether there is sufficient trustworthy information in their eyes to do the transaction. Everyone gets what they need, but your information stays “in here,” safe and sound.

How this is done is somewhat mystifying to those not technically inclined, but trust me: it is very much achievable. It is the IDfra way of managing identity information, and it is the way of the future. For any of you who aren’t so sure about the need for the IDfra solution, please take a look at the “NSTIC” grant program sponsored by NIST, a federal agency that is posing the precise problem for which IDfra is the solution. We invite you to review and respond to any of our blog posts down the road and share your thoughts about IDfra’s new identity infrastructure solution.