Updated on: October 10, 2024
It’s hard for everyday people like me and you to remain on top of new cybersecurity threats and complex concepts while trying to protect our online privacy and digital rights without giving up the convenience of our favorite apps and technologies.
In this interview series by Safety Detectives, I talk to cybersecurity experts and thought leaders who share insights, actionable tips and future predictions that will help us better understand what is really going on with our data and protect your digital life more effectively without losing your sanity.
Philip Young is the Chief Technology Officer (CTO) and co-founder of Arissian, the company behind the digital identity platform Luciditi. During his over 30 years in software engineering, Young has co-founded Docman, a software that manages clinical documents for a significant portion of the UK population, and remained involved with the project until establishing Arissian in 2014.
Luciditi provides reusable digital identities and streamlines identity verification processes across various sectors, including finance and healthcare. It does that by incorporating advanced technologies such as biometrics, real-time data exchange, and user consent mechanisms to enhance data security and reduce the risk of fraud.
What are the core technologies behind Luciditi, and why do you believe this is the future of digital identity authentication?
We use encryption of various types extensively throughout our applications. The platform is made up of a number of components, everything from App’s and SDK’s to internal API’s and storage.
Thanks to Public Key encryption only the owner can read his own data – we can’t read it either. Using PKI is a fundamental part of building a system of trust because it is no longer exposed to the main downside of centralised storage – data honeypots. Every attribute of every piece of data is individually encrypted by the key belonging to the holder. It’s effectively useless unless you know one or more keys. The keys themselves are stored securely on the device, protected by biometrics making them very hard to compromise.
Luciditi aims to remove anonymity where it causes harm. Where and how do you draw the line between privacy and transparency in digital identity?
It really depends what problem is being solved.
In Age Assurance, you typically only ever need to reveal if someone is above or below a particular age rather than the actual age or real date of birth.
In Identity Verification, the point is either to confirm or provide some aspect of a users identity. Its important that it is clear to the user what is being shared (and for how long) and that they also have the ability to limit what is being shared if they feel it is too onerous – this is called selective or minimal disclosure.
A good example might be a review site implementing digital identity to show that reviewers are real, and allowing Luciditi users to leave a verified review. The review site may ask for first name, last name, age, but as a user you might only wish to provide your first name. The review is still from a genuine verified source but you (the user) have chosen to disclose only part of what was asked.
In your view, what are the biggest misconceptions consumers have about privacy and digital identity?
Those against ID in general believe that wherever it is used, it is being used to track or infer something about you. For example, a journalist in the UK was outraged at the new Online Safety Act coming into law, suggesting that if he used a digital identity to provide his age at a bar more than x times a week, the NHS might not treat him based on an algorithmic decision that he drinks too much. Clearly nonsense, but the kind of misinformation that gains traction with those who don’t understand what it really is.
Digital Identity is now well understood and defined with global standards, starting or emerging ones. It specifically prevents overreach and access to data by the implementation of techniques such as minimal / selected disclosure and anonymity where appropriate. It does not (and should never be allowed to) feed Big Data, the kind used by social media companies that only exist as a result of advertising revenue.
Digital Identity, when implemented by certified businesses or trustworthy governments, gives users back control over important data and allow positive and frictionless experiences in their everyday lives. It has massive economic benefit if implemented at scale and reduced fraud massively.
What are the crucial things people should STOP or START doing today to improve the safety of their data?
Stop using passwords!
Start using passkeys!
Luciditi ditched passwords for user accounts a long time ago. You simply don’t need them for well-designed systems that have other mechanisms for account security and recovery. Using a passkey, or better still a passkey linked to a verified digital identity is significantly more secure than a password, it’s almost impossible to clone, bypass or steal making it the only choice for systems that protect your important digital information such as your identity.
Why is user consent so crucial in digital identity platforms, and how does Luciditi’s Mutual Trust Model address it in a better way?
Think of this very typical scenario: you’re sitting at home one evening and your phone rings… It’s your bank and they have some important information to tell you. However, before they can tell you anything, they need to guide you through a security process for your protection…
They ask you to provide your name, address, and something that you’ve previously disclosed to them, like your favorite pet, first school, mother’s maiden name, etc.
But hang on, how do we know that the caller is genuine?
Can we trust the caller ID?
Can we trust the background noise?
Can we trust that they sound friendly?
Clearly, the way to respond to this is to hang up and call the bank directly. But is there a better way?
With Luciditi there is, because everyone that has an account in Luciditi has been verified and connected to a device that is trusted. So when you get that call, at the same time, the agent sends you an instant verification request and you can see exactly who sent it before you respond. Better still, any information you return is encrypted so only they can read it for a fixed period. Not only is this secure, but also no data has to leave Luciditi for both parties to be certain they are dealing with who they expect. This is mutual trust, which is the heart of every identity transaction.
How do you see the role of biometrics evolving in the future of digital identity, and what’s your take on the concerns over biometric data privacy?
Biometrics are key in Digital Identity as a key binding mechanism between data and the holder of the data. As new modalities come into the market like palm and iris, expect to see new forms of safety tech that ensure a verified person is using a physical device. We’ve already experimented with adding fingerprint templates to the Luciditi App and linking them to devices. The most likely candidate for this kind of technology is for vapes to prevent non-assigned user access. A technique that could just as easily be applied to vehicle eKeys and firearms. But sure there are certainly legitimate concerns over privacy.
The rule should be never to hold biometrics for longer than is necessary to perform a task. If biometric data is required to be held, it should only ever be held in a certified system where it has been proven beyond all reasonable steps have been taken to ensure that it cannot escape.
How can our readers follow your work?
Website: https://luciditi.co.uk
LinkedIn: www.linkedin.com/in/phi1ipyoung