Personal Data

The Microsoft-Mastercard SSI alliance is great news, but some thought it was a bad thing.

By all accounts, Fast Company’s Cale Guthry Weissman is a good reporter who knows his audience. Informed that Microsoft and Mastercard were partnering to create a new kind of digital identity, he went to get some answers, assessed the situation, and wrote an article that called the alliance “frightening”

But the solution they offer–a one-stop, universal identification for any and all applications–would mean that every citizen would be entering into a system built by private companies that centralizes all of their personal data. Every digital company wants to be a data hoover, and this program seems to underscore the extent of this pursuit.
[…]
Overall, this announcement speaks to a common tone-deafness among large companies when it comes to privacy. While proving digital identity can certainly be onerous, some solutions may only imperil us even more.

• Microsoft and Mastercard have a frightening plan to create “digital identities”, Fast Company 12/04/18

Weissman can be forgiven for such a sentiment; tech companies have a well earned reputation for turning their users into unwitting laborers  on data farms. But it should be noted that Mastercard isn’t “a tech company”. When Weissman reached the global credit card company for comment they explained their bold new venture with excitement, emphasising that they’re going to use trusted sources to give control to the user, who will “share only the information needed to conduct their transactions,” but it didn’t really seem to take. They came off like someone who walked into a party wearing a set of Google Glass, then tried to use the uncomfortable pause that it created to explain how his dork goggles weren’t just a mass surveillance tool, they were also going to change the world! The spokesman would have done better to explain that SSI applications are explicitly NOT “centralized” as Weissman came away understanding, but they appear to have got a bit carried away.

It seems like a good solution because it is a good solution, but Mastercard won’t be able to sell it themselves

We have no reason to doubt that Mastercard’s excitement is earnest. Credit card companies live the third-party verification problem every day, because they’re third party verifiers. Mastercard sees ease-of-use and fraud prevention savings in this project that are meaningful, and are excited about being able to achieve them without having to handle customer data. They’re telling their merchants and cardholders: “Look! You’re going to FINALLY have control of your own verification process! No more 2 pieces of ID with a credit card, and we don’t even have to hand the process over to a data-harvesting behemoth to get it done! (You just know Facebook or Amazon would have underbid anyone to get their hands on card verification contract, and for all the wrong reasons.) But Fast Company isn’t inclined to take them at their word. After all, they are partnering with Microsoft, who would surely know what to do with a bunch of cardholder and merchant data.
Microsoft, for their part, declined comment, which is interesting since they have so many good people working on this project who could comment eloquently including Daniel Buchner, Pamela Dingle and Kim Cameron among others. Perhaps from the PR department the silence is born of experience. Microsoft is the butt of the funniest tech jokes, and is aware of the shadow they cast. There isn’t anything they say to the general public to convince them that an identity play they’re making isn’t just another way to sink their tentacles into their users a bit further. The process knowledge just isn’t out there. Best say nothing until it’s ready.

Microsoft have good reasons to be this helpful.

The Microsoft that dominated the 90s and early oughts got their lunch eaten by Google, Facebook and Amazon, who cornered users into a Faustian bargain that they didn’t even know they were making. Microsoft’s unbreakable hold on the enterprise software market financed attempts to compete in the data and advertising realm, but it’s clear by now that beating data harvesters at their own game isn’t in the company’s DNA. This identity play may be Microsoft doing the next best thing: taking them out at the knees by giving the data control back to the customers.
Facebook is able to give access Cambridge Analytica and others access to user data by virtue of the fact that they have it. They could (and still do) broker access to users via their data, because they have ongoing user consent. If the user revokes that consent, nobody is checking if they’re honouring that revocation.
But they can’t sell what they don’t have. A user-centred permissions system would allow individuals to give Twitch streaming access to their X-Box ONE account, or not. LinkedIN could offer seamless work history verification, which would allow for an easy transition into the corporate HR services business, handling payroll, insurance and benefits for enterprises – all newly simplified user centric verifiable credentials. There are all sorts of places Microsoft can organically grow their core software business once the framework is in place to allow users and organizations to provide and revoke data from each other… once they can get over concerns people have over how the system actually operates.
There is not yet an SSI killer app. While Microsoft would no doubt like very much to develop one, they’re probably just as happy having someone else strike the discovery vein that gets the public’s attention. Once the user base gets wise to their new-found control, a self-sovereign-ID-enabled Microsoft will be in a position to enter the 2020s as a major player in this new market place of decentralized identity and credentials under the true control of the user.
(With files from Braden Maccke. Feature image courtesy Humans Unlimited Blog.)