
This article was published on February 23, 2024

Hackers are hunting celebs. Digital IDs can help — but come with caveats

Decentralised digital identities offer both promise and peril


Image by: Raph_PH (edited)

When it comes to cyberattacks, celebrities have a huge target on their backs. 

Just consider the news at the end of 2023, when Rhysida, the infamous hacking group, announced it had attacked King Edward VII’s Hospital, a private health institution in London. This is bad enough by itself, but what really elevated this news from “another day, another attack,” was the fact that the hackers claimed to have obtained sensitive medical data on the British Royal Family.

King Edward VII’s Hospital has provided close care to the family for over a hundred years, having looked after the Queen Mother, Prince Philip, Queen Elizabeth II, and King Charles III, to name but a few.

This makes it — and other hospitals serving the rich and famous — a treasure trove for hackers. If bad actors get hold of this sort of sensitive data, it can be used for all sorts of nefarious purposes, whether that’s extortion, blackmail, or any of a range of other motives, political or otherwise.


In this instance, the Royal Family got off lightly. Although it’s not clear precisely what happened, a few days after the announcement, Rhysida took down the note on their website about the Royal Family. The data wasn’t leaked.

Now, we could spend some time unravelling this mystery, but, to me, the damage was already done. A glaring weakness was shown to the world. With this, a question: what do high-profile individuals like the Royal Family do about this threat?

Could famous people decouple themselves from public and private institutions? How would this work? And is it even possible?

I wanted to find out. So that’s exactly what I did.

Getting deep with digital identities

“Digital identity, in its simplest form, is a set of facts about you,” says Andrew Bud, the founder and CEO of iProov, a London-based identity verification and authentication service. 

It makes sense. Then, one would assume, the easiest way for the wealthy and powerful to protect themselves would be to decouple their digital identity from institutions. That’d work, right? Surely?

“In the modern era of data breaches and ransomware farming, the idea that any information is a safe secret is fiction,” Bud says.

Ah. It appears we’re off to a rocky start. If no data is safe, how can anyone be? Should we all just pack our bags and give up?

Bud doesn’t think so: “What matters most from a security perspective is securing your data so that it can’t be monetised or exploited for unauthorised use.”

In other words, it’s all about authorisation. Securing who can access your data — something we’ll return to later. That then means it’s possible for high-profile individuals to decouple their digital identities; it just needs to be done holistically.

But how would it work?

Making the great decoupling happen

“It is in the realms of possibility for individuals to leverage additional technologies to decouple their digital identity from their healthcare or operational data,” Matt Berzinski, senior director of product management at Ping Identity, tells me. 

The key to this, he believes, is “decentralised identity.”

The hackers targeting King Edward VII’s Hospital threatened to reveal the Royal Family’s health data. Credit: Michael Garnett

Berzinski explains the idea behind this technology. Imagine going to a club and showing a bouncer your physical ID. In this case, they can see where you live, how old you are, and a raft of other personal information that’s not relevant. In theory, they could remember this data and use it against you.

A decentralised ID, on the other hand, would simply show the bouncer that you’re of the legal age and can enter. The person looking at your ID would only see the specific info they need to let you into the club. Nothing more, nothing less.

Effectively, this is how your data would be used in a decentralised environment. It’s not there for anyone to see; it sits separate from, say, a hospital’s system which will be only allowed to draw what it needs.
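The bouncer scenario can be sketched with salted-hash selective disclosure, one common way to build such credentials. This is an added example, not code from the article or from any vendor quoted in it; all function names and sample values are constructed, and an HMAC with a demo key stands in for the issuer's digital signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: a real issuer signs with a private key,
# and verifiers hold only the matching public key.
ISSUER_KEY = secrets.token_bytes(32)


def claim_digest(salt, name, value):
    # Salted hash: without the salt, the digest reveals nothing about the claim.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issuer_tag(digests):
    # Stand-in for the issuer's signature over the list of claim digests.
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


def issue(claims):
    """Issuer: commit to every claim and give the holder one disclosure per claim."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(claim_digest(*d) for d in disclosures.values())
    return {"digests": digests, "sig": issuer_tag(digests)}, disclosures


def present(credential, disclosures, reveal):
    """Holder: forward the credential plus only the disclosures chosen for this verifier."""
    return {"credential": credential, "disclosed": [disclosures[n] for n in reveal]}


def verify(presentation):
    """Verifier: check the issuer tag, then accept only claims the credential commits to."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["sig"], issuer_tag(cred["digests"])):
        raise ValueError("credential was not issued by the trusted issuer")
    verified = {}
    for salt, name, value in presentation["disclosed"]:
        if claim_digest(salt, name, value) not in cred["digests"]:
            raise ValueError(f"claim {name!r} is not covered by the credential")
        verified[name] = value
    return verified


# Constructed sample identity: the bouncer is shown one fact and nothing else.
CRED, DISC = issue({"name": "Alex Example", "address": "1 Sample Street",
                    "birth_date": "1990-01-01", "age_over_18": True})
SEEN_BY_BOUNCER = verify(present(CRED, DISC, ["age_over_18"]))
```

The verifier receives digests for the name, address and birth date but cannot read them, and a claim the issuer never committed to is rejected.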

This is where the authorisation element that Bud from iProov discussed earlier comes into play. Only those authenticated to access this data will be able to use it.

But how do you ensure they are who they say they are? According to Bud, one way to achieve this is using biometrics. 

“Things we know, like passwords [or phones], are easily shared, stolen or forgotten,” he says, going on to say that biometrics cannot be taken advantage of in the same way. Yes, they can be copied, but this requires “significant effort and expertise” — which would make it tough for almost any bad actor to get hold of.

What we’ve learnt so far is that decoupling their digital identities could be a way for celebs to protect themselves from hackers, but is it actually possible today?

Freedom! (For identities)

The answer is kinda, but not really. 

Here’s the kicker: much of the technology that’d enable the wealthy to decouple their identities from public institutions exists, but it’s simply not mature enough to make it happen.

As Berzinski from Ping Identity explains, while the promise of decentralised identity exists, it’s “in its infancy, standards are still being formulated, and the general population’s understanding and willingness to adopt it is still growing.”

So, what should high-profile figures do now? If they can’t decouple their identities from public platforms for protection, how do they defend themselves?

Terry Slattery — CEO of IDScan, a company that validates identities — believes it’s “imperative that individuals adopt effective data privacy practices.”

Effectively, celebs should suck it up and take increased responsibility. This involves everything from using password managers to being careful about what they share online. 


As an example, Slattery tells me a story about former Australian Prime Minister Tony Abbott accidentally posting his Qantas boarding pass on Instagram, leading to a hacker obtaining sensitive information on him “in just 45 minutes.” In other words, even something seemingly innocuous can be dangerous.

I won’t lie, this is leaving me deflated. I thought there’d be a stylish and simple way to decouple digital identities, but, like life in general, it’s proving more complicated than I thought.

Yet, there’s hope. If it won’t work today, it should in the future. Or so I thought.

Problems heaped upon problems

Keen to further burst my bubble, Simon Bain, CEO of OmniIndex, tells me flat out that “digital identities are not the answer.”

Simply put, he believes that “if we cannot currently trust third parties with our data, we cannot trust them with our identities.”

To him, organisations themselves need to take more responsibility and “adopt modern technologies that protect our private and personal information,” with one such example being homomorphic encryption.

When I pushed him further about whether celebrities should push for their own, private security, Bain stated that we should all be demanding better protection — not just the wealthy or famous.

This is something Berzinski from Ping Identity also mentions: “The risk of allowing high net worth individuals or high-profile figures to do something different is that they actually become an even bigger target, a whale so to speak, and there is more vulnerability involved.”

Now we’re getting somewhere. Maybe the best way for celebrities to protect their identities from attackers is for everyone to get better security, not just them.

Power to the people

“The EU Digital Identity Wallet is one example of decentralised identity in development today,” Bud from iProov says.

This aims to deliver all 447.7 million EU citizens the ability to store and exchange identity documents and credentials, securely and conveniently, while ensuring they have full control over their data.

Of course, the proof is in the pudding. How successful this is depends on how well the project is run and what happens.

Ursula von der Leyen, the president of the European Commission, wants to create “secure European” digital IDs. Credit: European Parliament

In an ideal world, this way of removing data from public and private institutions into a more decentralised space could work wonders — but it could also be managed appallingly.

Slattery from IDScan has this to say: “The advent of decentralised digital identities could make it easier for perpetrators to commit identity fraud on a larger scale. Gaining access to someone’s digital ID could potentially provide a gateway to their entire digital presence, from financial to social accounts.”

To rephrase that, as things get more convenient and technologically advanced there’s a strong chance that hackers could turn this to their advantage. I guess that’s the thing about evolving technology: other people have it too.

For every decision that’s made, a series of unintended consequences will happen. If managed correctly, something like the EU Digital Identity Wallet could deliver benefits that make us all safer online, whether wealthy or not. But if managed badly? Well, it could open an even bigger can of worms than the one emptying out today.

The good, the bad, and the decentralised digital IDs

While it’s been enjoyable to follow this line of inquiry, it’s important to swing back around to the original question. So, could high-profile individuals decouple their profiles from public institutions?

The answer? Yes. They could. Although this has the rather large caveat that while the technology is technically available today, it’s not really in a place where it can be effectively used.

More pressingly though, celebrities going alone down this road would be a bad move. It’d make them even more of a target and potentially draw more nefarious attention, defeating the entire purpose of the move.

The solution to identity-focused cyberattacks isn’t getting the most at risk to change, rather it requires an entire industry to shift. Keeping our data held ad hoc across multiple different systems with varying security standards is not sustainable in the modern world.

Instead, the focus should be on, as Bud from iProov mentioned at the start of this piece, authorisation. Organisations should only be able to access specific information.

This is why the EU Digital Identity Wallet is so exciting. Here is something that could protect people’s data, ensure there are fewer leaks, and keep us all safe. If it works, of course.

The success of a project — and whether we want the government to be the sole holder of all our data — is a conversation for a different article. Fundamentally, things have to change — and, in the EU, it seems like that might just be happening.

For once, it appears that the best thing for celebrities is to just be like everyone else. Now that’s a message I can get on board with.
