Be it the latest NFT range, the digital land grab, or cryptocurrency trading platforms, the third generation of the internet is upon us. But with blockchain technologies offering rich pickings for cybercriminals, how do legitimate investors protect themselves? For one group of digital privacy entrepreneurs, the answer is staring us in the face – a peer-to-peer identity verification system.
“At the end of the day, everything revolves around your identity,” says Itay Levy, CEO of Identiq, a digital privacy company he co-founded in 2018. “When the internet moved online, there was the risk of account takeover, someone else using your identity. But all in all, it was mostly financial risk, and the hazards of organizations needing to protect themselves from hackers.”
Levy says the arrival of Web 3.0 has changed all of that, and we are now on the threshold of an era when films like Face/Off – in which a criminal uses high-tech surgery to trade faces with a policeman so he can use his identity as a shield for his crimes – could become a reality if businesses and governments do not act.
“In the metaverse, identity is even more important, because it's not only about organizations – it's also about people,” says Levy. “The risk has increased significantly, and it's not just financial anymore. With account takeover for example, someone is using my digital persona and pretending to be me. Essentially this can be a risk to my reputation and even to my relationships.”
As far-fetched as this might sound to some, the threat is real. Last year, reports emerged of a female beta tester for Meta’s virtual-reality social media platform, Horizon Worlds, being groped online. Nor was she the first – five years previously, a female gamer trialing a VR zombie shoot-em-up was similarly appalled when a fellow player started taking liberties with her digital avatar.
Levy says that such problems are fuelled by a growing sense of impunity among bad actors, who feel they can use the anonymity afforded by the metaverse to get away with anything. But given that anonymity is linked to identity protection, a necessity for defending against financially motivated cybercriminals, this problem is more complex than at first meets the eye.
“All of the issues in the metaverse – even sexual harassment – are because you feel that you're protected, and you can do anything you want,” he said. “But on the other side, my avatar is my avatar, and I want it to be safe. It can cause real issues.”
Risk vs reward
Levy believes that if identity verification systems do not evolve to match the changing cyber landscape, account takeovers in Web 3.0 could potentially have much more serious consequences.
“Think of it now as using someone else's identity and onboarding [connecting to a platform in the metaverse] without their knowing, using their credentials in order to create an avatar on their behalf,” says Levy, pointing out that the internet – for all its claims to virtual reality – struggles to replicate the norms human beings take for granted when assessing one another in the real world.
“When we are meeting a person, we can see each other, we can validate that you're a real person and you are who you say,” he says. “That's something that, moving to the online world, was extremely hard to do. We lost the ability to validate.”
It isn’t that Levy believes the metaverse to be a bad thing so much as a higher reward, higher risk social platform: “We have increased engagement [between people] – there are many nice things about the metaverse. But there is so much risk as well.”
Beware big corp
Levy warns that current methods used to weed out online scammers and sexual predators – in particular, general data protection regulation (GDPR) – are lagging behind the times and no longer fit for purpose. The big cybersecurity corporations that store our data cannot always be trusted either.
“All the power is in the hands of large companies, and this is a thing that we need to make sure they are doing correctly,” he asserts. “With GDPR, there was an effort to create a safer and greener world when it comes to our data.”
But with profit-motivated data sharing companies active in the field, such methods of protection have become a part of the problem themselves – something Levy believes the public still does not have enough awareness of.
“It's really an unknown fact that when you are onboarding, companies behind the scenes are sending your data to so many third parties that deal with this as their coin,” he says. “They are using it for marketing and identity purposes, and it's a privacy jungle.”
While increased regulation took some steps to rectify this problem, Levy still believes that not enough is being done to guarantee privacy, because the digital landscape is evolving too quickly for government regulators to keep up. By allying themselves with tech innovators, he says, state bodies could become much more effective.
“GDPR forced the world to be a better place [but] with new technology and innovation, it could be even better,” he says, referring to a solution devised by his own company. “For the first time in history, we are enabling the largest businesses to validate user identities without sharing any data.”
Trust your peers
This is quite a claim, and I press him on it – how do you verify the identities of platform users without exchanging knowledge of their personal details?
“It's like magic,” he enthuses. “Essentially, we are using a branch of cryptography that existed thirty years ago or even more – but we're using it in a very different way.” Levy refers to this branch of cryptography as Secure Multi Party Computation. “It allows different parties to know that they have the same asset – your identity – without sharing it with each other,” he explains.
“We are building a peer-to-peer network for companies,” clarifies Shmuli Goldberg, head of marketing at Identiq. “We ourselves – and this goes back to the privacy angle – have no data. We don't want your data. Our ethos that has driven our success over the last two years is that we enable companies to work together – so when you log into the metaverse, it's a peer-to-peer network that validates you.”
This works by mapping a person’s prior use of the internet across multiple points – be it a ridesharing service, video streaming outlet, dating app or gaming platform – to paint a clear picture of their activities online and verify whether or not the person trying to access a virtual-reality platform is who they claim to be.
“So we're not relying on one point [of reference],” says Goldberg. “This consensus that we're able to build privately guarantees your identity much more than any one-time validation will do.”
As well as taking away the undue influence of large data corporations and reducing the risk of third-party profiteering, Goldberg and Levy believe that this new system could neutralize a new generation of fraudsters who seek to model themselves on the Tinder Swindler – a conman made infamous by a Netflix documentary, who used false identities on the dating app to cheat women out of vast sums of money.
“We would expect a good person today to be known by tens – if not hundreds – of services and applications,” says Goldberg. “What we're leveraging is the history and trust that you've built over the last few decades online, coming to vouch for you today – without sharing or exposing anything. And in our opinion, that's the only way to build identity moving forward, without relying on huge data pools that can then be hacked.”
Agreeing with Goldberg that the provider-based system of data protection is too vulnerable to threat actors to be effective, Levy insists that he isn’t simply trying to promote his service – although Identiq is a private company.
“The solution doesn't have to be Identiq, but it needs to be providerless – it cannot be centralized,” he says. “These approaches are not working, we saw so many cases of companies losing data and then asking [clients] for more details, because the [lost verification data] was no longer valid.”
Levy predicts a “green revolution” for online data privacy, with government bodies improving regulatory practices to reflect the fresh dangers posed by Web 3.0 by championing solutions like his to counter them. In this way, he believes governments will be able to regulate for better data security online without having to adopt the kind of top-down centralized approach he says is detrimental.
“Technology privacy-enhancing solutions like Identiq protect customers,” he says. “Identiq is just one solution, but we definitely think this is the way forward.”
More from Cybernews:
Subscribe to our newsletter