Somewhat lost in the post-Facebook’s Libra announcement is the impact of Libra and Calibra on the social network’s ability to protect users’ digital identities. In this month’s Digital Identity Tracker, Wayne Vaughan, co-founder of the Decentralized Identity Foundation, discusses how Libra could potentially put users’ digital identities at risk, and why a combination of regulation and a stringent certification and audit process would be key to keeping users secure.
Social networking giant Facebook made headlines last month when it announced Libra, a new cryptocurrency expected to launch in 2020. Cryptocurrencies are well-trodden ideas in the FinTech world — more than 1,600 cryptocurrencies are currently in circulation — but Libra has the largest financial backing of any to date.
The main buzz surrounded the cryptocurrency itself, but the Libra white paper also held a pair of sentences that painted Facebook’s intentions in a new light: “An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition.”
A truly decentralized digital identity standard has been a white whale for tech companies for decades. Such a solution would allow consumers to own their digital identities and use them for whatever they need, rather than having to create individual accounts and passwords for every service or relying on a single log-in tool from a massive corporation like Apple or Google.
The Decentralized Identity Foundation (DIF) has been working with corporations and regulators to one day reach this goal, but the foundation’s co-founder, Wayne Vaughan, has some concerns surrounding Libra’s impact on the future of digital identity.
Libra’s Privacy Concerns
Facebook is no stranger to the concept of digital identity, and many websites that require users to log in often allow visitors to use their existing Facebook credentials rather than create new accounts. With that convenience comes a trove of data that Facebook can access about its users, however. Libra will provide Facebook with similar information about its users’ financial habits as spending occurs.
“There has to be a way to identify who is transacting within the system,” Vaughan explained. “The identity component of this is probably not being driven by nefarious motives — it’s being driven by the need for having regulatory compliance in multiple jurisdictions, not an identity that is tied to any one particular government.”
Concerns would be exacerbated if Libra ran on a public ledger, which is the case for many other cryptocurrencies, including Bitcoin. Public ledgers could expose financial data, allowing outsiders using artificial intelligence (AI) and pattern recognition to identify and name individuals making purchases.
“Just five data points might be enough [for a company] to say, ‘I’m pretty sure that this identity that’s anonymized on the Libra ledger is Wayne Vaughan because he purchased something of this amount at this store at this time,’” Vaughan said. “Now [the firm] can search the entire public ledger for a set of data for all the transactions that are associated with that identity.”
Should companies like Walmart or Amazon receive these complete purchase histories from the Libra platform, they’d likely have a targeted marketing field day.
Can Facebook Be Trusted To Secure Financial Data?
Facebook has experienced well-publicized data breaches — it exposed approximately 50 million accounts in a single attack last year. Financial data is a prime target for hackers and fraudsters, leaving consumers concerned about Libra’s potential security holes and avenues for attacks. Facebook partnered with 28 corporations to develop Libra’s infrastructure, but the company intends to expand that number to over 100.
“[Facebook’s] development operations team is responsible for securing its own infrastructure,” Vaughan said. “But if you have a hundred partners, those hundred partners are responsible for securing themselves — and that’s a hundred points of failure.”
Facebook has few options available when it comes to ensuring all of its partners are on the same security page.
“You could also certainly reduce risk by using cryptography to increase the security of the ledger and keep transactions private,” Vaughan speculated. “Or, you could try to implement some sort of certification program or an audit process. I think that regulators and governments might insist on something like that.”
Just days after the Libra announcement, the House Financial Services Committee called on Facebook to halt all development until Congress and federal regulators could investigate how the crypto might cause danger to the global financial system.
“If products and services like these are left improperly regulated and without sufficient oversight, they could pose systemic risks that endanger U.S. and global financial stability,” committee chairwoman Rep. Maxine Waters (D-CA) wrote in a letter to Facebook CEO Mark Zuckerberg. “These vulnerabilities could be exploited and obscured by bad actors, as other cryptocurrencies, exchanges and wallets have been in the past.”
It appears that Facebook is moving full steam ahead with Libra’s implementation despite regulators’ concerns. There are still some questions regarding how the system will operate and whether the privacy and security concerns will be relevant when Libra goes live next year. How Facebook addresses these issues could be the determinant for Libra’s future success.