Share or store? Ockto’s vision for secure sharing of personal data
Customers, consumers, and regulators regularly ask questions about whether Ockto stores personal user data in the Ockto app. In other words, do you store the data, or do you share it?
With the advent of European ID wallets, storing data is becoming the trend – all your personal data in a secure ‘vault’ on your own phone, under your personal control. It sounds secure and offers you, the owner of the personal data, full control over where it is used.
Yet at Ockto, we take a slightly more nuanced look at this issue. In this article, Paul Janssen, Product Director, discusses the differences between sharing and storing, and what trade-offs he makes when it comes to these two services.
Why do solutions like Ockto exist in the first place?
Why did we start offering this data-sharing service almost 8 years ago? Essentially, we wanted to solve one problem: empowering consumers to share personal data with service providers. Securely, quickly, and digitally. These service providers expect structured, up-to-date and verified personal data, limited to only those attributes necessary for providing their services.
Ockto fulfills all these requirements. With the Ockto app, individuals retrieve the data their service provider needs. The Ockto platform handles the exchange between the individual, the sources, and the service provider. Fast, simple, and secure.
Store or share?
From the start, we deliberately chose not to store user-retrieved data within a vault in the Ockto app.
First and foremost, we did this to make our solution as secure as possible. The data is already stored at the source and, where relevant, is sent to the recipient and stored again there. Temporarily storing it in the Ockto app would add a third location and would therefore, by definition, be less secure.
The most recent customer data
Equally important is that service providers want to receive the most up-to-date information. If the personal data is first stored and only shared with the service provider at a later date, a large part of the personal data may no longer be current and may therefore be less valuable.
After all, the service provider does not want to know where the person lived last week or yesterday, but what their current home address is. The service provider is less interested in last month’s salary than in the salary currently earned and registered.
Ockto thus also serves as a gateway; the personal data retrieved via Ockto is accessed and shared with the service provider and then immediately deleted.
Storing creates a stronger identity
As consumers increasingly start using Ockto to communicate their identity, this ‘gateway’ approach appears to have a drawback.
If a service provider needs additional personal data from the same person via Ockto at a later point in time, that person must identify themselves again within the Ockto platform. The service provider must then compare the newly obtained identity with the previous identity to ensure it is the same person.
Service providers also want to start using Ockto as a means by which an individual can sign an agreement and therefore expect consumers not to have to identify themselves again. So, storing identity in the Ockto app is a need we will address in the near future.
ID wallets & the European Digital Identity
For this, we will leverage the concepts developed under the framework of the European Digital Identity (EDI) and ID Wallets. Within an ID Wallet, a consumer can store their (self-sovereign) identity.
The current Ockto app will transform into an ID Wallet where an individual’s identity is kept. The Ockto app will then be inseparably linked to the identity of that person and can be used, for example, to sign contracts and for verification and authentication purposes.
Simple use cases versus the more complex practice
The architecture of the European ID wallet is still somewhat unclear when it comes to stating a preference for a ‘vault’ or a ‘gateway’ approach. The usage scenarios on which the architecture is based are simpler than the complex markets in which Ockto operates (mortgages, consumer credit, tenant acceptance).
These usage scenarios assume the ability to share some (identity) attributes and/or claims, which would eliminate the need to share a lot of personal data.
This is a good goal, but we think it will take some time before a lender will be satisfied with an answer from an ID wallet like “Yes, I can afford this property”, or “Yes, I earn enough for this loan”. This is quite different from the oft-used example of “Yes, I am over 18”.
For now, more complex services will still require a lot of personal data to be provided by an individual to a service provider. As far as we are concerned, storing all these pieces of information in a wallet is not the right answer. The main issue should be that an individual can easily, quickly, and securely retrieve and share data and that the service provider can process that data in a way that is coherent with its service.
In the coming years, the domain in which Ockto finds itself will become increasingly dynamic. We will ensure that our platform stays ahead of the game and current with European and national developments, always keeping the interests of consumers, citizens, and our customers at the forefront.
Paul Janssen explores the evolving landscape of secure and ethical data sharing, the European ID wallet, and its implications for Ockto customers. He wrote a couple more insightful articles on the subject of ID wallets (in Dutch), for example on the developments he expects in the coming years that will affect parties in the financial sector.