
Keyring wallet senior engineer Alberto Leon demonstrates the app.
Photo by Grace DuVal
Worried about how online firms use data they get from you?
Berkman Klein researchers unveil new tool to verify identity, let users limit information they share, where it is stored
In our increasingly online lives, convenience has come at a cost.
The average person has more than 100 online accounts, and creating a new one often requires handing over personal information like an email address or a birthdate.
Researchers at the Applied Social Media Lab at the Berkman Klein Center for Internet & Society say the current system puts your privacy at risk and makes you more vulnerable to identity theft, and they have a plan to fix it.
As part of a digital identity symposium in April, engineers from ASML launched the Keyring wallet, an open-source identity verification tool. Rather than surrendering personal data to be stored in corporate databases, Keyring lets users keep their information on their mobiles and disclose only what is absolutely necessary to verify who they are.
“Identity is actually deeply personal,” said ASML principal investigator James Mickens, Gordon McKay Professor of Computer Science at Harvard John A. Paulson School of Engineering and Applied Sciences. “Your age, your name, your location, your gender — all of these are inextricably tied to you as the user, not to some company or some particular piece of technology.”
During the symposium, researchers described what they see as an increasingly insecure digital identity ecosystem. Meg Marco, senior director of ASML, said individuals have too much data spread out over too many accounts they don’t fully control.
“This is important, not only because it is annoying. It is also insecure,” Marco said. She pointed to the 2022 breach of the password manager LastPass’s cloud database, in which hackers obtained copies of tens of millions of users’ encrypted data.
Keyring, which was developed in collaboration with the Linux Foundation’s Decentralized Trust Graph Working Group, was designed around a user-owned identity wallet where users can share a specific but limited aspect of their identity. That might mean revealing their age but not their birth date, or showing that they possess an account with a specific email provider without disclosing the username.
To use the wallet, users prove their identity through biometric data such as a fingerprint or face scan, which is only stored on the user’s cellphone. They can also add verifiable credentials like a digital version of a driver’s license or proof of employment.
Keyring also supports verification of in-person connections without a company operating as an intermediary — for instance, two people who meet at a professional conference could securely verify their identities and confirm they met in person without handing over their data to a service like LinkedIn.
Each securely verified connection contributes to what researchers call a decentralized trust graph: There is no centralized database of identity data, but each user can be sure of the credentials of everyone in their network.
“Our hypothesis is that this type of trust graph can help address important challenges in social media, such as distinguishing people from AI agents, providing age assurance or determining the origin of certain content,” said principal engineer Brendan A. Miller.
Nicole Brennan, senior UX designer, said one of the main goals for Keyring was ease of use. “We were handed a problem nobody had solved. We had no UX patterns, no templates, no precedent. And we built something that a real person can pick up and use in seconds,” she said.
According to Yajaira Gonzalez, a product leader at ASML, the technology’s main challenge is buy-in from institutions, governments, and corporations, because they would need to issue and recognize verified credentials. Without their participation, the system is limited to peer-to-peer or experimental use.
“Incentives for all of these entities to join into this model are misaligned,” Gonzalez said, “because currently they do benefit a lot from owning and controlling your data, because at the end of the day, they monetize it.”
Gonzalez said there may be technological workarounds, but her main hope was for a grassroots movement demanding greater agency over user data.