US carriers are making a foray into the world of passwords and digital identity, joining major tech players like Apple and Google. Verizon, AT&T, T-Mobile, and Sprint have teamed up on the release of a single sign-on service for smartphones called ZenKey (formerly Project Verify). ZenKey looks to replace your passwords with a “unique mobile identity,” a system of multi factor authentication which includes a combination of personal information such as your phone number, SIM card details, and account type.
For anyone concerned about privacy, this new offering should feel…questionable. Transforming your device into the key that unlocks all your personal information is risky, as evidenced by recent SIM card attacks. If a bad actor were to gain access to your phone, suddenly they have free reign over your entire digital identity—finances, email, social media, and on and on. This is the same logic behind having a different password for each of your digital accounts.
The privacy problem
Moreso, there are the many reported instances of carriers leaking and selling your location data, leading individuals’ real-time location data to fall into the hands of private prison companies, bounty hunters, and other shady third parties. The telcos highlighted in the report? Verizon, AT&T, T-Mobile, and Sprint, the same four that are partnering on ZenKey. Here, we’re faced with the same conflict inherent in Silicon Valley’s password and single sign-on solutions (think log in with Facebook), namely, should a company that makes money off your data make a privacy product?
The real issue, however, is one we’re all aware of, but may not like to think about— the fact that our phones are powerful tracking devices containing sensitive information such as our medical records, communications, political affiliations, contacts, and location at any given moment. This is why the government has directed so many of its surveillance efforts to mobile technology, collecting hundreds of millions of phone call records, and the location of millions of citizens every year in coordination with the very group releasing ZenKey. How hard do you think it would be for them, or other parties, to gain access to the credentials stored in that system? Would carriers resist these efforts?
In the same way that you might worry about handing your digital information over to companies that have commoditized it, entrusting your personal identity to firms that regularly sign over control to the government could also prove to be a bad idea. Ultimately, these are massive corporations selling a vast spectrum of products and services with varying and often contradictory motivations and incentives—all things you don’t want to have to consider when selecting a security product.
Here’s the thing. Dashlane sells one service, and security is a fundamental component. We don’t know your Master Password, so we never save or share it, and the product’s security architecture ensures that if a third party did request user data, we wouldn’t even be capable of accessing the information you store on our software anyway. But regardless of whether you use Dashlane, the bottom line with ZenKey is this: Don’t sacrifice your privacy for convenience when there are plenty of products on the market that give you both.