Well, here we are again. Another day, another cheerful email from a company letting me know that my data has gone on an unscheduled field trip. This is the umpteenth time a company has reported a data breach. Or rather, bothered to admit one. It’s one in a long, drearily predictable line of privacy and security invasions, once again, I’m left to watch helplessly from the digital sidelines.
We simply have to trust that a booking site, our local grocery store, an online retailer, or our smartwatch manufacturer will handle our personal information with the tender loving care it deserves. And what do we get in return for this blind faith? A polite, belated email and a free year of credit monitoring that I neither asked for nor will likely ever use. How thoughtful. I’m practically weeping with gratitude.
Now, I’m sure companies, institutions, and governments are doing their absolute best to put up defenses. They know that our trust hinges on how frictionless and secure our data sharing takes place. Beyond understanding that a breach could have “huge repercussions” (shocking insight, that), it’s also an issue that’s been “on the radar more and more.” Who doesn’t love a good crisis-management meeting? I hear the catered sandwiches are excellent.
The trade in personal data on the dark web is, as you can imagine, absolutely booming. Business has never been better! Malware attacks, phishing emails, impersonation, social media snooping; it’s a veritable buffet of ways to erode whatever trust we have left. And it doesn’t exactly help when we learn that “it was a technology partner dropping the ball”, or a “user” at an agency who simply forgot to secure their system. You know the greatest hits: the password that was password123, the database left wide open because someone thought “security through obscurity” meant hiding it behind a potted plant. It’s deeply comforting to know the fate of our digital lives rests in such capable, caffeine-deprived hands.
The common refrain, naturally, is that it’s all our fault. We “dumb users,” apparently blissfully ignorant of security measures, should have somehow prevented multinational corporations from getting hacked. How silly of us! And yes, I admit I’m the nerd who takes it seriously, with my password managers, two-factor authentication, the whole paranoid toolkit. But when you need to book a flight or sell a car, and the transaction grinds to a halt unless you cheerfully fork over your name, address, payment details, inside leg measurement, and mother’s maiden name, avoiding these digital tollbooths is practically impossible.
So here’s a radical thought: how can it be that we, as consumers and citizens, don’t yet have our own personal data vault? You know, a place where we control what gets shared, when, and with whom?
“But Roland,” I hear you cry, “that sounds terribly inconvenient! Think of all the extra clicks!” Yes, because the current system of quarterly data breach notifications and identity theft cleanup is the height of convenience. And sure, having to approve each data request might slow things down by a few seconds. Heaven forbid we sacrifice a fraction of our precious convenience for actual control over our digital lives.
This isn’t some pie-in-the-sky fantasy either. We’ve already seen a glimpse of this technology right here in the Netherlands with the COVID app. The government, in a rare moment of clarity (I know, I was surprised too), understood that health data needed strict protection and user control. Your data stayed on your phone. You decided whether to share it. Revolutionary concept, really.
The same model could — and absolutely should — be applied to all our personal data.
Picture this: a tool that you own, unlocked only with your DigiD, using an app strictly tied to you. You decide, case by case, whether someone gets access to your data, and exactly what data they get; all timestamped and issued with tokens that automatically expire after specific actionsor time limits.
Imagine booking a trip. The airline needs your passport info? Fine. But instead of dumping all your details into their perpetually vulnerable database, they get a limited, temporary pass to exactly what they need for exactly as long as they need it. Booking confirmed? Poof. Access revoked. The hotel needs your name for the reservation? They get it for check-in, then… goodbye. No permanent copies cluttering their servers like digital hoarding.
Your credit card company needs payment authorization? They process the transaction and lose access immediately afterward. No storing, no “customer insights,” no mysterious data retention policies written in legal hieroglyphics.
And the communication about it all? It resides in your own personal data vault, opened up only if and when needed and when you decide to share it.
Of course, this isn’t pure fantasy. We’ve already seen early hints of how this could work. In the Netherlands, no less. The Yivi app (formerly known as IRMA), for example, lets you reveal only the data that’s needed: your age, not your full birthdate; your city, not your full address. It’s open source, privacy-first, and built by people who actually seem to understand what minimal disclosure means. Imagine that.
And then there’s the W3C (the folks behind the web itself) who’ve been quietly working on something called verifiable credentials. These are digital proofs that let you share just enough information to get something done, without handing over the keys to your entire identity vault. The EU’s Digital Identity Wallet project is already testing this: a single app where you control your data, consent to its use case by case, and revoke it when you’re done. A little late to the party, sure, but at least someone brought snacks.
Still, what we don’t yet have is the one thing that actually matters: a system that’s usable by normal people. A consumer-grade solution. Elegant. Portable. Practical. No fiddling with five different ID standards or being asked to understand what a “revocable token” is. Just a simple way to say: yes, you can see this one bit of data, for this one thing, for a short while; then it’s gone.
The technology exists. The standards are almost there. The breaches? They just keep rolling in. According to Surfshark, in 2024 alone, the number of breached accounts jumped nearly eightfold — from around 730 million in 2023 to over 5.5 billion.
So maybe the missing piece is… us.
The only question we need to answer is: “are we really content to keep playing digital roulette with our identities?”
Because frankly, I’m getting tired of being shocked.
Comments are closed