by
Mark G. Haley
Jun 1, 2021

Whose Data Is It Anyway?

Like many of us, I recently checked into a hotel for the first time in well over a year. When I presented my ID and payment for what was supposed to be a contactless check-in experience, my first thought was that the guest service agent needed very good eyesight to be able to read the driver’s license in my hand from that distance through the poorly mounted plexiglass shield.

Whose Data Is It Anyway?

by
Mark G. Haley
Jun 1, 2021
Data Privacy
Share

Like many of us, I recently checked into a hotel for the first time in well over a year. When I presented my ID and payment for what was supposed to be a contactless check-in experience, my first thought was that the guest service agent needed very good eyesight to be able to read the driver’s license in my hand from that distance through the poorly mounted plexiglass shield.

My second thought was before long an emerging technology will be helping travelers and travel suppliers (us hoteliers) in many ways, not to mention countless other industries that rely on trust and knowing who your customer is.

This technology is called self-sovereign identity (SSI) or decentralized digital identity. The underlying concept is to use blockchain technology (a real application for blockchain!) to securely store an identifier called a decentralized ID (DID) that the individual (i.e. the guest) creates and owns. The DID references off-chain encrypted and secured storage containing data describing that individual and provides a secure place to host valuable information.

This data could be a Spotify playlist, a guest profile they use when making a hotel reservation, their COVID-19 vaccination credentials or even a digital driver’s license or national passport. The individual owns this storage. It, along with a DID and numerous new protocols, enables secure peer-to-peer (P2P) communication between two or more parties such as a booker and a hotel. This communication allows accurate, verified and encrypted information about a consumer, corporation or even a thing, to pass securely between parties. Other pieces of technology and standards-based processes serve to orchestrate the entire suite of transactions seamlessly. These standards, now under rapid development, are public and open-source.

The consumer controls this info with what is most likely a mobile device app. It lets them control who receives what information about them. A guest may need to share their name, address, photo and confirmation of employment to qualify for a hotel check-in at a corporate rate.

The “self-sovereign” part of the name means the consumer owns the data and controls the release of it. This concept flips existing metaphors for identification and profile, where a centralized resource drives identity. Under SSI you holder the credentials and choose what to share with trading partners rather than logging in to see what information they have about you. You’re in full control of your personally identifiable information (PII). Meanwhile merchants and others can be confident that the you are who you say they are and your address, age, and photo have all been verified.

The beauty of SSI is that identity, and derivatives like personal information and digital credentials, can be verified and trusted without going back to the source for verification. In the same way you show your driver’s license only when you pull it out of your wallet, you only need share your SSI credentials when you decide to.

How does all this work?

Let’s start with the consumer, or identity holder. We’ll give her a mobile phone with an application she can use to manage her SSI credentials. She might call it a digital wallet but in the SSI world it’s a “user agent.”

With her user agent in hand, she controls her decentralized identifiers and who gets them. These encrypted credentials are stored on a blockchain, aka “distributed ledger.” The universal resolver provides access to the DIDs to or from many kinds of applications, vendors and implementations.

The identity hub replicates and stores data in a mesh to facilitate interactions, especially DID attestations. These are the trust mechanism, providing standards-based verification of credentials and claims. All of this working together provides authenticated communications with hotels, banks, airlines or others. The encryptions, attestations and distributed ledgers prevent fraud and drive trust. It all relies upon the well-known decentralized public key infrastructure (DPKI) toolset for verified encryption/decryption.

Self-sovereign identity is an idea that’s time has come. One obvious application is in the burgeoning arena of COVID-driven “vaccination passports.” A simple to use, difficult to forge, fully certified proof of vaccination will go a long way toward restoring confidence in the safety of travel. Countless entities are working on such applications, ranging from large organizations like IATA (Travel Pass) and IBM (Digital Health Pass) to startups launched during the pandemic. In fact, one problem with such health certification applications is that there are likely to be too many of them from too many sources. That raises questions like will the same ones be accepted in Europe and in Asia?  

Vaccination certification is only one class of applications. Think about loyalty programs. A fully loaded SSI implementation could support status matching across programs or push a change of address out to all the loyalty programs (or other such entities) you belong to. Hotel check-in could become truly seamless with a wave of your mobile device replacing a driver’s license inspection, exchange of payment card information or signing a registration card.

In short, the potential applications for hotels are countless. A general benefit is to reduce the need to capture and store PII in your systems. This might lead to a reduction in credit card information storage, which, in turn could decrease PCI risk and compliance costs. Another potential use centers on the ability to store hotel stay details and release them when you give the OK. If a guest writes a review of your property and can use SSI to prove they actually stayed there, the site can be marked their review as coming from a verified stay. Or if someone asks for a loyalty program to grant elite status based on status in a competing program, you can verify their claims of “50 room nights last year.”

There are many organizations of widely varying sizes in this decentralized identity space. A number of them are focused on travel, such as Evernym (https://www.evernym.com/), which developed the technology supporting the IATA Travel Pass (https://www.iata.org/en/programs/passenger/travel-pass/).

Microsoft and IBM are also active in this arena. One non-commercial resource is the Decentralized Identity Foundation (DIF): (https://identity.foundation/), which works to define and publish relevant standards and protocols (see sidebar on page 126 by Nick Price).

Mark Haley and Mark Hoare are Partners at Prism Hospitality Consulting, a boutique firm serving the global hospitality industry in technology and marketing. Managing system selection efforts is a core practice area. For more information, please visit prismhospitalityconsulting.com.

Mark Haley is a partner at Prism Hospitality Consulting, a boutique firm servicing the global hospitality industry at the intersection of hospitality technology and marketing. For more information, please visit https://prismhospitalityconsulting.com.

Let's Get Digital

7 Questions to Ask Before You Invest in a Hotel Mobile App

DOWNLOAD

Make a Better PMS Choice!

Not all properties are ready for PMS in the cloud. The good news is, at Agilysys it’s your choice on your timing. State-of-the-art leading PMS in the cloud or on-premise PMS. Either way we say YES.

DOWNLOAD