We’re living at a time of unprecedented concern over identity. Fears abound that our personal data is being abused by distant third-parties, while this data has become more valuable to us at a time when our identities and the identity politics we base around them have become more central to our lives. It’s in this context that blockchain technology has appeared, and while its application beyond cryptocurrencies is still limited, protecting our online identities and data more securely looks set to be one of its most central applications.
In its most basic outline, the use of blockchains in the area of securing personal data is simple: Our data is stored in encrypted form on a decentralized network, and we can grant other parties access to (some of) this data by the use of our private keys, in much the same way that using our keys allows us to send cryptocurrency to someone else. By virtue of this basic framework, blockchain tech promises to place control over our data back in our hands, at a time when Facebook and other technology giants have been abusing and misusing it. And seeing as how crypto-giants such as Coinbase have recently moved into the area of decentralized ID, it would seem that it already has strong backing and support within the cryptocurrency industry.
However, as sound as this all is in principle, there are a variety of challenges — some technical, some commercial — that have to be overcome before blockchains can be used at scale to secure personal data. The companies working in this area are all approaching these problems from different angles, yet it would appear that in solving them, a (partial) departure from the ideals of ‘complete’ decentralization is necessary.
And even when the technical challenges are all surmounted, there will still be the issue of weaning people off platforms such as Facebook, which — thanks to the profits of centralization — can afford to offer the public an enticingly ‘free’ and polished service.
Control and privacy
Alastair Johnson, CEO and founder of e-commerce and ID platform Nuggets, Johnson understands the pitfalls of storing masses of ID data in centralized siloes all too well.
“Today, the reality is that individuals do not control their personal data in any meaningful way. On average, a person has personal data — in the form of payment card details, home addresses, email addresses, passwords and other personal details — spread over roughly 100 online accounts. They can access this data but they do not own it.”
By contrast, the use of blockchain tech grants newfound control to the user, who will be empowered to share their ID data only with the parties they approve. This is achieved primarily through the utilization of “decentralized identifiers” (DIDs), as explained by the Sovrin Foundation, which is building a blockchain platform aimed at providing individuals with “self-sovereign identity” (i.e. an ID they can take with them from platform to platform). As it notes in its white paper, “decentralized identifiers” (DIDs) not only encode information that identifies someone as, say, female, Asian, 35, and living in France, but they also circumvent the need for a centralized authority to verify ID claims.
“A DID is stored on a blockchain along with a DID document containing the public key for the DID, any other public credentials the identity owner wishes to disclose, and the network addresses for interaction. The identity owner controls the DID document by controlling the associated private key.”
In other words, a protocol for a suitable blockchain is created, users register their ID data on this blockchain, and then use their private keys to decrypt this data for chosen parties. This is the kind of system also employed by Nuggets, although in its case it’s referred to as “zero-knowledge storage,” since no one else knows what your data says about you. And it’s also the system being worked on by Coinbase, which on August 15 announced its acquisition of ID-focused startup Distributed Systems. Having purchased the San Francisco-based company for an undisclosed fee, it will now develop a decentralized login system for its own crypto-exchange platform that will enable users to retain ownership of their ID credentials.
“A decentralized identity will let you prove that you own an identity, or that you have a relationship with the Social Security Administration, without making a copy of that identity,” it wrote in its press release.
With such a setup, there’s little chance of a Cambridge Analytica-style scandal where data gets shared with unwanted groups or individuals, while it also grants unprecedented power to the individual user, who’s likely to be treated with much more respect by companies now that his data is in such scarce supply. As explained by Johnson, this provides a vast improvement over the current stage of affairs.
“[Personal data] is stored and controlled in a series of centralized databases controlled by institutions such as retailers, marketing companies, utility companies and data reporting companies. In order to make purchases online, individuals simply authorize these different bodies to connect the different pieces of information they hold in order to authorize a transaction.”
However, while the individual user is currently dependent on hundreds of different companies to store and transmit his/her data in order to gain access to the services, the introduction of blockchain technology completely reverses the balance of power. Johnson shares with Cointelegraph:
“Blockchain-based solutions flip this model on its head, so that individuals can store and control their data associated to a digital identity. It is not stored in the centralized databases of third party organizations, it can be stored on the blockchain in a decentralized network. With the individual controlling their data in this way, they are then in full control to ideally not have to share or store anything by using attestations, tokens or references and share it only if and when they choose to do so.”
Yet, this is only the tip of the iceberg, as using blockchain tech to confirm who we are furnishes many additional benefits beyond user control. For one, it heightens privacy, since with many of the platforms being proposed, our ID credentials won’t even be revealed to those parties and organizations requiring their verification.
This is enabled via the use of zero-knowledge proofs (ZKPs), a cryptographic method that can prove a claim without actually sharing the data (‘knowledge’) through which the claim is proven. ZKPs are being implemented by Sovrin and are also planned for use by such startups as Civic, Verif-y, and Blockpass. By using them, these companies will make the process of ID verification simpler and more efficient, while opening up the possibility of storing biometric ID on the blockchain. They’ll spare organizations that verify our IDs the headache of having to securely store personal data after validating it, which in turn eliminates a potential vulnerability, given that these organizations would have normally kept any data they received on a centralized database.
And while not all decentralized identity platforms will employ ZKPs, others will still make use of functionally similar methods. For example, SelfKey harnesses a technique it describes as “data minimization,” which “allows the identity owner to provide as little amount of information as possible to satisfy the relying party or verifier.” This sidesteps the need to develop advanced technologies such as ZKPs, although it raises questions as to what is meant by ‘minimal.’ SelfKey writes that “claims can be signed in a way whereby one could choose to disclose only a minimum of information.” But without a more formal specification of “minimum” and “choose,” it’s conceivable that such functional approximations of ZKPs might end up revealing more data than some users would want.
Aside from providing greater user control and privacy, blockchain-based platforms for verifying ID are more secure than their centralized counterparts. This is because, being distributed among multiple nodes, they won’t suffer from having a single point of failure like traditional ID systems — e.g. government databases, social networks. As such, one or two nodes of a blockchain can become inactive and users will still be able to use it, while the encryption involved prevents any publicly available data from being gleaned for sensitive info.
By removing the single point of failure, decentralized ID platforms make a large, Yahoo! style hack nigh-on impossible. Instead of being able to penetrate a centralized database that houses all user information in a single location, attackers will have to obtain the private keys for every individual on a one-by-one basis, something which is extremely unlikely in practice. Alastair Johnson agrees:
“The major benefit of a decentralized ledger of personal data over a centralized database is the security against hackers that it provides. We’re all familiar with the major data breaches that have occurred in recent years, such as that at Equifax in 2017. These centralized databases act like magnets to hackers who often only need to take advantage of a single vulnerability to either take them down or extract data from them.”
By contrast, decentralized ledgers aren’t so sensitive to cyberattacks. “The hijacking of a single node will not disrupt the ongoing functioning of the ledger, as the other nodes can continue to operate without the compromised node’s involvement and the network requires consensus to prove the blocks.”
Security is part of the reason why the Indian government, for example, is turning to blockchain for its AADHAAR database — the world’s biggest biometric ID system, containing the records of over one billion people – as the country has been the victim of repeated hackings over the past year.
With such a revamped platform, there will be a variety of security benefits. The transparency and immutability of blockchains would mean that users are able to see when their data has been accessed and by whom, thereby providing a deterrent to any would-be hacker. Similarly, this transparency and immutability can be violated only in the unlikely event that a bad actor assumes control of 51 percent of the blockchain’s nodes, which in theory would enable to access data and then erase the corresponding records of this illegitimate access.
AADHAAR currently isn’t blockchain-based, while a comparable project from the government in Dubai to use blockchain-based ID at the international airport is still under construction. However, one government-led ID system than does use distributed ledger technology (DLT) right now is in Estonia. Its KSI (Keyless Signature Infrastructure) Blockchain forms the backbone of various e-services, including e-Health Record system, e-Prescription database, e-Law and e-Court systems, e-Police data, e-Banking, e-Business Register and e-Land Registry.
Once again, the use of the KSI Blockchain provides greater transparency than previous systems, since it detects when user data has been accessed and when it has been changed. And as the e-Estonia FAQ explains, it’s much quicker than traditional platforms in detecting misuses of data:
“[It] currently takes organizations […] about seven months to detect breaches and manipulations of electronic data. With blockchain [solutions] like the one Estonia is using, these breaches and manipulations can be detected immediately.”
Not only are breaches capable of being detected immediately or quickly on a blockchain-based ID system, but they’re more likely to be detected more quickly than with a centralized platform due to their public and continuous access to scrutiny from a wide range of armchair experts and professionals alike, as highlighted by PolySwarm CTO Paul Makowski in a December blog post on decentralized threat intelligence:
“Geographically diverse security experts proficient at reverse engineering or capable of providing unique insight will be able to exercise their knowledge from the comfort of their own home or wherever (and whenever) they choose to work.”
At the present moment in history, the world’s digital identity systems are siloed off from each other, separated in a way that forces people to create new accounts and new data for virtually every digital service they use. This causes personal data to proliferate to dangerous levels, making data breaches and cybercrime much likelier. For instance, the cost of identity theft reached $106 billion in the United States alone between 2011 and 2017, at a time when the average consumer has a staggering 118 online accounts (at least in the United Kingdom, where data was available).
Blockchain-based digital ID systems offer a way out of this. While most chains are currently cut off from each other, standards for sovereign digital identity are being devised by the Digital Identity Foundation (DIF) and the World Wide Web Consortium (W3C). Similarly, a number of startups are building interoperability platforms connecting separate blockchains together, including Polkadot, Cosmos and Aion. By working to achieve an ecosystem in which the standards of one identity platform are accepted by all other platforms that require ID verification, such organizations could dramatically reduce the amount of personal data people need to produce. Instead, users would create an account with one blockchain-based ID service, which they’ll then use to register with a host of other services and systems.