Proving who you are, protecting your details from criminals, sharing your data and keeping some information private have always been part of life. But the digital world has magnified our risk of losing control of these activities. Blockchain may provide some solutions for identity management.
Perhaps you’re surprised to hear that you don’t own your identity? How could anyone take away your identity?
This is the first in a series of articles about the management of personal and digital identity. It will outline what the problem is and give an introduction to how blockchain technology may provide some solutions. Later articles will explore some of the ideas and applications that are emerging from entrepreneurs and developers.
So who’s taking your identity from you, and how can you reclaim it with the help of blockchain?
Losing your identity
Identity is about who you are, or the attributes and qualities that make you different from others. Some of these are personal — your personality, your family, your looks. Others are about where you live, your banking details, your birth date, your identity number, social security number or passport number, your academic qualifications, your medical records. And today you also have a digital identity — this is the full body of information about you that exists online.
Identity fraud is perhaps the loss of identity that is easiest to understand — although it can be extraordinarily difficult to reclaim. This is where someone deliberately takes over some of the attributes that identify you — your ID number, your email address, your banking details — and uses them to pretend to be you. Sometimes this can quickly be detected — for example if someone is using your credit card details to make online purchases.
However, many people are completely unaware that someone else is using their details and living a “parallel” life somewhere else. It’s only, for example, when they try to buy a house or take a loan or change their marital status that they discover that their credit rating is a disaster or that, according to the records, they are already married or even that they are dead and all the insurance money has been paid out!
An article I read recently is titled “If you’re online, you’re getting scammed”. It lists the phishing (by email), vishing (by phone call), SMishing (by text) and other methods used by criminals to get us to part with our information. No matter how careful we think we are, all of us are vulnerable to cybercrime.
Poor identity management
More difficult to understand, perhaps, is how loss of privacy has been creeping up on us and how we lack control over our personal identities.
Much of this is of our own making. We share information too freely online, very often without reading any fine print or conditions. We use the same password for everything. We allow the system to save credit card details and codes so that we don’t have to re-enter them for every online purchase.
This means that multiple companies, other individuals and government organisations are in the identity management business.
Unfortunately, many of these organizations are not good at keeping this information secure. Even large tech organisations like Google and Facebook have had their systems hacked, leading to the private information of millions of people being compromised. Any centralized database is also a potential central point of failure.
Much of what is “out there” as part of our identities is also inaccurate or out of date. There isn’t one central repository for all of our information. Instead there is a sprawling web of private information, linked to unique identifiers for each separate application we have used. This is almost impossible to keep track of or to keep updated.
Proving your identity is not new. We’ve just changed how this verification happens. We’ve moved from the imprint of your ring in a wax seal to providing a paper version of your birth certificate to the need for passwords, biometric scanning and 2-factor authentication on digital devices.
One of the frustrations of modern living, however, is that you have to keep on supplying the same information. Who has tried to open a second bank account at the same bank as your first account, and found that you are treated as if you were a stranger to the bank? And what about the multiple organizations that have know-your-customer (KYC) and anti-money-laundering (AML) protocols? How many times have you had to provide your details?
In all of these scenarios, there is generally one foundational document that is regarded as the most trustworthy. This may be an identity document, a birth certificate or a social security number. This raises a problem if the document has been lost or stolen, destroyed in a fire, or left behind by a refugee fleeing his country. According to the World Bank, there are a billion people around the world without proof of identity. 81% of them live in Sub-Saharan Africa and South Asia.
Not being able to prove who you are can have catastrophic results, including an inability to access even the most basic services. It certainly removes access to financial services.
Monetization of identity
A more subtle way of losing your identity, but one becoming more pervasive, is monetization of identity. At the moment, users cede the rights to their personal information whenever they use a company’s online services. If we use Google and Facebook as examples, we see how this massive store of data has been leveraged to earn billions of dollars in advertising revenue. According to Statista, 25% of global ad-spend goes to these two companies. That’s a quarter of approximately $600 billion!
You and I have very little control over this. We know that our information is being used as we see the very focused advertisements that are sent to us — based on algorithms to interpret our preferences. This may provide a level of ease and convenience, but it certainly is invasive. The alternative is to refuse to allow the use of our information — and have access to the sites cut off.
This raises an important question: who has the right to profit off our identity?
Blockchain as the solution to identity management
Up to now, credit agencies, banks and social networks have been the gatekeepers for our identities. However, this is an area that seems ripe for disruption, as entrepreneurs and developers are designing new solutions, many of them based on blockchain technology.
These solutions are based on key concepts such as self-sovereign identity and trust.
A self-sovereign identity is one that you own. You create it, and you manage it. It provides all the credentials needed to interact with either the physical or the digital world, without the need for a centralized authority. The ID can add information about you, such as social security information, medical records and social media credentials.
Such an ID would do away with the need to produce documents and paperwork to verify identity. It can be done with a single key that can be matched against an immutable ledger.
Creating such an identity depends on cryptography, where a pair of cryptographic keys is generated — one public, one private. Anyone can view the public key but only the owner has access to the private key. He/she can demonstrate ownership of the public key — and therefore ownership of the identity — by using, but never showing, the private key.
An app will create a unique digital identifier (a large random set of numbers and letters) and the pair of keys. The identifier and the associated public key are stored on the blockchain. The private key, which is also a very large set of numbers and letters, must be stored separately and securely by the owner.
So, in a way, setting up a self-sovereign identity is very similar to setting up a wallet for cryptocurrencies. The way they work is similar — and the need for security in dealing with them is also similar. Please read our article “Wallets for dummies — how to protect your crypto” to learn more about this very important topic of key management.
The data can be accessed, changed or used only by someone who has access to the private key. The individual has control of the data, not some company that is monetizing it.
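The ownership check described above can be run as a challenge-response. The following is an added example, not code from the article or from any identity project: a Schnorr proof over secp256k1 using only the Python standard library, where the `ledger` dictionary standing in for the blockchain and all function names are assumptions, and the curve arithmetic is illustrative rather than constant time.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime (curve used by common crypto wallets)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    out = None
    while k:
        if k & 1:
            out = add(out, point)
        point, k = add(point, point), k >> 1
    return out

def digest(R, pub, challenge):
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *pub)) + challenge
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def register(ledger):
    """Create identifier and key pair; publish only identifier and public key."""
    identifier, priv = secrets.token_hex(16), secrets.randbelow(N - 1) + 1
    ledger[identifier] = mul(priv, G)
    return identifier, priv

def prove(priv, challenge):
    """Schnorr proof: uses the private key, reveals only (R, s)."""
    k = secrets.randbelow(N - 1) + 1
    R = mul(k, G)
    return R, (k + digest(R, mul(priv, G), challenge) * priv) % N

def verify(ledger, identifier, challenge, proof):
    """Relying party checks s*G == R + e*pub against the ledger's public key."""
    (R, s), pub = proof, ledger.get(identifier)
    if pub is None or (R[1] ** 2 - R[0] ** 3 - 7) % P:  # unknown id or R off the curve
        return False
    return mul(s, G) == add(R, mul(digest(R, pub, challenge), pub))
```

The relying party generates a fresh random challenge for every check, so a proof captured for one challenge does not verify against another.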
Blockchain and trust in personal IDs
There may be some misunderstandings when we talk about trust and blockchain. Blockchain in itself does not add trust, but it enables trust.
- A government department goes through the process of verifying the identity of Citizen X. Part of the process includes a blockchain component that anchors certain attributes and a verified status. (An example of this is the Illinois Blockchain Initiative which aims to register birth certificates on a blockchain.)
- Citizen X now has a record that is immutable, and it is given credence because the record was verified by a trusted “brand” like a government department.
- The original record is immutable, but events can be updated. This can be done only by someone who has the private key to the particular blockchain address.
- Citizen X also has a visual representation of the blockchain attributes registered on an app and in an online wallet as described earlier. (This is where opportunity lies for developers and entrepreneurs who can come up with different ways of managing this part of the process).
- If Citizen X then wants to open a bank account with Bank A, he/she can choose to share the relevant contents of the wallet. Bank A can query the blockchain and find that the identity has been verified by a trusted party — the government. It is then possible for the bank to open an account without having to start from the beginning in verifying Citizen X’s identity.
Important in all of this is that Citizen X has the power to release only those details from the record that are required. He/she can control who has access to the data.
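One way to implement the flow above so that Citizen X releases only the required details, as an added example that is not from the article or from any of the projects it names: the issuer anchors a digest of salted attribute hashes, and Bank A recomputes it from what the holder discloses. The list-based `ledger`, the function names and the sample values are assumptions, and the ledger's `issuer` field is assumed to be authenticated by the chain.

```python
import hashlib, json, secrets

def commit(name, value, salt):
    """Salted hash of one attribute; the salt blocks guessing of low-entropy values."""
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()

def root_of(commitments):
    """One digest over all attribute commitments, independent of their order."""
    return hashlib.sha256("".join(sorted(commitments)).encode()).hexdigest()

def issue(ledger, issuer, subject, attributes):
    """Issuer verifies the attributes off-chain, then anchors only a digest."""
    wallet = {n: (v, secrets.token_bytes(16)) for n, v in attributes.items()}
    root = root_of(commit(n, v, s) for n, (v, s) in wallet.items())
    ledger.append({"subject": subject, "issuer": issuer, "root": root, "status": "verified"})
    return wallet  # values and salts stay with the holder, off the ledger

def present(wallet, reveal):
    """Holder shows the chosen attributes in clear and the rest only as hashes."""
    shown = {n: (v, s.hex()) for n, (v, s) in wallet.items() if n in reveal}
    hidden = [commit(n, v, s) for n, (v, s) in wallet.items() if n not in reveal]
    return {"shown": shown, "hidden": hidden}

def check(ledger, trusted, subject, presentation):
    """Relying party recomputes the digest and looks for a trusted, verified anchor."""
    hashes = [commit(n, v, bytes.fromhex(s)) for n, (v, s) in presentation["shown"].items()]
    root = root_of(hashes + presentation["hidden"])
    return any(e["subject"] == subject and e["root"] == root and e["status"] == "verified"
               and e["issuer"] in trusted for e in ledger)

def demo():
    """Constructed sample data: Citizen X, a government issuer and Bank A."""
    ledger = []  # stand-in for the blockchain (assumption)
    wallet = issue(ledger, "gov-registry", "citizen-x",
                   {"name": "Citizen X", "birth_date": "1990-01-01", "national_id": "X-0000"})
    shown = present(wallet, {"name", "birth_date"})
    ok = check(ledger, {"gov-registry"}, "citizen-x", shown)
    forged = {"shown": {**shown["shown"], "name": ("Citizen Y", shown["shown"]["name"][1])},
              "hidden": shown["hidden"]}
    return ok, check(ledger, {"gov-registry"}, "citizen-x", forged), "national_id" in shown["shown"]

if __name__ == "__main__":
    print(demo())
```

Only the digest reaches the ledger, so the undisclosed `national_id` is visible to Bank A as a hash and nothing else.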
Another example comes from the Malaysian Ministry of Education, which is embedding QR codes into certificates issued to students who have completed degrees at Malaysian universities.
- This e-Scroll system is based on the NEM blockchain.
- It will prevent degree fraud and obviate the need for universities to respond to thousands of queries from around the world from potential employers and other educational institutions.
- It protects genuine graduates from the flood of “fake” graduates presenting fake certificates all around the world. It protects the reputations of the universities. And it protects the general population — for example against unqualified doctors or engineers.
The blockchain is therefore part of setting up a multi-party chain of trust and verification. As the content is updated it also represents a history of who you are.
Examples of approaches to identity management on blockchain
There are many examples of new approaches being developed to manage identity on a blockchain. Some of them include:
- Attest (working with Deloitte)
- Evernym, with its blockchain Sovrin
We will look at the technicalities of these approaches in our next articles in this series on personal and digital identity.
There are many issues to be addressed. Not least is incentive. Where will the funding come from to finance the development of these applications? Certainly not from established companies wanting to hold onto their power over information. On a technical level, the challenge is about how to connect digital with physical identities. There’s also a question about a privacy infrastructure and whether there should be regulations and some legal and enforceable rules.
Blockchain and identity — how they go together
Security, privacy and identity, in the final analysis, are about human beings. Even as we talk about blockchain as the answer to problems we must remember that this is simply a technology. There will always be people somewhere in the process. And the owner of the identity must be the central party, with the ultimate control. Having control over crypto keys may be the most important part of this.
However, with blockchain it seems that there may be a chance to reclaim our identities and to return some privacy to our lives.