Civic, Evernym and uPort are start-ups that believe in the right of individuals to own their identities. Here is an overview of their blockchain-based solutions for identity management.
Our previous article on identity management described how it is possible to lose control of our identity. It highlighted the concepts of self-sovereign identity and trust and showed how blockchain solutions are providing a way for us to regain our privacy and reclaim our identity.
This article describes the approaches taken by three start-ups to set up self-sovereign identities.
In following articles, we will look at use cases for these identities and also at initiatives to gain official acceptance and coordination across governments and businesses.
Start-ups with blockchain solutions to identity management
In January 2018, representatives of 3 start-ups took part in a panel discussion about digital identity. They were part of the Silicon Slopes Summit in Utah, USA, that attracted 15,000 delegates.
· Vinny Lingham, founder of Civic, which proposes to provide every person with a digital identity
· Timothy Ruff, co-founder and CEO of Evernym, which wants to help people manage their “sovereign identities”
· Michael Sena, who heads product at uPort, an identity service built on the Ethereum blockchain
While they have different technical solutions, they were in agreement on some key principles. Primarily they agreed that it was necessary to counter the large monopolies that were starting to control people’s identities — and that distributed, tamper-resistant databases were a solution.
Lingham highlighted the massive data breach at Equifax in 2017. Equifax is one of the USA’s largest credit reporting agencies, and the breach in security made the highly private personal and financial information of 145 million people available to hackers. Current centralized databases — such as Equifax — are like honeypots to hackers. And if the system is compromised all of the information is compromised.
Timothy Ruff said that in a decentralized blockchain world, “There is no big pile of data — it doesn’t exist.” Instead of data being held on a small set of web servers and controlled by a single business, it is distributed across a sprawling network of servers.
Michael Sena from uPort went further, saying that to be truly in control of their own identities people couldn’t rely just on the decentralized network. They actually needed to be in control of the cryptographic keys that allowed them to interact on the blockchain.
So, it’s not blockchain per se that is the answer to the identity problem — it’s the technical solution built on the blockchain that will matter.
Here is an overview of the key features of the technical solutions of Civic (built on the Bitcoin blockchain), Evernym (built on Hyperledger) and uPort (built on Ethereum).
Well-known internet and crypto entrepreneur Vinny Lingham is the founder of Civic. The vision is to provide every person with a digital identity that will allow them to interact privately and securely with the world. The costs and inefficiencies of identity verification should be eliminated and there should be security and privacy for all interactions.
Associated with Civic is a decentralized platform called Identity.com. According to Lingham,
“Identity.com is designed to connect users, requesters, and validators around the world to enable reusable identity verification, powered by Civic tokens (CVCs).”
The Civic platform is built on the Bitcoin public blockchain and relies on the power of the hash for information security. So, for example, the entire contents of the Cambridge Dictionary would be represented by a 64-digit set of numbers. If a single change were to be made to the dictionary, it would return a different number. This number is called a hash. A cryptographic hash will be a record that the data exists and that it hasn’t changed, but not what the content is. Only someone with a private key will be able to access the content.
Put simply, Civic works like this:
· A user signs up to the Civic app
· The app collects identifying information about the user
· The information is verified against a third party verification agency or government department, depending on the country
· Civic creates a cryptographic hash of all the information and stores it on the blockchain
· All personal data is then erased from the Civic servers
· Users who need to prove their identity or any personal information with another service, provide only the information asked for by the new service. The service can download the Civic software tools to check the information against the hash on the blockchain. If it matches, the new service can be sure that they are dealing with authenticated data.
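The steps above leave open how one stored hash can confirm only the fields a service asks for. One common construction is a salted Merkle tree, sketched here as an added example; it is not Civic's code, and the field names, salt size and tree layout are assumptions.

```python
import hashlib
import hmac
import os

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(name: str, value: str, salt: bytes) -> bytes:
    # A per-field random salt stops anyone from guessing low-entropy values
    # (birth dates, countries) by hashing candidates against public data.
    return _h(b"\x00" + salt + name.encode() + b"\x00" + value.encode())

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # pad odd levels by repeating the last node
        levels.append([_h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))  # (hash, sibling_is_left)
        index //= 2
    return path

def verify(root, name, value, salt, path):
    node = leaf(name, value, salt)
    for sibling, sibling_is_left in path:
        node = _h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return hmac.compare_digest(node, root)

# Constructed sample attributes (hypothetical field names and values).
ATTRS = [("name", "Alice Example"), ("birth_date", "1990-04-01"), ("country", "US")]

def demo():
    salts = [os.urandom(16) for _ in ATTRS]  # salts stay on the user's device
    levels = build_levels([leaf(n, v, s) for (n, v), s in zip(ATTRS, salts)])
    root = levels[-1][0]      # the only value that would be anchored on the ledger
    path = prove(levels, 1)   # user discloses birth_date, its salt and this path
    genuine = verify(root, "birth_date", "1990-04-01", salts[1], path)
    forged = verify(root, "birth_date", "2005-04-01", salts[1], path)
    return genuine, forged
```

The requesting service learns one field and two sibling hashes; the name and country stay undisclosed, and an altered birth date fails against the anchored root.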
What is especially powerful about the Civic system is that it does not store any user information. It can affirm your identity, but it doesn’t actually hold any of your information. Neither does the information being checked by another service move through the Civic servers. The user’s information remains on the user’s devices and so can never be hacked, even if there were to be a hack of the Civic system or in the systems of any one of the services requesting authentication.
This means that provided you keep your personal devices secure, you can prove yourself whenever you need to, but nobody has your ID or personal information.
Despite the cleverness of this solution, and despite dozens of users signing up each week, Vinny Lingham is realistic about how long it will take to move into mainstream use. He says that Civic will start with small projects like vending machines and website logins. Later it will move to social media applications and dating sites.
The vending machine application is a joint venture between Civic and the brewing company AB InBev to verify that purchasers of beer from the machine are over the legal age of 21. While this is a very simple use case, it is the first time that liquor-vending machines have been possible in the USA, as there have been concerns about faking driver’s licenses and ID documents.
Evernym, Inc. was founded in 2013 and is based in Draper, Utah. It is a startup that has developed its own distributed ledger, Sovrin, to help people manage the problem of siloed identities and create self-sovereign identities.
With the growth of the internet, practically every business and billions of people are online. Every time an individual interacts with another entity some form of identity is created. This leads to everyone having a myriad of these “siloed identities”, owned by others, often sold to others without consent and open to fraud and hacking.
This approach to identity is problematic for organizations too. Each one is expected to be an identity provider and security expert. Each one must deal with KYC, AML, HIPAA and GDPR, the latter two being the legislation in the USA and the EU to protect individual data. Each one faces reputational damage should there be any leaks.
Added to this is the identity of “things” — the millions of devices that are connected to the internet. They are also subject to hacking and there is a problem with interoperability — getting various devices to talk to each other.
A sovereign identity, on the other hand, is owned by the individual. Evernym notes that even if a system is developed on the blockchain it will continue the problem of silos if there is someone who retains the power to “pull-the-plug” or change the rules. Self-sovereign means that the individual owns the identity and is not just in control of it. Nobody else can manipulate it or use it in any way or remove any rights.
This identity must be combined with verifiable claims — i.e. it must be possible to verify that an individual, organization or thing is indeed what it claims it is. Only then can there be trust and privacy.
And this is where Evernym has introduced Sovrin, a distributed ledger built on top of the Hyperledger Indy blockchain. This is an open source framework, hosted by the Linux Foundation, and purpose-built for decentralized identity. Evernym has donated its own code to the Hyperledger Indy project. It is not owned by anyone; anyone can use it, and anyone can improve it.
Sovrin recognizes that in the physical world we have to prove our identity with documents like a driver’s license. On the internet, we’re forced to use a patchwork of username-password systems. However, Sovrin uses a system of blockchain-based Decentralized Identifiers (DIDs). These are like secret URLs stored on the blockchain. Each is assigned a part of the user’s identity — name, birth date, social security number, etc. The user has the power to allow or deny access to each DID.
So, for example, if someone wants to sign up for a new app, the typical requirement is to share name, email address and other basic information. With DIDs, the new app shows a QR code which the user scans. Relevant DID information is transferred to the new app and access is granted.
What is encouraging about Evernym is that they are partnering with a significant number of entities to test and validate their technology:
· R3: The project is to develop permissioned distributed ledger-based interoperability for Corda, R3’s platform for bank to bank transactions.
· The Illinois Blockchain Initiative: A government initiative to use birth certificates to establish sovereign identity.
· CU Ledger: A partnership to allow credit union members to protect themselves from financial fraud and identity theft while improving relationships with the credit union. Members will have a lifetime portable digital identity that does not depend on a central authority and can never be taken away.
· iRespond: Evernym is partnering with this global non-profit organization to provide private biometric identification for at-risk populations in countries like Kenya, Senegal, Sierra Leone, South Africa, Thailand, and Myanmar.
Evernym is also working on projects with homeland security, UK doctors, global financial services players and state identity initiatives to advance the achievement of sovereign identities.
The mission statement for uPort is “We believe that everyone has the right to control their own digital identity — how it’s shaped, shared and sustained.”
uPort is built on the Ethereum blockchain and relies on the security it provides and on the power of smart contracts. It also uses IPFS (InterPlanetary File System) technology to allow for off-chain communication.
A uPort identity is really just an address on the blockchain. However, it is a full digital representation of a person (or organization, device, app or bot). What makes it self-sovereign is that it is able to make statements about itself when interacting with smart contracts and other uPort identities, either on-chain or off-chain. It can do this without relying on a centralized identity provider.
uPort addresses the problem of key management — i.e. how to deal with lost private keys without needing a centralized infrastructure. (For more information on this see the explanation given by Pelle Braendgaard, Engineering Lead for uPort.)
The answer is in smart contracts, and especially smart contracts that can be controlled by other smart contracts. In this case, the controller contract is programmed to support key recovery. So, a uPort identity is a smart contract identity rather than a key-based identity.
The uPort identity interacts with the uPort Registry. This is a single smart contract shared by all uPort identities. uPort refers to this registry as a single shared source of truth. It is the infrastructure needed for off-chain sharing and verification of identity using IPFS.
For the technically-minded, and thanks to Pelle Braendgaard, this is the way the app works with the Registry:
· It creates a JSON profile object following the http://schema.org conventions
· The profile JSON is uploaded to IPFS
· Finally it creates a setAttributes transaction on the Registry, which sets the resulting IPFS hash as your public statement
The uPort Registry contract is an on-chain reference point for off-chain data. The data that is uploaded to IPFS is not stored on-chain, only the IPFS hash is. The rationale for this is that most people would not want to have all of their personal data available on a public blockchain.
A person can create a uPort identity within the uPort mobile app and make certain information available to the public in the Registry — a bit like a Facebook public profile. The individual has absolute control over what is and isn’t available. Nothing can be censored or blocked. At the same time, the individual can share other information with others.
uPort has been working with the city of Zug in Switzerland to register citizens’ IDs on the blockchain so that they can participate in government eServices like online voting and proof of residency. In November 2017, the first citizen was registered during a public launch.
Where to from here for identity management?
Many believe that widespread adoption of blockchain-based identity projects will lead to adoption of other decentralized services. The three projects we have described are a step in that direction.
However, until there is official acceptance and coordination across governments and businesses, all of these solutions remain a long way from adoption. Our next article will, therefore, look at initiatives that aim to achieve official acceptance and coordination.