Many initiatives have already been taken towards improving identity that tries to incorporate Blockchain as a disruptive technology.
The truth is that traditional identification through centralized entities has not met everyone’s needs. Personal identity is one of the Fundamental Rights recognized internationally by a vast catalog of norms and agreements. For example, see the European Convention on Human Rights (arts. 7 and 8) and the Universal Declaration of Human Rights (art. 12).
The importance of an individual owning his identity is undeniable. Effective social participation would become impossible without a valid form of identification simply because you can’t prove who you are. However, there is a considerable number of problems concerning this issue. All this information is generally centralized in servers and databases, which leads to some challenges:
- Those centralized entities would be the only ones empowered to issue and validate those identities to the subjects they choose under the conditions they stipulate. According to the United Nations, around 1.1 billion people worldwide do not have a proper way of claiming ownership of their identity.
- These entities may be incorrectly using our personal information. Think of Social Media. To use their platforms, you must register (create an identity) in their systems. As users, we rent our identity to these agents without owning it. We enable these entities to sell and license our personal information to third parties.
- Identity theft: Security breaches are currently one of the biggest threats affecting companies that store our personal information in their IT infrastructures. In addition to this, we can verify that in many cases, some “untrusted third parties” may not always act in a legally established manner when sharing our data with other actors. Data custodians often do not correctly notify users about mismanagement or theft of our data.
Blockchain and Privacy Regulations
Blockchain technology, in this scenario, could solve all these problems since it provides its participants with a potential never seen before, even creating the possibility of closely controlling their data (including monetary transactions) on an unprecedented level. Three defining characteristics of this technology are:
- The blocks generally containing encrypted information cannot be easily replicated without a consensus from the Network.
- Blockchain allows the creation of an immutable record.
- Some digital processes can also be considered immutable since they would be recorded in the distributed ledger. Any participant in the Network would have an available and updated copy downloaded to their computers.
Suppose an organization needs to verify our identity. In that case, as operators directly involved in our own data management, we can allow that entity to verify our identity and access personal information with our explicit authorization.
Blockchain does not resolve everything. One of the main regulatory problems is that users have the right to access, rectify, and delete their data. These rights relate to the well-known problem, at least in Europe, of the “right to be forgotten.” Some regulations collide with the blockchain property of immutable data (modification or deletion). Another problem is data localization. Some European laws demand personal data be localized under specified jurisdictions. We all know that blockchain data is distributed across all participating nodes that are spread worldwide.
However, some recent developments seem to resolve the problem of deleting or editing data once the Blockchain nodes have recorded it. They use a hashing procedure over the block contents. Public/private key pairs are created when a new block is made, and repeating the process of “hashing” the information empowers the new block’s creator to delete or modify its content. Unfortunately, these solutions are not yet proven.
Another option is rewriting the Blockchain’s information through a so-called “fork,” which is a consensus of most nodes to create a new version of that Blockchain that includes the changes. After the fork, everybody must use the latest version instead of the original. This solution would be feasible if we’re dealing with private Blockchains. In public Blockchains, the organization responsible for managing users’ data disappears, and an agreed fork to edit data is almost impossible.
Digital Identity requirements
All digital identity systems based on Blockchain or DLT should put the personal data owner’s interests ahead of any interests that third parties may have in that data. Participation in any Digital Identity system should not be mandatory but voluntary: at all times, the user should be able to delete her profile completely. Otherwise, the very basis of the idea of self-sovereign digital identity (SSDI) breaks down.
As established in the applicable regulations for protecting personal information, users must give explicit and informed consent. A third party’s use of the user’s data should be preceded by a clear and straightforward provision of what data are intended to be used, how they will be used, and which third parties will have access to them.
Software developers should structure identity systems so that users’ privacy is enforced by default. The software should be designed with security in mind from the ground up, using the best cryptographic tools, like zero-knowledge encryption.
Some Digital Identity initiatives
Some people are trying to resolve the problems of Blockchain and digital identities. These are evolving projects, and not all of them will survive the regulator’s scrutiny, but it’s worth knowing some of them:
Sovrin is a global decentralized identity network. It provides the missing internet identity layer, enabling individuals and organizations to create portable, self-sovereign digital identities that they control.
The Sovrin Foundation governs the Sovrin Network. The nodes that comprise this Network are managed by third parties and approved by the Foundation. The information can be stored on the Blockchain or pointed to another storage.
Sovrin uses its proprietary consensus algorithm called Plenum, and they claim that it can process thousands of transactions per second.
The project run by Vinny Lingham seeks to turn Civic into a global decentralized digital identity platform. They offer each member $1M in insurance against identity theft. Civic can be used for digital processes such as shopping, securing digital identity, and voting.
Users’ information is stored on their devices and not on the Blockchain or a centralized database of the company. This scheme is a two-way benefit. Due to the different jurisdictions’ privacy laws, no one can sue the company as they do not have any personal information under custody.
The IDs generated by Civic are revocable. The authentication process is between the user’s device and the app or service used.
SmartID is a project based on Ethereum led by the private consulting and financial services firm Deloitte. SmartID stores the person’s information, including their birth certificate, passport, or driver’s license, within a Smart Contract. All the personal data is hashed, and it is this hash that is used as the user identity. In future versions, the user may be allowed to hash parts of their identity or specific documents to control how much personal information they want to share and with whom.
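The idea of hashing parts of an identity so that each part can be shared separately can be sketched as follows. This is an added example, not SmartID's code: the function names, the per-attribute random salts and the sample values are assumptions, and the smart contract that would hold the public record is not modelled. The salts are there because a bare hash of a low-entropy field such as a birth date can be recovered by guessing.

```python
import hashlib
import hmac
import json
import secrets


def commit(name, value, salt):
    """Salted SHA-256 commitment to a single attribute."""
    payload = json.dumps([name, value]).encode("utf-8")
    return hashlib.sha256(salt + payload).hexdigest()


def identity_hash(commitments):
    """Single identifier that binds all per-attribute commitments."""
    canonical = json.dumps(commitments, sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def issue(attributes):
    """Holder side: build the public record and keep the salts private."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = {n: commit(n, v, salts[n]) for n, v in attributes.items()}
    record = {"identity": identity_hash(commitments), "commitments": commitments}
    return record, salts


def disclose(attributes, salts, names):
    """Reveal only the chosen attributes, each with its salt."""
    return {n: {"value": attributes[n], "salt": salts[n].hex()} for n in names}


def verify(record, disclosure):
    """Verifier side: check disclosed values against the public record."""
    if not hmac.compare_digest(identity_hash(record["commitments"]), record["identity"]):
        return False  # commitment set does not match the identity hash
    for name, opened in disclosure.items():
        expected = record["commitments"].get(name)
        if expected is None:
            return False  # attribute was never committed
        actual = commit(name, opened["value"], bytes.fromhex(opened["salt"]))
        if not hmac.compare_digest(actual, expected):
            return False  # value or salt was altered
    return True


# Constructed sample data, not real documents.
SAMPLE = {"birth_date": "1990-04-12", "passport_no": "X0000000", "licence_no": "D0000000"}

if __name__ == "__main__":
    record, salts = issue(SAMPLE)
    shown = disclose(SAMPLE, salts, ["birth_date"])
    print(verify(record, shown), sorted(shown))
```

The verifier learns the birth date and nothing about the passport or licence numbers beyond the fact that commitments to them exist in the record.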
Serto is a secure, easy-to-use system built on Ethereum for a sovereign Blockchain digital identity. Serto is based on the concept that the Blockchain is already a decentralized certificate authority, maintaining the relationship of identities and public keys.
This project seeks to provide an authentication service without logins on compatible sites. They currently only have a desktop client for Mac and Windows.
Self-sovereign digital identity is an evolving project that demands participation from governments, private companies, and people. Since technology and blockchain play a fundamental role in digital identity management, software developments must use state-of-the-art software to easily handle the trade-off between user privacy and security and the ability to operate on open networks. Collaboration between different jurisdictions is essential to provide interoperability across different regions.