Many initiatives and steps have already been taken towards improving identity and identification in the business world that try to incorporate Blockchain as a disruptive technology.
The truth is that traditional identification through centralized entities has not met everyone's needs. Personal identity is one of the Fundamental Rights recognized internationally by a vast catalog of norms and agreements. For example, see the European Convention on Human Rights (arts. 7 and 8) and the Universal Declaration of Human Rights (art. 12).
The importance of individuals owning their identity is undeniable. Without a valid form of identification, effective social participation becomes impossible simply because you can't prove who you are. However, there are a considerable number of problems concerning this issue. All this information is generally centralized in servers and databases, which leads to some challenges:
Those centralized entities would be the only ones empowered to issue and validate those identities to the subjects they choose under the conditions they stipulate. According to the United Nations, around 1.1 billion people worldwide do not have a proper way of claiming ownership of their own identity.
These entities may be incorrectly using our personal information. Think of Social Media. To use their platforms, you have to register (create an identity) in their systems. As users, we are renting our identity to these agents without even having ownership over it. We enable these entities to sell and license our personal information to third parties.
Identity theft: Security breaches are currently one of the biggest threats that affect the companies that store our personal information in their IT infrastructures. In addition to this, we can verify that in many cases, some "untrusted third parties" may not always act in a legally established manner when sharing our data with other actors. In many cases, data custodians do not correctly notify users about mismanagement or theft of our data.
Blockchain and Privacy Regulations
Blockchain technology in this scenario could solve all these problems since it provides its participants with a potential never seen before, even creating the possibility of closely controlling their data (including monetary transactions) on an unprecedented level. Three defining characteristics of this technology are:
The blocks that contain information, generally encrypted, cannot be easily replicated without a consensus from the Network.
Blockchain allows the creation of an immutable record.
Some digital processes can also be considered immutable since they would be recorded in the distributed ledger. Any participant in the Network would have an available and updated copy downloaded to their computers.
Suppose an organization needs to verify our identity. In that case, we, as the parties directly involved in managing our own data, can allow that organization to verify our identity and access our personal information with our explicit authorization.
Blockchain does not resolve everything. One of the main regulatory problems is that users have the right to access, rectify, and delete their data. These rights relate to the well-known problem, at least in Europe, with the "right to be forgotten." Some regulations collide with the blockchain property of immutable data (modification or deletion). Another problem is data localization. Some European laws demand personal data be localized under specified jurisdictions. We all know that blockchain data is distributed across all participating nodes that are spread worldwide.
However, some recent developments seem to resolve the problem of deleting or editing data once the Blockchain nodes have recorded it. They use a hashing procedure over the block contents. Public/private key pairs are created when a new block is being made, repeating the same process of "hashing" the information, empowering the new block's creator to delete or modify the content within it. Unfortunately, these solutions are not yet proven.
Another option is rewriting the Blockchain's information through a so-called "fork," which is a consensus of most nodes to create a new version of that Blockchain that includes the changes. After the fork, everybody must use the latest version instead of the original. This solution would be feasible if we're dealing with private Blockchains. In public Blockchains, the organization responsible for managing users' personal data disappears, and an agreed fork to edit data is almost impossible.
Digital Identity requirements
All digital identity systems based on Blockchain or DLT should first put the personal data owner's interests ahead of any interests that third parties may have in that data. Participation in any Digital Identity system should not be mandatory but voluntary: at all times, the user should be able to delete her profile completely. Otherwise, the very basis of the idea of self-sovereign digital identity (SSDI) breaks.
As established in the applicable regulations for protecting personal information, users must give their explicit and informed consent.
The use of the user's data by a third party should be preceded by the clear and straightforward provision of what data are intended to be used, how they will be used, and which third parties will have access to them.
Software developers should structure identity systems so that the privacy of users is enforced by default. That is, the software should be designed with security in mind from the ground up, using the best cryptographic tools available, like zero-knowledge encryption.
Some Digital Identity initiatives
Some people are trying to resolve the problems of Blockchain and digital identities. These are evolving projects, and not all of them will survive regulators' scrutiny, but it's worth knowing some of them:
Sovrin is a global decentralized identity network. Sovrin provides the missing internet identity layer. They enable individuals and organizations to create portable, self-sovereign digital identities that they control.
The Sovrin Foundation governs the Sovrin Network. The nodes that make up this Network are managed by third parties and approved by the Foundation. The information can be stored on the Blockchain or pointed to another storage.
Sovrin uses their proprietary consensus algorithm called Plenum, and they claim that it can process thousands of transactions per second.
Run by Vinny Lingham, Civic seeks to become the global decentralized digital identity platform. They offer each member $1M insurance against identity theft. Civic can be used for digital processes such as shopping, secure digital identity, and voting.
Users' information is stored on their devices and not on the Blockchain or a centralized database of the company. This scheme is a two-way benefit. Due to the different jurisdictions' privacy laws, no one can sue the company as they do not have any personal information under custody.
The IDs generated by Civic are revocable. The authentication process is between the user device and the app or service used.
SmartID is a project based on Ethereum and led by the private consulting and financial services firm Deloitte. SmartID stores the person's information, including their birth certificate, passport, or driver's license, within a Smart Contract. All the personal data is hashed, and this hash is what is used as the user identity. In future versions, the user may be allowed to hash parts of their identity or specific documents to control how much personal information they want to share and with whom.
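The idea of hashing parts of an identity separately can be sketched as follows. This is an added example, not SmartID's code or design: the commitment scheme, the function names and the sample attributes are all assumptions made for illustration. Each attribute gets its own salted hash, only a digest over those hashes would be published, and the holder reveals the value and salt of just the attributes a verifier needs.

```python
import hashlib
import hmac
import secrets

def commit(name: str, value: str, salt: bytes) -> bytes:
    # Salted per-attribute commitment; the random salt stops a verifier from
    # guessing low-entropy values (dates, countries) behind a hidden commitment.
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).digest()

def identity_digest(commitments: dict) -> str:
    # The only value that would be published: a hash over all commitments,
    # in sorted attribute order so holder and verifier compute it identically.
    h = hashlib.sha256()
    for name in sorted(commitments):
        h.update(commitments[name])
    return h.hexdigest()

def issue(attributes: dict):
    # Salts stay with the holder (off-chain); only the digest is shared widely.
    salts = {k: secrets.token_bytes(16) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    return salts, commitments, identity_digest(commitments)

def disclose(attributes, salts, commitments, reveal):
    # Reveal value + salt for the chosen attributes, only commitments for the rest.
    return {
        "revealed": {k: (attributes[k], salts[k].hex()) for k in reveal},
        "hidden": {k: c.hex() for k, c in commitments.items() if k not in reveal},
    }

def verify(presentation: dict, published_digest: str) -> bool:
    # Recompute commitments for revealed attributes, reuse the hidden ones as given.
    commitments = {k: bytes.fromhex(c) for k, c in presentation["hidden"].items()}
    for k, (value, salt_hex) in presentation["revealed"].items():
        commitments[k] = commit(k, value, bytes.fromhex(salt_hex))
    return hmac.compare_digest(identity_digest(commitments), published_digest)

# Constructed sample identity (not real data).
SAMPLE = {"name": "Alice Example", "birth_date": "1990-04-12", "passport_no": "X0000000"}

if __name__ == "__main__":
    salts, commitments, digest = issue(SAMPLE)
    p = disclose(SAMPLE, salts, commitments, reveal=["birth_date"])
    print("verifies:", verify(p, digest))
    p["revealed"]["birth_date"] = ("1980-01-01", p["revealed"]["birth_date"][1])
    print("tampered verifies:", verify(p, digest))
```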
Serto is a secure, easy-to-use system built on Ethereum for a sovereign Blockchain digital identity. Serto is based on the concept that the Blockchain is already a decentralized certificate authority, maintaining the relationship of identities and public keys.
This project seeks to provide an authentication service without logins on compatible sites. They currently only have a desktop client for Mac and Windows.
Self-sovereign digital identity is an evolving project that demands participation from governments, private companies, and, of course, people. Since technology and blockchain play a fundamental role in digital identity management, software developments must use state-of-the-art software to handle with ease the trade-off between user privacy and security and the ability to operate on open networks. Collaboration between different jurisdictions is essential to provide interoperability across different regions.