Blockchain-based ID platforms will give us data security and control, but at a cost to decentralization.
We're living at a time of unprecedented concern over identity. Fears abound that our personal data is being abused by distant third-parties, while this data has become more valuable to us at a time when our identities and the identity politics we base around them have become more central to our lives. It's in this context that blockchain technology has appeared, and while its application beyond cryptocurrencies is still limited, protecting our online identities and data more securely looks set to be one of its most central applications.
In its most basic outline, the use of blockchains in the area of securing personal data is simple: Our data is stored in encrypted form on a decentralized network, and we can grant other parties access to (some of) this data by the use of our private keys, in much the same way that using our keys allows us to send cryptocurrency to someone else. By virtue of this basic framework, blockchain tech promises to place control over our data back in our hands, at a time when Facebook and other technology giants have been abusing and misusing it. And seeing as how crypto-giants such as Coinbase have recently moved into the area of decentralized ID, it would seem that it already has strong backing and support within the cryptocurrency industry.
However, as sound as this all is in principle, there are a variety of challenges — some technical, some commercial — that have to be overcome before blockchains can be used at scale to secure personal data. The companies working in this area are all approaching these problems from different angles, yet it would appear that in solving them, a (partial) departure from the ideals of ‘complete’ decentralization is necessary.
And even when the technical challenges are all surmounted, there will still be the issue of weaning people off platforms such as Facebook, which — thanks to the profits of centralization — can afford to offer the public an enticingly 'free' and polished service.
Control and privacy
Alastair Johnson, CEO and founder of e-commerce and ID platform Nuggets, Johnson understands the pitfalls of storing masses of ID data in centralized siloes all too well.
"Today, the reality is that individuals do not control their personal data in any meaningful way. On average, a person has personal data — in the form of payment card details, home addresses, email addresses, passwords and other personal details — spread over roughly 100 online accounts. They can access this data but they do not own it."
By contrast, the use of blockchain tech grants newfound control to the user, who will be empowered to share their ID data only with the parties they approve. This is achieved primarily through the utilization of “decentralized identifiers” (DIDs), as explained by the Sovrin Foundation, which is building a blockchain platform aimed at providing individuals with "self-sovereign identity" (i.e. an ID they can take with them from platform to platform). As it notes in its white paper, "decentralized identifiers" (DIDs) not only encode information that identifies someone as, say, female, Asian, 35, and living in France, but they also circumvent the need for a centralized authority to verify ID claims.
"A DID is stored on a blockchain along with a DID document containing the public key for the DID, any other public credentials the identity owner wishes to disclose, and the network addresses for interaction. The identity owner controls the DID document by controlling the associated private key."
In other words, a protocol for a suitable blockchain is created, users register their ID data on this blockchain, and then use their private keys to decrypt this data for chosen parties. This is the kind of system also employed by Nuggets, although in its case it's referred to as "zero-knowledge storage," since no one else knows what your data says about you. And it’s also the system being worked on by Coinbase, which on August 15 announced its acquisition of ID-focused startup Distributed Systems. Having purchased the San Francisco-based company for an undisclosed fee, it will now develop a decentralized login system for its own crypto-exchange platform that will enable users to retain ownership of their ID credentials.
“A decentralized identity will let you prove that you own an identity, or that you have a relationship with the Social Security Administration, without making a copy of that identity,” it wrote in its press release.
With such a setup, there's little chance of a Cambridge Analytica-style scandal where data gets shared with unwanted groups or individuals, while it also grants unprecedented power to the individual user, who's likely to be treated with much more respect by companies now that his data is in such scarce supply. As explained by Johnson, this provides a vast improvement over the current stage of affairs.
“[Personal data] is stored and controlled in a series of centralized databases controlled by institutions such as retailers, marketing companies, utility companies and data reporting companies. In order to make purchases online, individuals simply authorize these different bodies to connect the different pieces of information they hold in order to authorize a transaction.”
However, while the individual user is currently dependent on hundreds of different companies to store and transmit his/her data in order to gain access to the services, the introduction of blockchain technology completely reverses the balance of power. Johnson shares with Cointelegraph:
"Blockchain-based solutions flip this model on its head, so that individuals can store and control their data associated to a digital identity. It is not stored in the centralized databases of third party organizations, it can be stored on the blockchain in a decentralized network. With the individual controlling their data in this way, they are then in full control to ideally not have to share or store anything by using attestations, tokens or references and share it only if and when they choose to do so."
Yet, this is only the tip of the iceberg, as using blockchain tech to confirm who we are furnishes many additional benefits beyond user control. For one, it heightens privacy, since with many of the platforms being proposed, our ID credentials won't even be revealed to those parties and organizations requiring their verification.
This is enabled via the use of zero-knowledge proofs (ZKPs), a cryptographic method that can prove a claim without actually sharing the data ('knowledge') through which the claim is proven. ZKPs are being implemented by Sovrin and are also planned for use by such startups as Civic, Verif-y, and Blockpass. By using them, these companies will make the process of ID verification simpler and more efficient, while opening up the possibility of storing biometric ID on the blockchain. They'll spare organizations that verify our IDs the headache of having to securely store personal data after validating it, which in turn eliminates a potential vulnerability, given that these organizations would have normally kept any data they received on a centralized database.
And while not all decentralized identity platforms will employ ZKPs, others will still make use of functionally similar methods. For example, SelfKey harnesses a technique it describes as "data minimization," which "allows the identity owner to provide as little amount of information as possible to satisfy the relying party or verifier." This sidesteps the need to develop advanced technologies such as ZKPs, although it raises questions as to what is meant by 'minimal.' SelfKey writes that "claims can be signed in a way whereby one could choose to disclose only a minimum of information." But without a more formal specification of "minimum" and "choose," it's conceivable that such functional approximations of ZKPs might end up revealing more data than some users would want.
Aside from providing greater user control and privacy, blockchain-based platforms for verifying ID are more secure than their centralized counterparts. This is because, being distributed among multiple nodes, they won't suffer from having a single point of failure like traditional ID systems — e.g. government databases, social networks. As such, one or two nodes of a blockchain can become inactive and users will still be able to use it, while the encryption involved prevents any publicly available data from being gleaned for sensitive info.
By removing the single point of failure, decentralized ID platforms make a large, Yahoo! style hack nigh-on impossible. Instead of being able to penetrate a centralized database that houses all user information in a single location, attackers will have to obtain the private keys for every individual on a one-by-one basis, something which is extremely unlikely in practice. Alastair Johnson agrees:
"The major benefit of a decentralized ledger of personal data over a centralized database is the security against hackers that it provides. We’re all familiar with the major data breaches that have occurred in recent years, such as that at Equifax in 2017. These centralized databases act like magnets to hackers who often only need to take advantage of a single vulnerability to either take them down or extract data from them."
By contrast, decentralized ledgers aren't so sensitive to cyberattacks. "The hijacking of a single node will not disrupt the ongoing functioning of the ledger, as the other nodes can continue to operate without the compromised node’s involvement and the network requires consensus to prove the blocks."
Security is part of the reason why the Indian government, for example, is turning to blockchain for its AADHAAR database — the world's biggest biometric ID system, containing the records of over one billion people – as the country has been the victim of repeated hackings over the past year.
With such a revamped platform, there will be a variety of security benefits. The transparency and immutability of blockchains would mean that users are able to see when their data has been accessed and by whom, thereby providing a deterrent to any would-be hacker. Similarly, this transparency and immutability can be violated only in the unlikely event that a bad actor assumes control of 51 percent of the blockchain's nodes, which in theory would enable to access data and then erase the corresponding records of this illegitimate access.
AADHAAR currently isn't blockchain-based, while a comparable project from the government in Dubai to use blockchain-based ID at the international airport is still under construction. However, one government-led ID system than does use distributed ledger technology (DLT) right now is in Estonia. Its KSI (Keyless Signature Infrastructure) Blockchain forms the backbone of various e-services, including e-Health Record system, e-Prescription database, e-Law and e-Court systems, e-Police data, e-Banking, e-Business Register and e-Land Registry.
Once again, the use of the KSI Blockchain provides greater transparency than previous systems, since it detects when user data has been accessed and when it has been changed. And as the e-Estonia FAQ explains, it's much quicker than traditional platforms in detecting misuses of data:
"[It] currently takes organizations […] about seven months to detect breaches and manipulations of electronic data. With blockchain [solutions] like the one Estonia is using, these breaches and manipulations can be detected immediately."
Not only are breaches capable of being detected immediately or quickly on a blockchain-based ID system, but they're more likely to be detected more quickly than with a centralized platform due to their public and continuous access to scrutiny from a wide range of armchair experts and professionals alike, as highlighted by PolySwarm CTO Paul Makowski in a December blog post on decentralized threat intelligence:
"Geographically diverse security experts proficient at reverse engineering or capable of providing unique insight will be able to exercise their knowledge from the comfort of their own home or wherever (and whenever) they choose to work."
At the present moment in history, the world's digital identity systems are siloed off from each other, separated in a way that forces people to create new accounts and new data for virtually every digital service they use. This causes personal data to proliferate to dangerous levels, making data breaches and cybercrime much likelier. For instance, the cost of identity theft reached $106 billion in the United States alone between 2011 and 2017, at a time when the average consumer has a staggering 118 online accounts (at least in the United Kingdom, where data was available).
Blockchain-based digital ID systems offer a way out of this. While most chains are currently cut off from each other, standards for sovereign digital identity are being devised by the Digital Identity Foundation (DIF) and the World Wide Web Consortium (W3C). Similarly, a number of startups are building interoperability platforms connecting separate blockchains together, including Polkadot, Cosmos and Aion. By working to achieve an ecosystem in which the standards of one identity platform are accepted by all other platforms that require ID verification, such organizations could dramatically reduce the amount of personal data people need to produce. Instead, users would create an account with one blockchain-based ID service, which they'll then use to register with a host of other services and systems.
Never Stop Marketing CEO Jeremy Epstein said in a December blog:
"Interoperability standards free up capital and time to drive value. What’s more, it offers the possibility to pool security (making the whole system more robust against attack) and enable trust-free transactions across chains."
Blockchain interoperability is still a nascent field, and different organizations are pursuing different approaches to it. However, to take one example, Polkadot is aiming to achieve interoperability via its "heterogeneous multi-chain," which has three fundamental components. These are "parachains," which are in fact the individual blockchains being linked together, "bridges" that connect each parachain to the Polkadot network, and then the Polkadot network itself, which is a "relay chain" of the various parachains being connected.
Other routes to interoperability diverges from this, with Cosmos achieving inter-chain communication via use of the Tendermint consensus algorithm, and with the Aion network monetizing interchain transactions. However, assuming that an interoperability platform receives universal adoption within the blockchain ecosystem, users would find that they'll have to register their personal data only once. From then on, they'll be able to provide other platforms with ID attestations securely and quickly, all without having to reveal any of their data to the companies and services they use.
Scaling toward a new kind of blockchain
The benefits promised by blockchain-based ID systems — control, security and standardization — are all appealing, yet questions remain as to how feasible such systems are and how long we'll have to wait for them to be released in fully functioning form. Added to this, there's also the worry that — for all the improvements offered by blockchains — as a society we may still remain wedded to 'traditional' online services and the organizations responsible for them, which may actively resist the adoption of decentralized platforms that enable us to keep data to ourselves.
Unsurprisingly, the biggest issue with regard to feasibility is that of scalability, so often the achilles heal of many a crypto-based project. Given that an ID service should — by definition — be able to serve millions of people, any blockchain that forms the basis of such a service has to be significantly scalable. Yet, so far the most popular blockchain for decentralized applications (DApps) — Ethereum — was almost brought down by a popular video game last year, CryptoKitties. This is why most of the platforms mentioned above aren't built on any of the most well-known blockchains, but rather on proprietary ledgers, some of which don't meet the conventional definition of a decentralized blockchain.
For example, Enigma is a "decentralized computation platform" that has been designed for use with identity verification, among other things. As described in its white paper, it solves the scalability problem by delegating all "intensive computations to an off-chain network." This network also stores all the user data, while the blockchain itself merely stores "references” to this data. In other words, Enigma's platform isn't really a blockchain — and while its off-chain network is still distributed (although each node sees separate parts of the overall data), this isn't decentralization in the way that, say, the Bitcoin blockchain is.
Something similar could be said for other ‘blockchain-based' ID platforms: Estonia's KSI Blockchain isn't a full-fledged blockchain that uses asymmetric key cryptography, but rather a Merkle tree-based ledger. Meanwhile, the Sovrin network achieves consensus via a limited set of "validator nodes," arguably making it less decentralized than certain other blockchains. Together, what such tradeoffs reveal is that, if an ID platform is to be scalable (and also private), it needs to be less distributed in certain areas — and arguably less secure as a result. But more importantly, from a practical viewpoint, it also needs to redefine and adapt just what a 'blockchain' is, since the most familiar chains currently aren't up to the task of securing and communicating our personal data on a massive scale.
This is why even the most advanced projects have roadmaps that extend beyond 2020, since a viable ID platform requires a new kind of distributed ledger that squares the need for cryptographic transparency with the need for individual privacy. And even if any of the platforms above reach this goal anytime soon, they will have another massive hurdle to clear: the dominance of existing arbiters of identity, including social media giants like Facebook, as well as national governments.
For instance, the U.K. and Australian governments have been investing millions in building their own centralized ID verification systems in recent years, making it unlikely that they'll easily give way to a decentralized alternative. Likewise, the idea of Facebook overhauling itself with a truly decentralized platform — where users keep their personal data a secret — is, well, frankly unthinkable, seeing as how the social network reaps billions in annual profit from selling our data to the highest bidder. It’s also widely used to identify people online, so it’s unlikely that it will give up its dominance to blockchain-based platforms easily.
That said, a small number of national and state-based governments (e.g., Singapore, Illinois) have been trialling blockchain-based ID systems. In addition, figures within the burgeoning crypto-ID industry are hopeful that public and private organizations alike will either be forced to decentralize or will fall by the wayside.
"When you operate a centralized system that provides your organization with control and allows you to benefit from this position, it’s understandable that you might be resistant to change," says Alastair Johnson. "But when there is a penalty if this information is breached in the form of fines, loss of share price and cost of recovering the situation and all the PR damage that comes with a breach, businesses will start to see that the model has to fundamentally change."
A key driver of this change could be public sentiment, which has already been shifting in the wake of the Facebook-Cambridge Analytica scandal. "The blockchain provides clear benefits for customers in terms of control over personal data and digital identities and I expect the public recognition of this to move from an early adopter cohort to an early majority in the near future," Johnson says. "From the other side, I expect organizations that have already experienced breaches in their centralized databases to be amongst the most willing to adopt blockchain-based solutions, as they seek to rebuild trust with consumers."
It could be argued that slick, free-to-use, ad-based services such as Facebook will always be more attractive to the average user — a view strengthened by the fact that Facebook reported a 13 percent year-on-year increase of users in April, despite its recent loss of younger users in the wake of the aforementioned data harvesting scandal. However, Johnson believes that a gradual sea-change in attitudes is underway.
"The ‘Delete Facebook’ movement is one sign of change, as is the continuing scrutiny that the tech giant is being put under by American and European authorities. People are starting to wake up to the fact that their personal data is valuable. Not only could blockchain help them to monetize it for themselves, it will also eradicate the kinds of costly personal data loses that I have experienced myself."
And even if blockchain technology is still largely unproven outside the domain of cryptocurrencies, it will start winning converts as soon as it demonstrates its superiority to previous systems when it comes to privacy and security.
"Right now, there may be hesitation to adopt decentralized platforms, but its common sense that personal information should be owned and controlled by the person, and because of this it will prevail."