Learning About Self-Sovereign Identity

James
Apr 4, 2018

This afternoon in my cohort, a few of us spiraled into a tangent about blockchain technology, Tor, cyber security and a few other topics. This is the side of the technology world I find most interesting. Later on in the evening I struck up a similar conversation with the person working next to me at a coffee shop. He works in a marketing-related field for an ERC20 token company, RChain. It was insightful to talk to someone working in the field and to be able to pick their brain in a casual setting. The talking point that I found the most interesting was the idea of self-sovereign identity.

In general, self-sovereign identity means that the individual has ownership over their personal data and control over how, when, and to whom that personal data is revealed. This is a very timely topic considering things like the Facebook data scandal or the Equifax data breach. Incidents like these create opportunities for financial fraud and can cause irreversible damage to the privacy of the individuals involved.

Before we discuss some of the main problems we face with regard to how we use and store identity, let’s look at some important concepts in identity.

There are three parts:

Claims: Pretty straightforward. An identity claim is an assertion made by the person or the business. For example, I could state “My name is James, I was born on July 45th 7010.”

Proofs: The proof would be some form of document that provides evidence for the claim(s). Some typical formats of proofs for the person are things like copies of passports, birth certificates, social security numbers, utility accounts.

Attestations: An attestation is when a third party validates that, according to their records, the above claims are valid. An attestation from the right authority can be much stronger than a proof. The downside is that attestations can be a burden on the authority because the information can be sensitive. This means the information must be maintained.

This has been the standard for quite some time, and up until recently there has not been a push to update these standards. There are inherent issues with the parts we use to validate identity. For example, proofs are usually unstructured data. There is generally a paid representative of a company (a bank, for example) who has to manually scan, extract, input, process and update data. Keeping the data up to date also relies on the customer informing the institution whenever a change has been made, even for something as simple as a change of address. Another huge issue is that this data can be easily extracted if it is not stored properly by either the institution or the person (user), and it can be easily faked. Because this data can be easily faked, it usually requires extra validation steps, like being notarized.

This all results in a very tedious, time-consuming, annoying, and expensive process. We are at the point where we have some interesting tech solutions to these issues. These solutions are closely related to how we store our own identity data now, or at least how you should be storing it: kept safely in a storage container that takes a key to open, or within your personal wallet. Things like that.

One proposed tech solution is encrypting your information via blockchain technology. Another interesting thought would be to have an identity wallet that self-generates an ID number or key. This would use a public key, one that you can share safely with others, and a private key that only YOU would have access to. These keys are generated via large mathematical algorithms, ensuring that your key pair is unique and cannot be duplicated. This would create your digital signature. It belongs to you. Hence a self-sovereign identity.

This would in theory establish legitimacy and eliminate the need for scanning or uploading documents, which may or may not contain frivolous pieces of data that companies use or “don’t use” as they deem fit. You would be able to share only the information necessary to validate your claim or proof. Your attestations would be stored in the same way. They would be digitally signed by both parties in a given time window, and they would be completely machine readable.
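
To make the last two paragraphs concrete, here is an added example (not from the original post or from any project it mentions) of an authority signing an attestation and the holder revealing only one claim from it. The salted-hash commitment scheme, the function names and the sample claim values are all assumptions chosen for illustration.

```javascript
// Added illustration: selective disclosure of a signed, machine-readable attestation.
// All function names and sample values are constructed for this example.
const crypto = require("crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest("hex");
// Salted commitment to one claim; the random salt stops guessing of low-entropy values.
const commit = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer (the attesting authority): signs salted digests of the claims, never the values.
function issueAttestation(issuerKey, subjectId, claims) {
  const disclosures = {}, digests = [];
  for (const [name, value] of Object.entries(claims)) {
    const salt = crypto.randomBytes(16).toString("hex");
    disclosures[name] = { salt, value };
    digests.push(commit(salt, name, value));
  }
  const payload = JSON.stringify({ subject: subjectId, digests: digests.sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerKey).toString("base64");
  return { payload, signature, disclosures }; // disclosures stay in the holder's wallet
}

// Holder: hand over the signed payload plus only the claims being asked for.
function present(att, names) {
  const revealed = {};
  for (const n of names) if (n in att.disclosures) revealed[n] = att.disclosures[n];
  return { payload: att.payload, signature: att.signature, revealed };
}

// Verifier: check the issuer's signature, then that each revealed claim was committed to.
function verify(issuerPublicKey, { payload, signature, revealed }) {
  const sig = Buffer.from(signature, "base64");
  if (!crypto.verify(null, Buffer.from(payload), issuerPublicKey, sig)) return null;
  const { digests } = JSON.parse(payload);
  const claims = {};
  for (const [name, { salt, value }] of Object.entries(revealed)) {
    if (!digests.includes(commit(salt, name, value))) return null;
    claims[name] = value;
  }
  return claims;
}

// Constructed sample run: the wallet's ID is derived from its own public key.
const issuer = crypto.generateKeyPairSync("ed25519");
const holder = crypto.generateKeyPairSync("ed25519");
const subjectId = sha256(holder.publicKey.export({ type: "spki", format: "der" }));
const att = issueAttestation(issuer.privateKey, subjectId, { name: "James", over18: true, address: "1 Example St" });
const shown = present(att, ["over18"]);
console.log(verify(issuer.publicKey, shown)); // only the over18 claim reaches the verifier
```

This sketch covers only the issuer's signature. For the attestation to be signed by both parties, the holder would also sign each presentation with the wallet's private key, over a fresh value chosen by the verifier, so a copied presentation cannot be replayed by someone else.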

Of course this information is not static and would require managing. Networks and software would need to be created and maintained. These ideas need care and attention to evolve, but they promote a safer and more efficient way to share the data YOU want, with WHO you want. You would OWN your digital identity data instead of your data being harvested, owned, and sold or used in a nefarious way without your consent. In fact, you could maybe monetize it. Do you want to contribute to a machine learning tool? Provide the data of your choice in exchange for currency. There are many possible applications for an idea like this.

Be. Your. Self.
