Lord of the Identities

Vineet Singh
Oct 25, 2017

One identity to rule them all

Let us sit back, relax and think for a while about who we are and how we claim to be who we are in our day-to-day lives:

  1. Scene 1: We go to a formal meeting and exchange business cards. Our business card gives our name, designation, phone number, mail id, company name, etc. We are saved in someone’s contacts as our number and mail id, and that is who we are to each other. We share this information knowing that the other person can only contact us on this phone or mail but can’t hack it; we trust the service providers.
  2. Scene 2: We want to open a bank account, and we give the required documents issued by different government departments as per KYC. We buy a home and want to avail a loan, and we again furnish the same documents. We make an investment, and we again furnish almost the same set of documents. The documents that we have are proof of who we claim to be, and often also carry other details such as our parents’ names, spouse, children, date of birth, etc. These documents are very well regulated by the government that we trust.
  3. Scene 3: We change jobs and are asked to give our experience letter on a company letterhead, along with the same set of documents that we gave to our telecom service provider or the bank. The company accepts them because we are the ones giving them: we possess those documents and we give all the information in person, so trust is implicit.
  4. Scene 4: We love to stay connected in our digital world through our various social media apps. Almost all of these apps/websites accept that you are who you say you are; there was no check whenever and wherever you created yet another user id. At any single point of time, we could be logged in to Google, Facebook, Twitter, Amazon, WhatsApp, LinkedIn, Instagram, Uber, Ola, gaming apps and God knows what else. Many people keep a lot of passwords saved in the drafts of these mail accounts; they trust us and we trust them, no questions asked.
  5. Scene 5: Every time we make a payment or log in from a different device, we might be asked to enter an OTP as two-factor authentication. We get the OTP by SMS on our phone number, the number that we obtained by submitting documents issued by certified government institutions. We don’t mind this extra security step and feel more trust in the system.
  6. Scene 6: Almost all these apps have some form of credit card details being used and saved, except perhaps the expiry date and the 3-digit CVV number, and we take pride in doing things as fast as we can: booking flights on the go, paying utility bills, booking movie tickets and so on. We trust that it is secured.

Is this how it should be?

  1. Why can’t I just say to my bank, “Hey, look, I submitted these docs with my telecom operator and he verified them”, and the telecom operator says, “Oh yes, I did…”, and the bank says, “Yes, you are a reputed service provider”, verifies the data and accepts it?
  2. My phone number or my bank account number/CRN number is as much a virtual identity as Gmail/Facebook/Amazon, so why should authentication go to my mail id or mobile? If my device is lost and hacked, this authentication is of no use. Why can’t there be some other way to say “yeah, it’s me” in the digital world, as we do in the physical one, so that trust is implicit?
  3. My documents are all issued and maintained by authorities whom I trust; what if they fail or are hacked somehow? Is the data in all my documents coherent? Is the address on my passport the same as on my driving license and the same as on my Aadhaar? Highly unlikely, so how does anyone know which is the correct one? Is there a single source of truth?
  4. Every document was created at a different point of time, with some information taken from some other document. Not a single one has complete and correct information. Why should I not be concerned that someone may have used my address by submitting a forged electricity/gas/water bill as proof? I mean, just look at how secured these proofs of address are, literally ;)
  5. If I change my address, my phone number or my name, can it not be updated with every virtual identity? Why should I go to each and every place and tell them that I have updated some info?
  6. Why should I, as a company, rely on a document as “tamper proof” as the letterhead of another company? How can I be sure that the educational qualifications of the person are indeed correct and that the copy of the transcripts matches the original?
  7. Why can’t my relationships with other people simply be added and stored in one place, from where they can be retrieved, updated and modified as we move along in life?

What’s amiss?!!

Trust

We require identities on various platforms, and that can’t be changed, but we must realize that all these identities, be it the bank/phone number/Facebook/Google, are virtual identities and extensions of our true self. The documents issued to us are certificates from the respective government agencies, and these are our “documental” identities, stating some information about us. When a bank verifies my documents, there is an information transaction taking place: I tell them that this is who I am; they ask for supporting documents from a trusted third party, which I give them; I sign the copies of those documents; they verify that the details mentioned in the copies indeed match what I am stating; they then provide me with a bank account number and a customer id through which I can access my bank accounts. When this transaction takes place, they place trust in the central authority that has issued the documents and, since I possess those documents, they trust me. The fact that I possess those documents is indeed implicit in building that trust. However, this trust sits in a “silo” with the service provider, and I have to rebuild the same trust every time I opt for another service.

In the digital world, I can go on and create multiple user ids, which can be used to access and create user ids on other platforms; no trust is placed until we do financial transactions. Isn’t this fundamentally ripe for all sorts of attack and fraud? More often than not, we share these virtual identities with our service providers, like banks, as a way to contact us. When we do any financial transaction, the bank is “authorized” to carry out the transaction and, to authenticate it, uses one of the virtual identities that we have provided, assuming that our other virtual identity is US.

The internet is not owned by anyone; yes, there are big firms that exercise centralized power, but nobody owns the internet. What we require is one single digital identity which we own, which a) acts as a locker of information from our “documental” identities; b) is owned by us as we own the documents, that is, we can create/update/share/purge; c) is native to the internet, so nobody owns the system on which the identity is created; d) is secured enough to be trusted, so that loss of credentials in any virtual identity does not lead to loss of any shared information on this identity; e) is the superset of all the information in all the virtual identities; f) can act as a watermark on critical digital documents.

Such an identity can be used to authenticate any transaction made by any virtual identity on the net, and the trust should inherently be there. The chances of this identity being compromised should be astronomically low, so low that it is futile to attempt something like that.

BLOCKCHAIN Solution

I will leave a full introduction to blockchain for readers to study from the various sources and articles on the net, and give only a very basic understanding here. Blockchain enables Distributed Ledger Technology (DLT), where everyone has a copy of the global ledger and hacking it requires hacking every single copy. The information in the DLT is stored in blocks of valid transactions, which get closed in some average time (seconds to minutes) when everyone reaches a consensus, and each block points to the previous block in a chain, like a hashed linked list. To hack the system means to change the entire series of blocks till genesis in a small time frame on all the nodes, which makes it extremely improbable. Consensus is the key; it is most famously achieved by Proof-of-Work, as in Bitcoin, but there are other ways, like PBFT/DBFT/PoS, which have been tried out or are under development. Consensus is the most important part of DLT because it is what keeps the system secured, and it is achieved through incentives for the people trying to keep the system secured; the incentive has value because the system is healthy and secured. Let me explain the last sentence another way, as a cyclic process: a secured and healthy system requires people/nodes to work to make it secure, which in turn requires some incentives to be given to the nodes on the network, which in turn requires that people value the incentives, which is only possible if the system is healthy and secured. The incentives, and the tasks that nodes have to perform to make the network secure, vary with the consensus algorithm. So Bitcoin is essentially a token of incentive for making the Bitcoin network secured, and this token is valued by the people who are trading goods in Bitcoin.
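The hashed-linked-list property described above, as an added Go example that is not part of the original article: each block stores the hash of its predecessor, so editing one entry is detected at that block, and recomputing only that block's hash moves the failure to the next block. The `Block` type, the function names and the ledger entries are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Block is a constructed, minimal ledger entry: a payload plus the hash of its predecessor.
type Block struct {
	Data       string
	Prev, Hash [32]byte
}

// hashBlock binds a payload to the previous block's hash: H(prev || data).
func hashBlock(prev [32]byte, data string) [32]byte {
	return sha256.Sum256(append(prev[:], data...))
}

// BuildChain links payloads into a chain; the first block points at an all-zero hash.
func BuildChain(payloads []string) []Block {
	var chain []Block
	var prev [32]byte
	for _, p := range payloads {
		b := Block{Data: p, Prev: prev, Hash: hashBlock(prev, p)}
		chain = append(chain, b)
		prev = b.Hash
	}
	return chain
}

// FirstInvalid returns the index of the first block whose hash or back-pointer fails, or -1.
func FirstInvalid(chain []Block) int {
	var prev [32]byte
	for i, b := range chain {
		if b.Prev != prev || b.Hash != hashBlock(b.Prev, b.Data) {
			return i
		}
		prev = b.Hash
	}
	return -1
}

func main() {
	chain := BuildChain([]string{"DI created", "info shared with VI", "info verified by VI"})
	chain[1].Data = "info shared with someone else" // edit one historical entry
	fmt.Println("edited, hash left stale:", FirstInvalid(chain)) // 1
	chain[1].Hash = hashBlock(chain[1].Prev, chain[1].Data) // recompute that block only
	fmt.Println("edited, hash recomputed:", FirstInvalid(chain)) // 2
}
```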

[Figure: An example of different blockchain interaction between DI network and VI networks]

We have just described the “documental” identity (DocI), provided by the government agencies, and the virtual identity (VI), which we create with lots of independent service providers. We have loosely defined what we want from the new Digital Identity (DI): one identity to rule them all. Imagine that you can create your DI on the net, filling in the details of your DocI and other information, and create a key-value pair through which you can share part of the information securely. Imagine that this data is sharded and distributed in multiple copies among different people, so that nobody holds any significant piece of it, and every time you retrieve this data, you do it from multiple sources (like BitTorrent). The DIs are in a blockchain and distributed this way throughout the network, and it is improbable that the security of this network can be broken. The list of DIs created in a block is governed by the consensus algorithm and the size of the blocks. Just as with cryptocurrency, a user can securely do transactions on the information fields in the DI. The transaction here is CUSP (Create, Update, Share, Purge). Let us say that the user wants to create a VI with some service provider; the service provider can have its own “permissioned” blockchain in which the VIs are created in blocks. If the user wants, he can share the information with the VI service provider, and if the VI service provider verifies this information, it can digitally sign it. Hence, the ledger of a user would look like this: info 1,2..n created -> info 1,2 shared with VI service provider and verified -> ….

In this new system, the DI can also act as an authentication system, where the information is hashed and passed on. Hashing has two properties that are very useful: a) if x is not equal to y, then H(x) is not equal to H(y), and b) if you know H(x), you can’t find x (if you are a mathematician, you will probably find this statement blasphemous and grab me by the neck, but that is what it is for a layman :)). Now, when we share the hash of the information, the information itself can’t be revealed, and if we give the same hash of the information on the service provider’s network, it just needs to be checked that the two hashes are the same and that H(x) from the DI is digitally signed by the DI holder.

We can authorize a VI to share the info held with it, and that sharing needs to be authenticated by the DI that we hold. So, if I have indeed shared my info with a telecom operator and then go to some bank and share the info, the bank will accept it if and only if it is authenticated by a DI. So, no information can be transmitted or accepted by any VI without verification from the DI.
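The hash check described above, as an added Go example that is not part of the original article: the DI holder signs H(x) for one field, and a service provider accepts a presented value only if it hashes to the signed digest and the signature verifies under the holder's public key. Ed25519, the field names, the function names and the random per-field salt are assumptions made here; the salt is included because property b) only holds for values that cannot be guessed, and a phone number or date of birth can be.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Claim is what the DI holder publishes for one field: H(x) and a signature over it.
type Claim struct {
	Digest [32]byte
	Sig    []byte
}

// NewHolder returns a fresh DI key pair and a random 16-byte salt (constructed sample material).
func NewHolder() (ed25519.PublicKey, ed25519.PrivateKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	salt := make([]byte, 16)
	if _, e := rand.Read(salt); err != nil || e != nil {
		panic("no entropy source")
	}
	return pub, priv, salt
}

// digest is H(x) with x = salt || field || 0x00 || value.
func digest(salt []byte, field, value string) [32]byte {
	msg := append([]byte{}, salt...)
	return sha256.Sum256(append(msg, field+"\x00"+value...))
}

// Attest is run by the DI holder: hash the field, then sign the hash.
func Attest(priv ed25519.PrivateKey, salt []byte, field, value string) Claim {
	d := digest(salt, field, value)
	return Claim{Digest: d, Sig: ed25519.Sign(priv, d[:])}
}

// Verify is run by the service provider on the value and salt the user presents to it.
func Verify(pub ed25519.PublicKey, c Claim, salt []byte, field, value string) bool {
	d := digest(salt, field, value)
	return d == c.Digest && ed25519.Verify(pub, c.Digest[:], c.Sig)
}

func main() {
	pub, priv, salt := NewHolder()
	c := Attest(priv, salt, "address", "12 Example Road") // constructed value
	fmt.Println(Verify(pub, c, salt, "address", "12 Example Road"), Verify(pub, c, salt, "address", "99 Other Road"))
}
```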

The DI can also be locked with hashed biometric information, if the user wishes.

Actors and players in this network

  1. Validators: In the DI network, there can be people who validate that they know a particular user and have verified this.
  2. Attesters: VI service providers act as attesters of the information of a DI and create a VI. The VI service providers can pass on this information as if attested by them, on request of the VI.
  3. Verifiers: The VI service providers can have nodes or users/agents who act as verifiers on the network.
  4. Government Agency: Government agencies can act as issuers of a DI after due verification.

What does it hold for the future

Identity is a key concept in today’s society, and one’s identity is associated with basic benefits and also with risks. If you have no identity, no record whatsoever, you can do anything without being traced, but it also implies that you will be deprived of any social guarantee schemes and of the citizenship rights of the nation. Citizenship, usually associated with birth, gives the first and basic record and identifies an individual. As more identity documents are generated, there is an increase in risk/benefit either to the identifying party or to the identified party. If one gets a PAN card or a passport, there is the risk of being subject to scrutiny by the government on income, travel, etc., but there also come certain benefits. Needless to say, the risks associated with identity are far higher than the benefits and act as a deterrent against creating a bad history. It also favors the rich and powerful, who have a good history, compared to the poor or less powerful, who have a bad history or none at all. The risks for the rich can also be lower due to better access to legal resources and influence.

The concept of a single unifying DI makes this a level playing field: it gives different service providers access to act as attesters and allows self-assertion by every individual. The individual bears the responsibility for any wrong information provided, and the service providers can be enabled to offer the service of attesting an individual, be it employment, bank details or phone number. Another aspect is that this would retain the anonymity of an individual as well as provide a trace for regulatory authorities. Furthermore, in the long run, the relationships and social validation make this a network which acts as a self-registering system, does away with many registrar offices for marriage and forms the backbone of the legal process for transfer of immovable or movable property. To list a few of the processes in various industry sectors that would get disrupted:

  1. KYC-related processes get seriously simplified and assured.
  2. Background verification of employees.
  3. A web browser extension that uses the DI to access the net. All the login ids can be traced to the DI.
  4. Cyber security/patrolling.
  5. Education records of individuals.
  6. Unified medical records.
  7. Trust in P2P lending networks.
  8. International trade/travel and granting of visas by the government.
