Identity on Blockchain
While speaking at a blockchain event in Seattle recently I was asked to predict where blockchain technology would make its next big impact. My answer was Identity. As CTO of DigitalTown, identity is something I currently spend a lot of time thinking about.
Blockchain is considered by many as the missing piece to what is known as Self-Sovereign Identity: Individual control, security, and full portability of an identity. It enables us to move from the model where organizations store our identity data on central servers that they control, to each of us maintaining our own identity data on devices we own. It also enables us to provide information efficiently to those who need to validate it, and has the potential to put an end to the unauthorized monetization of our data by third parties.
We have all seen the news reports of data breaches resulting in sensitive data being leaked. If you have ever applied for credit, there’s a good chance that you’re one of the 143 million Americans whose personal information was exposed in the 2017 Equifax data breach. We should not be surprised that data breaches are large as they are a direct consequence of having central repositories of sensitive information.
Recent news reports claim Cambridge Analytica gained access to private information on about 50 million Facebook users. The data was reportedly supplied by a third-party who had developed an App called “This is your digital life”, specifically created to collect information from people who signed into the App using their Facebook account. It’s not just hackers that have more access to our data that we planned. Take a moment to consider how many Apps you have on your devices, or the number of websites you have signed up to in the past 12 months. Few people take the time to read the policies presented on sign-up pages, blindly clicking boxes that essentially agree to the sharing of their data. The European Global Data Protection Regulation (GDPR) which comes into force next month will begin to address some of these issues.
Using Blockchain and a Self-Sovereign Identity App means that logging into a website or an App no longer requires a username and a password. Instead of prompting for credentials, a likely scenario is that the website or application will display a QR code which you scan with the Identity App. The App will ask you to confirm that you wish to share information. If you grant permission then information verifying your identity is securely shared with the App or Website in order to gain access. A similar process, bypassing the QR code, could be used to log into Apps on the same device as the Identity App.
Once we have established a container for our self-sovereign identity, we can take this one step further by gathering verifiable information about ourselves. W3C has published a standard called Decentralized Identifiers (DID’s) to provide a format for verifiable identifiers, also known as Attestations. Through these Attestations we can begin to move from providing copies of documents like Drivers Licenses, or Passports, to having Trusted Authorities attest to certain facts and digitally sign these attestations which are associated with an identity. These attestations can then be supplied to a third party, who can independently verify that the attestation came from a valid source.
Looking ahead to a future where we realize a fully decentralized internet, we also need to tackle the challenge of storing our data in a way that enables us to maintain control. Every time you create a file, rather than storing it in a Cloud which is ultimately a service hosted on physical servers in a datacenter, it could be split into hundreds of fragments and spread across a network of devices. You could control who has access to the items you share, inviting people and their devices to join your network, and sharing your files through a simple Distributed App (dApp). This is discussed in more detail in a previous blog post, “ How Blockchain will clear away the Clouds”.
When it comes to identity and validating personal information, current processes in major organizations are fundamentally flawed. Just a few weeks ago I needed to change my name on my Delta account to make a reservation. I had created my Delta account as Mike, and now that I needed to book a flight I had to change the name on the Delta system to my legal name, Michael. The call center operator was very helpful, but before he would make the change he asked me to email him a copy of my drivers license. He wanted proof that my name was Michael. It will come as little surprise to you that the email address was a generic shared mailbox, or that I had little choice other than to comply if I wanted to book my flight. What I needed to provide was proof of my name. What I actually provided was significantly more personal data that included my home address, my photo and my drivers license number. That copy of my license is potentially still sitting on the Delta email server, and I should admit that it’s also sitting in the sent folder of my email account. Imagine if I could have supplied a signed attestation from the DMV that simply confirmed my legal name as Michael. This attestation could have been independently verified, and I would not have provided any more information than that which was required.
A Washington State based company, lifeID, recently published the “Self-Sovereign Identity Bill of Rights” where they laid out a clear definition of self-sovereign identity. The bill defined key attributes that included “Individuals must be able to establish their existence as a unified identity online and in the physical world” and “Individuals must have the tools to access and control their identities”. The link to the article is here — lifeID Self-Sovereign Identity Bill of Rights.
There are a significant number of companies tackling the challenges of Self-Sovereign identity. In the remainder of this post I will provide a brief overview of two products that tackle the subject in slightly different ways: 1) uPort, built on Ethereum and available today, and 2) lifeID, still in development but scheduled for release this year.
uPort in its simplest form is just an Ethereum address. Attestations are collected and associated with the address. The platform ensures that users are always in control of their data and they are free to share it with whomever they choose. The App is available to download on the AppStore. In the App you can determine which attributes of your personal profile are public and which are private. The data you choose to share as your public profile is posted on the uPort Registry and visible to anyone.
One key feature of uPort is that a lost key can be recovered on the device, through what is called a ‘replaceable controller contract’. While this does reduce security to a degree, we have to accept the fact that most support calls are requests to reset passwords and this ability to recover an identity addresses one of the key blockers to wide adoption of blockchain based identities.
A separate uPort App manager enables developers to register their applications with the service. The first time a user connects with an App its registered with their uPort account and they see information that the App has shared with them along with a history of interactions.
lifeID is building an open source, fully decentralized identity service, that unlike uPort will be managed by the identity holders. Building on the new Blockchain 3.0 RChain platform, a lifeID identity is comprised of a unique digital identifier along with a Public/Private Key pair. A public registry simply associates the Public Key with the Identifier. The use of an Identity as opposed to using the Public Key allows for Keys to be replaced and identities to persist. When connecting to an App or a Service the user simply needs to prove that they own the Identity, which they can do by using the Private Key. Unlike uPort, lifeID is not tied to any one blockchain platform. Its open approach also means that anyone can develop access management solutions leveraging the lifeID identities.
With high profile scandals that include Equifax and Cambridge Analytica, how we think about and manage our identity and data must change. The European GDPR comes into force next month, and will be followed by additional legislation both in Europe and around the world.
The real challenge we face today is that the average person does not understand the value proposition, let alone how a QR code can replace a username and password. Everyone has seen the news reports of data breaches, but most are a long way from downloading an App like uPort to take control of their online identity and data. This is not suprising as it’s almost impossible to find a website that will allow you to login using your uPort identity.
The answer is to build habit forming and life enhancing technology that simply embeds self-sovereign identity and data. This is exactly what DigitalTown are doing, working with cities, towns and villages around the world. Product managers need to adopt a similar mindset to that of automotive engineers, building safety and security into their products. No consumer starts their new car feature list with “Seatbelts” and “Airbags” but every new car has them, and when they are called upon we are thankful.