Digital Identity: Removing the Barrier to Entry
The ability to prove we are who we say we are might seem simple at its face, but it’s estimated that 1.1 billion people lack access to vital services because they cannot prove their identity. According to the World Bank, these people:
“lack access to vital services including healthcare, social protection, education and finance. The majority live in Africa and Asia and more than a third are children who are unregistered.”
As Article 8 of the UN’s Convention on the Rights of the Child states, children have a right to identity. But as a result of global challenges, millions of refugees and homeless people globally lack the ability to provide evidence for their credentials and identity.
In addition to those who lack an ID, most of the world does not have access to or control over a digital identity that is an aggregate of who they are. Ideally, we’d be able to locally store attested data pieces about our health records, government records, financial records, academic history, physical attributes, social circle, and so forth on a Self-sovereign Identity (SSI) platform that we own and operate (e.g., uPort and Sovrin). This identity can then be used to apply for visas, jobs, onboarding, and global financial (KYC/ AML) compliance, among other things. These identity records, to a varying degree, are already available about most people, but they are in silos, spread across a variety of vulnerable platforms that users do not own or control.
Similar to how we produce and are assigned an identity, both socially and legally in the physical world, we have an identity in the digital world. Though, given the nature of an identity that we can’t see or easily verify, it’s cumbersome to interact with and trust a digital identity. At a grocery store, when we’re asked for an ID, the clerk can check our state-issued identification, make sure the photo somewhat resembles the person presenting it, and check the security features of the card to make sure the ID is reliable. In the digital world, how would an e-commerce store go about identity verification that isn’t cumbersome, resulting in losing customers? In a social setting, when you’re approached by another person, you can tell whether they’re in their 20’s or 50’s, but that’s much harder to assess with the same level of confidence on a dating website. It’s also difficult to deny that we have less sovereignty over our digital identity and often must rely on third parties to provide us with one, a problem that though complex, is avoidable.
Whether you’re using universal login through your social media platform or applying for a credit card, you’re using your digital identity to access a service or complete onboarding. There are several significant concerns that exist as a result of centralization of these services, but the good news is that they have solutions.
The importance of a digital identity isn’t limited to the digital realm, at its core it’s a more robust form of providing identity than paper ID’s are. It’s easy for refugees to lose their ID, and at times very difficult to attain a new one. The homeless are another population that are at risk of losing their paper ID. Projects such as Building Blocks (in the case of refugees), and MyPass Austin (in the case of homeless population) are working on alleviating some of these challenges.
Entities, especially ones that deal with money (i.e., Banks, CryproAsset exchanges) must maintain compliance with KYC/ AML laws to conduct business. My colleague, Richard Forsyth, has written an in-depth post on the topic, in it he writes:
“[For] entities who maintain compliance for significant amounts of time, the costs can still exceed ten percent of an institution’s operating budget; and when problems occur, as they almost inevitably do given enough time, fines levied by regulatory agencies can be sobering: $26 billion in fines has been imposed for non-compliance with AML/ KYC, and sanctions regulations in the last decade.”
A Honeypot Might Sound Cute, but Watch out for the Bees
More people are starting to realize that we’re all vulnerable. If we can learn anything from the Yahoo, Equifax, Facebook, Google, and Target data breaches in the past few years, it’s that central repositories of data, where the records of millions of people are stored in a centralized location are vulnerable. Worse yet, ultimately, it’s the users, not the platforms, who pay the highest cost for these vulnerabilities.
Time and again, centralized platforms have betrayed user trust, either by sharing their data with third parties through abstract terms of services, not properly protecting user data, or using data for their advantage, knowing it compromised the interests of the users. The Equifax leak resulted in the release of a gold mine of sensitive data — social security numbers, driver’s license numbers, phone numbers, email addresses, names, dates of birth — offering identity thieves the opportunity to conduct fraudulent activities for years to come. Such breaches have a severe consequence for people in their day-to-day life. Equifax provided Americans with a year of free credit monitoring (Identity protection can cost $50 to $480 per year for each covered individual), and “Lock & Alert” (free for life), but the data isn’t going anywhere anytime soon. People will have to take extra steps to protect themselves against threats that are a result of an entity’s irresponsible handling of their data that were completely preventable.
We Are the Same, but Just Express Different Parts of Ourselves
On a more personal level, it’s quite frustrating that we must enter the same information (e.g., address, credit card info, etc) for each platform that we’re a member of, and if we change our name, we’d have to report that to hundreds of platforms and organizations, which are all completely avoidable. As someone who moves often, one of my least favorite parts of moving is having to change my address everywhere — banks, magazines, e-commerce, and so forth. Why can’t we have an identity that is an aggregate of all things about us, with data that we can share with entities with which we interact?
Historically two of the main concerns about having such a system have been who owns the data and how safe is the infrastructure. Thanks to Blockchain technology you can now have your cake and eat it too. In the world of SSI, a user owns their own data, and the data is–Ideally–encrypted and stored locally on a user’s device. And though the data is stored locally, it can be shared globally. Through using blockchain technology, an SSI platform will generate a key pair (referring to a public and a private key) for you, and anchor it to the blockchain; this way a third party can verify that the identity data belongs to the person who is claiming it. If you’d like to learn more, I’d suggest reading Alex Preukschat’s essay on SSI.
In practice, you would connect your SSI app to various reliable data sources (e.g., employer, the state, social media, medical institutions, financial institutions, etc.) and import your identity information as a JSON Web Token (JWT) to your app, where it’s locally stored and encrypt. Later, when you’re being onboarded to a new platform (e.g., bank, dating website), the entity will request your information and gain access to your data as soon as you consent to the transaction, ideally, until you revoke access, the platforms will get an updated version of your data when necessary.
There are different levels of confidence in the reliability of an identity. The ISO/IEC 29115 Standard is what numerous platforms are choosing to base their confidence on. If you’re a user who has verified their bank account (level 3 assurance), then you have the ability to meet KYC compliance and use your identity data to create an account on a financial service (e.g., CryptoAsset Exchange); however, you can’t participate in an election through electronic voting, which required in-person verification by a state-sponsored clerk (level 4 assurance); this empowers users only to import as much data on their SSI app as they deem necessary.
No Thanks, I Can Invest My Own Data
If you dig a bit into the terms of service of most platforms you use, you might be concerned what you find. Facebook’s terms, for example, states that:
“When you share, post, or upload content that is covered by intellectual property rights (like photos or videos) on or in connection with our Products, you grant us a non-exclusive, transferable, sub-licensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content (consistent with your privacy and application settings). This means, for example, that if you share a photo on Facebook, you give us permission to store, copy, and share it with others (again, consistent with your settings) such as service providers that support our service or other Facebook Products you use.”
And while they claim you “own” your identity data, if you read their data policy, it states:
“We also provide information and content to research partners and academics to conduct research that advances scholarship and innovation that support our business or mission, and enhances discovery and innovation on topics of general social welfare, technological advancement, public interest, health and well-being.”
As innocent as the data policy might seem, it’s what allowed them to share your information (and that of your friends) with Kogan–which subsequently made them available to Cambridge Analytica, for political purposes.
Central platforms such as Facebook and Google, make billions of dollars annually by allowing advertisers to target you. The targeting is done by using your age, gender, and interests, among hundreds of other variables. Usually, the more specific a marketer wants to get, the higher the cost of the ad is. This reality allows us to understand that data is an asset that can be used to generate profit. Why would we allow centralized entities to make money off our data?
Projects such as Datavest allow users to share an aggregate of their data and invest it for monthly returns. They, like many others, see data as a new form of capital. They argue that “in ten years there will be more people in the world investing their data than there are investing their money.”
Your data is a form of investment, capitalized by numerous parties that are collectively worth trillions of dollars. This is especially problematic given the fact that these platforms are completely undemocratic, and none of the profit is shared with the users.
Frictionless Identity and Better Security
Earlier, I mentioned universal login and the limitations with it as we know it. Most people would probably not feel comfortable using a platform like Facebook to access their bank accounts; however, if offered the opportunity to use an SSI platform with a higher degree of security and ownership, we can cross these barriers, significantly increasing security.
Estonia is providing their citizens with a digital identity that can be used as a formal ID when voting, traveling, sharing health records, and more. There is also the city of Zug in Switzerland, in which a resident can take their uPort identity to the city clerk, the city sends them a signed JWT, verifying their identity. This verification process allows the person who is holding that identity to vote from the comfort of their home, without sacrificing election security.
Ideally, we would own and locally store our identity data, and selectively share it with third parties if necessary, and only to the extent necessary. Isn’t it odd that when you book into a hotel, you have to check-in at the counter where they take a photocopy of your state issued ID and store it in an insecure binder, sometimes stapled to your credit card information? And it’s not just that, they often hold onto your information for months after you leave. The recent Marriott hack in which 500 million records, many of them containing passport numbers is a reminder that we need a new solution. Ideally, when you book a hotel, a room should be assigned to your digital ID, allowing you to walk to your room and unlock it using your SSI app. The hotel should have temporary access to some of your information that is revoked right after you leave. In this manner, your data is safe, and the hotel is comfortable they have what they need in case something happens.
When we’re applying to open an account on a CryptoAsset exchange, they often ask that you upload a photo of your state-issued ID, which is a document that often provides them with information about your height, weight, hair color, and sometimes even whether you’re an organ donor, none of which are necessary for buying a couple of Litecoins. Worse yet, sometimes it could take up to weeks to verify your identity. A better solution would be for them to request access to a couple of data pieces (e.g., SSN, KYC, Address), and ideally, this transaction will happen effortlessly on your end while allowing the exchange to comply with regulations.
What is DigiPort doing?
As the name suggests, DigiPort digitally transports you! The project came together at a Hackathon in Washington DC, sponsored by Digi.me. Drew Patel, CEO brought up the challenges he faced when he was trying to open an account on a CryptoExcange, which were similar to mine–a long period of waiting time. Once we realized that identity is the most significant barrier to entry into the decentralized world, and both people and entities are suffering the consequences of poor identity infrastructure, we decided to work on a product that can solve some of these hurdles. As mentioned in our white paper:
“DigiPort is a digital identity platform that empowers users to locally store and globally share attested identity data. A user on DigiPort can import their information from a variety of Aggregates — information providers — available to them and share them with a variety of Connectors — service providers — on the platform.”
As the owners of their data, users can selectively share their identity data for onboarding or accessing services in a fraction of the time formally needed, without sacrificing their security or privacy. You can request a beta version of the iOS app by contacting me.
Some Final Words
Having a personal identity is a human right, and we are excited to allow citizens to regain control over their identity, allowing us to reclaim control over our digital lives. We believe in the vision of projects such as World Bank ID4D, the ID2020 Alliance, and Identity for good initiative to provide a safe and reliable identity platform for the most vulnerable populations in our society, such as the refugees and the homeless population.
I hope one takeaway you have from this essay is that the private ownership of what should be public infrastructure–digital identity–Isn’t in the interest of users, but thanks to emerging technologies, we’re in the process of making public ownership of public infrastructure a possibility.
If you enjoyed this post, give it a clap, and follow me on Twitter and Medium. If there is an aspect of the post you’d like me to write a separate article on, feel free to comment or contact me.
