Why we don’t use blockchain

Uri Arad
May 14 · 8 min read
  1. No centralized database - if there is no centralized database, there is nothing for hackers to attack
  2. Complete privacy - without sharing or exposing any consumer data, not even in a hashed or pseudo-anonymised fashion
  3. Full anonymity - no one can learn who is asking to validate an identity, which identity is being validated, or who is vouching for the user
  4. Clear data control - each company holds the data about its own users, and does not replicate or duplicate it anywhere else
  5. Fully compliant with GDPR, CCPA, and all other privacy regulations - this includes the user’s right to be forgotten, and the right to correct any inaccurate data

“An open, distributed, immutable ledger that can record transactions between parties efficiently, verifiably and permanently.”

In a nutshell, blockchain technology provides transparency, and the ability to generate consensus on the state of the stored data without the need for a central authority. It was designed to create agreement on transactions between two or more parties that need to be recorded with a specific timestamp. Some common use cases include financial transactions, contracts, and asset ownership records.

What about using blockchain for Identity?

We realized that identity data is neither transactional, nor is it tied to an exact point in time. Therefore, there is very little benefit in hosting identity data on a blockchain.

Can’t We Solve That?

These are very serious risks, and they have not gone unnoticed. Some companies that build blockchain-based identity solutions try to address the problems with one or more of the following workarounds:

  1. Only store a digital signature of the data on the blockchain, where the real data is stored on a separate private database
  2. Make the blockchain private — AKA permissioned blockchain

  1. If we only store signatures on the blockchain, then the data itself must be stored on a separate private database. In that case, the only value of the blockchain is to provide an immutable record of a person’s data. This may both expose the identity of the signer and prevent users from being forgotten. Moreover, we are still creating a centralized database including all the data, which we would like to avoid.
  2. Finally, permissioned blockchains limit the number of companies who can access the data, but this does not change the fundamental exposure of privacy. In addition, the more successful a solution is, the more players have access to the data on the blockchain, making it ever less secure as the solution grows more popular. We cannot assume privacy or security solely by limiting access to the network. Security must be guaranteed at any scale if it is to be meaningful.
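The first point above can be made concrete with a small sketch. This is an added example, not code from the original post or from Identiq: a toy hash chain stands in for the blockchain, HMAC stands in for a digital signature, and every name, key and record in it is constructed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

def entry_hash(e):
    body = json.dumps([e["prev"], e["signer"], e["commitment"]])
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, signer, commitment):
    # Each entry commits to the previous one, which is what makes the ledger immutable.
    prev = chain[-1]["hash"] if chain else GENESIS
    e = {"prev": prev, "signer": signer, "commitment": commitment}
    e["hash"] = entry_hash(e)
    chain.append(e)

def verify(chain):
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev or e["hash"] != entry_hash(e):
            return False
        prev = e["hash"]
    return True

def sign(record, key):
    # HMAC-SHA256 stands in for a real digital signature (stdlib only).
    msg = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def demo():
    key = b"constructed-demo-key"
    # Constructed records held in the separate private database.
    private_db = {"u1": {"name": "Alice Example", "email": "alice@example.com"},
                  "u2": {"name": "Bob Example", "email": "bob@example.com"}}
    chain = []
    for rec in private_db.values():
        append(chain, "company-a", sign(rec, key))   # only the signature goes on-chain
    erased = private_db.pop("u1")                    # erasure request: off-chain copy deleted
    without_u1 = chain[1:]                           # attempt to drop the on-chain entry too
    return {
        "off_chain_deleted": "u1" not in private_db,
        "on_chain_remains": any(e["commitment"] == sign(erased, key) for e in chain),
        "signer_visible": chain[0]["signer"],
        "chain_valid": verify(chain),
        "chain_valid_after_removal": verify(without_u1),
    }

if __name__ == "__main__":
    print(demo())
```

The off-chain record can be deleted, but the signed entry and the signer's identity stay on the ledger, and removing the entry invalidates every entry after it.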

Blockchain and GDPR

Data leaks and privacy exposure

Finally, this data can then be further copied off the blockchain, whether it is private or public, and sent to other unknown parties, similar to the way that Facebook data was copied and distributed by 3rd parties. With the escalation we’ve seen in consumers’ concern about their privacy, and the increase in data breaches and leaks in recent years (twice as many in 2018 as in 2017, which was itself a record year for breaches), companies wishing to protect their business reputation today have to be fully aware of any such risks before committing to any technological solution.

The alternative approach

We concluded that blockchain is not an appropriate solution for managing identity and private data. It introduces unnecessary risk by creating both additional complexity and a highly replicated centralized database of all identities.

Conclusion

Blockchain is poorly suited to manage identity data (or any other sensitive private data, for that matter).

Using blockchain for identity led to added complexity and increased exposure to data leaks, without providing real value. It’s a poor fit, and a serious risk. Therefore, we looked in another direction, and were happy to find a true alternative that meets all our requirements.

About the Author

Uri Arad is the Co-founder and VP Product & Research at Identiq. An expert in risk, fraud, and data solutions, Uri was previously the Senior Director of Risk and Data Science at PayPal. He has over 25 years of experience building technology and product teams, an M.Sc. in Computer Science from Tel Aviv University (summa cum laude), and served as an officer in Unit 8200 in the Israeli army.
