How to solve the digital identity and bring privacy to a whole new level?
In this post, Kaspar Triebstok, Partner and Systems Architect of Rubiks Digital will debate on the subjects of how to solve some of the biggest challenges of the Internet with digital identity, what is it and how can governments and people leverage from it substantially. Also, what is blockchain and how could it solve the biggest challenge of digital identity — the trust?
The problem of privacy
The most common way to create digital identities is through government agencies — the same agencies that before issued your passport, will now enter your information to the government databases. This is called a centralized system — all the information is located in one place and its access is controlled by a single authority called Certificate Authority.
With a centralized system, human trust is added to the world of data security. Because privacy is nothing more than confidentiality, availability, and integrity of your data then it has the exact same problems like in protecting any other information. Thus to give all your information to a central holder is bound to end up being misused in some given time.
“Put another way when building security systems if you have an assumption that includes trust (in keys, in human administrators) then with sufficient time you will be compromised with probability 1.” Mike Gault, Co-founder and CEO Guardtime
But this is exactly what is happening in today’s digitalized world. Information is available to the government and it acts as the Certificate Authority over your data. Indeed, in most cases, your information is protected and there are multiple laws in place to back it but as mentioned above every trust anchor is bound to fail at some given time. This is why we have seen huge privacy violations by the governments as well as unintentional leaks in the form of hacks from the public as well as private sector. Not to mention the recent US state election hack.
Although these incidents are talked about in media for some time, not much is changed, like any news, it is quickly forgotten and life goes on. Thankfully there are governments and companies that are working on innovating solutions to give their best shot at protecting the privacy of their people. One of these government approaches to the privacy problem is Estonia and it’s decentralized information infrastructure backbone called the X-Road.
Estonia’s X-Road
Estonia’s Information System is built in a decentralized manner meaning that it contains different technology stacks built in different time frames where the personal data is scattered and kept in a variety of databases. For these islands to be able to communicate with each other there needs to exist a data exchange layer that provides its members’ autonomy, confidentiality, integrity and availability.
There are still plenty of countries that could not imagine giving away the kind of power and control that they managed to achieve with the conception of Internet
In Estonia, this system is called the X-Road which was started in 2002 by the Estonian Information Technology Center. In 2003 the Estonian government passed a legislation that demanded that every government agency must be connected to the X-Road data exchange layer by the year 2005 and today they have more than 219 separate databases, 939 institutions and 1723 services connected, both from the government as well as private sector.
Because the Population Registry, Health Insurance Fund, and many other institutions are connected to X-Road, it means that one’s personal information is also available on the network. The security over the data is solved by signing each data transaction with a digital stamp (signature) by the person who distributes the data. This means that at any given point you are able to query who, when and why has requested and received information about you. Each member can control separately who can access the data they hold. It is the capability of the individual data holder to decide over its access control that provides the autonomy part.
When talking about privacy one of the most significant areas is the health care. There are multiple laws in place to protect this data, one stating that people own their personal data giving them access to see who has viewed their data (for example their doctor, police official or other). While the X-Road still has a Certificate Authority that decides who is who in the network, the government is acknowledging the issue of integrity in cyberspace and working consistently to improve it.
“I have AB blood, I don’t particularly care that people know that. But if somehow that information was changed, well then I could end up dead.” Toomas Hendrik Ilves, President of Estonia
Although X-Road, the layer itself and the core technology have been around for more than a decade already, it is how it is improved on that solid foundation that creates the true innovation. Today we are seeing the involvement of blockchain with the X-Road data layer. Estonian government is collaborating with Guardtime — an industrial blockchain platform powering digital transformation to accelerate adoption of blockchain based transparency and auditability to improve security in the lifecycle management for patient health care records.
Read also: 6 technologies that are changing the way we live and how to use them for your business
Blockchain — how it can help to improve data integrity — make data transactions more transparent and auditable
Writing about digital identity and decentralized systems today, one cannot skip the subject of the blockchain. For all those who are unfamiliar with the term or have heard it but don’t really know what it stands for then blockchain is simply a database technology. To be more precise blockchain is one form of decentralized database technology where the entire information of a network is present in each network computer. Each of these computers or nodes hold the entire history of the transactions done on that network. The most famous example of blockchain-backed technology is the Bitcoin but there are also different protocols built on top of it like Etherum or the possible successor to HTTP, IPFS — A peer-to-peer hypermedia protocol.
Blockchain security
Why blockchain has received a lot of attention lately is because of the inherent trust it brings. What makes it so secure is that transactions can only be added to the database, never removed, with each new record cryptographically linked to all previous records in time. This form of linking creates a chain of blocks. If you now want to hack one block of the entire blockchain you not only need to hack one but simultaneously all the preceding blocks as well. Since there are millions of blocks each using highest levels of encryption then that task requires at least 51% of all the computing power of the entire network. That is a difficult task.
“By cryptographically linking the records it is impossible for one party to manipulate previous records without breaking the overall consistency of the database.” Guardtime
Thanks to its characteristics explained above, blockchain has a 100% crime detection ability meaning it is fully auditable. People like Don Tapscott also call it the trust protocol:
With the trust coming from cryptography and not established by some big institutions, blockchain will act as the trust anchor itself. What is especially fascinating about the blockchain is that you can use it to improve the systems already in place as we saw in the case of it being used with the existing Estonian X-Road system.
The use of any decentralized system may it be blockchain or anything else is useless in the face of data privacy when there isn’t a way to identify people online. It is only possible to guarantee auditability of any network when every member of that network has a digital identity.
What is digital identity?
Digital identity is a set of attributes that can be related to an entity. In the context of this post the entity is a person that acts online. Digital identity is an umbrella term and may include the entire collection of information about a person’s online activity as well as his civil and social identity. In the context of privacy and distributed systems, the information in the digital identity is used by the computer to make decisions about how to interact with a specific person. Identity allows a computer to tell with whom it is interacting with and thus what access that person has to any data. Keeping this in mind let’s treat the term digital identity as a proof of someone’s real civil identity and everything immediately relatable to the physical world.
Blockchain has a 100% crime detection ability meaning it is fully auditable
There are many private sector initiatives started to provide people this secure digital identity. Many of them also built on top of the abovementioned blockchain technology. For example, there is Bitnation that provides the same services traditional governments provides, from insurance to security — but in a geographically unbound and decentralized way.
Another digital identity provider relying on blockchain technology is BlockStack.
“On Blockstack, identities are referred to as “blockstack identities” and they come with profiles and globally unique names. Profiles can contain both private and public information, which is attested to by the user and can be verified by peers and select authorities. Identities can be registered for people, companies, websites, software packages, and more.” BlockStack
Recently Deloitte released Smart Identity proof of concept to provide digital identity management on the Blockchain.
“The Smart Identity solution will take the first step in evolving digital identity from a disparate record-set into an empowered and verifiable digital entity” Stephen Marshall, head of financial services at Deloitte UK
As you can see there are many private sector identity providers and I am confident this number will rise in the upcoming years. But addition to the private sector, the governments have started to see the economic benefits in providing digital identities as a service. This brings us back to Estonia — country whose citizens have had a secure digital identity since 2002 when the first e-ID card was issued. Now, fourteen years later Estonia is handing these ID cards out to everyone willing to apply and pass the background checks. It is called the e-Residency program. Not only are people receiving a digital identity from the government of Estonia but they can now interact with the country and its online services digitally as they would in a physical world.
Read also: Case Study: How Estonia became the global digital leader and what businesses can learn from it
This form of government-backed digital identity really represents the top kind of secure identity. There are government security agencies doing background checks to eliminate the bad guys from reaching the network. The distribution of these identities is done in a controlled manner (each person receives the card after she has shown her document and face to a qualified person). And what is more, the provided identity is now accepted by any member state of the European Union — this is something no private sector company can compete with. In the growing world of digital identity providers, the backing of a government body means one has access to a much greater marketplace.
Your privacy
Whether it is built on X-Road technology or blockchain or the combination of those with the digital identity, it is possible for either the government or private sector to build very secure networks that are auditable to a very high level while not having one trust anchor or Certificate Authority. When there isn’t a central anchor, the network itself can decide over the data usage thus acting as the trust anchor itself. All the personal data is on a layer that is much harder to cheat. Any transaction done is recorded and signed by a government-backed digital identity. This is a level of security that has not been seen from the beginning of governments.
With a global network of digital identities, everyone using the Internet through their secure digital profile it is easy to see the future with less cyber crime, cyber attacks, spam, fake traffic and so on. This is something that every government should strive for and people should demand. Unfortunately, there are still plenty of countries that could not imagine giving away the kind of power and control that they managed to achieve with the conception of Internet and the ensuing digital surveillance.
by Kaspar Triebstok, Software Architect
