Before you read past this paragraph, take a moment to think about how you’d define digital identity. Is it just an aggregation of access rights? How much of your physical, real-world identity does it represent? How much should it represent?
Christian Lundkvist, a blockchain engineer at ConsenSys, defines it from a high level as a “digital object that maps to a physical entity.” Lacking a universally accepted definition, I’ll move forward here with this understanding of the concept. But, of course, that really only represents what digital identity should be, not necessarily what it is.
In most of the web applications we use, our accounts don’t have to correspond to a single physical thing at all — any person, group of people, or program can do whatever they want with them if they can provide a password. That password is all that stands between most peoples’ private data and the rest of the internet, and that’s a huge problem. Password protection has always been unreliable, and lately, it’s become a trivial barrier for hackers to overcome, even with all the popular guidelines meant to make them more complex. Other approaches — two-factor authentication, for instance — have fallen short, too.
In 2017, these methods just aren’t enough to provide any real security. So how could we possibly expect that these accounts, which are easy to create, easier to access, and completely vulnerable to attack, would map to discrete physical entities with any level of reliability?
Maybe the reason there isn’t a universally accepted definition of digital identity is simple: we don’t really have any working concept of it to begin with. Sure, your browsing history and all those accounts — tiny fragments of your digital self — are strung together in giant folders at a dozen corporate server farms, but we can’t access them. That means we also can’t use them to validate that composite image, which might actually be something like a true digital identity, in any usable way.
And validation is really the fundamental challenge in establishing a trustworthy identity, digital or otherwise. Any time you need to prove an attribute of your identity — for instance, if you claim you’re older than 21 in order to buy some beer — the first response you should get is “Ok, who says?” You can then provide your driver’s license as proof, because if the license passes security checks and states your age, the “challenger” can reasonably trust your claim. Wouldn’t it be great if we could create some digital object like that driver’s license, complete with its security measures, its authority, and its universal acceptance?
A young man proves he’s old enough to purchase alcohol in this flawless example of the effectiveness of modern authentication
The answer — of course — is blockchain technology. This isn’t meant to be a comprehensive overview of blockchains, but if they’re new to you, here’s everything you need to know in the context of this article: a blockchain is a big ledger of data (collected in chunks called “blocks”) that anyone can download. Once it’s synced, you can contribute to it and compare it against other peoples’ copies of the chain to verify its contents. Based on some pretty cool algorithms, this network of users can come to a consensus on what’s valid in the chain and deter invalid behavior.
This is how cryptocurrencies enforce scarcity — in other words, they make sure you can’t spend the same dollar twice and that the supply is limited — and its use has expanded to include executable code (i.e. “smart contracts”). When a contract is deployed to the Ethereum blockchain, its users know it will be executed in the same way by every party involved: this means you can trust the network and the code, so you don’t have to worry about whether you can trust the people you’re interacting with (just like traditional legal contracts offset trust in non-digital business relationships).
In other words, a smart contract could be a digital object like that driver’s license: if a valid source attests to your age in a trusted contract, the clerk now has proof that you’re old enough to drink, and will then finally sell you that Smirnoff Ice you’ve been trying to buy since four paragraphs ago.
A smart-contract-based identity on the blockchain could validate practically anything — that you’re a real person and not a robot, your association with a particular Facebook account, your credit score — and you could selectively prove whatever attributes are relevant on a context-by-context basis. In fact, you don’t even need to reveal any of it to anyone: Ethereum has already begun validating zero-knowledge proofs, which are crazy math operations that can satisfactorily prove that you know (or digitally possess) a thing without actually revealing that thing.
And even as some critics call it far-fetched, progress continues: for example, uPort (a project built on Ethereum) has successfully built a usable alpha and a talented team of developers, and at least one city government has already started to leverage the technology to manage its population’s legal identities. Concerns about privacy on a blockchain — motivated by the public nature of the data on the chain — fail to account for Ethereum’s capacity for zero-knowledge proofs.
Skepticism is granted in any bleeding-edge space, but the unavoidable truth is we desperately need a new approach to how we manage identity online. The riskiest path forward is the one we’re stuck on now.
How many followers would Trump have if Twitter forced its users to prove they were human? One in five election-related tweets in 2016 came from fake accounts, and at least 13,000 bots suddenly disappeared after pushing for Brexit. This problem has been around for longer than that, though: for years, authoritarian regimes have been using bots to spam hashtags their people rely on to organize, or to misrepresent their support and spread propaganda, or to engender viral, divisive content meant to destabilize populations. Even back in the 2012 US election, an incredible 92% of Newt Gingrich’s followers were bots.
These networks of bots are cleverly designed to push their fake news on people who will retweet it, and to obscure the real truth from anyone who might try to verify its often-bonkers claims. They’re getting bigger, better, and cheaper, too, and today represent an imminent and substantial threat to the freedom and agency of everyone, worldwide. And people talk about this problem like it’s impossible to fight: how could we filter all the news on a social media platform? How could we possibly fact-check every post?
Artist’s rendering of a bot network spreading fake news
If we could just require a user to prove they’re a human before giving them an account, though, we wouldn’t really need to do any of that. Suddenly, there’s a real concept of digital reputation, and of course, these false narratives are dramatically less likely to catch on in the first place. It’s just that weird dude from high school posting about PizzaGate, without the support of fancy-sounding strangers with phony credentials, and the unfiltered story now looks to everyone like the lunacy it truly is.
And that’s just one of many implications that come from a robust mechanism for digital identity: maybe we could begin to do something about the 1.1 billion people worldwide without a verifiable identity in any form, which could help them get access to healthcare and education while protecting them from the forced labor and human trafficking they’re exposed to now. Or maybe we could avoid the next Equifax-level data breach, since we wouldn’t need those giant repositories of hacker-bait anymore.
If you’re thinking, “this guy is just caught up in blockchain hype,” you’re not totally wrong. But I’d remind you that I never claimed a purely self-sovereign model is necessary to fight these problems. What I’ve discussed is really quite similar to how we have always validated our identity: by providing the attestation of a mutually trusted third-party. All we need to make the current system better is a way of avoiding fraudulent attestations and providing trustworthy ones, and a blockchain happens to be a tool designed to do just that. And whether or not you’re with me on the hype, we can at least agree that the problem of digital identity could really benefit from a fresh approach.
And, really…what’s fresher than blockchain?