For a full list of DID protocols see here (feel free to add any if I missed them)
In light of the recent Cambridge Analytica scandal, important questions have been raised on personal data processing and the case against large conglomerates such as facebook self-regulating. Witnessing Mark Zuckerberg’s recent court testimony, it was interesting to see the benefits that come with self-regulation: that of non-liability, which comes in handy when business’s need a quick get-out-of-jail-free card. But let’s examine a more pressing issue that was repeatedly investigated by the Senate and Zuckerberg, that of data security and the impending matter of data governance.As Senator Jon Tester, of Montana, told Zuckerberg…
“You’re making about forty billion bucks a year, and I’m not making any money — it feels as if you own the data,”
Of course, it is Facebook’s prerogative to request data from their users to enable them to sell ads and to power their business. However, when users provide consent to facebook for using their data, it is generally expected that their personal data is protected and not fall into the hands of shady 3rd parties that violate personal data to swing elections.So what can be done to regulate data privacy and tackle the problem of data governance?
**Give power back to the people.**One step in the right direction is the EU’s GDPR initiative (25.05.18) that expand personal data rights for EU residents.
Get to know your rights!
By now most businesses or entities that deal with EU consumer data are on their way to full GDPR compliance.To get a more comprehensive understanding of your rights as a data subject you can view the official GDPR document here.
Before diving into decentralised identities I would like to add that the founding principles of GDPR are a much needed and welcoming solution to some of the problems individuals experience with personal data processing. They ultimately give consumers further power to regulate the data they provide to centralised entities and 3rd parties… But herein lies the problem — If you want to use platforms or apps “for free” that monetise through ads, you don’t have a choice but to hand over your data as a substituted payment. Furthermore, most of us are unaware of the amount of unnecessary data that we are providing centralised service’s like Google, Facebook or Linkedin for using their services— Just conduct a data request on Facebook to see how many GB’s of unnecessary data they have stored on you, no doubt you’ll be surprised.The familiar phrase— “if you are not paying for it, you are the product” could alternatively interpreted “If you are not paying for it, your data is”. But if our data is governed and monetised by external authorities, should we not have the power to do the same? I mean it is our data.
The Next Step.
Luckily for us, recent developments in distributed ledgers offer disruptive solutions that are set to change the way we, as individuals, control and govern our data.Let me explain how. The official GDPR document I mentioned above uses the term ‘data controller’ to refer to a body or entity that handles and processes our data for legal or profitable purposes.**But what if the data subject (individual) could equally act as the data controller…..?**Well, for a start, we would have ultimate control and ownership of our own information. We decide what data of ours gets processed and by whom.Furthermore, we can profit from it… Already, we are witnessing initiatives such as Datawallet, Madana, and Sovrin who are paving the way to building shared data economies built on incentive protocols that allow individuals to monetise from their own data (just like Facebook does with our data). Sure, it means heightened responsibility, but that’s what self-governance is -personal responsibility.Imagine a world where we don’t have to rely on centralised authorities to manage our personal data or access our sensitive information to validate us.Through truly owning our data, we can choose who has access to it online and allow centralised authorities to access only the necessary data needed to use their services. Two questions to consider:
1) Will large data-powered business’s such as Google/Facebook even need to conform with ‘individual governance of data’ given that we currently rely so heavily on their services? —Probably not. In the case of GPDPR, they are required to comply with EU law, so perhaps lobbying for a legislated personal data protocol could be the answer.
2) How could individual data governance even work?
Enter Decentralised (self-sovereign) Identities - DID’s
Due to the immutability of cryptographically “sealed” ledgers and the architecture that DID’s provide, we are able to enhance our ability to govern our personal data in a much more secure and portable way than before.For instance: Current digital identities, such as passports, rely mainly on a centralised process that involves a personal claim (individual assertion) backed up by a proof (a valid document) which is then validated by an external authority who stores, or has a copy of your personal data on centralised servers. Every time we submit our data we are habitually storing our sensitive information across multiple centralised databases, making it difficult to track and update not to mention vulnerable to violation.Decentralised identities aim to achieve individual global uniqueness without the need for a central registration authority.
Christopher Allen helps to summarise this well:
“The user must be central to the administration of identity. That requires not just the interoperability of a user’s identity across multiple locations, with the user’s consent, but also true user control of that digital identity, creating user autonomy.”
What partly provides this autonomy is allowing the individual to essentially create and request ‘claims’ to their identity and other data such as driving licences or reputation on distributed ledgers that are cryptographically verifiable by the external party they are communicating with. By using ‘verifiable claims’ we never actually need to share our personal data with anyone in the first place. I will examine this in more depth below but first, let us get a better understanding of the DID objectives as specified below by the W3C decentralised identifier design goals. (built on Christopher Allens A life with Alacrity )
Integral components of DID’s and what they aim to achieve.
It’s important to note that the concept of decentralised identities are a product of over 13 years development. Only now, thanks to a multitude of technological advancements, refined principles, decentralised protocols and the hard work of the W3C community, are we beginning to see real world DID applications come into existence. (see here for a list)
Effect of GDPR.
Before we explore the architecture of DID’s it is important to quickly investigate the effects GDPR has on distributed ledgers.Irritatingly, since the EU commission began devising GDPR legislation early on in 2009, world application of blockchain technology was still in its infancy and not considered as a solution to the issues facing data privacy. As a result, it has bought a few contradictory issues regarding GDPR and on-chain data storage to fruition.The main issue is the GDPR’s ‘right to be forgotten’ act (erasure of data). Due to the immutability of data stored on-chain, it is impossible to erase data that has been written to a block. As Andries van Humbeeck excellently concludes in his article: The Blockchain GDPR paradox:
“Since throwing away your encryption keys is not the same as ‘erasure of data’, GDPR prohibits us from storing personal data on a blockchain level. Thereby losing the ability to enhance control of your own personal data.”
Humbeeck goes on to argue that blockchain is a more secure and accessible system for personal data storage compared to centralised servers. However, quantum computers have already began posing a threat to the standard key encryption protocols we currently use and is predicted by some to be rendered obsolete in the next ten years.Interestingly, the W3C DID specification also takes GDPR into consideration in section 5.4:
“Although a core feature of distributed ledgers is immutability, the DID method specification MUST specify how a client can revoke a DID record on the target system, including all cryptographic operations necessary to establish proof of revocation.”(note: revocation may now actually be possible using CL proofs)
So how do DID’s get round this ‘right to be erased’ conundrum?The simple answer: Don’t store your data on-chain, store a ‘claim’ instead..
Enter Self-Sovereign architecture.
A few companies such as Sovrin (built by Evernym) are already using protocols that provide on-chain ‘verifiable claims’ (proof) which validate the individuals data to the questioning authority without revealing the actual data.It does this by storing an on-chain encrypted verified claim (individual assertion) in the form of a hash which also acts as a public key to cryptographically validate the users data. To help clarify, below are a few of the fundamentals that make self-sovereignty work.
Source: Image provided by Soverin’s white-paper
1: Zero knowledge proofs (ZK proofs)— A questioning authority can use an issuers/merchants key to validate if your claim is true using a mathematical proof equation that the data provided is indeed valid without the need to reveal the actual data to anyone.
2. Public and Private keys — They allow users to safely decrypt messages between each other using a set of mathematically relatable numbers/hashes. Multiple key consensus is used and stored with service providers to prevent loss or theft of a key.
3. DID Descriptor Objects (DDO’s) — They are the on-chain ‘vessel’ for public keys and prove governance of the individual by storing the timestamp and digital signatures needed to prove a ledger.
A simple use case could be: If I needed to set up an account to purchase an online product, which is currently very common, I would need to provide bank account details…information that the company could use to market further products too. However, If I showed my DID they would only need to verify the claim to assure that the information was true, not my banking data.
So it seems that we have a robust solution that takes into consideration GDPR while also utilising the security and accessibility of a blockchain to offer an interoperable identity that can be issued to external parties to validate without compromising the users data.
A matter of consent.
At the moment, anybody can still request data from anyone as long as consent is given.The matter of individual consent and trust between parties has, until now, been contested in the past through written documentation, signatures and legislation.In comparison, the above protocols use the truth of mathematics to successfully bypass the issue of consent in a polluted data economy. Trust is put into the reliable hands of mathematics.
Further documents referenced and thanks from:w3C community group — https://w3c-ccg.github.io/did-spec/#dfn-didhttps://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf — The ICO points out a recommended code of conduct for data sharing
With thanks to Kedar Deshpande and Julio Santos.
Zeff is a community and marketing expert at Fractal Blockchain: We believe in raising the status of crypto-communities by advocating self-governance and freedom of choice through transparency and trust.
Join our forward-thinking community to receive live updates on our partner projects, latest blockchain developments and exclusive token launches that solve real-world problems. www.trustfractal.com