Similar to the internet, blockchain technology is sector-agnostic. However, similar to how internet applications differ from government to gaming, blockchain’s innovation principles are expressed differently as well. One of the areas in which blockchain unlocks tremendous potential is identity.
Want to listen to Spotify? Log in with Facebook. Want to travel abroad? Don’t forget your passport. Want to rent a new home? Obtain a proof of address. Want to read a text? Face-ID.
In our data-driven society, we use identification in countless different ways. Frankly, identity has become a bit of a mess.
At MintBit we’ve defined three identity interfaces within today’s society.
On a daily basis, our interaction interface is split between institutions, infrastructure and corporations. Every permission linked to a service or product is contingent on the provision and acceptance of certain information. Sometimes a human completes the verification process, sometimes a machine.
These new forms of interactions can be convenient and welcome. Completing your taxes online, in your own time. Replacing a visit to the embassy with an online visa application. An Uber driver that knows where you live at 2am if you’ve temporarily forgotten.
To many companies, data is the gift that keeps giving. More data; better models. In essence, your behaviour is abstracted to a collection of data points. Yuval Noah Harari famously said: “The digital revolution threatens to de-individuate us all.”
It can also be annoying. Forgetting your government log-in details, resulting in a fine for late tax submissions. Google’s autocorrect enthusiastically pre-filling details for flights, resulting in additional charges at the airport to correct your name. Bank cards that stop working abroad because they didn’t realise your free-spirited cousin likes to move around.
However, identity mishaps can also be downright dangerous. Identity theft could result in never qualifying for a credit card again. Never being able to buy a home. And much worse.
Do you know who knows who you are? Do you know how many algorithms make decisions daily based on your past behaviour? Do you even know who has access to your passport data right now?
Now consider this. Who provides your passport in the first place? Governments. A stable government is not a given. Governments can corrupt. Governments can go rogue. Governments can even collapse.
What happens to you if you lose your identity?
For many Syrian refugees, this is not a hypothetical question.
Refugees have no way of proving their identity. Actually, over 2 billion people have no documents, leaving them financially and physically at risk. Without a formal identity, you don’t count. You’re no-one. These people, with hopes and dreams, are reduced to numbers. No papers, no prospects. Even basic human rights, such as claiming aid for food and shelter, become difficult.
Thankfully, technologists such as Jimmy Snoek, co-founder of Tykn, don’t sit idle in face of such injustice.
Solving this problem is our lifeblood. My co-founder, Tey, was made a refugee in the Netherlands on account of his birth certificate having been destroyed during the Gulf war; he’s invisible. At the same time, we realised that we can’t just go to the coal face and start handing out identities. This is why we work together with NGOs and governments. We want them to be able to help people better.
Let’s untangle this mess we have made.
The levels of authentication are an internal tool we’ve developed to analyse what the identification components of individuals in data-driven societies look like, ranked by how disastrous it would be if each fell into the wrong hands.
A closer look at the digital ecosystem today unveils all kinds of odd situations.
‘Login with Facebook/Twitter/Email’ (OAuth2 for the initiated) does not prove personhood. It anchors your respective account as a reference point — a proxy if you will — to attach a profile to. It cannot unequivocally determine that you are you if, for example, you’ve provided a fake name, picture, or nationality.
We’ve all seen the consequences of this fault in reasoning. Fake news. Fake followers. Online scams. Marketing to people who don’t exist. Or the alternative: marketing to people who do exist, but who are not aware their identity is stolen.
In 2017, 16 million people in the U.S. were victims of identity fraud. In that same year, Equifax was hacked. Over 140 million US residents were at risk with their personal information exposed to the hackers. That is over half the country.
DNA tests are all the rage right now. Let’s be clear here. Companies such as 23andMe definitely are selling your data to third party companies, research institutions and nonprofits. Probably not your genetic data, but de-identified, aggregate data for research, if you give them consent. It is part of their business model.
It’s clear that today’s situation is already not ideal. Even less so when the identity interaction interface person:infrastructure becomes more prominent.
Machines deal in absolutes. If the algorithmic input is incorrect, the results could be disastrous. But we might be going about this all wrong — a sentiment underlined by Vinny Lingham, Civic CEO and Co-Founder.
Right now, we’re living in an era when people have lost control over their personal information — hacks, identity theft, impersonation are all too common. But imagine a secure, trusted digital identity, that you can access from your mobile device, protected with biometrics, and is accepted anywhere you go, from going through airport security to opening a bank account. Blockchain technology opens up these opportunities to transform the way we think about sharing information, in particular sharing, and protecting our personal information. That’s why Civic is leading the development of Identity.com, a decentralised ecosystem that will make secure, trusted identity verification more accessible to people around the world.
Today, when you fill in a form, questions expect absolute information. How old are you? How much do you earn? What is your reputation score within this system? Where do you live?
Interestingly, what the inquirer really needed to know was: is this a person above the age of 18 who is able to afford the vehicle they expressed interest in?
There is a different model of identity we need to consider. Enter blockchain.
We propose a user-centric self-sovereign identity application for the next generation of the internet: Web 3.0.
Passionate teams are working hard on making this vision a reality, such as Ashish Gadnis, Founder/CEO at BanQu.
“Identity on blockchain is old news. The real value of blockchain is its unmatched ability to create and secure an Economic Identity for the world’s billions living in extreme poverty today. The fully traceable, transparent transactions [on the blockchain] empower the unbanked to formally participate in the global economy while owning and monetising their own information. This is truly a revolutionary opportunity. BanQu delivers Dignity Through Identity.”
There are four layers:
TLDR: Put virtual identities on the blockchain. Access them through smart contracts.
In the Authorisation Domain, satellite identities allow you to do things: the question is what you can do rather than who you are. Wherever possible, you don’t want to use your identity in transactions. In the Authentication Domain, trusted parties vouch for your identity. Your personal Identity Hub is protected with a private key, binding your identity claims to your proofs of those claims. The Identification Domain is the physical manifestation of those claims.
Satellite identities can have many expressions. For example, your ‘health care Class A satellite identity’ is signed by 1) your own public key and 2) the NHS (public healthcare in the UK) private key. When your insurer queries this particular satellite identity, the NHS a) checks whether the insurer is privy to the information requested and, if so, b) responds in line with the verified or rejected identity claim. This is a relatively inexpensive cryptographic operation.
Certain questions the smart contract will accept, e.g. are you over 18? Certain questions it will reject, e.g. what is your religion?
Imagine the US Postal Service deploys their own claim issuer contract, offering verifiable claims about an identity’s postal address. Any contract requiring a verified address can simply look for a claim issued by the US Postal Service contract before allowing interaction.
The ledger would hold the transaction history, so we would finally be in control of who knows what about us, and who asked what and when. We would be better off and the identity provider could still earn with this model.
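The query flow described above, as an added example that is not MintBit's or any named project's code: an issuer signs a claim bound to the holder's public key, and the verifier answers only permitted yes/no questions while recording who asked what and when. The names `issueClaim`, `answerQuery` and `POLICY`, the `car-dealer` and `insurer` askers, and the in-memory array standing in for the ledger are assumptions; Ed25519 from Node's `crypto` module stands in for whatever signature scheme a real claim issuer contract would use.

```javascript
// Added example: answering yes/no questions from an issuer-signed claim.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Hypothetical policy: which asker may put which question.
const POLICY = new Map([
  ['car-dealer', new Set(['over18'])],
  ['insurer', new Set(['over18', 'ukResident'])],
]);

// The issuer signs attributes bound to the subject's public key.
function issueClaim(issuerPrivateKey, subjectPublicKey, attributes) {
  const subject = subjectPublicKey.export({ type: 'spki', format: 'pem' });
  const body = JSON.stringify({ subject, attributes });
  const sig = sign(null, Buffer.from(body), issuerPrivateKey).toString('base64');
  return { body, sig };
}

// Answers one question; every attempt is logged, whatever the outcome.
function answerQuery(claim, issuerPublicKey, asker, question, log) {
  const entry = { asker, question, at: new Date().toISOString(), result: 'rejected' };
  log.push(entry);
  const allowed = POLICY.get(asker);
  if (!allowed || !allowed.has(question)) return entry.result;
  // Check the issuer's signature before trusting or parsing the claim body.
  const sig = Buffer.from(claim.sig, 'base64');
  if (!verify(null, Buffer.from(claim.body), issuerPublicKey, sig)) {
    entry.result = 'invalid-claim';
    return entry.result;
  }
  // Only the yes/no answer leaves this function, never the attribute set.
  entry.result = JSON.parse(claim.body).attributes[question] === true ? 'yes' : 'no';
  return entry.result;
}

function demo() {
  const issuer = generateKeyPairSync('ed25519'); // constructed issuer key
  const holder = generateKeyPairSync('ed25519'); // constructed identity-hub key
  const adult = issueClaim(issuer.privateKey, holder.publicKey, { over18: true });
  const minor = issueClaim(issuer.privateKey, holder.publicKey, { over18: false });
  // Constructed tampering: flip the attribute but keep the old signature.
  const forged = { body: minor.body.replace('"over18":false', '"over18":true'), sig: minor.sig };
  const log = [];
  return {
    age: answerQuery(adult, issuer.publicKey, 'car-dealer', 'over18', log),
    religion: answerQuery(adult, issuer.publicKey, 'car-dealer', 'religion', log),
    forged: answerQuery(forged, issuer.publicKey, 'car-dealer', 'over18', log),
    log,
  };
}
console.log(demo());
```

The log keeps rejected and invalid attempts as well as answered ones, which is what lets the holder see who asked for something they were not entitled to.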
James Monaghan, VP Product at Evernym, puts it differently:
“In a multi-source self-sovereign identity model, the individual and the institution are on a much more equal footing than in conventional identity systems. The individual still relies on credentials issued by trustworthy institutions to prove things about herself, but she is in control of how much she shares and from which of her relationships, which is a significant step forward in terms of privacy. Similarly, institutions consuming proofs of identity can verify their source and integrity without needing to contact the issuer, which opens up a whole universe of new use cases.”
Managing a private key is a lot of responsibility.
Ideally, the private key is managed by a regulated institution that you have legal recourse against if something goes wrong. This is a massive opportunity for trusted custodians.
A bank will be a place where you store your identity, not your money. You can store money anywhere, but identity is important.
They could earn revenue providing personal data-as-a-service to partners. When a user opens an account with a bank or a telco, an identity hub would be created. Its private key could be safely stored with the user, inside their phone, credit card, or other device. The provider then creates a satellite identity, using a public key from the identity hub.
A trusted entity will need to establish some legal and enforceable rules and policies for how it all works. They’ll need to make it easy for the average person to use securely, and they’ll need to convince a critical mass of people and service providers to adopt and trust the ID — all while finding an economically viable business model.
Some institutions are uniquely positioned to solve all of these chicken-and-egg issues at once and bring this big idea to life — first among them are our citizen-facing government agencies.
As the world becomes further interconnected and digitalised, the boundaries between what we consider our ‘real’ and ‘virtual’ identity begin to fade, with physical boundaries dissolving.
Our decentralised, ad hoc nature of identity in the physical world is obvious.
It is odd that you use the same information to cross a border as to prove you are old enough to drink in a bar. The current over-collecting exists for lack of a better system.
In the physical world, people collect and manage identity credentials from various sources including governments, financial institutions, schools, businesses, family, colleagues, and friends. They also assert information themselves. These various credentials serve different purposes. People collect them and present them in various contexts. When presented, the credential verifier is free to determine whether to trust the credential or not.
Online, identity doesn’t work that way. Online identity has traditionally been single-source and built for specific purposes. Online, various, so-called ‘identity providers’ authenticate people using usernames and passwords and provide a fixed, usually limited set of attributes about the subject of the identity transaction. The identity information from these systems is usually used within a specific, limited context. Social login allows it to be used across contexts but the kind of information shared is limited and its provenance is often difficult to determine. These identity systems are not interoperable, making it hard to combine attributes from one with those of another. Consequently, online identity is one-dimensional and has limited value.
Without reimagining identity, decentralised applications will never reach scale, because there is no model to interact with them.
Digital identities allow for the storage of a lot of personal information, but also provide a vital link for transfers of assets, whether they are human, animal, tangible or non-tangible etc. In other words, digital identity is the gateway to a functioning decentralised system, and navigating the data society as a whole.
Arguably, decentralised identity could even unlock the universal basic income. But that’s a story for another time.
Any information missing that should be there? Tell us in the comments!
Many thanks to all who contributed. In particular Dave Birch, who continues to be a trail-blazer in this space.