In May 2018, the most far-reaching legislation for the protection of personal data ever conceived took effect: The European Union's General Data Protection Regulation (GDPR).
The law was created by the European Parliament and Council to unify privacy regulation within the European Union and provides individuals extensive control over their personal data.
To accomplish this goal GDPR can impose severe penalties on violators. Companies not complying with the provisions of the law, face fines of up to 4% on worldwide turnover or EURO 20 million, whichever is higher.
The following month Governor Brown signed Assembly Bill 375, now known as the California Consumer Privacy Act of 2018, which grants Californians similar rights with respect to the collection of their personal information.
A lot has been written about how GDPR might affect not only European businesses but also the operations of non-EU companies and international corporations.
For the following analysis, we will assume that – outside of notable exceptions - the law will be enforced within and outside the EU and will govern how US-based companies treat personal data.
Personal Data – the making of Identity
Personal data is generally understood as any information relating to an identifiable individual; an identifiable person is one who can be identified, directly or indirectly, by reference to an identification number (i.e. social security number) or one or more factors specific to a person’s physical, physiological, mental, economic, cultural or social information.
Usage of personal data by third parties pretending to be the rightful data owner is considered “identity theft”. As such GDPR protects the individual’s identity.
GDPR prohibits the transfer of data outside of the European Economic Area to a third-party country unless the recipient country provides an “adequate level of data protection”
Though the United States has worked extensively with the European Commission on data security standards, it is currently not considered to be an Adequate Jurisdiction by the Commission.
Like fiat currencies, which enables governments to declare which money is legal tender, “fiat identities” are tied to government decrees over which documents it considers to be legitimate for the verification of a person’s identity. In the United States, the government began issuing Social Security Numbers in 1936.
To-date nearly 454 million different numbers have been assigned, according to the Social Security Administration.
While the original intent was to track U.S. workers’ earnings to determine their Social Security benefits, government agencies and companies soon found many new use cases for the number, gradually morphing it to a “proof of life system”.
When someone is asked for his/her "last four digits of your social" the answer is literally the government assigned serial number.
One of the more enlightened identity solutions thus far has successfully been deployed by the small European nation of Estonia. E-identity cards have already been issued to 98% of the countries citizens.
The card is a cryptographically-secured digital identity powered by a blockchain-like infrastructure on the back-end and enables Estonians to access public services, financial services, medical and emergency services as well as to pay taxes online, e-vote, provide digital signatures, and travel within the EU without a passport.
Profiling "Product YOU"
The Internet, and to a greater extend the emergence of the world wide web, have made personal data accessible to an ever-increasing number of data brokers, including those offering social engineering as a service (SEaaS).
Simultaneously, applications build on the web led to an explosion of the type of personal data that can be observed and recorded - i.e. click-throughs on web pages - which led to the creation of online identities (sometimes referred to as 'digital identities').
While most European nations have identified and battled the dangers of leaving online identity management to for-profit corporations for some years, it took a nationwide scandal - now simply referred to as Cambridge Analytica - to wake up U.S. citizens to the fact that their identities had been turned into products which are sold to advertisers and bad actors alike.
More troublesome, shockingly data brokers do not limit themselves to rent personal data to advertisers but trade this information among each other. Companies such as Acxiom (LiveRamp Holdings, Inc.) openly promote their prowess to sell personal data with statements such as
“LiveRamp IdentityLink is an identity resolution service that ties data back to real people and makes it possible to on-board that data for people-based marketing initiatives across digital channels.”
The primary (commercial) nature of Google, Facebook, LinkedIn and many of the most popular web and mobile applications is that of an advertising marketplace.
The "free service" of these companies are paid for in cash at a rate of more than $10 million each hour by marketing companies and loss of privacy by the user.
Blockchain to the Rescue?
Blockchains combine a number of features that make it desirable for the protection of sensitive data: decentralization, encryption, transparency and access controls. Many – and sometimes all – of these features are missing from most systems currently controlling personal data.
GDPR requires companies to secure personal data via multiple levels of protection to ensure that data is neither lost, destroyed, or disclosed to unauthorized individuals. This principle is shared with a characteristic of blockchain technology referred to as pseudonymization.
Consequently, a growing number of blockchain projects are attempting to tackle the topic of personal data and identity management, including Civic, SelfKey, Evernym, uPort and Shocard.
The importance of blockchain-powered identity solutions has also caught the attention of traditional technology companies such as IBM which advertises its commitment “to creating a secure, blockchain-enabled decentralized identity for everyone on the internet”.
Most often these applications are focused on improving processes around legal and regulatory burdens involving financial institutions – such as ‘know your customer’ (KYC) laws – using government-issued credentials.
Others subscribe to the idea that consumers might be interested in being their own data broker and thus profit from selling their personal information.
As shown above, current government systems and the treatment of personal data as commodities by commercial entities are at the center of the current problems surrounding identity management. As Franklin Foer in his book “World without mind” explains, Facebook and other social media applications owe their astonishing growth rates to the fact that they removed friction from the process of personal data exchange and defaulting to ‘opt out’ paradigms which required users to act to protect their data, while often signaling greater utility by unrestricted sharing of information.
In the light of GDPR, all future applications will have to adhere to privacy by design, requiring users to opt into the use of data while adding usage transparency and anonymization to their processes.
There can be little doubt that blockchains can be part of the solution to the current crisis in identity management. However, outside of the decentralization of data handling, any approach that does not address problems created by legacy systems is not likely to find widespread adaptation.
After all, there is little value in protecting a digital identity which has already been copied by data brokers and unauthorized users. Scalability is also a challenge for those companies that seek to enable users to profit from selling their personal information as data sets with low volumes have little or no commercial value for data brokers.
A truly innovative solution is more likely to emerge from those groups addressing the needs of the almost one billion people on the planet without government-issued IDs.
As seen with the adaption of mobile phones and later smartphones, users in the developing nations might leapfrog solutions encumbered by legacy technology debt.
Finally, just like email and voice required dedicated protocols to provide end-to-end control mechanism (SMTP; VoIP), identity will require its own protocol to be owner controlled at last.