After more than a quarter-century of the commercialization of the Internet (the first email was sent in 1989), we still struggle to verify our identities in the digital world. Despite the presence of technologies that enable only one digital identity, we are forced to create and maintain many versions of us on the Web.
On July 5th, 1993 The New Yorker published an image of a dog seated at a computer telling his companion that “on the Internet, nobody knows you’re a dog”. This image, authored by the artist Peter Steiner, has become a symbol of how anonymity works on the Internet. And it is as relevant to the digital world today as it was 25 years ago.
Identity Verification Has No Equivalent in the Digital World
On the Web, claiming your identity is somewhat complicated. In the physical world, we use paper credentials such as ID cards, passport or birth certificate. These documents, however, do not exist on the Internet. For years, we have been spreading personal data across many fragmented identity systems that lack the necessary portability. Moving identities between online service providers became cumbersome, if not impossible. As a consequence, we end up with many digital identities, multiple versions of us.
While traveling cross-border, your passport is the single most important document proving your identity. It’s a standard that every country accepts. It has a machine-readable format and the issuer, your government, is a trusted source.
The key problem for adopting one trusted, digital identity is the lack of a standard way to verify and process digital credentials. In a physical setup, a human can judge the authenticity of the paper document just by looking at it. Repeating this procedure online is hard.
This calls for solving two major problems:
- Format – similar to paper-based credentials, we need an ecosystem that accepts one standard protocol for exchanging data
- Process – a standard process for verification of the credentials and their issuers. The system works only when the verifier of the credential (e.g. a merchant) can rely on the source of the credential (issuer, e.g. bank).
In fact, the W3C, World Wide Web Consortium, an organization responsible for defining Web standards is in the midst of solving these two problems. W3C, led by the inventor of the Internet Tim Berners-Lee, has formed a task force mandated with the mission to find a way of expressing, exchanging and verifying the so-called verifiable claims (e.g. healthcare data, bank account information, or education qualifications) securely over the Web.
The Right to Identity
The right to identity is a fundamental human right, protected by international law. Yet, according to the World Bank, today, in the 21st century, around 1.1 billion people on Earth cannot prove their identity. Of which, 40% are children under the age of 18 (and around 74 million under the age of five; you can inspect the data set here). This is a cul-de-sac for the affected, a dead-end that prevents the people from experiencing their citizenship to its fullest potential. They cannot exercise a wide range of rights or consume fundamental services. Without an ID, adults and children have no access to healthcare or education. Opening a bank account to perform a standard financial transaction is out of reach. The even darker side of these circumstances is, that these people become vulnerable to various crimes, human trafficking, child abuse, or prostitution.
To prevent an escalation of this condition, the United Nations Sustainable Development Goal 16.9 specified an aim: “By 2030, provide legal identity for all, including birth registration”.
Furthermore, the organization’s ICCPR (International Covenant on Civil and Political Rights) states clearly in its Article 1 that:
“All peoples have the right of self-determination. By virtue of that right they freely determine their political status and freely pursue their economic, social and cultural development.”
Digital identity on a national level
The concept of digital identity could provide the necessary capacity to protect an individual’s rights. One remarkable example of how the digital identity changes a whole nation is the Indian’s Aadhar, a massive digital identity program with the aim to introduce one unique identifier for all India’s residents. Under this scheme, the people are able to access a wide range of services and interact with the business using just their Aadhar number (available also as a card). The effects are already visible. In only four years, the number of the unbanked population dropped from 557 to 233 million (between 2011 and 2015), a 40 percent decrease.
Experts argue, however, that with its centralized design, the Aadhar program is not free of flaws. Having one database with all its citizens’ data is a potential single point of failure and a desired honeypot within the hacker community. A whole nation’s compromised database would lead to a catastrophe.
Another example of an experiment with the concept of digital identity is Estonia’s e-Residency program. The nation’s plan is to extend its citizenship beyond its physical boundaries. Unlike Aadhar, e-Residency is a purely commercial initiative. Since its launch in 2014, nearly 28 000 digital residents have been using this platform, establishing around 5000 companies.
It’s not a residency in its traditional sense. Holders of the e-Residency passport do not have all the rights that come with a normal passport. It merely allows its e-citizens to perform a range of commercial actions across the public and private sectors, including company registration, the opening of bank accounts or buying reals estate.
Deloitte, Estonia’s e-Residency advisor, estimates that the return on every €1 invested in the program is expected to reach around €100 (X-Road Factsheet).
The program leverages the X Road software, a data exchange platform. It is a middleware that connects, using a standard protocol, all the system participants. Besides Estonia, countries like Finland, Azerbaijan, Namibia and Faroe Islands also use this software. And since 2017 Estonia and Finland exchange data automatically via X-Road.
Many articles on the Internet state that X-Road is an implementation of blockchain technology. But the company’s former CTO, Peter Kivimäki, debunked this myth and explains in his article that “the common factor between blockchain and the X-Road is that they both use cryptographic hash functions for linking data items to each other. Besides that, there are very few common factors between the two as they serve very different purposes and use cases”.
Moving From Centralized to Self-Sovereign Identity
The Internet needs a common identity layer. The current setup has reached its tipping point. The organizations are not capable anymore of managing identities in their own silos, at the same time complying with various data protection regulations, such as GDPR.
The costs are staggering, too. According to the Ponemon Institute, alone the cost of one lost or stolen record containing sensitive and confidential data is around 165 $. In healthcare, it could be as high as 363$ per record.
Thus, it’s time to move from siloed, centrally-managed ecosystems to a scheme where people own and control their identity in the digital world. This is where the idea of self-sovereign identity (SSI) – a lifetime, portable digital identity for people and organizations – becomes an important factor.
The inventors of the Public Key Cryptography (Diffie, Hellman, and Merkle) laid the groundwork for privacy protection in the 1970s. But only in the last few years, after the explosion of interest in blockchain technology, the concept of SSI has gained momentum and starts to be a viable option for creating and managing identities in the digital world.
SSI solves not only identity-related challenges. Ctrl-Shift has estimated, that by using the SSI concept, the cost of identity assurance could fall to as little as £150 million from £3.3 billion, in the UK alone. Businesses could again concentrate on more added-value services.
On the other hand, the business of collecting data is a lucrative one. Companies such as Facebook or Google have built their business models around data collection and analysis. To use these “free” services, you pay with your identity (data). After all, there ain’t’ no such thing as a free lunch.
Beyond the legal way of making money with our data, there is a whole market for stolen personal data. For example, a Social Security Number is traded for $1 on the Dark Web, a drivers license $20, full credit card info (with CVV) $30. A full medical record may cost the buyer even up to $1000 (data provided by Experian). Prices are subject to discounts. And are tax-free.
Bye-Bye Middleman, Hello Blockchain
The blockchain technology is a significant step towards self-sovereign identity. It’s a shift from centrally managed identities towards decentralized governance where people own and control their sensitive and confidential data. In a transparent and secure way. With its secure-by-design characteristic, it might be the solution to govern digital identities. No organization or individual owns blockchain (private, permissioned blockchains are an exception). An attacker cannot alter a verified transaction on a blockchain (payment, identity) without compromising other approved transactions.
There are however certain design constraints. One of them is the storage of identity-related data. Experts strongly advise keeping the data in a secure, digital vault, outside of the blockchain. Especially biometrics tend to be very sensitive and should avoid blockchain at any cost. There are indications that future technological advancements, like quantum computing, will be able to decipher information protected by today’s strongest security measures.
But the IT community has already come up with a clever idea that addresses this constraint – DID, or Decentralized Identifiers. Instead of placing the data on the blockchain, DID’s are used as pointers to the data which is stored elsewhere (off blockchain). The Decentralized Identifier is pushed to the blockchain, together with the DID document containing a public key. And since the owner of this DID has the private key, he is in full control of it.
Companies such as Microsoft and Blockstack are already working on a solution for storing off-blockchain identities. Their idea is to create a digital hub for storing identity data (check out the project on GitHub).
The current way of how we identify ourselves on the Internet must change. It’s not a sustainable model. Nor for the consumers of online services, nor for companies offering them. On several occasions, organizations have proved themselves as incapable of guarding the user’s personal data. Take for example the Equifax breach with 140 million people affected, or Yahoo with 3 billion customer accounts hacked. And Facebook with its data leaks, possibly affecting the US 2016 presidential elections. Government agencies are also to be blamed for – the security flaws in their systems affect millions of citizens (191 million US voters data exposed). The cases are piling up.
The issue is the centralized root of the trust model. The man-in-the-middle. The hacker’s honeypot. For now, blockchain emerges as one possible solution. This technology replaces trust in humans with trust in mathematics and cuts out the middleman. But it also comes with many unanswered questions. For example, how to deal with a “51% attack” when an actor controls more than half of the mining power on the network. This would give him the power to overwrite all the transactions. According to Dr. Greenspan, if one wants to control the mining on the Bitcoin network, an investment of around $400 million in equipment would be sufficient.
Moreover, such an ecosystem requires a certain degree of computer literacy. This might prove difficult in less developed nations with limited access to computer services. To place a digital identity on a digital hub, the user must be able to access it in the first place.
And what happens to someone who lost his or her private key used to access the digital identity data? Is he or she now considered as “identityless”? Without the right to use fundamental services like the 1.1 billion of “uncounted” and unbanked? This and many other difficulties require a thorough discussion around blockchain and self-sovereign-identity.
As a final note, repainting verbally the illustration of Peter Steiner, in the era of the blockchain, that dog may need to say to his canine friend: “On the Blockchain, once you’re verified as a dog, you’ll always be a dog”