Searching for “data breaches” on Google News lists the significant recent data breaches globally. Are we defenceless? Will the EU’s strong move towards “Privacy by Design” (GDPR enforced from May 2018) help?
Centralized identity services are under growing scrutiny. Data breaches affecting user accounts in 2017 already stand at 3,833 reported incidents and exceed the 7 billion records mark. Identity Force cautions that 2017 data breaches may get even messier and more serious than in previous years.
Disrupting the trust business
A recent article in The Economist says: “The trust business is little noticed but huge. Startups deploying blockchain technology threaten to disrupt it, and much else besides.”
Some years ago the term “self-sovereign identity” was coined by Moxie Marlinspike, former head of security at Twitter and co-author of the Signal Protocol. He was among the first, along with the people who started the Internet Identity Workshop (IIWS) in 2005, to build awareness in this field.
‘In a blockchain world, having such a “self-sovereign identity” may well be a fundamental human right. Moxie Marlinspike, an anarchist entrepreneur, and others have already called for the abolition of the “ID-slavery” imposed by current national registration systems. A slew of startups, including Evernym, Jolocom and uPort, are working on services that will allow people to register identities.’
The idea is that shifting the underlying centralized technology used by most services today towards decentralized technology will help to better protect personal data.
More data breaches and the enforcement of GDPR drive the strong interest from both industry and governments in self-sovereign identity, where the individual controls and owns their own data. As mentioned above, the idea of an identity that is owned by the individual has shifted over time, away from the concept of centralized identity (controlled by a single authority), to federated identity (control lies with multiple, federated authorities), to user-centric identity (control across multiple authorities without requiring a federation), to now self-sovereign identity (individual control across any number of authorities) [The Path to Self-Sovereign Identity]. Although the intention was to create an identity that is in the user’s interest, none of these schemes could withstand some sort of re-centralization of control into the hands of some authority.
An Identity for the Web3
We are at an early stage of creating the Web3, yet for a growing number of stakeholders it is becoming clear that a decentralized identity that is owned and controlled by the individual is inevitable. The drivers are not only the centralized control and data breaches of the old web, but also the need for an identity scheme that allows people to interact with blockchains, which opens up a whole new universe of business models built on blockchain technology. Interestingly, governments seem to be especially interested in utilizing blockchain technology to shape the future of identity. Several pilot projects are underway, including in Switzerland, Brazil, Estonia and hopefully soon Germany. This is really notable. Governments are not necessarily known as early adopters. But the increasing risk and administrative burden of storing citizens’ data securely on centralized servers, which represent honeypots for hackers, seem to facilitate the change towards decentralized technology.
An outcome of the excellent work of the German Blockchain Bundesverband is: “All variations of use cases have the above basic theme in common: Firstly, the interfaces to the databases must become digital and, secondly, digital identities must be sufficiently legally secure. Only in a country with digital interfaces to its databases and legally secure digital identities can an ecosystem of the Internet of Treaties flourish.”
Still early days
The number of projects and startups working on decentralized identity has exploded over the past year, and this trend is likely to continue. However, one of the biggest challenges is that there are no standards for decentralized identity yet, which makes things more difficult for all stakeholders. Nevertheless, the flourishing activity in the sector catalyzes the pace of innovation. Although a group has already formed to draft a standard specification (DID, Decentralized Identifiers), to which a number of projects intend to contribute, it will be a long way before we see a truly reliable identity standard emerge.
The Blockchain Bundesverband formulated the following legal requirements for the German government in order to enable the use of blockchain technology:
- Digital signatures, as they are used in connection with common blockchain protocols, as well as the high evidential value of blockchain entries, require legal recognition.
- The documentation of access to personal data in accordance with the European General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is to be based on a blockchain register instead of a conventional digital storage facility.
The reasoning is:
“In an increasingly digital society, it is necessary to be able to carry out legal transactions and the transfer of values and data in a legally compliant manner in the digital space. Digital identities are a prerequisite for this, which enable the population in the digital environment to act by unambiguously assigning them to a digital environment. Since no digital identity standard has been able to establish itself so far, the development of a sovereign and self-governing digital identity, in which the citizens themselves are entitled to the sovereignty and management of personal attributes and data, makes a meaningful repositioning in this area possible. A technically mature concept of such an identity, which puts the citizen at the centre of attention, opens up new perspectives in the implementation of legal regulations such as the European GDPR or the eIDAS regulation, and sets a counterpoint to the parallel world of digital identities created by social networks (especially companies such as Google, Amazon, Facebook, Apple).”
Why is a decentralized identity scheme inevitable?
Interestingly, we see a very wide range of stakeholders lining up to demand a decentralized identity scheme:
- risk-averse companies and governments that want to reduce their liability for personal data
- innovative companies and governments that want to spearhead shaping the Web3
- business-savvy companies that recognize cost benefits and new business models
- companies and governments that need to comply with the GDPR regulation
- startups disrupting the old trust models with blockchain technology
Call to action
To disrupt the trust system in a good way, we need to make sure that the following points are addressed by all stakeholders in the field.
- As suggested by the Bundesverband Blockchain in Germany, we need a digital identity for businesses and citizens. In a first step, companies need to be able to provide a digital proof of identity using the blockchain (by linking to the commercial register). In a second step, citizens should also be able to identify themselves digitally by means of a blockchain certificate (by linking to the identity card).
- Digital identity MVP for B2B and B2C.
- A digital identity for DApps (Decentralized Applications). Startups can use a fully open source identity solution for their blockchain applications. In a first step this provides one-click registration with a user’s self-sovereign identity. In a second step GDPR compliance and in a third step KYC compliance will be enabled.
- We need to ensure that efforts towards standard setting in the field of digital identity are transparent, productive and well funded in order to enable a vital playing field for innovation.
This stimulates us to continue building what we believe is needed to create a self-sovereign network where identities are safe again.
Thanks especially to the following people for inspiring conversations that helped to put this post together: Sabine de Witte, Kai Wagner, Shermin Voshmgir and all the great discussions and outcomes from everyone at Bundesverband Blockchain.