Utilizing Blockchain for Digital Identity: A Unified, Interoperable, Tamper-proof Infrastructure
Blockchain is a technology that will change the world. Blockchain for Digital Identity is poised to be one of the most significant blockchain applications in the next few years, as it solves many of the problems with traditional identity systems. It can bring much-needed security and interoperability to digital identity management, making it much more robust and reliable than ever before. In this post we will explore how blockchain enables more secure management and storage of digital identities by providing a unified, interoperable, and tamper-proof infrastructure.
This journal entry will outline the following concepts and how they pertain to the plausibility of implementing a National Decentralised Digital Identity:
- How do traditional identity systems work?
- What are the benefits of utilizing blockchain for identity?
- How could decentralized digital identities work?
- What are the common use cases of blockchain-based identity management?
- What benefits could decentralized identity bring to society?
How do traditional identity systems work?
The “Identity and Access Management” (IAM) system is the core of an organisation’s identity management. It caters to processes and integration in important areas such as identification, authentication, and authorisation: identifying who you are, and proving your identity through certain procedures or methods to gain access to the services that this specific organisation offers.
In the traditional identity systems of today, digital identities are fragmented across various providers. This lack of interoperability between service providers leads to both security and privacy risks that ultimately cause frustration for users.
Identity Systems For Individuals.
Identifying ourselves and our property is an integral part of a functioning society, enabling us to create thriving communities with successful economies. At its most basic level, identity is the process of ascribing information about oneself or one’s possessions. A person’s identity is currently based on a combination of their name, date of birth, nationality, and some form of ID such as a passport number or social security number. These data points are issued by centralized entities (governments) and stored in centralized databases (central government servers).
Traditional methods of identification, like passports and driver’s licenses, aren’t an option for everyone. About 1 billion people don’t have access to these forms of ID even though they’re usually required for things like banking or interacting with law enforcement. One-seventh of the world’s population is left without access to these life essentials; they cannot vote in elections, take out a mortgage, or find employment. Their inability to attain officially recognized forms of identification leaves many with a lack of access to financial services, as their data is not universally recognized.
Identity Systems For Companies.
Businesses will often collect sensitive information from their customers and store that data alongside less-sensitive routine data which they collect. Data within companies is relegated to small, closed databases, and becomes less valuable in driving improvements, as well as in understanding the customers of those businesses. With the rise of user privacy-centric regulation such as GDPR and the shift of industry focus to corporate IT responsibility, enterprises face a multitude of new business risks. Enterprises that choose to ignore data security and pursue corporate or revenue goals without considering their users are taking a costly risk for all parties.
Security and identity are complex and ever-evolving issues for enterprise and government systems alike. Organizations are rapidly migrating to cloud-based and mobile services in order to cut costs and boost productivity. Despite this, the benefits of these technologies only exacerbate the challenge of verifying user identities and managing access to applications and data by consumers, employees and business partners from multiple devices and locations. Large businesses, governments, and even non-profit organizations have built up organizational silos over several decades. ID management processes require key data to operate; however, because of this silo approach, ID management and IAM are hard to implement.
What are the benefits of utilizing blockchain for identity?
To understand the benefits, we should first understand the challenges current identity systems face. Identity is subject to varying types of problems such as potential loss, theft or fraud, along with the previously discussed silo implementation and the lack of an authoritative ID repository. ID processes are also often manual and slow, which adversely impacts the productivity of organizations.
Several industries suffer the problems of current identity management systems:
- Government: It’s not uncommon for there to be a lack of interoperability between departments and government levels. These types of inefficiencies, and a lack of communication between departments, limit the effectiveness of government agencies, ultimately wasting valuable resources that could be put towards improving public services like healthcare or education for citizens.
- Healthcare: The global healthcare system is broken. Half of the world’s population does not have access to quality health care, and there is a lack of interoperability between actors in the space (hospitals, clinics, insurance companies, doctors). Patients are often left frustrated and receive delayed care because of inefficiencies by all parties involved.
- Education: The rise in the sale of fake academic certificates has led to an increase in the hiring of unqualified professionals, which is damaging both for universities and for the productivity of companies. The danger lies not only with those who purchase these fraudulent credentials but also with employers who are left with very few options for verifying the legitimacy of these credentials.
- Banking: It is a known fact that banking institutions require passwords and login details to be used for authentication, which decreases the security of users. This creates an opportunity for hackers, as stated by a study from British-based security firm Imperva. They found that 73% of Internet bank clients share their online banking password with non-financial sites, and 47% re-use both their online banking user name and password. The results are based on a sample of 4 million users.
- Businesses: Corporations are in a tough spot when it comes to storing their clients’ and employees’ personal data, as it is a source of liability for companies. A personal data breach may result in huge fines due to GDPR infringement. When British Airways experienced an enormous breach that leaked 400 thousand customers’ information last year, the company was hit with fines of £20 million and consequential damage to the organisation’s brand.
Digital identities reduce bureaucracy and delays within organisations and allow for more efficient ways to communicate without compromising security. However, if this digital identity is stored on a centralised server, it once again becomes a target for manipulation or theft by hackers. To be usable, identities need to be portable and verifiable any time, anywhere. Digitization can enable this, but not by itself: identities also need to be secure and private.
The modern internet era has brought about two types of digital identity management, which have taken contrasting approaches to user authentication. The first is a Siloed Digital Identity Management system, where users are issued an identity credential for each organisation or service they use online. Ultimately this has provided users with a poorer experience online, and inadvertently led to widespread security concerns caused by inadequate user-generated passwords.
This has led us to the Federated Digital Identity Management systems offered by third-party login services, the most common of which are “Facebook Login” and “Google Login”. Companies are opting to outsource their identity management, but that is not without risk: they are outsourcing it to major corporations looking to amass large databases of personal data for their own economic interest. This leaves us in an unenviable position where we are continuously surveilled by these corporations while simultaneously being forced into giving up more information about ourselves than ever before as they vie for our attention span.
Blockchain-based digital identity solutions provide a unified infrastructure where all stakeholders can securely store their own data with access control rules applied at the granular level. The blockchain acts as a verifiable data registry, similar to an encrypted “phonebook” that anyone can consult to verify which decentralised verifiable credentials belong to which individual, organisation or even which Internet of Things (IoT) device.
How could decentralized digital identities work?
A digital identity naturally emerges as you use personal information online, and ultimately creates a “shadow data” trail based on what you do while being online. A person’s complete online persona may include data points linked to their device’s IP address, for example, a randomly-generated unique ID, but that alone may not necessarily have any relation with you in real life. Other data points that can help form a digital identity include usernames and passwords, driver’s license number, online purchasing history, date of birth, online search activities, medical history, etc. Biometric, behavioural and biographic data are also data points of a person’s identity that could be digitized to strengthen their digital identity.
For a more technical explanation of how a digital identity can be created: a user / citizen can sign up to a self-sovereign identity through a national data platform to create and register a DID. During the sign-up process, the user is issued a pair of private and public keys, similarly to how a citizen is issued an ID / social security number. Public keys, or what we can refer to as the “Entity ID”, could be stored on the blockchain and distributed throughout a network maintained by the entire population of a nation. Additional data associated with an “Entity ID”, such as attestations, can be anchored on-chain; however, the full version of the data should not be stored on-chain, to maintain scalability and compliance with privacy regulations.
An alternative school of thought explores the use of decentralized identifiers (DIDs) as a method to offer additional privacy to users. These are pseudo-anonymous identifiers for a person, company, object, etc. Each DID is secured by a single private key held by the user / citizen, and only the private key owner can prove that they own or control their identity. However, this creates the scenario where one person may have many DIDs, which limits the extent to which they can be tracked across the multiple activities they participate in online and in their lives. For example, a person could have one DID associated with a social media platform, and another, entirely separate DID associated with their credit reporting platform.
Each decentralized identifier (DID) can be associated with numerous attestations (verifiable credentials about the user or citizen) issued by other DIDs, which attest to specific characteristics of that DID (e.g., residence location, age, diplomas, certifications, proof of salary or payslips, etc.). These credentials would be cryptographically signed by their issuers, which would allow the owners of these decentralized identifiers to store these credentials themselves instead of relying on a single Federated Digital Identity Management system provider (e.g., Google, Facebook). Similarly, non-attested data such as browsing histories or social media posts can also be associated with DIDs, which are entirely managed by the user. This allows for data sovereignty unlike anything we have today over the valuable data we generate with our day-to-day browsing habits.
With the revolutionary system of decentralized identities, privacy and security are ultimately the more pertinent questions that need to be answered. Securing decentralized identities cryptographically requires managing both private keys, which are known only to the DID’s owner, and public keys, which are disseminated widely throughout the blockchain network. The pairing does two things. Firstly, authentication, where the public key verifies that a holder of the paired private key sent the message. Secondly, encryption, where only the paired private key holder can decrypt a message that was encrypted with the previously mentioned public key.
This method of implementation allows users to present the verified identifier in the form of a QR code, which would prove various aspects of their identity and efficiently allow them to access certain services. The service provider can reliably verify the proof of control or ownership of the presented attestation by utilizing an automated blockchain explorer. The attestation would be associated with a DID, and the user / citizen signs the DID with the previously mentioned private key, efficiently allowing access to the requested piece of data.
As explored above, only references and the associated attestation of a user’s verified credential are put on the ledger. Individuals can maintain privacy by using pseudonymisation to correlate different data sets. So, instead of storing actual private information, the only things stored on the ledger are entirely controlled by the identity owner. DIDs are independent of centralised registries, authorities or identity providers.
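The flow described in the preceding paragraphs, as an added example that is not part of the original post: an issuer DID signs an attestation, only its digest is anchored in a stand-in registry, and a verifier checks the issuer's signature plus the holder's proof of control over a fresh nonce. The in-memory `registry`, the `did:example:` identifiers, the function names and the sample claim are assumptions made for illustration, and the code covers the signing (authentication) use of the key pair, not encryption.

```javascript
// Added illustration: every name here (registry, registerDid, ...) is hypothetical.
const nodeCrypto = require('node:crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest('hex');
const sign = (key, msg) => nodeCrypto.sign(null, Buffer.from(msg), key).toString('base64');
const verify = (key, msg, sig) =>
  nodeCrypto.verify(null, Buffer.from(msg), key, Buffer.from(String(sig), 'base64'));

// In-memory stand-in for the ledger: DID -> public key, plus credential digests.
const registry = { keys: new Map(), anchors: new Set() };

function registerDid() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const der = publicKey.export({ type: 'spki', format: 'der' });
  const did = 'did:example:' + sha256(der).slice(0, 16); // placeholder DID method
  registry.keys.set(did, publicKey); // only the public key is published
  return { did, privateKey };        // the private key never leaves its owner
}

function issueCredential(issuer, subjectDid, claims) {
  const payload = JSON.stringify({ issuer: issuer.did, subject: subjectDid, claims });
  registry.anchors.add(sha256(payload)); // the digest is anchored, the claims are not
  return { payload, signature: sign(issuer.privateKey, payload) }; // held off-chain
}

// The holder proves control of the subject DID by signing the verifier's nonce.
function present(holder, credential, nonce) {
  const proof = sign(holder.privateKey, nonce + '|' + sha256(credential.payload));
  return { credential, nonce, proof };
}

function verifyPresentation(p, expectedNonce, trustedIssuers) {
  const { payload, signature } = p.credential;
  let body;
  try { body = JSON.parse(payload); } catch { body = null; }
  if (!body || typeof body !== 'object') return 'malformed credential';
  const issuerKey = registry.keys.get(body.issuer);
  const holderKey = registry.keys.get(body.subject);
  if (!trustedIssuers.has(body.issuer) || !issuerKey) return 'untrusted issuer';
  if (!holderKey) return 'unknown subject';
  if (!verify(issuerKey, payload, signature)) return 'bad issuer signature';
  if (!registry.anchors.has(sha256(payload))) return 'not anchored';
  if (p.nonce !== expectedNonce) return 'stale nonce';
  const challenge = expectedNonce + '|' + sha256(payload);
  if (!verify(holderKey, challenge, p.proof)) return 'holder does not control DID';
  return 'ok';
}

// Constructed demo: a university DID attests a degree for a citizen DID.
const university = registerDid();
const citizen = registerDid();
const degree = issueCredential(university, citizen.did, { degree: 'BSc' });
const nonce = nodeCrypto.randomBytes(16).toString('hex');
const result = verifyPresentation(present(citizen, degree, nonce), nonce,
  new Set([university.did]));
console.log(result);
```

The verifier's checks fail closed in a fixed order, so an edited claim, a credential presented by someone other than its subject, a reused nonce and an issuer outside the trusted set are each rejected with a distinct reason.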
Additional privacy can be implemented through the use of something called a Zero-Knowledge Proof. This is a type of authentication that allows one entity to prove they know certain information or meet specific requirements without having to disclose any details, so that the verifying party has “zero knowledge” about what is being verified but still feels confident in its validity. This method can be useful when an entity may not trust another and needs proof, but doesn’t want them knowing anything more than necessary. This is for a deeper dive in a future journal entry.
Common use cases of blockchain based identity management?
Decentralized and digital identification can be used in many ways, and can impact various aspects of a user’s or citizen’s professional, social and legal lives. It could also bring major improvements to their financial lives, by being a cornerstone in the implementation of a National Decentralised Digital Currency. Some key use cases which are revolutionary, and not possible through current systems, are concepts such as Self Sovereign Identity, Data Monetization and Data Portability.
Self Sovereign Identity is the idea that individuals and organizations can store their own user IDs on their devices. They choose which pieces of data they will share with validators without relying on a central repository of identities. These identities could be created independent of governmental institutions, corporations or other global organizations. The Facebook Cambridge Analytica scandal showed us how large corporations like Facebook and Google control and manage users’ digital identities, and how risky this can be.
As the world looks at ownership and profit from user-generated data, blockchain-based self-sovereign identities and asset distribution models give users control over their own data. Users also have a path to monetize their own data by controlling who has access to it. Data monetization is best summarized as the use of personal data for economic gain. Personal data has intrinsic value, but insights are derived from personally identifiable data that substantially increases the underlying value. Data is being created in gigantic quantities every day. By 2022, it is estimated that over 60% of the world’s GDP will be digitized and personal data will continue to grow even more valuable.
Right now, the data you create online is intangible and invisible. Ownership can be difficult to determine with many processes as well. SSI makes it possible for your personal instance of data to be mapped back to its initial material source so that ownership again becomes clear. Under the new data protection model, individuals could either keep their personal information hidden, rent it to advertisers or AI-training algorithms, or sell it for a profit.
The EU grants the Data Portability principle, which applies to the data subject’s right to have their personal electronic data transmitted directly from one controller’s (i.e., website) system to another when technically feasible. With a DID and verifiable credential, users can migrate their identity from one system to another without having to constantly verify their identity. DID data portability also allows for reusable credentials that let users quickly re-verify themselves while meeting regulatory requirements such as Know Your Customer (KYC) requirements.
Benefits of a decentralized identity in society?
Regulations such as the European Union’s General Data Protection Regulation, commonly known as the EU GDPR, ultimately aim to strengthen identity standards that require modern identity solutions. The regulation mandates governments to provide identification to citizens who don’t have any, and it also protects personally identifiable information from misuse or hacking. This could be further improved by mandating the use of distributed ledger technology.
Digital identities are expected to contribute significantly towards economic growth throughout the world by 2030, and will be inclusive in nature, since they benefit individuals as well as satisfying global market demand. A study by researchers at McKinsey & Company estimates that if this untapped banking population of the ASEAN (Association of Southeast Asian Nations) is reached, the region will see economic gains from $17 billion to $52 billion by 2030.
More and more studies have also shown that given proper privacy controls and sufficient benefits, most consumers are willing to share their personal data. To ensure that the flow of personal information continues, organizations therefore need to make the benefits clear to consumers. They also need to embrace responsibility, transparency, and user control.
Decentralized identities are a new way of thinking about the self and what it means to be human. It’s an idea that will shape how we understand ourselves in society for generations to come. Its mission is to provide individuals with the tools and means for self-expression, privacy protection, and data security in today’s digital world. Through the rise of blockchain technology, we are closer than ever to a more decentralized world. What do you think? Would you want to live in a more decentralized society where your data is not controlled by one entity like Facebook or Google? Let me know if this article has piqued your interest and what questions it may leave unanswered!