A global, decentralized interoperable digital ID system based on blockchain is possible, but it will take a long time – in fact it needs to, if we stand any chance of getting it right.
The concept of digital identity – the ability to prove online that you are who you say you are and are thus authorized to access a particular digital service or make trusted online transactions – has been around for as long as the internet has existed, but somehow we still haven’t really gotten it right.
To be sure, many of us already have multiple digital IDs – one for each service that we use (Gmail, Facebook, Spotify, online banking, etc), and each one backed by an extensive and organically cultivated digital profile. But they’re not that secure, and they’re susceptible to fraud. Also, it’s a pain to juggle multiple IDs and passwords, while solutions like single sign-on are often limited to a single platform (Google services, for example).
This isn’t a sustainable situation in a world where everything is increasingly going digital. The ideal solution would be a single digital identity that is the online equivalent of a passport, driver’s license, photo ID card or similar real-world document – something that certifies online that you are you, regardless of your physical location, where your online credentials are stored and who can verify their authenticity.
The GSMA is pushing its MobileConnect and Digital Identity initiatives as the most logical and scalable approach to digital identity by leveraging the security and relative ubiquity of mobile networks and smartphones. But in the past couple of years, distributed ledger technologies like blockchain have emerged as a sexy solution for creating a secure digital ID system that can verify any credential in any context – and without revealing more credentials than necessary.
At the Hong Kong Blockchain Week conference earlier this month, a panel of experts debated whether blockchain was a viable platform to enable digital identity. The answer: probably, but there are a lot of technological and legal hurdles to get past, and standards to be agreed upon.
Put another way, creating a global, decentralized interoperable blockchain-based digital ID system is going to take a long time – not least because decentralization in general needs to be a very slow and painstaking process if we stand any chance of getting it right.
Trusted information flows
Tackling the digital ID problem starts with the realization that digital identifiers are already everywhere, but they all operate and interact in very different contexts, said Nathan George, CTO of Sovrin Foundation and Hyperledger Indy.
“Blockchain technology makes it possible to have the ability to verify and understand the information in a way that they can be public, and it can be global,” he said.
Blockchain-based digital ID aims to establish decentralized trusted information flows between disparate parties who normally don’t trust each other or even interact with each other, at least not in the same way.
A key element of this is “zero knowledge proof” technology, which makes it possible to prove that you possess a valid credential without having to provide all your credentials.
“A classic example is using a driver’s license as proof of age,” explained George. “They can see your photo is correct, the correct person is presenting it and that you’re over a certain age, but they don’t need to see your birth date or your driver’s license number or other information on the license.”
Zero knowledge proof also means you don’t have to use the same identifier everywhere, he added. “You can say, ‘I am the same person that this other authority knows and trusts’ without telling them exactly which person you are.”
To run with the driver’s license example, if you want to create a digital version of one, you want to create something standardized and decentralized that the police can verify without harvesting and storing tons of personal data about everyone.
A decentralized digital ID eliminates the need for the police officer to access a database in the first place, George said. “Instead of the data flowing from the police officer to the database and back to the police officer, now your credentials that you hold in your own identity wallet can actually be presented directly, and the police officer can know and trust the app they’re presented with.”
The broader implication here is that this kind of credential exchange keeps the owner of the data in the loop rather than being disintermediated, he added.
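The driver’s license exchange described above can be sketched in code. This is an added example, not code from Sovrin, Hyperledger Indy or the panel, and it uses salted-hash selective disclosure, a simpler technique than a zero-knowledge proof: the verifier learns only the opened claim, but the same digests and signature are shown on every presentation, so presentations remain linkable. The Lamport one-time signature is a hash-only stand-in for the issuer’s real signature scheme, and the field names and licence values are constructed.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

# Lamport one-time signature: a hash-only stand-in for the issuer's real signature scheme.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):  # a key pair must sign only one message
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def check_sig(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def commit(salt, name, value):
    # The random salt stops a verifier from guessing low-entropy values such as a birth date.
    return H(json.dumps([salt, name, value]).encode()).hex()

def issue(sk, claims):
    """Issuer: sign the sorted list of salted claim digests, not the claims themselves."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(commit(salts[k], k, v) for k, v in claims.items())
    return {"digests": digests, "sig": sign(sk, json.dumps(digests).encode())}, salts

def present(cred, claims, salts, reveal):
    """Holder: open only the chosen claims; the rest stay as opaque digests."""
    return {**cred, "disclosed": [[salts[k], k, claims[k]] for k in reveal]}

def verify(pk, pres):
    """Verifier: return the disclosed claims, or None if anything fails to check."""
    if not check_sig(pk, json.dumps(pres["digests"]).encode(), pres["sig"]):
        return None
    out = {}
    for salt, name, value in pres["disclosed"]:
        if commit(salt, name, value) not in pres["digests"]:
            return None
        out[name] = value
    return out

# Constructed sample licence; every value is made up for illustration.
CLAIMS = {"name": "Alex Example", "birth_date": "1990-04-01",
          "license_no": "X0000000", "over_18": True}
ISSUER_SK, ISSUER_PK = keygen()
CRED, SALTS = issue(ISSUER_SK, CLAIMS)
```

Calling `verify(ISSUER_PK, present(CRED, CLAIMS, SALTS, ["over_18"]))` returns only the age claim; the verifier needs nothing but the issuer’s public key, which is the kind of data a ledger acting as a root of trust would publish.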
George cautioned that while blockchain technology can help enable a decentralized digital ID, there are a lot of technical challenges involving scalability, contextual information flows and interoperability.
Also, not all blockchains are created equal. For example, a smart contract-based system is good at making sure state changes happen correctly, but it’s not good at making sure that no one can see anything about what’s going on inside of them – in which case you want to keep as much identifier data off the chain as possible, George explained.
“We are transitioning to a system that tries to be the ‘least possible’ blockchain, which means that we need to make sure that information flows don’t happen on-chain, and we’re not storing past information,” he said. “We want a system that serves essentially as a root of trust, instead of a system that serves as the sole source of truth for every transition that might occur.”
Stitching it together
The obvious question is that if we’re going to have various blockchains managing various digital identifiers and present the minimum amount of credentials in the right context, how do we stitch it all together?
Conceptually, said George, “We want to be able to have focused, non-overlapping webs of trust where different governance frameworks can exist simultaneously, but the information can flow between them in a trusted way.”
Establishing that framework at the very least is going to require peer-reviewed cryptographic standards (such as the efforts of various working groups in W3C) “to help the regulators understand what’s going on, and also to make sure that the community has the opportunity to vet and understand exactly how to apply these standards,” George said.
There are also a host of legal issues to sort out regarding digital ID, observed Urszula McCormack, Partner for the Financial Regulatory and Emerging Technology practice at King & Wood Mallesons, from how much of the data behind that ID is verified and verifiable to how much control the owner of that ID has over that data.
“When we’re looking at creating digital identity, we need to be mindful of the need to protect data, ideally the ability to control access to our own data for conditioning and consent,” she said.
And that’s before you throw decentralization into the mix, she adds. “We run up along a lot of really interesting issues when we start to use decentralized platforms like blockchain technology, where we need to have the ability to correct the data – we may need to even destroy or anonymize that data, and that’s where it starts to get really interesting.”
There are also new legal questions that arise – for example, whether a blockchain address itself counts as personal data, McCormack said. “Likewise, that even hashed data does not lose its character as personal data and you still need to protect it to the same standard. That absolutely starts to pose a very significant challenge for public blockchain.”
In the end, the creation of a single trustworthy decentralized digital ID is a massive and complex undertaking that’s going to take a long time to construct.
On the other hand, that’s not necessarily a bad thing, said Jason Dekker, CEO of GoChain, who gave a separate talk on decentralized apps in which he urged a go-slow approach to decentralization – partly to mitigate the inevitable unintended consequences, and also to make sure that some sort of governance is in place to maintain trust in the system as the kinks are worked out.
“We could probably get about, say, 70% of the way [decentralized], but there still needs to be some form of centralization to handle and resolve disputes,” Dekker said. “It’s about knowing that humans make mistakes … and putting a framework in place so that when things break, they break properly, and that there are teams of people with systems in place to catch that and they can respond immediately and fix it.”