In the physical world it is easy for an individual to prove their identity. Trusted centralized bodies, like governments, issue physical proofs such as passports, driving licences and health cards. These forms of identification can be used to prove credentials such as your name, your age and whether you are eligible to drive or get a bank loan. In the physical world, there is one copy of this ID and it is held and used by the owner at their discretion. In the online world, this is not the case. User credentials are stored in data silos all over the Internet, sold to third parties and often get stolen. Blockchain technology has the ability to re-invent online identity making it more secure and bringing ownership back to the individual. This month we are going to look into why online identity is broken, the architecture behind the blockchain solution and how this will impact the world.
In order to understand how blockchain will radically improve digital identity, it is helpful to understand how the current system came into being. The Internet has allowed individuals to connect with each other at a scale unlike any medium before it. As more interactions have taken place online, so it has become necessary for users to upload and transmit increasing amounts of personal data. Ecommerce websites need home addresses in order to deliver goods, airlines need passport information to book flights and social media websites are happy to absorb as much information as possible to better target their advertising. In today’s digital world, human identity is stored in data silos all over the internet.
This form of data feudalism is dangerous. Valuable data sets sit on centralized servers with varying levels of encryption and security. These servers are subject to targeted attacks by the smartest hackers in the world, who are hoping to exploit security holes to steal and sell the data. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale. In 2017, the Equifax hack alone led to half of all American citizens losing their social security numbers to cyber criminals. Blockchain technology is one way to solve this problem. It is a more secure form of database that is decentralized and distributed, and is not subject to a single point of failure.
To grasp how digital identity works on a blockchain, there are four base concepts that need to be understood:
1. Owner: this is an identity owner that can be an individual or an institution.
2. Agent: this is a piece of software that works on behalf of a single owner. There are two types of agent: an edge agent and a cloud agent. An edge agent runs on devices controlled by the owner, like a mobile phone. A cloud agent runs on devices controlled by someone else, like a server hosted on Amazon.
3. Wallets: these are used by owners and agents to store “secrets”, which are attributes belonging to the owner.
4. Sovereign domain: this is a set of things (agents, devices, storage, services, software) under the control of the owner.
When an action takes place in the digital identity space, these concepts come to life. For example, if Alice wants to send a message to Bob, then Alice will use her wallet and her edge agent (perhaps her mobile phone) to encrypt a message. This message will then be sent to Bob’s sovereign domain. This domain may include a mail delivery service that causes the message to be displayed to Bob. Bob could also have his own cloud agent that is collecting messages and routing them elsewhere. Crucially, cryptography allows the system to distinguish between different agents that are under Bob’s control. Regardless of how the message is picked up, we can be sure that it was picked up by software belonging to Bob and not someone impersonating Bob.
Now that we understand the base concepts of owners, agents, wallets and domains, we can dive into the most important concept in digital identity: the decentralized identifier (DID). A DID is the core component of decentralized digital identity. It has been suggested that this component could have as much impact on global cybersecurity and cyber privacy as the development of the SSL/TLS protocol did for encrypted Web traffic (this is the basis for web browsing and email today).
A DID is one owner’s “identifier” for a relationship that the owner has with another entity. It is made up of two things: a unique identifier and an associated DID document.
DIDs are at the heart of decentralized identity as they are used to make verifiable claims about an owner. Such a claim has three attributes:
- Subject: this is usually the owner, but could also be a company, a pet or anything that can be described.
- Issuer: this is an organization of some sort, like a bank, a government, a university, etc.
- Claim: this is any statement that can be made about the subject, such as “is over 21 years old” or “lives at this address” or “has this name on their passport”.
A verifiable claim is when an issuer makes a claim about a subject. For example, a university (the issuer) could state that a first class degree in economics (the claim) was achieved by John Smith (the subject). This verifiable claim is trustworthy and tamperproof as it has been cryptographically signed by the issuer, in this case the university. The claim is stored on an immutable blockchain and secured by the many nodes running the blockchain network. John Smith (the subject) is now the holder of this verifiable claim and he can add it as a secret in his wallet. At any time John Smith can choose to share this secret with an online entity, who will immediately know that the claim is true owing to the university’s digital signature.
Verifiable claims, enabled by DIDs, will make browsing the internet a different experience in the future. No longer will users need to repetitively sign up to new websites with personal details. Instead, they will select attributes from their wallet to share with websites when requested. The architecture of this system also allows individuals to retain control of their own data rather than handing it over to third parties. This eliminates the risk of a single database being hacked that stores millions of personal data records.
The need for digital identity is growing rapidly. Government bodies and large institutions are increasingly trying to digitize their processes and need a way to store and verify personal information. Added to this is the growing sphere of regulatory compliance through initiatives like GDPR, which increases the need for credential verification. There are a number of different platforms building decentralized identity solutions to service this growing demand. A leader in the field is Sovrin, a project that coined the widely used term “Self-Sovereign Identity” to describe user owned and controlled digital identity.
CMCC was one of Sovrin’s first investors in 2017 and the project now has 75 organizations operating validation nodes on the network, including IBM, Deutsche Telekom and Cisco. Sovrin is working closely with the Hyperledger team (an IBM creation) in order to provide Sovrin’s identity solution for the enterprise market and for IBM clients. On the government side, it was recently reported that the Department of Homeland Security in the US has contracted one of the Sovrin Stewards to develop blockchain services for customs and immigration. The Government of British Columbia in Canada is also using Sovrin for digital credentials and verification. We remain convinced that blockchain platforms like Sovrin offer a unique solution to the secure storage and sharing of our digital identities. This technology will radically change how we interact online and could become one of the first mass market uses for blockchain technology.