Blockchain and Digital Identity…Even though several steps have been taken to improve the identity industry, incorporating the blockchain can truly disrupt this space. In this guide, we are going to look into the problem with traditional centralized identities and how the blockchain can improve this industry.
What is Identity?
Personal identity is one of the fundamental human rights as per Article 8 of the UN’s Convention on the Rights of the Child. At its most basic level, identity consists of:
- First and last name.
- Date of birth.
- Some form of a national identifier such as passport number, social security number (SSN), driving license, etc.
The importance of identity can’t be overstated. Without a valid form of ID, one can’t own property, vote, receive government services, open a bank account, or find full-time employment. Without control over one’s identity, it is easy to become invisible and be unable to participate in society simply because one can’t prove that they are who they say they are.
However, there is a big problem plaguing this space. All this data, such as passport number, SSN, driving license are stored in centralized servers and databases. This leads to three major issues:
- Only these centralized entities can give out identities.
- These centralized entities can mishandle your personal data.
- Identity theft.
#1 Giving out identities
Since traditional centralized identity is maintained in centralized servers, these entities have the right to issue and validate these identities to anyone they want. According to the United Nations, 1.1 billion people worldwide don’t have a way to claim ownership over their identity. Without a valid identity, it is near impossible to open something as basic as a bank account. As such, the number of unbanked people around the world keeps increasing.
Check out the following graph:
Turns out that a staggering 2 billion people around the world don’t even have a bank account. Of these, 438 million people are unbanked in SE Asia alone, that’s 73% of the entire population living in the region alone. A study done by McKinsey shows that reaching the unbanked population in ASEAN could increase the economic contribution of the region from $17 billion to $52 billion by 2030.
#2 The Entities can mishandle your personal data
Take a look at the landscape that we are living in right now. There are multiple platforms online, and each platform requires you to create an identity to access it. You must create a Facebook profile to access Facebook, similarly, you must create a Reddit account to access Reddit.
Now, what is the problem with that?
Every single one of these platforms is creating their own identity silo. We are renting out our identity to them without having any ownership over it. This can lead to some pretty devastating results as we have observed with Facebook.
The Facebook Case
What really happened is as follows –
In 2014, Cambridge Analytica, a British affiliate of U.S. political consulting firm, hired Aleksandr Kogan, a Soviet-born American data researcher at Cambridge University, to gather necessary profile information as well as regarding the likes/preferences of Facebook users. Kogan developed an app called “This Is Your Digital Life” (a.k.a “thisisyourdigitallife”). The app is a series of surveys the purpose of the which was declared at that time to be academic and users were encouraged to complete it in exchange for a small amount.
Some 300,000 Facebook users downloaded the app knowing that it will collect their basic personal info, but what they didn’t know that app can also collect other personal information of them as well as of those people in their friend list. This was possible because of how Facebook is designed. It was discovered later that the app declared it will collect information of people in the users’ contact in terms of services, but then which general users read those?
The number of people hit by the data breach was assumed to be 50 million but later turned out to be around 87 million. Out of that 70.6 million users are from the US, and as per Facebook’s estimate California (6.7 million), Texas (5.6 million), and Florida (4.3 million) ranked top.
So what type of data was leaked?
After the report, Facebook intimated perceived affected users that the data breach includes public profile, birthday, current city, and page likes. But that was not all since some users granted the app permission to access their timeline, News Feed, and messages.
When we mentioned that it was a design flaw of Facebook, we mean that Kogan did have permission to collect such information in general sense. An email of Kogan retrieved by Bloomberg revealed – “We clearly stated that the users were granting us the right to use the data in broad scope, including selling and licensing the data.” Since 2007, the social media company has allowed third-party apps which, in case of Kogan’s app, if the user privacy settings allowed it, can collect information on friends of the users.
Facebook had claimed that the firm was lied to as it knew it was all for academic purpose and the company policy was violated when Kogan handed over the data to Cambridge Analytica. However, Kogan has claimed that the app’s terms and conditions specifically mentioned “commercial use.” Facebook’s statement is it was aware of this incident in 2015 and hence did demand all data given to other parties to be destroyed.
Cambridge Analytica claims that it has deleted all the data and also carried out an internal audit to make sure of that no backup exists. However, according to the New York Times’ March 18 report, several documents and emails suggest otherwise. Also, Michael Schroepfer, CTO of Facebook, agreed that since the investigation result is pending, he can’t confirm if and what data Cambridge Analytica still has.
Given the policy of Facebook, it seems possible that the firm may have sold user data to Cambridge Analytica for a price through Kogan. Financial records and emails suggest that Kogan was paid $800,000 by Cambridge Analytica and also the right to keep the data – which he can sell again if he chooses.
Note that the data included the locations of the users and was detailed enough to allow Cambridge Analytica to create a psychographic profile – a psychological map of people as per demographic. This map now can be used to decide what kind of messages would be most effective to advertise in Facebook or other online platforms to influence a particular group of people of a specific location for political campaigning – called psychographic targeting or modeling.
Various political organizations used information from the data to attempt to influence public opinion. Cambridge Analytica received payments from politicians to use information from the data breach the following political events – 2015 and 2016 campaigns of United States politicians Donald Trump and Ted Cruz, 2016 Brexit vote, 2018 Mexican general election for Institutional Revolutionary Party.
Cambridge Analytica denied using the Facebook data from Kogan’s firm in the 2016 election or employing psychographic modeling techniques on behalf of US presidential candidate Donald Trump’s campaign. But it’s not clear whether the firm used the data in other ways to better understand and target voters.
The U.K. has data-protection laws which ban the sale or use of personal data without consent. In 2011, Facebook settled privacy complaints by the U.S. Federal Trade Commission by agreeing to get explicit consent from users before sharing their material. The FTC is now investigating whether Facebook violated the terms of that 2011 consent decree. The company would face millions of dollars in fines if it were found to have violated that pact. Lawmakers in the U.S. and U.K. are conducting their inquiries.
In the aftermath of the report, political parties from both the US and the UK demanded answers from Facebook, eventually forcing Mark Zuckerberg to finally testify in front of the US Congress later in 2018. The UK’s Information Commissioner’s Office has fined Facebook £500,000 ($663,000) for failing to safeguard user information as per the data-protection law.
Facebook is now under the U.S. Federal Trade Commission (FTC) investigation as it did agree to by getting explicit consent from users before sharing their material against the privacy complaints in 2011. In March 2019, a court filing by the U.S. Attorney General for the District of Columbia alleged that Facebook was aware of Cambridge Analytica’s improper data-gathering practices months before they were first publicly reported in December 2015.
However, the rabbit hole doesn’t end there.
According to this article by End Gadget, Facebook has been a bulletin board for identity theft sales. Cybercriminals have been “advertising stolen information like addresses, credit card numbers, dates of birth and social security numbers on Facebook.” Turns out that this has been going on unchecked for years.
Image Credit: End Gadget
Hearing stories like these make it pretty clear that siloed identities are merely outdated and not good enough anymore. A solution was desperately needed.
#3 Identity theft/Hack
Another recurring issue with the digital identity space is constant identity theft. Identity theft can occur because of multiple reasons.
It could be a simple case of duping. Take this case for example:
From 1997 to 1999, in San Diego, California, one of the most infamous cases of identity theft happened. Bari Nessel would be hiring people for a job, and in the process, she obtained their personal information. One of the people she duped was Linda Foley. She accrued large amounts of debt on Foley’s credit card.
However, there is another instance of identity theft that we want to look into. This instance has far more severe repercussions than the case discussed above. In 2017, Equifax, one of the top credit-reporting companies disclosed that they were hacked. The hackers stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May and July. This attack affected half the US population.
Now, what is so scary about this attack?
- You had no control over your data. You trusted some third-party to keep it secure for you, however, since everyone’s data is kept with this party, it becomes open for hacks and attacks.
- The company probably knew that they were getting hacked and yet they didn’t inform the people in time. This lack of transparency can be a huge problem when dealing with these companies.
So, let’s summarize everything that we have learned so far.
- The digital identity industry, as we know it, is broken.
- Some third-parties are responsible for issuing and storing identity data.
- These third-parties are vulnerable to attacks.
- They can be irresponsible and downright corrupt when sharing your data.
Incorporating the blockchain into this space can solve all these problems. Before we go any further, let’s look into what the blockchain is. If you are already familiar with the tech, then you can skip the following section.
Blockchain: Definition and Features
A blockchain is, in the simplest of terms, a time-stamped series of immutable data that is managed by a cluster of computers and isn’t owned by any single entity. Each of these blocks of data (i.e. block) are secured and bound to each other using cryptographic principles (i.e. chain).
The reason why everyone is so excited about the blockchain is for its following three features:
- Decentralization: None of the data in the blockchain is owned by one centralized entity. All the nodes in the blockchain’s network hold the data.
- Immutability: Once data has been entered in the blockchain, it cannot be tampered with. This happens because of cryptographic hash functions.
- Transparency: All the nodes of the network can see all the data that has been entered into the blockchain.
The Three Main Problems That Blockchain Will Solve
What are the three main problems plaguing the digital identity space which the blockchain can solve?
- Digital units shouldn’t be easy to replicate.
- Digital files should be tamper proof.
- Digital processes should be tamper proof.
#1 Digital Units Shouldn’t Be Easy To Replicate
Anything of immense value should be complicated to replicate. The same is true for personal digital identity. It shouldn’t be possible for two people to use the same identity details. This is not just limited to identities. In the cryptocurrency space, this problem is called “double spending.”
Double spending means that you are using the same coin to conduct more than one transaction. Think about it like this. If you had a $10 note with you, it should be impossible for you to spend that money in more than one transaction at a time. If you are in a shop, then it should be impossible for you to buy two $10 items at the same time using the same $10 bill. You can mitigate that in fiat scenarios because:
You are either physically transferring cash from one hand to another.
- You have a centralized entity i.e., a bank which oversees all the transactions.
Digital money is different from fiat in that regard. When you are making a transaction, you are simply broadcasting to the network that you want to send a particular amount of money to someone else. What is stopping you from making another transaction with the same coins before the entire network agrees to validate your previous transaction? How will the network know which transaction is genuine and which isn’t?
Bitcoin mitigates this via the utilization of blockchain technology:
- Each transaction has to be verified by the users of the blockchain network.
- The miners validate the transaction in exchange for a fee.
- If the miners don’t catch a double spend transaction, then they will lose the fees.
If someone attempts to double spend using the same Bitcoin, then both the transactions will get automatically rejected. Once a transaction is verified for a particular bitcoin, its details get added into a block.
All the blocks in the blockchain are linked via a hash pointer. Each block stores a hash of all the data that is stored in the previous blocks. Plus, as we have said before, the blockchain is transparent so all the data inside the blockchain can be visible to everyone who is part of the blockchain’s network.
So, applying this logic in Bitcoin, every single bitcoin can be accounted for via its transparency. Also, any attempt to change the coin’s history will be impossible as the transactions stored in the blockchain are hashed cryptographically to the previous blocks. The immutability and transparency of the blockchain prevent double spending.
#2 Digital Files Should Be Tamper-Proof
Back in the day, all the personal record files used to be physically stored in registers, this brought in a host of problems.
- Anyone can steal the registers.
- It is very simple to bribe someone to tamper with the records.
- Registers are susceptible to wear and tear.
Even when the system was made digital, specific problems persisted.
- The system could always be hacked.
- The bribe angle still remained. Anyone could bribe an official and make them change the records.
What was needed was a system that could store all these files and make them “non-tamperable” or immutable so to speak. The blockchain could bring this feature into the system.
Each block in a blockchain has its unique digital fingerprint called “hash”. Once the files go inside a block, they cannot be tampered with because the cryptographical hash functions will prevent that from happening.
A cryptographic hash function is a particular class of hash functions which has various properties making it ideal for cryptography. There are specific properties that a cryptographic hash function needs to have to be considered secure. One of those properties happens to the “Avalanche Effect.”
What does that mean?
Even if you make a small change in your input, the changes that will be reflected in the hash will be huge. Let’s test it out using the SHA-256 algorithm:
Do you see that? Even though you just changed the case of the first alphabet of the input, look at how much that has affected the output hash.
So, anytime someone tries to change the data inside the blockchain, it becomes instantly evident that a tampering-attempt has been made.
Plus, all the blocks are also linked to each other via hash functions. Each block in the blockchain has the hash of the previous block. As such, if tampering does occur, it changes the entire structure of the chain, which is an impossibility.
#3 Digital Processes Should Be Tamper-Proof
The third problem that the blockchain can fix is securing a trustless process. Every official institution has a process for each and every activity but they may not be strictly adhered to. This could happen for two reasons:
- General human negligence.
- Malicious intent.
As you can see, these problems are both human-related.
To secure something as important as personal identities, a set process should be followed which cannot be tampered with. A lot of actors need to follow specific steps every single time to ensure the safety of the process and to eliminate any corrupt human behavior.
The blockchain pretty much solved this problem a long time back through “consensus mechanism.” Think about it, a blockchain is a distributed system with a large number of actors. To make any decision, all these people need to come to a majority consensus, how do they do it? Several mechanisms help them to achieve so such as Proof Of Work, Proof of Stake, etc.
The main takeaway is that a blockchain can ensure a seamless, secure data storing process which is free from human emotions/negligence.
Projects working on Digital Identity
While several blockchain projects are working on digital identity, we are going to focus on these three:
- Sovrin: The Sovrin Foundation is a non-profit organization dedicated to enabling self-sovereign digital identity. Sovrin brings trust, personal control, and ease-of-use of analog IDs to the internet.
- Civic: Civic is a personal identity verification protocol that leverages distributed ledger technology to manage digital identities better. Using the digital identification platform, the user can create his / her own virtual identity and store it together with personal information on the device.
- uPort: uPort was developed by ConsenSys and is a self-sovereign identity system based on Ethereum. It contains smart contracts, developer libraries, and a mobile app. Users can create and store personal information and identity through smart contracts with the key being held by the mobile app, but the identity can be recovered if the device is lost.
The digital identity space is ripe of disruption, and the blockchain technology can do that. The various features that it brings in can change an industry which is on the verge of being broken. Several blockchain projects are working on digital identity. While the potential is massive, we need to wait and watch if any of these projects explode and hit the mainstream market.