An identity is a difficult thing to lose.
I found this out the hard way when my passport was stolen while backpacking through Asia and Africa earlier this year. The bureaucratic process to get a new passport gave me a glimpse at how broken our system of identity management is today.
Fortunately, technology is on the cusp of a major paradigm shift in the field of identity. Blockchain will create a major revolutionary transformation in this area — but many questions of how still remain unanswered. Companies, governments and NGOs are beginning to tackle this question in ways that hint at the profound impact this will have on how we live our lives.
Their promise is that our identities will be consolidated so that we have complete control over who accesses that information. This will protect us from increasingly sophisticated fraud and theft. It also will create unprecedented access for the “bottom of the pyramid” who are still off the grid. Imagine crossing any border, and qualifying for any service, with immediate access to your funds and accounts, all with one simple digital ID.
Tracing your fragmented digital signature
Almost everything we do today leaves an increasingly digital signature. Yet this signature is scattered among different services that use it primarily for their, rather than our, benefit. One first-order promise of blockchain is to rebalance that dynamic so we can reclaim and consolidate our digital identities.
When I refer to digitization, what I mean is that our rites live on in data long after they are performed: commutes are captured by a smartphone’s GPS, purchases by banks and credit cards, thoughts in texts and emails (and unsolicited voice recordings.)
This data has two features: it is widely dispersed and narrowly segmented. It’s dispersed in that different parties own different pieces of our identity. A social network (Facebook) may own our relationship architecture, while an e-commerce platform (Amazon) owns our purchase history and preferences. Their economics are built in part off their ownership of our data in the context of their network. It’s segmented in that each of these portions are narrowly relevant to the revenue-generating service provided by that party.
It is counter-intuitive, but the reality is that we don’t really own ourselves (in the digital sense). Though we can edit the profiles we create, third parties ultimately own our data. And it can be painful (or impossible) to wrest back control of that data. Imagine trying to sustain your personal relationships while deleting all your social network accounts, or put a down payment on a home without a credit history.
Why is this important? Well, to begin, as Jaron Lanier writes in Who Owns the Future, “You don’t get to know what correlations have been calculated about you by Google, Facebook, an insurance company, or a financial entity, and that’s the kind of data that influences your life the most in a networked world.” Lanier calls these services siren servers, and notes that we are eerily comfortable giving away personal data in a trade for convenience.
The implications of this paradigm are troubling:
We have no control. Each service has an abstracted model of who you are built into it. This information can be bought and sold, and also easily breached, without your consent. This setup is convenient (e.g. we get better-targeted recommendations), and also dangerous (e.g. we can be profiled and manipulated).
The segmentation is inefficient. What if all these data repositories played nice with each other? For instance — if your passport, driver’s license, bank and email were integrated — you could travel internationally, ensure your credit cards work, receive curated recommendations and alert people of your whereabouts, without any work required on your end. You could prevent identity theft. You could move around without identification.
We do most of the work for none of the benefits. This is Lanier’s primary contention. As has been noted, if services like Google Search are free, that is because we are not the customer, we are the product. In much the same way that Uber drivers occupy a grey area between employees and contractors, we act somewhat like workers for Amazon and Facebook, yet are only compensated with convenience, not payment, for giving up our data.
If you were to look at a complete model of your digital self, it would be a complex relational web. At the most granular level of that web are nodes, each representing actions (a text, a selfie, a purchase…). The connections between those nodes are formulas that infer relationships, record patterns and predict behavior. If you zoom out, you get the sub-web of a given service (Instagram account, Homeland Security profile, medical history…). These sub-webs then join together to form the larger web that is your digital identity.
At the risk of beating a dead horse, we should have ultimate control over our identity access points.
There are two key steps to reclaiming control of your digital identity: 1) establishing ownership of the nodes so you can grant or revoke permission for third-party services to access them, and 2) consolidating all these nodes into one location so your digital identity is no longer fragmented between separate walled gardens.
As Ron Miller writes, “The argument goes that if our identity were on the blockchain, it would give us more control over this information, and with proper applications allow us to present just the minimum amount of information a given party needs to identify us. That could be your date of birth at a bar, your credit score at a bank or a unique identifier to access an online service.”
Does this matter? Why sacrifice convenience for sovereignty?
People only tend to care about identity management when their identity is compromised. It’s fortunate for the sake of this article that, as I was writing it, Equifax suffered the most massive data breach in its history and Yahoo’s estimates of its data breach rose to 3 billion accounts. Enough ink has been spilled on that news, but I want to point to an excellent response by Chris Skinner using these breaches as a rallying cry for self-sovereign identity.
The concept of the sovereign individual is that people should have complete control of their digital selves. You would have to provide access to third parties to obtain benefits: to your passport to cross borders, to your medical records to get a new doctor, to your criminal history to pass background checks… But this data would all be permissioned by you and not by third parties without your consent. As Skinner argues, “only one constituent owns customer data and that is the customer.”
(Many trace this concept back to the 1999 book The Sovereign Individual, which discusses the advent of the internet for liberation from oppressive states. For what it’s worth, the book is full of unsubstantiated claims and is worth skipping.)
The Equifax breach encapsulates perfectly why sovereignty is so important: In a system where we are forced to relinquish our credit histories to a third party, it can use (and lose) that data in a manner that massively exposes us. These cases range from the trivial to the life-altering:
You forget a password and have to reset it (trivial);
Hackers impersonate you on social media (irritating);
Someone steals your SSN and defaults on a credit card in your name (serious);
An oppressive state spies on, tracks and arrests potential dissidents (life-altering).
There are many ways to approach this problem. Password managers (e.g. LastPass) try to consolidate digital access points to limit exposure risk. These services reinforce the existing paradigm, though: They may use APIs to access data, but the access is still controlled by third parties. e-Passports (like those rolled out by the DHS) use biometric identifiers. But as Skinner points out, biometric ID is as hackable as data, and can introduce more complexity and failure points. Today, many financial services offer two-factor authentication, but, as has been shownrepeatedly, this also is vulnerable
None of these solutions fully protect us. So what kind of solution would?
Panacea of the year: The blockchain silver bullet
Blockchain in 2017 is a crystal ball: everyone from scrappy entrepreneurs to large incumbents to central banks looks into it and sees their future business model. Opinions on blockchain’s revolutionary capability run the gamut; some compare it to the internet in the early ’90s, others to catch-phrases like “big data” — oft used but poorly understood.
In an age where: 1) we are increasingly reliant on our digital identities to open up access and participate in the modern economy, and 2) we are increasingly vulnerable to sophisticated data theft and impersonation, what would an ideal solution look like?
No reliance on third parties. At the risk of beating a dead horse, we should have ultimate control over our identity access points. The decentralized structure of blockchain ledgers is a good first step in this direction, and requires personal verification methods as a second step. This could take many forms: biometrics, trusted backup connections (friends and family) or cross-referencing personal identity knowledge.
Homomorphic encryption. One of the breakthrough features of blockchain is its usage of zero knowledge proofs to manage data. This allows users to disclose their ownership of certain certifications and grant access without revealing the information contained within. The dream of this type of encryption is that end-services can verify identity while the data is hashed. For example, imagine a bank running a credit check on you, while only handling your credit history data in encrypted form, so that even if that data were stolen it would be useless.
Consolidation to one record of truth. All of your identity information should live in one place. This is well encapsulated in the seminal Blockchain Revolution: “What if ‘the virtual you’ was in fact owned by you — your personal avatar — and ‘lived’ in the black box of your identity so that you could… reveal only what you needed to, when asserting a particular right.” To approximate to the real world, your entire digital identity could be stored in a wallet. (Credit to Skinner for the carve-out.)
We are still early in the first act with regards to blockchain and digital identity. Many of the promises of this technology are as of yet untested; there will likely be some painful learning curves in developing a good identity management solution, including hacks and loss. But we are increasingly tied to our digital signatures, and the promise of a solution that can consolidate and protect those signatures from third parties is too important to ignore.
Revolution: global protocols and one universal identity
The world of individual sovereignty would look remarkably different from today’s.
Seven years ago as an undergraduate, I wrote about the shifting paradigm toward a “consolidated wallet for everything.” An informal talk from Christian Catalini, professor of digitization and entrepreneurship at MIT’s Sloan School, two years ago blew me away with a broader vision of blockchain as the central access point for all personal data. Today, the beginnings of that vision are being realized.
The World Bank and UN, among others, recently announced the ID4D initiative to help the estimated 1.1 billion people around the world who can’t access basic services because they lack ways to prove their identity. I wrote last year on the transformative efforts of parties such as the Indian government, which rolled out a biometric system of national IDs to bring people onto the “services grid.”
In the future, it will seem absurd that people’s lives were once entirely dictated by where they were born.
Companies like ObjectTech are piloting programs to drive forward an increasingly important human right: the right to identity. As part of ObjectTech’s program, currently being piloted in Dubai, participants would get one hashed identity, which they could use to move across borders or open bank accounts. This follows what Vinny Lingham refers to as Musk’s recursive innovation strategy: build a sexy, useful consumer product (like a Tesla), then use that product to drive real change (like energy independence).
Imagine a world in which refugee crises were eliminated because neighboring countries could porously admit “good actors” while screening out prior and potential criminals. This would be a world without political debates about asylum or border walls or travel bans. Labor could move freely around the globe; your digital identity would be encoded with your work visa in it, and the terms and conditions of its expiration, for instance, so you could cross a border to work with no hassle. In the future, it will seem absurd that people’s lives were once entirely dictated by where they were born.
Iceland recently became the first country to give citizens full control of their medical records. This is an enduring problem in the U.S. Stored and permissioned through the blockchain, you could travel anywhere in the world with open access to medical care, qualification for life-saving prescriptions, freely available allergy information, etc.
A consortium of companies, including uPort and Microsoft, recently announced the creation of the Decentralized Identity Foundation. One aim of the DIF is to create universal protocols for identity verification — similar to global standards for financial transactions, or DNS protocols, which transcend borders. If successful, this collaboration would help sovereign identity systems avoid the major pitfall of the internet paradigm, where information is narrowly segmented within walled gardens.
Finally, even in a decentralized world, as noted by Charles Race at Okta, “A trusted entity will need to establish some legal and enforceable rules and policies for how it all works, they’ll need to make it easy for the average person to use securely, and they’ll need to convince a critical mass of people and service providers to adopt and trust the ID — all while finding an economically viable business model.” By definition, this must be a joint collaboration by governments, companies, nonprofits and individuals.
The future is evolving quickly, and will open up previously unthinkable levels of access and opportunity at the top and bottom of the pyramid. All we can predict for certain is that, when identity control is restored to individuals, it will look nothing like the past.