Colleague Marvin van Wingerde is doing research on blockchain technology
Identity. It is the very starting point for nearly every interaction between two or more parties. Who are you? Are you who you claim to be? Are you allowed to perform this action? These questions correspond to the three main processes in identity management: identification, authentication and authorisation. Since the rise of the internet, a significant number of interactions and transactions occur in a digital environment. Our world is digitally connected through numerous devices, from smartphones to cars and fridges to watches.
Trusting third parties
Ever since we started using computers, identity has been managed via central authorities. Banks, governments, and telecom providers are among the institutions which we as the public trust to handle our personal data. This has given them a great position of power; after all, they are the central point through which all data flows. For the past years, an important question has weighed on many minds. Should we, and can we, continue to trust these central authorities? Are they capable of securing our sensitive data while at the same time respecting our privacy? Many examples over the past five years have shown that some are in fact not capable of managing our digital identities. The most recent and catastrophic example is that of Equifax. Equifax provides credit scores of US citizens, serving more than 140 million people. Their database was breached in March of 2017, leaking the social security numbers of all 140 million customers, which are now potentially available on the dark web.
Self-sovereign identity management
Examples like Equifax led us - and many others - to question whether there is another way of managing identity. Could we do it ourselves? Can we be self-sovereign? If we could securely manage our own personal data, sharing only what we want to share, we would not have to put as much trust in other parties. This vision of self-sovereignty would be highly disruptive, and would call for innovative technology and progressive regulation.
Blockchain technology: the introduction
Enter, blockchain technology. It is the technology claimed to solve a great deal of the world’s problems. As we have pointed out in an earlier article, blockchain has the characteristics of a mythical dragon. We have all heard of its abilities, but few have seen it in action. Simply put, a blockchain enables a trustworthy network in which peers can securely exchange value, without the need for a trusted intermediary. Public blockchains make use of a distributed public key infrastructure, allowing users to identify themselves on the network by generating a key pair.
In a ‘blockchained’ self-sovereign identity ecosystem, users would be able to collect attestations about their personal data by themselves. An example of such an attestation would be that a bank claims that someone is older than 21. This attestation would be given by the bank through a digital signature, so that other parties can verify that this bank truly gave the attestation.
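The attestation flow described above, as an added example that is not part of the original article: a bank signs an "older than 21" claim bound to the holder's public key, and a verifier checks the issuer, the signature and the presenter's control of that key. Ed25519, the field names, the nonce challenge and the parties bank, alice and mallory are assumptions of this sketch.

```javascript
const crypto = require('crypto');

// Each party identifies itself with a key pair (Ed25519 is an assumption of this example).
const newParty = () => crypto.generateKeyPairSync('ed25519');
const pubId = (key) => key.export({ type: 'spki', format: 'der' }).toString('base64');
const toKey = (id) => crypto.createPublicKey({ key: Buffer.from(id, 'base64'), format: 'der', type: 'spki' });

// Bytes that get signed: fixed field order so issuer and verifier serialise identically.
const encode = (a) => Buffer.from(JSON.stringify([a.issuer, a.subject, a.claim, a.value]));

// Issuer (the bank) binds a claim to the holder's public key and signs it.
function issueAttestation(issuer, subjectPub, claim, value) {
  const body = { issuer: pubId(issuer.publicKey), subject: pubId(subjectPub), claim, value };
  return { ...body, signature: crypto.sign(null, encode(body), issuer.privateKey).toString('base64') };
}

// Holder shows the attestation and signs the verifier's fresh nonce to prove key control.
function present(attestation, holder, nonce) {
  return { attestation, proof: crypto.sign(null, nonce, holder.privateKey).toString('base64') };
}

// Verifier: is the issuer trusted, is the signature intact, does the presenter own the subject key?
function verifyPresentation(p, trustedIssuers, nonce) {
  const a = p.attestation;
  if (!trustedIssuers.includes(a.issuer)) return 'untrusted issuer';
  if (!crypto.verify(null, encode(a), toKey(a.issuer), Buffer.from(a.signature, 'base64')))
    return 'bad issuer signature';
  if (!crypto.verify(null, nonce, toKey(a.subject), Buffer.from(p.proof, 'base64')))
    return 'presenter does not control subject key';
  return 'ok';
}

// Constructed scenario: bank, alice and mallory are hypothetical parties.
function demo() {
  const bank = newParty(), alice = newParty(), mallory = newParty();
  const trusted = [pubId(bank.publicKey)];
  const nonce = crypto.randomBytes(16);
  const att = issueAttestation(bank, alice.publicKey, 'olderThan21', true);
  const selfMade = issueAttestation(mallory, mallory.publicKey, 'olderThan21', true);
  return {
    genuine: verifyPresentation(present(att, alice, nonce), trusted, nonce),
    altered: verifyPresentation(present({ ...att, claim: 'olderThan65' }, alice, nonce), trusted, nonce),
    replayedByOther: verifyPresentation(present(att, mallory, nonce), trusted, nonce),
    selfIssued: verifyPresentation(present(selfMade, mallory, nonce), trusted, nonce),
  };
}

console.log(demo());
```

The verifier learns only the signed claim and the two public keys; which issuers it accepts remains a trust decision made outside the signature check.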
The common perception is that institutions and governments would not want to give up their place of power and control. However, the amount of personal data they must manage is becoming a significant liability. Recent regulatory advances like the GDPR and PSD2 force organisations – among many other things – to share personal data only with the consent of the data owner. We at Iquality believe that these recent developments – both in technology and regulation – call for a new, self-sovereign, identity management paradigm.
World e-ID & Identity World conferences
The challenges within identity management led me to visit the World e-ID & Cybersecurity conference, as well as the Identity World conference, both hosted in Marseille. These conferences were part of the Smart Security Week, which took place from the 25th to the 27th of September. The two conferences were primarily focused on new forms of authentication – remote, mobile, biometrics – and governmental e-ID advances. During the grand opening, the chairman of the EEMA named several problem categories we must face within identity management: fear of technology failure, uncertainty over security, and doubt over governance. In 2017, 300 – 500 million devices are sold per year, resulting in more connected things than people. How are we going to guarantee end-to-end security, clear privacy statements, and transparent practices?
IrisID argued that biometric techniques will likely play a large role in more secure and usable user authentication, with many forms of biometrics integrated in mobile devices. Innopay firmly acts on the power of strong data encryption, and states that the challenge lies in discovering personal data. Various regulatory changes, such as PSD2, the GDPR and eIDAS, drastically change how identity should and will be managed.
During the conference, blockchain technology was mentioned a few times. Consensus seems to lie in exploring the technology further, formalising it and determining which identity problems it can actually solve.