Colleague Marvin van Wingerde is doing research on blockchain technology.
Identity. It is the very starting point for nearly every interaction between two or more parties. Who are you? Are you who you claim to be? Are you allowed to perform this action? These questions correspond to the three main processes of identity management: identification, authentication and authorisation. Since the rise of the internet, a significant number of interactions take place in a digital environment. Our world is digitally connected through numerous devices, from smartphones to cars and fridges to watches.
Trusting third parties
Traditionally, identity is managed via central authorities. Banks, governments, and telecom providers are among the institutions which we as the public trust to handle our personal data. This has given them a great position of power: after all, they are the central point through which all data flows. For the past years, an important question has occupied many minds. Should we continue to trust these central authorities? Are they capable of securing our sensitive data while at the same time respecting our privacy? Many examples over the past five years have shown that some are in fact not capable of managing our digital identities. The most recent and catastrophic example is that of Equifax. Equifax provides credit scores for US citizens, serving more than 140 million people. Their database was breached in March of 2017, leaking the social security numbers of all 140 million customers, which are now potentially available on the dark web.
Self-sovereign identity management
Examples like Equifax, and the line of thinking of peers, led me to question whether there is another way of managing identity. Could we do it ourselves? Can we be self-sovereign? If we could securely manage our own personal data, sharing only what we want to share, we would not have to put trust in other parties. This vision of self-sovereignty would be highly disruptive, and would call for innovative technology and progressive regulation.
Blockchain technology: the introduction
Enter blockchain technology. It is the technology claimed to solve a great deal of the world’s problems. As our colleague Yoginder Rambocus has pointed out in an earlier story, blockchain has the characteristics of a mythical dragon. We have all heard of its abilities, but few have seen it in action. Simply put, blockchain technology enables a trustless network in which peers can securely exchange value, without the need for a trusted intermediary. Public blockchains make use of a distributed public key infrastructure, letting any user enrol on the network by generating a public-private key pair.
In a ‘blockchained’ self-sovereign identity ecosystem, users would be able to self-assign attributes to their public key. An example would be your date of birth. Based on these attributes, they can ask counterparties to verify claims about them. A claim would be that I am older than 21. I could then go and transact with all kinds of third parties – be it governments, private institutions or peers – and let them attest to my claim. One would then be able to collect many claims, each carrying a number of attestations, which he or she can freely share with others.
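The claim-and-attestation flow described above, as an added sketch that is not part of the original article and covers only the signature layer, not a ledger. The type and function names, the claim encoding and the choice of Ed25519 are assumptions made for illustration; the article does not name a signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Claim binds a predicate to the subject's public key; the attribute behind
// it (the date of birth) never appears in the claim.
type Claim struct {
	Subject   ed25519.PublicKey
	Statement string
}

// Attestation is one counterparty's signature over a claim.
type Attestation struct {
	Attester  ed25519.PublicKey
	Signature []byte
}

// bytes is the signed encoding (constructed here): the fixed-length subject
// key followed by the statement, so the two fields cannot be confused.
func (c Claim) bytes() []byte {
	return append(append([]byte(nil), c.Subject...), c.Statement...)
}

// Attest is called by a counterparty once it has checked the claim itself.
func Attest(c Claim, priv ed25519.PrivateKey) Attestation {
	pub := priv.Public().(ed25519.PublicKey)
	return Attestation{Attester: pub, Signature: ed25519.Sign(priv, c.bytes())}
}

// Valid reports whether a comes from a trusted attester and covers exactly c.
func Valid(c Claim, a Attestation, trusted ...ed25519.PublicKey) bool {
	for _, t := range trusted {
		if t.Equal(a.Attester) {
			return ed25519.Verify(t, c.bytes(), a.Signature)
		}
	}
	return false
}

func main() {
	userPub, _, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, govPriv, _ := ed25519.GenerateKey(nil)
	claim := Claim{Subject: userPub, Statement: "older than 21"}
	att := Attest(claim, govPriv)
	fmt.Println(Valid(claim, att, att.Attester)) // true
}
```

A relying party would also require the presenter to sign a fresh challenge with the subject key, since an attested claim on its own can be copied by anyone who has seen it; that step is left out here.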
The common perception is that institutions and governments would not want to give up their place of power and control. However, the amount of personal data they must manage is becoming a significant liability. Recent regulatory advances like the GDPR and PSD2 force organisations – among many other things – to only share personal data with the consent of the data owner. I believe that these recent developments – both in technology and regulation – call for a new, self-sovereign, identity management paradigm.
World e-ID & Identity World conferences
The challenges within identity management led me to visit the World e-ID & Cybersecurity conference, as well as the Identity World conference, both hosted in Marseille. These conferences were part of the Smart Security Week, which took place from the 25th to the 27th of September. These two conferences were primarily focused on new forms of authentication – remote, mobile, biometrics – and governmental e-ID advances. During the grand opening, the chairman of the EEMA named several problem categories we must face within identity management: fear of technology failure, uncertainty over security, and doubt over governance. In 2017, there are 300–500 million devices sold per year, resulting in more connected things than people. How are we going to guarantee end-to-end security, clear privacy statements, and transparent practices?
IrisID argued that biometric techniques will likely play a large role in more secure and usable user authentication, with many forms of biometrics integrated in mobile devices. Innopay firmly acts on the power of strong data encryption, and states the challenge lies in discovering personal data. Various regulatory changes, such as PSD2, the GDPR and eIDAS, drastically change how identity should and will be managed.
During the conference, blockchain technology was mentioned a few times. Consensus seems to lie in exploring the technology further, in order to formalise it and determine which identity problems it can actually solve.