Imagine not being able to prove who you are or where you were born. The World Bank estimates that more than 1.1 billion people live without an official identity, and consequently have difficulty accessing public services or performing routine activities such as travelling and banking. In Canada, the physical possession of a health card often determines whether medical treatment is made available, despite the fact that cards can be lost or stolen easily. The importance of identity is underscored by article six of the Universal Declaration of Human Rights, which declares that “Everyone has the right to recognition everywhere as a person before the law.” Verifying that identity is an increasing challenge.
In most western nations, people generally trust their governments to provide and protect identity-related information such as birth certificates, social insurance numbers and passports. People don’t worry about identity theft until something goes wrong – a stolen credit card or a security breach, as happened with Equifax, for example. In some countries, however, governments may be less trustworthy; the hacking of the Aadhaar personal identity database is a recent example.
World events, such as the refugee crisis, have recently shone a spotlight on the significance of identity management and, specifically, on how Blockchain can secure, improve, automate and globalize a digital identity ecosystem. But why is the digital transformation of identity management necessary and, perhaps more importantly, can Blockchain deliver a global identity platform that improves the lives of all the displaced, “unbanked” and homeless people?
Identity innovation accelerators
In the physical world, identity can be proved with documents such as a photo enhanced driver’s license that provides facts such as name, age or eye color. Since the Internet has no equivalent to a driver's license, a patchwork of username-password systems has been invented for the multiple systems a user will negotiate. Each system has its own access controls, leading to the replication of personal information across the Internet, which in turn can compromise privacy and weaken the security of personal information. There has been much talk about how Blockchain creates an anonymous Internet, thereby avoiding the need to use personal information for identification purposes.
Today, there is no shortage of research initiatives focused on identity issues and on how Blockchains can secure digital identifiers. In June of 2018, for example, Ripple launched a $50 million fund to finance Blockchain and crypto research at universities. Industry consortia and open source projects are another strong indicator of both the need for and the potential for innovation in this area. For example, the ID2020 Alliance, a public-private partnership formed in 2012, aims to set standards for a safe, secure and interoperable digital identity that is owned and controlled by the user. As part of their support for the ID2020 Alliance, Microsoft, Accenture and Avanade collaborated to develop a Blockchain-based identity prototype built on the Azure platform. The Digital ID & Authentication Council of Canada (DIACC) is a coalition of public and private sector leaders committed to developing a Canadian digital identification and authentication framework. DIACC members include federal and provincial governments as well as private sector leaders. Another organization, the Decentralized Identity Foundation, has more than 56 members including IBM, Microsoft, Hyperledger and Accenture, and is working with the W3C to develop identity system standards.
Formal standards bodies are also taking up the identity challenge. Several ISO committees have been involved in identity management: the ISO/IEC 24760 series, for example, provides a framework for identity management. A 2017 IEEE Standards Association initiative is designed to protect digital identity for the global community. The ITU, a part of the United Nations, has an interest both in identities as they apply to telecommunications and mobile communications and also as they support the work of the UN High Commission for Refugees (UNHCR). Finally, NIST has developed guidelines for digital identity that have been published in Special Publication 800-63-3.
Self-sovereign digital identities
Mark Kovarski, co-founder and vice president of The Humanized Internet, says that a “humanized Internet” and better ways to help people build a friendlier world are both needed, and that Blockchain can help. And a recent blog authored by one of Kovarski’s partners in The Humanized Internet points out that “Identity is a complex and not fully defined concept that nonetheless today plays a central role in the debate within the social and political sciences.”
The basic idea of a digital identity may seem relatively straightforward – it answers the question “who am I?” for online interactions and transactions – but the devil is in the details, especially when the “digital self” may include IoT devices, business processes, applications, systems and even data. Previous attempts to define the “perfect” identity have been less than successful, as is well described in an article by Garrison Breckenridge, chief content officer of Mattereum. Personal identities involve social, commercial and cultural aspects – if a universal identifier is viewed with suspicion, more is needed than solving the technical puzzle.
An Internet user identity is certainly not a new concept; the famous 1993 cartoon by Peter Steiner – “On the Internet, nobody knows you’re a dog” – remains generally valid today. In a Sovrin Foundation whitepaper, Kim Cameron, architect of identity at Microsoft, was quoted as saying that the Internet was created without an identity layer, i.e., the Internet has no integrated way to identify users because Internet addresses point to network endpoints (i.e., network nodes), not to people.
The Holy Grail for the Internet is a universal identifier (also called a global name) that is unique, legally accepted, self-managed and securely linkable to a wide range of physical and virtual attributes including credentials, attestations, licenses and valuable personal information. The ID2020 Alliance claims that, for a digital identity to benefit both individuals and organizations, it must be Personal (i.e., unique to you and you only); Persistent (it lives with you from birth to death); Private (only you can control your own identity, and you can selectively choose what to share and with whom); and Portable (it is accessible anywhere you happen to be through multiple form-factors).
A digital identity ecosystem that gives direct control to the identity owner is referred to as a “self-sovereign identity” (SSI). An SSI replaces today’s siloed collection of cards and documents with an electronic wallet full of electronic credentials and attestations. An SSI is a basic step on the road towards meeting the human right to be recognizable.
Patterns in identity management
A digital identity ecosystem includes four key actors: an owner, the entity (person or object) represented by the identity; a user, the entity needing to use the identity for business or application purposes; one or more providers, who make the identity’s attributes available; and the validator, who provides assurance that the person or the identifier is valid.
Four patterns, based on models outlined by Christopher Allen, which encompass the dimensions shown in the diagram above, have been defined for digital identity systems. These also represent a form of maturity model:
Centralized: A central authority provides administrative control and attributes are offered in a siloed manner (as is done today with passports); identity owners have no control over the issuing authority or how the identity information is used.
Federated: Multiple authorities cooperate to provide administrative control; a valid identity from one is accepted by the others; providers may agree to community outsourcing (as with the Interac payment system in Canada); identity owners still have no control over administration or the use of their identities.
User-centric: Interoperable federated identities with centralized control; some level of user consent about how to share an identity (and with whom); identity owners have increased say in the use of their identity and provide consent (an example is the use of Facebook credentials to logon to another site with explicit permission); not fully user autonomous.
De-centralized (self-sovereign): The identity owner controls their information and decides where and how their identity is used; the owner has control across an arbitrary number of issuing authorities; the identity must be secure, user-controlled and portable (i.e., usable anywhere) to be self-sovereign.
Blockchain as an identity platform
Blockchain technologies have made scalable self-sovereign identities possible, which has led to a renewed interest in developing globally recognized identities for refugees. Blockchain's immutability, distribution, standardization and elimination of a central manager are all desirable features for an identity platform. However, current social and economic conditions have also been important stimuli driving the creation of a more general solution for digital identities. When digital identities are integrated with Artificial Intelligence processing, the outcomes are even more intriguing: rather than simple presentation of credentials as static facts (e.g., what is my birth date?), intelligent answers to questions can be provided (yes, I am old enough to drive in Ontario!), while increasing privacy as less personal information is revealed.
While the jury is still out on how Blockchain technologies will evolve and what related applications are likely to be the most commercially successful, there is huge potential for the digital transformation of personal identities using Blockchain. With this approach, everyone in the world would be a user of an identity ecosystem, and good user identification would be key to the globalization of a wide range of social and commercial applications. Digital identities will be a critical component of any digital roadmap.
The achievement of self-sovereign identity is not a theoretical future state – products are now available for use, including Sovrin, Evernym, SecureKey, ShoCard, Blockcerts and uPort. Sovrin, for example, is a decentralized, global public utility for self-sovereign identity. Blockcerts is “an open standard for creating, issuing, viewing, and verifying Blockchain-based digital records that are registered on the Blockchain, cryptographically signed, tamper-proof, and shareable. The goal is to provide individuals the capacity to possess and share their own official records of achievement.”
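The “registered on the Blockchain” and “tamper-proof” properties in the Blockcerts description, as an added Go example that is not Blockcerts’ own code or record format. It assumes a simplified ledger (an append-only list of batch roots) in place of a real chain, constructed sample records, and leaves the issuer signature on each record out; what it shows is how a whole batch of records is anchored with one 32-byte Merkle root and how each recipient can later prove inclusion without the records themselves ever being written to the ledger.

```go
package main

import "crypto/sha256"

// Ledger is a constructed stand-in for the Blockchain: an append-only list of
// batch roots. Only 32-byte roots go on it, never the records themselves.
type Ledger struct{ Roots [][32]byte }

func (l *Ledger) Anchor(root [32]byte) { l.Roots = append(l.Roots, root) }

// Anchored reports whether a batch root has been written to the ledger.
func (l *Ledger) Anchored(root [32]byte) bool {
	for _, r := range l.Roots {
		if r == root {
			return true
		}
	}
	return false
}

// Leaf and interior hashes carry distinct prefixes so a leaf can never be
// reinterpreted as an interior node (second-preimage protection).
func leaf(record []byte) [32]byte { return sha256.Sum256(append([]byte{0}, record...)) }
func node(a, b [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{1}, a[:]...), b[:]...)) }

// ProofStep is one sibling hash on the path from a leaf to the root.
type ProofStep struct {
	Sibling [32]byte
	Left    bool // sibling sits to the left of the running hash
}

// BuildTree returns the Merkle root of a non-empty batch and an inclusion
// proof for every record; an odd-sized level duplicates its last node.
func BuildTree(records [][]byte) ([32]byte, [][]ProofStep) {
	level := make([][32]byte, len(records))
	pos := make([]int, len(records))
	proofs := make([][]ProofStep, len(records))
	for i, r := range records {
		level[i], pos[i] = leaf(r), i
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		for i := range records {
			j := pos[i]
			if j%2 == 0 {
				proofs[i] = append(proofs[i], ProofStep{level[j+1], false})
			} else {
				proofs[i] = append(proofs[i], ProofStep{level[j-1], true})
			}
			pos[i] = j / 2
		}
		next := make([][32]byte, 0, len(level)/2)
		for j := 0; j < len(level); j += 2 {
			next = append(next, node(level[j], level[j+1]))
		}
		level = next
	}
	return level[0], proofs
}

// VerifyRecord recomputes the root from a record and its proof and checks that
// the root is anchored; any change to the record produces a different root.
func VerifyRecord(l *Ledger, record []byte, proof []ProofStep) bool {
	h := leaf(record)
	for _, s := range proof {
		if s.Left {
			h = node(s.Sibling, h)
		} else {
			h = node(h, s.Sibling)
		}
	}
	return l.Anchored(h)
}

// Demo anchors a constructed batch of three records, then checks a genuine
// record and the same record altered after issuance.
func Demo() (genuine, altered bool) {
	records := [][]byte{ // constructed sample records
		[]byte(`{"recipient":"Alex Example","award":"B.Sc.","year":2018}`),
		[]byte(`{"recipient":"Sam Sample","award":"M.Eng.","year":2018}`),
		[]byte(`{"recipient":"Kim Constructed","award":"Ph.D.","year":2018}`),
	}
	root, proofs := BuildTree(records)
	var ledger Ledger
	ledger.Anchor(root) // the batch's single on-ledger write
	forged := []byte(`{"recipient":"Sam Sample","award":"Ph.D.","year":2018}`)
	return VerifyRecord(&ledger, records[1], proofs[1]), VerifyRecord(&ledger, forged, proofs[1])
}
```

A recipient shares the record together with its proof (here two sibling hashes); the verifier needs only public ledger data, and the altered record fails because its leaf hash, and therefore the recomputed root, no longer matches anything anchored.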
Expected to go live in the fall of 2018, the Verified.Me service is being built by SecureKey to provide a Canadian digital identity validation service that is accessible from a mobile application. The solution verifies identities using the IBM Blockchain technology, based on Hyperledger Fabric V1.0. Users install the mobile app, confirm their identity and then use the application to present and confirm their identities elsewhere. The idea is that the validation of an identity with one organization is deemed acceptable to all others. The major Canadian banks are participating as is Sun Life Financial, with the federal and provincial governments expected to join later.
In British Columbia, the Verifiable Organizations Network (VON) is being developed using Hyperledger Indy for the initial test implementation with the possibility of using Sovrin later. The purpose of the VON is described as: “This work and our first demonstration effort is about the discovery, design and development of a suite of digital capabilities which moves us closer to enabling a trusted digital ecosystem for BC businesses.”
A measure of progress in the “identity industry” is how well any new solution solves the five problems of Internet identity:
The Proximity problem: interactions take place among people who are not physically present, so traditional means of knowing who we’re dealing with aren’t effective.
The Scale problem: identity at Internet scale currently relies on identity information hubs and “identity providers” such as Facebook or Google.
The Flexibility problem: the fixed schemas or attribute sets of many of today’s identity solutions limit what an identity can express.
The Privacy problem: solutions rely on collections of data, often gathered without the subject’s knowledge, that are re-used and replicated.
The Consent problem: data is shared with others without the owner’s consent.
Taking the next step
The key goals of any universal identifier are the protection of privacy (privacy-by-design is inherent); establishment of trust in the identifier and attribute data; support for monetization of personal data; and the removal of friction from the identity supply chain. All of these objectives are arguably better achieved using a Blockchain-based solution.
An important next step for self-sovereign, Blockchain-based identity management is to define the roadmap that leads from early adopter to widespread, cross-industry deployment. Helping “those with no face” (with apologies to the Game of Thrones) offers a strong incentive for organizations to move quickly to a more modern digital identity ecosystem that can address the immediate needs of migrating people, while also laying the foundations for mass scale deployment for all Internet users (both human and machine).
As Mark Kovarski observed, improving the world through better identities is a large-scale endeavour that includes social and political as well as technical questions. The Humanized Internet organization has been talking to a wide range of people including the United Nations, the Massachusetts Institute of Technology and various startup companies, all with the goal of applying “new technologies to defend the rights of vulnerable people, and give every human being worldwide secure, sovereign control over their own digital identity.” Kovarski fully believes that Blockchain is the right answer and will, when combined with Artificial Intelligence, change the world.