Identity management on blockchain: a new era of data privacy is dawning
The internet was not designed for digital identity management
The architects of the internet intended it as an open platform to share information and collaborate, not to authenticate personal identities. As a result, organizations have had to find creative means to track and authenticate users.
Currently, each organization is forced to collect and guard its own user data - a pain point for both organizations and users. Recall how often you have painstakingly uploaded a picture of your passport to register yourself for a service or needed to make yet another account on a new website using the same email address. Your data is subsequently stored in dozens of databases scattered around the web. Such repositories are commonly referred to as ‘silos’ as, despite the fact that they all store user data, each one is independent and stands alone.
While the silo approach has obvious inefficiencies, the major issue is that each organization guards its data with a different level of security. Consequently, a person with malicious intent has a myriad of targets to obtain user data, explaining why such attacks have been increasing exponentially over recent years. If you have a LinkedIn or Yahoo account you can unfortunately count yourself among the victims. If you haven’t checked the safety of your own account yet, you can do so here. As digital-identity-related fraud and inefficiencies reach epidemic levels, the current situation seems increasingly untenable.
Current regulations mirror this chaotic landscape
It is understandable that regulators have stepped in to tame this siloed landscape. Reforms such as the EU cookie regulation or GDPR have made laudable steps in an effort to protect both personal and identity data. While this is a positive direction, regulations do not address the root problem: the internet was not designed for identity management. Although there has been considerable innovation in this field - biometrics is a prominent example - it is the advent of distributed ledger technologies (DLT), or blockchain, that promises a complete demolition of the current silo approach. We have recently laid out this vision of a digital identity layer, or self-managed identity (SMI).
SMI is the future of digital identity management
In a nutshell, SMI returns control of your data without having to rely on third parties. Instead, data claims relating to you, ranging from diploma credentials to your date of birth, are verified and stored in a secure container to which only you have access. Verifications could be done through credible institutions, such as the municipality attesting your home address. Third parties may request access to information (for example, a bank may need to know your date of birth), and you would be able to share such information as you are in control of proof of verified credentials. As a result, the vulnerable silo repositories are demolished, removing any obvious targets for malicious actors.
Furthermore, recent advancements in both cryptography and DLT ensure that your data is virtually tamper-proof and inaccessible to others. Only with your express permission does it become possible for any external party to view verified claims. Another huge advantage of SMI is that only data that is absolutely necessary for a particular service needs to be shared. For example, if a liquor store needs to ID your age, you can simply prove the date of birth found in your container while protecting superfluous personal data from exposure (place of birth, name, ID number, etc.). Such a system would make fraud or identity theft significantly more difficult, if not impossible.
SMI will drastically improve the way companies, governments, and individuals interact. The ID2020 initiative for example, which aims to give 1.1 billion people who lack any form of valid identification a digital identity using blockchain, attests to the commitment of its vision. If SMI is permitted to flourish, an unprecedented public utility will be created, and identity management will finally have caught up with the digital nature of modern life. It also achieves or even exceeds the data protections expected from current data regulations, such as data portability and minimization, thus killing two birds with one stone. However, before this is realized, governing institutions must ensure that the road is paved for such a transformation.
How does identity management fit into the context of data regulations?
It is unclear how storing personal data on blockchain (and therefore SMI) exactly fits into the present regulatory environment. Especially vague is GDPR Article 17, which requires ‘the erasure of personal data’ on request, commonly referred to as the right to be forgotten. The immediate problem is that the precise meaning of ‘erasure’ is left undefined. While crafting the text, regulators likely had traditional databases in mind that allow hard drives to be wiped clean. The tamper-proof nature of blockchain makes a ‘clean-wipe’ of data difficult or sometimes even impossible. Instead, data can be rendered inaccessible, making it effectively erased; however, data protection officers could take issue as it may not fit their interpretation.
The regulation does attempt to be technology agnostic by stipulating that data controllers should ‘take account of available technology’ to realize an erasure. The technology is intentionally left vague, recognizing that it is likely to change frequently. This lack of clarification could permit blockchain’s immutable nature. It, however, remains unclear if this would then exempt it from the ‘clean-wipe’ interpretation of the right to be forgotten. We have advocated for the storage of data off-chain while maintaining the hash and reference on-chain. However, our technical proposal might run into similar difficulty as it may be seen as an immutable reference to personal data. GDPR Article 17 is just one example; the ambiguity doesn’t stop there.
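The off-chain data with on-chain hash design mentioned above, as an added example that is not part of the original article or any project's own code. It shows why an unsalted hash of a low-entropy claim such as a date of birth remains a recoverable reference to personal data, and how a salted commitment stops verifying once the holder deletes the value and salt. `HolderContainer`, the dict standing in for the ledger, and the sample date are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

def plain_digest(value: str) -> str:
    """Unsalted SHA-256, the weak way to reference a claim on-chain."""
    return hashlib.sha256(value.encode()).hexdigest()

def commitment(value: str, salt: bytes) -> str:
    """HMAC-SHA256 keyed with a random per-claim salt that stays off-chain."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()

def guess_birth_date(digest: str, first_year: int = 1900, last_year: int = 2025):
    """Hash every calendar date in range; return the ISO date that matches."""
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        if plain_digest(day.isoformat()) == digest:
            return day.isoformat()
        day += timedelta(days=1)
    return None

class HolderContainer:
    """Hypothetical off-chain store: claim values and salts live only here."""
    def __init__(self):
        self._claims = {}

    def add(self, claim_id: str, value: str) -> str:
        salt = secrets.token_bytes(32)
        self._claims[claim_id] = (value, salt)
        return commitment(value, salt)      # only this digest is published

    def disclose(self, claim_id: str):
        return self._claims.get(claim_id)   # (value, salt), or None once erased

    def erase(self, claim_id: str) -> None:
        self._claims.pop(claim_id, None)    # the on-chain digest stays behind

def verify(on_chain: str, value: str, salt: bytes) -> bool:
    return hmac.compare_digest(on_chain, commitment(value, salt))

def demo():
    dob = "1990-04-17"                      # constructed sample claim
    ledger = {"weak": plain_digest(dob)}    # dict stands in for the ledger
    holder = HolderContainer()
    ledger["claim-1"] = holder.add("claim-1", dob)
    verified = verify(ledger["claim-1"], *holder.disclose("claim-1"))
    holder.erase("claim-1")
    return (guess_birth_date(ledger["weak"]),      # recovered from hash alone
            guess_birth_date(ledger["claim-1"]),   # None: salt is required
            verified, holder.disclose("claim-1"))
```

Whether deleting the off-chain value and salt amounts to ‘erasure’ under Article 17 is the legal question the article leaves open; the code only shows the technical effect.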
Even more uncertainty arises in the realm of the stringent rules surrounding how companies must perform due diligence on clients (also known as KYC regulations). The primary European legislation against money laundering, for instance, mandates customer identity verification based on ‘documents, data or information obtained from a reliable and independent source’. The acceptance of reliable data or information could provide sufficient grounds for SMI verifications, as described above, to satisfy this KYC regulation. Despite there already being five amendments and/or additions to the original AML Directive, which should be incorporated into local laws by January 2020, there is still little clarification of the criteria that could render data reliable and independent. Such clarification from lawmakers will be needed before financial institutions can accept SMI data for KYC checks.
Calling on regulators to pave the way for SMI to flourish
There is an implicit irony in the current European regulatory environment. While sweeping regulations, such as GDPR or AML, have noble intentions that go further than any previous attempt at protecting personal data, they are not bulletproof. As long as the current chaotic siloed landscape and the digital identity infrastructure remain synonymous, fraud and data breaches will continue to be rampant. Therefore, if current laws and regulations fail to embrace the opportunity to create a secure digital identity layer, they will undermine their very intentions.
Fortunately, positive developments are on the horizon. The EU parliament, for example, has signaled intent that blockchain will play a prominent role in the future of data through the recently accepted DLT resolution. National legislatures, however, could take more immediate action. Providing certainty for KYC compliance could be as simple as a ministerial decree defining SMI verifications as an acceptable means of delivering verified credentials.
Also, it should be clarified by EU member states how ‘available technology’ can be taken into account to realize an erasure. Germany, which has recently adopted the newly adjusted German Federal Data Protection Act, outlines a different interpretation of the GDPR article and exempts controllers from their obligation to erasure if ‘it would be impossible … due to the specific mode of storage’. By doing so, Germany clearly sets a precedent for allowing blockchain technologies and SMI.
Time for a regulatory revolution?
It is the ‘erasure’ of regulatory ambiguity around self-managed identity that should take priority at both national and EU institutions. We’re contributing towards this effort through our active involvement in global thought leadership, standardization organizations, and blockchain ecosystem alliances. These groups are working around the clock advancing this technology and promoting regulatory acceptance. By providing legal certainty, your digital identity may soon finally catch up with the times. Are you ready to revolutionize your digital identity management?