Identity and Blockchain — Hype or Reality?
The hype cycle for blockchain is high; Gartner has it in the Peak of Inflated Expectations category for both 2016 and 2017. According to Google Trends, interest in the term has doubled since the start of the year. As opposed to hype, what is the reality for blockchain when it comes to identity? There are lots of promises, lots of investment, but how close to reality is it?
OWI labs examines the situation in a report: Don’t Believe the (Blockchain) Hype: The definitive primer on identity and blockchain. The purpose of the report is to give, “an accurate picture of the current parameters of the blockchain landscape as it relates to identity, defining the identity ‘problem’ and discovering potentially profitable areas for investment and future growth.” It covers five identity use cases and examines 40 key companies.
The report recognizes that not all identity needs and uses are the same. Thus, trying to lump the different identity uses into one overarching need is rife with problems. It’s better to examine each use case of identity and how it can relate to blockchain independently:
The initial creation of an identity, for example a government birth record or a new registrant into a system. Note, identity creation depends on the need of the organization; it can be as simple as creation of a new email address.
Confirming (at least) one data point of the created identity to confirm that the identity record exists. Each organization will have match rules to determine what data points to consider and how many need to match to attain verification.
Confirming identity data points are the same as before. A common example is the use of username/password combinations to enter a computer system. If a person can provide matching data for these fields, they are authenticated.
What can that identity do in the system, what permissions do they have? The authorizations determine what resources they can access, their ability to make edits and other access control parameters.
How can your identity be shared? Different verification, authentication or authorization parameters are potentially distributable to other parties to deliver a better identity experience. For example, by logging into Google, you can access services that trust the Google sign-in process. Any organization that delivers federated identity must be extremely careful with their permissions, data sharing and other privacy considerations.
The report states, “the primary, titular function of distributed ledger technology is to provide identical information across an entire community of participants without a centralized data repository or owner.”
Some of the advantages of blockchain are:
- It’s unalterable
- It’s defendable
- It’s verifiable
- It can run autonomously
In terms of identity, these features promise both potential benefits and pitfalls. The current model relies on centralized databases that control individual’s identity information. The user depends on the organization’s security, accuracy, and control to deliver their identity needs. If there is an issue — for example, a security breach — the individual can experience substantial problems, which are out of their control.
With the decentralized blockchain identity model, the user is in control; they determine who gets their information and what information they get. There’s no one central database to hack, so their identity information is more secure. There’s still trust, as the person’s identity is on the blockchain and is verifiable by any permissioned entity. As both parties have a transaction record of the permission, both parties have an auditable record to use in any dispute.
As Jai Singh Arun, Security and Blockchain Innovations Program Director at IBM, Blockchain states, “Digital identity networks built on blockchain drive trust among business and social enterprises by leveraging shared ledgers, smart contracts and governance to standardize management and reduce the cost, risk, time and complexity of decentralized identity management.”
Identity information is critical data, both for individuals and organizations, as it provides a framework of trust to enable a modern society to function. Therefore, changes to the identity bedrock have far-reaching implications and require careful consideration.
Significant laws are in place to regulate the use of personal information, both to safeguard privacy and to provide transparency to limit transactional friction. There are clear responsibilities and duties under the current model and the question is, who is responsible for the blockchain?
As the IMF notes, “existing legal frameworks protect data from disclosure as well as ensure access to necessary financial information by imposing obligations on intermediaries holding the data. This approach is difficult to take when the data is held within an open network, lacking a “data controller.” Moreover, ledger immutability that is characteristic of some DLTs may be at odds with a person’s right to rectify or erase personal data.”
There are numerous data controllers that have amassed valuable consumer, credit, and social data over many years. For these non-government data controllers, there are obligations to shareholders, partners and employees. Considering the current internet, while many companies use open-source there are many others that keep their data private on their own servers; do we really believe that data controllers will give up their competitive advantage and open up their data or readily change their security paradigm?
These organization have a history of properly handing data and have an incentive to continue to do so. In this era of big data, there’s extensive value in their information and multiple opportunities to add value. A robust identity system needs inclusion of multiple data types and sources.
There will always be a need for a legitimized, centralized data controller. As OWI points out, “digital identity, however, reflects a natural entity and fundamentally involves at least one attribute of a physical individual or thing. Some part of identity will always exist ‘off-chain.’ That means identity will always involve at least one intermediary between the physical human (or entity) and its on-chain digital representation, and that pivot point could be a source of inaccuracy, fraud, or exclusion.”
While blockchain might be useful for certain use cases, it’s doubtful that it will be the be-all-and-end-all of identity, as some are proselytizing. Current identity systems have a long history and have been thoroughly tested; it makes no sense to just throw these models out. Rather, the best of current systems should add the advantages of blockchain identity to create more powerful, inclusive, efficient and secure identity for all.