Trust & Identity: Problems We Face Now
Today it is clear that Trust is fundamentally broken in the online world:
- each day armies of hackers break into various online facilities and steal valuable records,
- people’s online identities and information are misappropriated and mined for profit by corporations,
- billions of dollars in fraudulent online credit card transactions are made annually, and
- the world is awash in fake news and disinformation that is falsely portrayed as trustworthy.
How did we get here? To put it simply, we are here because the Internet and the Web lack foundational layers of identity and trust. Online identity has been generated by the web sites and web/mobile applications that people frequent, while trust has been generated by large online players that provide services to millions of users.
The foundational layers of the Internet are TCP/IP (the Internet protocol suite), which are messaging protocols, while the Web is based on HTTP and HTTPS which enable web site access, content exchange, and linking. These protocols have created a powerful and low-cost medium for sending and receiving digital messages and information quickly from one location or person to another. This is the main reason that communications (email and chat applications) and web/mobile applications and sites have been able to flourish and grow rapidly.
Trust online is mediated by large organizations that hold user information in large centralized databases. These large organizations might be banks, social media giants, email providers, health systems, insurance companies, etc. Identity is ‘secured and protected’ by weak authentication systems that rely on usernames and passwords. Transactions are protected by public-private key systems where private keys are stored centrally and all transactions are mediated by a Trusted Authority.
So here are the key problems with our current situation:
- There is significant financial incentive for large ‘trusted’ players to mine and/or sell user data for profit (i.e. Facebook)
- There are cost disincentives for large ‘trusted’ players to encrypt user information and make it more difficult to obtain (encryption-decryption incurs cost + processing delays)
- Users (the average online person) do not own or control their online data and find it difficult to remember complex usernames and passwords (i.e. 123456 is most common)
- Hackers can reap large financial rewards by attacking centralized systems because their rewards (quick access to millions of valuable records) may outweigh potential penalties
We can summarize these issues more succinctly as follows:
- Large, insecure, centralized repositories store valuable data
- Large organizations, rather than users, ‘own’ online identities and personal information
- Centralized repositories use weak user identity verification and protection procedures
- Large centralized repositories are a source of profit for owners and attackers
Any solution that protects user data and recreates a sense of trust online must address all of these issues simultaneously.
Creating a New Foundation of Trust & Identity
Blockchain has the potential to create foundational layers of trust and identity for the Web/Internet because it can address the four issues outlined above simultaneously. With current technologies blockchain can enable:
- Decentralized, ultra-secure data storage — protected by consensus algorithm
- Decentralized data encryption — all data cryptographically signed with user’s private keys
- Users own their information and set rules for access — fundamental blockchain principle
- Strong identity verification and protection — powerful, but easy to use, cryptography
The first three items above are provided by three pillars of blockchain disruption:
- Ultra-secure and immutable store of information
- Decentralized transactions
- Built-in gamification
A fourth item — strong identity verification and protection — is essential for the other three to function properly. Therefore, in order to create a true trust and identity layer for the Web/Internet there needs to be a mechanism for proving and protecting identity.
Identity, Personal Information, and Trust
In the centralized online world we live in today, our identity and personal information is owned by the companies which we frequent online. So, for example, our banking identity and information is stored with banks, our social media identity and information is stored with social media providers, and government identity and information is stored with governments. These organizations can change our login credentials and can restrict access or even delete our accounts without our permission. In essence we have access to our online identities and information, but our online identities and information are controlled by other players.
Interestingly, even though the paradigm for today’s online world is centralized, from a user perspective identity and personal information is distributed and fragmented. There is no one master identity for each user and so no identity layer. With no identity layer, there can also be no real trust layer, as your identity can be hijacked and fairly easily bought and sold by third parties.
In a decentralized blockchain-based online world, we the users can create our own identities and control our personal information. This type of identity and the resulting identity layer it creates is called ‘self-sovereign’ identity. Self-sovereign identity means that only we can modify our online identity information and all online information is controlled by us. Since identity information must be validated to be useful, a person’s identity is verified by having a significant number of people in the network vouch for the validity of the information in a user’s profile. A leading provider of this type of identity in the blockchain world is the Sovrin Foundation.
An alternate, or hybrid approach to securing identity, is one in which we control our personal information but our online identity is validated through ‘attestation’ by a trusted authority (i.e. a government body). For example, when signing up for a cryptocurrency exchange account or carrying out know-your-customer (KYC) procedures for an initial coin offering (ICO), users can only be registered and verified by supplying government issued identification (i.e. a passport or driver license). A leading provider of this type of identity in the blockchain world is Civic.
From a user perspective our identity under a decentralized blockchain paradigm can be handled most efficiently if it is resides with us. Think of it this way, it is much easier and safer for the average person to work with a single master identity that they control rather than multiple distributed identities controlled by others. As a result, the blockchain in combination with self-sovereign identity makes it possible to create an identity layer for the Internet/Web that is built up by the users in the network.
To be useful this identity layer must be highly secure. Fortunately, blockchains can create the most secure networks known today. Additionally, blockchain systems can employ novel cryptographic techniques so that data transfer to and from the ledger can be nearly impossible to hack. As a result, the combination of self-sovereign identity plus blockchain can create a layer of trust in the online world. Trust is built because everyone can be very certain that my online identity is really me and I have full control over all my information.
Let’s take a look in more detail at one of these novel cryptographic techniques for securing identity and information.
Zero Knowledge Proof
Identity verification and protection are items that have received significant attention in the blockchain community over the last five years. The reference implementation for this capability is known as a Zero Knowledge Proof (ZKP) of identity. ZKP is an advanced cryptographic technique used between a ‘verifier’ and a ‘prover’. ZKP enables a ‘verifier’ to verify that a ‘prover’ knows something without the ‘prover’ disclosing what it is.
So, for example, you can prove that you are indeed who you say you are without disclosing any identity information to prove it. Or, you can verify that you know a secret without sharing the secret. Since you have not disclosed any secret information in the transaction there is zero knowledge that can be shared with other people.
Today, we often have ‘challenges’ that ask us to divulge secret words (passphrases), identity information (social security number, birthdate) or passcodes to prove our identity before gaining access to services or information. So, you may wonder, how can you prove identity or that you have knowledge of something without divulging any information? Let me first say that ZKP is based on quite complex mathematics, but the process works something like this:
- Let’s say that you claim to be Jane Doe
- To prove that claim you typically provide an identity number, birthdate, and address or other information which is checked directly by a verifier against their centrally stored data
- Under ZKP you do not give this information to a verifier and they do not store it or have access to such data
- Instead the verifier gives you some tasks or tests that can only be successfully carried out if you have the identity information
- So, the verifier asks you to complete some tasks and if you do them successfully they can see the results and then they verify that you are who you claim to be
- If you cannot carry out the tasks successfully then they deny your claim
- The end result, in any case, is that they never receive any high value information — zero knowledge trades hands
A similar process can be carried out with secret or important information. For example, let’s say that you want to qualify for a mortgage but you don’t want to disclose your assets or net worth. In this example you could use ZKP to prove that you satisfy the conditions to qualify for the mortgage without having to provide bank statements or tax returns.
As is clear, use of ZKP significantly increases the difficulty level for hackers. If they hack the verifier they receive no identity or secret information (nothing is stored except the log of transactions) about you. Also, most ZKP verification tests on the blockchain require both a user’s private keys and identity knowledge, which are very difficult to obtain simultaneously and use in combination for a battery of tests.
ZKP was originally implemented on the blockchain in Zcash — a token that enables users to conceal specific information about their transactions. The implementation is known as zk-SNARKs, which has also been implemented on the Ethereum blockchain. SNARK is an acronym for ‘succinct non-interactive argument of knowledge’.
Self-Sovereign Identity & Trust
Under a system of self-sovereign identity, we control all of our information online. As a result, everyone we interact with including companies, governments, organizations, and other people will ask us for permission to access our profiles. No other entity can provide this information and no entity will have rights to store our identity and personal information.
Since we will be the only arbiters of our personal information, we can control the information disseminated to third parties through a capability called ‘selective disclosure’. This capability enables us to provide just the information required (i.e. verifiable claims) for the transaction and no more. Alternately, if we don’t want any of our information to be viewed, we can use ZKP or completely bar specific third parties from any access.
Transactions on a blockchain-based system are typically programmed to use trustless smart contracts. They are trustless in the sense that they don’t require trusted intermediaries to mediate the transaction. Instead, the verification of identity (as I’ve described above) plus standard checks required for the smart contract to operate will create a trust layer for the online world. Obviously, smart contracts will also need to pass through a mathematical validation process so that users will know that they have been verified to work correctly.
A consequence of these identity and trust layers brought about by blockchain technology will be the ability for each of us to monetize our personal data and information. This is quite different from the current paradigm where other entities can and do monetize our identities and personal information without our permission (i.e. Facebook).
Ben Bartlett, a prominent Berkeley lawyer and candidate for California State Assembly, believes that self-sovereign identity can serve as a foundation for universal basic income (UBI). His blockchain platform includes the concept that communities can fund UBI through the personal agency of private data in the marketplace. Specifically, “by declaring personal data to be a sovereign property right, …individuals and communities can become involved in the robust monetization of their data”.
So far, I’ve discussed how blockchain can create the foundation for robust identity and trust layers for the online world. Let’s now look at a few use cases spanning healthcare and finance:
Healthcare (section provided by Radhika Iyengar-Emens)
In a prior blockchain article, Jorden and I posited that blockchain technology has tremendous potential in healthcare and particularly for healthcare data. Clearly, healthcare data can enable optimized care to patients, from providing diagnosis and treatment, to personalized medicine and preventative care.
Currently, healthcare data is distributed and highly fragmented with our identity and personal information spread across diverse ecosystem players, including doctors, health systems, insurance companies, clinics, labs and others. With such data fragmentation, healthcare is anything but optimized.
Many industry experts recognize that one of the holy grails of healthcare is the Personal Health Record or PHR. A PHR enables each person to own his or her own comprehensive personal health information and share this data across the ecosystem to receive optimized care. PHRs have not gained widespread adoption because of significant security and identity concerns. Blockchain technology paired with self-sovereign identity makes it possible to achieve a true PHR by simultaneously addressing these concerns in a single system.
Once PHRs achieve widespread adoption, there is still a concern regarding the implementation of PHRs — particularly the unauthorized copying, sharing and storage of healthcare data during transmission, arguably when data is most vulnerable. Hackers are persistently attacking health data repositories to get access to medical records, especially identity information. Mechanisms such as zero knowledge proof (ZKP) can ensure that no actual identity knowledge changes hands at any time during any transaction.
Since healthcare providers will need to be able to read patient information for optimizing care, other cryptographic techniques and approaches will be required to ensure that the data cannot be copied, transmitted, or stored at any time. Each person can provide selective disclosure of critical historical personal information to authorized healthcare providers and other ecosystem players to minimize the potential for unauthorized access.
While the PHR may take a while to become a reality, it is becoming increasingly evident that blockchain technology in combination with advanced cryptographic mechanisms and other technologies such as artificial intelligence (AI), machine learning (ML) and IoT provide transformative and exciting opportunities in healthcare.
Blockchain was developed first for the financial industry and so it is the home of the original use cases. In finance and banking trillions of dollars in transactions take place on an average day. With such vast amounts trading hands, errors in identity verification can lead to fraud and loss of significant amounts of money. Identity is also used to track funds for anti-money laundering (AML) purposes.
The standard element used by anyone interacting with blockchain-based online financial products is the digital wallet. Pairing a digital wallet with self-sovereign identity and ZKP, like in the healthcare use cases above, can create a much more secure and powerful way for each person to manage their assets. We can call this new financial asset a personal financial record or PFR.
Since information in the PFR is quite valuable to nearly all businesses, an added value of the PFR is that it will enable people to monetize their financial information. They can do this by opting in to focus groups and/or behavioral studies and charge businesses and other entities for access to their financial and identity information. Like in the healthcare example, people can use selective disclosure to ensure that only the requested information is provided and no more.Civic
With greater control and higher security, blockchain-based financial products can empower people in many tangible ways as I’ve noted above. The exciting thing is that I have only scratched the surface of what is possible with my example, and there is much more scope for innovation that can unlock significant benefits for billions of people.
Blockchain has the potential to revolutionize trust, security, and our relationship with our personal data in the online world. In the next few years radically new concepts like self-sovereign identity and zero knowledge proof (ZKP) will usher in a new era that can positively impact all areas of commerce and society.