If you’ve purchased a house, opened a bank account, applied for a passport, or pretty much done anything of material importance in recent times, you would be forgiven for becoming a little frustrated by the wasted time that it’s taken you to gather bank statements, have passports certified, find a proof of address that they’ll actually accept and so on.
… and then 4 months later when you need do something else of equal importance, you have to go through the whole thing again…. because the proof of address needs to be within the last 3 months…. Great. It’s a pain.
We can fly a spaceship into an asteroid at 15,000mph to a 17 metre accuracy but we can’t get past me having to cycle to a lawyer mate with an actual paper copy of an electricity bill that he has to stamp with a logo but the ink’s run out and it’s not valid because he did it in green rather than black ink... and it needs to be in capitals, please sir. Give me a break.
The promise of technology is that efficiency will prevail, particularly when faced with big problems held by a large number of people. As is the case with our digital identities.
Let’s get an overview of where we are, and then move to where we could be going.
At the moment, the most common form of identity is our passport. It’s issued by a government, carries certain characteristics that prove its validity, and that we hold physically and present to an airline when we want to go somewhere. The flow works something like this:
The ‘key’ held by the government is the number that they issue you that can be verified by a third party as being an indicator of validity if necessary. Your ‘locked wallet’ is your physical presence, which when combined with your photo, proves that you are who you say you are. Welcome aboard.
Now this is all very lovely and that, but let’s face it…. it feels like we’re living in an era when England actually won a football tournament.
Passports can be lost, stolen or damaged, they can’t be used online, can be forged, carry an expiry, and so on.
And the problems with how we manage our identity don’t stop there. The most common way that we prove our identity online is through a password combined with our username.
This is known as ‘centralised identity’ as the proof of the identity rests with you. But three big steamers on this: 1) it’s very difficult for us to remember hundreds of passwords, 2) if you use the same password all over the place it’s likely to be stolen (the ‘password proliferation problem’) and 3) they can be easily hacked. This has been significantly improved by Face ID and biometric ID, but those just provide access points to the data that is stored about you, rather than giving you control over the from and storage of the data itself.
The step up from this is ‘federated identity’. That looks something like this:
This is basically where you sign in to something (like your Google ID) once, and then you can use that to sign into other sites elsewhere without a username and password. As tech folks love acronyms it’s called SSO or Single Sign On. Smart.
The one website (in the example being Google) then becomes the IDP (Identity Provider - another juicy acronym) who issue an assertion to the website, basically saying that yes, this dude or dudette is who they say they are, you can trust us, and so access is given and the data flows. That’s all great and helps to a certain extent, but a couple of other stinkers associated with this.
Firstly, there is a massive amount of trust between us ‘the users’ and the IDP, since they have to hold all the data about us… and of course the next obvious question is, well, what data exactly does this IDP hold and more to the point, what of it are they passing on?!
You can check this out if you go to your Google account, go to Data & Privacy, and go down to ‘Data from apps and services you use’:
From here you can download all the data that Google hold about you. I clicked it just for bants, and I go this:
So there are 43 products just from Google alone that store data on me, that is going to take hours OR DAYS (!!!) to email to me… What the heck?! That’s a lot of data, no?! (Post note… I still haven’t got the email with the data….!).
More to the point, what is this data? I have no clue… but wait a sec… this is about the online version of ME?! Shouldn’t I know what’s being represented about me online? This is like you running to be a Member of Parliament but then deciding against it as you’re not sure what photos there are still on Facebook of you doing silly things in the corridors of university halls. And herein lies the problem with Federated Identity. You are a bystander in the digital version of yourself. You are a consequence of your digital identity, you don’t actually own it.
Now you may think we’ve heard this all before, and fair enough, if you know all this, then you’re probably tech savvy and love an acronym or two…. nice work. But don’t you think it’s totally insane that we do so much stuff online nowadays, but we actually have little control or knowledge about how we’re represented? In most cases our digital identity is what people (or Google) say about us, not who we actually are.
And so we glide neatly on to Decentralised Identity or DID. The promised land built on the foundations of Blockchain. Here we go.
The first step is to set up an identity wallet. This generates two key things, a public and a private key, both stored on blockchain. The private key proves that you own the access to the identity wallet, without revealing what’s in it, and the public key provides access to your data; this is what you’ll show to people that need to know that you are who you say you are. This is all based on cryptography, and you’ll need to read my blog on ZK Proofs if you want to know more about proving ownership of something without showing what that something is.
Next step is to create a digital passport, which carries the information about you, which can all be hashed (another blog to read if you haven’t already!) and then get the government to add their digital signature. All this goes neatly on to the blockchain… which is secure, transparent, and can be accessed anywhere.
Lovely jubbly. Now when you roll into the airport 5 mins before check in closes, you just provide the airline with your digital wallet and the public key, the airline checks that the digital signature on the blockchain belongs to the government, and you’re good to go. Now this is all done on a dApp of course, but for the sake of explanation it’s simplified. So long as the government have a public key, and so long as that public key sits alongside a digital passport as verification that is stored on a secure blockchain, then the airline knows that you have a valid digital passport.
And so the Trust Triangle is complete:
Now the key (s’cuse the pun) thing to note about this hypothetical scenario is that the airline doesn’t necessarily need to know your name, your date of birth, where you were born and so on…. all the information that is carried on a passport that is not relevant to your flight. All they need to know is that the government has issued you with a digital passport and that it’s valid. Using cryptography, you can prove that you own the passport, and the airline can check that its valid on the blockchain. But they don’t need any more data about you than that.
This is a super important step, as it puts us in charge of the data that we reveal. It’s a huge leap from my 43 products and 2GB of data that I’ve got no idea what it is in the email that I still haven’t received from Google….
This will go far. ALL of our personal data, our biometrics, our health data, our university degrees, our qualifications, our purchasing preferences, the places we go, the things that we interact with online…. all of this can be stored in our own personal digital wallets, that we hold the private keys to, and that we can allow access to (or where necessary) prove ownership of, whenever we need. Because blockchains are essentially strings of data that can’t be changed, but that are secured globally, they provide provenance and immutability - which are two key components of decentralised digital identities.