Although many initiatives have already tried to improve identity and identification in the business world by incorporating Blockchain as a disruptive technology, the truth is that the traditional problem of identification through centralized entities has not been solved successfully; a unanimously agreed answer or solution has yet to be found.
Personal identity is one of the Fundamental Rights recognized internationally by a large catalog of norms and agreements: the European Convention on Human Rights (arts. 7 and 8), the Universal Declaration of Human Rights (art. 12) and, more recently, the European General Data Protection Regulation and the Organic Law on Data Protection and Guarantee of Digital Rights, which have managed to establish themselves in Spain as our archetypal pillars, capable of defining a regulatory body where respect for privacy and the protection of personal data are the central nucleus.
To better understand the collision between the Blockchain and different legislations, we recommend reading this analysis, where we covered the issue. Given the positive attitude recently adopted by several international bodies and the opinions from different countries, it seems that a clearer solution might materialize soon.
At its most basic level, personal identity consists of:
- Name and Surname
- Date of birth
- National identifiers, such as passport number, Social Security affiliation number, driving license number, etc.
The importance of having an identity of one's own is undeniable. Without a valid form of identification, effective social participation would become impossible, simply because an individual could not prove that they are who they say they are.
However, there is a huge problem in relation to this issue. All this information is generally centralized in servers and databases, which leads us to face new challenges:
1. Generally, only those centralized entities are capable of validly issuing those identities:
In this way, they would be the only ones empowered to issue and validate those identities, to the subjects they choose and under the conditions they stipulate. According to the United Nations, around 1.1 billion people worldwide do not have a valid way of claiming ownership of their own identity.
2. These entities may be processing our personal information incorrectly:
Take as an example the countless online platforms that currently exist, and social media platforms in particular. Each of them, before allowing us to use it, requires us to create an identity associated with its system. As users we are renting our identity to these agents without having true ownership over it, and we even enable these entities to sell and license our personal information. This scenario can lead to really worrying situations, such as the famous Cambridge Analytica case, which affected the personal data of millions of Facebook users.
3. Identity theft:
Attacks and security breaches are currently among the biggest threats to the databases and servers that host our personal information. They make these “third parties in the privacy chain” vulnerable to attacks and to the theft of information that, remember, ultimately belongs to us as users. Or at least that is what the General Data Protection Regulation and our Organic Law on Data Protection try to establish. In addition, in many cases these “non-trusted third parties” may not act in the legally established manner when sharing our personal data with other third parties, and in numerous other cases we, the users, may not be correctly notified about the mismanagement of our personal data.
The incorporation of Blockchain technology and Distributed Ledger Technology (DLT) elements in this scenario could solve all these inconveniences, since it provides its participants with an emancipatory capacity never seen before, even creating the possibility of a kind of “micro-control” over information transactions on an unprecedented scale. We could call this capacity a true “self-sovereignty”.
There are a number of areas where blockchain technology can potentially contribute to new digital identity architectures.
1. For publishing self-issued Decentralised Identifiers (DIDs); a blockchain can create decentralised agreement on the uniqueness of a new DID and the binding of a user-generated key pair to that DID.
2. For recording revocation and revocation checking events (aka identity state changes) to provide a decentralised source of truth for revocation information without a central authority or reference point.
3. A registry of root public keys (aka trust anchors) in an SSI system replacing the traditional public key directory of PKI.
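The first two roles above, shown as an added Go example (not code from this article or from any SSI project): an in-memory map stands in for the ledger, Ed25519 is an assumed key type, and `did:example` and every type and function name are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Registry stands in for the ledger: an in-memory map with no consensus layer.
type Registry map[string]*entry
type entry struct{ pub ed25519.PublicKey; revoked bool }

// DIDFor derives the DID from the key itself ("did:example" is a placeholder method).
func DIDFor(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "did:example:" + hex.EncodeToString(sum[:16])
}

// Register binds pub to its DID once; proof is the key's signature over the DID.
func (r Registry) Register(pub ed25519.PublicKey, proof []byte) (string, error) {
	did := DIDFor(pub)
	if _, taken := r[did]; taken {
		return "", fmt.Errorf("DID already registered")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(did), proof) {
		return "", fmt.Errorf("no proof of key possession")
	}
	r[did] = &entry{pub: pub}
	return did, nil
}

// Revoke records the state change; only the bound key can authorise it.
func (r Registry) Revoke(did string, sig []byte) bool {
	e, ok := r[did]
	if ok = ok && ed25519.Verify(e.pub, []byte("revoke:"+did), sig); ok {
		e.revoked = true
	}
	return ok
}

// Check is the verifier's lookup: key bound, not revoked, signature valid.
func (r Registry) Check(did string, msg, sig []byte) bool {
	e, ok := r[did]
	return ok && !e.revoked && ed25519.Verify(e.pub, msg, sig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	fmt.Println(Registry{}.Register(pub, ed25519.Sign(priv, []byte(DIDFor(pub)))))
}
```

Because `Check` verifies signatures over bytes chosen by the verifier while `Revoke` accepts a signature over `revoke:` plus the DID, a production design would prefix every signed message with its purpose so that a login challenge can never double as a revocation request.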
Re-designing how identity is managed through decentralised and blockchain technologies enables the development of new system architectures where applications seek permission to access their users’ data rather than having their users’ data stored with the application.
Three defining characteristics of this technology are:
– The blocks that contain information, generally encrypted, cannot be easily replicated without a consensus from the Internet.
– It allows the creation of a record that is, in principle, immutable, which is currently one of the basic pillars of this technology.
– It means that digital processes can also be understood as immutable, since they are recorded in that registry, of which any participant in the network has an available and up-to-date copy downloaded to their own computer.
One of the most interesting solutions currently available is “Sovereign Digital Identity” (SSI) systems, which allow entities that need to verify our identity to receive official records containing particular personal information. Their special feature is that these records remain under the sole and exclusive ownership of the party that shares them, that is, of us as operators in the chain, whenever one of the entities that needs to verify our identity requests access to personal information.
That information may only be shared with a third party or reviewed with the express authorization of the owner of the data.
That is an enormous improvement for the data subject (the real owner of the personal information) in the direction of retaking control of what can actually be done with it, limiting not only the duration but also the purpose of the data collection, storage and transfer to third parties.
Think about it this way: if the data subject controls who can access his/her data and for what concrete reason, then once the goal is reached the owner can simply deny further use or transfer of that data.
That is true power.
We recommend taking a look at the SSI solutions provided by our collaborators Verida, where user data is privately and consensually used to create new products and services.
Think of the countless problems we could be spared by being effectively able to control who has access to our personal information, under what conditions, for what specific purposes and within a time frame that is also determined by the user.
While a mobile application is not technically required to implement Sovereign Digital Identity systems based on blockchain technology, the truth is that it is currently the most convenient way to generate private keys, to send public keys to those who request our identification, and to hold digital records that can only be accessed with the corresponding private key or a decentralized identification system.
The simple creation of immutable records in the blockchain, or of environments in which users can store their personal information, does not effectively empower the holders of personal data. We must be able to control access to those records, with a specific and revocable time limit, and we must also be able, as owners of that personal information, to carry those records to any other storage system that we choose, as well as to save that information independently of the systems used by the institutions that request our identification. The icing on the cake is that, above all, we must be able to prove through these systems that we are the true owners of that information.
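The access rule described above (owner-authorised, limited to a purpose, time-limited and revocable) can be expressed as a signed consent grant that the record holder checks on every request. This is an added Go example, not code from this article or from any SSI product; the `Grant` and `Store` types, the field names and the sample values are hypothetical, and Ed25519 is an assumed key type.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Grant is a hypothetical consent record: who may read which record, why, until when.
type Grant struct {
	Grantee, Record, Purpose string
	Expires                  time.Time
	Sig                      []byte // owner's signature over Payload()
}

// Payload is the byte string the owner signs; %q keeps field boundaries unambiguous.
func (g Grant) Payload() []byte {
	return []byte(fmt.Sprintf("%q %q %q %d", g.Grantee, g.Record, g.Purpose, g.Expires.Unix()))
}

// Store is a hypothetical record holder. Revoked is assumed to be filled from the
// owner's published revocations and is keyed by grant signature.
type Store struct {
	Owner   ed25519.PublicKey
	Revoked map[string]bool
}

// Allow checks one request: owner signature, revocation, expiry, then scope.
func (s Store) Allow(g Grant, grantee, record, purpose string, now time.Time) error {
	switch {
	case !ed25519.Verify(s.Owner, g.Payload(), g.Sig):
		return errors.New("grant not signed by the data owner")
	case s.Revoked[string(g.Sig)]:
		return errors.New("grant revoked by the owner")
	case !now.Before(g.Expires):
		return errors.New("grant expired")
	case g.Grantee != grantee || g.Record != record || g.Purpose != purpose:
		return errors.New("request outside the granted scope")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	g := Grant{Grantee: "clinic", Record: "record-1", Purpose: "appointment", Expires: time.Now().Add(time.Hour)}
	g.Sig = ed25519.Sign(priv, g.Payload())
	s := Store{Owner: pub, Revoked: map[string]bool{}}
	fmt.Println(s.Allow(g, "clinic", "record-1", "marketing", time.Now()))
}
```

Because the expiry and purpose are inside the signed payload, a grantee cannot extend either without invalidating the owner's signature.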