Blockchain ID Schemes Could Kill the Data Breach, But How Soon?

fingerprint
11 November 2017

Awareness of the serious drawbacks of centralized identity services is growing.

Spurred by the Equifax breach earlier this year, the problem isn’t relegated to the U.S. credit scoring company alone. In mid-October, a database leaked the personal information of more than 30 million South Africans (more than half the population). Further, searching “data breach” in Google news turns up a significant recent data breaches globally.

Yet, a new breed of entrepreneurs believes that by updating the underlying technology used by such services, consumer data can be better protected.

“This move to the cloud and greater digitization of government services has led to greater centralization,” said Brian Behlendorf, executive director of Hyperledger.

And if something isn’t done to distribute that data, the lead developer of one of the largest blockchain consortiums, one boasting membership from IBM, Baidu, Intel and more, believes breaches will continue.

This is the main reason Behlendorf believes stakeholders are more interested in exploring self-sovereign identity – a means of decentralizing identifying information so that the individual has control over their own data. The concept of a self-sovereign ID has “been percolating for awhile,” he said, but it wasn’t until the advent of distributed ledger technology that the notion started to feel somewhat attainable.

Behlendorf told CoinDesk:

“You’re using [distributed ledgers] simply to store addresses, pointers and hashes to data that is stored off-chain elsewhere. Recognition of that basic model is starting to become clear to the different organizations in [the identity] space.”

While it’s still early days, several stakeholders have taken the lead, with governments seeming most interested in utilizing blockchain technology to shape the future of identity management.

Governmental momentum

And that’s what’s perhaps most notable. Governments aren’t typically recognized as first movers, but some are proving responsive to a solution that might allow them to offload some of the risk of storing large silos of citizens’ data.

For instance, the state of Illinois, through the Illinois Blockchain Initiative (IBI), is exploring how it can implement blockchain technology in areas like land titles and birth certificates.

According to Jennifer O’Rourke, Illinois’ blockchain business liaison, “Moving to a model where you as an individual are responsible for your information as opposed to institutions carrying that responsibility was very interesting for us.”

In a birth certificates trial, Illinois partnered with blockchain firm Evernym, which uses the non-profit Sovrin Foundation’s blockchain.

“I think we’re starting to see a significant amount of momentum here, where the number of calls that we’re getting from our counterparts at both state and sovereign level to learn from the works that we have done has increased dramatically,” O’Rourke told CoinDesk, adding:

“It is clear that many people are focused on this in the government sector.”

The Brazilian government’s Ministry of Planning is also exploring a number of identity management use cases, recently piloting a program with ConsenSys’ uPort using the ethereum blockchain. And IBM – in the midst of an identity pilot with SecureKey and a number of Canadian banks – is seeing interest from government agencies as well.

“We’ve gotten interest from the U.S. and other countries that want to do something similar so we’re in discussions now with interested parties in those regions on how can expand what we’re doing,” Adam Gunther, director of blockchain identity offerings at IBM, said.

Hurdles for adoption

But with that interest also comes concern.

Many blockchain-based ID systems rely on decentralized identifiers (DIDs), which hold unique metadata that proves ownership of a particular ID. So, in Illinois’ birth certificate proof-of-concept, the actual birth certificate does not get stored on the blockchain, and the DIDs are meaningless outside one interaction.

And there aren’t yet standards for use case, which makes these kinds of frameworks even more complex to understand and utilize.

IBM’s Gunther believes DIDs need to be standardized in case of loss or theft. The reason? So they work more similarly to the way credit cards do, where consumers are able to call up a company responsible for safeguarding the data to see if it has been stolen.

“Then the damage someone can do with that is much less significant,” he said. “We need that same type of identity standard.”

Another concern is that, with an ever-increasing number of blockchains, a stakeholder chooses the one that doesn’t get the most traction in the end. Here, groups are also working on standards, in an effort to make blockchain ID systems interoperable.

“I don’t believe we will have only one blockchain platform used by the government in Brazil,” said Vinicius de Faria Silva, coordinator-general of the division within the country’s Ministry of Planning responsible for its blockchain work.

He continued, “Of course, there are a lot of questions, a lot of doubts, I don’t think [the concerns are] about security, much more about how to use this technology, how to implement the solutions and how this will grow throughout time.”

Regulatory triggers

Yet, some of these questions could be answered by new regulations.

Behlendorf is hoping Europe’s General Data Protection Regulation (GDPR) will be a catalyst for greater adoption of blockchain-based self-sovereign ID systems.

“It’s far easier to meet the GDPR requirements when you’re collecting data from individuals and … minimizing data you store,” he said. “You’re keeping the consumer informed about that data, giving them a chance to inspect it, correct it, that sort of thing.”

Behlendorf also sees a kind of chicken-and-egg problem in the space. “Who would adopt it with enough distribution for it to be worth people moving to?” he asks.

Regulation, as it has in the past with financial services technology, could spur a resolution. But many, including Evernym’s chief trust officer Drummond Reed, remain optimistic.

Reed told CoinDesk:

“This is going to be like the adoption of the web. It didn’t happen overnight, but it’s going to be inevitable.”

Digital fingerprint image via Shutterstock