20 years ago, few of us had more than a handful of online accounts. The same doesn’t hold true today. Think of all the email services, social media networks, banking applications, blogging platforms and messaging apps that you’ve signed up with over the years.
Each of us has a digital identity that spans across a vast amount of data. This includes friends, contacts, preferences, education and employment history, religious and political tendencies, etc. Where does that identity exist? It hides behind the walled gardens of dozens (and maybe hundreds) of centralized online services.
However, we have little control and ownership of that identity. It’s fragmented, inconsistent and insecure. Each of those services holds its own image of our information. Much of it is redundant. Some of it is old, some of it invalid. We don’t know how much information each of those services collects and stores. Consequently, we have no other choice than to trust them with keeping our data secure and use it responsibly.
Given the amount of sensitive and intimate information they handle, these services have a heavy burden to bear. And oftentimes, their knees buckle under the weight of that burden, at our expense. Long story short, our online identities have become too valuable and complicated to entrust their safekeeping and management to anyone else but ourselves. This is why we should be taking back control of our digital life and profiles.
What can possibly go wrong?
First of all, it involves a lot of redundancy. Every time you sign up for a new service, you’re required to fill extensive registration forms. You have to answer the same security questions and select a unique, complex password you haven’t used elsewhere. And you have to keep all that information up to date. For instance, if your home address changes, you’ll have to update your profile information on all services that depend on it. Maintaining consistency among your many online accounts can become a real pain when their number grows.
There’s also a security risk involved in giving up your personal information to centralized services. Those services will have to store it on a database along with the information of millions of other users. This large amount of email addresses, phone numbers, credit card numbers, and answers to security questions in one place draws cybercriminals like bees to honey.
Do the services do enough to keep that information secure?
They often don’t. Just look at the recent Equifax data breach, which spilled sensitive financial information of more than 143 million U.S. citizens. Unfortunately, the customers, the real victims of the incident, had totally no power in preventing the breach. However, the credit rating agency could have easily avoided the hack had it taken the proper standard measures to secure customer information.
Privacy is another problem that centralized identity information storage suffers from. As the user, you have no visibility over how much information you’re giving up, and how those services use them. And as you give it away bit by bit, you gradually lose your sensitivity. As an example, when tech reporter Judith Portail asked Tinder to hand over the data it stored about her, what it returned overwhelmed her. In another case, Gizmodo’s Kashmir Hill found out that Facebook knew more about her family relations than she herself did. Unlike Portail however, Hill never got to know what exactly Facebook stored in its databases about her and her family ties.
Moreover, there’s always the looming threat of those services monetizing your data without your consent, or giving it away to government agencies. China’s citizen score program, which gives the Chinese government full access to the digital lives of its citizens through tech companies, gives a glimpse of what can happen if Facebook and Google decide to turn evil.
Last but not least is the “lock-in” effect. As you give up more and more of your data to these services, you become more dependent on them. You’re forced to stick to Facebook and Google, because no other service has a more complete profile of your digital life. If you decide to sign up with an incompatible service, you will simply have to start building that profile from scratch. And if any of these companies decide to lock you out of your account, you’ll have no means to recover your data.
How can we regain control of our digital identity?
To be fair, none of these companies are entirely to blame for the broken state that internet information has (though they are to blame for taking advantage of it). Until recently, there was no viable alternative to the centralized architectures. As a consequence, internet services were forced to create their own independent silos where they store user data.
But with the advent of bitcoin, things changed. Bitcoin made it possible to make financial transactions without the need to rely on banks or other third party brokers. This was made possible thanks to blockchain, the distributed ledger technology that underlies bitcoin and other digital currencies. While bitcoin was the first application for blockchain, its principles apply to any sort of digital information.
Basically, blockchain assures the security and integrity of data by making it public knowledge instead of locking it away in a centralized server. Blockchain replicates every record across thousands of independent computers that constitute its network. It uses cryptographic equations to tie those records to encryption keys that only their owners hold. Blockchain effectively made it possible for online user data to exist independently from centralized application servers.
Smart contracts, bits of code that run on blockchain, took the notion a step further and made it possible to run applications without the need for centralized servers.
In recent years, plenty of startups have emerged that employ blockchain and smart contracts in different domains and industries.
One of the areas that these startups are exploring is enabling users to regain ownership of their digital identities and personal data. The idea is to provide users with ways to store, access and update their profiles without relying on any centralized service.
An example is SelfKey, a blockchain-based platform for creating, controlling and managing digital identities. SelfKey calls the system Self-Sovereign IDentity (SSID).
Users install the SelfKey wallet app on their smartphones and register their identity on the blockchain, which is marked by a public/private key pair. Other entities use the public key, which is transparently available on the blockchain, to validate a user’s identity. The private key, which is in the sole ownership of users, serves to sign documents and transactions and provide proof of ownership.
SelfKey encrypts all personal data is stores it exclusively in the wallet application. Users decide and control what information they want to share with applications, and sign that information with their keys to prove its authenticity.
SelfKey will launch with a marketplace for compatible applications, including a citizenship and investment program, cryptocurrency exchanges, money remittance and transfer, token sales, and more. The storage of keys and transactions on the blockchain obviates the need for a centralized server.
The Pillar Project, another blockchain application, is working on a similar solution. Pillar’s “smart wallet” provides a secure storage for personal digital assets, including contact lists, cryptocurrencies, health records, etc. Like SelfKey, Pillar’s users will specify which entities or applications will be able to access their data. Pillar also plans to add a smart assistant which will make it easier for users to manage their personal data.
Another project, Blockstack, gives users the option to store their identity information on a third party cloud storage such as DropBox, Google Drive or any other storage service of their choice. Blockstack encrypts all data with the user’s private keys, making it impossible for those services to access the data. Blockstack applications can’t access users’ information without their consent, and store whatever information they create in the user’s data store.
These projects solve a fundamental challenge. They obviate the need for service providers to create large stores of user data. This will be a win-win situation for both users and service providers.
For the user, it puts them in total control and ownership of their digital profiles. They can rest assured that their data is not being abused for evil ends. They don’t need to sign up with every service and fill up lengthy registry forms. Instead, they give those services access to parts of their self-owned profile. No service can lock them out of their own profiles. No one can manipulate their data. And they only need to update their profile in one location when there’s a change.
For the service providers, it makes them a less attractive target for hackers, since they no longer hold user data. It also makes it less likely that they run afoul of the complicated data storage and privacy regulations that vary widely across different countries and regions.
The future of digital identities
Despite its promises, blockchain remains a nascent technology. A lot of hype surrounds the industry, and a lot of the projects and startups fail to live up to their promises. Blockchain still has to overcome its mass adoption problem in face of established cloud services. It also has to deal with compatibility and scaling issues.
Nonetheless, the technology is here to stay, and it’s drawing attention and interest from large tech companies and governments. There are now several nations that are exploring blockchain-based identity systems as an alternative to paper-based ID.
This will help overcome the regulatory hurdles and iron out other kinks such as interoperability. The outlook is to see the merging of digital and physical identities in one, secure platform truly owned by users.