Decentralized Identity Management Systems (DIMS) on Blockchain

CryptoTech is the new Orange.

As cryptocurrencies are rapidly spreading the knowledge of blockchain technology, it is time to talk about broader blockchain possibilities in the future world ecosystem. There are already plenty of pilot solutions for supply chains, the energy sector, payments, etc., but the most profitable and groundbreaking solution, in my opinion, will come for defining YOUR identity. Decentralized identity.

Ever wondered why the simple procedure of identifying yourself when buying something or receiving a service usually requires filling in identity documents for 10, 20, 30 minutes, or more? For example, last week I had to rent a car, and I had to spend 30 minutes filling in the forms and scanning the passport, driving license, and other ‘relevant’ documents. All of them hold private details of my identity beyond what a car rental would need. Additionally, as I step out of the door of the rental company, I do not know where those papers will end up: the rubbish bin, or somebody’s pocket. We all have to go through the same procedures of identifying ourselves when going to the doctor, lawyer, different agencies, or service providers…even hotels!

That’s where blockchain technology comes in to help you save time, money and your privacy, exposing only the exact amount of information needed and only for a specific time period. This will be available through Decentralized Identity Management Systems (DIMS).

Figure 1. Biggest identity problem now?

Identity on blockchain and DIMS have been a public topic from the day blockchain appeared. However, the discussion intensified in the last months, after the revelation of the hacking of Equifax. Organizations currently store private identity information in a centralized way. Big data aggregators such as Google, Facebook, Amazon, or Microsoft, to name a few, are selling your data to marketers, data brokers or other government or private institutions. Facebook takes the third-party cookies in your browser just to create your identity. Google scans through your email and sells ads reflecting the content of your email. And that is only the tip of the iceberg! Thus, it is no surprise that some people have started looking for solutions to decentralize the identity network. The main goal is to give private data back to its users and build a trusted ecosystem on blockchain.

The Problem is numbers

Big Data is becoming the new asset of the digital economy: how it is extracted, analyzed, valued, and traded could determine the rise and fall of many companies. Data is now considered ‘capital’, just as physical assets used to be.

As Big Data is on the rise, more advanced technologies are appearing to help corporations and agencies process that data. The one that is on everyone’s mind currently is Artificial Intelligence (AI). If we say data is the oil, then artificial intelligence is the refinery, and blockchain technology could be the oil rigs and the pipelines which bring it to the refinery. Together they create a new technology stack that many companies and governments aim to own. Blockchain technology in this case, and specifically DIMS, would help to keep private data in the consumer’s hands.

By the year 2020, the average internet user will generate 1.5-4.5 GB of data per day (source: DataWallet, Intel 2017). For comparison, today enterprises generate only ⅓ of the data, and consumers generate the majority of data, ⅔. Currently, corporations provide free services in exchange for your personal data. This is mainly because people do not know the value of the data they provide. In the most recent study (see table below), Trend Micro evaluated personal data. The findings are astonishing. The data which you own was valued at more than 3000 USD (on average). Some estimates state that it could be 7000 USD based on the income of the customer. However, if the customer’s net income is more than 100k USD per year, I would believe the cost of the customer’s data would be proportionally higher. In future, when more IoT devices come along and serve as data generators, the aggregated personal data you own could be valued at even higher dollar/bitcoin/ether numbers.

Figure 2. Value of your private data

An interesting fact is that in 2017 Hitachi Insights launched a new program, City Data Exchange, a platform marketplace that allows any entity in a city to post and trade aggregated data, including telecoms vendors, police departments or utility providers (source: IHS Markit 2017). With the first step taken by an enterprise, more centralized and decentralized exchanges would follow in other cities and countries for aggregated data from enterprises, consumers or their devices. This could be a perfect trading space for aggregated personal data from you or the devices you own.

Sad to say, this role is currently filled by data brokers, which are on the rise. By current estimates, in the US alone the market for personal data is valued at around 426 billion USD. These data brokers in the US have as many as 3000 data elements covering every US customer. The customer's data is traded, and little or no money lands in the customer’s hands.

The future of identity in EU

The European Union has already started looking into projects on how to make use of blockchain. There is an initiative from the EU to give 5 million euros to blockchain projects created for social good. I would assume some of the projects proposed would be in the space of Identity Management.

The EU also took the first steps to empower customers and provide them with a framework to retrieve their data. The EU has announced a law which simply states that companies need to provide private data, or knowledge of it, to the customers. The law takes effect on May 25th, 2018 and is called the General Data Protection Regulation (GDPR).

Figure 3. EU GDPR

The GDPR would protect and empower all EU citizens’ data privacy and reshape the way organizations across the region approach data privacy. The GDPR applies not only to organizations located within the EU; it will also apply to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. Personal data is any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

The GDPR states that a company needs to be able to respond to a data request from the customer and give the data to the customer in a portable format. Furthermore, the company or organization is obliged to have procedures and processes for data retention, as well as the ability to destroy data if the data subject requests it. One more interesting point is that the GDPR obligates companies to discard all unnecessary customer data.

Given these obligations, companies and corporations will have (and are already having) an enormous headache over how to divide their data into personally identifiable data and unidentifiable data. This regulatory situation will make blockchain shine in all its beauty!

Companies will search for an effective solution that makes it easy and cheap to discard personal data (or not even use it). Furthermore, EU data subjects or EU citizens will search for an easy way to share only a limited amount of private data when receiving goods or services. I would imagine half of those EU citizens would request companies to delete their data after the transaction is done, service is received, etc. This and other regulatory requirements could be achieved using DIMS. Of course, data aggregators are not happy about this regulation.

Given this regulatory problem, the solution could be enforced smart contracts: for example, I, as a customer, provide you, the company, with my private data for 30 days while I am using your service, and you, the company, delete or lose access to my private data after this period. The private data could be stored encrypted on your private blockchain, with claims encrypted on the public one. This would give you an effective way to choose which data you are willing to share with the company you want to do transactions with or receive a service from. The company itself would have a simpler implementation of its IT systems, as there you have to store private data, answer customers' one-by-one requests about where their data is used, etc. A smart contract could be signed by the customer and the company to legally secure that the deletion of data is completed; it could define that if the company does not delete the data, it pays the customer X amount of crypto/fiat money and the authorities are alerted.

DIMS main concepts

The working principle of DIMS is pretty easy to understand. DIMS are currently available for testing or in an alpha version in multiple products. However, as the products are similar, the basic concept of what they do and how they function is the same. In this section, I will go through 4 main concepts. The figures I use to illustrate them are taken from the Sovrin technical whitepaper.

Firstly, all identity networks would have users, which would be called addresses, keys, identifiers, or IDs. Addresses are used in identity systems, and across the blockchain ecosystem, because public and private key functionality makes it possible to identify owners, users, pseudo-users, etc. There are multiple implementations of this identity. Some implementations would have as many pseudo-identities as possible, so it would be hard to correlate the information and identify the user. Some identity systems would use a single identity. The identity would be an alphanumeric address.

Secondly, claims in identity systems are attestations where 2 or more parties cryptographically sign a claim. The claim could be that I, as a citizen of country A, and government institution Y, which issues driving licenses, cryptographically sign that I have a driving license. We put the claim on a public blockchain where, if required, everyone can check that the driving license exists and was issued on a specific date. In different products, claims can be called attestations or assertions. One key feature of claims is that they could be:

  • Self made claims/attestations/assertions;
  • Verifiable claims/attestations/assertions;

In short, every claim would have a claim description. The claim description is the description, document, or certificate which defines what the claim is about. As an example, it could be your driving license, birth certificate, house lease, bank customer card, etc. These descriptions could be made and signed by you only, which makes it a self-made claim, or by an official government institution, bank, etc.

Thirdly, the systems would have disclosures. A disclosure is a revelation of one or multiple claims to some party. For example, you as a user want to open an account in a bank, and you provide multiple claims, for example, your birth date claim, your identity claim, your social security claim, etc. You combine all these claims into one and disclose it to the party or user it was intended for.

Fourthly, identity systems must always have smart contracts or consent receipts. A smart contract is programmable code where the code defines all or part of the legal contract. The smart contract is cryptographically signed by two or more parties, depending on the complexity of the issue. In the identity ecosystem, the usual case would be that I, as user A, allow my private data to be used for 30 days or the length of the contract, and you, company B, should delete the data after using it. If not, company B must pay me some amount of cryptocurrency and would be reported to the authorities.

These 4 are the main concepts for DIMS on the blockchain. In the next section, these concepts are put into practice using examples.

DIMS in future life

To provide an understandable picture of how identity on blockchain would work in future life, I will use the figures provided in the Sovrin Foundation technical paper. To start with, we have a person named Jane, who holds her keys and identifiers on her private device/cloud/etc. for storing her identity. Currently, it is empty (Figure 4).

Figure 4. Jane’s Identity

Jane decides she wants to become a customer of a bank. Jane shares her pseudo-identity public key ‘A’ with a bank and holds the private key ‘a’ inside her storage. The bank validates Jane to become a customer of the bank and signs the claim of Jane (Figure 5).

Figure 5. Jane sends public Key ‘A’ to bank

The claim signed by both parties is stored on the ledger. Jane now holds the claim ‘3 K’ inside her private storage, which could be revealed if needed. Additionally, she creates multiple other claims which are asserted and signed and can be verified. Other claims could be self-asserted (Figure 6).

Figure 6. Jane creates multiple claims

Jane currently holds 5 claims:

  • Self-defined claim ‘1 ?’ and ‘4 ?’;
  • Government verified claim ‘2 G’;
  • School verified claim ‘5 S’;
  • Bank verified claim ‘3 K’;

All these claims are issued using different pseudo-identities, where claim definitions are defined and stored in an institution, organization, etc.

However, Jane wants to be employed at an institution and she needs to disclose some of her private information. She does not have to disclose all her private information like we do now when we present a passport or driving license. Jane combines multiple claims, picks the attributes she wants to share, and uses a master secret, a special key, to create a disclosure using a zero-knowledge proof.

Figure 7. Jane makes a Disclosure
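
One way to build the attribute-picking step Jane performs above, as an added example that is not from the original post or from Sovrin: it uses salted hash commitments, a simpler technique than the zero-knowledge proof and master secret the text mentions, so it hides undisclosed values but is not zero-knowledge. The attribute names and values are constructed, and the in-memory `LEDGER` dict is an assumption standing in for the public ledger entry that the issuer would sign.

```python
import hashlib
import hmac
import json
import secrets

def leaf(name, value, salt):
    # Salted hash of one attribute; the random salt stops a verifier from
    # guessing hidden low-entropy values such as a birth date.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def root(leaves):
    # Sorting hides the position of each attribute inside the claim.
    return hashlib.sha256("".join(sorted(leaves)).encode()).hexdigest()

def issue_claim(attributes):
    """Issuer: commit to every attribute; only the digest goes on the ledger."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    leaves = [leaf(n, v, salts[n]) for n, v in attributes.items()]
    return root(leaves), {"attributes": dict(attributes), "salts": salts}

def make_disclosure(holder, reveal):
    """Holder: reveal the chosen attributes, send only hashes of the rest."""
    attrs, salts = holder["attributes"], holder["salts"]
    return {
        "revealed": {n: [attrs[n], salts[n]] for n in reveal},
        "hidden": [leaf(n, v, salts[n]) for n, v in attrs.items()
                   if n not in reveal],
    }

def verify_disclosure(disclosure, ledger_digest):
    """Verifier: rebuild the digest and compare it with the ledger entry."""
    leaves = [leaf(n, v, s) for n, (v, s) in disclosure["revealed"].items()]
    return hmac.compare_digest(root(leaves + disclosure["hidden"]), ledger_digest)

# Constructed sample: Jane's government-verified claim ('2 G' in the figures).
# Assumption: the ledger write is authenticated (issuer signature omitted here).
LEDGER = {}
digest, jane_store = issue_claim({"name": "Jane", "birth_date": "1990-04-12",
                                  "licence_class": "B", "country": "A"})
LEDGER["2 G"] = digest
disclosure = make_disclosure(jane_store, ["licence_class", "country"])
print(verify_disclosure(disclosure, LEDGER["2 G"]))
```

Because the same digest is shown to every verifier, it can be used to correlate Jane across disclosures, which is one reason real systems move to zero-knowledge proofs.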

Furthermore, claims work both ways. As Jane goes to the retailer, she would love to find out if the retailer pays taxes in her country and is owned by local persons. She can request a disclosure of this from the retailer (Figure 8). The retailer can have this claim made by contacting the Chamber of Commerce or another authority, e.g. the tax authority.

After retrieving the disclosure and deciding she wants to use the retailer's service, Jane makes a consent receipt with the retailer. As Jane shares her private information, the retailer provides a consent receipt stating that, for example, her data will be deleted after 30 days of usage. If it is not deleted, the action will be reported to the government institution (Figure 8).

Figure 8. Jane request Disclosure from retailer and signs Consent receipt

In the end, the most important point of having a private ledger is that Jane can track the orders and times, and have full log details of what she was doing, and where and by whom her private information was used (Figure 9).

Figure 9. Jane can store details in her private ledger
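
An added example (not from the original post or from Sovrin) of Jane's private ledger kept as a hash-chained log, which also flags consent receipts whose retention period has passed with no deletion recorded. The event fields, receipt ids and party names are assumptions made for illustration, and the sample events are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64

def entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(ledger, kind, receipt, party, when, **extra):
    """Add an event that commits to the hash of the previous entry."""
    body = {"kind": kind, "receipt": receipt, "party": party,
            "when": when.isoformat(),
            "prev": ledger[-1]["hash"] if ledger else GENESIS, **extra}
    ledger.append({**body, "hash": entry_hash(body)})

def chain_intact(ledger):
    """False if an entry was edited, reordered or cut out of the middle."""
    prev = GENESIS
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def overdue_receipts(ledger, now):
    """Consent receipts past their retention period with no deletion logged."""
    deleted = {e["receipt"] for e in ledger if e["kind"] == "deletion"}
    late = []
    for e in ledger:
        if e["kind"] == "consent" and e["receipt"] not in deleted:
            deadline = (datetime.fromisoformat(e["when"])
                        + timedelta(days=e["retention_days"]))
            if now > deadline:
                late.append((e["receipt"], e["party"]))
    return late

def sample_ledger():
    # Constructed sample events; receipt ids and party names are made up.
    start = datetime(2018, 1, 1, tzinfo=timezone.utc)
    ledger = []
    append(ledger, "consent", "r-1", "retailer", start, retention_days=30)
    append(ledger, "consent", "r-2", "bank", start + timedelta(days=2),
           retention_days=30)
    append(ledger, "deletion", "r-2", "bank", start + timedelta(days=20))
    return ledger
```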

This is only a basic example of the possibilities of identity management systems. As our technology evolves, more advanced cases will appear.

What next?

In the next blog post, I will review current solutions of DIMS on the market, e.g. Uport, Civic, Sovrin, etc. Additionally, I will take a step further and discuss vision and implementation of these networks and what the future of identity on blockchain would look like.

Stay tuned.
