October 26, 2017 | Written by: Cole Stryker
Categorized: New Thinking
How do you know I am who I say I am? How do you know that I can be trusted? You might look for me on Twitter or Facebook. If you’re an app maker, you might rely on Apple or Google. If you’re an officer of the law, you may ask for my driver’s license, issued by the state government, or a passport, issued at the federal level. If I’m interested in renting your apartment, you might consult a credit reporting agency. All of these third-party organizations serve to verify identity claims and provide trust across the networks of their users.
Throughout our lives we give out personal information freely to such organizations in order to participate in communication and exchange networks. We hand over identifying information voluntarily to organizations as large as nations and as small as local mom and pop businesses. In return for divulging our personal data, we are granted access to participation in the modern world, with all of its conveniences. But at what cost?
Sometimes these companies mine and sell our data, often to less trustworthy companies, or governments who might not have their citizens’ best interests in mind. Sometimes these companies get hacked, allowing scam artists and identity thieves to exploit your personal information for their own gain. Sometimes vicious trolls are able to use your personal information against you, which disproportionately affects society’s already marginalized people (e.g. racial minorities, undocumented immigrants, women, trans people). Social justice activists and political dissidents often rely on their anonymity, especially in parts of the world where freedom of speech protections are weak (e.g. Saudi Arabia, Iran). Anonymity protects these people from being inundated with harassment and death threats, and in extreme cases, physical violence.
Our current identity paradigm is a mess. If we want to experience modernity’s conveniences, we must give out personal information. But we have little control over how this information is used once it’s handed over. As security expert Bruce Schneier has argued, we put our faith in “feudal lords” such as Google and Facebook in exchange for the secure handling of our data. He and others have suggested that a strict regulatory environment might curb such mishandling. This might prevent vendors who operate above ground from intentional bad behavior, but the problems presented by hackers and trolls are trickier. Good faith attempts to secure personal data fail all the time, and criminals are pretty good at routing around rules, whether that’s coming from inside a Terms of Service agreement, or a broader civic regulatory measure.
As the Internet of Things develops along with the continued expansion of the Web into every facet of modern life, these problems will only proliferate. The Equifax nightmare is only the beginning. But there’s good news—a disruption is on the horizon. Surprise, it’s powered by blockchain.
There are at least twenty organizations trying to crack the nut of blockchain-powered identity management and authentication from various angles. Evernym is one of the most promising, having just closed a $7 million investment round. They are partially funded by the Department of Homeland Security via a Small Business Innovation Program award, which grants them some measure of institutional legitimacy, much-treasured in blockchain land. DHS has an interest in strengthening the security of networks of communication and exchange so that they aren’t as vulnerable to digital thieves and terrorists.
Evernym has released a “self-sovereign” identity platform to the open-source community called Sovrin, which aims to allow users to make and verify identity claims in a cryptographically secure way that doesn’t rely on any single third-party authority (such as a bank or a nation state or a Silicon Valley behemoth). The platform is a public distributed ledger governed by the non-profit Sovrin Foundation, which bills it as “a global, secure layer for storage of identity transactions.”
Evernym’s co-founder and CEO Timothy Ruff likens self-sovereign identity to a system that allows you to let others “subscribe” temporarily to your personal data. For example, instead of actually giving someone your email address, you merely grant them a subscription to it, which you are free to revoke at any time. People or companies now simply subscribe to as much or as little personal data as you want to give them. You can cut them off the moment you want, and they’ll no longer have access. It would work the same way with your credit card number, or your Twitter account access, or any other piece of personal data.
There are a number of benefits to such a system. It would present a leveling of the playing field between large tech behemoths and regular folks. These companies would have to find other ways to monetize rather than scraping and selling your personal data (unless of course you’re OK with that). Identity theft and other social engineering attacks would be tougher to pull off, and even successful attacks would be rewarded with lesser spoils. Self-sovereign identity presents a future where people who are being harassed online can block others much more effectively.
Ruff references Kim Cameron’s seminal 2005 paper, The Laws of Identity, which describes identity as a collection of claims. Today these would include biometrics, your home address, professional or academic credentials, your physical location. All of these are essentially claims that you are making that can be verified and synthesized by others on the network, giving you the ability to give access to other users, whether it’s your bank account or your friend’s phone number. Ruff paints a picture of my future:
“Where things are going is behavior biometrics. The way you hold your phone. The way you move. Your voice. The cadence at which you type on a keyboard. Even your smell… If you go into a building that you’ve never been in before, then that’s a red flag… But as soon as your coworker or your wife enters the building, the odds that you are Cole go way up.”
There will be third-parties on the network that build a UX layer on top of all the cryptographic signatures being passed around. These organizations (some might be government agencies, others private) will, with your permission, monitor your behavior. Imagine a patchwork of data points, each representing a sliver of my identity. All of these factors would be weighted according to their value toward proving my identity, and aggregated into a likelihood that the person trying to access my bank account is, in fact, me. All of these calculations would be running in the background, 24/7, so that any time I want to interact with anyone else at various touchpoints throughout my day, I am seamlessly granted access (or just limited access, or no access at all, depending on my aggregated “identity score”), most of the time without even having to think about it. Important touchpoints, like mobile access to my checking account, would require a higher threshold of identity verification than what’s needed to prove to the bartender that I’m over 21. You would still be handing over some of your data to outside entities, but you’d be doing it in a way that’s limited, secure and easier to revoke.
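The weighted aggregation and per-touchpoint thresholds described above, sketched as an added example (this is not Evernym's or Sovrin's code). Each signal contributes a likelihood ratio, the combined odds become a probability, and each touchpoint sets its own bar; the signal names, ratios, prior and thresholds are all constructed for illustration.

```python
import math

# Constructed likelihood ratios: P(signal | genuine owner) / P(signal | impostor).
# A ratio below 1 is evidence against the claimed identity.
LIKELIHOOD_RATIOS = {
    "typing_cadence_match": 8.0,
    "voice_match": 20.0,
    "known_device": 5.0,
    "coworker_nearby": 4.0,
    "unfamiliar_building": 0.25,
}

# Constructed per-touchpoint thresholds: (limited access, full access).
THRESHOLDS = {
    "bar_age_check": (0.60, 0.80),
    "mobile_banking": (0.95, 0.999),
}

PRIOR = 0.5  # assumed starting belief before any signal is observed


def identity_score(signals, prior=PRIOR):
    """Combine observed signals into P(genuine), assuming they are independent."""
    log_odds = math.log(prior / (1 - prior))
    for name in set(signals):  # de-duplicate so a replayed signal counts once
        if name not in LIKELIHOOD_RATIOS:
            raise ValueError(f"unknown signal: {name}")  # fail closed
        log_odds += math.log(LIKELIHOOD_RATIOS[name])
    return 1 / (1 + math.exp(-log_odds))


def decide(touchpoint, signals):
    """Return 'full', 'limited' or 'deny' for a touchpoint given the signals."""
    limited, full = THRESHOLDS[touchpoint]
    score = identity_score(signals)
    if score >= full:
        return "full"
    if score >= limited:
        return "limited"
    return "deny"


if __name__ == "__main__":
    seen = ["known_device", "typing_cadence_match", "voice_match"]
    for touchpoint in THRESHOLDS:
        print(touchpoint, round(identity_score(seen), 5), decide(touchpoint, seen))
```

The independence assumption is the weak point of any such score: correlated signals (a stolen phone also supplies the known device and its location) inflate confidence unless they are modelled together.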
Evernym gave away the blockchain platform in the form of Sovrin, but Ruff believes that the real way his organization will make money in blockchain-based identity verification will be in providing a UX layer:
“The elephant in the room in all of blockchain is key management. Estimates are that up to ten percent of all of Bitcoin is lost because someone lost their keys. That’s irrecoverable. It is totally untenable that you have an identity system where Grandma loses her key and loses everything. It’s also untenable that you have to explain what a key is to Grandma… It all needs to be hidden from Grandma. We also can’t have a system where there’s one key to everything. It needs to be compartmentalized… In our world, Grandma has hundreds, maybe thousands of keys.”
Ruff declares that Evernym will be in the business of providing the world’s most advanced software for decentralized key management. This would involve actual human agents providing customer service, and eventually sophisticated artificial intelligence.
The companies that can create interfaces that enable people to participate in the network easily will be the next massive tech successes. “It’ll be like browsers,” says Ruff. “Safari vs Chrome vs Explorer. In the end, UX wins, which is why Apple does so well. You’re gonna see a similar fracturing in the decentralized identity ecosystem.”
He invokes Jarvis, Tony Stark’s robot sidekick from the Avengers movies. Jarvis, in Ruff’s estimation, is an improvement on Siri or Alexa, because Jarvis is controlled by Tony. Yes, Jarvis is hacked in the sequel, but that’s only because the data he controls isn’t sufficiently compartmentalized. According to Ruff, this is a problem easily solved by Sovrin. At any rate, when Ruff’s vision of the future arrives, you will need a sophisticated bot assistant of some kind in order to navigate a world of blockchain-verified identity. Wouldn’t it be better for you to have total control of it?