November 18, 2019

The ‘Digital Identity Crisis’ and what it means for Governments and individuals

Summary of the Master Thesis of Umal Ikram Nasir, written in collaboration with the Procivis Think Tank and submitted to Hertie School of Governance. The views expressed belong to the author and do not necessarily reflect those of Procivis.

The world is going through a digital identity crisis; with multiple online logins, many different access gateways, oversharing of personal data with online service providers, a variety of different Know Your Customer (KYC) procedures to access everyday services and the need to maintain separate databases for authentication and verification amongst different parties, individuals are not really in control of their digital identities anymore. 

For governments around the world as well, maintaining digital databases of their citizens’ basic information for the issuance of identity documents, and allowing third parties in the public and private sectors to interact with these databases, has become a costly and risky process. So far, centralizing public databases, handing control to Trusted Third Parties (TTPs) that manage verification between transacting parties, and making digital identity interoperable by connecting the public and private sectors through a common data exchange platform have been seen as some of the more efficient solutions for identity management. However, as many recent data breaches and the rising costs of identity verification processes have shown, there are still major concerns around how efficient, private, secure and trustworthy such identity management systems are.

I wanted to look further into the public sector perspective and understand if the use of Blockchain technology in digital identity management could be a potential solution for improving efficiency and trust.

Blockchain, the technology behind the Bitcoin cryptocurrency, is seen as a new way of solving digital identity problems: decentralizing the storage of data onto a distributed ledger, harmonizing many different KYC processes, and protecting the integrity of data and systems through features such as the issuance of anonymity-preserving claims, time-stamping and cryptographic hashing to prove the authenticity and integrity of documents.

In my thesis, I explored the potential use of Blockchain technology and the features it offers within digital identity management to understand whether there is a case for using this technology based on an improvement in public sector efficiency and perceived trust. The thesis also aimed at understanding the key motivations for the public sector to build an ecosystem or infrastructure for blockchain based digital identity vs. their existing systems (or lack thereof). Thus, the viewpoint of state actors, along with a perception of citizens towards current systems and future acceptability of developing solutions was also considered. 

So, I looked towards Estonia’s decentralized PKI system and the Canton of Schaffhausen, Switzerland’s eID+ application for context and some answers

Since identity solutions are usually country-specific and developed nationally, the thesis looked in depth at the identity solutions and systems of Estonia and the Canton of Schaffhausen (Switzerland). Estonia has a state-of-the-art Public Key Infrastructure (PKI) operated by SK ID Solutions in conjunction with the public sector. While the country does not currently use a blockchain for data storage and identity verification, it does use concepts of decentralization in its authentication processes, makes use of hash-linked time-stamping for digitally signing documents, and keeps a sequenced log of transactions to preserve the integrity of documents. The Canton of Schaffhausen in Switzerland recently partnered with Procivis to develop and implement an eID+ application that provides a new form of digital identity to its citizens. They started the eID+ application with selected services such as document signing, online voting, e-authentication and personal data storage, and their solution is now ‘blockchain ready’.

Measuring ‘Efficiency’ and ‘Trust’ in both these digital identity management systems required a layered evaluation methodology and speaking to 17 experts!

Efficiency and trust for both cases were measured through two separate frameworks. In the ‘Efficiency’ framework, the accessibility, service delivery and regulatory compliance of each solution were measured, while ‘Trust’ was measured along four levels: trust in the identity management system, trust in the provider, trust in the digital identity and trust in the technology. Finally, the functionalities of blockchain technology used within these systems were mapped to determine how they contribute and whether they strengthen efficiency and/or trust. Data sources included secondary data as well as 17 in-depth interviews and demo testing of two identity applications (CH’s eID+ and Estonia’s SmartID).

Some observations and insights that came out strongly from the above approach were…

Further debates are needed on: National level examples, decentralized vs. blockchain based systems, public vs. permissioned ledgers and the role of the government 

The first observation that came out strongly was that while blockchain technology, i.e. decentralized storage of data onto a distributed ledger and the issuance of anonymous verified claims, is one way of creating an identity management system, there is still a long way to go in terms of concrete examples and measurable results on a national level when it comes to the use of this technology in electronic identity programs created or managed by the public sector. A system can still be highly decentralized, function very well and ensure the integrity of data without needing blockchain technology or running as a self-sovereign identity. There is also still a lack of knowledge about the possibilities of blockchain-based identity management: there are many different consensus protocols and different types of ledgers one can create with a blockchain, including permissioned ledgers that might be a better fit for managing identities than public blockchains. Also, the use of a blockchain does not take complete control away from governments or remove the need for initial registration in public databases; rather, it eliminates the constant need for interaction between the ID provider, the user and the central database, which makes the system as a whole more secure.

What is the real need when it comes to identity: Self-Sovereignty in terms of individual control or integrity and security of data on a broader level?

The second observation that comes across very strongly is that currently the best-developed and most obvious use of blockchain technology in e-Government is actually for preserving the integrity of (and protecting) public data by creating hash-linked, sequenced, time-stamped logs that are tamper-evident and provide an auditable trail. Use of the technology in digital identity is also related to these particular functions and not really to the issuance of Decentralized Identifiers or even the issuance of verifiable ZKP claims at this stage. Yes, the technology can eventually allow a person’s identity and authentication to stand alone and remove the need for multiple federated models to talk to each other, but this can also be done via other means (such as OpenID Connect infrastructure) and does not necessarily mean a movement towards self-sovereign identity is happening very soon.
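The hash-linked, sequenced, time-stamped log mentioned here and in the description of Estonia’s document-integrity mechanism above is the one piece of this discussion that is easy to make concrete. The following is an added illustration written for this summary, not code from the thesis, from Procivis or from SK ID Solutions, and it does not reproduce the design of any real national system: each entry commits to a document by its SHA-256 digest only (the document itself stays off the log), carries a sequence number and a timestamp, and is linked to its predecessor by the predecessor’s entry hash. The `verify()` walk shows why such a log is tamper-evident and auditable: rewriting one entry breaks the link from the next one, and erasing an entry leaves a gap in the sequence. The document contents and timestamps are constructed sample values.

```python
"""Hash-linked, sequenced, time-stamped log with tamper detection (illustrative, not a real system)."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int           # position in the log; a gap reveals a deleted entry
    timestamp: str     # time the entry was appended (constructed values below)
    record_hash: str   # SHA-256 of the document; the document itself is not stored here
    prev_hash: str     # entry_hash of the preceding entry; this is the link
    entry_hash: str    # SHA-256 over the four fields above


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(seq: int, timestamp: str, record_hash: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way
    payload = json.dumps([seq, timestamp, record_hash, prev_hash], separators=(",", ":"))
    return sha256_hex(payload.encode("utf-8"))


class HashLinkedLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, document: bytes, timestamp: str) -> Entry:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        seq = len(self.entries)
        record_hash = sha256_hex(document)
        entry = Entry(seq, timestamp, record_hash, prev_hash,
                      entry_digest(seq, timestamp, record_hash, prev_hash))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Walk the chain from the genesis link. Return None if it is intact, otherwise
        the index of the first entry whose sequence, link or digest does not check out."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev_hash:
                return i
            if entry_digest(e.seq, e.timestamp, e.record_hash, e.prev_hash) != e.entry_hash:
                return i
            prev_hash = e.entry_hash
        return None

    def prove_document(self, document: bytes, seq: int) -> bool:
        """Does this document match the digest committed at position seq?"""
        if not 0 <= seq < len(self.entries):
            return False
        return self.entries[seq].record_hash == sha256_hex(document)


# Constructed sample documents and timestamps (not data from any real registry)
SAMPLE_DOCS = [b"contract-v1.pdf contents", b"civil-record-0042", b"ballot-receipt-17"]
SAMPLE_TIMES = ["2019-11-18T09:00:00Z", "2019-11-18T09:05:00Z", "2019-11-18T09:10:00Z"]


def build_sample_log() -> HashLinkedLog:
    log = HashLinkedLog()
    for doc, ts in zip(SAMPLE_DOCS, SAMPLE_TIMES):
        log.append(doc, ts)
    return log


def rewrite_and_detect(log: HashLinkedLog, seq: int, new_document: bytes) -> Optional[int]:
    """Simulate an insider rewriting entry `seq` consistently (recomputing its own digest).
    The following entry's prev_hash still points at the old digest, so verify() flags seq + 1."""
    old = log.entries[seq]
    new_record_hash = sha256_hex(new_document)
    log.entries[seq] = replace(
        old, record_hash=new_record_hash,
        entry_hash=entry_digest(old.seq, old.timestamp, new_record_hash, old.prev_hash))
    return log.verify()


def delete_and_detect(log: HashLinkedLog, seq: int) -> Optional[int]:
    """Simulate erasing an entry; the sequence gap and broken link are caught by verify()."""
    del log.entries[seq]
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                  # None
    print("doc 1 matches:", log.prove_document(SAMPLE_DOCS[1], 1))  # True
    print("first bad entry after rewrite:", rewrite_and_detect(build_sample_log(), 1, b"forged"))   # 2
    print("first bad entry after deletion:", delete_and_detect(build_sample_log(), 1))             # 1
```

Two points a practitioner should take from this toy. First, a hash chain on its own is only tamper-evident, not tamper-proof: an attacker who controls the whole log can rewrite every entry from the modified one to the end, and removing the last entry leaves nothing for `verify()` to complain about. Detecting that kind of truncation or wholesale rewrite requires periodically anchoring the latest entry hash somewhere the log operator does not control, which is the role that external time-stamping and publication play in systems of this kind. Second, because only digests are stored, the personal data itself lives elsewhere and can be deleted without touching the log, whereas deleting a log entry breaks verification; this is exactly the immutability question raised later in this summary.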

Efficiency vs. Trust: where does the current power of Blockchain technology manifest itself more strongly?

Another critical thing to note from the above is that when it comes to efficiency vs. trust, blockchain technology seems to be a better driver for creating trust within the identity management system than for providing significant, clear-cut efficiency gains at this point. It seems that the technology can be more useful in creating technical trust in countries that either do not have any functioning eID system or one that is not functioning very well (has had serious problems / breaches). In contexts where both human trust and technical trust are low, the use of a decentralized and independent ledger might help drive trust in the digital identity not from the trustworthiness of government databases or institutions but from the technology itself. For example, we can federate databases in Scandinavian countries with high trust levels, but in places like India or the US with more complex problems, varied trust levels, state differentiation and questions of turf and languages, blockchain might work better than federated models of digital identification. 

Who is responsible: The Government, the Individual or the Provider Companies?

Another point to note here is that, to a major extent, the responsibility for identity systems (or for issues with them) lies with the public sector, and any context where this link is weak, or where this expectation is not strongly held, makes a stronger case for decentralizing trust through blockchain technology. However, on the flip side, ‘trust in the code’ is a narrow way of looking at any technology, and the same holds true for blockchain; digital identity standards are still being developed and need time to reach maturity. And so the key source of trust will still derive from institutions, from the complete digital ID ecosystem, or from a reliable public-private partnership.

The question of Economics: Who profits from this alternative digital identity ecosystem?

One more issue that needs to be resolved when it comes to the ecosystem of identity and trust surrounding blockchain technology is the question of money and revenue. Who are the actors gaining economic power here? According to my understanding, the future of digital identity management is going to lie in the software: everyone will have application-based wallets holding their credentials on their smartphones, open source code will exist on which solutions can be built (such as DApps), and individuals will have their own set of decentralized identifiers (DIDs). However, no one will really make money on this new web or data layer itself, but rather from building on top of this data layer/chain. For blockchain-based identities, the money does not lie in commodifying the digital identity itself but in building the ecosystem through which this identity operates.

In conclusion, there are a few important considerations when it comes to understanding the potential for implementing blockchain technology for identity management.

Public-private sector use cases can hit the sweet spot 

Public-private sector blockchain use cases are critical in gathering support from all actors in the identity ecosystem and in helping to reach the tipping point where identity management systems based on this technology become viable enough to implement. Cases such as business registries that make it easier to do business and issue licenses through a blockchain ledger (such as what British Columbia has done) are opportunities where the public and private sector can get together to create the strongest business cases.

Blockchain is one way, not the only way

Blockchain based digital identities or Self-Sovereign Identity (SSI) will most likely not be replacing all existing identity solutions in the near future. Meanwhile other powerful functionalities of blockchain technology in strengthening the trust, security and privacy of existing identities / systems can be harnessed.

Playing with the regulatory system, not against

Another critical aspect here is setting standards and easing regulations, whether national or regional, to make identity systems flexible enough to adapt to blockchain (or other new technologies), especially in the context of the EU with GDPR and eIDAS. First steps must be taken towards resolving the paradoxes between blockchain features such as immutability and the right to be forgotten under GDPR before considering it the right technological solution.

The Devil is in the Details

When talking about blockchain-based identities or SSI, the serious issues lie in the gray areas: key management, recovery of lost wallets and loss of smartphones. Globally, different providers are exploring different solutions to these issues, but there is still room for debate. This is why operating an identity that is in some ways independent of the State also raises the question of responsibility, i.e. who the responsible party will be in the case of such lost identities: the individual, the software provider or the State.

It is ultimately about the problems and not the solution

Blockchain technology makes it possible to create digital identities that can verify and authenticate individuals without a technical connection to a database of records, and that operate as standalone solutions to complex identification problems. However, from a national perspective, digital identity management systems really depend on the specific public context and therefore need to be technologically agnostic: what is developed and implemented should ultimately focus on the robustness of the systems it creates and the problems it solves, rather than on pushing the technology as a solution to concerns that are ultimately not a top priority from a public sector perspective.