Identity, privacy, and the blockchain
In the offline world, identity and privacy are rather straightforward. People’s “identities” are proven by simply being who they are, and privacy reflects the ability to control what others know about their identity. Occasionally, tangible objects such as driver’s licenses or bills are required to verify identity with businesses or government entities.
In the current interconnected and online world, we instead use various digital markers to demonstrate identity. These markers somehow prove we are who we say but are often only tangentially related to the service being accessed and require us to relinquish a significant amount of privacy. There are a number of problems with the current systems used as proxies for identity, but new technologies like blockchain might be able to help us reclaim our online (and offline) selves.
The “bundled” identity
Markers of identity are often required to be very personal pieces of data. Consider the litany of personal information collected when someone opens a checking account, such as street address and identification (driver’s license or passport). It’s easy to take these pieces of data for granted, as we’ve generally become accustomed to handing them over at the drop of a hat. But let’s take a moment to consider what giving up these pieces of identity really means and whether it’s really necessary.
In handing over a passport to a banker, a person gives the bank full permission to record not only their date and place of birth, but also everywhere he or she has traveled. This might not seem like a big deal, but what does place of birth really have to do with whether or not a bank allows someone to deposit money in their accounts?
This isn’t to say that banks shouldn’t require identity verification; regulations like KYC and AML exist for a reason. However, because our current identity system doesn’t offer a better solution, we’ve resorted to “bundling” a number of unrelated facts that ultimately result in tying an individual to his or her identity. This practice, however, grants third parties access to facts they don’t really need in order to provide a service. This, in turn, leads to a number of problems, including increased risk of data breaches, user friction, and limited access to services.
When bundled isn’t better
The increased security risks posed by current identity systems are twofold. First, bundled identities give hackers access to all of the data that’s been collected about an individual. In the checking account example above, not only would hackers know the total balance of users’ accounts, but they’d also have account holders’ home addresses, phone numbers, and likely photos of the person. This problem is compounded by the fact that third parties like banks generally hold user data in a central repository that can be hacked in one fell swoop.
In 2016, the number of data breaches in the U.S. reached an all-time high, and in the first quarter of 2017, nearly 500 breaches have already been reported. To be sure, many of these are minor, but the numbers don’t bode well for data security.
Bundled identity also leads to user friction when users balk at each piece of required data—particularly when it comes to financial services. One report compiled by a law firm specializing in financial services regulation indicates that some customers consider requests by financial institutions for data required by KYC to be an “affront,” while others believe that competing service providers do not require such information. Regardless of the reasons for consumer skepticism, additional friction points can lead to frustrations and even the loss of customers.
Finally, current identity systems cause barriers to access for those unable or unwilling to participate in these systems. Let’s take KYC and access to financial services as an example. KYC’s risk-based approach dictates that, after receiving a certain number of proofs of identity for an individual, an institution can more or less reliably say that the person is who they claim to be. This becomes a problem, however, for individuals who cannot provide these proof points—who, for example, may not have current identification or a stable address. In developing countries, the problem is even more obvious; nearly 2.2 billion of the world’s 2.5 billion unbanked live in Africa, Asia, Latin America, and the Middle East, all of which have their own identity verification procedures required to open a bank account And in countries where residents rely on remittances as a primary income source, a lack of consistent identity systems spells not only the inability to have a bank account, but also puts these people in danger of having no access to capital. Banks don’t want to make low-dollar transfers because the cost of conducting KYC on each is too high—either because the process itself is clunky, or because the banks are fined for their failure to complete appropriate diligence.
Unbundling with the blockchain
Some companies have started to use workarounds such as social media to verify identity—and this has been a successful means of expanding access to services for previously unbanked or underbanked individuals. But this doesn’t solve many underlying issues, including the fact that relying on third parties to safeguard our personal information is an inherent security threat.
According to some cryptocurrency professionals, the bitcoin blockchain is the solution. Its beauty reaches deeper than bitcoin to the underlying blockchain technology that powers the protocol—and has the potential to solve existing problems having to do with security, friction, and access.
The main security concern with current identity systems is that sensitive personal data is stored in vulnerable central repositories owned by third parties. The blockchain, on the other hand, moves control over data to the edges of a network and distributes it across multiple endpoints. With distributed data, attackers must hack each endpoint and overcome the layers of security associated with each, instead of gaining access to a single database.
In addition, identity solutions that leverage blockchain technology can eliminate user friction by putting individuals in control of which data they share with third parties. John Light, co-founder of Bitseed and “Bitcoiner” at Abra, talks about the concept of a “personal cloud”—a “portable data silo” that allows users to reveal individual pieces of information to different service providers as required, rather than handing over an entire bundle of personal information. Blockstack is a good example of how this works in practice.
Technology built on the blockchain also allows for greater access by those who cannot (or choose not to) conform to current standards of verification. Rather than relying on third-party forms of identification, such as government-issued passports or ID cards, this vision of the future allows services (such as bank accounts and remittances) to be accessed by validating one’s identity on the blockchain.
The ideal future in the bitcoin camp is an entirely new online experience built on the bitcoin blockchain, complete with blockchain-powered applications that reflect what we already have today (Facebook, Google, etc.) but that store identity tokens on a distributed ledger. Programs like OneName already exist, and allow users to log into applications using their public keys to verify identity, rather than, for example, using OAuth to log into an application with their Facebook account.
Though blockchain is poised to fix a lot of the problems with the current identity verification systems, we’re still early in the process. While the technology might be ready for such a system, a number of regulatory concerns and stakeholders with varying priorities will still need to buy into the blockchain vision of the future before revolutionary changes can be made.