Identity as a Bottleneck for Blockchain

The Road to Self Sovereign Identity

Bottleneck

Blockchain and smart contracts have the potential to radically reduce transaction costs and cut out the middle man. However, it is important to recognise that any structural fulfilment of this potential relies on first solving the fundamental question of identity: can we trust the entities who will be involved in these transactions, and how will we identify and verify them?

Imagine a new delivery service, let’s call it DeSendtralise. With DeSendtralise, you order an espresso machine directly from the factory without using an online shopping platform like amazon. This machine will be less expensive, as you have gotten it directly from the producer, and in case of product malfunction, the return and exchange process will be quicker and easier as you can deal directly with the factory.

However, DeSendtralise offers only the delivery service but does not take care of verification, so when you place the order, over email or over telephone, how can you be sure that these are the identity attributes of the factory? And how can this factory know that you are, indeed, the buyer of this particular machine?

The current model of digital identity does not provide these answers. Blockchain itself does not provide an adequate identity layer that would be necessary for many real life value transactions. In fact, the Internet itself misses an adequate identity layer. In the past, this has created considerable operational-, opportunity- and usability costs for the internet economy, both for the companies and users.

Because the Internet currently misses a native identity layer, companies and public institutions have implemented adhoc systems of workaround — like internal databases — where they manage the identities of people and things in their data ecosystem. Unfortunately, these databases are incompatible data silos that produce a lot of problems:

• It is expensive to maintain security of identity data (theft or loss of data).
• Data compatibility with other institutions comes at a high cost.
• Users have no control of their data, and do not know when it is passed on to other institutions.
• Users waste a lot of time creating and managing multiple user names for single app or new service they register for.
• No control over their own data: The user doesn’t have a consolidated digital identity, but rather tens or hundreds of fragments of themselves scattered across different organisations, with no ability to control, update or secure these fragmented identities effectively.
• Fraud: (a) Companies cannot uniquely identify bad actors that might order goods they never pay for; (b) Users might be paying for goods of services online that they never receive.

Some numbers (Source: Sovereign white paper)

• 30–40% of contact center call volume is related to password and account recovery.
• 18% of shoppers abandon their shopping cart due to username and password issues.
• 82% of businesses struggle with fake users and on average 10% of a web-facing organisation’s user base will be fake.
• The average retailer cost for each stolen record containing sensitive and confidential information is $165.
• 25 people in the US fall victim to identity theft every minute — leading to $15 billion in losses from 13.1 million consumers in 2015.

Blockchain based transactions across jurisdictions will face these same problems, and as agreements become auto enforceable and entries in the database immutable, these problems may become even worse. To understand how we could work towards fixing this issue, we first need to understand where we are today, and how we got here.

History of Identity

Historically, our identity documents that we need in our day-to-day interactions — passports, driver’s licenses, social security cards, serial numbers for goods, etc. — are issued by centralised institutions like nation states and private institutions. While this might have been the method of choice in the analog world, it also created a host of issues for the users of this style of identification:

• Individuals can lose their identity if a state revokes their credentials.
• Identities are issued by nation states and often not accepted by other states.
• Centralized control of issuing and managing identities, that are only valid within one jurisdiction or one online service.

The increasing importance of the digital world, created not only new opportunities for issuing identification, but also the necessity of redefining analog-derived concepts of identity.

Evolution of Online/Digital Identities

The Internet was built around connecting machines, not people. It was built without a way to know to whom or what you are connecting, which was fine in the early days, as we were just using email to send messages and the WWW retrieve information. However, in Web 2.0, as applications became more complex and e-commerce and social media became prevalent, the question of identity became more pressing, and various solutions for this question were implemented on the application layer.

• Centralized identity
• Federated identity
• User-centric identity
• Self-sovereign identity

Source: Sovreign White Paper

Centralized Identity

Though the early days of the Internet focused on building a network which would decentralize the world, this decentralized network ultimately operated on a base layer of centralized identities. Centralized organizations like IANA (1988) determined the validity of IP addresses, and ICANN (1998) arbitrated domain names. Eventually, trust became an issue on both sides of ecommerce. Can I trust my customer to pay their bills? And can I trust the service provider to deliver my goods? Therefore, in 1995, certificate authorities as well as centralized institutions stepped up to help Internet commerce sites prove they were who they said they were.

Unfortunately, the granting of control over digital identity to centralised authorities of the online world suffers from the same problems as its counterpart in the physical world: users are locked into a monopolistic identification scheme controlled by a single authority who could potentially deny their identity, or even confirm a false identity.

Centralisation of the digital identity innately grants access to and control over identity data to the centralised entities, not to the users to which it should belong.

As the Internet grew, as power accumulated across hierarchies, a further problem was revealed. Every service provider started issuing their own identity. They multiplied as web sites did, forcing users to juggle first dozens, then hundreds of identities on different websites, ultimately resulting in the user having little to no control over any of their personal data stored on the servers of those websites.

Still today, most Internet identities are centralised. They are owned and controlled by a single entity, like an e-commerce website or a social network. We therefore live in a world of data chaos and data slavery:

• Data Chaos
  Fragments of our identity and other personal data are scattered all over the web. Users have to manage hundreds of usernames and passwords
• Data Slavery
  We do not own and control our own data. Digital identities are owned by certification authorities, domain registrars and individual sites (facebook, google, your bank, your university…), and then rented to users or revoked at any time.

Federated Identity
Administrative control by multiple, federated authorities.

Federation gives a degree of data portability to a centralised identity, for example enabling users to login into one service using the credentials of another. Single sign-on mechanisms allow a user to access multiple separate services.

During the 1990s, every single online service required you to register a proprietary username and password (incl. more data if needed) with their services. Password management became chaotic. Microsoft’s Passport in 1999 was one of the first initiatives to provide a solution. It imagined federated identity, which allowed users to utilise the same identity on multiple sites. However, it put Microsoft at the center of the federation, which made it almost as centralised as traditional authorities.

In response, Sun Microsoft organised the Liberty Alliance in 2001. They resisted the idea of centralised authority, instead creating a “true” federation. But, the result was instead an oligarchy — The power of centralised authority was now divided among several powerful entities.

While federation improved on the problem of fragmentation, where users could wander from site to site under the system, your identity data still remained under the centralised authority of each individual site.

User-Centric Identity
Individual control across multiple authorities without federation

In 2001, the Identity Commons began to consolidate all works on digital identity with a focus on decentralisation. This lead to the creation of the Internet Identity Workshop working group in 2005.

The IIW community focused on a new concept that countered the server-centric model of centralised authorities: user-centric identity. This concept suggested that the process of determining digital identity should be established around the user, and underlined the need to put users front and center of their online identity.

Idea: Individual fill their own data store with information. This information is then provided to other organisations with the permission of the individual, and a record is kept of these provisions.

This definition of a user-centric identity soon expanded to include the desire for users to have more control over their identity, and for trust to be decentralised. User-centric methodologies tend to focus on two elements:

• User consent
• Interoperability
• Full control

By adopting them, a user could decide to share an identity from one service to another and thus consolidate his or her digital self. As a result, a user could theoretically register his own OpenID, and use it autonomously. However, this took some technical know-how, so the casual Internet user was more likely to use an OpenID from one public website as a login for another.

This was one of the reasons why Facebook Connect (2008) became more successful than OpenID: it had a better user interface. Unfortunately, Facebook Connect did and does not offer choice of provider. With this system, Facebook became the default identity provider.

Facebook has had a history of arbitrarily closing accounts, censoring artists for using pictures of naked people, as well as questionable actions such as those sparking the real name controversy. As a result, people who access other sites with their “user-centric” Facebook Connect identity may be even more vulnerable than OpenID users to losing that identity in multiple places at one time, and again fall victim to the classic issues of centralised authority. The comparison could be made to state-controlled authentication of identity, but without a constitutional layer to protect user rights.

To cut a long story short: without true decentralisation, being user-centric simply isn’t enough. While user-centric designs were an important step toward true user control of identity, the next step requires full user autonomy.

Self-Sovereign Identity
Individual control across any number of authorities.

For the last two decades, there’s also been a growing push to return control of digital identities to the users to whom they belong. From a humanistic point of view, individuals should have an established right to an identity, but national registration of identities destroyed that sovereignty.

Around 2 billion people world wide lack state recognised identities. The refugee crisis showed how people — refugees — suffer from this, having to wait for months if not years, that their identities can be proven to the countries they are seeking asylum with. On the other hand it produces enormous bureaucratic costs for the countries integrating refugees into their society, producing anxieties and costs for all stakeholders involved.

In a globalised and data driven world powered by blockchain an smart contracts, we could solve many of these problems, with new decentralised solutions.

The move to self-sovereign identity is, accordingly, a move from a silo mentality to a layer mentality: In order to have true self sovereign identity, we need to decouple the data layer — where I make claims about who I am and what i can do (my driving or language skills, my university degrees) — from the verification layer — where one could verify if that information is true. This concept is very much pushed by the Web of Trust initiative, and has its roots in PGP.

In 1991 PGP introduced the “Web of Trust” established trust for a digital identity by allowing peers to act as introducers and validators of public keys. Anyone could be a validator in the PGP model. This created a decentralized trust for the management of identities. Unfortunately, this initiative only focused on email addresses, which meant that it still depended on centralized hierarchies like ICANN which issued these email addresses). For a variety of reasons, PGP never became broadly adopted, but the idea had been planted.

Individuals like Christopher Allen, and initiatives like Rebooting the Web of Trust, continued these thought in the light of blockchain technology. They advocate that autonomy is the heart of self-sovereign identity. Rather than just advocating that users be at the center of the identity creation process, self-sovereign identity requires that users be the rulers of their own identity.

A number of startups have started implementing self sovereign identity solutions — an extensive list of which can be found here. While many of these startups claim that they are doing self sovereign identity, the way they define it, or the approach to implement it, differ widely.

In the next two blog posts we will go into details of self sovereign identity and analyse and compare the startups that are claiming to provide self sovereign identities.

Thanks Valentin Kalinov and Charleen Fei for input and feedback!

Sources

• Establishing Identity without Certification Authority, 1996, Carl Ellison
• Rebooting the Web of Trust, Papers and Specs
• Sovereign Source Authority, Feb 2012, Moxie Marlinspike
• Pretty good Privacy, PGP, Web of Trust
• Self Sovereign Identity, how the term has evolved, Marlin Spike
• The Promise of managing identities on the blockchain, Sep 10, 2017 by Ron Miller
• SPKI/SDSI project. Its goal was to build a simpler public infrastructure for identity certificates that could replace the complicated X.509 system.
• The Augmented Social Network, White paper, 2000
• Sovereign White Paper, Drummond Reed, Andrew Tobin

Originally published at BlockchainHub.