The future of digital identity?
The CEO’s of America’s tech giants Twitter and Facebook were grilled by the Senate on the Hill this week putting social media and free speech in the spotlight. At the forefront of this debate are the rules governing the immunity from liability social media companies have which is created by section 230(c) of the Communications Decency Act in the U.S.
Section 230 means that users on social medial platforms can say whatever they wish and the social media companies are not liable for it, or the repercussions. I can think of no other sector or industry that enjoys this immunity – it appears a licence to print whatever drives user volumes to deliver advertising revenues with little consideration for the content or the identity and provenance of the individual who’s voice we are hearing.
Now, most of us in the free world wish to protect our right to free speech, but only ten percent of Americans think social media are beneficial with two-thirds believing they cause harm. This is not surprising with reports of fake news, foreign actors manipulating news and communities, the rise of identify politics and hate speech, and social media companies themselves accused of misusing our private data.
Where social media falls down is that the identify of the individual making inflammatory or false statements most often is not identifiable as a real person or company, with a real address, in a real community. There is no requirement to identify who one really is in social media, one can hide behind an anonymous pseudonym whether a real citizen, a representative of a business, agency, or foreign power, or whether a robot.
Identity is also a big issue surrounding next week’s 2020 U.S. presidential elections where the reliability of mail-in ballots has become a big election issue. The risks of the ongoing COVID-19 pandemic mean that postal voting is a preferred method for many voters though incidences of voter fraud are actually quite rare, whether votes are mailed in or otherwise.
The global financial system is held to account when it comes to identity, a process that is know as Know Your Customer or KYC. To open up a bank account, you need to provide proof of who you really are. This proof includes items like a birth certificate, driver’s licences, passport, and proof of your residential address. Though the KYC process can be a bit clunky, it can be done online and efficiently these days and must be a serious consideration for policy makers when it comes to social media or postal voting (which should be done from your phone).
One of the biggest emerging use cases for blockchain is in the realm of decentralized digital identity, wherein governments and enterprises collect, verify and manage citizens’ personal data on-chain. The aim is to replace the legacy of various storage systems and databases governed by unwieldy and often insecure centralized authorities and agencies.
It is an ambitious objective, but so are most things related to digital identity. In our increasingly networked society, a digital identity is a passport will enable us to travel freely from application to application without the friction of having to create a new user account, and identify ourselves again, and again. A survey of U.S. users found that they had an average of 90 online accounts. A single digital identify is a recorded means of proving we are who we say we are, a digitized, verifiable ledger of our name, date of birth, nationality, residence, and other material data, recorded once.
Given the sensitivity of such data, a blockchain-based identity system has its strengths with features such as hashing functions, digital signatures, and zero-knowledge proofs protecting our information against theft or loss. In the context of elections, these properties of blockchain offer several other attractive possibilities. Digital signatures are completely secure, acting as a timestamped confirmation that a vote has been cast. This confirmation can be viewed transparently on the blockchain, with the zero-knowledge proof acting as evidence that the vote was cast without identifying the individual. The vote itself is an immutable record - it cannot be changed after the fact.
The pandemic necessitated the distribution of emergency funds to citizens, which were partly calculated based on the taxes they’ve paid. With individual records shared between departments, allocating funds became cumbersome and confusing, potentially resulting in some people being left short-changed. A single, blockchain-based identity record could overcome these challenges by providing a single point of truth for government departments.
According to an estimate by the World Economic Forum, 150 million people will have blockchain-based identities by 2022. And yet challenges remain as all parties grapple with the implications of these innovations on the power balance between the individual, government and corporations.
Technical knowledge among users is limited, access to self-sovereign identities can be lost, and malicious actors might combine user information to create fraudulent identities. Moreover, those seeking to utilize public blockchains face the dilemma of preserving identity-holders’ privacy and anonymity while satisfying regulators who wish to know who exactly is on the system and what their information shows.
Concordium, a public enterprise blockchain solution whose development team includes Professor Ivan Damgård, one of the world’s most renowned cryptography researchers, solves trade-offs between privacy and compliance thanks to something called an anonymity revocation tool, a means by which it can deanonymize users – but only those identified as acting illegally by authorities. Reassuringly, only authorized courts can set such a chain of events in motion making this compliant with jurisdictional laws and regulators.
Beni Issembert from Concordium, explains: “The identity governance and administration sector (IGA) sees many challenges when it comes to practical deployment, privacy and liability. Aside from the known limitations mainly based on the versatility of cloud infrastructure entitlement management (CIEM), one of the main issues is that digital identities still are highly dependent on document-centric identity proofing and mobile multi-factor authentication. The process is heavy and the necessary resources are countless.”
This document-centric process is once of the the reasons that all digital identity management has yet to become the norm, next to an absence of global and interoperable technical standards.
The digital identity arms race continues at pace and is seeking to address the challenges in various ways. Microsoft’s
Microsoft is also part of the ID2020 Alliance, a global organization of partners working together with the UN High Commissioner for Refugees. I had the pleasure of helping to launch ID2020 at the U.N. in 2016 with founder John Edge and sat on its first steering group - I am a fan. The premise of the Alliance is that the ability to prove one’s identity is a human right, and it aims to create an accessible means of digital identity that can be used by everyone, including 1.1 billion people without access to a government-issued ID.
Fellow tech giant IBM
These solutions raise the issue of centralization versus decentralization. Private blockchains developed, implemented and overseen by multinationals might satisfy governments and large enterprises, but may not be welcomed by pro-privacy end users who are not keen to have a central body of record about everything they do for the government to (potentially) abuse, whether intentional or as an unintended consequence of malicious actors.
The solution to this dilemma may very well lie in public blockchain solutions.
Earlier this year, Ardor, a public blockchain was utilized by QualiSig to facilitate secure, traceable, COVID-related communication between the Austrian government and citizens. The country is no stranger to the concept of digital identities - its eID system already enables unique identification and secure authentication for all citizens. It’s not the only country to do so. Since 2017, 98 percent of Estonian citizens have been equipped with a digital identity. Singapore is another example – 70 percent of its 5.6 million citizens now have e-ID cards.
“Widespread adoption of standards based digital identity systems has far-reaching consequences, enabling us to efficiently prove our identity without exposing repeatedly private information, as is commonplace with existing KYC solutions,” says Lior Yaffe, co-founder of Ardor’s parent company Jelurida.
“Digital identities will empower and improve the lives of global citizens in the future by helping them regain control over their data in the borderless digital world,” predicts Concordium's Issembert, “It depends on finding the correct balance between overall transparency and local privacy, between people’s freedom and regulatory compliance, and between the accessibility and user experience combined with speed and security.”
So, where is digital identity headed next? A clue may be found in the recent partnership between Civic Technologies and Circle Medical that enabled companies with over 500 employees to verify whether their staff had been tested for COVID-19. Or the announcement by the Australian Government that it would spend $250 million to implement biometric facial recognition for online user authentication.
What is clear is that the way in which digital data is verified, stored, and shared will continue to evolve, and be debated, in the public sphere as in the private as policy makers grapple with what is best for their citizens, and citizens become more vocal about their choices and rights through the use of digital technologies.
What is also clear is that, in addition to a compelling use case for citizen digital identity for government services and voting, there is a burning platform for digital identity with users of social media. Though libertarian skeptics may roll their eyes, by making social media platforms conduct an equivalent to KYC before users can publish their comments and views may go some way to making identity more transparent and reducing the fake news and inflammatory speech.
