This Harvard Business Review article suggests blockchain technology combined with personal encryption keys should replace centralized storage of our personal identity credentials. I’m not ready to buy into this quite yet!
First the article identifies the problem:
“It’s a strange world we live in when large companies such as Experian, Equifax, and TransUnion are able to store huge quantities of our personal data and profit from it in a way that doesn’t always benefit us. And when those same companies lose our personal data and make us susceptible to identity theft, there’s virtually nothing we can do about it. Equifax lost the data of more than 140 million people, and recompense is not forthcoming. Meanwhile, the CEO may be stepping down with a pension worth $18 million. Clearly, the system is broken, and it’s time to stop and ask ourselves why we continue to rely on a system that doesn’t stand up to the challenges we face in a digital society.
Credit-referencing agencies benefit immensely from our data, but there are many other data privateers — from online shopping sites to retailers to media firms – that are doing the same, including our own governments. U.S. Social Security numbers, or UK National Insurance numbers, were originally created to keep track of the earnings history of workers for entitlement and benefit programs. Both have since morphed into critical numbers assigned at birth that can be used by government agencies not just to collect taxes, but to identify individuals. They are also now used by private industry to track our financial and commercial histories.”
The article then transitions to a discussion of national identity systems, such as those in China and India, which at minimum represent an important building block for a totalitarian state. The article, however, identifies state-operated solutions that run on distributed ledger technology, including Estonia’s ID-kaarts.
“Still, numerous smaller countries, such as Singapore, are exploring national identity systems that span government and the private sector. One of the more successful stories of governments instituting an identity system is Estonia, with its ID-kaarts. Reacting to cyber-attacks against the nation, the Estonian government decided that it needed to become more digital, and even more secure. They decided to use a distributed ledger to build their system, rather than a traditional central database. Distributed ledgers are used in situations where multiple parties need to share authoritative information with each other without a central third party, such as for data-logging clinical assessments or storing data from commercial deals. These are multi-organization databases with a super audit trail. As a result, the Estonian system provides its citizens with an all-digital government experience, significantly reduced bureaucracy, and significantly high citizen satisfaction with their government dealings.”
This is where the article moves into areas that I question. One is the argument that personally encrypted credentials in a distributed environment are inherently safer than those same personally encrypted credentials in a centralized database. I don’t think this is necessarily true:
“This characteristic of encrypted distributed ledgers has big implications for identity systems. You can keep certified copies of identity documents, biometric test results, health data, or academic and training certificates online, available at all times, yet safe unless you give away your key. At a whole system level, the database is very secure. Each single ledger entry among billions would need to be found and then individually “cracked” at great expense in time and computing, making the database as a whole very safe.”
In reality this would also be true if I encrypt my records as an individual and put them in a centralized database. This is purported to be the solution used in many cloud solutions including password managers. Despite the centralized database I personally hold the decryption key. One advantage to this approach is that it is relatively easy to implement a new encryption algorithm. All the data is located centrally and so the conversion can be done one user at a time with all user data re-encrypted.
The National Institute of Standards has already deprecated multiple encryption algorithms since the first was released in 1975 and NIST warns that existing encryption is likely to be vulnerable in 20 to 30 years. That may be optimistic given recent advances in quantum computing.
A distributed solution needs to include a mechanism by which all my data, across all the nodes where my data exists and for all of the entities I have given permission to access my data, can be upgraded to a new encryption standard. I don’t believe a highly distributed solution is required to provide individuals control over their own data. I do believe the world needs a self-sovereign identity solution; the problem in achieving this is less about technology and more about the wish of governments and businesses to control our identity. Technology can’t fix this.
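The upgrade problem described in the last three paragraphs, as an added sketch that is not from the article or this overview: each record carries a suite tag, the key holder re-encrypts every copy that can be reached, and any replica out of reach stays on the superseded suite. The two suites are HMAC-based stand-ins so the code runs on the Python standard library alone; the store layout, node names and function names are assumptions.

```python
import copy, hashlib, hmac, os

# Suite tag stored beside every record. Both suites are HMAC-based stand-ins
# (assumption: stdlib only); a real system would register vetted AEAD ciphers.
SUITES = {"old": hashlib.sha256, "new": hashlib.sha512}

def _prf(key, label, h):
    return hmac.new(key, label, h).digest()

def _xor_stream(enc_key, nonce, data, h):
    # Counter-mode keystream from HMAC, XORed over the data.
    ks = b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big"), h)
                  for i in range(len(data) // h().digest_size + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext, suite):
    h = SUITES[suite]
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc", h), nonce, plaintext, h)
    tag = _prf(_prf(key, b"mac", h), suite.encode() + nonce + ct, h)
    return {"suite": suite, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(key, rec):
    h = SUITES[rec["suite"]]
    want = _prf(_prf(key, b"mac", h), rec["suite"].encode() + rec["nonce"] + rec["ct"], h)
    if not hmac.compare_digest(want, rec["tag"]):
        raise ValueError("record failed authentication")
    return _xor_stream(_prf(key, b"enc", h), rec["nonce"], rec["ct"], h)

def migrate_user(store, user, key, new_suite):
    """Re-encrypt one user's records in a store the user can reach."""
    moved = 0
    for rec_id, rec in store.get(user, {}).items():
        if rec["suite"] != new_suite:
            store[user][rec_id] = seal(key, unseal(key, rec), new_suite)
            moved += 1
    return moved

def stale_replicas(replicas, user, new_suite):
    """Replicas that still hold this user's data under a superseded suite."""
    return sorted(n for n, s in replicas.items()
                  if any(r["suite"] != new_suite for r in s.get(user, {}).values()))

def demo():
    key = os.urandom(32)  # held only by the user, never by the store
    central = {"alice": {"passport": seal(key, b"constructed sample", "old")}}
    replicas = {"node-a": copy.deepcopy(central), "node-b": copy.deepcopy(central)}
    migrate_user(central, "alice", key, "new")
    migrate_user(replicas["node-a"], "alice", key, "new")  # node-b is unreachable
    return unseal(key, central["alice"]["passport"]), stale_replicas(replicas, "alice", "new")
```

Calling `demo()` returns the decrypted central record and the list of replicas left behind, here the constructed `node-b`.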
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group