In several WhatsApp groups I am subscribed to, a joke sarcastically captured the spirit of the moment on innovation:
What triggered technological change in your organization?
☐ The IT Department
☐ The CEO
☐ The CTO
☐ The Agile Team
As is the case with most jokes, this one is based on true facts: public and private sector alike are running against the clock to implement technological changes that may ease the severe disruptions caused in social and economic life across countless areas.
One of these areas, notably, is how we prove our identity online. Until the crisis struck, doing so was only needed on occasion – and for serious matters there was practically always an offline alternative. When the COVID-19 crisis struck there were already countless processes in which we were required to demonstrate that we are who we claim to be, from banking, to paying taxes or registering a new business.
An identity is important because it links one entity to a single set of properties which no other entity may have. In the so-called continental legal tradition, states have taken over the construction of single identities for each citizen, which they usually store in central registries (often Ministries of Interior, police departments, etc.). The German Personalausweis, the Spanish DNI, or the Resident Identity Card in China are examples of centralized identity. Countries belonging to the Common Law legal system, however, normally lack a centralized identity system and rely instead on collecting evidence to prove that someone is who they say they are. For example, a bank in the United States may demand that someone opening an account provide a copy of their driving license.
Both traditions have had in the past a gradual crossover to the digital world. When requiring proof of age, for example, many sites have become reliant on credit card information. More importantly, public administrations in many countries have put in place cryptographically secured digital certificates linked to their central identity databases. In the European Union space these efforts have been standardized as the eIDAS regulation on electronic identification and trust services for electronic transactions.
Such digital identity systems have allowed millions of citizens to access a wide range of services from their public administrations which previously demanded personal attendance at public offices and processing forms and paperwork.
But even where these systems have been put in place, their adoption has been slow. Century-old traditions linked to ink-and-paper processes and personal presence, like notary certifications, have been hard to streamline.
And suddenly, we all must stay home. Being physically present becomes a complete impossibility. For a sizeable part of the world, at the moment, not even dropping a form at the post office is an option.
Public and private organizations worldwide are faced today with the pressing need to identify millions of citizens – many of whom have had no previous experience with any existing electronic ID system – and at the same time secure the survival of essential services.
The first and most obvious strategy was easing some technical requirements for the systems already in place, for example by extending the expiration date of digital certificates. In many jurisdictions getting such a certificate requires that you attend a government office. This, however, only provides a solution for whoever was in possession of such a digital certificate before the crisis and is limited to those identification processes which were already served by such certificates.
Getting hold of a digital certificate at physical government offices is now impossible. This led the Spanish government very recently to turn to evidence-based proof of identity like those already accepted by money laundering prevention authorities.
Indeed, a new Spanish emergency regulation stipulates that as long as the crisis goes on, authorities issuing legally binding “advanced certificates” (the encrypted digital replacement for physical presence and signature) may do so by using a now pervasive method in the online-banking industry: video conferencing.
These methods have been in use for several years now. If you ever opened an online-only bank account you may have struggled with them already: you place some official form of ID in front of a camera in such a way that the system can recognize the several security measures embedded in the document. At the end of the process your identity has been validated by the bank – and is deemed compliant with KYC regulations.
A Spanish citizen can now, instead of traveling to the – now closed – government registries that previously issued advanced electronic certificates, get one of these without the need to move from home.
And here comes the interesting part: to get this electronic certificate a large array of different “evidences of identity” may be deployed: apart from the obvious official ID cards, one may use a driving license, or other documents commonly accepted as proof of identity in real life.
Similarly, the violent drop in real estate transactions has fostered further adoption of e-notarization schemes which were already in place. This is the case of the U.S. states of New York, New Jersey and Wisconsin, which have rushed to pass legislation allowing for remote notarization of documents. Deployed technologies normally combine the sending of electronically signed documents to a human notary, video validation of some form of physical ID and video chat with the said legal professional.
But emergency measures like these will only go so far. Obtaining an advanced identity certificate is often a cumbersome process that requires more than average knowledge and patience. Video validation of physical IDs also has clear limits. Many jurisdictions lack any form of acceptable ID. There is also a scalability bottleneck: current systems are not prepared to serve millions of citizens demanding this kind of service.
The logical outcome will soon be for governments and businesses everywhere to seek alternative ways to ascertain an individual’s identity.
Blockchain-based identity systems have been proposed for use in cases as disparate as opening a bank account, fraud prevention, proof of funds, credit risk evaluation, ownership, exchange, and trading of financial assets, asset traceability, issuance of employer-verifiable school transcripts and diplomas, health prescriptions, and health insurance claims, and the issuance of all kinds of government certificates and licenses (driving, liquor stores, birth certificates, voter registries, etc.).
There is no single specific architecture for a proof of identity totally or partially built on evidence retrieved from blockchains. Some of them are based on top-down organizational structures, meaning there is a central authority that has control over the issuance of electronic identities. It secures control and privacy for the users while keeping ownership of the system and control of its governance. An example of such a system could be the European authorities issuing eIDAS electronic certificates, if they acted as the gatekeeper for recording these identities on a blockchain.
In a bottom-up approach there is no central authority controlling the issuance of e-identities. Participants manage them without requiring any permissions, though they must still follow the rules of the system (often enforced through a set of smart contracts).
Between the two extreme cases, an identity may be registered on the blockchain using schemes that involve a curation market, a so-called decentralized autonomous organization (DAO), or a consortium (in which the public authorities may take part). These may lean towards a top-down or bottom-up approach depending on how the permissions are implemented and controlled by the participants.
At present, European eIDAS identities are issued off-chain by centralized authorities and stored on their servers. A different level of identity strength is assigned for varying degrees of certainty in the registering process. This has worked fairly well when there was no rush to transition from previous analog identity proofs. But emergency situations like the present COVID-19 crisis have demonstrated the need for loosening formal requirements so as to make the registration of e-identities accessible in a context of pervasive population lockdown and extreme restriction of government services.
Even in a system like this, where a centralized, permissioned authority has the initial monopoly for registering electronic identities, blockchains’ immutability can play a crucial role. If a critical mass of government and private sector services feed their identity needs from a blockchain, where a myriad of different day-to-day operations for (identified) individuals and businesses begin to be recorded, we could see the emergence of a self-reinforcing identity system. Each new undisputed transaction made by an entity would strengthen the validity of their identity claim. So even if the initial registration was conducted at a low level of security, the availability of corroborating information on each identity would make them ever more secure.
Say, for example, that you register your own identity as John Doe, resident of Lagos, Nigeria. The initial security threshold may be low because of the practical impossibility of accessing governmental offices to ascertain that it is really you. So, this would be a weak identity, inadequate for sensitive transactions.
But if that identity is subsequently used for ever more critical operations like opening bank accounts, buying a car, registering for social security and taxes, etc., then its reliability will increase dramatically. There would be no need for John Doe to provide hard, government-issued evidence of his identity. His reputation, linked to a unique and indelible identifier carved into the blockchain for eternity, would speak for its credibility.
Blockchain-based identity systems also have the potential to help overcome interoperability issues present even within the public administration, while at the same time revealing personal data on a need-to-know basis. Medical records, including such sensitive information as test results or drug prescriptions, could be stored on blockchains to then be shared with third parties.
Blockchain-based ID systems have also been proposed to bridge the need for identification, while at the same time preserving all non-essential information from being disclosed. In several fields like healthcare management and research, or smart-grid administration, a tension can be felt between the need to identify and process sensitive data on a massive scale and protecting the privacy of the data originators.
The corona-crisis has caught us off-guard amid several incomplete electronic identity projects – many of which are blockchain-based. The urgency for action will make most efforts now seem improvised and unsatisfactory for use in “normal” times. But they will most probably lay the foundations for radical change in how we construe our digital selves when we really want to talk business.
Blockchain technologies for identity management can support the ability for users to control the custody of their own identifiers and credentials, transform data governance models, and reduce dependence on trusted intermediaries.
Users can manage their identity data themselves and disclose it directly to relying parties on a need-to-know basis (through self-custody of their identifiers and credentials or designating third-party custodians).
Businesses can streamline their operations by relying on verifiable user information without having to act as data custodians themselves and deal with the associated costs and risks (e.g., for infrastructure, security, and regulatory compliance).