Blockchain and other distributed ledger technologies (“DLT”) have attracted widespread interest. Blockchain is more commonly known as the underlying technology behind Bitcoin, while DLT is synonymous with cryptocurrencies generally. An increasing number of industries are looking to or have already deployed this transformative technology to improve inefficiencies that plague their respective fields (see our previous comment on the application of DLT to maintain corporate records on the blockchain). Another novel use case of DLT is identity verification and self-sovereign identity.
The problem with identity verification
Often issued and used by governments, financial institutions and third-party institutions, globally unique “use it everywhere identifiers” – such as Social Insurance Numbers (“SINs”) – link all of your activities together, potentially creating massive vulnerabilities and privacy issues.1 Knowing the right amount of information about a person allows bad actors to take action “as” that person.2 Names and dates of birth are publicly available, while SINs are widely shared, both legitimately and illegitimately, which means that gathering sufficient information to steal someone’s identity has become trivial.3
In March of this year, SINs belonging to an estimated one million Canadians were compromised in a breach involving a credit card issuer that affected six million individuals in Canada, and 100 million individuals in the United States. The hacker also accessed names, addresses, postal codes, phone numbers, email addresses, dates of birth, and self-reported income, all information collected and stored by a “trusted third-party”. Unfortunately, as of late, data breaches are no longer the exception but the rule. Former FBI Director Robert Mueller went so far as to state that “there are only two types of companies: those that have been hacked and those that will be”.
Clearly, the potential for large-scale security breaches puts companies storing personal information at risk of financial loss, and puts consumers at risk of identity theft.4 One popular alternative to globally unique identifiers is the use of biometrics (voice/facial recognition, iris scans and fingerprints) to verify a person’s identity, but, similar to any other data, biometrics would have to be collected and stored, often by trusted third parties, and, similar to any other data that is collected and stored, ultimately prone to breach.5
Another solution is a self-sovereign identity scheme.
Digital identity is a set of attributes that allows an individual or entity to be represented in digital form. Although we demand sovereignty over our physical selves, many are unaware that we lack sovereignty over our digital selves. Often, an individual may keep their birth certificates, SIN cards, passports, utility bills and income taxes at home while their driver’s licenses, health cards, and gym memberships are in their wallets. While we perceive that these measures allow us to keep this information under our control, the unfortunate reality of identity verification and data dissemination today is that this information is widespread among many third-party institutions. Often, the level of information they have far exceeds that which they require to perform their service or function. Furthermore, these third-party institutions often issue their own identifiers in exchange for use of their platforms, with such identifiers remaining under their ownership and control, including how they might share or sell this information.6
Self-sovereign identity is the notion that rather than having our information held by third parties (often without us knowing what that information is), individuals and entities instead have the ability to store and ultimately control their own digital identities. They can choose to provide select data points about themselves under conditions that they set when there is a need for such information collection,7 without having to rely on a central repository to store this information.8
For example, you may want a prospective employer to have access to information about your educational qualifications and previous work history, but not see that you are the president of the One Direction fan club. Currently, this information is kept separate by virtue of the fact that different third parties hold such information.9 However, it also means that the individual has little to no control over when and to whom the information is shared.
DLT and cryptocurrency were originally introduced to address the “double-spend problem” inherent in virtual or digital currencies. However, DLT platforms have emerged as an alternative mechanism for storing and transmitting all types of data, by giving users access to a decentralized, synchronized record of transactions. DLT platforms are constructed as networks of computer nodes in such a manner that, once a transaction is verified by the network nodes, it is combined with other transactions to create a new block of data for the ledger. This is then added to the existing blockchain in a way that is virtually permanent and immutable. The ledger is replicated across the DLT network nodes, and is simultaneously updated as new blocks are added to the ledger, providing all DLT platform users with a single, reliable source of truth. These unique characteristics have made the notion of self-sovereignty a reality.
How DLT could “fix it”
Self-sovereign identity provides individual control, security, and portability of identity-related information by removing centralized, external, third-party control. Previously, there was never a practical alternative to control globally unique identifiers aside from relying on governments, financial institutions and third-party institutions.10 DLT has made it possible to store such globally unique identifiers on any number of distributed and immutable ledgers, while public and private keys allow an individual to restrict the output of information that is disseminated, holding all of the different elements of their online identity in a “digital wallet”.11 This removes the need for any central database as a rich source of identity information,12 and significantly reduces the risk of widespread, massive data breaches.
Self-sovereign identity on DLT retools the current identity model by taking ownership, verification and authentication away from third parties (trusted and untrusted), and giving it to the individual or entity who is being identified. In this model, the individual or entity owns their own identity, and can allow access to aspects of this identity on demand.13 DLT could provide bundles of attested claims for everyday situations, such as “over 19”, “over 65”, “has valid driver’s license”, or “spouse”, as well as claims for more nuanced situations, such as “licensed lawyer”, “accredited investor”, or “director, executive officer or control person of a corporation”.14 Thus, an individual looking to purchase age-restricted products need not provide their driver’s license, which contains their full name, address, height, sex and date of birth, but only a verifiable statement that they are over the age of 19, and can therefore legally purchase the desired product.
As alluded earlier, third-party institutions issue their own identifiers in exchange for use of their platforms, with such identifiers remaining under their own ownership and control, including how they might share or sell such information. These companies then use this information to generate revenue with targeted advertising campaigns.15 It is quite possible that the control self-sovereign identity gives individuals over their identity data could enable everyone to monetize their own personal information should they so choose.
Although we are optimistic about the transformative nature of DLT, it’s worth noting that less than 10% of dedicated identity apps are expected to use DLT by 2023. In spite of this statistic, the self-sovereign identity movement is experiencing an average yearly growth of 35%.16
Current progress in the field
Sierra Leone’s national digital identity platform
A financial institution’s inability to verify the identity of a prospective borrower increases lending risk, which ultimately affects the cost of borrowing. Sierra Leone is looking to implement a national identity system enabled by DLT to mitigate this problem. The National Digital Identity Platform (“NDIP”), a collaboration between the United Nations and San Francisco-based non-profit Kiva, will provide Sierra Leone’s citizens access to affordable credit and financial services, while giving financial institutions the ability to verify identities and build credit histories.17
NDIP is being deployed in two phases: (i) digitizing identities; and (ii) using the digital identity to create non-duplicating, non-reusable and universally recognized National Identification Numbers.18 The first phase has been completed, and the second phase is expected to be completed by the end of 2019. NDIP is built on principles of self-sovereignty. Individual citizens own their data, and ultimately decide with whom they share their data and how that data may be used.19
NDIP is the proposed solution for providing credible and affordable financial services to a population that is estimated to be 75 percent unbanked, and forced to rely on informal community institutions.20 Such institutions rarely disclose credit information, and charge extremely high interest rates. NDIP assigns prospective borrowers a digital wallet to access funds, and each transaction is recorded using DLT to provide a means of verifying identity and of ultimately building a credit history.
The government of Sierra Leone believes NDIP will provide greater access to credit and financial services for its citizens, allowing farmers in rural communities to access much-needed capital, or extend to women, young persons, and persons with disabilities meaningful financial inclusion.21 While DLT-based proposals present creative solutions to real world problems, the Information Ministry in Sierra Leone estimates more than 85 percent of its citizens lack Internet access,22 which could significantly affect access to NDIP given borrowers’ need to access the digital wallet online.
Other use cases
Empowering stateless refugees
The freedom of having one’s own self-sovereign identity on a single, secure and immutable identity record that is portable and does not depend on any centralized authority may not be something of value to most people living in developed countries. However, self-sovereign identity could have significant benefits for marginalised groups, or for those who find themselves in contexts where reliance on third parties is no longer possible. A digital identity that is not linked to citizenship, but rather, is owned and controlled by the individual, could empower stateless refugees who might otherwise leave their legal identity behind when forced to flee their native country.23
For example, for a qualified engineer fleeing Syria, it may be impossible to find work in a new country that make use of his or her skills because they cannot prove they have an engineering degree or are licensed. As a result, they are forced to either take low-paid, unskilled work or rely on government benefits, if any.24 Self-sovereign identity could open doors that were historically closed due to the absence of the requisite pieces of paper, given that the attributes and credentials associated with an individual’s identity can now be taken anywhere they go.25 Underscoring the potential importance of this application is the United Nations’ target of providing everyone in the world with a verifiable identity by 2030.26
MONI, a start-up company in Finland, is currently offering individuals seeking refugee status in a European country, a prepaid MasterCard linked to a unique digital identity on DLT.27 A MONI account functions as a bank account, allowing asylum seekers to transact with Immigration Services so that the agency can monitor their movements in a more secure and legitimate way, while being able to purchase products, pay bills and receive deposits from employers.
Estonia’s electronic ID cards
The government of Estonia issued electronic ID cards for keeping track of public, financial, medical and emergency services, and for its citizens to use while driving, paying taxes online, and e-voting. Rather than being stored in a centralized database, the Estonia ID card uses a DLT-based system, giving its citizens greater control over their personal information, and allowing them to access their encrypted data electronically.28
The Sovrin Foundation’s self-sovereign digital identification system
The Sovrin Foundation launched the first self-sovereign digital identification system using DLT known as the Sovrin Network in September of 2016.29 It was developed to use a public DLT that allows individual users and entities to create protected identities, and regain control over their identifying information, with an aim toward security and certainty.
Global digital IDs
Companies such as PWC, Microsoft and MasterCard are working collaboratively to develop global digital IDs. The goal is to enable access to digital identity for every person on the planet by 2030, ultimately reducing the ability of bad actors across the world from accessing and manipulating personally identifiable information.30
Enterprise blockchain software firm R3 recently launched a know-your-customer (“KYC”) application on its Corda DLT platform. This application seeks to implement a unique self-sovereign model that allows customers to create and manage their own identities, and grant permission to multiple participants to access this data, thereby eliminating the need for various financial institutions to individually manage KYC records.31
South Africa is developing DLT-based platforms to provide a digital identity for young children, and ensure that each child has the specific funding allotted for his or her education. Such efforts are intended to prevent fraud where subsidized schools claim to have more students than they actually teach.32
DLT has been lauded as the technology that will change the world. It can be used to address many of the deficiencies that currently plague the use of globally unique identifiers, and can have a significant impact on the industries that store, use or commercialize personal information. Although still in its infancy, the numerous and varied current use cases using DLT for self-sovereign identity indicates the technology could revolutionize how we manage our digital selves over the next 10 years.
A special thank you to Anthony Scalia (student-at-law) for his assistance with this article.
- # Kaliya Young, “There’s a Facebook alternative, it’s called self-sovereign identity” (6 April 2018), CoinDesk, online: <https://www.coindesk.com/theres-alternative-facebook-called-self-sovereign-identity> [Young]. ↩
- # Ibid. ↩
- # Ibid. ↩
- # Kevin DiGrazia (2018) 13:2 J Bus & Tech L 271 [DiGrazia]. ↩
- # Ibid, at 272.↩
- # Young, supra note 1.↩
- # Amy Schmitz & Jeff Aresty, “Blockchain Can Empower Stateless Refugees” (2 December 2018), Law 360, online: <https://www.law360.com/articles/1095148/blockchain-can-empower-stateless-refugees> [Schmitz]. ↩
- # Antony Lewis, “A gentle introduction to self-sovereign identity” (17 May 2017), Bits on Blocks, online: <https://bitsonblocks.net/2017/05/17/gentle-introduction-self-sovereign-identity/> [Lewis]. ↩
- # Rhodri Davies, “Knowing me, knowing you: Self-sovereign digital identity and the future for charities” (21 July 2017), Charities Aid Foundation, online <https://www.cafonline.org/about-us/blog-home/giving-thought/the-future-of-doing-good/self-sovereign-digital-identity-and-the-future-of-charity> [Davies]. ↩
- # Young, supra note 1.↩
- # Lewis, supra note 8.↩
- # James Moar, “Three Trends Accelerating the Growth of Digital Identity” (July 2019), Juniper Research, online: <https://www.juniperresearch.com/document-library/white-papers/three-trends-accelerating-the-growth-of-digital-id> [Moar]. ↩
- # Chris Skinner (13 September 2017), BankThink, online: . ↩
- # Lewis, supra note 8.↩
- # Davies, supra note 9. ↩
- # Moar, supra note 12. ↩
- # Sarah Clark, “Sierra Leone puts national ID cards on the blockchain” (2 September 2019), NFCW, online <https://www.nfcw.com/2019/09/02/364222/sierra-leone-puts-national-id-cards-on-the-blockchain/> [Clark].↩
- # Ibid. ↩
- # Ibid.↩
- # Max Boddy, “Nonprofit Launches Blockchain Platform for Credit History in Sierra Leone” (22 August 2019), CoinTelegraph, online: <https://cointelegraph.com/news/nonprofit-launches-blockchain-platform-for-credit-history-in-sierra-leone> [Boddy]. ↩
- # Clark, supra note 17.↩
- # Boddy, supra note 20.↩
- # Schmitz, supra note 7. ↩
- # Davies, supra note 9. ↩
- # Schmitz, supra note 7. ↩
- # Jeffrey D Quayle, “The Future of Financial Services – Developments in Policy, Regulations, Enforcement, Technology and Litigation” (November 2017), Baker & Hostetler LLP, online: <https://www.lexology.com/library/detail.aspx?g=a0628cab-e166-468a-ad9e-881af135d654>. ↩
- # Pam Ly, “Blockchain technology: its ability to transform corporations’ corporate social responsibility practices” (2019) 22 Intl Trade & Bus L Rev 15. ↩
- # Daniel J Marcus, “The data breach dilemma: proactive solutions for protecting consumers’ personal information” (2018) 68:555 Duke LJ 590.↩
- # Judd Bagley, “Sovrin Foundation Releases World’s First Public Distributed Ledger for Self-Sovereign Identity” (14 September 2017), Globe Newswire, online: <https://www.globenewswire.com/news-release/2017/09/14/1121456/0/en/Sovrin-Foundation-Releases-World-s-First-Public-Distributed-Ledger-for-Self-Sovereign-Identity.html>. ↩
- # DiGrazia, supra note 4 at 274.↩
- # Melonia A Bennet et al, “Risk and Regulation in AML/Tax, ICO Scrutiny, Provenance POCs” (13 July 2018), Baker & Hostetler LLP, online: < https://www.lexology.com/library/detail.aspx?g=cf99ee1c-2cac-41e4-a455-56ea2082562d>. ↩
- # Paul Kohlhaas, “Blockchain for Social Good: Revolutionizing Pre-School Funding in South Africa” (29 March 2017), Medium, online: <https://medium.com/@Paul.Haas/blockchain-for-social-good-revolutionizing-pre-school-funding-in-south-africa-f0c7c63ee2ee>. ↩