Commentary: How Blockchain Could Put an End to Identity Theft
We lack control of our personal identities, and that’s a problem. Birthdates and home addresses have long been accessible through a quick Google search, but now a trip to the dark web will turn up the information many of us still hold precious: Social Security numbers, bank accounts, health insurance details, and whatever else a criminal may desire.
We got to this point because we consumers have historically favored convenience over privacy. Most of us don’t read the small print or do deep technical assessments before sharing information online. We don’t want to remember a different password for each account or re-enter credit card numbers every time we make an online purchase. Instead, we transferred ownership of the details that make us who we are, and as a result, we effectively put every company and government institution in the identity management business—whether they realized it or not.
But with the emergence of blockchain technology, the word privacy may regain its meaning. Blockchain’s ability to control information and avoid duplication means that self-sovereign identity, or the idea that individuals can control their personal data no matter where they are, could be a reality for the first time. For example, the Illinois Blockchain Initiative is managing a pilot program to put birth certificates on a blockchain. Their hope is to create self-sovereign, digital identities that can remain under a user’s control, capable of quick and secure validation without the need for a centralized repository.
The end of identity theft
Self-sovereign identity isn’t just a nice idea; it can put an end to many issues that impact consumer privacy, including, importantly, identity theft. Last year, 16.7 million people in the U.S. were victims of identify fraud, a 1.3-million-person jump since 2016. But these numbers only show half the story. Oftentimes, individuals have no idea that their digital identities have been compromised until they attempt to buy a home or take out a loan and find their financial lives in ruins.
Using a blockchain ledger to manage identities would make it extremely difficult for fraudsters to wreak havoc without leaving an obvious digital trail. Here’s how it works: Each block in the blockchain builds upon its predecessor, and the cryptographic nature of these blocks makes it hard to alter information stored in the existing blocks. The resulting record is immutable, meaning that changes to every single identifier associated with an individual must be logged. This system prevents malicious actions by data custodians, and ultimately makes identity theft more difficult to execute.
Putting individuals back in charge
A blockchain ledger’s immutable record is also what empowers individuals to take charge of all the information tied to their identity and ensure its accuracy over time. For example, since there isn’t a universally accepted digital equivalent for offline identity, such as a passport or a driver’s license, people are issued a unique set of identifiers for every single application they use. The result is a sprawling web of private information that end users struggle to keep track of, and organizations fail to keep secure thanks to inconsistent and lagging security postures.
But with blockchain-based Decentralized Identifiers (DiDs), individuals could regain complete control of their data. DiDs are basically a secret URL (which actually stands for Uniform Resource Locator) stored on a blockchain ledger, with each being assigned to the different parts of a user’s identity, such as their name, birthdate, and Social Security number. Using a digital wallet app on their smartphone or desktop, users have the power to temporarily grant access to the DiDs of their choosing. For example, when you sign up for a new app today, you typically have to share your name, email address, and other basic information. With DiDs, the process is faster and more secure. The app shows a QR code, you scan it, your digital wallet app automatically transfers your relevant DiDs over the blockchain, and the app grants access.
The changing parts of our identity, like phone numbers, job titles, and home addresses, further complicate individual privacy because it is possible for a single identifier to become associated with more than one person at different times. Think about all the details that must be updated if you get married and change your last name—you must change your passport, driver’s license, social media accounts, bank accounts, health insurance, etc.—the headache-inducing process takes months at least. DiDs empower individuals to swiftly update these details; when the DiD is updated, the services using your DiD automatically have the updated info. This process is much better than letting misinformation run free.
Caution: work in progress
Any transformational technology needs time to bake. For example, TCP/IP, the conceptual model and communications protocols behind the Internet we know today, was around for 30 years before it started disrupting legacy industries like retail and transportation.
The idea of self-sovereign identities on the blockchain is certainly promising, but there’s still a lot to figure out. There’s the issue of incentive: Why would incumbent businesses want to lose control of their customers’ identity data? Self-sovereign identities aren’t in enterprises’ best interest, so we’ll need a brand new player to build a blockchain ledger for identity.
There are other technical issues to overcome. First, is immutability really possible? In theory, a blockchain is immutable and would take the role of critical infrastructure, but this idea requires intensive testing before it can be trusted in the wild. We also need to determine how to securely and accurately connect individuals’ physical and digital identities. Blockchain only exists in the digital world and cannot guarantee the physical identity of the user, so this puts the burden on businesses to verify, link, and navigate the two.
These issues reinforce the need for strong privacy infrastructure. An integral piece of that is regulation; in the absence of legal precedent, the entities involved in a blockchain-based identity ecosystem would have to accept risk, uncertainty, and unbounded liability. We need a trusted entity to establish some legal and enforceable rules for how it will all work, infrastructure to bridge the physical and digital world, and the security groundwork to guarantee basic protections for consumers. If we can do these things, privacy will become standard, not a thing of the past.
Frederic Kerrest is the cofounder and COO of Okta.