Recently I attended DC Blockchain Summit 2017, put on by the Chamber of Digital Commerce. During one of the panels, they took a live poll asking the audience of about 300 people which use case they thought was most critical. Identity was by far the number one use case, followed by settlements. This is not really a surprise: the last year has witnessed blockchain identity solutions popping up like crazy. In August of 2016, Chris Skinner listed “12 standout startups focused on blockchain identity”. In 2016 I personally worked on a DHS-sponsored grant to study the Applicability of Blockchain Technology to Privacy Respecting Identity Management, which resulted in a specification for the Decentralized Identifier (DID). A DID is intended to provide the root of a verifiable digital identity that is self-sovereign, meaning that you, the owner, are in complete control over your DID without depending on any centralized providers. However, this has me thinking. Is blockchain really necessary for solving the issue of digital identity?

Identity Registries:

I personally became interested in the issue of identity in the early to mid-2000s. At first, like many people, I felt that in the digital world there must be a searchable directory to look up people, similar to the white pages in a phone book. So, as is the norm for internet services, I got involved in the standardization process and in building a centralized service, modeled after the ubiquitous DNS. This service would allow everyone to get their identity. However, there was a drawback; in the end, a huge drawback. First and foremost, it depended on trusting a neutral third party. This is common in DNS, but instead of pointing to hardware we were pointing to people’s lives. How can you trust an entity today? If you find a way to trust them today, what about tomorrow, when people and organizations change? Second, identity is not something that can be put into one data store. Identity is much more than any one particular piece of data. Identity is a holistic idea that encompasses everything about us. The centralized service only stores identifiers that are intended to be the root of your identity. This is useless if the ability to pull in the many other aspects of your identity is not also present.

Given that centralization, rightfully so, proved to be a non-starter for rooting identity, an investigation of blockchain technologies became necessary. Blockchain, or Decentralized Ledger Technology (DLT), has emerged as an innovation that allows non-trusting, competing entities to share a database (or ledger) of truth. The real breakthrough in DLT is the set of patterns that allow non-trusting entities to achieve consensus (via a proof) on committing records (aka blocks) to a shared ledger. This, in turn, establishes trust over the shared state of the information. This is mind-blowing if you think about it. Organizations can come together, agree to a consensus model, and share necessary data without having to engage neutral third parties to establish trust. Surely through such a model we can crack the identity nut. We can now create our rooted identity and have it committed to an immutable ledger where, once recorded, it can never be deleted and is owned only by you. Sounds like case closed … problem solved.

Is it?

Does DLT really solve the trust problem? Sure, we can commit data that is immutable and self-auditing – we can create a state of trust for the transactions contained within the ledger.

How does DLT provide for trust?

  • Decentralization – DLT has characteristics where consensus needs to be obtained from multiple “ledger update” nodes whose operators are decentralized – that is, they are not controlled by any one authority. These nodes must execute an agreed-upon consensus algorithm or proof to decide which transactions should be committed to the ledger as a “block”. For example, the Bitcoin Blockchain uses a “Proof of Work” consensus model. Other blockchain solutions are investigating the use of other proof algorithms.
  • Immutability – Once transactions are committed to the ledger, they are cryptographically linked together in such a way that the ledger’s “state of truth” is unassailable and self-auditing.
  • Open Source code – A DLT network needs to operate on a shared codebase that is open to all on the network, or publicly.
  • Governance – The way the network is managed requires agreement through a governance process. Governance is tending towards two general models – Permissionless and Permissioned.

Two general models for blockchain governance have become common: Permissionless and Permissioned.

  • Bitcoin is an example of a DLT that is operated with a Permissionless model. Anybody who wants to operate a node can update the ledger (be a miner) without asking for permission. Simply download the code and run it. In a network like this, the code and the miners are the kings of the kingdom. They control the governance of the network.
  • Permissioned networks are ones where the nodes that update the ledger need permission to do so. They introduce a human layer that forms a governance board. The combination of the governance board, the developers and the operators of the update nodes controls the network.

DLT has introduced innovations enabling the movement away from centralized services. However, does it really mean we can rest easy and trust? DLT-based trust depends on:

  • Software that is managed by core developers who have been accepted to update the code and are willing to dedicate their time to the codebase.
  • The operators of the nodes that update the ledger.
  • Potentially, a distinct governance body.

This provides for decentralized operations in an environment where collusion would be very hard to accomplish. This sounds great. Do these groups, unseen to most of us, engender trust? It will take time for us to see how well it works.

Let’s keep in mind that the internet itself was born out of similar constructs. The core code and standards developed were all decentralized, distributed and consensus driven. However, as we look at the internet today, there is a central governance body called ICANN, centralized registries that control huge swaths of digital land (domain names) that they rent out, and centralized silos operating large web properties to which most of us have gravitated. This has all led to centralization and mass surveillance through massive correlation efforts.

We should keep in mind that it is human nature for centralization to occur. Power bases have a tendency to coalesce. In nature, organisms tend to cluster together to protect against real and perceived dangers. Throughout human history, we have grouped together, leaders have come to power, eventually leading to rebellions as leaders took too much power, leading to new groupings and new power brokers. It’s a repeating cycle. Can we really trust that the cycle of blockchain will be any different?

Does identity need a single datastore, centralized or decentralized?

Getting back to the thesis, do we need a single repository that serves as the root of authority for our identity? In the normal world, we seem to survive just fine without creating a massive searchable store for our identity. Could we instead, as we did before the internet, create personal relationships with other people, groups, and organizations, and gather credibility through those relationships? Might it be better if we could enter into relationships and share without memorialization in any single repository — centralized or decentralized?

You could argue that we have this today. We do not have a single repository rooting our identity today. We interact with websites and join groups. We are able to be found and introduced quite easily. The problem, though, is that we do NOT own our identity. We cede control and leak information in order to belong. We open ourselves up to tracking, correlation and surveillance in order to belong. These tradeoffs seem too great. What if we could interact digitally while retaining control over our digital selves, without a need for a global root-of-authority registry?

Some of the same cryptographic tools being used by DLT could be used to create personal and private ID cards — virtual and physical ones. Each card could be shared peer-to-peer. Digital cards could contain as little or as much data as you want. In most cases, the digital card could simply be a certification that you possess a certain quality, such as being over 21. The digital card could also contain identity-based identifiers for different personas.

How would discovery work? Well, just like it does in the normal world. We are discovered through relationships with others or by voluntarily listing ourselves in group directories. Friends and acquaintances make introductions that may be of interest. Each relationship we form adds to our network of acquaintances, each of which helps us discover new relationships, furthering our personal networks.

I am a big fan of the innovations that blockchain and DLT provide. The ability to have unalterable registers that validate, record and track transactions across a network of decentralized computers is enormously powerful. However, does the recording of transactions, ones that are necessarily open, provide for a trusted, rooted source of identity?