Bit by bit, the optimism of the early internet era has dissipated, replaced by widespread fear over a dystopian future.
Valuable personal information is exposed unwittingly and carelessly by users of social networks. Large, apparently untouchable monopolies then enclose, own and sell it. Making use of the information, dark actors run and win political campaigns from behind the scenes.
In early 2018 newspapers uncovered how Facebook users’ profiles had been exploited by external data analysts without their knowledge. Online ad campaigns, designed to target those same users, apparently helped to manipulate the results of elections in the UK, the US and beyond.
Profit-seeking corporations eager to exploit the psychological and physiological patterns revealed by large human datasets have managed to extend their reach into practically every area of life.
Data of 1.6 million patients from the UK’s National Health Service (NHS) were handed to a subsidiary of Google, DeepMind, without their consent.
In November 2018 Google said it was absorbing DeepMind into a new division, Google Health, to help develop its artificial intelligence tools. This corporate reorganisation apparently contravened an assurance about independence given by DeepMind just a year earlier.
“I know better than you do what you are going to do next”
Regulators and politicians are struggling to keep up. The UK’s Information Commissioner’s Office (ICO) could only levy a maximum fine of £500,000 ($650,000) on Facebook—a drop in the ocean compared to the company’s $40bn annual revenues—while Google escaped with the merest rap over the knuckles from the UK authorities.
Even anonymising social networks’ user details in such large datasets should give little reassurance, says Tony Fish, a specialist in digital identity.
“When you interact with people on the internet you leave a digital footprint which is extraordinarily valuable,” Fish told New Money Review.
“I don’t even need to know your name, but I know where you live, who you live with, who your friends are. I know better than you do what you are going to do next. That scares the shit out of people.”
A system of centralised storage of identity data, whether at social media firms or elsewhere, is vulnerable in other ways.
In 2017, consumer credit agency Equifax announced that hackers had infiltrated its network and stolen the customer names, social security numbers, birthdates and addresses of more than half the US population.
The introduction by India’s government of a biometric identity scheme covering over 99 percent of the country’s 1 billion-plus population, called ‘Aadhaar’, has led to accusations of corruption, bribery, and the creation of fake IDs.
Quipping that Aadhaar should be renamed “Hack Me”, computer scientist Andreas Antonopoulos asked rhetorically:
“Put all ID in a giant insecure database run by a notoriously corrupt bureaucracy. What could go wrong?”
Distribute and return to user
For some, recent scandals are an opportunity for a total rethink of how digital identity information is organised, stored and used.
Instead of people handing over identity attributes to a government or tech firm, say advocates of a new approach, individuals should be given an opportunity to recover from identity loss.
We would all then become the owners of our own digital footprints under a so-called ‘self-sovereign identity’ (SSID) framework.
“To date, every identifier you use online belongs to someone else”
SSID schemes start with an individual identifier called a decentralised ID or ‘DID’. A DID can be owned not just by individuals, but also organisations and even by objects on the internet of things.
DIDs are created and managed via software wallet applications and registered in blockchains or other decentralised networks.
Christopher Allen, a computer scientist and privacy advocate, explains why the shift to DIDs is important.
“To date, every identifier you use online does not belong to you: it belongs to someone else,” says Allen.
“For example, URLs (internet addresses) are leased to you by your domain name system (DNS) provider, who leases them from the generic top level domain (gTLD), who leases them from the Internet Corporation for Assigned Names and Numbers (ICANN),” says Allen.
“Phone numbers are loaned to you (and often ported away). Government-issued identifiers are often misused commercially. The management of identifiers is hard, and is being outsourced. This results in problems related to cost, data portability, data privacy, and data security,” Allen told the audience at a recent event in Zurich.
Kaliya Young, a consultant and identity specialist, told New Money Review how DIDs can be used to build a series of verifiable credentials.
“Now you can issue credentials to individuals that they own and control”
“A DID comes with a DID document, which may be posted to a ledger,” says Young.
“That document contains the DID and public keys associated with the DID, the method of authentication, the keys for recovery, a timestamp and a signature,” says Young.
“You can start to use those as an anchor to issue verifiable credentials to individuals, who collect them in their digital wallet, where they also store the private keys associated with the DID.”
For example, a host of credentials, such as driving licences, membership certificates, university degree certificates and other useful personal information, could be attached to a particular decentralised ID.
Any third party could then challenge the authenticity of the information associated with the DID, using the technology of public and private key cryptography.
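The check described above, as an added example that is not from the article or from any SSID project: an issuer signs a credential, the holder answers a verifier's nonce with the key behind their own DID, and the verifier validates both signatures using only the DID documents. The `did:example` identifiers, the field names, the in-memory ledger and the choice of Ed25519 are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Deterministic JSON (sorted keys) so signer and verifier hash identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).sort().map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  return JSON.stringify(v);
}
const sign = (obj, privateKey) =>
  crypto.sign(null, Buffer.from(canonical(obj)), privateKey).toString('base64');
const check = (obj, sig, pem) =>
  crypto.verify(null, Buffer.from(canonical(obj)), crypto.createPublicKey(pem), Buffer.from(sig, 'base64'));

// Wallet side: a key pair plus the public DID document that would be posted to a ledger.
function createIdentity(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const didDocument = { id: did, publicKey: publicKey.export({ type: 'spki', format: 'pem' }) };
  return { didDocument, privateKey };
}
// Issuer signs claims about the subject's DID with its own private key.
function issueCredential(issuer, subjectDid, claims) {
  const body = { issuer: issuer.didDocument.id, subject: subjectDid, claims };
  return { ...body, signature: sign(body, issuer.privateKey) };
}
// Holder answers the verifier's nonce, proving control of the subject DID's key.
function present(holder, credential, nonce) {
  return { credential, nonce, proof: sign({ credential, nonce }, holder.privateKey) };
}
// Verifier: needs only DID documents from the ledger, never a call to the issuer.
function verifyPresentation(p, expectedNonce, resolve) {
  if (typeof p.proof !== 'string' || p.nonce !== expectedNonce) return false;
  const { signature, ...body } = p.credential;
  const issuerDoc = resolve(body.issuer), holderDoc = resolve(body.subject);
  if (!issuerDoc || !holderDoc || typeof signature !== 'string') return false;
  return check(body, signature, issuerDoc.publicKey) &&
         check({ credential: p.credential, nonce: p.nonce }, p.proof, holderDoc.publicKey);
}

// Constructed demo: a university issues a degree credential to Alice.
function demo() {
  const uni = createIdentity('did:example:university'), alice = createIdentity('did:example:alice');
  const ledger = new Map([uni, alice].map(i => [i.didDocument.id, i.didDocument]));
  const run = (cred, sent, expected) =>
    verifyPresentation(present(alice, cred, sent), expected, did => ledger.get(did));
  const cred = issueCredential(uni, alice.didDocument.id, { degree: 'BSc' });
  const nonce = crypto.randomBytes(16).toString('hex');
  return { ok: run(cred, nonce, nonce),
           tampered: run({ ...cred, claims: { degree: 'PhD' } }, nonce, nonce),
           replayed: run(cred, 'stale-nonce', nonce) };
}
```

The nonce check is what stops a copied credential from being replayed by someone who does not hold the private key for the subject DID.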
According to Young, a stand-alone self-sovereign identity network would be fundamentally different from centralised, government-administered identity schemes.
“The breakthrough in self-sovereign identity is that now you can issue credentials to individuals that they own and control, and which are believable,” says Young.
“By contrast, in solutions like India’s Aadhaar identity scheme or Estonia’s e-citizenship programme, any time you use credentials from those systems, you would still have to check with the respective government to see if they are true,” she says.
A blockchain or coopted future?
It’s not a coincidence that interest in SSID has risen in tandem with the recent cryptocurrency boom. Even cryptocurrency sceptics agree that self-sovereign identity systems could be a valuable application of public cryptocurrency networks like bitcoin and ethereum.
“Blockchain is useful for not many things, but this might turn out to be one of them,” says Kaliya Young.
Yet decentralisation—perhaps the key selling point of a blockchain network—is not a given.
A variety of SSID startups have come to market in the last two years. Some seek to hitch their fortunes to a public, cryptocurrency-based network like ethereum or bitcoin. Others are developing their own blockchains, usually with a native currency or token thrown in.
One self-sovereign ID scheme that’s attached to an existing cryptocurrency blockchain is uPort, which is owned by ConsenSys, a venture capital firm. uPort allows its users to register their own identity on the ethereum network.
By contrast, Sovrin, another SSID initiative, is seeking to launch its own blockchain using a native Sovrin token. Similarly, Everest, a California-based digital identity firm, plans to use a utility token, called the ID, and a USD-pegged token, called the CRDT, to run its network.
The Veres One network, launched earlier this year, takes a different tack, charging a fee to those wishing to create a DID, rather than seeking to join the token boom.
But governments and established tech firms are also taking a close interest in SSID.
Veres One has received funding from the US Department of Homeland Security while Evernym, developer of the Sovrin network, took money from the same source in 2017.
“what’s more disruptive than giving people back their data?”
Microsoft and IBM have both recently beefed up their SSID teams and have been vocal on the benefits of blockchain-based identity. Both companies could see decentralised digital identity as a way of stealing a competitive edge.
“IBM and Microsoft, looking at Facebook and Google as their competitors, are thinking, ‘what’s more disruptive than giving people back their data?’” says Kaliya Young.
However, Facebook and Google are also investing in internal blockchain projects, while other large technology firms—Apple and Amazon—are busy registering blockchain-related patents.
The involvement of big tech firms in new identity schemes worries some SSID advocates.
Past attempts to develop a system of user-owned internet identities, such as the OpenID project, were stymied by tech giants’ ability to create and enforce their own identity protocols.
Facebook, for example, managed to convince many of its platform’s users to adopt its Connect sign-on application, allowing them to access a variety of websites through a single (Facebook-owned) identity.
The firm also encouraged the developers of third-party apps to adopt the Facebook Connect system, largely by offering access to its users’ data—the same practice that eventually led to the Cambridge Analytica scandal.
“One of the reasons more sites support Facebook Connect is that they get a piece of the user pie,” Scott Gilbertson, a Wired journalist, wrote in 2011.
“Someone could follow the rituals of SSID but not the spirit”
“There’s a risk of a repeat of the past, when the internet giants took over the first generation of user-owned identity systems,” Pelle Braendgaard, chief technology officer of uPort, told New Money Review.
“That does keep me up at night. Someone could turn up and say they are doing self-sovereign identity, follow the rituals of it but not the spirit. I’d be worried if someone like Facebook said they were getting involved.”
Privacy above all
This article is the second in a three-part series on identity, money and privacy. In the first, we reported on how identity confers power when linked to money.
Some see online privacy for all, especially in financial transactions, as the only safeguard against unfair sanctions regimes, abusive governments and monopolistic, profit-seeking internet giants.
In the third and final article of this series, we look at how cryptocurrency pioneers have tried to engineer money to ensure total anonymity for users, and how governments are so far fighting a losing battle to arrest this trend.