Digital identities are here to stay. The average person would probably struggle to even remember them all: between social security numbers, credit cards, smartphones, online accounts, social media and enterprise accounts, it’s safe to say that our personal information is stored all over the place.
In a way, these digital identities have become part of the fabric of society, and it’s hard to imagine them going away. With the spread of COVID-19, the need to provide a method to uniquely identify people on a large scale has become paramount in developing a long-term response to this and future pandemics.
An ambitious project
Several projects are underway that are looking at blockchain technology in identity management. They address the idea that identities need to be portable and verifiable everywhere at any time, with the aim of creating a system that gives people the flexibility to create encrypted digital identities that can be used across multiple applications without requiring a single, centralized identity store.
Having no central repository helps eliminate today’s risk of hackers stealing large amounts of identity data from a single source, such as a company’s customer database.
Blockchain allows for the idea of zero-knowledge proof. This is the concept where a person can prove to another entity that they know a certain piece of information or meet a certain requirement without having to disclose any of the actual information. For example, a person could prove that they are over 21 without having to show their date of birth.
The person would have an indicator tied to their identity stating they are over 21. The entity verifying this would not need to know the actual date of birth, but instead would only need to validate the digital signature of the government that issued and attested to the information. This can all be done with blockchain technology.
This is similar to how we do it today in our paper-based world. The verifier doesn’t need to record any personal data like our name, address, date of birth, etc. in some customer database. They simply verify the information at the time of the request and then forget it. This is exactly what needs to happen in a digital identity world.
Why should we have a unified digital identity?
There are several examples of where having a unified digital identity is not only successful, but also the best way to overcome certain specific challenges.
Currently, the COVID-19 pandemic has created new challenges for the Centers for Disease Control and Prevention. The US federal government has started to use smartphone location data as an ad-hoc digital identity to help with its epidemic response. Since most people in the US have a smartphone, this has provided a simple way to track whether people are following the shelter-in-place guidelines, and to track where people may be gathering in crowds.
An example is New York City, where authorities found that a large number of people were gathering in Brooklyn’s Prospect Park. Using this information, they posted warnings to encourage social distancing and were able to monitor the ongoing situation.
Unified identity and privacy
It sure sounds great to be able to have a single, unified digital identity. This, however, creates a whole new set of challenges in terms of privacy and human rights.
In the case of using a digital identity to respond to the COVID-19 pandemic, North Dakota’s contact-tracing app, Care-19, provides a warning example. It was found that the app was covertly sending location and advertising data to third parties. This again creates an issue of trust, as a major challenge for all contact-tracing apps will be getting people to use them.
The same technology that is currently being used to track people during the coronavirus pandemic could also be abused. Government officials in China have already started using facial recognition software to identify people going out in their pajamas, which is considered uncivilized behavior. The rulebreakers’ pictures were posted online as a form of public shaming. But this example is benign when considering the more obvious reasons why an authoritarian government would have an interest in implementing a unified identity to track its citizens.
Are the risks worth the benefits?
As our digital identities evolve, there is a need to balance the benefits they provide with the risks they create.
The first step to make this work is to avoid monolithic systems, which have a single point of failure and a single point of abuse. These systems provide high assurance in identifying an individual, but can also be a double-edged sword and over-identify.
This is what has happened with Social Security Numbers and the US credit system. This information has proven so easy to obtain and abuse that it has now created the basis for a whole identity-theft industry to be built around it.
The answer: contextual integrity
One key to approaching this problem is the idea of contextual integrity, as proposed by Helen Nissenbaum. The idea is that only the minimal required identity information is provided to the requestor, based on the context of the request. For example, a healthcare provider may need to know a person’s sex and weight, but a retail provider would not. Conversely, a retail provider may need to know a person’s income as reported on tax forms in order to extend credit, but a healthcare provider may not need to know this.
Smartphones have started to become the first platform to enable this type of functionality. However, as smartphones have become a de facto digital identity for almost everyone, there are concerns about how much personal data is being shared with third parties without the person’s consent and knowledge.
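The over-21 attestation described earlier and the per-context minimal disclosure described here can be sketched together. This is an added example, not code from the author or from any identity project: it shows issuer-signed selective disclosure with salted hashes, which is not a full zero-knowledge proof protocol and uses no blockchain. The claim names, the POLICY table and the sample values are constructed, and a Lamport one-time signature stands in for the issuer's signature scheme so the code needs only the standard library.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time signature key (stdlib-only stand-in for the issuer's key).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def claim_digest(name, value, salt):
    return H(json.dumps([salt, name, value]).encode()).hex()

def issue(sk, claims):
    # Issuer signs salted digests only, so the credential itself reveals no values.
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(claim_digest(k, v, salts[k]) for k, v in claims.items())
    return {"digests": digests, "sig": sign(sk, json.dumps(digests).encode())}, salts

# Constructed policy: which claims each requesting context may see.
POLICY = {"bar": ["over_21"], "clinic": ["sex", "weight_kg"], "lender": ["reported_income"]}

def present(claims, salts, context):
    # Holder discloses value + salt for the permitted claims and nothing else.
    return {k: (claims[k], salts[k]) for k in POLICY[context]}

def check(pk, cred, disclosed):
    # Verifier: issuer signature first, then each disclosed claim against the digests.
    if not verify(pk, json.dumps(cred["digests"]).encode(), cred["sig"]):
        return None
    if any(claim_digest(k, v, s) not in cred["digests"] for k, (v, s) in disclosed.items()):
        return None
    return {k: v for k, (v, s) in disclosed.items()}

# Constructed sample identity.
CLAIMS = {"date_of_birth": "1990-04-02", "over_21": True, "sex": "F",
          "weight_kg": 64, "reported_income": 52000}

if __name__ == "__main__":
    sk, pk = keygen()
    cred, salts = issue(sk, CLAIMS)
    print(check(pk, cred, present(CLAIMS, salts, "bar")))
```

The verifier in the "bar" context learns only that the issuer attested to over_21; the date of birth stays behind a salted digest it cannot reverse.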
Ultimately, to address these privacy concerns, it is necessary to implement the idea of a self-sovereign identity along with contextual integrity within these systems. A person should be able to own and control all aspects of their identity. They should control which information is shared, where it is held and – most importantly – when it is forgotten. Individuals shouldn’t be asked to give up their control over their identity to any one single organization.
We, as individuals, should be pushing for these changes, going back to the basics of freedom that were obvious before the modern age of technology – we own who we are, and we owe it to ourselves to take this issue very seriously.
- Bruce Esposito, Global Identity and Access Management Strategist at One Identity.