One hundred years ago, the British Empire covered 24 percent of the world’s land, with territories on every continent. In every colony, they trained and disciplined an effective civil service, a force of about 120,000 people around the globe, sending, signing, stamping, and filing bits of paper. Bureaucracies like this seem complicated, but at the bottom of it, they’re just doing two things: tracking ownership of assets (money, IOUs, company shares, land deeds, etc.), and proving identity (passports, articles of incorporation, etc.).
A hundred years later, empires and paper are gone, and it’s time to think about a way of tracking ownership and identity in a digital world without imperial powers.
Designers of computer systems have been working on these two problems for decades. They proposed several schemes to digitally prove ownership of assets – Digicash, e-gold, WebMoney, Paypal – until Satoshi Nakamoto finally came up with a pretty satisfactory solution in 2008. His invention – the blockchain – is now used to represent ownership of all sorts of assets, not just money, but company shares, land titles, government bonds, and every asset class.
The advantage of the blockchain is not just that it’s digital – all databases are nowadays – but that it is decentralized. It cannot be taken down by taking down one part of the network, and it cannot be corrupted by bad actors who control one part of the network. Unlike with Paypal or a traditional bank, there is no gatekeeper who can deny you access to your funds.
Blockchains are becoming the favored technology for proving ownership, but the other bureaucratic function – identity – does not yet have a good digital replacement. Designing a solid digital identity system may be the biggest problem of the digital age. Being able to prove your identity turns out to be really important; without identification, you can’t vote, earn academic certificates, get healthcare or social welfare – you are essentially stranded from the institutions of civilization. The World Bank estimate that 1.5 billion people are currently stranded from civilization like this, relying on the islands of their local black market. An identity system could connect them to the mainland.
A verified, secure, universal digital identity would change the world. You could send and receive money, be recognized as the owner of land or other assets, sign your creative works, sign contracts, and vote on the board of a company or the Village Green Preservation Society. And you could do this instantly, without bureaucracy, whereas now these things involve paperwork and overhead. Organizations and companies would also be ‘identities’ in such a system. (Just as in the pre-digital era, land, or a bank account, could be in a person’s name, or a company’s.)
We already have identities in the digital world, of course – such as our email addresses, or my by-line on this article – but they aren’t robust enough to be very useful. One weakness of current systems is the difficulty of tying digital identities to real-world identities. We’ll look at that in part two, but for now, consider the problems that come with digital identity systems being centrally owned. Facebook accounts are stored on Facebook’s computers, Google accounts on Google’s computers, etc., and if those computers are compromised, all our data is compromised.
Last year it was revealed that a billion Yahoo accounts were compromised by a hacker. Moreover, between 2007 and 2012, all Google, Facebook, Hotmail, Yahoo, and Apple accounts were compromised when these companies handed their data over to the Five Eyes governments in the PRISM program. Unlike Bitcoin, centralized systems do have a gatekeeper. Facebook can censor, surveil, harvest, or block anything my Facebook identity does, because I am playing in their house.
No identity system housed in a privately-owned computer system will be free from the whims of the parent company. ‘Where do we store our identity-data?’ is a question we must be very careful about in designing a new identity system. The other key design-question is: what form does the identity take?
Bitcoin’s inventor, Satoshi Nakamoto, came up with a revolutionary and novel way of storing data in a distributed network, but for identities, he used an old cryptographic trick called public-key cryptography.
In public-key cryptography, every identity is a ‘keypair’, consisting of a public key, which others use to send data to you (like an address), and a private key, which you need to read private data and to send data from that identity. In the case of Bitcoin, the public key is used to generate the address people send money to, while the private key authorizes you to send money from your address. In another public-key cryptography system, Pretty Good Privacy (PGP), you scramble secret messages to me using my public key, and only my private key can unscramble them. PGP also features digital signatures; these combine my private key (which only I possess) with the data I want to sign (such as a letter I have written) to create a unique signature.
PGP is a great way of creating an identity; I can use signatures to prove my ownership of a product, and anyone can communicate securely with me by encrypting messages to my key.
PGP doesn’t really have an answer to the other question, the question of where identities are stored. Just as everyone has their own way of storing their photos – some people use external hard drives, some use Dropbox accounts, some just keep them on their laptop’s hard drive – so it is with PGP. Due to the lack of a robust storage system, people often lose their keys, and this is a common problem among PGP users.
Several projects are already underway that aim to create a self-sovereign identity system by combining the decentralized storage of the blockchain with the mathematical elegance and power of public-key cryptography. One is Blockstack. Their software adds a layer of data on top of the Bitcoin blockchain. Users buy a namespace in this data (similar to how you’d buy a domain name from a registry), and can then associate other personal data with that identity, such as profile pictures, PGP keys, or biometric data.
uPort is another identity project, built on the Ethereum blockchain, using Ethereum’s more complex logic. uPort users create an Ethereum smart contract, whose address then serves as their persistent identifier. Through this contract, users can interact with any other contracts in the Ethereum space, signing contracts, transferring money, and more.
The uPort whitepaper says –
“[The] blockchain can itself help make public-key cryptography more usable and secure by acting as a decentralized public key infrastructure (PKI). The blockchain can be viewed as a decentralized certificate authority that can maintain the mapping of identities to public keys. Smart contracts can furthermore add sophisticated logic that helps with key revocation and recovery, lessening the key management burden for the end user.”
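The signatures described earlier and the identity-to-key mapping with revocation from the whitepaper quote, as an added example that is not code from this article, uPort or Blockstack. It uses Node.js's built-in `crypto` module with Ed25519 keys; the `KeyRegistry` class, its method names and the name `alice.id` are hypothetical, an in-memory stand-in for an on-chain registry, and authorization of `revoke` is left out.

```javascript
const crypto = require('node:crypto');

// An identity is a keypair: publish the public key, keep the private key secret.
const newIdentity = () => crypto.generateKeyPairSync('ed25519');

// Ed25519 hashes the message itself, so the digest argument is null.
const sign = (privateKey, data) => crypto.sign(null, Buffer.from(data), privateKey);
const check = (publicKey, data, sig) => crypto.verify(null, Buffer.from(data), publicKey, sig);

// Byte encoding of a public key, used as the message signed during rotation.
const encodeKey = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });

// Hypothetical in-memory registry mapping names to public keys.
class KeyRegistry {
  constructor() { this.entries = new Map(); }

  register(name, publicKey) {
    if (this.entries.has(name)) throw new Error(`${name} is already registered`);
    this.entries.set(name, { publicKey, revoked: false });
  }

  // Replace the key only if the current key signed the new one.
  rotate(name, newPublicKey, proof) {
    const entry = this.entries.get(name);
    if (!entry || entry.revoked || !check(entry.publicKey, encodeKey(newPublicKey), proof)) {
      throw new Error('rotation not authorized by the current key');
    }
    entry.publicKey = newPublicKey;
  }

  // Assumption: a real registry would also check who is allowed to revoke.
  revoke(name) {
    const entry = this.entries.get(name);
    if (entry) entry.revoked = true;
  }

  // True only for a registered, unrevoked name whose current key made the signature.
  verify(name, data, sig) {
    const entry = this.entries.get(name);
    return Boolean(entry) && !entry.revoked && check(entry.publicKey, data, sig);
  }
}

// Constructed sample run.
const registry = new KeyRegistry();
const alice = newIdentity();
registry.register('alice.id', alice.publicKey);
const letter = 'I wrote this letter';
const sig = sign(alice.privateKey, letter);
console.log(registry.verify('alice.id', letter, sig));       // genuine signature
console.log(registry.verify('alice.id', letter + '!', sig)); // altered text
```

Verification fails for altered text, for a signature made by any other key, and for any name that has been revoked, which is what lets a relying party trust the registry entry rather than the channel the message arrived on.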
Blockstack have already registered over 70,000 identities on the blockchain, indicating that people do understand the importance of being in control of their own digital identity, and not handing it over to some corporation. This is encouraging. If formalized civilization depends on identity, free civilization depends on self-sovereign identity.
The ‘identities’ discussed here are not necessarily people; they could be companies, groups, or pseudonyms as well. One person could have as many identities as they like; this pseudonymity has always been beneficial to the internet and encouraged free speech. But if someone has multiple identities in the social welfare system, people might get mad about that. So next week, we will be looking at how to tie digital identities to actual people.