Self Sovereign Identity & Decentralized Identity - Control Your Data
Let's take a deep dive in to decentralized identity! Why are we not taking back control of our most valuable asset, which is data? Data is the key to our privacy and identity. Governments, tech giants like Facebook, the apps on your smartphone, banks, hospitals, hotels, and even super markets. They all use someone else’s data or the data of many people combined, often without consent, violating basic human rights and individual’s privacy. Even with all regulations such as GDPR, HIPAA, PDPA, APPI, and data breach notification laws, and even with endless security measures in place, the amount of data breaches is out of control. Data breaches become bigger, and profiting off of someone else’s personal digital identity is the business model of many large enterprises.
As one can imagine, large enterprises like to keep it that way. And we’re not only talking about Facebook, it’s much bigger than this. The truth is, to own and control your own identity is ‘simple’ with today’s technologies. The question is, which company or organization with a large impact is brave enough to be the first to integrate, or enforce, the use of DID’s? We can fix a lot of Facebook’s privacy and data issues already, today, with Factor.
New to Factor? Here are more details about our decentralized identity solutions.
What is decentralized identity (DID)?
Decentralized identity allows individuals to maintain full control over their privacy, as well as decide how and what data is shared. It enables people to monetize their personal information themselves. It reduces the risk of abuse and large data breaches violating people's privacy. Decentralized identity is much broader than the name may suggest.
If you think about it, ‘centralized decentralized identity’ is a more accurate name, although it sounds even more complex. Since the individual to whom any identity data is attached and only this individual should act as the central authority to control with whom to share specific personal information for a specific need. Right now most of the world's data is owned and controlled by giant centralized tech companies, no longer the individual.
What is self sovereign identity (SSI)?
Self sovereign identity (SSI) is - at this moment - not very different from decentralized identity. There is no consensus yet on what both of these terms mean exactly. Same as decentralized identity, we have yet to define what self sovereign identity truly is. There are no standards yet, but development and innovation is moving fast.
Aaron Fernando explained self sovereign identity as follows: ‘’Simply put, a self-sovereign identity on the blockchain is a permanent identity that can only be accessed in full by the person or entity to whom it belongs, yet portions of that identity can be shown to any individual, organization, or agency whenever it becomes relevant. Since self-sovereign identities are decentralized and encrypted, identity theft or incidents become much less of a problem’’.
If any, what is the difference between self sovereign identity and decentralized identity?
Stephen Hyduchack, CEO of Bridge Protocol, explains the difference as follows, but this is not defined as the standard:
Self-Sovereign Identity: This is an identity concept where people and businesses store and control their data on their own devices; providing this data when someone needs to validate them. This is all done without relying on a centralized database.
Decentralized Identities (DIDs): This is slightly different than the self-sovereign concept. A DID is completely under the authority of the user. There is NO central registry, identity provider or certificate authority that gives the receiving entity a “thumbs up” on the validity of the data.
What are decentralized identifiers?
Decentralized identifiers are so called factors, labels, variable names, and such. A different, decentralized, cryptographically verifiable, approach of identifying and verifying, specific parts of your personal decentralized digital identity. Any identifiers added by the individual, are designed to enable and to prove control over this information. These can be implemented independently of any centralized registry, identity provider, or certificate authority.
A more technical exploration of decentralized identifiers, also referred to as DID (so confusing, we really need clear standards), can be found here.
Why do we need decentralized identity?
Decentralized identity drastically reduces any form of abuse of the world’s most valuable asset, which is personal data, who we are. The value of data surpassed the value of oil in 2017, according to Economist.com. History has shown over and over again that we simply can not trust a centralized authority to possess control over the data of millions, even billions of people.
Profit, governance, micro targeted psychographic advertisements affecting real world behaviour, ‘anonymizing’ data for research purposes, this all happens without providing consent or permission. Are decentralized applications based on blockchain technology ready to disrupt the way we share, access, control, and monetize people’s personal data? The answer is yes.
Here are 5 reasons why decentralized identity is important:
- A user should be able to fully own it’s personal digital identity.
- A user should be able to monetize its own data.
- A user should be able to choose which data to share with other parties, and trust that their data is not sold to other parties without consent.
- A user should have the ability to isolate itself from data breaches.
- A user should be able to revoke access to trusted third parties, and have proof that it must be deleted from their servers.
The challenges of using blockchain for identity.
So why are people not able to control their own identity in a decentralized manner yet? Dragonchain has come a long way, and has the right technology and product to give people decentralized identity. The company has solved many hurdles, such as scalability, interoperability between blockchains, ease of use, and being compliant with regulations such as GDPR.
Innovation in the field of decentralized identity, or DID’s is moving fast, but just like blockchain itself, is still in its infancy. On August 13th, 2019, the W3C community group published its final report on DID’s. It is not a W3C Standard nor is it on the W3C Standards Track, but it gives a good overview of some of the key features that define a decentralized identity, or suitable self sovereign identity solutions moving forward. ‘’The next step toward the DID spec becoming an official W3C recommendation is the creation of a DID working group. The charter for a W3C DID working group is under review by the W3C right now. We will find out soon if the working group has been approved’’, said Brent Zundel, a blockchain community, in a response to Dragonchain. Brent is working closely with the W3C community, hoping that the DID working group becomes a reality. As of August 27, 2019, it’s still not too late to support the creation of the DID Working Group. Check this link for more information.
- Decentralization: Eliminate the requirement for centralized authorities or single points of failure in identifier management, including the registration of globally unique identifiers, public verification keys, service endpoints, and other metadata.
- Control : Give entities, both human and non-human, the power to directly control their digital identifiers without the need to rely on external authorities.
- Privacy: Enable entities to control the privacy of their information, including minimal, selective, and progressive disclosure of attributes or other data.
- Security: Enable sufficient security for relying parties to depend on DID Documents for their required level of assurance.
- Proof-based: Enable the DID subject to provide cryptographic proof when interacting with other entities.
- Discoverability : Make it possible for entities to discover DIDs for other entities to learn more about or interact with those entities.
- Interoperability: Use interoperable standards so DID infrastructure can make use of existing tools and software libraries designed for interoperability.
- Portability: Be system and network-independent and enable entities to use their digital identifiers with any system that supports DIDs and DID Methods.
- Simplicity: Favor a reduced set of simple features in order to make the technology easier to understand, implement, and deploy.
- Extensibility: When possible, enable extensibility provided it does not greatly hinder interoperability, portability, or simplicity.
This is far from a complete list, and some would argue ‘existence’ should be included too, among other things. Christopher Allen covered this in a 4200 words long article by the name of ‘The path to self-sovereign identity’ in 2016. Many of its content is rightfully used in the W3C report, as Christopher Allen is one of the authors of that same report.
As you can see, only having a reliable identity product ready to use is not enough. Having a blockchain platform like Dragonchain, with privacy at the core of its design, is not enough. It’s just not that simple to give everyone in the world control over their own personal identifiable information (PII). We’ll dive more into Factor towards the end of this article. First we’ll explore another critical piece of the puzzle that we solved with our identity product: pseudonymity.
We’ll give a short example right away to quickly understand. If someone enters a bar in the US, this person is required to show a government identification, such as a passport. This passport will prove that the person is over 21, because the date of birth is there. But a passport gives away much more personal data than needed. The server does not need to see the name, social security number, address, nor any information besides whether the person is over 21 years old; yes or no. Showing a complete date of birth would not even be necessary. With Factor, all data a person has to share with the bar is whether or not the person is over 21, nothing else. A person simply grants the bar permission to have a blockchain based certification that only proves whether or not the person is over 21.
It gets even more interesting to do this in a digital and decentralized manner, since the bar can now also send this person special offers on drinks, a bar membership, or even loyalty rewards, if this person opted in for it. After leaving the bar, the person can simply revoke access again. Now assume this person comes back to the bar next week. All that’s needed is to authorize the bar to access the necessary data again, the person can enter just like last week, even build up loyalty score, without ever enabling the bar owner to build a large database of personal customer information. This would also be interesting in regards to safety and security, as the bar owner can see which people or how many are inside the bar at any given time.
You might wonder now where this story is going. Well, this example in a bar leads to one of the existing challenges with decentralized identity. Beyond the need for the people to create and own their identities, it needs integrators too. It would be cool to have control over your own identity in the comfort of your own smartphone. And what if nobody accepts this? Whether it is the bar next door, a hospital down the road, or your (local) government. Ultimately it is up to the organizations that collect these massive amounts of data and profit off it to do better and behave smarter. They must integrate and accept when a person prefers to control its own data. This person is free to share only data necessary toward a specific purpose, service, or goal. On top of this, the business/enterprise must be compliant with a person’s right to be forgotten.
Once a person revokes access, or requests removal of data with just the push of a button, the company must cryptographically agree to do this automatically. When years later it turns out a company, government, or organization failed to actually remove the data from its servers, and that data is now part of yet another major data breach, this person has eternal proof that a request to remove data was not respected.
Another crucial capability for decentralized identity solutions is that the solution must be generic by design. This is something Joe Roets, CEO and founder of Dragonchain, tackled from the beginning with Factor ID. It’s not only generic, the dragonchain that Factor is built on was built with privacy by design, and with interoperability by design. This gets a bit more technical, but here are some of the key takeaways that W3C pointed out in this regard:
- DIDs from other DID methods may not be interoperable, just as URIs from different URI schemes may not be interoperable.
- DID methods may also be developed for identifiers registered in federated or centralized identity management systems. For their part, all types of identifier systems may add support for DIDs. This creates an interoperability bridge between the worlds of centralized, federated, and decentralized identifiers.
- Entities may need multiple DIDs to support different relationships, as the other party may only support certain DID methods, just as some browsers may only support certain URI schemes.
- Entities may need multiple DIDs to support the different cryptographic schemes of different DID methods, as not all parties will support the same cryptographic schemes, just as not all browsers support the same URI schemes.
- Managing multiple DIDs, and tracking which DID belongs to which relationship, under which cryptographic scheme, introduces similar logistical challenges as managing multiple web addresses and tracking which address belongs to which website, or tracking which email address belongs to which relationship.
Identity theft and protection against identity theft.
Identity theft is a big concern for people who share personal information regularly. The Identity Theft Resource Center found that a total of 1,579 data breaches and 178,955,068 records were exposed in the United States alone in 2017; while Varonis found that “58% of companies have over 100,000 folders open to everyone.”
Especially in the crypto world, users send selfies along with their passport to various exchanges who need it for Know Your Customer (KYC) purposes. On most exchanges, without completing KYC, you can only withdraw a certain amount of cryptocurrency, if any. The same goes with banks. Without providing them a copy of your passport, and a bunch of other personal information, a person won’t be able to open a bank account.
It’s near impossible to keep track of all the unknown sources and companies holding personally identifiable information (PII). Even closer to impossible is finding out how often it is shared with additional third parties without your consent. Nobody knows how many different servers and in which countries copies of our passports are stored. Nobody. And since people don’t have access to this information, they are forever unable to request removal of all or any known amount of their data.
With Dragon Factor, users will be able to control their digital identity on different devices. When they log into their account through different devices, it generates a token which records which device was trying to access the account. A user can view their tokens and delete access to devices if their data was accessed through an unauthorized device. Users will also get a notification if there are multiple attempts to view their Dragonchain Certificate ID. If that’s the case, users are able to invalidate that certificate and generate a new one.
Proof of human
Dragon Factor can provide two-way authentication between two individuals on its app.
If two individuals were to meet up in person, they will be able to exchange selfies, which can prove each person is not a bot. When the individuals meet, their Factor app on their phone would be able to take a photo of each other in real time, which will be recorded with their signature and added onto a hash.
When individuals authenticate each other, they are adding value to themselves. When they add more truths to their own hash, the individual becomes more reliable. If that person is more reliable, they can offer themselves as an authentication service for others. There’s a lot more to it, of course, but we’ll save that for another time. Think about artificial intelligence and obvious patterns to recognize bots. Factor is grandma proof, as she would only have to make a call to someone to get back access to her digital identity.
When we think about data breaches, the first coming to mind right now may be Cambridge Analytica. As shown in The Great Hack on Netflix, this data company ‘came to symbolise the dark side of social media in the wake of the 2016 U.S. presidential election’, as uncovered by journalist Carole Cadwalladr. For the first six months of 2019, the number of data breaches increased by 52% compared to the same time last year. That's according to a new mid-year report by RiskedBased Security.
‘’Through June 30, 2019, 3,813 data breaches had been reported, exposing more than 4.1 billion records. The business sector accounted for 67% of reported breaches, with medical coming in at 14% and government at 12%. Over the first two quarters of 2019, eight breaches exposed 3.2 billion records or 78% of all records exposed through June 30. Hacking remains the No. 1 tool for breaches, accounting for 82% of all reported incidents. About 70% of the data exposed was email addresses. Passwords made up about 65% of data exposed in breaches. Already in 2019, three breaches have made the list for the ten largest breaches of all time’’.
Facebook’s data breach
Last April 2019, Facebook said that it has "unintentionally uploaded" the email contacts of 1.5 million new Facebook users since May 2016. A security researcher recently noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was "importing" your contacts without asking for permission first. Facebook has now revealed to Business Insider that it "unintentionally" grabbed 1.5 million users' data, and is now deleting it.
Mariott’s data breach
The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million (\$123 million) fine for a data breach that exposed up to 383 million guests.
Marriott revealed last year that its acquired Starwood properties had its central reservation database hacked, including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018. Marriott later pulled the hacked reservation system from its operations.
Quest Diagnostics’ data breach
A massive data breach has struck Quest Diagnostics and the information of up to 11.9 million patients has potentially been compromised.
The US clinical laboratory said that American Medical Collection Agency (AMCA), a billing collections provider working Quest, informed the company that an unauthorized user had managed to obtain access to AMCA systems.
Equifax’s data breach
In September of 2017, Equifax announced a data breach that exposed the personal information of 147 million people. The company has agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to \$425 million to help people affected by the data breach.
US citizens can file a claim at the Federal Trade Commission (FTC), same as the Cambridge Analytica breach, but the process is complicated.
MyFitnessPal data breach
The MyFitnessPal app disclosed a data breach last year affecting as many as 150 million users. Now, some of those stolen credentials are popping up for sale on the dark web. Not only is data from Under Armour’s MyFitnessPal, a diet and exercise community, being offered, but hackers also have their hands on credentials from 15 other websites. The asking price: Less than \$20,000 in Bitcoin, according to a report from The Register.
Privacy laws to consider
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has emerged into greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.
The California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018.
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) was placed into effect. which gives users more control over their personal data. Users have the right to share as much Personal Identifiable Information (PII) as they want, but they also have the right to be forgotten. PII includes information that can be tied back directly back to an individual (e.g. name, social security number, phone number, and address).
Singapore Personal Data Protection Act 2012 (PDPA) is a law that governs the collection, use and disclosure of personal data by all private organisations. The Act has come into full effect on 2nd July 2014. Organisations which fail to comply with PDPA may be fined up to \$1 million and suffer reputation damage.
Online privacy in Japan is primarily governed by a general law, the Act on Protection of Personal Information (APPI), rather than a specialized law on online privacy. The APPI applies to business operators that hold the personal information of 5,000 or more individuals. Japan has other personal information protection laws that apply to the government and public organizations.
The APPI does not provide the details of personal information protection, but establishes basic rules. It requires all business operators handling personal information to specify the purpose for which personal information is utilized. Data subjects can request disclosure of their personal information that the business operators hold.
Data breach notification laws
Security breach notification laws or data breach notification laws are laws that require an entity that has been subject to a data breach to notify their customers and other parties about the breach and take other steps to remediate injuries caused by the breach. Such laws have been irregularly enacted in all 50 U.S. states since 2002, with the last 3 states having no privacy laws protecting citizens as late as 2016. New Mexico only passed their privacy law in 2017 and South Dakota and Alabama in 2018 . These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.
The first such law, the California data security breach notification law, was enacted in 2002 and became effective on July 1, 2003, according to Wikipedia.
Invasion of privacy
Factor enables individuals and businesses to:
- Determine where data will be stored, including the geographic region, and allow for tighter control over jurisdictions where nodes are operated.
- Keep data private and ensure it never leaves the private blockchain unless explicitly granted, or by including references to the underlying data (stored elsewhere) in the form of a hash value in the payload.
- Comply with requests to be forgotten. This is accomplished by removing the underlying data (“off-chain”) reference via a hash value.
- Filter access control to applications, providing selective exposure of specific factors.
- Eliminate liabilities, such as the retention of PII or other sensitive data.
Who should own your digital identity?
The simple answer is every individual should have complete ownership over its own personal data and digital identity. This does not necessarily mean the individual is the only one with access to his or her own data. The companies a user trusts with specific information will have ownership and responsibility over that data too, until the individual revokes access or asks for removal of any data.
It's not one size fits all. And we are still very far away from the ideal situation where identities are no longer owned by tech giants such as Facebook or even governments. Ultimately, in some cases such as governments, we might never experience in our lifetime the day that rather than governments, the people themselves and the people alone have control over their own digital identity.
Different identities with different identity platforms and products.
This leads us to a great question asked on Twitter by OnchainAi: ‘’If a provider does not accept your preferred decentralized identity platform, what can be done to prevent having to set up multiple identities across multiple platforms (civic, Microsoft, dragonchain, etc)?’’
This is one of the many challenges to overcome in time, with great minds coming together, and with large corporations working together. It is possible, and only requires mutual agreements, integrations, and support between the various identity providers. A user only needs to create a Factor ID without needing to use 100 different identity providers. The person then must only give permission for sharing specific data with the other identity provider, so it can then be delivered to the organization, who only decides to use x identity provider. Just as we enable interoperability between all blockchains, we should ideally also enable interoperability between all DID providers
Another Twitter user, BitBuyTheCoin, had a follow up question regarding this, furthermore demonstrating how early we are with decentralized identity systems, and how much more thinking and regulations are needed: “Also it occurs to me, how does this work for parents or guardians of children? The parent is ‘in charge’ of their children's identity until the age of 18?”
Again a great question. Parents should be in charge of their children's data, yes. And parents should also be able to hand over control of some factors and providers to their children as they grow older. A parent can control at what age the child can decide to have its own ID. A parent can also control which factors the child is allowed to have in its Factor ID, in order to send it to Facebook or other parties to complete the sign up process for their own profile once age 13. It would be a great way to teach children early how important and valuable their digital identity is, and how to properly handle it. The beauty of Factor is how generic this identity product is, so any feature can be added and integrated, as needed or requested.
The potential and use case examples.
Personal Identity Providers (PIP)
Factor’s PIP will be partners who will supply their services to Factor. PIPs have a need to expose their services to a more general audience. They all have a goal to provide a better solution for global identity and access management. Factor will bring together PIPs in the industry.
The users are individuals who need a solution to protect their identity. They want more control of their data and want to monitor who has access to it. For some users, they will be able to use Factor as a way to earn revenue, such as allowing research or advertisers to use their data for advertisements. With Factor, users can trust that they will be in control of their PII.
Enterprises have a need to do background checks on their employees and their customers, depending on their business. With Factor, enterprises can use our trusted PIP to request background checks. Enterprises will have the assurance that Factor will not hold data or expose data.
Monetizing your own personal data
When the Facebook/Cambridge Analytica problem was exposed, users found out their data was sold to a large variety of third parties, and then again sold to fourth, fifth and who knows how many more parties, without their permission. With Factor, Dragonchain gives users the chance to earn money with their own PII if they choose to. Factor will allow users to sell their data to third parties, and earn money in the process. With Factor, users will have control over which companies have access to their identity.
Internet of Things (IoT)
Devices need to have automatic verification without a human authorizing it. Factor will be compatible with IoT (Internet of Things).
Factor is a GDPR-compliant decentralized authentication identity service. It provides the tools necessary to protect and control data, while utilizing Dragonchain’s hybrid public/private blockchain platform. This allows users to completely own their data, and dictate who can have access to it. Factor users will have access to an array of Personal Identity Providers (PIP) who provide identity factors.
Now let’s look at a possible real world use case for your Factor DID. You already have your Factor profile with all your personal factors inside the app on your device. Which only you own, and you control who is granted permission to access specific factors.
- You go to the doctor
- Doctor sends you a request for factors
- You accept to share it with the doctor (can even demonstrate you deny access to some factors that he doesn't really need)
- He receives certificates about your identity, that automatically fills in the form fields for the intake (no need to fill in the form from scratch there, you just checkmark the factors you want to provide to the doctor)
- Next you go to specialist
- Again you receive a request
- Just needs 3 additional new fields that aren’t in your profile yet.
- New fields are also added to your personal profile's factors for future use.
Instead of a form, you simply receive a request with a list of factors. And the three missing factors from your profile required by the specialist, will have an infobutton that says 'This factor is not available in your profile yet, would you like to create it?' After creating it, you can checkmark that factor too in order to proceed with the confirmation.
Now let's say you have a car insurance policy with X company. You sell your car, and cancel your car insurance. In the past you granted them permission to the factors they need. Now you can revoke access in Factor, if they haven't done so yet on their own after cancelling the insurance. Just browse the list of providers that you granted access. Find the car insurance. Revoke access. This sends an automated email to the car insurance.
''Hey, I'm not a customer anymore. even though I might be one again in the future, you have to delete all my data from your server. This includes, but is not limited to, my credit card information. I have it saved in my Factor profile, and you can request access again when I return as a customer. Please respect my right to be forgotten''.
If you’d like to learn more about Factor, or work together on decentralized identity, please contact us.
Joe Roets, founder & CEO at Dragonchain: "We think that blockchain and decentralised identity (DID) can be applied in many areas in healthcare. I'm particularly interested in using blockchain technology and decentralised identity features to control administration of medicines and other tracking. Imagine if you were able to apply a workflow process wherein you'd be guaranteed to have multiple human checks on dosage, treatment, timing, etc., combined with machine learning/AI for a sanity check. The human approvals would be tracked and could be incentivized for accuracy/success (and liability), and the entire process could be overridden by humans if necessary. Advanced workflows could be modeled wherein a single human or AI participant raising a red flag would require added interaction with other humans before the medicine could be administered. Also, remote site interaction/verification could be required. With all of the above though, a big issue (especially with use of blockchain technology) is HIPAA and other healthcare records privacy requirements and regulations (including general privacy regulations including GDPR)."
"For this reason, we have a DID product (Factor) that is GDPR capable and allows the identity owner (in this case the patient) to own their data, which allows the user to control (1) where individual data elements (Factors) are stored, and (2) access to that data. The interesting point for healthcare is that flexibility for integration into existing systems, where even if we don't get the most ideal implementation where a user actually holds their own data, at least the user will (1) have transparency into use/access of their data by healthcare professionals, and (2) be able to change access rules and execute deletion or a transfer of that data per GDPR or other privacy features."
"It's probably a discussion too long for here, but the Dragonchain platform itself is what makes all of this workable. It's philosophy and architecture are focused on scaling blockchain for real business use cases. On top of this platform, we have a solution for interoperability (Interchain) to connect both blockchain and traditional systems for any purpose which would likely have a purpose in healthcare implementations."