Consequences of the Crisis, Part II: Digital identity to the forefront


In part 1 of this series, I identified the politicization of digital payments as one blockchain-related consequence of the ongoing crisis. Number two on the list is how the crisis will accelerate the need for true digital identity. No lesser an authority than Bill Gates commented on this in a recent Reddit AMA. Asked about the changes the business world would have to make to accommodate social distancing, he said:

“Countries are still figuring out what to keep running. Eventually we will have some digital certificates to show who has recovered or been tested recently or when we have a vaccine who has received it.”

What he was referring to was the fact that to bring the economy back online while preventing another flare-up of the virus, governments will have to figure out an efficient means of authorizing who is allowed to be where. This may include essential workers, those who’ve recently tested negative and those who are demonstrably immune. The simplest way to do that is via digital identity, but there are two conflicting approaches to providing it. To understand how they differ, we need to review some history.

The internet has always had an identity problem, best understood through the lens of how identity used to work. Back in the pre-web era, your identity was established by a series of physical documents. They were issued by governments (your driver’s license) and corporations (your bank statement) and organizations (your college degree).

Proving your identity, or some aspect of it, was done by presenting those physical documents in person. The most important ones included a picture to make authentication easy. For greater assurance, the verifier may have reached out to the issuer to confirm authenticity. The system wasn’t perfect, but worked well enough. Security was provided by the fact that people are difficult to impersonate and physical credentials are hard to forge.

The internet challenged that model because digital presence is easy to spoof and digital documents are easier to counterfeit. The first solution to this problem was the clunky username and password (and your mother’s maiden name, and your Authenticator code…) login method we’ve all grown to hate. It’s not secure and doesn’t scale, so something better was needed.

That something turned out to be the federated approach. Instead of establishing your identity with every website independently, you establish it with a single online authority who has built the infrastructure to share your info with others and provide some level of attestation upon request. So long as you trust the purveyor with your sensitive data, only a single login would be needed. Federated ID sounds like a solid solution on paper, until you realize that one of the largest providers is Facebook.

There are other, less shady providers of a “login with XYZ” solution, and various industry consortia and even governments are rolling out their own versions, but the fact remains that all federated solutions require users to surrender personal information to a third party. At best, they only occasionally abuse the privilege and slightly monetize your data. At worst they get hacked and spill everything. The incentive structure is all wrong, and the more popular a federated solution becomes, the more likely something bad will happen.

Blockchain technology enables a third way. There is still third-party infrastructure for the sharing of digital credentials (in the form of a distributed ledger) but its only function is to authenticate the source and originality of a credential. The actual data of that credential (address, credit score, etc) is stored inside your mobile wallet and shared with the recipient of your choosing in P2P fashion. That’s why blockchain-based digital identity is referred to as “self-sovereign identity”, or SSI. There is no data play for a corporation or honeypot for hackers. The ledger is transparent, but its data is useless to anyone other than the two parties involved.

This brings us to the present, where most people agree that some kind of digital identity solution is very much needed. The question is which approach. The centralized federated approach or the decentralized self-sovereign one?

Ironically, the best thing the more advanced blockchain-based solution has going for it is how much it resembles the pre-internet way of doing things. There was no need for any third party when the DMV would mail you a license that you’d use to get into a bar. SSI works the same way, but substitutes a digital wallet for a physical one and a blockchain for the unique plastic and the hologram. SSI also enables new features that the physical model didn’t, such as revealing your DOB to the bouncer without revealing your home address.
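The split described above (credential data in the wallet, only an authenticity anchor on the ledger, and disclosure of a single attribute such as the DOB) can be sketched in code. This is an added example, not part of the original post. It assumes the issuer anchors a Merkle root of salted claim hashes under its identifier, which is one possible design; the ledger is modeled as a plain dict, and every name in it (`did:example:dmv`, the claim fields, the function names) is hypothetical.

```python
import hashlib, json, secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(name, value, salt):
    # The per-claim salt stops a verifier brute-forcing undisclosed, low-entropy claims.
    return h(b"\x00" + json.dumps([salt, name, value]).encode())

def merkle_levels(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                 # odd level: pair the last node with itself
            cur = cur + [cur[-1]]
        levels.append([h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def issue(claims):
    """Issuer: build the credential for the holder's wallet; only the root is published."""
    order = sorted(claims)
    salts = {n: secrets.token_hex(16) for n in order}
    cred = {"claims": dict(claims), "salts": salts, "order": order}
    root = merkle_levels([leaf(n, claims[n], salts[n]) for n in order])[-1][0]
    return cred, root.hex()

def present(cred, name):
    """Holder: disclose one claim plus the sibling hashes needed to reach the root."""
    levels = merkle_levels([leaf(n, cred["claims"][n], cred["salts"][n]) for n in cred["order"]])
    idx, path = cred["order"].index(name), []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append((level[idx ^ 1].hex(), (idx ^ 1) < idx))   # (sibling, sibling_is_left)
        idx //= 2
    return {"name": name, "value": cred["claims"][name], "salt": cred["salts"][name], "path": path}

def verify(pres, ledger, issuer_id):
    """Verifier: recompute the root from the disclosed claim and look it up on the ledger."""
    node = leaf(pres["name"], pres["value"], pres["salt"])
    for sib_hex, sib_is_left in pres["path"]:
        sib = bytes.fromhex(sib_hex)
        node = h(b"\x01" + (sib + node if sib_is_left else node + sib))
    return node.hex() in ledger.get(issuer_id, set())

# Constructed sample data: a licence with three claims, anchored by a made-up issuer id.
CLAIMS = {"name": "Alex Example", "date_of_birth": "1990-04-12", "home_address": "1 Constructed St"}
CRED, ROOT = issue(CLAIMS)
LEDGER = {"did:example:dmv": {ROOT}}            # all the ledger ever sees
PRES = present(CRED, "date_of_birth")           # what the bouncer receives
```

The root and sibling hashes are identical in every presentation, so two verifiers who compare notes can link them to the same credential. This sketch also has no revocation or holder binding, so anyone who obtains a copy of a presentation can replay it.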

The federated solution on the other hand requires an additional intermediary for storage and sharing. There is no old-world analog to this approach, other than perhaps the credit bureaus in the US, and we know how that went.

I am very much in favor of the SSI approach. It respects the importance of issuing authorities (like the DMV, or a medical test center) but eliminates the dangerous middle layer that only exists due to the inherent flaws of the web’s architecture, flaws that are now being addressed with blockchain tech. There is already a sophisticated SSI community in place, and its members have rallied to respond to this moment. There are also cool startups such as MedCreds building easy-to-use, end-to-end solutions to empower this approach.

But I fear that society is not ready. Decentralization still scares people in too many ways that it shouldn’t, and the back-end infrastructure hasn’t been battle tested enough. What’s more, there’s something about a pandemic that scares everyone into the arms of the big and powerful — like the mega tech companies that are dying to get their hands on all of our data, including our medical data. They’ll say the right things about privacy and protection, just as they have been for years. Then they’ll break those promises (just as they have been for years).

The resulting backlash might be just what the SSI community needs to make its case. Either way, the need for digital identity will now be thrust into the limelight.

The opinions expressed here are strictly my own and not those of any client, employer or associate.