A Critical Look at Sovereign Identity Startups

Over the past few years, people have become increasingly uncomfortable with aspects of their identity being owned and controlled by governments, corporations, and other entities. Although a 2016 Pew Research Center study indicated that Americans are sometimes willing to give up their privacy in exchange for discounts, the vast majority of people surveyed found certain tradeoffs unacceptable. Many expressed concerns about the security of information they shared, and anger about third-party advertising, invasive customer profiling, and the gathering of location data. If the outrage over Cambridge Analytica has been any indication, that concern has hit a boiling point.

But Cambridge Analytica is symptomatic of a deeper problem: the widespread mining and misuse of personal data. These types of data problems are a feature, not a bug. When information is offered for “free” on the internet, users (and their data) inevitably become the product. The internet is fueled by personal information, and much of it is mined without individual’s full knowledge, let alone consent. It’s not hard to find dozens of examples: Google tracking movements of users even after they have turned location data off, clandestine trackers found in various Android apps, Dropbox allegedly sharing anonymized data with researchers, Apple storing metadata on its servers for years. And that’s not even mentioning widespread data breaches. (Think: Experian, Yahoo, OPM—the list goes on and on.)  

The ability to take responsibility for maintaining one’s personal information in an electronic form, and choosing when to share or retain it is an intriguing prospect. Having control over one’s “identity wallet,” so to speak, would also allow users to transfer data that had traditionally been stored on one profile to another. For example, a rideshare driver, or user, currently can’t transfer their five-star rating from Lyft to Uber. They must work to build a new profile from scratch when switching services. “Owning” one’s data could, at least in theory, allow users to decide whether to transfer trust or reputation from one environment to another, rather than that information being siloed by specific companies.

With the way data is mishandled, sold, or stolen, the idea of sharing information with companies on a need-to-know basis is also appealing. People in the blockchain world call this self-management of personal data “self-sovereign identity.” It would allow individuals to decide how and when to selectively share their own data (or not), without relying on a third party to validate their identity. Beyond taking back one’s own identity, the vision is to create a new type of internet where users are consumers, rather than the product.

While stopping the shadowy world of data brokers from scooping up and selling information without regulation seems unrealistic, choosing which information to share in the first place seems a better bet. What if an individual wants a company to know they are over 21, for example, but doesn’t necessarily want to share their specific date of birth? Sovereign identity evangelists go far beyond that, asking questions such as, What if governments weren’t the entities responsible for doling out passports or ID cards at all? What if these solutions could work in developing countries where some people don’t even have banks?

A new wave of startups is offering a fundamentally different approach to data collection and use, and blockchain is a part of the picture, but not the whole picture. Various startups including Civic, uPort, ShoCard, and SelfKey all aim to offer variations of sovereign identity solutions, and they incorporate blockchains, though it’s not always entirely clear why. But the way these startups work is a little different than the way sovereign identity has been envisioned by enthusiasts.

Related: The U.N.’s Powerful New Way To Aid Refugees

As someone who puts a lot of time and money into trying to stay off of data broker sites, I became interested in sovereign identity startups both because the end goal is intriguing but also seems so implausible. I decided to take a critical look at these startups, addressing some of the misconceptions about how sovereign identity works as well as the divide between what you’d hear in discussion at a blockchain meetup and what some of the startups are actually doing.

Digitally Scanning, Not Replacing, Government IDs

The vast majority of these identity-management platforms are simply scanning and digitizing government-issued IDs rather than attempting to replace them. “We are platform agnostic as to how verification takes place,” says Armin Ebrahimi, CEO and founder of mobile digital ID startup ShoCard. “Financial institutions and airlines do need government ID in order to be able to authenticate someone.”

It’s possible that some countries may use different forms of authentication if, for example, many of its citizens don’t have government IDs and identity of individuals is established by their communities. But, again, none of these startups seem to be in the business of creating and issuing official identification documents. (This is probably for the best, at least from a business perspective, as startups predicated on the premise that governments would be likely to cede authority to them would probably be in for a rude awakening.)

The idea of working with unbanked people who have smartphones is even more far-fetched when you consider how much it costs to keep a phone charged relative to how much a poor person makes. (And keeping a charged phone is, of course, critical if your digital identity is stored on that device.) While it’s true that blockchain-based authentication has been used with poor populations, that’s to aid in transparency, and has been coupled with SMS: Aadhaar uses fingerprints and iris scans, MPesa uses SMS messages, and the United Nations uses iris scans for Jordanian refugees.

Luckily, not all myths surrounding sovereign identity point to areas in which solutions are missing the boat. One widely believed myth about sovereign identity startups is that they put unencrypted copies of people’s identification information on the blockchain. Luckily, they’re a bit savvier than that. For the most part, the information stored on the blockchain is a public key and an attestation. (An attestation, traditionally, is a claim that other entities endorse. In this case, pre-existing credentials are verified, and that information is stored on the blockchain, linked to the appropriate person.) The app creates a one-way hash of the individual pieces of data, and that information is signed with the user’s key. The digital signatures are proof that the entity provided the data. So basically, a user can send information to an entity—say, a bank—and that bank can look at blockchain records to verify that the data is authentic.

I’ve Got 99 Problems, and Onboarding is One

At the Consensus 2018 conference, Civic did a proof of concept demo with Anheuser-Busch in which attendees could scan a QR code with the Civic app and get a free beer if they were over 21. This, so far, seems to be one of the main use cases or applications to speak of. Which other existing entities are incorporating sovereign identity solutions? Not very many. Civic, arguably the largest startup in this space, has around 50 partners listed on its website, though most are hardly household names.

In the example of Civic’s crypto vending machine (and other similar use cases), trying to verify someone’s age in this model has challenges on its own, not least because it’s susceptible to abuse. “Who is going to be vouching for that correspondence between addresses and real-world identities? This is the difficult part,” writes information security professional Cem Paya in an email. “There are already companies who perform those services today (such as Jumio) by scanning IDs, and they offer verification services with a proprietary API, without any blockchains in the picture. How will those assertions get revoked when keys corresponding to the blockchain address are compromised? What prevents someone from selling or ‘loaning’ an already verified identity, especially when it involves only piecemeal attributes? You would not let a stranger borrow your driver’s license, but what if all you had is a piece of paper saying you are over the age of 21?”

Companies onboarding users to this type of tool have an uphill battle. Users have to leave the onboarding process, register with an identity wallet, scan their ID (sometimes with selfies for comparison and facial-matching, as well as liveness testing to determine that they are a real person holding the phone), respond to a multi-factor authentication message, unlock their phone to get the code they need, come back to the original site to enter that code, and then continue with the process… if a third-party vendor has even validated their identity documents, that is.

Why Blockchain?

Surprisingly, many of these sovereign identity startups have difficulty explaining why they’re on a blockchain to begin with, instead pointing to white papers or providing a somewhat opaque checklist of characteristics of the blockchain. They point to the immutability of ledgers, although ledgers can be appended, and the fact that there are other auditable, verifiable databases using, say, digital signatures and Merkle trees.

Blockchains come with downsides, too, and many of the benefits can be found using other technologies. For example, companies could issue an X.509 certificate or some other certificate structure that allows for the authenticity of edits or redactions to be verified. X.509 public key certificates are used in many internet protocols, including TLS/SSL (the basis for HTTPS), as well as electronic signatures and other offline applications. These certificates contain a public key and an identity (such as an individual, organization, or hostname). They are either self-signed or signed by a certificate authority.

Startups also point to the transparency of public ledgers, in spite of the fact that many of these startups use private blockchains, which enable shared databases but are not public-facing. Additionally, sharing data publicly doesn’t necessarily require a blockchain—just look at usaspending.gov, or Companies House in the UK. Many of these startups point to the pseudonymity of the blockchain, but it’s possible to hash public keys outside of the blockchain. They point to blockchain network decentralization, and that one would need to control 51 percent of the network to either fork it to submit a fraudulent transaction or successfully alter recorded data. But it’s worth noting that the number of entities controlling the majority of bitcoin mining can be counted on one hand. One only needs a few people to collude, rather than the entire network.

There are other ways to cryptographically sign information and make it verifiable, and it’s unclear that there’s a reason to put this on the blockchain, which, again, requires new users to punish themselves with an opt-in process when the value proposition isn’t quite there.

Some apps, like SelfKey, appear to merely be recreating the system required to provide public-key encryption and digital services, public-key infrastructure or PKI, on the blockchain for reasons that aren’t entirely clear. It’s worth noting that the blockchain isn’t necessary for publicly verifying identity information or other information with limited third-party trust.

“Blockchain offers the ability to transfer value around the world using cryptocurrency,” says uPort Community Manager Kames Cox-Geraghty. “To have your same identity have symbiotic relationships with cryptocurrencies and other distributed applications makes interoperability much easier.”

Some, like Civic, pointed to low costs, since no intermediary was needed to manage information or impose uncompetitive fees. But databases are cheap, though they become cheaper if one is not relying on third parties to verify information. It’s possible that centralizing KYC (Know Your Customer) and AML (anti-money laundering) efforts could reduce costs for businesses and therefore customers if the businesses and customers are willing to rely on them for that. Ironically, it is centralization that creates the cost savings, since sovereign identity companies are building an ecosystem system which puts themselves in the middle.

Leveraging Blockchain Sometimes Makes Sense

In some instances, building identity solutions on the blockchain is logical. Using a blockchain-native authentication for a product that requires identity information as well as cryptocurrency makes sense.

For example, uPort hopes to connect decentralized identities to cryptocurrency, so it makes sense to use a system that’s not built in its own isolated environment. “Blockchain offers the ability to transfer value around the world using cryptocurrency,” says uPort Community Manager Kames Cox-Geraghty. “To have your same identity have symbiotic relationships with cryptocurrencies and other distributed applications makes interoperability much easier.”

Another example is Cambridge Blockchain (not to be confused with Cambridge Analytica!), which is based on a private Ethereum blockchain. It’s taking advantage of new General Data Protection Regulation rules with which  businesses must comply. GDPR is a regulation on data protection and privacy within the European Union. Cambridge Blockchain is working with a consortium of banks in Luxembourg. Its solution allows users to share encrypted data between parties and verify that the data was shared and that it provides some validation.

“We’re basically trying to replace a bank’s existing KYC infrastructure that would allow for reuse of testing information,” says Andrew Trainor, a software engineer at Cambridge Blockchain. “If one bank checks all your information, and decides that you don’t launder money, and is going to give you a bank account, there’s no reason that another bank shouldn’t be able to say, ‘Oh okay, we trust that first bank that you’re already a customer with; therefore, we’re going to make you a customer and skip all of those steps.’”

But getting banks to agree to this and to talk to each other’s systems may not be as easy a sell for banks that are not in need of a new system as a result of GDPR. Not all banks are organized in a consortia; others may be worried about exposing themselves to risk of fines. And it’s not just banks that might not be excited about jumping through hoops to work with sovereign identity start-ups.

“The other challenge is bootstrapping,” writes Paya. “There is a feedback between users possessing a certain type of identity (such as Facebook account) and sites willing to recognize that identity (by, for example, offering a “Sign in with Facebook” button). This can lead to fast growth and emergence of oligopolies where a few ID providers dominate the space such as Facebook and Google for online authentication, or it can mean the incumbents face a difficult uphill climb.” Since so few individuals have signed up for blockchain-based identification, Paya says, merchants and websites don’t feel the need to accept it. Conversely, because there’s so few places for people to use blockchain IDs, they have little incentive to get one.

Basically, users need a better value proposition to go through the process of signing up for sovereign identity solutions, and the companies able to provide that value need more users to justify putting resources into it. A competitor in the scope of authentication is FIDO, which now has Google, Firefox, and Edge support, in addition to  a hardware system to keep keys safe. Although privacy enthusiasts might prefer the decentralized nature of a blockchain-based authentication tool, they represent a niche community rather than the majority of the public.

To adopt a new system, users must be confident in it. Unfortunately, right now, there are more questions than answers about how sovereign-identity startups might work. If private data is stored locally and users can encrypt it on their own devices (or back it up on the cloud), who is responsible if it’s not stored properly and the information is compromised? How would lost passwords work? What mechanisms would be in place for recovery of social media profiles? How would revocation be handled?

The Path Forward

Another ironic twist in decentralized sovereign identity solutions is that multiple startups are competing to be the key players in this space. It’s unlikely that one entity will become the major player. If the idea doesn’t fizzle and die, the way forward for sovereign identity startups is for a company with an enrolled base of users to adopt a centralized standard around which an ecosystem could develop, with different startups adapting to that standard. There are some attempts at standardization via the W3C Verifiable Working Claims group, and a private attempt at standardization through Sovrin.

Companies with an enrolled base of users could adopt a standard to interoperate with each other, and startups can become players in the ecosystem. If friction is eliminated for user signup, and there’s a clear incentive for the user to sign up in the first place, sovereign identity solutions may yet prove the doubters wrong.