Public blockchains are the right place to store your encrypted personal data and then use it as needed to log in to different services. There is no need to trust one big company to do this for you. Here’s how that will work.
Does it make you uncomfortable how much personal information Facebook owns and controls about you? If it doesn’t, it should. Allowing Facebook (or any other company, for that matter) to own and control your identity on the Internet certainly isn’t safe, but fortunately, new technology means it also isn’t necessary. Using a public blockchain to store your identity, you can log in just as easily to different places, can’t get hacked, and you stay in control of who knows what about you.
There are a thousand interesting things going on with blockchains, but for this discussion, this simple definition will suffice: A public blockchain is a new kind of database, one that is maintained by thousands of different people and companies, at the same time. Information written to that database is permanent — it can’t be changed and it can’t be lost, because all these different people have a vested financial interest in keeping the exact same database up to date. If they can’t agree on the contents being identical, they don’t get paid! So, for example, I can write the message “Philip loves High Fidelity” to a public blockchain and it will stay there — forever — for everyone to see. That little chunk of data lives at a certain “address” on the blockchain, and when I write it, I also create a password that lets me prove to someone else that I am the person who originally wrote it. And that’s actually all you need to know about the blockchain to understand its use for identity.
Identity Service as Notary
To get started, you first use a third-party identity service to inspect your identity information and then have it write, to a public blockchain, a proof that it verified that information. This is similar to how you use a Notary Public to verify that you signed something important: the notary checks your ID, watches you actually sign the document, and then puts their seal on it to certify that it was signed, along with recording the fact in a registry of some sort. In this case, though, you won’t usually have to do it in person.
In this new process, the ‘notary’ is the identity service, and the ‘registry’ is the public blockchain. This is a one-time thing, and the identity service can throw away the data after they inspect it for you. Several startups like uPort and Civic, as well as big companies like Microsoft and IBM, are either building solutions or already have them. Note that the identity service isn’t the same service (social network, etc.) that you are ultimately going to be using, and therefore won’t know anything about which services you later use, or what you do there. And actually logging into a particular service (as described next) leaves no ‘digital exhaust’ on the public blockchain that can be connected to you or used for marketing, etc. This process decentralizes online identity by breaking it into two parts: verifying your identity, and then using that verified identity to actually log in somewhere, which is the next part.
Later, whenever you log in to a new website, access a virtual world, or want to buy something, you will use an app or browser plugin to prove to the site or service that you are who you say you are. It’s as easy as that. Because you have a password to the public information that was initially verified by the identity service, you can prove at any time that you own that piece of data (say your email, phone number, or a credit card number).
The actual public record can also be encrypted, so that when you prove that you ‘own’ the data (by cryptographically signing a message with your password), you also tell the service how to decrypt it. Having your phone number stored on the blockchain doesn’t have to mean that everyone can read it. The service provider doesn’t need to store any of your identity information, because they can ask you for it anytime they need it and verify the authenticity of what you are telling them against the blockchain.
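The flow described above (notarize once, then prove ownership and disclose the decryption key at login), as an added example that is not from the original article or from any of the identity products it names. It assumes the article's "password" is an Ed25519 private key, the record is encrypted with AES-256-GCM, and an in-memory Map stands in for the blockchain; all function names are hypothetical.

```javascript
// Added example: a Map stands in for the public blockchain; all names are hypothetical.
const nc = require("node:crypto");
const chain = new Map(); // address -> public record (append-only on a real chain)
const notary = nc.generateKeyPairSync("ed25519"); // identity service's signing key
const pubDer = (k) => k.export({ type: "spki", format: "der" });
const recordBody = (pub, s) => Buffer.concat([pubDer(pub), s.iv, s.ct, s.tag]);
const challenge = (addr, nonce) => Buffer.concat([Buffer.from(addr, "hex"), nonce]);

// User: encrypt one fact under its own AES-256-GCM key so it can be disclosed on its own.
function encryptFact(fact) {
  const key = nc.randomBytes(32), iv = nc.randomBytes(12);
  const c = nc.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(fact, "utf8"), c.final()]);
  return { key, sealed: { iv, ct, tag: c.getAuthTag() } };
}

// Identity service: after checking the fact off-chain, seal (owner key + ciphertext) and publish.
function notarize(ownerPub, sealed) {
  const body = recordBody(ownerPub, sealed);
  const address = nc.createHash("sha256").update(body).digest("hex");
  chain.set(address, { ownerPub, sealed, notarySig: nc.sign(null, body, notary.privateKey) });
  return address;
}
// User: prove ownership by signing the service's fresh nonce, bound to the record address.
const respond = (priv, addr, nonce) => nc.sign(null, challenge(addr, nonce), priv);

// Relying service: check notary seal, then ownership proof, then decrypt with the disclosed key.
function verifyLogin(addr, nonce, sig, factKey) {
  const rec = chain.get(addr);
  if (!rec) return null;
  const body = recordBody(rec.ownerPub, rec.sealed);
  if (!nc.verify(null, body, notary.publicKey, rec.notarySig)) return null;
  if (!nc.verify(null, challenge(addr, nonce), rec.ownerPub, sig)) return null;
  try {
    const d = nc.createDecipheriv("aes-256-gcm", factKey, rec.sealed.iv);
    d.setAuthTag(rec.sealed.tag);
    return Buffer.concat([d.update(rec.sealed.ct), d.final()]).toString("utf8");
  } catch { return null; } // wrong key: the GCM tag check fails
}

function demo() {
  const user = nc.generateKeyPairSync("ed25519"), mallory = nc.generateKeyPairSync("ed25519");
  const { key, sealed } = encryptFact("alice@example.com"); // constructed sample fact
  const addr = notarize(user.publicKey, sealed), nonce = nc.randomBytes(16);
  const sig = respond(user.privateKey, addr, nonce);
  return { ok: verifyLogin(addr, nonce, sig, key),
    replay: verifyLogin(addr, nc.randomBytes(16), sig, key),
    impostor: verifyLogin(addr, nonce, respond(mallory.privateKey, addr, nonce), key) };
}
console.log(demo());
```

The relying service issues a fresh nonce per login, so a captured signature fails against any later challenge, and it learns the fact only because the user handed over that one record's key.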
You may have noticed that this process is similar to how you ‘Login with Facebook’ or ‘Login with Twitter’ — you are now trusting the blockchain to store your identity facts, where formerly you were trusting one of these big services to essentially ‘forward’ stuff about you to another service. Where before you had to trust at least one big company, now you have the choice to manage your identity yourself, and trust no one.
Resetting Your Password, and Two-factor
You may have read scary stories about people losing their bitcoin passwords and being unable to recover their money, but this isn’t necessary either. That same identity service provider I mentioned earlier can also offer you a ‘locker’ service where you store your various credentials and assets together under one password that can also be reset if you lose it, in the same way you request a password reset today on a centralized service. This same mechanism can be used to require a second level of authentication on important transactions (for example spending money beyond a certain amount).
These lockers will be offered by many different providers, in the same way we have numerous certificate issuers and password services today. And this means that even if you use a dumb password on your locker (please don’t, though), an attacker would still have to guess which locker provider you used — hacking into a service you use wouldn’t give them anything.
Why It’s Better
Time and convenience: You only need to verify/enter your identity information once to be able to give it to any service you need to use. So no re-typing of email addresses or phone numbers.
All types of identity can be stored: This same technique can be used to validate and store things like payment methods, government ID, voter registration, driver’s licenses, group memberships, or anything else you’d like to store. Facebook isn’t interested in keeping your passport on file, and you wouldn’t want to let them do that anyway!
Strong protection against identity theft: Because each of your identity facts is stored encrypted at a separate location on the public blockchain, you only give out the specific information that a given service needs, and only for so long as it is needed. For example, you wouldn’t need to give a website your home address — you’d only give that to someone trying to ship you something. If someone knows just your email, they will have no way of looking through the blockchain and finding a phone number or address connected to it. Today’s solutions (like Facebook or Equifax) mean that a hacker or internal employee can view the database and see all these pieces of information together in one place, allowing them to easily steal your whole identity.
Cannot be altered, revoked, or censored: Blockchain database entries can’t be changed once they are made. Today, Facebook could decide to stop allowing you access to another site where you use Facebook to log in, just because they wanted to. Equifax could decide they didn’t like you for some reason, and start reporting you as having a lower credit rating. This cannot be done with blockchain — once your identity has been written to the blockchain by an identity service, that verification cannot be taken back or altered.
Too big to fail: If Facebook or Twitter were to someday go out of business and shut down, you would be unable to log in to the many sites where you now use them. The blockchain can’t go out of business — it is made up of thousands of different individuals and institutions with a shared and equal interest in seeing it and its data survive.
A New Gold Standard
In summary: Whether logging into a virtual world, giving payment and shipping information, or posting to social media, the way to do it safely and with full control over your own privacy is to use a public blockchain to store your verified identity and other information. Cryptographically secure, decentralized public databases built on top of blockchains will likely become a gold standard for safety and security against which private companies and institutions are measured.
As consumers, we should all be demanding no less — that we are in full control of when and which identity facts we disclose to use online services, and there is no way that information can be leaked, stolen, or aggregated to be used without our permission.