After more than a quarter-century of the commercialization of the Internet (the first email was sent in 1989), we still struggle to verify our identities in the digital world. Despite the availability of technologies that would let us keep a single digital identity, we are forced to create and maintain many versions of ourselves on the Web.

On July 5th, 1993, The New Yorker published an image of a dog seated at a computer telling his companion that “on the Internet, nobody knows you’re a dog”. This image, by the artist Peter Steiner, has become a symbol of how anonymity works on the Internet. And it is as relevant to the digital world today as it was 25 years ago.

Image by Peter Steiner published in The New Yorker in 1993

The Right to Identity is a Fundamental Human Right

And it’s protected by international law.

Yet, according to the World Bank, today, in the 21st century, around 1.1 billion people on Earth cannot prove their identity. Of these, 40% are children under the age of 18 (and around 74 million are under the age of five; you can inspect the data set here).

This is a dead-end that prevents people from experiencing their citizenship to its fullest potential. They cannot exercise a wide range of rights or consume fundamental services. Without an ID, adults and children have no access to healthcare or education. Opening a bank account to perform a standard financial transaction is out of reach. The even darker side of these circumstances is that these people become vulnerable to various crimes, human trafficking, child abuse, or prostitution.

To prevent an escalation of this condition, the United Nations Sustainable Development Goal 16.9 specified an aim:

“By 2030, provide legal identity for all, including birth registration”.

Verification of Digital Identities Is Nearly Non-Existent

On the Web, claiming your identity is somewhat complicated.

In the physical world, we use paper credentials such as ID cards, passports or birth certificates.

These documents, however, do not exist on the Internet. For years, we have been spreading personal data across many fragmented identity systems that lack the necessary portability. Moving identities between online service providers became cumbersome, if not impossible. As a consequence, we end up with many digital identities, multiple versions of us.

While traveling cross-border, your passport is the single most important document proving your identity. It’s a standard that every country accepts. It has a machine-readable format and the issuer, your government, is a trusted source.

The key problem for adopting one trusted, digital identity is the lack of a standard way to verify and process digital credentials. In a physical setup, a human can judge the authenticity of the paper document just by looking at it. Repeating this procedure online is hard.

In fact, the W3C (World Wide Web Consortium), the organization responsible for defining Web standards, is in the midst of solving these problems. The W3C, led by the inventor of the Internet Tim Berners-Lee, has formed a task force with the mission of finding a way to express, exchange and verify so-called verifiable claims (e.g. healthcare data, bank account information, or education qualifications) securely over the Web.

India’s and Estonia’s Experiments With Digital Identities

One remarkable example of how digital identity changes a whole nation is India’s Aadhar, a massive digital identity program that aims to introduce one unique identifier for all of India’s residents.

Under this scheme, people are able to access a wide range of services and interact with businesses using just their Aadhar number (available also as a card).

The effects are already visible. In only four years, the number of the unbanked population dropped from 557 to 233 million (between 2011 and 2015), a 40 percent decrease.

Experts argue, however, that with its centralized design, the Aadhar program is not free of flaws. Having one database with all its citizens’ data is a potential single point of failure and a desired honeypot within the hacker community. A whole nation’s compromised database would lead to a catastrophe.

Another example of an experiment with the concept of digital identity is Estonia’s e-Residency program.

Estonian X-Road Architecture

The nation’s plan is to extend its citizenship beyond its physical boundaries. Unlike Aadhar, e-Residency is a purely commercial initiative. Since its launch in 2014, nearly 28 000 digital residents have been using this platform, establishing around 5000 companies.

It allows its e-citizens to perform a range of commercial actions across the public and private sectors, including registering a company, opening bank accounts or buying real estate.

Moving From Centralized to Self-Sovereign Identity

The Internet needs a common identity layer. The current setup has reached its tipping point. Organizations are no longer capable of managing identities in their own silos while also complying with various data protection regulations, such as GDPR.

The costs are staggering, too. According to the Ponemon Institute, the cost of a single lost or stolen record containing sensitive and confidential data is around $165. In healthcare, it could be as high as $363 per record.

Thus, it’s time to move from siloed, centrally-managed ecosystems to a scheme where people own and control their identity in the digital world. This is where the idea of self-sovereign identity (SSI) — a lifetime, portable digital identity for people and organizations — becomes an important factor.

The Evolution of Digital Identity

SSI solves more than identity-related challenges. Ctrl-Shift has estimated that by using the SSI concept, the cost of identity assurance could fall from £3.3 billion to as little as £150 million in the UK alone.

Businesses could again concentrate on more added-value services.

On the other hand, the business of collecting data is a lucrative one. Companies such as Facebook or Google have built their business models around data collection and analysis. To use these “free” services, you pay with your identity (data).

After all, there ain’t no such thing as a free lunch.

Beyond the legal way of making money with our data, there is a whole market for stolen personal data. For example, a Social Security Number is traded for $1 on the Dark Web, a driver’s license for $20, and full credit card info (with CVV) for $30. A full medical record may cost the buyer up to $1000 (data provided by Experian).

Prices are subject to discounts. And are tax-free.

Bye-Bye Middleman, Hello Blockchain

Blockchain technology is a significant step towards self-sovereign identity. It’s a shift from centrally managed identities towards decentralized governance where people own and control their sensitive and confidential data. In a transparent and secure way.

With its secure-by-design characteristic, it might be the solution to govern digital identities. No organization or individual owns blockchain (private, permissioned blockchains are an exception). An attacker cannot alter a verified transaction on a blockchain (payment, identity) without compromising other approved transactions.

There are, however, certain design constraints.

One of them is the storage of identity-related data. Experts strongly advise keeping the data in a secure, digital vault, outside of the blockchain. Biometrics in particular are very sensitive and should be kept off the blockchain at any cost.

There are indications that future technological advancements, like quantum computing, will be able to decipher information protected by today’s strongest security measures.

But the IT community has already come up with a clever idea that addresses this constraint — DID, or Decentralized Identifiers.

Instead of placing the data on the blockchain, DIDs are used as pointers to the data, which is stored elsewhere (off the blockchain). The Decentralized Identifier is pushed to the blockchain, together with the DID document containing a public key. And since the owner of this DID has the private key, he is in full control of it.
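The DID flow described above, as an added example that is not from the original article or from any DID project: an in-memory ledger holds only the DID document, the record lives in a separate store, and the holder proves control by signing a verifier's challenge. Assumptions: the `dataLocator` and `dataHash` fields, the `vault://` scheme and the `did:example:alice` identifier are illustrative, and a hash-based Lamport one-time signature stands in for whatever key type a real DID method would use.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport ONE-TIME key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def _bits(msg: bytes):
    digest = h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; never sign twice with the same key.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(h(s) == pk[i][bits[i]] for i, s in enumerate(sig))

LEDGER = {}  # stand-in for the blockchain: DID -> public DID document
VAULT = {}   # stand-in for the off-chain store holding the actual data

def register(did: str, pk, record: bytes) -> None:
    locator = "vault://" + did              # hypothetical locator scheme
    VAULT[locator] = record                 # personal data stays off-chain
    LEDGER[did] = {"id": did, "publicKey": pk,   # assumed document layout
                   "dataLocator": locator, "dataHash": h(record).hex()}

def check(did: str, challenge: bytes, sig):
    """Return (holder controls the DID, off-chain record matches the ledger)."""
    doc = LEDGER[did]
    controls = verify(doc["publicKey"], challenge, sig)
    intact = h(VAULT[doc["dataLocator"]]).hex() == doc["dataHash"]
    return controls, intact

if __name__ == "__main__":
    sk, pk = keygen()
    register("did:example:alice", pk, b'{"name": "Alice"}')  # constructed sample
    nonce = secrets.token_bytes(16)         # verifier's fresh challenge
    print(check("did:example:alice", nonce, sign(sk, nonce)))
```

The ledger entry carries no personal data, yet a verifier can still detect a swapped off-chain record and reject anyone who does not hold the private key.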

Companies such as Microsoft and Blockstack are already working on a solution for storing off-blockchain identities. Their idea is to create a digital hub for storing identity data (check out the project on GitHub).

Challenges We Must Resolve

The way we currently identify ourselves on the Internet must change. It’s not a sustainable model, neither for the consumers of online services nor for the companies offering them.

On several occasions, organizations have proved themselves incapable of guarding their users’ personal data. Take for example the Equifax breach with 140 million people affected, or Yahoo with 3 billion customer accounts hacked. And Facebook with its data leaks, possibly affecting the US 2016 presidential elections. Government agencies are also to blame: the security flaws in their systems affect millions of citizens (the data of 191 million US voters was exposed). The cases are piling up.

The issue is the centralized root of the trust model. The man-in-the-middle. The hacker’s honeypot. For now, blockchain emerges as one possible solution. This technology replaces trust in humans with trust in mathematics and cuts out the middleman. But it also comes with many unanswered questions.

Challenge: The 51% attack

For example, how do we deal with a “51% attack”, in which an actor controls more than half of the mining power on the network? This would give him the power to overwrite all the transactions. According to Dr. Greenspan, if one wants to control the mining on the Bitcoin network, an investment of around $400 million in equipment would be sufficient.

Challenge: Computer literacy in less developed countries

Moreover, such an ecosystem requires a certain degree of computer literacy. This might prove difficult in less developed nations with limited access to computer services. To place a digital identity on a digital hub, the user must be able to access it in the first place.

Challenge: Losing access

And what happens to someone who has lost the private key used to access his or her digital identity data? Is he or she now considered “identityless”? Without the right to use fundamental services, like the 1.1 billion “uncounted” and unbanked?

These and many other difficulties require a thorough discussion around blockchain and self-sovereign identity.

As a final note, to repaint Peter Steiner’s illustration in words: in the era of the blockchain, that dog may need to say to his canine friend:

“On Blockchain, once you’re verified as a dog, you’ll always be a dog”