In January
the Government Chief Scientific Advisor, Sir Mark Walport, published a report
setting out the findings of a review exploring how distributed ledger
technology can revolutionise services, both in government and the private
sector. This 88-page report explored a
vision of how distributed ledger technology could reshape how government
interacts with its citizens.
Whilst the concept
of “Identity on the block chain” has been talked about for a while, the seeming
endorsement from the Government Office for Science for this idea has triggered
the rush for the bandwagon. In the weeks since there have been a number of
blog posts saying how block chain technology will solve the problem of how we
establish our digital identity, will increase security, will prevent fraud,
will either provide gold standard trust or do away with the need for it
altogether, will end world hunger, eliminate bureaucracy, give privacy, return
control of data to the individual… in fact it will do so many wonderful things
we’ll all wonder how we lived before it.
The trouble
is, the people forcing their way on the bandwagon often don’t understand block
chain technology, or they don’t understand identity, or they don’t understand the
problems that they’re claiming putting one onto the other will solve. And here I’ll lay my cards on the table – I’m
not a block chain guru; indeed when I blogged about this topic back in August
2015 - Unblocking
Digital Identity – my conclusion was inconclusive.
So why
then, while every one else fights to grab onto the bandwagon – backed by the
Chief Scientific Advisor and other people far more intelligent than I am – am I
stood pointing and shouting that the emperor is naked? Well, leaving stupidity aside, there are a
few reasons.
Firstly, identity
isn’t transactional. When you ask how
old I am I tell you my age, I don’t transfer it to you. So if we’re talking about attributes of my
identity that can be associated to a transaction – did the supermarket checkout
operator get confirmation of my entitlement to buy alcohol? – so this could be
written to a distributed ledger as immutable evidence for compliance
purposes. Though this is putting
supermarket sales on the block chain, not my identity.
Secondly,
identity and entitlement often get interlaced.
So one of my identity attributes
is my date of birth, which when I hit 18 entitled me to buy alcohol (in the UK)
– so actually the supermarket isn’t interested in my identity, they’re interested
in my entitlement. When claims are made
of fraud prevention by putting my identity on the block chain it doesn’t
address the fact that people claim things that they’re not entitled to… even when
they’re known to the organisation they’re defrauding.
Thirdly,
when it comes to security there’s a great comparison to most things in
life. The amount of reward to be gained guides
the amount of effort we’re prepared to put in.
Bad people spend a lot of effort trying to break into bank systems
because they know that there’s a lot of reward on offer. And the banks put a lot of effort into
protecting their systems because they have a lot to lose. Now if you’re being attacked – the best thing
is to know about it – so you can do things to prevent it. If I give you a copy of the identity of every
citizen – I tell you what the prize is - and let you take that away and do
whatever you want with it – no matter how secure I think it is now, I’m not
sure that I feel comfortable in leaving it with you without knowing what you’re
doing to it.
Finally,
and most importantly, identity isn’t about what was, it’s about what is. People do strange things – like move house,
change name, die. So if I verify your
identity and write an immutable record of it to the block chain, it is
immediately worth less than at the point that I did it. So being able to point to that transaction in
10 year’s time offers very little benefit. If I go to rent a car, the car hire company
don’t care that I was given a driving licence 30 years ago, they want to know
if it’s still valid now. If I write the
event of my marriage to the block chain and have that signed by Government, I
can prove that I got married; I can’t prove that I am married unless I go back
to Government for them to confirm that I haven’t since got divorced… or died…
or that my partner died (which is about their identity, not mine).
Which
brings me to the same conclusion as before, though now with much more clarity. Distributed
ledger technology will have a role to play in identity – though not in the way
that the bandwagon would currently have you believe. What that way is – I don’t know… though I do
know it currently has no clothes on.
Read my other posts
Just in Case - From early adoption to maturity
I have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing - Poor security practices are putting users at risk
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile
Defining the Business Analyst - Better job descriptions for Business AnalysisI have control - Can we truly own our identity
Tipping the balance - Getting the right balance between security and user experience
You don't know what you're doing - Poor security practices are putting users at risk
I didn't say you could touch me - Biometric authentication and identity
You don't need to tell me - Impacts of the EU General Data Protection Regulations
Coming together on being alone - The need for a clear government digital strategy
I'm not the person I used to be - Authentication for real world identities
Bring Your Own Downfall - Why we should embrace federated identity
Unblocking Digital Identity - Identity on the Blockchain as the next big thing
Tick to Agree - Doing the right thing with customer's data
The Kids Are All Right - Convenient authentication: the minimum standard for the younger generation
The ridiculous mouse - Why identity assurance must be a rewarding experience for users
Big Brother's Protection - How Big Brother can protect our privacy
I don't know who I am anymore - How to prove your identity online
Three Little Words - What it means for your business to be agile
Unexpected Customer Behaviour - The role of self-service in your customer service strategy
Rip it up and start again - The successful Business Transformation
Too Big To Fail - Keeping the heart of your business alive
The upstarts at the startups - How startups are changing big business
One Small Step - The practice of greatness
In pursuit of mediocrity
Connect with Bryn on Linked In: Bryn Robinson-Morgan
Good post Bryn. Hopefully you'll be interested in participating in the upcoming OIX UK project on this very subject to look into the pros and cons and figure out what will and won't work.
ReplyDeleteThanks Andy. Absolutely. Taking an objective look to see what real benefits block chain technology could bring to identity is exactly what our industry should be doing. OIX is a great forum to do that.
ReplyDeleteProbably the only use for identity on the blockchain is for the censored and underserviced. Which (IMO) is highly interesting, though not what most people are inclined to need. Here's one such example: https://github.com/17Q4MX2hmktmpuUKHFuoRmS5MfB5XPbhod/dropzone-lib/blob/master/Drop%20Zone%20-%20Whitepaper.pdf
ReplyDelete