Marcia Klingensmith

Decentralized IDs - 8 areas of concern

I was recently watching a Verifiable Credentials Preview video by Azure AD (https://didproject.azurewebsites.net/docs/overview.html) and I can see a lot of practical/tactical thinking has gone into creating this solution, but to me it brought to mind so many questions that I think have yet to be addressed well.


Today's businesses thrive on knowing as much as they can about us - telecom companies, Google, Facebook, Amazon, Twitter, Uber, AirBnB - they all have so much data about us - our likes and dislikes, who we know, where we go, what we buy, how much we earn, where we spend it. Big Data is a double-edged sword. These companies tailor to your every whim, giving you things you didn't even know you wanted before you knew you wanted them. The trade-off? Privacy. These businesses can know more about you and your needs and patterns than you probably even know about yourself, and they will use this to manipulate you, and make money off of you and your data.


Conversations about the exploitation of personal data have been going on a long time, and we see various efforts to protect consumers' privacy (examples like the European Union's GDPR and California's CCPA law). Grass-roots efforts to develop a solution to protect users and give them rights over their own digital identity continue to swell (it was certainly one of the hot topics at the October 2020 Money 2020!)


Decentralized Identity is the concept that a user should be able to own their personal details and have control over who gets access to which pieces of them, when, and for what purpose. The miracle tool that is to enable this to happen is the blockchain. Every record, every transaction, in perpetuity and totally immutable. While this seems like a trustworthy infrastructure, what could go wrong?


There are 3 main players in the ecosystem:

  • Issuer: This is the organization that issues the identity credential (ex. driver's licenses, high school or college diplomas, hunting licenses, medical record numbers, etc.)

  • Verifier: This is the organization looking to validate the identity data (ex. checking affiliation with university before getting discount, checking age before alcohol purchase)

  • Consumer: This is the individual that owns these digital identity elements


Here are just a few of the areas that came to mind where we will need to spend some time thinking more about the validity of these digital identities:

  • True Source: What organizations have authoritative (incorruptible) data that you can truly trust about an individual, so that once that record has been created, you would not doubt the validity of the information that is presented?

  • Identity Theft: How can you be sure that the initial credential established on the blockchain belongs to the true person, and not to someone just using a stolen credential? Also, once this fraudulent identity has been established, what measures are in place to remove or correct this record and return it to the right individual?

  • Synthetic ID: How do you prevent someone from just making up a fake identity and establishing credibility with this new user? We see this in the ecosystem today: fraudsters are able to create fake identities that get deeply embedded in all aspects of society (including in credit bureau databases)

  • Organizational Legitimacy: Today it's easy to establish a business, request an EID, register it with the Secretary of State, but that doesn't necessarily lend it credibility as an organization that should be issuing credentials

  • Credential Legitimacy: Just because a "university" can issue a credential, doesn't mean it's a legitimate or an accredited organization. There needs to be a process to validate the organizations that are being added to the ledger

  • IP Domains: Organizations will need to establish their profiles on the ledger - but this is not foolproof. Domains renew every year, and domains can change hands. Domains with very similar names can get bought/used by unrelated entities and, just as with phishing scams, may at first glance appear to be the rightful signature but, on closer inspection, may not

  • Keeping track of certificates: Nice thought, but I know I can't even keep track of all the websites I visited in the last 3 days, or the purchases I've made over the holidays, how would you keep track of all those certificates - who has time to check how legitimate it is (until you get scammed that is!)

  • Stolen Devices: One of the benefits to the issuer and the verifier is that they aren't the ones holding all the precious private personal information, so if it gets stolen, they aren't liable - however, what happens to the individual that has all their personal information stored on a device, and that device gets stolen - how much irrecoverable damage happens when a fraudster gets ALL your certified data. How will you ever be able to prove you are you again?
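
The Credential Legitimacy and look-alike domain concerns above can be handled on the verifier side by denying issuers by default and flagging near misses of vetted issuer domains. The Python below is an added example, not part of the original post or of any vendor's product; the allow-list, the `.example` domains and the function names are constructed for illustration.

```python
import unicodedata

# Constructed allow-list of issuer domains the verifier has vetted out of band
# (for example against an accreditation body). Hypothetical, not a real registry.
TRUSTED_ISSUERS = {
    "stateuniversity.example": "State University (accredited)",
    "dmv.state.example": "State DMV",
}

def normalize(domain):
    """Trim, drop a trailing dot, apply NFKC folding and lower-case."""
    return unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def vet_issuer(domain, max_distance=2):
    """Classify an issuer domain as 'trusted', 'lookalike' or 'unknown'.

    Only 'trusted' should be accepted; a valid signature from any other
    issuer proves who signed, not that the signer is legitimate.
    """
    d = normalize(domain)
    if d in TRUSTED_ISSUERS:
        return ("trusted", TRUSTED_ISSUERS[d])
    for known in TRUSTED_ISSUERS:
        if edit_distance(d, known) <= max_distance:
            return ("lookalike", known)  # near miss of a vetted issuer: escalate
    return ("unknown", None)             # deny by default

if __name__ == "__main__":
    for sample in ["StateUniversity.example.", "stateuniversty.example",
                   "st\u0430teuniversity.example", "diploma-mill.example"]:
        print(sample, "->", vet_issuer(sample))
```

The third sample contains a Cyrillic "а" in place of the Latin "a", which renders identically in most fonts but is one substitution away from the vetted domain.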

I appreciate the intention and motivation behind protecting a consumer's right to privacy. I get the interest and excitement around the opportunity to leverage the blockchain as a tool to share only the data elements needed to validate that user in that instance, but this is a very dangerous place we are playing in and we need to tread lightly. We need to understand the risks and exposures that we are facing, and have a healthy debate about what could go wrong and design a system that is invulnerable or unbreakable, or if exposed, will not harm the individuals that we are trying to protect.

