I. Introduction
Digital “you” is not effectively owned (or even controlled) by yourself, despite GDPR’s great contributions for that end. Currently, we enjoy none of the rewards of having third parties using our personal data. There is also lack of transparency over which services are processing our data and for which purpose . The lack of balance is aggravated by the fact that users (or data subjects) bear the high risk of data controllers and processors misuse or abuse[1] and of data breaches, which can cause “identity theft”, one of the most common cybercrimes that enables numerous fraudulent activities.
For users to have access to mainstream online platforms they are asked to loose the control over their data upon engagement – reducing users into a data-generating oracle. This data is later monetised by network operators, advertisers, governments, banks, social-media companies, search engines and online retailers. The collected data can be further used for profiling, prediction, and economic growth.
Interestingly, Dan Tapscott referred to the current system as a “feudalistic digital landlord” reality, where instead of farming, it aggregates, expropriates, and monetises data and identities. “We create the asset: They expropriate it. Yet we still thank them for the use of their land, rather than demanding what is rightfully ours.”
Even though there is an acknowledgement of a protected online identity, it is not sufficient. Therefore, it is crucial to find better ways for people to effectively own, control and manage their data independently. In this Insight we will briefly explore how DLT (Distributed Ledger Technologies, being Blockchain the most known) might contribute to that end.
II. Identity
To define “identity” while acknowledging the spectrum of what it is to be, as an individual, is a challenging task. Many areas of study have contributed to our current understanding of “identity”.
Two distinctively approaches can be made when trying to define what identity is: i) the naturalist and ii) the constructivist. The naturalist approach considers that “everything that resides inside the physical body or is more permanently connected with it” shapes the identity. It gives great importance on being distinguishable (“unique”) and considers that “expressions of the mind have priority over the physical body”. The constructivist approach is relational, which means the social structure has an important impact on identity[2]. The identity can be compartmentalised and shared.
Nonetheless, both approaches seemed insufficient which led to consider their combination. Despite disputes on what identity is, it seems to be consensual that it is i) an exclusively human quality; ii) unique; and iii) we need to consider the wholeness of the identity.
The GDPR guides us by defining “personal data” on Article 4(1) where it reads: “ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
As such, the concept “digital identity” can be explained as the collection of personal identifiable data. Such term is different from “persona” or “profile” since the former is the “subset available to the “user”, while the latter is the totality of data collect and augmented by the entity controlling the network or platform”.
Kim Cameron created the seven laws of identity while striving to achieve the concept of “universal identity” – i) the user must control and consent; ii) minimal disclosure for a constrained use (the use of the least amount of identifying data)[3]; iii) justifiable parties; iv) directed identity; v) pluralism of operators and technologies; vi) human integration and vii) consistent experience across contexts (which means tailoring which data constitutes identity depending on the context – for example, browsing, personal, community, professional, citizen, access to credit). Therefore, we shall strive for a universal identity resulting from a patchwork of identities.
To effectively take advantage of this “universal identity”, the concept of “self-sovereign identity” was brought forward to allow users to manage their own digital identities without depending on third party providers.
III. Power to the people through DLT
The use of DLT has potential benefits because it enables trust from all parties involved at a reduced cost; it is immutable; resistant to censorship and manipulation; transparent (which could enable people to track and consent the use of their data). Such goal can be achieved by having a central authority (like the government or the European Union) or in a decentralised way, through Decentralised identifiers (DIDs). However, DLT-bases identity solutions are commonly “intertwined with those in the public sector as some require verified credentials by governmental institutions”.
Examples include the ID-card of Estonia that secures travel within the EU, national health insurance, tax claims, access to bank accounts, e-voting (partly blockchain-based); Forus.io in the Netherlands or Kiva Protocol in Sierra Leone; and the World Food Programme pioneered Blockchain approach to biometric ID and digital payments in refugee camps in Jordan[4].
More generally, through DLT identity management systems users could control their personal information, documents, and the access by third parties almost like an identity digital wallet – including the possibility of customising the types of consent: i) consent for processing personal data in return for services; ii) consent for selling/access to personal data; and iii) consent for storing personal data.
At first it might seem contradictory to analyse the potential of a transparency- enabling technology to achieve privacy and control. Nevertheless, it has already been presenting solutions, such as “separating data rights from the actual data” for example, by using an off-chain repository to store the user’s personal data, while in the blockchain it is only stored an immutable hash data pointer (“a link”) to the storage location of personal data on the off-chain repository.
Such method would also make it possible to comply with GDPR’s right to be forgotten (Article 17 GDPR.), because when x or y information is deleted in the off-chain repository the hash data pointer stored in the DLT will be null and void, therefore, GDPR compliant. Currently, there are no suitable mechanisms that enable users to opt-out from a service gracefully in mainstream online media.
IV. User as the legal controller?
The identity issuer can be the State (or the user, in case of decentralisation), which issues personal credentials for identity holders (citizens). In the case of the State, it would also attest for the validity of the personal information. The functions of issuer and verifier can be held by anyone, however the trustworthiness they inspire in the public might be reflected in the adoption (or not) of this DLT-solutions by the users.
The controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”( Article 4(7) GDPR). As such, if users write on the Blockchain and decide to send data for validation by the miners, they shall be considered as data controllers, as they define “the purposes (objectives pursued by the processing) and the means (data format, use of Blockchain technology, etc.)”.
V. Conclusion
In order to effectively introduce DLT-based identity solutions it should be taken into consideration that i) further development of scalability and optimisation is needed; ii) they should have a pseudonymity enabling design; iii) users must trust the reputation of verifiers; iv) interoperability is critical; v) they shall beeffective and user-friendly especially for non-technical users.
Apart from the enthusiasm surrounding DLT, most of which relates to the possibility of true decentralisation, blockchain identity will not survive in isolation. Therefore, we shall strive for a balance between data decentralisation and self-sovereign identity. Additionally, we should attentively audit it, since it is possible that “business pressures lead us towards ’re-centralization’ and where, for marketing reasons, identifiers are called DIDs that are not really DIDs. We have witnessed this before with OpenID, which was designed as a decentralized identity technology but is often co-opted by various actors to fuel surveillance capitalism and violations of digital human rights”.
[1] For example, the Cambridge Analytica scandal where people’s personal information was misused by Facebook to influence voters in the US Elections.
[2] For an interesting take on how the social structure (friends) might impact decision making (going to events) see, for example, Mathias Bogaert, Michael Ballings and Dirk Van den Poel, “The added value of Facebook friends data in event attendance prediction”, available at: https://crm.ugent.be/Event_attendance_working_paper.pdf
[3] Similar to the idea of data minimisation (Article 5(1)c of the EU GDPR): “For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed”, in Kim Cameron, “The Laws of Identity”, p.7, available atThe Laws of Identity (identityblog.com).
[4] The innovative IrisGuard eye-scanning technology virtually eliminated the identity fraud, excessive bureaucracy and systemic corruption usually present in refugee camps across the globe. See: WFP Introduces Iris Scan Technology To Provide Food Assistance To Syrian Refugees In Zaatari | World Food Programme
