Fintech firms, software makers, telecom providers and other businesses have joined forces develop a blockchain-based network that will enable anyone to exchange digital credentials online and without the risk of unintentionally exposing any private data.
The companies are part of the Sovrin Foundation, a new nonprofit organization now developing the Sovrin Network, which could enable anyone to globally exchange pre-verified data with any entity also on the network.
The online credentials would be akin to identify information you or I might have in our physical wallets: a driver's license, a bank debit card or a company ID.
Instead of a physical card, however, the IDs in our digital wallets would be encrypted and link back to the institutions that created them, such as a bank, a government or even an employer, which, through the blockchain, would automatically verify that information to a requestor.
The owner of the digital wallet can determine what information a requesting business receives, and no more.
"They control who has access to their wallet and also can revoke that access at any time," said Adam Gunther, IBM's director of trusted identity.
This week, IBM announced it had joined the Sovrin Network to assist businesses, nonprofits and governments in building out the infrastructure and applications that will enable consumers to transact with them.
Along with other members of the Sovrin Foundation, IBM has been working with an industry standards body, the Decentralized Identity Foundation, to ensure a homogeneous interface. IBM will also dedicate hardware, security and network capacity to assist in the operation of the self-sovereign identity network.
In addition to IBM, Sovrin Founders include 22 businesses from a wide range of industries, such as ATB Financial, SICPA, a maker of security inks used in paper money, and T-Labs, the research and innovation unit of Deutsche Telekom. Evernym, another fouding member, develops self-sovereign identity applications that run on the Sovrin network.
In a digital economy, where consumers and businesses buy merchandise, apply for mortgages and loans, and send identify verification information for a myriad of purposes, ensuring data privacy has become paramount, particularly after many high-profile data breaches.
Solving an online insecurity problem
Last year, more than 2.9 billion records were compromised from various security incidents across industries, including 143 million American consumers whose sensitive personal information was exposed in a data breach at credit reporting agency Equifax.
To address what it sees as an internet infrastructure flaw, the Sovrin Network will add a missing identity layer to it based on an immutable blockchain record, making secure and private self-sovereign digital identity possible for the first time, according to Phil Windley, chair of the Sovrin Foundation.
The network is currently in beta, with pilots taking place among various Sovrin Foundation members, Windley said. It should be generally available to businesses sometime this summer.
"I don't believe there's a ton of people who are suddenly going to wake up this summer and say, 'I need to download a self-sovereign identity wallet for my phone,' " Windley said. "What's more likely to happen is they're going to go into their bank or credit union and they're going to say, 'We have this new way of logging into your account.' You'll download an app."
Behind the scenes, the bank and customer will exchange non-correlatable identifiers; they'll simply scan a QR code and will be signed up for the new identity service.
"Later on, they'll see that as an [icon] on their phone," Windley said.
One pilot the Sovrin Foundation is currently testing with IBM is verifying employee identification. IBM workers scan a QR code provided by their company, and they're automatically given an icon that a bank on the network can use to verify employment.
Sovrin is not alone
While Sovrin may have a groundswell of support among its members, it is by no means the first use blockchain to link identifiable data to a user through a blockchain distributed ledger.
Microsoft plans to pilot its own blockchain-based digital ID platform that would allow users to control access to sensitive online information via an encrypted data hub.
"This new world needs a new model for digital identity, one that enhances individual privacy and security across the physical and digital world," Ankur Patel, a principal product manager with Microsoft's Identity Division, wrote in a blog post. "Rather than grant broad consent to countless apps and services, and have their identity data spread across numerous providers, individuals need a secure encrypted digital hub where they can store their identity data and easily control access to it."
In January, Microsoft joined the ID2020 alliance, a global partnership working to create an open-source, blockchain-based digital identity system for people in the U.S. or other nations who lack legal documentation because of their economic or social status. The ID2020 alliance is targeting people who lack fundamental rights and services such as voting, healthcare, housing and education that are tethered to legal proof of identification.
Tech-savvy institutions like MIT have started issuing graduates diplomas via blockchain so that future employers no longer have to verify degrees and transcripts with the university.
Michael Fauscette, chief research officer at G2 Crowd, a business-to-business software review site, expects that in the next five years, decentralized verification will no longer be a novelty; it will be the norm.
"Imagine hiring without reference checks or transcript verifications, where all that an applicant needs is a blockchain hash,” Fauscette said.
The digital wallet
The concept behind digital wallets has been used for years by cryptocurrencies such as bitcoin to verify whether someone has the actual funds to purchase the digital currency, while keeping their identify anonymous. A financial services institution that is part of the bitcoin network, for example, simply verifies that there are sufficient funds for a bitcoin purchase without the need to disclose the identity or actual account balance of the banking customer.
In cryptography, the concept is known as zero knowledge proofs, a method by which someone of which information is being requested can link back to a verifying person or institution, without conveying any additional information except that which they are being asked.
So, for example, a bank may request to know you earn above $75,000 a year for the purposes of a loan; as a member of the blockchain network, your employer could verify only that you make more than $75K without disclosing your actual annual salary. Or a government could verify that a consumer is older than 18 for voting purposes or older than 21 in order to purchase alcohol. The information would be verified by the consumer by simply bringing up an application on their phone and presenting an icon.
The Sovrin Network will ensure three things: The individual is their own identity provider; the individual controls who has access to their information, a privilege they can revoke at any time; and the Sovrin Foundation becomes the central governing authority, determining who can join that permissioned blockchain network so that people can do business across it.
Businesses or government organizations that verify consumer identities and their private data would be known as "trust anchors" on the network. Those trust anchors could also delete and reissue user authority.
"So if my phone was stolen, I could have my keys revoked and reissued, so now that wallet is unusable," Gunther said. "Just like today, if your credit card is stolen, a bank can invalidate that card and reissue one.
"We need that model across everything for identity. Imagine if you could do that with your social security number — how much better life would be," he said.
Underpinning a new trust economy
A blockchain-based self-sovereign identity network also has the potential to satisfy new, more stringent requirements for businesses to know with whom they're doing business.
So called "Know Your Customer" regulations were enacted over the past four to five years to address an increase in money laundering and terrorist activity funding. Through a blockchain identifier network, banks would have pre-verified who their customers are, and whether or not they're tied to any nefarious activities, Gunther said.
There are many blockchain specifications, and many of them are based on open-source software. The Sovrin Network is based on the Linux Foundation's Hyperledger Indy specification, which was built from the ground up for verifying a user's identity.
Blockchain networks, or distributed electronic ledgers, can protect the identity of users behind a randomly generated hash table, a type of cryptographically signed credential, to prove the digital identity information in the identity owner's possession. Once a business or organization has verified information about a person, a simple icon can be used approve a transaction.
Besides being used for bitcoin and other cryptocurrency transactions, blockchain has most recently been adopted for business transactions, such as automating supply-chain management and cross-border money exchanges.
In short, many businesses and governments believe blockchain could underpin a new trust economy, one constructed of person-to-person (P2P) transactions and not dependent on more traditional methods such as credit ratings or guaranteed cashier's checks.
"Rather, it relies on each transacting party's reputation and digital identity — the elements of which may soon be stored and managed in a blockchain," Deloitte analysts said in a recent report.
Permissioned blockchains — which, like a relational database, are centrally managed — can combat cybersecurity risks and protect "consumers' financial information and the integrity of the global financial system," the researchers said in a white paper highlighted in a Microsoft blog.
The distributed ledger technology, the paper argues, offers significant cybersecurity capabilities, as well as some of the same cyber risks that affect other IT systems, "all of which merit further evaluation by regulators and industry."