From the 3 billion Yahoo email accounts compromised in 2013 to the credit and identity data of 143 million Americans stolen from credit bureau Equifax (and myriad other attacks), massive data breaches have become all too familiar.
The frequency and severity of these attacks, combined with their victims’ high level of security and technological sophistication, have prompted both public outrage and questions about whether sufficient protection against future breaches is even possible. Gemalto, an international data security company, summarized this sentiment in its Breach Level Index Report from the first half of 2017: “More and more organizations are accepting the fact that, despite their best efforts, security breaches are unavoidable.”
Some have seen a promising future solution to this problem in the rise of blockchain technology. As a recent Toptal Insights article explains, blockchain technology refers to a peer-to-peer distributed, immutable ledger of information. Every “block” of information contains a complete and accurate record of every transaction, which cannot be altered once verified and is secured cryptographically. A defining characteristic of this technology is its distributed, peer-to-peer structure, which theoretically obviates the need for intermediaries like Yahoo or Equifax to house data. While cryptocurrencies and cryptocurrency networks such as Bitcoin and Ethereum continue to flood headlines, the future applications of blockchain technology may be what ultimately solve a range of pernicious issues that affect businesses and people alike.
With regard to identity protection, some have argued that blockchain technology can potentially eliminate the need for intermediaries and allow individuals total control over their digital identities, while others have suggested that companies can still process personal data but use blockchain technology to access and verify this data without using easily-hacked servers. This article will explore each of these solutions in greater depth, focusing on one example of each approach. In doing so, we will gain an understanding of the approach each company advances, their challenges, and their relative merits.
The Problem: Centralization
To understand how blockchain technology can serve as an identity management solution, it’s important to first understand, at a basic level, how weaknesses in the current system have manifested.
The internet was originally designed as a peer-to-peer, decentralized web of connections, meaning that any user could communicate and connect with any other user without relying on an intermediary. As the internet became increasingly privatized, however, third party intermediaries emerged and became more fundamental to the internet’s structure.
A small group of companies gained control over everything from issuing website security certificates to patrolling access to the world wide web to curating individual online identities. This centralization of control allowed these companies to amass huge volumes of personal data, housed on servers, from everyone who uses the internet. These servers can be (and, as we know, have been) hacked, and the concentration of personal data in the hands of a small group of companies increases the risk of similar breaches occurring in the future.
Blockchain Identity Management: A Theoretical Solution
Blockchain technology provides a potential solution to the problem outlined above by enabling people to store data on a blockchain rather than on hackable servers. Information, once stored on a blockchain, is secured cryptographically and cannot be altered or deleted, thus making massive data breaches very difficult, if not theoretically impossible.
While storing data on a blockchain seems clear as a general, high-level solution, there are multiple theoretical approaches for implementing it. One strategy is to eliminate the need for intermediaries by enabling individuals to store their identities and data directly on a blockchain that a user carries with him or her everywhere online. With users’ digital identities cryptographically stored directly on a blockchain within an internet browser, users would theoretically no longer need to provide sensitive data to any third party. Another approach is to allow users to encode their personal data onto a blockchain that can be accessed by third parties. This approach does not eliminate the need for intermediaries entirely, but rather eliminates the need for intermediaries to store sensitive personal data directly on their servers.
Below are two case studies highlighting these strategies.
Blockstack: Building a New and Improved Internet
In 2013, Ryan Shea and Muneeb Ali founded Blockstack (originally called the Onename app). Using blockchain technology, Blockstack aims to solve the aforementioned security challenges by eliminating the need for digital intermediaries and allowing individuals to retain full control over their data. Rather than relying on external third parties to store data, individuals can use Blockstack’s browser to run decentralized applications, and user information is encrypted and housed on users’ personal devices.
Blockstack’s broader, fundamental mission is easily defined but could scarcely be more ambitious: to create a new, decentralized internet. As Blockstack’s technical white paper begins, “The internet was designed 40 years ago and is showing signs of age.” Blockstack aims to replace what we currently think of as the internet with a system that is both more secure and actually more closely aligned with what the internet’s designers had originally envisioned.
“The internet predated what we call the web… and that was designed to be decentralized,” says Shea. A recent New York Times Magazine piece provides a useful explanation of the internet’s original architecture. The internet was initially designed using open protocols – communication between computers via the internet was free and not owned by any centralized body.
But as the New York Times describes, the internet’s architects “failed to include some key elements that would later prove critical to the future of online culture.” In particular, “they did not create a secure open standard that established human identity on the network.” Without a mechanism for marking personal identity built into the internet’s structure, private companies stepped in to fill this void.
As certain applications, such as Google and Facebook, enabled people to establish and communicate individual identity online and gained popularity, the internet became increasingly centralized around a small group of powerful players. This concentration of power has had obvious economic implications and, most relevantly for Blockstack, a profound impact on how personal data is stored, transmitted, and used.
“Even the original designers of the internet now agree that they missed out on certain key things in the core architecture,” says Ali. “Most of those things basically revolve around security.”
Blockstack fixes the original internet’s aforementioned design flaw by building individual identity directly into the Blockstack browser, allowing people to communicate directly without the use of a third party, such as Facebook. Through its decentralized identity system, domain name system, and storage network, Blockstack aims to give people full ownership over their digital footprint. In doing so, it could theoretically prevent massive centralized data breaches in the future, as there will no longer be a need for third parties to store data or facilitate communication.
“Over the past few years, there have been many breaches, and these breaches have gotten larger and more severe over time,” says Shea. “In the coming years, we will see more of that surfacing, and it will become very, very clear to everyone that once you allow data to get out, it can’t be put back into the box.”
Blockchain technology forms the basis of Blockstack’s product and vision. As described in the aforementioned white paper, the blockchain “provides the storage medium for operations and it provides consensus on the order in which the operations were written.” Blockstack specifically uses Bitcoin (the network, not the currency) as its underlying blockchain upon which the rest of the Blockstack architecture is built. Put simply, blockchain technology enables Blockstack’s internet to remain decentralized and secure.
Yet a key challenge, as described in the white paper, that Blockstack faces in using blockchain technology is the risk that the blockchain can come under the control of a single entity – in other words, that it can go from being decentralized to centralized.
Scaling the Blockstack network represents another hurdle. Indeed, the success of Blockstack’s new internet depends on positive network effects – how many people use it and, more specifically, how many applications are developed for it. Currently, there are nearly 15,000 developers in the Blockstack community and over 76,000 domain names have been registered. Blockstack will ultimately need a far larger ecosystem to achieve its stated goal.
Blockstack has raised conventional venture capital funding and has recently completed its Initial Coin Offering, with $50 million in Blockstack tokens allocated to accredited investors and another $50 million that will be allocated to non-accredited investors who have the option to purchase tokens at a later date. While still in its relative infancy, Blockstack presents a potentially revolutionary solution not just to current problems in identity management and security, but to the monopolized power structure of the current internet.
Civic: A Targeted Identity Protection Solution
Civic, founded in 2016, advances a different blockchain-based identity management solution. Rather than removing the need for third parties and creating an entirely new internet ecosystem, as Blockstack aims to do, Civic seeks to work within an existing framework and focuses specifically on identity management and security. Through blockchain technology, Civic enables individuals and companies to verify their identities without having to store this data on centralized, breachable servers.
A recent Forbes article explains this process. An individual first signs up for Civic’s app, which verifies the user’s identity through official (e.g. government) records. Civic then encrypts this information and stores it on a blockchain. From there, other entities requesting such personal data can verify the information an individual provides against the information on Civic’s blockchain, thus obviating the need for any party to store sensitive data on a centralized server.
Vinny Lingham, Civic’s CEO and co-founder, also explains this process on his blog, where he writes frequently about cryptocurrency and the future of blockchain technology:
“Basically, Civic validates your personal information and identity, stores it on your mobile phone and only you can see or use that information. It is never stored on our servers! This means that if Civic was to ever get hacked, your information would never be released because we just don’t have it.”
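The verify-against-the-ledger flow described above can be sketched as follows; this is an added example, not Civic's code or protocol. It assumes a hypothetical in-memory hash chain (`Ledger`) standing in for a blockchain and salted digests (`commit`) as the anchored record, with `verify_claim` playing the relying party. The same chain check shows the tamper-evidence property attributed to blocks earlier in the article.

```python
import hashlib, hmac, json, secrets

def commit(attribute: str, value: str, salt: bytes) -> str:
    """Salted digest of one attribute. The salt matters: dates of birth and
    similar fields are guessable, so an unsalted hash on a public ledger leaks them."""
    return hmac.new(salt, f"{attribute}={value}".encode(), hashlib.sha256).hexdigest()

class Ledger:
    """Append-only hash chain (hypothetical stand-in: no consensus, no network)."""
    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(index, prev_hash, payload):
        body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                          sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "payload": payload,
                            "hash": self._digest(index, prev, payload)})
        return index

    def is_intact(self) -> bool:
        """Recompute every block hash and link; any edited block breaks the chain."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._digest(b["index"], prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

def verify_claim(ledger: Ledger, index: int, attribute: str, value: str, salt: bytes) -> bool:
    """Relying party: check a value the user discloses against the anchored digest."""
    if not ledger.is_intact() or not 0 <= index < len(ledger.blocks):
        return False
    anchored = ledger.blocks[index]["payload"].get(attribute)
    return anchored is not None and hmac.compare_digest(
        anchored, commit(attribute, value, salt))

# Constructed sample data: values and salts stay on the user's device (wallet);
# only the digests are written to the ledger.
wallet = {"name": ("Alice Example", secrets.token_bytes(16)),
          "dob": ("1990-01-01", secrets.token_bytes(16))}
ledger = Ledger()
ledger.append({"note": "genesis"})
record = ledger.append({a: commit(a, v, s) for a, (v, s) in wallet.items()})
```

The relying party needs the disclosed value and its salt from the user for each check, so a breach of the ledger alone exposes digests rather than identity data.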
Civic faces many of the same obstacles as Blockstack: its blockchain could ultimately fail, and its success depends on user adoption. But which approach holds more promise?
Some may prefer the solution proposed by Blockstack, as the hugely ambitious goal of creating an entirely new internet has profound implications well beyond the field of security or identity management. Blockstack advances an elegant solution to many of the internet’s most pressing issues. Its approach has the potential to fundamentally redefine the economics of the internet and the way people interact virtually.
But the relatively limited, targeted scope of Civic’s goal may hold the same, or more, appeal to others. Civic is not aiming to completely change, or replace, the internet’s architecture. In eschewing this goal and instead zeroing in on the specific problem of identity management – a complicated, ambitious issue in its own right, but one narrower than creating a new internet – some may argue that Civic has a better chance of successfully accomplishing what it has set out to do.
The question of which approach will ultimately prove more successful remains unsettled. Still, the growth and development of this space – and the mere fact that these potential solutions exist – should provide those of us concerned with the security of our private data a sense of hope for a better future in identity protection.
The Importance of Tokens
Blockstack and Civic each offer identity management solutions predicated on using blockchain technology to decentralize and secure personal data. They also both use tokens (their own cryptocurrencies) to fuel and incentivize the utilization of their platforms. In Blockstack’s case, developers consume tokens in building applications on the Blockstack network, and users consume tokens when registering Blockstack usernames. For Civic, users can receive tokens for utilizing Civic’s app.
These tokens have served as a source of funding for each venture – $50 million so far for Blockstack (to be accessed once a series of growth milestones are reached), and $33 million for Civic. But as regulators, and entire countries, crack down on trading cryptocurrencies, the full impact on projects such as Blockstack and Civic remains an open question.
As Muneeb Ali noted in a December 2017 interview, the Securities and Exchange Commission (SEC) has largely stayed on the sidelines during the recent cryptocurrency frenzy: “I actually feel that the SEC is being very smart about this space… they’re actively just watching, and so far all the steps they have taken…actually seem like the right thing to do,” Ali said.
The regulatory environment nevertheless remains uncertain, and the possibility that tokens may not be traded as freely in the future looms as a potential risk that should not be ignored for ventures like Blockstack and Civic.
Still, this risk should not hinder the exploration of blockchain-based identity management. It is, of course, important to note that blockchain technology is not a panacea. Indeed, as Ali says in the previously mentioned interview, blockchain technology works very well in some types of applications, and may be wholly inappropriate in others. Data security and identity management represent use cases well-suited for this technology and areas in desperate need of improvement going forward.