Digital Identity, Privacy and Blockchain – Can They All Be In The Same Equation?

María Teresa Nieto Galán    28 June, 2021
Digital identity

We are becoming increasingly aware of how our data circulates on the net. In fact, we have all probably had the experience of looking at a pair of trousers in an online clothing shop, then seeing them advertised on other websites and coming to believe that someone is spying on us. This thought makes the concept of privacy begin to resound in our minds.

Privacy is defined as everything related to an individual’s personal life that should be kept intimate and secret. Moreover, the right to privacy is enshrined in the declaration of human rights. For this reason, companies are already starting to take a stand on this issue, such as Apple and its slogan “what happens on your iPhone, stays on your iPhone”.

What Is Digital Identity?

According to the RAE (Royal Spanish Academy), identity is “a set of traits of an individual or a group that characterise them in relation to others”.  If we add the attribute “digital” to this definition, it would become “the set of traits that identify us in the digital world…”.

Therefore, Digital Identity can be our first and last name, our personal email address, our professional email address or even our bank account. In other words, all that set of data or digital attributes that we use to interact with websites, applications, etc.

Our features, our image or our habits and customs are also part of the attributes that identify us and differentiate us from other people in the real world. It is natural to think that they also have an equivalent in the digital world. In this case, we could talk about our aesthetic tastes in fashion when, for example, we look at those trousers we wanted to buy in an online shop or even our habits and behaviours when surfing the internet.

Companies have already been involved in lawsuits over data leaks and theft, data trafficking and political interference, such as the high-profile case of Facebook and Cambridge Analytica. Both entities were accused of using more than 50 million Facebook profiles without the consent of their owners for the purpose of psychological profiling. These profiles were then at the heart of the orchestration of political campaigns.

As a result, both companies have gone through the courts and have been given record fines of millions of dollars for breaching the General Data Protection Regulation.

In the end, as users, once we provide our data in the digital world, we practically lose control of it. We have previously discussed how Blockchain could be the perfect fit for managing our multiple identities simultaneously and the need to reinvent digital identity as we know it today.

Digital Identity Legislation

However, it is not all alarming. There are regulations that protect the processing of our personal data and its free movement within the European framework, such as the General Data Protection Regulation. In compliance with this regulation, we as citizens can force companies to remove our personal data from their systems. However, not everything is so simple. To exercise this right, as a user you have to remember which companies you provided your personal data to, a rather complex task in this world where everything (or almost everything) is digital and where we interact with companies unconsciously many times a day.

It is a fact that technology is advancing much faster than legislation, so from a technological point of view we also have to take care of the ethical aspects of users surfing the net.

In many cases the GDPR is now starting to be insufficient when it comes to dealing with digital personal data. As a result, work and legislation have begun on what is known as Sovereign Digital Identity.

What is Self-Sovereign Digital Identity?

The main objective of this new conception of digital identity is that people can once again become the owners of their own data. This identity would consist of a set of traits that identify the individual, called verifiable credentials.

Verifiable credentials, in addition to representing information, make it impossible to manipulate the data without detection, because they are digitally signed by the issuing entities.

Moreover, they can be traced immutably, so it would be very easy to determine when our data is being used and under what circumstances. These two concepts, “immutability” and “traceability” are, without a doubt, synonymous with Blockchain technology.

The credentials with the raw data would never leave what is known as a wallet or user wallet, which could be a simple application installed on our smartphone. In this way, and returning to the objective of giving people back control of their data, it would be possible to create, own and control access to this type of data.

The Road to This New Identity Model

Recently, the European Commission announced the creation of a European digital identity that would allow any European citizen to use any attribute of his or her identity in any of the member states. An example could be their financial information, in order to be able to buy a house in a country other than their country of residence (https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en).

This concept is conceived as a collection of compatible personal credentials interoperable between different public administrations, which is very close to the concept of Sovereign Digital Identity discussed above.

Among its benefits are:

  • The right of every person with a national identity card to have a recognised digital identity anywhere in the EU.
  • A simple and secure way to control how much information you want to distribute with services that require information sharing.
  • It works through digital wallets available on mobile applications and other devices for:
    • Identify yourself online and offline.
    • Store and exchange information provided by governments, e.g. name, surname, date of birth, nationality, etc.
    • Store and exchange information provided by trusted private sources.
    • Use the information as confirmation of the right to reside, work or study in a given Member State.

In the case of Spain, we are pioneers and leaders in the creation of mechanisms and solutions in this new identity model. A clear example is the application known as AlastriaID (developed by the Spanish business consortium Alastria), in which Telefónica participates as a member.

In January of this year, inspired by the AlastriaID model, the first global standard on decentralised digital identity in Blockchain was approved in Spain, following the publication of the Spanish standard PNE 71307-1 in the Official State Bulletin (Boletín Oficial del Estado).

We add Blockchain as an ingredient to the recipe

But are Blockchain and GDPR compatible terms? At first sight we might think that a technology in which every participant holds an identical copy of the information, making it immutable and impossible to erase, is not compatible with the rights to erasure or modification established by the General Data Protection Regulation (GDPR).

However, in the case of a sovereign digital identity that is built on Blockchain technology, user data is never stored in any way. In this case, what is stored is the traceability that allows us to determine whether a person’s data is still valid, but always maintaining their privacy. In other words, thanks to Blockchain, we could verify that a credential has neither been revoked nor altered and is therefore still valid.
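The check described above, as an added example that is not part of the original article and not AlastriaID code: the wallet keeps the raw credential and a salt, while the ledger holds only a salted digest and a status. The `Ledger` class is a constructed in-memory stand-in for a blockchain, all names are hypothetical, and the issuer's digital signature is left out to keep the focus on what goes on chain.

```python
import hashlib, json, secrets

GENESIS = "0" * 64

def sha(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def credential_digest(credential: dict, salt: str) -> str:
    # Canonical JSON so identical claims always hash identically; the salt
    # stays in the wallet so the ledger value cannot be guessed from the claims.
    return sha(salt + json.dumps(credential, sort_keys=True, separators=(",", ":")))

class Ledger:
    """Constructed stand-in for a blockchain: append-only, hash-chained entries."""
    def __init__(self):
        self.entries = []

    def append(self, digest: str, status: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "digest": digest, "status": status,
                             "hash": sha(f"{prev}|{digest}|{status}")})

    def intact(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != sha(f"{prev}|{e['digest']}|{e['status']}"):
                return False
            prev = e["hash"]
        return True

    def status(self, digest: str):
        # The most recent entry for a digest wins (issued, then possibly revoked).
        return next((e["status"] for e in reversed(self.entries) if e["digest"] == digest), None)

def verify(ledger: Ledger, credential: dict, salt: str) -> str:
    if not ledger.intact():
        return "ledger-tampered"
    status = ledger.status(credential_digest(credential, salt))
    return {"issued": "valid", "revoked": "revoked"}.get(status, "unknown-or-altered")

# Constructed sample: the raw credential and its salt exist only in the wallet.
WALLET_SALT = secrets.token_hex(16)
WALLET_CREDENTIAL = {"name": "Ada Example", "birth_date": "1990-01-01", "issuer": "example-registry"}

def demo() -> list:
    ledger = Ledger()
    ledger.append(credential_digest(WALLET_CREDENTIAL, WALLET_SALT), "issued")
    results = [verify(ledger, WALLET_CREDENTIAL, WALLET_SALT)]
    results.append(verify(ledger, {**WALLET_CREDENTIAL, "birth_date": "2005-01-01"}, WALLET_SALT))
    ledger.append(credential_digest(WALLET_CREDENTIAL, WALLET_SALT), "revoked")
    results.append(verify(ledger, WALLET_CREDENTIAL, WALLET_SALT))
    return results
```

Revocation is recorded by appending a new entry rather than editing an old one, so the chain of entry hashes still verifies and the personal attributes never appear in it.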

Potential applications of Sovereign Digital Identity

We cannot forget the business vision. This new way of managing identity will give way to new models and use cases. Some of them could be the following, although the range of possibilities could be immense.

  • Electronic medical records: Currently, in Spain, all the management of medical records is carried out by the public health system of the autonomous community in which the patient usually resides. When we leave the autonomous community and have to access other medical services, our records do not travel with us. Therefore, being able to use this digital identity model to carry our medical information in an interoperable way could be a possible solution.
  • Simplification of registration processes (onboarding): Many times, we have stopped registering on certain websites because of the amount of data to be filled in the forms. For this reason, another possible use case is the reuse of our credentials as input data in a form. Moreover, since the credentials would be traced thanks to Blockchain, we would solve the current problem of not knowing which companies we have given our data to in order to be able to exercise our rights of deletion or modification, among other things.
  • Wallets: These applications, our “credential receptacles”, still need a lot of work to be done. We have talked many times about how complicated it is to manage the public-private keys of a Blockchain platform.

One of the limitations of this technology is its accessibility for people who are not familiar with it or people with special needs. If we were to ask an elderly relative to download a Bitcoin wallet to use as a means of payment when going to the supermarket… can you imagine the result?

This is why we should not associate it so much with the world of cryptocurrencies and their wallets. The future here would be that, thanks to these technologies, we could have mobile applications that allow us, for example, to carry out procedures with public administrations using our identity in a very simple way, something that is currently a bit more complicated.

In short, creating wallets or applications that simplify our interaction with this identity model, with the aim of incorporating it into our daily lives, is the challenge ahead of us. The technology is available and mature. It only needs to become usable and transparent for users.

The concept of sovereign digital identity is the best candidate to be the solution to all the limitations we have today, and the only one that will allow us to become the owners of our personal data again, thus recovering the privacy that we so long for. Therefore, it is only a matter of time before we start to be able to use this type of solution, which simplifies and facilitates the use of our digital identity in our daily lives.
