Business Review

Executive Summary

It’s a strange world we live in when large companies such as Experian, Equifax, and TransUnion are able to store huge quantities of our personal data and profit from it in a way that doesn’t benefit us. And when those same companies lose our personal data and make us susceptible to identity theft, there’s virtually nothing we can do by way of retribution. However, technology may be able to help us wrest back control of our personal data. Encrypted distributed ledgers have big implications for identity systems. They would allow us to keep certified copies of identity documents, biometric test results, health data, or academic and training certificates online, available at all times, yet safe unless you give away your key. At a whole system level, the database is very secure, as each single ledger entry among billions would need to be found and then individually “cracked” at great expense in time and computing. Using smart, distributed ledgers to prove our identities and store our personal data could shift the power of (and profit from) data management from big, established firms back to individuals.

It’s a strange world we live in when large companies such as Experian, Equifax, and TransUnion are able to store huge quantities of our personal data and profit from it in a way that doesn’t always benefit us. And when those same companies lose our personal data and make us susceptible to identity theft, there’s virtually nothing we can do about it. Equifax lost the data of more than 140 million people, and recompense is not forthcoming. Meanwhile, the CEO may be stepping down with a pension worth $18 million. Clearly, the system is broken, and it’s time to stop and ask ourselves why we continue to rely on a system that doesn’t stand up to the challenges we face in a digital society.

Credit-referencing agencies benefit immensely from our data, but there are many other data privateers — from online shopping sites to retailers to media firms – that are doing the same, including our own governments. U.S. Social Security numbers, or UK National Insurance numbers, were originally created to keep track of the earnings history of workers for entitlement and benefit programs. Both have since morphed into critical numbers assigned at birth that can be used by government agencies not just to collect taxes, but to identify individuals. They are also now used by private industry to track our financial and commercial histories.

Many countries have such a national identity system. With the governments of China and India both providing their citizens a national identity (Hukou in China and Aadhaar in India), it’s safe to say that well over a third of the world uses government-issued identitifiers. Among the various ways to prove identity, the U.S. stands out for its complexity, relying on a mix of varying state mechanisms — for example the ubiquitous use of state driving licenses, combined with Social Security numbers. A decade ago, the UK attempted to establish a national identity system, which was ultimately scrapped for many reasons, which included political overreaching, lack of security, and cost overruns. None of these nation’s systems have proven to be a practical, reliable way to protect and prove our identities.

Still, numerous smaller countries, such as Singapore, are exploring national identity systems that span government and the private sector. One of the more successful stories of governments instituting an identity system is Estonia, with its ID-kaarts. Reacting to cyber-attacks against the nation, the Estonian government decided that it needed to become more digital, and even more secure. They decided to use a distributed ledger to build their system, rather than a traditional central database. Distributed ledgers are used in situations where multiple parties need to share authoritative information with each other without a central third party, such as for data-logging clinical assessments or storing data from commercial deals. These are multi-organization databases with a super audit trail. As a result, the Estonian system provides its citizens with an all-digital government experience, significantly reduced bureaucracy, and significantly high citizen satisfaction with their government dealings.

Cryptocurrencies such as Bitcoin have increased the awareness of distributed ledgers with their use of a particular type of ledger — blockchain — to hold the details of coin accounts among millions of users. Cryptocurrencies have certainly had their own problems with their wallets and exchanges — even ID-kaarts are not without their technical problems — but the distributed ledger technology holds firm for Estonia and for cryptocurrencies. These technologies have been working in hostile environments now for nearly a decade.

The problem with a central database like the ones used to house social security numbers, or credit reports, is that once it’s compromised, a thief has the ability to copy all of the information stored there. Hence the huge numbers of people that can be affected — more than 140 million people in the Equifax breach, and more than 50 million at Home Depot — though perhaps Yahoo takes the cake with more than three billion alleged customer accounts hacked.  Of course, if you can find a distributed ledger online, you can copy it, too. However, a distributed ledger, while available to everyone, may be unreadable if its contents are encrypted. Bitcoin’s blockchain is readable to all, though you can encrypt things in comments. Most distributed ledgers outside cryptocurrencies are encrypted in whole or in part. The effect is that while you can have a copy of the database, you can’t actually read it.

This characteristic of encrypted distributed ledgers has big implications for identity systems.  You can keep certified copies of identity documents, biometric test results, health data, or academic and training certificates online, available at all times, yet safe unless you give away your key. At a whole system level, the database is very secure. Each single ledger entry among billions would need to be found and then individually “cracked” at great expense in time and computing, making the database as a whole very safe.

Distributed ledgers seem ideal for private distributed identity systems, and many organizations are working to provide such systems to help people manage the huge amount of paperwork modern society requires to open accounts, validate yourself, or make payments.  Taken a small step further, these systems can help you keep relevant health or qualification records at your fingertips.  Using “smart” ledgers, you can forward your documentation to people who need to see it, while keeping control of access, including whether another party can forward the information. You can even revoke someone’s access to the information in the future.

Several organizations are working on returning the value of your data to you, such as the state of Illinois’ pilot to test a blockchain-based birth registry/ID system. Taking this idea one step further, when you are the sole owner of your personal data on purchases, online browsing history, or mobile data, you can also choose whether or not to “sell” your own data, with rights and restrictions using smart ledgers. This could shift the power of (and profit from) data management from big, established firms back to individual users. This would also shift the responsibility. If you lost your cryptographic “keys,” then they would be truly lost and you would have to build your identity again.

Equifax and others have shown the weakness of central databases in the hands of a single firm. Mutual distributed ledger systems have the potential to provide us with identity and activity management, even permitting us to make a market selling information about ourselves, taking control and cash back from companies like Equifax and Yahoo and giving it back to ourselves. There will certainly be mistakes along the way, but how can we truly object to reclaiming control of our most private property — our personal data?