Commentary: How Blockchain Could Put an End to Identity Theft



Frederic Kerrest

April 20, 2018


We lack control of our personal identities, and that’s a problem. Birthdates and home addresses have long been accessible through a quick Google search, but now a trip to the dark web will turn up the information many of us still hold precious: Social Security numbers, bank accounts, health insurance details, and whatever else a criminal may desire.

We got to this point because we consumers have historically favored convenience over privacy. Most of us don’t read the small print or do deep technical assessments before sharing information online. We don’t want to remember a different password for each account or re-enter credit card numbers every time we make an online purchase. Instead, we transferred ownership of the details that make us who we are, and as a result, we effectively put every company and government institution in the identity management business—whether they realized it or not.

But with the emergence of blockchain technology, the word privacy may regain its meaning. Blockchain’s ability to control information and avoid duplication means that self-sovereign identity, or the idea that individuals can control their personal data no matter where they are, could be a reality for the first time. For example, the Illinois Blockchain Initiative is managing a pilot program to put birth certificates on a blockchain. Their hope is to create self-sovereign, digital identities that can remain under a user’s control, capable of quick and secure validation without the need for a centralized repository.

The end of identity theft

Self-sovereign identity isn’t just a nice idea; it can put an end to many issues that impact consumer privacy, including, importantly, identity theft. Last year, 16.7 million people in the U.S. were victims of identity fraud, a 1.3-million-person jump since 2016. But these numbers only show half the story. Oftentimes, individuals have no idea that their digital identities have been compromised until they attempt to buy a home or take out a loan and find their financial lives in ruins.

Using a blockchain ledger to manage identities would make it extremely difficult for fraudsters to wreak havoc without leaving an obvious digital trail. Here’s how it works: Each block in the blockchain builds upon its predecessor, and the cryptographic nature of these blocks makes it hard to alter information stored in the existing blocks. The resulting record is immutable, meaning that changes to every single identifier associated with an individual must be logged. This system prevents malicious actions by data custodians, and ultimately makes identity theft more difficult to execute.
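The linking described above can be shown in a few lines. This is an added illustration, not code from the author or from any identity project; the record fields, the all-zero genesis value and the function names are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "predecessor" for the first block


def block_hash(prev_hash, record):
    """SHA-256 over the predecessor's hash plus a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, record):
    """Log one identifier change as a new block linked to the current tip."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "record": record,
                  "hash": block_hash(prev_hash, record)})


def first_bad_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev_hash = GENESIS
    for i, block in enumerate(chain):
        expected = block_hash(prev_hash, block["record"])
        if block["prev"] != prev_hash or block["hash"] != expected:
            return i
        prev_hash = block["hash"]
    return None


def build_sample_chain():
    """Constructed sample data: three logged changes to one person's identifiers."""
    chain = []
    append(chain, {"subject": "alice", "field": "address", "value": "12 Oak St"})
    append(chain, {"subject": "alice", "field": "phone", "value": "555-0100"})
    append(chain, {"subject": "alice", "field": "address", "value": "9 Elm Ave"})
    return chain


def edit_without_logging(chain, index, new_value, rehash=False):
    """Model a custodian changing a stored value instead of appending a change."""
    block = chain[index]
    block["record"]["value"] = new_value
    if rehash:  # also recompute this block's own hash to try to hide the edit
        block["hash"] = block_hash(block["prev"], block["record"])
```

Rehashing the edited block only moves the failure to its successor. An edit to the newest block, or a rewrite of every later block, passes this local check, so the chain tip has to be pinned by copies the custodian does not control.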

Putting individuals back in charge

A blockchain ledger’s immutable record is also what empowers individuals to take charge of all the information tied to their identity and ensure its accuracy over time. For example, since there isn’t a universally accepted digital equivalent for offline identity, such as a passport or a driver’s license, people are issued a unique set of identifiers for every single application they use. The result is a sprawling web of private information that end users struggle to keep track of, and organizations fail to keep secure thanks to inconsistent and lagging security postures.

But with blockchain-based Decentralized Identifiers (DiDs), individuals could regain complete control of their data. DiDs are basically a secret URL (which actually stands for Uniform Resource Locator) stored on a blockchain ledger, with each being assigned to the different parts of a user’s identity, such as their name, birthdate, and Social Security number. Using a digital wallet app on their smartphone or desktop, users have the power to temporarily grant access to the DiDs of their choosing. For example, when you sign up for a new app today, you typically have to share your name, email address, and other basic information. With DiDs, the process is faster and more secure. The app shows a QR code, you scan it, your digital wallet app automatically transfers your relevant DiDs over the blockchain, and the app grants access.

The changing parts of our identity, like phone numbers, job titles, and home addresses, further complicate individual privacy because it is possible for a single identifier to become associated with more than one person at different times. Think about all the details that must be updated if you get married and change your last name—you must change your passport, driver’s license, social media accounts, bank accounts, health insurance, etc.—the headache-inducing process takes months at least. DiDs empower individuals to swiftly update these details; when the DiD is updated, the services using your DiD automatically have the updated info. This process is much better than letting misinformation run free.

Caution: work in progress

Any transformational technology needs time to bake. For example, TCP/IP, the conceptual model and communications protocols behind the Internet we know today, was around for 30 years before it started disrupting legacy industries like retail and transportation.

The idea of self-sovereign identities on the blockchain is certainly promising, but there’s still a lot to figure out. There’s the issue of incentive: Why would incumbent businesses want to lose control of their customers’ identity data? Self-sovereign identities aren’t in enterprises’ best interest, so we’ll need a brand new player to build a blockchain ledger for identity.

There are other technical issues to overcome. First, is immutability really possible? In theory, a blockchain is immutable and would take the role of critical infrastructure, but this idea requires intensive testing before it can be trusted in the wild. We also need to determine how to securely and accurately connect individuals’ physical and digital identities. Blockchain only exists in the digital world and cannot guarantee the physical identity of the user, so this puts the burden on businesses to verify, link, and navigate the two.

These issues reinforce the need for strong privacy infrastructure. An integral piece of that is regulation; in the absence of legal precedent, the entities involved in a blockchain-based identity ecosystem would have to accept risk, uncertainty, and unbounded liability. We need a trusted entity to establish some legal and enforceable rules for how it will all work, infrastructure to bridge the physical and digital world, and the security groundwork to guarantee basic protections for consumers. If we can do these things, privacy will become standard, not a thing of the past.

Frederic Kerrest is the cofounder and COO of Okta.
