How decentralized (and self-sovereign) identity can help enforce GDPR

Recently I was invited to a tech meeting where different blockchain startups were presenting their innovative projects.
I began my presentation with this list, from Wikipedia, of data breaches involving more than 30,000 stolen personal data records.

https://en.wikipedia.org/wiki/List_of_data_breaches
As the Wikipedia page states, at the time of this writing there have been worldwide, in 2019 so far:
- More than 2.7 billion id records stolen
- more than 700 million unique email addresses stolen
- 21 million unique passwords stolen
And here's a second figure, this time from the European Commission, showing the number of data breach notifications from May 2018 to May 2019.

https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf
The reason I started with these numbers is clear. There's a real threat. These breaches affect us, directly or indirectly, even if we personally take privacy and security seriously.
We share data. Constantly. And so far, we have almost no control over what really happens with it.
GDPR is a good step towards a more privacy-friendly future, since it tries to address this problem. But enforcing it is proving quite challenging at times, partly (but not only) because our tech industry (well, our society) was built using a completely different set of rules.
Indeed, the Internet was designed to be fast, open, frictionless... but 30 or 40 years ago there was little room for encryption or strong authentication, and even less concern for enforcing privacy or data protection (great article here).
So, back to GDPR: I recently spotted this motto-title in a European Commission report on GDPR (June 2019):

https://ec.europa.eu/commission/sites/beta-political/files/digital_avatar_280519_v5.pdf
What caught my eye is that with this title the EC is not trying to make us aware of the rights, benefits and good deeds of GDPR. They are pushing citizens to be active actors in it.
And the question that immediately came to my mind was: how do they expect citizens to do that?
Some years ago, at Rebooting the Web of Trust, the attribute-based concept of identity became important again. The novelty was the decentralized property that blockchains were bringing. Allen coined the term self-sovereign identity and came up with 10 principles to define it, some of them very aligned with the core principles of GDPR:
- Existence. Users must have an independent existence.
- Control. Users must control their identities.
- Access. Users must have access to their own data.
- Transparency. Systems and algorithms must be transparent.
- Persistence. Identities must be long-lived.
- Portability. Information and services about identity must be transportable.
- Interoperability. Identities should be as widely usable as possible.
- Consent. Users must agree to the use of their identity.
- Minimalization. Disclosure of claims must be minimized.
- Protection. The rights of users must be protected.
W3C's implementation of this vision (Verifiable Claims + DIDs) puts the user in the middle. Any exchange of personal data (credentials) flows through the user and is sent to third parties (as presentations). This vision literally helps users take control of their virtual identity.

https://www.w3.org/TR/vc-data-model/
DLTs help here by decentralizing control of the registry against which we can verify the validity of those credentials.
The benefits of adopting this approach might be obvious:
- better customer experience (no more login/passwords!!),
- compliance with regulation,
- new business scenarios (e.g. key recovery services),
- lower identity management costs,
- and, for me, the most important one: to know that we are doing things in a better way.
There are several companies working on Decentralized Identity. And we are still in its infancy! The industry is working together towards standardization (done by W3C, IETF, DIF and Hyperledger), and if as a community we are able to agree on a common protocol for identity that is used by many different players, the benefits will be hundreds of times bigger.