<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Xavier Vila's blog]]></title><description><![CDATA[Xavier Vila's blog]]></description><link>https://xaviervilapueyo.com</link><generator>RSS for Node</generator><lastBuildDate>Fri, 17 Apr 2026 01:16:59 GMT</lastBuildDate><atom:link href="https://xaviervilapueyo.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Challenges in implementing SSI]]></title><description><![CDATA[The digital identity market is booming and still has a long way to go. There are, however, a number of challenges that we need to address and resolve.
The first is traction. It is important that projects are launched...]]></description><link>https://xaviervilapueyo.com/retos-en-la-implantacion-de-ssi</link><guid isPermaLink="true">https://xaviervilapueyo.com/retos-en-la-implantacion-de-ssi</guid><dc:creator><![CDATA[Xavier Vila]]></dc:creator><pubDate>Tue, 22 Sep 2020 15:57:15 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727553477/wsbmZ8Xd3.jpeg" alt="Challenges in implementing SSI" /></p>
<p>The digital identity market is booming and still has a long way to go. There are, however, a number of challenges that we need to address and resolve.</p>
<p>The first is traction. It is important that projects are launched to show the market that the technology is mature and that it can solve real problems. However, this is a market with multiple actors, which requires a special coordination effort to get projects off the ground. Interoperability is another of the most important factors to take into account if we want the technology to move from isolated projects with incompatible technologies to a global, interconnected ecosystem. Finally, a legal framework is needed that gives confidence to all actors, especially those that require more critical and sensitive processes.</p>
<p>Fortunately, steps are already being taken in the right direction. The EBSI project, for example, in which we have the honour of participating, is full-fledged support from the public administration for the use of this kind of technology in the identity field, as will be seen in the use cases being developed, both ESSIF (European SSI Framework) and the diplomas use case (issuing educational credentials over SSI). The <a target="_blank" href="https://europa.eu/europass/en/what-are-digital-credentials">Europass Digital Credentials Infrastructure</a> project, currently in its launch phase, will be another very important boost for the use of this technology.</p>
<p>As for legal certainty, the outlook is also good. On the one hand, in the eIDAS regulation, which is currently in a public consultation phase, one can glimpse that the regulation of decentralized identity is already being considered. On the other, the regulation of crypto-assets will finally put to rest any doubts that may remain about whether blockchain technology is here to stay.</p>
]]></content:encoded></item><item><title><![CDATA[Self-Sovereign Identity in the age of a global pandemic]]></title><description><![CDATA[COVID-19 is an unprecedented pandemic that has put society in a state of emergency almost everywhere in the world.
Because the virus has an incubation period of about 14 days, and many people are asymptomatic, it has been very difficult to contain th...]]></description><link>https://xaviervilapueyo.com/self-sovereign-identity-in-the-age-of-a-global-pandemic</link><guid isPermaLink="true">https://xaviervilapueyo.com/self-sovereign-identity-in-the-age-of-a-global-pandemic</guid><dc:creator><![CDATA[Xavier Vila]]></dc:creator><pubDate>Tue, 21 Apr 2020 16:17:31 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727558472/Dhgdp6c2n.jpeg" alt="Self-Sovereign Identity in the age of a global pandemic" /></p>
<p>COVID-19 is an unprecedented pandemic that has put society in a state of emergency almost everywhere in the world.</p>
<p>Because the virus has an incubation period of about 14 days, and many people are asymptomatic, it has been very difficult to contain the infection. The most drastic solution has therefore been to reduce contact with other people through social distancing and quarantine. The main objective of this decision has been to flatten the infection curve in order to gain valuable time to organize a strategy to contain the pandemic and limit the number of complicated cases.</p>
<p>The provision of tests and materials and the decrease in hospitalizations are allowing governments to focus on easing lockdown. In order to implement it, however, it is necessary to be able to keep the number of infections under control, and essential to have more and better data on how many people are infected, how many have been infected and have antibodies, and how many have not.</p>
<p>This is where lockdown-easing strategies come in: on the one hand, improving the information available through mass testing, both serological (to detect antibodies) and PCR (to detect the presence of the virus); and on the other hand, communicating and sharing this information, which allows us to quickly know who has been in contact with the virus and whether it is necessary to proceed to a selective quarantine.</p>
<h2 id="contact-tracing-to-fight-virus-spread">Contact tracing to fight virus spread</h2>
<p>Contact tracing is nothing new. In all countries, contact tracing protocols are triggered in cases of infectious disease. These protocols (as explained by Louis Gutierrez, executive director of the Massachusetts Health Connector, at the <a target="_blank" href="https://pact.mit.edu/impact-2020/">imPACT</a> conference a few days ago) are executed manually: the patient contacts the health centre, the centre asks a series of questions, and together they try to make a list of who the person has been in contact with in the last 48 hours. This process is manual and therefore absolutely impossible to scale. Now, given the high number of infections, there is an opportunity to address the problem through automatic contact tracing.</p>
<p>To this end, as summarized by the DP3T (an initiative of several European universities), solutions are being proposed that address the problem in different ways through designs that attempt to minimize data collection. There are two approaches: the first, centralized, in which user interaction networks are built centrally on servers; and the second, decentralized, in which contact data is stored only on people's devices and, in case of infection, a list is created (on a server) where the identifiers (ephemeral and not attributable) of those infected are published.</p>
<p>Along these lines, last Thursday the European Commission published a toolbox (<a target="_blank" href="https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf">Mobile applications to support contact tracing in the EU's fight against COVID-19, Common EU Toolbox for Member States</a>), with a list of recommendations for developing contact-tracing applications (they must be voluntary, approved by the national health authority, privacy-preserving, with personal data securely encrypted, and dismantled as soon as they are no longer needed). It is worth noting that on April 17th the European Parliament gave its support to the <strong>decentralized approach</strong>, pointing out by an overwhelming majority "that [...] the generated data are not to be stored in centralised databases, which are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the Union" and demanding "that all storage of data be decentralised". This approach was also backed by a <a target="_blank" href="https://drive.google.com/file/d/1OQg2dxPu-x-RZzETlpV3lFa259Nrpk1J/view">joint declaration by several scientists and researchers around the world</a>.</p>
<h2 id="immunity-passport">Immunity passport</h2>
<p>In addition, and in order to ease conditions of the lockdown, some authorities are considering facilitating the verification of who is immune through the use of a type of electronic passport containing digital credentials.</p>
<p>When performing the serological tests, laboratories or health centres could give the results to patients not only on paper but also in a digital format, to facilitate verification by the competent authorities if necessary.</p>
<p>It is important to note that this is highly sensitive personal data, and it is also important to consider that any technological solution used should be compatible and scalable with existing information systems.</p>
<h2 id="covid-credentials-initiative-a-community-driven-initiative">Covid Credentials Initiative, a community-driven initiative</h2>
<p>For this reason, several companies currently working on the development of technologies that respect privacy and the protection of personal data are joining forces and knowledge to provide a joint response to this challenge, through the <strong>Covid Credentials Initiative</strong> (CCI, <a target="_blank" href="https://covidcreds.com">https://covidcreds.com</a>). Specifically, several working groups have been created with the aim of defining and prioritizing the set of verifiable credentials most useful for the COVID-19 response.</p>
<p>Here are the first use cases being worked on:  </p>
<ul>
<li>Creating and maintaining <strong>a local network of trust</strong>: The use case focuses on the question of "what is needed locally to issue reliable credentials (COVID-19 and others)". It is expected that in the coming months and years a large number of credentials will be issued that will be relevant in COVID-19 related contexts. Since such credentials provide privileges, such as physical or digital access, there is a risk that unreliable credentials will provide illegitimate privileges.</li>
<li>Proof of immunity by exposure and vaccine: To measurably reduce the likelihood that employees returning to work will be carriers of COVID-19.  </li>
</ul>
<p>Similarly, the <a target="_blank" href="https://identity.foundation">DIF</a> (Decentralized Identity Foundation), of which we are also a member, is evaluating the creation of a working group to host the initiative in order to ensure that all the results of the collaborations are <strong>protected by the appropriate legal framework</strong> and that they remain <strong>free</strong>, <strong>open-source</strong> and widely <strong>usable</strong>.</p>
<h2 id="here-be-dragons">Here be dragons</h2>
<p>At the moment, the approach taken to solve the problem is mainly technical: bringing together the best practices and the experience of professionals to provide a coordinated, consensus-based solution from the sector.</p>
<p>Despite the good intentions of the initiative and the unquestionable benefits the use of an immunity certificate can bring, some ethical questions arise with it. <a target="_blank" href="https://www.france24.com/en/20200416-grave-concerns-about-covid-19-immunity-passports">As this article argues</a>, “many people will be resentful if others were able to return to work and make money because they had an immunity passport”.</p>
<p>Other difficulties could also end up pushing away the idea of an immunity passport in the short term. As noted in <a target="_blank" href="https://www.technologyreview.com/2020/04/09/998974/immunity-passports-cornavirus-antibody-test-outside">this other article</a>, “we still know very little about what human immunity to the disease looks like, how long it lasts, whether an immune response prevents reinfection, and whether you might still be contagious even after symptoms have dissipated and you’ve developed IgG antibodies. Immune responses vary greatly between patients, and we still don’t know why. Genetics could play a role”.</p>
<h2 id="join-the-initiative">Join the initiative!</h2>
<p>This is why the CCI is calling on the scientific and health communities to join the initiative, so that they can contribute their experience to validate the approach being taken for each of the use cases, thus minimising the technical and ethical risks.</p>
<p>You can join the Covid Credentials Initiative through its website at <a target="_blank" href="https://covidcreds.com">https://covidcreds.com</a>.</p>
<hr />
<p>Image by <a target="_blank" href="https://pixabay.com/users/fernandozhiminaicela-6246704/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=5065426">fernando zhiminaicela</a> from <a target="_blank" href="https://pixabay.com/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=5065426">Pixabay</a></p>
]]></content:encoded></item><item><title><![CDATA[Lessons learned from Blockchers accelerator program]]></title><description><![CDATA[One year ago, we met the team behind the Blockchers project. At that time we were showcasing the concept of our identity wallet. We were still evaluating which technologies and approaches would be more suitable for our enterprise.
The objective was t...]]></description><link>https://xaviervilapueyo.com/lessons-learned-from-blockchers-accelerator-program</link><guid isPermaLink="true">https://xaviervilapueyo.com/lessons-learned-from-blockchers-accelerator-program</guid><dc:creator><![CDATA[Xavier Vila]]></dc:creator><pubDate>Tue, 03 Mar 2020 15:28:01 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727563747/wz9n_pUc_.jpeg" alt="Lessons learned from Blockchers accelerator program" /></p>
<p>One year ago, we met the team behind the Blockchers project. At that time we were showcasing the concept of our identity wallet. We were still evaluating which technologies and approaches would be more suitable for our enterprise.</p>
<p>The objective was to create a ledger-agnostic identity wallet that could deal with as many ledgers as possible. The main reason was, and still is today, a matter of interoperability.</p>
<h2 id="our-challenge">Our challenge</h2>
<p>The main challenges we were facing with our project at the time were:</p>
<ol>
<li>Having a rather-stable MVP to start a PoC with one or more players.</li>
<li>Finding and convincing the right players to join us on our vision and help test our assumptions.</li>
<li>Getting the initial funding to let us (at least) start the virtuous circle of building =&gt; measuring =&gt; learning and do some iterations.</li>
</ol>
<p>Blockchers came at the right time for us. They were proposing a short acceleration program with some funding, based on the collaboration between an SME and a technological partner that would help provide and develop the technology to solve a problem.</p>
<p>We partnered with Factory Matters. They provide creative ways of improving digital competences using what they call "factories": project-based learning modules where students "create" a technological company or startup.</p>
<p>Digital competences, once evaluated, and following the framework proposed by the European Commission (<a target="_blank" href="https://ec.europa.eu/jrc/en/publication/eur-scientific-and-technical-research-reports/digcomp-20-digital-competence-framework-citizens-update-phase-1-conceptual-reference-model">DigComp</a>), require a way to be tracked and followed up. The match was pretty straightforward: we would provide them with the tools to help FactoryMatters students keep track of their accomplishments and be able to reuse them.</p>
<h2 id="getting-on-board">Getting on board</h2>
<p>Blockchers is based on a 4-stage process: Open Call – Immersion – Implementation – Recognition. We got selected in the Open Call phase together with 17 other companies among more than 100 applications. This was the easiest part, even though we were concerned about the growing number of applicants.</p>
<p>The Immersion phase was more challenging. We had to prepare a prototype of what we wanted to achieve, showcase it and then pitch our solution. The competition was tight: all the other proposals were suitable to be selected for the next phase. As stated by the Blockchers guidelines, the evaluation of the proposals would be based on:</p>
<ol>
<li>Market potential of their technology.</li>
<li>Pitching skills demonstrated in the demolition pitch contest.</li>
<li>Technological skills demonstrated in the Blockathon.</li>
</ol>
<p>We decided to focus our pitch on how we were planning to evolve our identity and credentials service, and how we see this can have an impact on the educational credential space.</p>
<p>The good news is that we got a ticket for the next phase, as we were one of the 8 companies selected to participate in the Implementation stage (yay!).</p>
<h2 id="getting-things-done">Getting things done</h2>
<p>Here is where the real fun began.</p>
<p>The first and foremost part was to agree on the KPIs that our mentor from Blockchers would use to measure our progress. This <strong>was a key part</strong> of the process. The KPIs were meant to measure not only technical development performance; marketing and sales indicators were also defined. Online publications, evolution of social media followers, presence and participation in events, and sales meetings were some of the KPIs that have helped us to accelerate our decentralized (self-sovereign) identity service.</p>
<p>We have spent roughly 60% of our energy and time on product development, 20% on marketing and 20% on sales, and even though we don't yet have meaningful ROI metrics, just from the increase in activity in those areas we can feel the effect of the investment in marketing and sales.</p>
<h2 id="recognition">Recognition</h2>
<p>And here we are, after 3 months of crazy work schedules and a lot of sweat and tears, with a first MVP version of what our service will be.</p>
<p>On the 9th and 10th of March we will be present at the Recognition stage, in Frankfurt, during the Crypto Assets Conference, where we will be pitching our MVP together with FactoryMatters.</p>
<h2 id="conclusion">Conclusion</h2>
<p>Funding is a key step in the process of a startup, but it is even more important to be able to test your assumptions as soon as you can.</p>
<p>Blockchers has allowed us to do both: bootstrapping a first PoC with a real use case, so we can start testing and validating our vision of decentralized identity, and helping our team financially, not only with cash but also by helping us create more sales leads.</p>
]]></content:encoded></item><item><title><![CDATA[How decentralized (and self-sovereign) identity can help enforcing GDPR]]></title><description><![CDATA[Recently I was invited to a tech meeting where different blockchain startups were presenting their innovative projects.
I began my presentation with this list, from Wikipedia, of data breaches involving more than 30.000 personal data records stolen.
...]]></description><link>https://xaviervilapueyo.com/how-decentralized-and-self-sovereign-identity-can-help-enforcing-gdpr</link><guid isPermaLink="true">https://xaviervilapueyo.com/how-decentralized-and-self-sovereign-identity-can-help-enforcing-gdpr</guid><dc:creator><![CDATA[Xavier Vila]]></dc:creator><pubDate>Mon, 14 Oct 2019 14:41:02 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727569069/Dd_IdMyHc.jpeg" alt="How decentralized (and self-sovereign) identity can help enforcing GDPR" /></p>
<p>Recently I was invited to a tech meeting where different blockchain startups were presenting their innovative projects.</p>
<p>I began my presentation with this list, from Wikipedia, of data breaches involving more than 30.000 personal data records stolen.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727571499/Dl1yrIIYn.png" alt="How decentralized (and self-sovereign) identity can help enforcing GDPR" /></p>
<p><a target="_blank" href="https://en.wikipedia.org/wiki/List_of_data_breaches">https://en.wikipedia.org/wiki/List_of_data_breaches</a></p>
<p>As the Wikipedia list states, at the time of this writing, there have been worldwide, in 2019 so far:</p>
<ul>
<li>More than 2.7 billion ID records stolen</li>
<li>More than 700 million unique email addresses stolen</li>
<li>21 million unique passwords stolen</li>
</ul>
<p>And here's a second figure, this time coming from the European Commission, showing the number of data breach notifications, from May 2018 to May 2019.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727573811/C7pVQzZgS.png" alt="How decentralized (and self-sovereign) identity can help enforcing GDPR" /></p>
<p><a target="_blank" href="https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf">https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf</a></p>
<p>The reason I started with these numbers is clear. There's a real threat. These breaches affect us, directly or indirectly, even if personally we take privacy and security seriously.</p>
<p>We share data. Constantly. And so far, we have almost no control on what really happens with it.</p>
<p>GDPR is a good step towards a more privacy-friendly future since it tries to address this problem. But its enforcement is proving quite challenging at times, in part because our tech industry (well, our society) has been built using a completely different set of rules.</p>
<p>Indeed, the Internet was designed to be fast, open, frictionless... but 30 or 40 years ago there was little room for encryption or strong authentication, and even less concern for enforcing privacy or data protection (great article <a target="_blank" href="https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/">here</a>).</p>
<p>So, back to GDPR, I recently spotted this motto-title in a European Commission report on GDPR (June 2019):</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727576020/7BNVJtfgV.png" alt="How decentralized (and self-sovereign) identity can help enforcing GDPR" /></p>
<p>https://ec.europa.eu/commission/sites/beta-political/files/digital_avatar_280519_v5.pdf</p>
<p>What caught my eye is that, with this title, the EC is not trying to make us aware of the rights, benefits and good deeds of GDPR. They are pushing citizens to be <strong>active actors</strong> in it.</p>
<p>And the question that immediately came to my mind was: how do they expect citizens to do that?</p>
<p>Some years ago, at Rebooting the Web of Trust, the attribute-based concept of identity became important again. The novelty was the decentralized property that blockchains were bringing. Allen coined the term <a target="_blank" href="https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html">self-sovereign identity</a>, and came up with 10 principles to define it, some of them closely aligned with the core principles of GDPR:</p>
<ul>
<li>Existence. Users must have an independent existence.</li>
<li>Control. Users must control their identities.</li>
<li>Access. Users must have access to their own data.</li>
<li>Transparency. Systems and algorithms must be transparent.</li>
<li>Persistence. Identities must be long-lived.</li>
<li>Portability. Information and services about identity must be transportable.</li>
<li>Interoperability. Identities should be as widely usable as possible.</li>
<li>Consent. Users must agree to the use of their identity.</li>
<li>Minimalization. Disclosure of claims must be minimized.</li>
<li>Protection. The rights of users must be protected.    </li>
</ul>
<p>W3C's implementation (Verifiable Claims + DIDs) of this vision puts the user in the middle. Any exchange of personal data (credentials) flows through the user and is sent to third parties (as presentations). Literally, this vision <em>helps</em> <em>users to take control of their virtual identity</em>.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1620727577879/LInKofhwZ.png" alt="How decentralized (and self-sovereign) identity can help enforcing GDPR" /></p>
<p><a target="_blank" href="https://www.w3.org/TR/vc-data-model/">https://www.w3.org/TR/vc-data-model/</a></p>
<p>DLTs help here by decentralizing the control of a central registry where we can verify the validity of those credentials.</p>
<p>The benefits of adopting this approach might be obvious:</p>
<ul>
<li>better customer experience (no more login/passwords!!),</li>
<li>compliance with regulation,</li>
<li>new business scenarios (e.g. key recovery services),</li>
<li>decrease in ID management costs,</li>
<li>and, for me, the most important one: to know that we are doing things in a better way.</li>
</ul>
<p>There are several companies working on Decentralized Identity. And we are still in its infancy! The industry is working together towards standardization (done by W3C, IETF, DIF and Hyperledger), and if as a community we are able to agree on a common protocol for identity that is used by many different players, the benefits will be hundreds of times bigger.</p>
<hr />
<p><em>Post feature photo by <a target="_blank" href="https://unsplash.com/@ev?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">ev</a> on <a target="_blank" href="https://unsplash.com/s/photos/identity?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a>.</em></p>
]]></content:encoded></item></channel></rss>