How Tenbeo’s Distributed Ledger Technology Brings Privacy and Security to Identity Management
And why it’s critical infrastructure for ensuring freedom and democracy in the digital age.
Proving one’s identity has been a challenge since the dawn of time, but the consequences of being unable to do so have never been greater. With 7.8 billion people and counting interacting physically and digitally at an ever-increasing pace, being unable to prove your identity in the 21st century effectively cuts you off from the benefits offered by civilization. Even those who are “in the system” face serious challenges. In the best case, interacting with, for example, government services in all but the most technologically savvy jurisdictions is “merely” inconvenient (and costly). In the worst case, part or all of your identity can be stolen.
Fundamentally, the problem we have always faced is how to efficiently and securely prove you are who you say you are, and there has never been a foolproof way to do so at a meaningful scale. The problem is that identity management systems have always been forced to rely on centralized authorities to act as the final source of truth. Whether managed by government or corporations, on paper or digitally, the records are always held in centralized databases. When, for example, you apply for a loan, you produce one or more forms of basic identity and perhaps some evidence of your income. These documents are checked, typically by third-party know-your-customer (KYC) service providers who ping the relevant centralized databases. Practically, this means you are not, in fact, the real “owner” of your identity.
Having your identity managed by others brings monetary costs, security risks, and anti-democratic consequences.
On the monetary front, there are direct and indirect costs. Direct costs relate to intermediary fees paid to, for example, KYC providers, which drive up the costs of customer onboarding. A report from Bain & Company, for example, found that “governance, risk and compliance (GRC) costs account for 15% to 20% of the total ‘run the bank’ cost base of most major banks.” Indirect costs, though difficult to quantify, are much larger as they include wasted time due to the inefficiencies of centralized identity management, and lost opportunity where businesses are unable to interact with customers due to the difficulty of identifying them and complying with regulation.
The honeypot of valuable centralized identity data also brings significant security risks. In terms of outright hacks, the Equifax data breach, as a single notable example, exposed the Social Security Numbers of fully half the population of the United States. Yet hacks are, arguably, not even the biggest concern.
The consequences of not being the true owner of your identity now include the monetization of your identity along the predatory “surveillance capitalism” model. Those of us with significant digital footprints now routinely have our identity literally sold off by tech giants to the highest bidder (with the end goal of getting your attention towards consumerism). Where identity is turned into a commodity, economic forces erode free choice, ultimately bringing anti-democratic consequences.
Is there a better way?
Distributed Ledger Technology (DLT) presents a way to, for the first time — efficiently, securely, and at scale — prove you are who you say you are. It does this by distributing the ledger (that tracks identity information) across a number of nodes, with all nodes agreeing to a consensus mechanism for making updates to the ledger. This provides not only the traceability and transparency needed to keep everyone honest, it also provides the redundancy needed to ensure mistakes aren’t made, and that the information persists through time.
DLT allows people to take, for the first time in history, self-sovereign control of their identity. This can be considered a critical prerequisite for not only identity security and privacy, but also freedom and democracy, particularly as we move deeper into the digital age.
How does DLT-based self-sovereign identity work?
With a DLT-based identity management system, people collect digitized and encrypted pieces of information about themselves (from governments, academic institutions, hospitals, banks, etc.) and manage them in a digital vault for which only they hold the key. The information itself is stored in encrypted form by the nodes which constitute the network, meaning the nodes don’t have access to the contents of the data they store.
When you want to prove your identity to a third party, you do so using an internet-connected device like your phone. Importantly, you grant access to only the required information, meaning the third party sees precisely (and only) what they need. Further, thanks to a cryptographic method known as zero-knowledge proofs, you can share the absolute minimum required information without leakage. For example, for a loan or credit card, the third party may need to know that you have at least $10,000 in your bank account. With zero-knowledge proofs, you can provide a yes/no answer to this question without revealing your actual balance or any other information about yourself. Same goes for any other type of attestation, such as that you’re over 18 years old, you have a driver’s licence, etc. All can be confirmed without leaking, for example, your true age or your address.
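The yes/no threshold check described above can be illustrated with a hash chain, shown here as an added example that is not Tenbeo's code or protocol. It is a simpler minimal-disclosure construction than a general zero-knowledge proof, and the function names, the credential ID and the dict standing in for the ledger are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def _chain(value: bytes, steps: int) -> bytes:
    """Apply domain-separated SHA-256 to `value` `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(b"threshold-chain|" + value).digest()
    return value


def issue(attribute_value: int) -> Tuple[bytes, bytes]:
    """Issuer: return (secret seed for the holder's vault, public commitment)."""
    if attribute_value < 0:
        raise ValueError("attribute must be non-negative")
    seed = secrets.token_bytes(32)
    return seed, _chain(seed, attribute_value)


def prove_at_least(seed: bytes, attribute_value: int, threshold: int) -> Optional[bytes]:
    """Holder: build a proof that attribute_value >= threshold, or None if it is not."""
    if threshold < 0 or attribute_value < threshold:
        return None
    return _chain(seed, attribute_value - threshold)


def verify_at_least(commitment: bytes, proof: Optional[bytes], threshold: int) -> bool:
    """Verifier: hash the proof `threshold` times and compare with the ledger entry."""
    if proof is None or len(proof) != 32 or threshold < 0:
        return False
    return hmac.compare_digest(_chain(proof, threshold), commitment)


def demo() -> Tuple[bool, bool, bool]:
    ledger = {}                      # stand-in for the distributed ledger (assumption)
    cred_id = "cred-001/age"         # constructed credential ID
    seed, ledger[cred_id] = issue(34)  # constructed sample: holder is 34

    over_18 = verify_at_least(ledger[cred_id], prove_at_least(seed, 34, 18), 18)
    over_40 = verify_at_least(ledger[cred_id], prove_at_least(seed, 34, 40), 40)
    forged = verify_at_least(ledger[cred_id], secrets.token_bytes(32), 18)
    return over_18, over_40, forged  # the verifier never sees the value 34


if __name__ == "__main__":
    print(demo())
```

A proof in this scheme can be replayed by whoever receives it, so a real deployment would also bind it to the verifier and session.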
A new paradigm for identity management
It’s important to note that DLT-based decentralizing of identity management doesn’t mean dismissing the state or destroying business potential. Rather, it promotes good governance, improves customer experience, and reduces costs.
While tech giants currently cashing in on data capture and sale will certainly be disappointed by such a system, many other businesses will embrace it for the simple reason that it simplifies their interaction with customers. By freeing them from the risks and costs of managing sensitive data, new business opportunities are created.
In terms of governance, DLT-supported identity management can be built on top of existing systems. It’s an added layer that supports legacy systems, making them less vulnerable to failure and influence by predatory actors. As individuals take ownership of their identity data, not only can they interact with business and government services more easily, they are also freed to act in their own interests, thereby bolstering freedom and democracy.