The internet has been in widespread, world-wide use for more than twenty years, but we still lack adequate methods and systems for verifying the identities of individuals on line. Many experts have expressed their thoughts about the inadequacy of user-defined passwords for identity verification. They point out that users often create weak passwords. Users often lose passwords, requiring a backup system which is itself inherently less secure than a strong password and more prone to social engineering. And, users often use the same password on multiple accounts. Experts also point to numerous data breaches in recent years as proof of the lack of sufficient security around the protection of users' passwords on corporate and government servers.
Despite years of international conferences focusing on the issues involved in the digital identity problem, no one solution has been widely adopted. The difficulty in arriving at a universal solution revolves around three factors that are critical for a well-designed digital identity system: trust, sovereignty, and inclusion.
In order for users to trust companies and governments with their digital identities, users must be confident that these organizations will provide three things: security, confidentiality, and accountability. Trust cannot occur while companies and governments continue to have numerous scandals and data breaches. Just one data breach at Equifax exposed the names, dates of birth, Social Security numbers, and addresses of 143 million Americans. In recent years, hundreds of major data breaches have occurred. In the first six months of 2018 alone, 2308 data breaches were publicly disclosed, accounting for the exposure of 2.6 billion users' personal data. It is estimated that a total of about 4.5 billion identity records were compromised during that time. The situation is so serious that social security numbers can now be purchased for as little as one dollar on the dark web.
In addition to unintentional loss of data, many companies intentionally divert users' personal data for profit. Facebook is arguably the most glaring example of this with seemingly monthly scandals as users gain new insights into its use of their data. Currently, no laws in the United States prevent Facebook's behavior, but, laws have recently been passed in the European Union that hold companies accountable for how they collect and handle personal data. This has not happened yet in the United States, where individuals often do not have access to courts, instead being forced into binding arbitration when the need arises to bring disputes against organizations like banks and other financial institutions. But, perhaps EU accountability laws will soon inspire changes in US law.
The second requirement for a well-designed digital identity system that is mentioned above is identity sovereignty. Identity is the recognition of a person as a unique individual in society. Digital identity sovereignty means placing individuals in control of their own digital identity, including the ability to decide who may collect and access their personal information and for what uses. Identity sovereignty is necessary to ensure an individual's right to privacy, because one cannot have privacy if everything that can be known about him is already known and controlled by someone else. By the way, although some argue that citizens of the United States have no right to privacy, the right to privacy is a legal concept that has a foundation in an 1890 Harvard Law Review article by Supreme Court Justices Warren and Brandeis. In this article, the justices argued that in order that "the individual shall have full protection in person and in property" the law must be expanded to recognize "the right to privacy". Additionally, the fourth amendment to the US constitution states, "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." If that is not a description of the right to privacy, then what is it describing?
Although identity is recognized by international law as a basic human right, many governments are still under the conflicting impression that they have the right to be in control of an individual's identity through the issuance of "pieces of identification" like driver's licenses, social security cards, or biometric records. Clearly, this gives governments the power to violate international law simply by refusing to issue such pieces of identification. Therefore, in order to comply with international law, governments must recognize the right to individual digital identity sovereignty.
The last requirement for a well-designed digital identity system, digital inclusion, means the ability of everyone in a society to acquire the skills and access to online systems for transactions pertaining to the maintenance and verification of their digital identities. These transactions may involve purchasing goods, checking bank balances, applying for governmental aid, voting in elections, and many others. Development of skills requires education and training. Access requires programs for poor people who cannot afford to pay for internet connections, computers, and software to get on line.
Now that we've discussed general principles that are important to the identity problem, let's summarize several specific solutions that are available today. They include Keybase, ZeroID, ZeroVerse, Sakia, Onename (now Blockchain Name System), IBM Blockchain Trusted Identity, Namecoin, OpenID, idcoin, and Stampery. Many of these use blockchain technology to provide decentralized control of a public ledger, thus ensuring individual digital sovereignty.
Stampery uses blockchain technology to store encrypted data. Stampery is used in the Estonian e-Residency identification card. Estonia is the first country to offer an identification card to anyone in the world for use in establishing and administering a location-independent Estonian company online. This means that anyone in the world can pay $118 to apply for the right to start an Estonian virtual company and do everything via the internet that is necessary to run it from day to day, including securely transmitting legal documents, conducting e-banking, and legally, digitally signing documents and contracts. Estonian citizens can use e-Residency cards to vote on line. The e-Residency program was temporarily suspended in 2017 due to a major security flaw that could have allowed identity theft. Owners simply had to update to a new security certificate to reactivate their cards.
ZeroID and ZeroVerse are used to verify users' identities on ZeroNet, a decentralized, peer-to-peer network that hosts a collection of websites on users' computers, not on central servers. Despite the fact that ZeroNet is decentralized, ZeroID and ZeroVerse are not decentralized. ZeroID uses public and private keys instead of passwords. Other than this, not much information is available.
OpenID is an authentication protocol that relies on transmission of JSON messages to and from a central server over HTTP.
Namecoin is similar to bitcoin, but it can store data within its decentralized blockchain database. Namecoin has multiple uses, including the management of identities.
Onename uses the Namecoin protocol to store usernames and personal data in the Namecoin blockchain.
Keybase is an open-source application that can be used to store personal identity information, chat, and share files securely. It uses a public/private key pair for encryption.
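Both ZeroID and Keybase are described above as relying on a public/private key pair rather than a password. What that buys a user is that the secret never leaves their machine: the server stores only the public key and can only ask the holder to prove possession of the private key. The Go program below is an added example, not ZeroID or Keybase code, of the challenge-response pattern such systems rest on, using Ed25519 from the standard library. The `Server`, `Client` and `Exchange` names are the example's own, and the server's replay protection (each nonce is single-use) is the detail a practitioner would check for in any real implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is a hypothetical identity server. It keeps only public keys, so a
// copy of its table gives an attacker nothing to replay or crack.
type Server struct {
	users  map[string]ed25519.PublicKey // username -> registered public key
	issued map[string][]byte            // username -> outstanding challenge nonce
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

// Register stores a user's public key; the matching private key stays with the user.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random nonce. Signing it proves possession of the
// private key without ever sending the key to the server.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.issued[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce, then discards the
// nonce so a captured signature cannot be replayed for a second login.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, known := s.users[user]
	nonce, pending := s.issued[user]
	if !known || !pending {
		return false
	}
	delete(s.issued, user) // single use, whether or not the signature checks out
	return ed25519.Verify(pub, nonce, sig)
}

// Client holds the private key and signs whatever challenge the server sends.
type Client struct {
	priv ed25519.PrivateKey
}

// NewClient generates a key pair and returns the public half for registration.
func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

func (c *Client) Answer(nonce []byte) []byte {
	return ed25519.Sign(c.priv, nonce)
}

// Exchange runs one complete login round trip and reports whether it succeeded.
func Exchange(s *Server, c *Client, user string) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return s.Verify(user, c.Answer(nonce)), nil
}

func main() {
	s := NewServer()
	alice, alicePub, err := NewClient()
	if err != nil {
		panic(err)
	}
	s.Register("alice", alicePub)

	ok, _ := Exchange(s, alice, "alice")
	fmt.Println("alice with her own key:", ok) // true

	impostor, _, _ := NewClient()
	ok, _ = Exchange(s, impostor, "alice")
	fmt.Println("someone else's key:", ok) // false
}
```

The trade-off the article goes on to discuss shows up directly here: losing the private key means losing the identity, so a real system needs a recovery path, and that path is where the usability and security questions reappear.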
If so many experts agree that password-based systems are inferior to the other available identity systems that are discussed above, why do we still use password-based systems? In comparing password-based systems to other systems, we must talk about three things: usability, deployability, and security. Usability refers to the ease of use of the system from the user's perspective. Deployability refers to the cost and difficulty of putting the system's infrastructure in place so that the method can be used. Security refers to the level of difficulty involved in an unauthorized user getting access to private data. There are many details associated with each of these issues which are beyond the scope of this article, but interested readers can find discussions of them in a paper that can be downloaded here. Although a comparison of the use of password-based systems to the use of other systems is a complex undertaking, it is clear that strong password-based systems are better in some of the respects just mentioned than are other digital identity systems, and they are worse in others. The final solution to the identity problem, if there is one, may lie in the use of multiple factors, just as we have already begun to see the use of passwords coupled with second-factor authentication methods.
For the time being, it seems multiple explanations exist for the slow evolution of digital identity systems. One is that government is looking to business to implement digital identity systems, and business is looking to government. Another is that a single, optimal standard, or a small number of them, has not been agreed upon. Another is that the interests of individual users are not necessarily aligned with those of governments and business. For example, while an individual may want to have a digital identity that protects his private information and is under his control, governments may want control, and organizations like Facebook may want access to users' data without the users' permission. Despite these conflicts of interest, it seems that non-password-based digital identity systems will continue to be invented. The only question is, whose interests will they protect?
Copyright © 2018-2019 The Cheapskate's Guide to Computers and the Internet. All rights reserved.