Tactical Information Systems
Biometric Identification Software
SERVER.png

Identity & Technology

Tactical Information Systems Blog

Identity and the Blockchain

I am always interested in learning about companies that are innovating in the identity space. There is a lot of opportunity for innovation, and the more companies are willing to try more things, the more likely it is that Internet can be made relatively safe from scammers and bad actors.

Two new companies are attempting to use the Bitcoin blockchain as a means of registering/proving identity. I'll assume you are familiar with the electronic currency Bitcoin, but you may not be familiar with the integral component of bitcoin called the blockchain. In basic terms, the blockchain is the shared ledger that holds every single Bitcoin transaction ever made. The neat thing about it is that it is a public registry that anyone can use, but you don't have to trust anyone in order to trust the blockchain itself. Cryptography makes it so that it is effectively impossible for anyone to corrupt the blockchain. The value of Bitcoin depends upon it.

OneName

OneName was one of the first companies to attempt to do identity using the blockchain. Basically what they do is allow you to assert that you own a particular Facebook, Twitter, or GitHub profile. Interestingly, they do this by having you post something publicly on those platforms instead of using OAUTH. This is important because it lets someone outside of OneName validate the assertion. Once you have done this, OneName generates a digital hash of this data and puts in on the blockchain.

onename.png

In a way, this is kind of like a title registration. You are registering your social profile on the blockchain, where anyone else can verify it, forever (or at least as long as Bitcoin is relevant). While this is interesting, it is not clear what problem it is solving in terms of online identity verification. I registered with OneName. You can see my profile here. But there is nothing to stop someone from impersonating me and creating a clone account on Facebook (or the other platforms). And then they can go comment on blogs as me, try to connect to my friends, etc. It's not really an identity. All it means is that I registered these accounts on the blockchain (via OneName) at a particular time. If there was some value in being the first "Alex Kilpatrick" to register, then that might be useful. But in this case there isn't. If there is ever a contention for who is a particular Alex Kilpatrick, then I don't see OneName as helping resolve that dispute.

ShoCard

ShoCard is an interesting startup that was recently written up in TechCrunch. ShoCard is an app that lets you scan in your driver's license and also a physical signature. Then, ShoCard puts an entry in the blockchain with a hash of that information. Then, when you want to use that credential somewhere (like a bank), you present that data in a digital form to the merchant. Then can then verify that your data matches the entry in the blockchain. Only someone who had your private key could have presented that data.

ShoCard's approach is interesting for a couple of reasons. First, they don't store any sensitive data. All that data is retained by the consumer, and only the hash is on the blockchain. By using the blockchain they ensure that their usefulness (might) live on after they go out of business, and it does ensure that their back-end data hasn't been compromised. However, it is not clear to me how this is any different from just mailing my bank a digital copy of my driver's license. The fact that I asserted it on the blockchain just means I had that driver's license at that time. It could be mine. It could be one I bought online. Or it could be one I copied from Google Images. The ShoCard approach doesn't really prove identity.

In some cases a copy of a driver's license is enough, and some online sites accept that, presumably for things that aren't too critical. However, the main value of a driver's license lies in the fact that it is relatively hard to copy, and you can compare it against the person standing in front of you. This is why it is such a critical part of new account creation for banks. When you use a digital copy of a driver's license online you lose both of those advantages.

Why not the blockchain?

I've been fascinated by the blockchain and Bitcoin for a while. But I can't seem to figure out a good use for it in the online identity verification space. How is it better than some of other methods? I think the reason is that the blockchain only is really useful if an authoritative source is creating entries on it. In Bitcoin, this is implicit in how transactions work. But if anyone can make an entry for anything on the blockchain in other areas, it makes it much less useful as a general store of information. As a counter-example, imagine if the DMV offices could hash driver's license info on the blockchain at the time of issuance. Then, anyone could verify a driver's license against the blockchain and ensure it was genuine, and without any loss of privacy. That would be useful! But that only works because we can assume there aren't any competing or nefarious DMVs asserting driver's license info on the blockchain. But with simple self-asserted version of identity, the blockchain doesn't really help - you end up with shallow identity assertions devoid of provable connections to real-world identities.