The General Data Protection Regulation (GDPR) and Facebook's data privacy leaks have focused greater attention on the issues around the data privacy of consumers. These headlines come at a time when plenty of organizations are collecting your data, and there is not a single set of rules about how that data must be handled. Do you own your own personal data about yourself? Can you even control it or know what's out there?
Internet identity is a related topic. Who are you on the Internet? Are you your Tinder profile? Your banking profile? Your educational certifications and credentials? Your profile as a citizen, as documented in your driver's license, voter registration, and other state records? You are all those people. And you probably don't want those profiles to be intermingled.
Besides the question of managing your many online identities, there's another big question -- who owns and controls them?
The rules and the infrastructure of Internet identity are being crafted now. There's a movement underway to give individuals control over their own data rather than cede control to credential-issuing authorities such as employers, governments, and social media network providers. It's still in the early stages, and there are a lot of moving parts, and a lot of organizations working on it.
But now is the time to pay attention, according to Kaliya Young, also known as "Identity Woman," who offered her perspective on the movement during the session "Identity is Changing: The Rise of Self-Sovereign Identity Infrastructure Using Blockchain" at Interop ITX this month.
Young pointed out that the early development of the physical infrastructure of roads and railroads has had a lasting impact on transportation infrastructure, as early routes became established routes. Standards and protocols are essential components of these infrastructures. For instance, she said, it was complicated and difficult for the railroads to keep accurate train schedules at the beginning of their operations when each local jurisdiction set its own local time. There was no Eastern Standard Time or Pacific Standard Time. There were local times in each city, and they may have differed by 12 minutes here, or 23 minutes there. Creating standard time zones in 1883 improved the infrastructure of the railroads.
Today, it's all aboard to craft the infrastructure for identity.
Now, people have pieces of their identity stored in many different apps online, and those pieces of your identity are overseen by the apps that host them, from banking to social media to professional sites. All these online venues store different aspects of your identity, and you don't necessarily want to share your banking identity with Tinder. In addition to these, your identity is associated with the credentials you hold -- for instance a driver's license issued by your state government, or your diploma issued by your higher education institution. Not every institution needs all this information about you. But the ideal scenario is for you to have an easy, secure, verifiable way to communicate only the relevant pieces of your identity and credentials to specific entities, such as your bank, your prospective employer, or your government. This kind of approach is called self-sovereign identity.
Young has been part of the movement working on self-sovereign identity for several years, and there are a number of technical components to creating a system to enable this. Indeed, she said that self-sovereign identity is now possible because these technologies are now available, including smart phones, cloud computing, public key infrastructure (PKI), shared ledger technologies (also called distributed ledgers or Blockchains), open standards for decentralized identifiers (DIDs), PairWise or directed identifiers, and open standards for verified claims.
Young said that self-sovereign identity systems are still under development, but there are currently working wallets in labs. Here's how it works. A person gets an app on their smart phone called an edge wallet and sets up a relationship with a service provider to support their cloud wallet. (The cloud wallet provider can be changed at each person's discretion, as needed.) Using these tools you generate a decentralized identifier or DID -- a really, really long number -- which gets published to a Blockchain. Each person proves that they own their long number with a public key attached to it. The wallet itself contains a private key that proves the person is the owner of the public key. Then all the identity information -- your bank account information, your college diploma, your Cisco certification, your driver's license -- is stored in your cloud agent.
Young said that you can ensure a separation of all your different online identities by maintaining different DIDs for each one. Each DID is stored in your wallet.
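The flow described above (a DID published with a public key, a private key in the wallet that proves ownership, and a separate DID per relationship) can be sketched in a few lines. This is an added example, not code from Young's talk or any wallet project; the in-memory `ledger`, the `did:example:` prefix, the hash-derived identifier and all function names are assumptions made for illustration, with Node's built-in Ed25519 signatures standing in for whatever a real DID method specifies.

```javascript
const crypto = require('crypto');

// Stand-in for the shared ledger (assumption): it holds only DID -> public key.
const ledger = new Map();

// Wallet side: make a key pair for one relationship, derive a DID from the
// public key, publish the public half, keep the private half in the wallet.
function createDid(wallet, relationship) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const did = 'did:example:' + crypto.createHash('sha256').update(spki).digest('hex');
  ledger.set(did, spki);
  wallet.set(relationship, { did, privateKey });
  return did;
}

// Verifier side: a fresh random challenge, so an old proof cannot be replayed.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Wallet side: sign the challenge with the key tied to that relationship.
function proveControl(wallet, relationship, challenge) {
  const { did, privateKey } = wallet.get(relationship);
  return { did, signature: crypto.sign(null, challenge, privateKey) };
}

// Verifier side: fetch the DID's public key from the ledger, check the signature.
function verifyControl(proof, challenge) {
  const spki = ledger.get(proof.did);
  if (!spki) return false; // DID was never published
  const publicKey = crypto.createPublicKey({ key: spki, format: 'der', type: 'spki' });
  return crypto.verify(null, challenge, publicKey, proof.signature);
}

// Constructed scenario: one wallet, two relationships, two unlinkable DIDs.
function demo() {
  const wallet = new Map();
  const bankDid = createDid(wallet, 'bank');
  const datingDid = createDid(wallet, 'dating-app');
  const challenge = newChallenge();
  const proof = proveControl(wallet, 'bank', challenge);
  return {
    distinctDids: bankDid !== datingDid,
    validProof: verifyControl(proof, challenge),
    replayRejected: !verifyControl(proof, newChallenge()),
    wrongDidRejected: !verifyControl({ did: datingDid, signature: proof.signature }, challenge),
  };
}
console.log(demo());
```

Because each relationship gets its own key pair, nothing on the ledger ties the bank DID to the dating-app DID; only the wallet knows they belong to the same person.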
The Internet Identity Workshop has been working on identity issues, meeting twice a year since 2005 at the Computer History Museum in Mountain View, California. The next meeting is in October 2018. Young also pointed to this W3C work on decentralized identifier (DID) methods, and several other places to go for DID information and efforts. Another organization at work on the issues around online identity is the Decentralized Identity Foundation, whose members include RSA, Accenture, IBM, and Microsoft.
You can't really go out and set this up now for yourself or your organization. But the work is underway to create the infrastructure for it and put the pieces together to create the system to realize the vision -- "a world where people and organizations own and control their identifiers and their identity data."
Jessica Davis has spent a career covering the intersection of business and technology at titles including IDG's Infoworld, Ziff Davis Enterprise's eWeek and Channel Insider, and Penton Technology's MSPmentor. She's passionate about the practical use of business intelligence, ...