Co-CEO, Fluree PBC. Co-founder, Silk Road Technology.
In an era where you can fund art through Patreon and bills through GoFundMe, pay rent on Venmo, and use your Facebook login to access work applications, why is the driver’s license still a piece of physical plastic? Why is the passport still a book, the diploma still a piece of paper?
Because they’re too important. IDs, diplomas, social security numbers and the like are considered verifiable credentials. They are managed by a central authority such as the DMV or a university. Most ensure the basic rights of citizenship. Digitization is not to be taken lightly, especially given that the identities of up to 33 million Americans have already been stolen in data breaches.
Physical documents, with their holograms and RFIDs, are in theory less accessible. Yet these documents also become insecure when exposed to digital infrastructure. The minute a lender asks you to send over a picture of your driver’s license, or a bank asks to verify your identity with your social security number, your data is exposed to the insecurities of whatever system the recipient uses.
Only when verifiable credentials move beyond the need for a central authority will a new era of online trust, efficacy and even privacy dawn.
Authority Does Not Require Centralized Power
As mentioned in my previous article, the trouble with centralization is that data is stored in a database. Once breached, a database can yield a treasure chest of information to be sold on the dark web. This costs victims dearly. In the US, the average organization pays $8.19M per data breach. Identity theft increased 46.4% between 2018-19. Subjecting verifiable credentials to the same system would be a recipe for even more breaches.
The good news is that digitization does not always require databases. Blockchains can replace databases in some cases, including verifiable credentials (though a public blockchain, with all information visible to everyone on a ledger, may not be a good idea). What’s most important for driver’s licenses, diplomas, etc. is that an authoritative agency or institution issues them, otherwise a diploma from a mill is as good as one from Harvard. This issuing authority, however, does not need its powers of verification centralized in one place. Decentralized identifiers (DIDs) can digitize the verification process with less risk to security than a paper or plastic document.
How DIDs Work
Chances are, you’re already using a decentralized process to verify security on the everyday internet. Websites use an SSL certificate that lights up with a little green lock. Email providers verify identities through spam filters. Yet phishing proves that filters are less than foolproof, and SSL is prone to injection.
Driver’s licenses, passports and other verifiable credentials require more than what a browser can offer. A decentralized identifier (DID) provides that extra layer of security. It is a form of cryptography that can be accomplished by a phone app, a blockchain, a file system, on AWS, in a web browser, or even on a thumb drive.
DIDs use cryptography and public keys to bypass the need for a central authority. Take a driver’s license as an example. Instead of printing out a hologram, images and data on a plastic card, the DMV publishes authoritative attributes or schemas. For a driver’s license, this means cryptographic codes that can be unlocked to reveal state, expiration date, etc. These attributes are then stored in a decentralized registry by the person whose identity is on the driver’s license. Every time someone needs to verify the driver’s license, its attributes are cryptographically verifiable through public keys.
Unlike with paper IDs, citizens can retain their privacy while proving only the relevant parts of their identity in a digital format. If date of birth is the only important factor for getting into a bar, that’s all your driver’s license (as a verifiable credential) will show. The person wishing to verify the authenticity of your date of birth will use software that can run the right mathematical proof to point back to the DID’s origin. Your credential is verified, the bar is satisfied, and you have only revealed as much as you want to.
Why the Internet Needs Verifiable Credentials
With global data flowing between endless SaaS apps and APIs, online security has become something of an oxymoron. Data laws such as GDPR and California’s CCPA are catching up, and forcing online providers–which is almost everyone these days–to take data security seriously. Complying with GDPR costs the average business between $100,000-$500,000, an untenable expense for many of the small businesses that are the engine of the US economy, or those who run on thin margins. Verifiable credentials and DIDs, because they scale easily, are a much more cost-effective solution.
The overcomplicated internet has led to an epidemic of fraud in general, from ID theft to counterfeits. Organizational networks with many moving parts, such as supply chains, easily lose track of every piece, opening up easy opportunities for malfeasance.
To track the movement of a single toy through an international supply chain, for example, you would either have to integrate multiple countries’ suppliers’ and customs software to work together–good luck–or find a new way. If every supplier on the chain adds their verifiable credential to a blockchain, full traceability would happen, and things like shipment fast lanes and pre-approvals could become a reality.
Another example involves diplomas. Community colleges reliably feed second-year students to universities, where those students then graduate. Yet the community colleges, many of which are funded based on the number of graduates, do not get credit for university graduates. If transcripts and diplomas are transformed into DIDs, then college administrators can easily see which students matriculated and graduated from university, and gain retroactive credit for funding.
From permanent resident cards to anonymous payments to automatic notarization, verifiable credentials and DIDs are a technology whose time has arrived. Use cases are currently being piloted; many will surface in coming months and years. Security on the internet as we know it may be broken, but it is not beyond saving. A touch of the cryptographic wand, and we’ll be able to repair trust once more.