Written by Victoria Dorum
on 

Digital Age Identity Management Challenges

alt text

In the past few decades, identity has been an increasingly evolving concept. In the physical world, identity systems are government issued credentials, such as state ID, passport, and social security number. These tangible documents allow the identity holder a great amount of control over revealing his or her identity. In the virtual world, however, identity systems are not held by the identity holder, but by companies and corporations. As a result, digital identity has reached a height of centralization and interconnectedness, where digital giants are the identity holders of the individuals.

A website’s ability to validate the user’s identity is very important. Identity validation online, enables users to interact with each other. A user may be a person, a group of people, an organization, or a non-human computational agent._ _Everytime a user creates an account, whether it is a payment account, social media or a consumer account, that entity receives an identity token from an identity system established by the provider with which the account is created.1 That identity token may be identifiable, pseudonymous or even anonymous to other users or entities within the same system.2 Every virtual interaction that uses the provided identity token is transactional in nature. These transactions exemplify the inherent benefits of identity systems.3 For example, a user identity token enables the user to store their information on the could and easily access it later, save their preferences, for content a user chooses to see on a given platform, keep credit card information on file, and many other things we take for granted when creating any user account. Typically, online organizations use one of three identity management systems for identity validation: centralized identity, federated identity and self-sovereign identity.4 Each of these systems is subject to its own set of pros and cons with respect to how much control a user has over its own identity.

Centralized Identity Management

A centralized Identity management system embodies multiple logins by a single digital identity.5 For example, a Single Sign On (“SSO”) function allows a single account with an organization to be accessed by multiple web applications.6 SSO enables a user to browse its Gmail account in one tab and open YouTube in another, using a single sign in session. It is also the tool in which web services grant you access to different sections in the same broader account. Consider online banking, for instance. A user can typically move from their checking account to a savings account without re-entering login credentials, even though these two accounts are very distinct.

Unfortunately, granting control of online user’s identity to centralized authorities of the online world results in an array of problems. For instance, users are locked in to a single authority who can deny their identity or even confirm a false identity. Additionally, centralization innately gives power to the centralized entities and little to no power to the users.7

To a large extent, identity on the Internet, today, is still centralized, or at best, hierarchical. Digital identities are owned by certificate authority organizations, domain registrars, and individual sites, and then rented to users or revoked at any time. However, for the last two decades there has also been a growing push to return identities to the people, so that the users have greater control of their identities.

Federated Identity Management

Federated Identity Management is a set of agreements and standards that enable the portability of identities across multiple enterprises and numerous applications to support large numbers of users.8 It is essentially an arrangement that can be made among multiple organizations that let subscribers use the same identification data to obtain access to an application, program, and even the networks of all members of the group.9

One of the most significant differences between centralized and federated identity management is that while SSO allows a single authentication credential to access different systems within a single organization, a federated identity management system provides single access to multiple systems across different enterprises. In a federated identity management system, users do not provide credentials directly to a web application, but only to the federated identity management system itself. An example of such a system is a user’s ability to log in to different third party applications within a platform such as Google, Facebook, Linkedin or Twitter accounts.10 The biggest downside to this system was that originally such log ins required the Federated identity to share the whole profile of the user. This is no longer the case, as large platforms later switched to a user centric identity system, a sub-type of federated identity management. A user centric system enabled identity systems to only share parts of the user profile, which in certain circumstances a user may modify.

Even user centric federated identity management systems fall short of user control, however. To start, there’s no choice of provider. Certain applications only allow logins with one specific platform. Worse, many such platforms have a history of arbitrarily closing accounts, resulting in a user losing the identity token and access to their account.11 As a result, people who access other sites with “user-centric” identity may be vulnerable to losing that identity in multiple places at once. Thus, the user-centric system does not actually give the user any real control over their own identity token. In other words: being user-centric isn’t enough.

User-centric designs turned centralized identities into interoperable federated identities with centralized control, while also respecting some level of user consent with regard to whom and how an identity is shared. It was an important step toward true user control of identity, but nonetheless, just a step. To take the next step, required user autonomy.12 Legal policy makers recognized the problems proliferating due to the users’ inability to control their own identity tokens and attempted to provide autonomy through legislation. In Europe, the General Data Protection Regulation (“GDPR”), was drafted with the intent to give users more control of their data and identity tokens. GDPR is made up of several articles and recitals that govern data processing and management of EU data subjects.13 GDPR requires that every user is given a right to data rectification, export and erasure.14 Data portability is an important right given by the GDPR, which would could be achieved by an identity system that gives a user autonomy over their identity.15 Additionally, GDPR’s privacy by design requirements compel organizations to think about privacy from development to deletion.16 This means that GDPR does not only require the development of secure systems, but also data management tools that would allow a user the maximum amount of control over their user profile. The call for self-sovereign data management tools in designing a GDPR compliant data system is further underscored by the GDPR’s requirements of consent lifecycle management.17 Consent and consent lifecycle are very significant and well defined concepts within GDPR, which require an organization to have a well designed consent management system for capturing, storing and managing users’ consent for the purposes of sharing user profile data and give users’ rights for review and revocation of existing consent.18

Self Sovereign Identity: A New Approach (Peer to Peer Model Using Blockchain)

The initial push to give users more control over their digital identities, however, did not start with the GDPR. Privacy advocates and technologists contemplated the idea of a self-sovereign identity system since 2010s. Rather than just advocating that users be at the center of the identity process, self-sovereign identity requires that users be the rulers of their own identity. In the past decade, the idea of self-sovereign identity gained momentum, but opinions differed about the best way of implementing such a system. For example, a developer, Moxie Marlinspike, proposed a mathematical policy approach to self sovereign identity, where cryptography is used to protect a user’s autonomy and control.19 Respect Network, on the other hand, addresses self-sovereign identity as a legal policy, which would define contractual rules and principles that members of their network agree to follow20. Many other models were advocated as well.21 One model, of particular interest, is a peer to peer self sovereign identity system model that uses blockchain technology. In the next article, I intend to explain this model, its benefits, and how it fits in with the requirements of the GDPR.

Stay tuned!

Notes

  1. Vossaert, J. at al, “User-Centric Identity Management Using Trusted Modules,” Mathematic and Computing Modeling, 2013, available at https://www.sciencedirect.com/science/article/pii/S0895717712001331. ↩︎

  2. Id. ↩︎

  3. Smith, S., at al., “Identity System Essentials,” Evernym, 2016, available at https://www.evernym.com/wp-content/uploads/2017/02/Identity-System-Essentials.pdf. ↩︎

  4. Tobin, A. et al., “The inevitable Rise of Self Sovereign Identity,” The Sovrin Foundation, 2016, available at https://sovrin.org/wp-content/uploads/2017/06/The-Inevitable-Rise-of-Self-Sovereign-Identity.pdf. ↩︎

  5. Id. ↩︎

  6. Vossaert, J., supra. ↩︎

  7. Tobin, A., supra. ↩︎

  8. Id. ↩︎

  9. Id. ↩︎

  10. _See id. _ ↩︎

  11. See e.g., Hassine, Wafa Ben, et. al., “Changes to Facebook’s ‘Real Name’ Policy Still Don’t Fix the Problem,” EFF, 2015, available at https://www.eff.org/deeplinks/2015/12/changes-facebooks-real-names-policy-still-dont-fix-problem. ↩︎

  12. Tobin, A., supra. ↩︎

  13. GDPR, Recital 22; GDPR, Recital 2. ↩︎

  14. GDPR, Articles 16, 17, 20; see also GDPR, Recital 65. ↩︎

  15. See GDPR, Article 20. ↩︎

  16. GDPR, Article 25. ↩︎

  17. See GDPR, Articles 7, 9, 22, 45, 46; see also GDPR, Recital 42. ↩︎

  18. See GDPR, Article 7. ↩︎

  19. Marlinspike, Moxie, “Self-Sovereign Identity,” The Moxie Tongue., 2016, available at http://www.moxytongue.com/2016/02/self-sovereign-identity.html. ↩︎

  20. Respect Network, “The Respect Trust Network v2.1”. Oixnet.org.,” 2016, available at http://oixnet.org/wp-content/uploads/2016/02/respect-trust-framework-v2-1.pdf. ↩︎

  21. Graydon, Carter, “Top Bitcoin Companies Propose the Windhover Principles – A New Digital Framework for Digital Identity, Trust and Open Data,” CCN., 2014, available at https://www.cryptocoinsnews.com/top-bitcoin-companies-propose-windhover-principles-new-digital-framework-digital-identity-trust-open-data/; Smith, Samuel M. and Khovratovich, Dmitry, “Identity System Essentials,” Evernym, 2016, available at http://www.evernym.com/assets/doc/Identity-System-Essentials.pdf. ↩︎