Paulo Cardoso do Amaral

Control of Personal Data: A Token Issue?

The global community is increasingly dependent on technology for communication and data exchange. While we can all appreciate the benefits that this technology provides, there is a very large and growing issue in relation to the privacy and security of personal data.


Our respective digital footprints are expanding every day. Data such as your name, address, sex, ethnicity, birthday, education, work status, religious and political beliefs, banking data, and health data come to mind immediately; however, our footprint also includes biometric data, voice data, search history, web-browsing history, media consumption, social media behaviour, communication history, purchase history, location tracking and devices accessed.


In the wrong hands, this data can provide deep insight into our lives and behaviours that can cause great harm on a personal and societal level.


Data Vulnerability

The importance of this data privacy and security issue is slowly coming into public awareness. We see newspaper articles almost every day highlighting cyber-attacks that compromise the personal data of large swathes of people. And it is not uncommon to see investigative reports examining the legally and ethically questionable practices of companies looking to monetise personal data.


The introduction of regulations such as GDPR provides a very welcome legal framework around the protection of personal data. However, such regulations do not and cannot effectively protect against ethically bankrupt commercial practices or ever-increasing hacks and cyber-attacks.


Personal Control of Personal Data


Currently, third-party service providers act as custodians of “identity” and personal data. They store our personal information on their databases in order to provide access to and deliver services. However, this type of centralized system is both inefficient and open to attack. The huge stores of personal data held by the many third-party custodians are very attractive to hackers who see the potential of big paydays.


Blockchain technology, and more specifically data tokenization, enables us to place the control and transfer of personal data back into the hands of the individual. Each individual gets to decide who sees what and when and for how long. This control greatly reduces the possibility of third parties using personal data in a manner unknown to, or unwanted by, the individual.


The storage of personal data is more efficient and far safer as there is no “honey pot” effect, i.e., no single point of failure offering a big payday. It is also very good for third-party service providers as it makes it far easier to comply with data security and privacy regulations - such as GDPR. (Many mistakenly believe that Blockchain and GDPR are incompatible - this is very far from the truth.)


How it Works

Data stored and exchanged in tokenized form on the blockchain can be in an anonymised/pseudonymised form so as not to contain any personal data. The combination of Decentralized Identifiers (DID) and verifiable credentials enables this pseudonymisation.

Decentralized Identifiers

Decentralized Identifiers (DID) are free, unique, machine-readable, user-controlled, persistent and anonymous identifiers that are decoupled from the “personal data” about the user they “identify”.


Since the generation and assertion of Decentralized Identifiers is user controlled, everyone can have as many DIDs as necessary to maintain their desired separation of identities, personas, and interactions. However, DIDs do not by themselves provide trust - that’s where verifiable credentials come in.


Verifiable Credentials

Verifiable Credentials are a way of representing the attributes that we all associate with our identity e.g., a birth certificate issued by a government indicating when/where a person is born.


This enables anyone to verify the source, integrity, and validity of any data that is presented to them and to do so robustly and securely. This mechanism uses public key cryptography to digitally sign each data element.

For example, when an identity owner presents proof of their date of birth, the verifying party does not check the truth of the date of birth itself. Instead, it validates the signature of the government that issued and attested to this credential, and then decides whether it trusts the government’s assessment of the accuracy of the data.


As you can see, the entities currently responsible for personal data maintenance (ID card, passport, driving license...), will continue to do so, just in a different form. By leveraging blockchain technology we can establish trust between parties and guarantee the authenticity of the data and attestations, without actually storing any personal data on the blockchain.
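
An added sketch of the check described above (not code from the original article): an issuer signs each attribute separately against the holder's DID, and the verifier accepts a presented date of birth only if the signature comes from an issuer it trusts. The `did:example:` hash derivation, the choice of Ed25519, the function names and the sample values are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical DID scheme for this sketch: "did:example:" + SHA-256 of the public key.
const didFor = (publicKey) => 'did:example:' + nodeCrypto.createHash('sha256')
  .update(publicKey.export({ type: 'spki', format: 'der' })).digest('hex').slice(0, 32);

// Anyone can mint as many identifiers as they like; no personal data is involved.
function newIdentity() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { did: didFor(publicKey), publicKey, privateKey };
}

// Fixed-order array so issuer and verifier serialise a claim to identical bytes.
const claimBytes = (c) => Buffer.from(JSON.stringify([c.issuer, c.subject, c.name, c.value]));

// The issuer signs each data element on its own, bound to the subject's DID.
function issue(issuer, subjectDid, attributes) {
  return Object.entries(attributes).map(([name, value]) => {
    const claim = { issuer: issuer.did, subject: subjectDid, name, value };
    const proof = nodeCrypto.sign(null, claimBytes(claim), issuer.privateKey).toString('base64');
    return { ...claim, proof };
  });
}

// The verifier checks who signed and whether the bytes are intact, not the fact itself.
function verify(claim, trustedIssuers) {
  const issuerKey = trustedIssuers.get(claim.issuer);
  if (!issuerKey) return 'untrusted-issuer';
  const sig = Buffer.from(claim.proof, 'base64');
  return nodeCrypto.verify(null, claimBytes(claim), issuerKey, sig) ? 'valid' : 'bad-signature';
}

// Constructed sample data: one issuer, one holder, one issuer the verifier does not trust.
function demo() {
  const government = newIdentity();
  const holder = newIdentity();
  const impostor = newIdentity();
  const trusted = new Map([[government.did, government.publicKey]]);
  const [birthDate] = issue(government, holder.did,
    { dateOfBirth: '1990-04-01', placeOfBirth: 'Lisbon' });
  const [selfMade] = issue(impostor, holder.did, { dateOfBirth: '1990-04-01' });
  return {
    presented: verify(birthDate, trusted),                           // one element disclosed
    altered: verify({ ...birthDate, value: '2010-04-01' }, trusted), // changed after signing
    selfMade: verify(selfMade, trusted),                             // signer not on trust list
    secondDid: newIdentity().did !== holder.did,                     // a separate persona
  };
}

console.log(demo());
```

The sketch checks only the issuer's signature; a deployed verifier would also ask the presenter to prove control of the key behind the subject DID, so that a copied credential cannot be presented by someone else.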



Paulo Cardoso do Amaral has a PhD in Information Systems (Université Pierre et Marie Curie). He holds an undergraduate degree in Computer Systems and Telecommunications Engineering (IST) and an MBA in International Management (CATÓLICA-LISBON). He has been Adjunct Assistant Professor at CATÓLICA-LISBON since 1996, where he is Coordinator of the Executive Master in Digital Innovation and teaches in Undergraduate Programs, MSc Programs, and The LisbonMBA. He is also Visiting Professor in the MBA of Tsinghua University in Beijing, Tongji in Shanghai and Solvay in Brussels. He was CIO at Portugal Telecom and CGD Group, and an administrator at Sinfic Group. He is currently an entrepreneur and business manager in tourism and hospitality areas.


1 Comment


zishan
Sep 29, 2022

the 1 millions USD question: who/what to issue DID credentials in a decentralized, distributed and cryptographically secured?
