The creativity of the teachers was praised in many places in the corona crisis when the school material was conveyed via email or WhatsApp and sometimes still is. The initiative is remarkable and it highlights the state of digitization in Germany: There is a lot of catching up to do, as 12th place (out of 28) in the digitization ranking of the EU countries shows.
However, it is one thing to demand more digitization – another is to have fundamental thoughts about the next steps. After all, in an increasingly digital world, numerous companies are struggling with the problem that trust in digital commerce is often not given. Unfortunately, the question of a reliable identity and reliable information on the Internet has not yet been resolved even at EU level. According to estimates, the loss in online commerce as a result of identity fraud in 2018 was up to EUR 2.9 billion. Unfortunately, the chip including the digital signature on the German ID card did not change that. The procedure did not prevail. Not all government agencies currently accept the digital signature without further ado.
To stay with the example of online trading: reliable information about a person could help here. Identification processes such as video identification are available to some users, with the disadvantage that they have to be restarted for each account. The buyer also creates a separate registration with his personal data at each online retailer. For further digitized processes, in addition to natural persons, “things” – such as machines – or legal persons and companies need a clearly verifiable identity. When you start researching identity, you inevitably stumble across the terms:
In the following, these are defined and related to each other in order to then illuminate specific applications.
Digital identity uniquely identifies us on the Internet. But the solutions that are offered today are not very effective: A separate login must be created for each service. As a rule, this data record is supplemented by personal data and all of this ends up in the central data silos of the various companies. As a citizen or user, you have no control over your data and its use, and you cannot access it directly. The result is a fragmented identity on the net with redundant data. To make matters worse, the validity of claims is difficult to check. For example, an identity check must be carried out for every bank account, although this was done long ago for another bank.
The catchphrase Self Sovereign Identity (SSI) is about personal sovereignty over your own identity in all respects – off- as well as online. It is the responsibility of the individual to determine who can see or use which personal data for how long. A current example that takes data sovereignty into account is the Corona warning app:
- Nobody knows who he or she was in contact with because the IDs of the cell phones are always random.
- Each user decides whether he or she will pass on his or her test result.
- When the test result is published, none of the random contacts can trace it back – also protected here by the random ID.
As a counterexample that shows the need for SSI, I would like to invite you to a thought experiment: Imagine your 21-year-old daughter studying in the USA for a year. In addition to studying, she also wants to enjoy life a little and go out with friends in the evening. In many states, however, only people over the age of 21 are allowed to enter bars or nightclubs due to strict alcohol laws. So today she identifies herself to the bouncer with her US driver’s license. This means that she cannot prevent the bouncer from reading the home address in addition to her date of birth. This information is not needed for the bouncer’s job and should remain hidden from him. All he needs is the verified and reliable information “The person in front of me is at least 21 years old.”
The two examples show the main advantages of a sovereign identity. In addition, one could determine more granularly who gets which information. This approach is in stark contrast to today’s approaches, because it is decentralized in nature: the user manages his data entirely without a central authority. The selective release guarantees a high level of privacy and sovereignty over his data. The solution to this problem could lie in the blockchain, because the protocol enables a decentralized PKI (public key infrastructure) and is thus the cornerstone for a “self-sovereign identity”, or decentralized identity.
The solution for a sovereign digital identity is the so-called decentralized identity, or DID for short. It acts as a universal key for all online applications, and via smartphones it provides a bridge to the analog world. This eliminates the need for individual registration on every website and the administration of password and user name. In contrast to the popular social logins from Facebook or Google, the user data is not on the central servers of these providers, but remains in full control of the user. In many situations, however, the participants in a transaction must be able to rely on the information provided. The car rental company must check the driver’s license before handing over the vehicle key. If it is only available in digital form, the company must be able to trust this information. In the digital space, the question arises: how can a valid identity be proven sustainably?
What is needed is a solution that:
- provides secure evidence of trust in real time and is easy to use;
- is tamper-proof and does not require media breaks;
Insurance companies, financial service providers, mobility, B2B trade or the automotive industry could benefit from such a digital identity solution. The decentralized identity is also particularly interesting for logging in to web applications and large social media platforms. The decentralized identity can serve as a kind of universal account for all web services – there is no need to manage password and user names. Compared to the currently popular social login functions, this solution offers the advantage that the user’s data is not saved on a central server from Google, Facebook and Co. The data remains under the sole control of the user. This protects privacy, and less trust in third parties is required.
Another advantage: Users can control which data is free for further use for their DID. In this way, regulatory concerns of states and users could be enforced against platforms such as Amazon, Facebook or Google: These companies generate sales with the data of their users; they de facto transform their customers into products. Regulators and politicians worldwide are trying to bring these platforms under control, often with a focus on tax issues. Privacy protection lags behind. Decentralized identities give states a means of collecting taxes and at the same time ensure the protection of their citizens’ data. This would require companies to offer access to services with digital identity as a minimum requirement and thus non-discriminatory. Any other identity feature can of course be requested, for which the platform could have to pay, for example.
Verifiable Credentials (VC) are the electronic equivalent to physical attestations, such as credit cards, passports, driver’s licenses, qualifications and awards. Each VC has an issuer and a recipient. For example, the issuer of the identity card is the municipality, i.e. city administration or district office. In the digital and decentralized world of identity, the district office must of course be validated as a certified digital identity. Just as the ID card is requested and printed by Bundesdruckerei today, the district office could issue verifiable credentials for the decentralized identity of the person (recipient) in the future. As today, VCs can be limited in time, or even withdrawn. In the event of a check, the police could, for example, check the DID and VC and easily verify the identity. At first glance, these interdependencies can be confusing or even complicated. In the end, however, they only describe automated verification mechanisms for checks that are cumbersome in the analog world today.
Imagine that you identify yourself in a police check with a document on which your name, date and place of birth are written. The policeman would not accept this slip as proof of identity, despite your wife’s signature. Here you need an official document such as your identity card. This has various security features from which auditors draw conclusions about the authenticity of the ID and thus your identity. Verifiable credentials bring this binding assurance to the online world.
The outstanding properties of blockchain technology are:
Trust without the help of an intermediary.
The blockchain protocol can be used in two ways: to prove authenticity and as a security mechanism. In addition to official verifiable credentials such as identity cards, many other awards, certificates or attestations accumulate in the course of life. These documents are stored somewhere, e.g. on a cell phone. Using the blockchain, the authenticity of the document can be checked at any time. The hash value of the document in the blockchain is compared with the hash value of the submitted document. If both values are identical, the document is the same. The time stamp in the blockchain and its immutability create additional trust.
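The hash comparison described above, as an added example that is not part of the original article: a toy in-memory hash chain stands in for the blockchain, and the class, the function names and the sample documents are assumptions made for illustration. It shows a genuine document matching its anchored hash, an altered copy failing the check, and a back-dated time stamp breaking the chain.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "previous hash" of the first block

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(body: dict) -> str:
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class Ledger:
    """Toy append-only ledger: stores digests and time stamps, never documents."""
    def __init__(self):
        self.blocks = []

    def anchor(self, document: bytes, timestamp: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"doc_hash": sha256_hex(document), "timestamp": timestamp, "prev": prev}
        self.blocks.append({**body, "hash": block_hash(body)})
        return len(self.blocks) - 1

    def chain_intact(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            body = {k: b[k] for k in ("doc_hash", "timestamp", "prev")}
            if b["prev"] != prev or b["hash"] != block_hash(body):
                return False  # an entry was altered after it was written
            prev = b["hash"]
        return True

    def verify(self, document: bytes):
        """Return the anchoring time stamp for a matching document, else None."""
        if not self.chain_intact():
            return None
        digest = sha256_hex(document)
        hit = next((b for b in self.blocks if hmac.compare_digest(b["doc_hash"], digest)), None)
        return hit["timestamp"] if hit else None

# Constructed sample documents (not real invoices).
INVOICE = b"Workshop invoice 0001: brake service at 42,000 km"
ALTERED = b"Workshop invoice 0001: brake service at 24,000 km"

def demo():
    ledger = Ledger()
    ledger.anchor(b"Constructed sample certificate", "2020-05-01T09:00:00Z")
    ledger.anchor(INVOICE, "2020-06-01T12:00:00Z")
    genuine, altered = ledger.verify(INVOICE), ledger.verify(ALTERED)
    ledger.blocks[0]["timestamp"] = "2019-01-01T00:00:00Z"  # back-dated entry
    return genuine, altered, ledger.chain_intact()
```

Calling `demo()` returns the anchoring time stamp for the genuine invoice, `None` for the altered copy, and `False` for the chain check after the back-dating.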
The second use case is a simple security mechanism. A person’s DID becomes more and more valuable over time as more and more verifiable credentials accumulate on the decentralized identity with which the person can identify themselves on websites or in real life. In the event of loss of access data – in our case the private key – it would be very tedious to collect all this information, data and certificates again. Because with the loss of the key, the access to the DID is also lost and the citizen would have to collect all the VCs for his identity again, as in analogue life, when the wallet is lost.
Bitcoin wallets, i.e. the storage accounts for bitcoins, offer a so-called multi-signature process for such cases. Simply put, an account with multiple keys can be opened and used here. Of course, this not only applies to the content of Bitcoin, but in our specific case could also ensure that a decentralized identity with two or three replacement keys could be used.
In an increasingly digital world, it is important that partners in a transaction can be sure that the counterpart is what it claims to be. This applies to people, companies and objects. Suddenly it is possible to handle processes fully digitally without waiting for a fax with a signature.
In my opinion, decentralized identity will first gain a foothold in the business world. Many processes in active business relationships between companies are still analog, with time-consuming loops. A number of scenarios can be derived around a motor vehicle alone: On the one hand, the digital twin of the vehicle could replace the vehicle letter and registration certificate. Thanks to blockchain, a vehicle can only be deposited once as security for a leasing contract. Many other steps can be digitized along the process from purchase to approval of a leased company vehicle in a complex network of relationships between insurance, bank, lessee, lessor, driver and manufacturer. In a world of unique digital tokens, signatures and verified information, processes can then be automated almost completely.
DID could find its way into the world of consumers (users) via the driver’s license as access authorization to the vehicle. Gone are the days when cars would drive off if the driver didn’t have a driver’s license. At the same time, the digital car twin contains all the information on repairs, maintenance and care, and the symbolically thick file would be worth real money when reselling. After all, the price of a used car is measured on the basis of the general condition, the kilometers driven and the maintenance intervals observed. Stamps can easily be added to a service booklet. In contrast, certificates in the blockchain always have a time stamp plus the hash of the original object – here the repair invoice from the workshop – and offer greater security when reselling.
In summary, the three biggest advantages of decentralized identity are:
Sovereignty: First of all, sovereignty over one’s own identity and control over one’s own data should be mentioned. Emancipated users move more freely and safely in the digital world.
Optimization potential for B2B processes: Analog processes in systems with intermediaries as a control and trust body are too slow to keep up with Industry 4.0. The requirements for public administration, but also for companies, will continue to increase and reliable identification of partners, data and information is essential.
Compliance: Blockchain technology can not only save transaction data with a timestamp in a large ledger, but can also organize a value transfer with underlying rules (laws).
Another example of a perfect use case is the combination of transaction data with a payment. With the help of so-called Smart Contracts, different contractual agreements can be automated at the same time, and these small programs then fulfill the respective obligations step by step. For example, imagine you book a trip from Munich to Hamburg in an autonomous car. On the one hand, blockchain helps you ensure that the car is a car and that you are you. At the same time, you want to arrive in Hamburg while the vehicle is expecting money in Hamburg. Here, a smart contract acts as a notary, which in the first step collects the money from you and pays it out to the car on arrival at the agreed arrival location – in real time, and transparently and incorruptibly recorded in the ledger for everyone involved.
This creates the opportunity not only to address problems related to fraud and aborted processes sustainably; with an increased degree of automation and digitally verified information, completely new use cases are also created – certainly also in your company. (bw)
- Protect your own digital identity
The security software manufacturer ESET has put together a few recommendations on how users can protect their data in the digitized world.
- Pay attention to warning signals
Identity thieves regularly change private addresses so that letters no longer reach the recipient. For example, if you no longer receive letters from your own bank, this can be a first sign of identity theft. In order to avoid such abuse, everyone is advised to contact their own bank if expected letters do not arrive at the usual time. It also helps to skim unexpected mail from unknown financial institutions instead of dismissing it as unwanted advertising. If there is an envelope in the mailbox from a lender or credit card company, it should be read through to ensure that no stranger has borrowed money under someone else’s name.
- Check creditworthiness regularly
At credit bureaus such as Schufa in Germany or KSV1870 in Austria, everyone can find out about their own creditworthiness and find out whether credit cards or loans are running under their name that are completely unknown to them. Such credit information is free of charge once a year and should be an absolute must for everyone.
- Always send important letters personally
Credit card applications or tax returns contain valuable information that cybercriminals also appreciate, because this data is enough for them to copy the victim’s identity and misuse it for their own purposes. Letters containing such sensitive information must therefore never be passed on to other people carelessly.
- Online banking: change your password regularly
The password to the online banking account is one of the most important forms of security that every bank customer has. Many users are probably aware of this, and yet there are certainly some who use the same password as a few years ago. For all those who do: change the password immediately. Some sites regularly ask you to change the password. Users often react to this by simply adding a special character or number to the existing password. However, this is not a recommended procedure, because if a password is ever compromised, that variation is the first thing a password cracker will try.
- Do not give out information on calls
Identity fraudsters often rely on people to disclose information on their own initiative – for example, when calling or responding to fake emails from their bank or other institution. But that’s not how banks work. If a phone call seems strange, everyone has a right to hang up.
- Protect personal information at home
If you let strangers like representatives or cleaners into your own four walls, you should make sure that documents such as tax returns, credit card information and ID cards are not lying around. In the event of a break-in, it is extremely important to check whether someone has taken possession of your identity.
- Beware of Facebook tests
Links in social networks are generally to be treated with caution. In particular, the popular Facebook tests should never be clicked without thinking. Because some of these tests are not only boring, but also dangerous.