Who are you? Besides the obvious philosophical undertones, if we take a moment to think about it, this question frequently pops up in our daily lives. Whether we are checking our bank account, paying our bills, making an appointment at a health clinic, or logging on to a social media or retail platform, we are prompted to say who we are before we can interact with the service. But how do we prove we are who we say we are? Back when we lived in a mostly analog world, whenever we wanted to prove or confirm our identity, we simply had to reach for our wallet and pull out our ID card. Unsurprisingly, this tried-and-true method still works admirably when we run errands in person that require us to prove our identity.
As society is racing towards a digital model, people are starting to live double lives, one tied to our physical existence, the other one, intangible, hidden behind glowing screens in the digital space. New technologies have come to challenge how people interact not only with each other but also with public services, healthcare institutions, retailers, banks and so on. B2B interactions are no exception.
Seeing that the online space has become the stage for valuable business transactions, new questions concerning the ownership of our digital identity emerge. Even with the recent technological advancements, people still do not own or control their digital identity. Personal information resides in central repositories outside of our control and is often shared or traded without our consent or awareness. As a relatively new technology on the tech scene, blockchain seems to be able to act as a pillar for self-sovereign identity, a new type of digital identity that places control and ownership back into the hands of its user.
Modex, one of the earliest players in the blockchain market, has utilized its trademark Blockchain Database (BCDB) solution to develop PatientDataChain, a working proof of concept that utilizes the unique characteristics of blockchain to create a patient-centric ecosystem that gives patients control and ownership of their medical records and identity.
Modex BCDB is a middleware software solution that combines the functionality and familiarity of traditional database systems with blockchain, a technology designed to facilitate unparalleled levels of data integrity. Bundled as an Infrastructure as a Service offering, Modex BCDB is devised to act as a building block that companies can use to build an infrastructure tailored to their specific business requirements. What makes the Modex technological layer stand out is the fact that it incorporates a blockchain component that unlocks a series of powerful features and functionalities like data integrity, decentralization, transparency, distribution and data immutability for their most valuable asset, their data.
Available on the Microsoft Azure Marketplace, Modex BCDB can be easily deployed in cloud environments as well as on on-prem infrastructures. With a modular and agnostic approach to its two core components, the database engine and blockchain framework, companies can utilize what blockchain and what database is best suited to answer their data-related needs. Organizations can use the Blockchain Database solution to build a new infrastructure for their business or complement their existing IT framework to unlock a slew of data-related benefits.
What is digital identity?
The National Institute of Standards and Technology (NIST), in Special Publication 800-63-3 (Digital Identity Guidelines), defines digital identity as “the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the underlying subject’s real-life identity is known”.
Digital identities are composed of a finite set of attributes that allow a person, company or any other legal entity to be uniquely identified and authenticated electronically. Unlike paper-based IDs such as driver’s licenses, national ID cards or passports, digital IDs facilitate remote authentication over digital channels. Proving one’s digital identity presents several challenges. As opposed to physical forms of identification, visual verification of a digital identity is no longer an option: the verifier has to rely on what the subject can demonstrate (a secret, a key, a credential signed by someone the verifier trusts) rather than on what the subject looks like.
Even with this limitation, the advantages of digital identities outweigh their drawbacks. For example, digital identities grant people access to global digital services without the need for physical presence or a physical form of identity. This alone opens up a wide area of possibilities related to inclusion, as it makes previously inaccessible services available in real time to remote communities. Digital identities can also help companies get a more accurate representation of market trends and anticipate the emergence of new consumer patterns.
Digital identity challenges
The internet has forever changed the playing field, acting as the new ecosystem in which we interact with various institutions and companies to get access to their services. Over the past decades, our digital identities have slowly become a natural extension of our physical existence, an integral component of our lives without which we wouldn’t have access to the ever-expanding list of services and products available online.
From a more radical point of view, the lack of a digital identity fundamentally equates to a complete exclusion from modern society. The issue is that our identities are becoming increasingly fractured and redundant with each service provider we access. Data related to our identities and the number of instances of our identities have proliferated to an unmanageable state.
This is mainly because each service provider prompts us to create a new identity before accessing their services. As such, people have slowly dispersed their identity information across numerous insular providers that do not communicate with each other. These providers can range from retail shops, social media accounts, food delivery, governmental institutions and so on.
As digital identities have become an integral element of our daily lives, it is becoming increasingly clear that the current approach to identity is incompatible with the rights and needs of its users. The most prevalent challenges of digital identities are:
- high levels of fragmentation: navigating the web requires people to constantly shuffle between different identities associated with their username or other aliases. Overall this does not create a user-friendly experience as people need to pass through tedious and repetitive authentication processes while also needing to memorize multiple usernames and passwords.
- weak security: by dispersing identity information across a wide range of service providers, users unknowingly expose a larger attack surface, increasing the chance that their data is stolen in a breach of any one of those providers. The security of identity information rests solely on each service provider. As such, companies are forced to perform a balancing act between costs, technical complexity and regulatory risk in their attempt to secure the sensitive information of their user base.
- false identities: under the current digital identity paradigm, there is a weak link between online and offline identities, which enables the proliferation of false identities. Some companies exploit this aspect to generate false likes, comments and user reviews in an attempt to influence genuine users or customers. A more damaging phenomenon facilitated by false digital identities is the spread of fake news. Because there is no way to determine who the people behind false accounts are, they are usually free to spread misinformation without any repercussions. Another malicious use for false digital identities is phishing, a type of social engineering attack in which a malicious actor masquerades as a trusted entity in an attempt to gain access to sensitive data.
- inability to manage data: people have only a limited ability to share personal information with other parties on their own terms. At the same time, users have no knowledge of or control over who has access to their data and who is monetizing it.
- ownership: due to the high levels of fragmentation, users do not have full control and ownership over their digital identities.
Types of digital identities
The original digital identity model was centralized and siloed. Even today, a large portion of digital identities are centralized. From a high-level overview, a centralized identity is the account people create on a website that is controlled and owned by a single entity, the service provider. The system owner records, stores and manages the user’s identity and all the data associated with it. In a centralized identity, once a user is introduced into the system, he or she can access the system owner’s offerings like banking services, social media networks, retail services and so on.
In this type of model, it is the responsibility of the owner to perform cybersecurity due diligence as well as to ensure compliance with the regulations and standards that govern the data it holds, such as the General Data Protection Regulation (GDPR) for personal data and the Payment Card Industry Data Security Standard (PCI DSS) for cardholder data. The downside to the centralized identity model is that users are offered little choice concerning how their personal data is used. Also, the concentration of identity data in a siloed structure creates an attractive target for attackers: one compromised provider exposes every identity it holds. Another inconvenience for users is the lack of interoperability with other systems, which means that users need to create a separate identity for every platform they wish to access.
In federated identity systems, users can use an identity created on one platform to authenticate and access another platform. Federated identity systems are single sign-on models that allow users to access multiple separate services. The best examples of this are the “Login with Facebook” and “Login with Google” functionalities. In these examples, Facebook and Google become the middlemen of trust. Federation in this sense allows identity information to be shared across trust boundaries and between organizations.
Compared to the centralized model, federated identities facilitate data portability, which enables users to log in to one service using the credentials from another. Similar to centralized identities, federated identities concentrate control over the data in parties external to the user, who has little choice regarding how that data is used.
Decentralized identities (user-centric identities)
Decentralized identities are a strong departure from the previous two models, where the person’s identity was provided by an external entity. In the decentralized identity paradigm, the goal is to put the user at the centre of the framework and remove the reliance on third parties to issue and administer the identity. This can be achieved by placing as much of the identity infrastructure as possible in the user’s control and through a combination of decentralized methods, such as cryptographic proofs that let anyone verify that a piece of information is authentic and unaltered (that it was signed by the party it claims to come from) without consulting a central authority. As a technology known for removing the need for middlemen and for its ability to provide a tamper-evident record, blockchain positions itself as an integral component of the newly emerging decentralized identity model.
In a decentralized identity context, users create their own digital identities by generating a set of unique identifiers. Users can collect and then attach additional information to those identifiers, such as credentials from trusted authorities, and produce them when needed. Blockchain is used as an infrastructure for identity attestation, meaning that it isn’t used to store personally identifiable information (which would contradict the provisions of data regulations such as GDPR); its role is to provide the public keys and anchors needed to prove that the information and credentials attached to the digital identity are genuine.
The main advantage of decentralized identities is that they shift control of the identity from external actors to the user. Portability and interoperability are essential features that allow users to use their decentralized credentials across multiple websites. This drastically improves the user experience, as people no longer need to juggle multiple accounts and passwords. Furthermore, interoperability means that personal information no longer needs to be dispersed across multiple platforms, which lowers the risk of information leaks and data breaches. Decentralized identities do not appeal only to users, but also to businesses, which would no longer be solely responsible for managing and securing the identity infrastructure.
Given that self-sovereign identity is still in its early stages, there is still much debate regarding definitions and functionalities. The general consensus is that self-sovereign identity is the next evolutionary step from decentralized identities. Like the latter, self-sovereign identity (SSI) grants users a central role in the administration of their identity, but it does not stop at making the user’s identifiers interoperable across multiple platforms with the user’s consent. The goal of SSI is to give users autonomy and control not just over their identifiers but also over the data associated with them.
From a high-level overview, SSI is a portable identity model owned by any person or organization that does not depend on any centralized authority. By removing the reliance on any external administrative authority, users become the true owners of their digital identities. SSI identifiers are censorship-resistant: no third party can take them away or revoke them. (The individual credentials attached to an identifier are a different matter; those can still be revoked by the issuer that signed them, which is why verifiers check revocation status separately.) This stands in stark contrast with the federated identity model, where the identity provider can stop giving access to a user’s credential without even consulting them.
In an SSI model, users have both a means of generating and controlling unique identifiers and a storage medium for their identity data. The identity data attached to those identifiers can come from a social media account, a history of transactions on a retail platform, or attestations from friends, colleagues, or the workplace. This design feature greatly expands the number of possible sources of identity data that can be collected. Users also have much finer control over how much data they share and with whom, which makes it easy to create different digital identities for different contexts, based on different sets of credentials or identity attributes. With SSI, people can have one digital identity for their healthcare provider, one identity for their professional life, and one for social media sites. Each of these would present a different version of “you”, but in a way that is managed entirely by the user, the true owner of the identity.
SSI also opens up the possibility for users to monetize their personal data, by selling it to medical research companies, advertising companies or renting it to AI training algorithms, just to name a few examples. Self-sovereign identities give users full control and ownership over their personal data, making it easier to provide consent to third parties to use personal data for a determined amount of time and more importantly, to revoke that consent.
In 2016, Christopher Allen, co-chair of the W3C Credentials Community Group, outlined ten principles for self-sovereign identity in his essay “The Path to Self-Sovereign Identity” that have become a reference point in the field:
- Existence: Users must have an independent existence
- Control: Users must control their identities
- Access: Users must have access to their own data
- Transparency: Systems and algorithms must be transparent
- Persistence: Identities must be long-lived
- Portability: Information and services about identity must be transportable
- Interoperability: Identities should be as widely usable as possible
- Consent: Users must agree to the use of their identity
- Minimalization: Disclosure of claims must be minimized
- Protection: The rights of users must be protected
The three pillars of self-sovereign identity
Self-sovereign identities are commonly described as resting on three pillars: decentralized identifiers, verifiable credentials and blockchain technology. The first two are standardized by the World Wide Web Consortium (W3C), the main international standards organization for the World Wide Web. The third is what the W3C data models call a “verifiable data registry”: the place where DIDs and issuer keys are published and looked up. A blockchain is one common implementation of such a registry, but the W3C specifications do not require one.
W3C specifies that “Decentralized Identifiers (DIDs) are a new type of identifier for verifiable, ‘self-sovereign’ digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority. DIDs are URLs that relate a DID subject to means for trustable interactions with that subject. DIDs resolve to DID Documents — simple documents that describe how to use that specific DID. Each DID Document may contain at least three things: proof purposes, verification methods, and service endpoints. Proof purposes are combined with verification methods to provide mechanisms for proving things. For example, a DID Document can specify that a particular verification method, such as a cryptographic public key or pseudonymous biometric protocol, can be used to verify a proof that was created for the purpose of authentication. Service endpoints enable trusted interactions with the DID controller”.
As W3C outlines, DIDs are just identifiers; they do not provide information about the subject itself. In SSI, DIDs are used in combination with Verifiable Credentials (VCs; earlier W3C drafts called them verifiable claims) to support digital interactions in which information about the subject must be shared with third parties, by proving to those third parties that the DID subject holds certain attestations or attributes. This proof is based on a cryptographic link between the VC, the DID subject the VC is about, and the issuer of the VC: the credential names the subject’s DID, and it carries a signature that verifies under a key published in the issuer’s DID document.
According to W3C, “verifiable credentials represent statements made by an issuer in a tamper-evident and privacy-respecting manner.” Put simply, a VC binds a set of claims to the issuer’s digital signature, so any alteration of the claims invalidates the signature. As such, VCs allow physical credentials to be converted into a digital format, while privacy-preserving signature schemes (for example, signatures over salted hashes of individual claims) let the holder selectively disclose specific claims from a credential without exposing the rest. This mechanism allows third parties to verify user credentials without having to call upon the issuer; the usual exception is revocation status, which the issuer publishes separately and the verifier should still check.
Self-sovereign identity systems use blockchain to resolve decentralized identifiers without involving a central directory. By themselves, blockchains don’t solve the identity problem, but they provide a missing piece: a shared, tamper-evident place to publish identifiers and public keys, which lets identity system designers apply public-key cryptography concepts that have been known for decades but lacked a trustworthy way to distribute keys without a central authority. In an identity context, this allows people to prove things about themselves using decentralized, verifiable credentials, disclosing only the attributes a given interaction needs. The verifying party never needs to contact the issuer: it is sufficient to resolve the attesting party (a government, university, healthcare clinic, bank, etc.) on the ledger, check that the credential’s signature verifies under that party’s published key, and check that the credential has not been revoked.
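The three-pillar flow above, as an added example that is not part of the original article and is not code from Modex or any Modex product: a small registry stands in for the verifiable data registry and maps a DID to its verification keys; an issuer (a clinic) signs a credential over salted digests of its claims rather than over the claims themselves; the holder later reveals only the claims a given verifier needs; and the verifier resolves the issuer’s key from the registry, checks the signature, and checks that every revealed claim hashes to a digest the issuer signed. The DIDs (did:example:…), the key ID, the claim names and the salted-digest scheme are assumptions chosen for illustration; production systems use the full W3C DID and VC data models rather than this reduced form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// DIDDocument is reduced to what a verifier needs from it: verification method
// ID -> public key. Registry stands in for the verifiable data registry (e.g. a
// ledger) a DID method resolves against: DID -> DID document. Neither holds
// personal data; the claims live only with the holder.
type DIDDocument map[string]ed25519.PublicKey
type Registry map[string]DIDDocument

// Disclosure is one salted claim. The issuer signs only its digest, so the
// holder can later reveal any subset of claims without breaking the signature.
type Disclosure struct{ Salt, Name, Value string }

// Digest binds salt, claim name and value. The salt stops a verifier from
// brute-forcing undisclosed low-entropy values (a birth date, a blood type).
func (d Disclosure) Digest() string {
	h := sha256.Sum256([]byte(d.Salt + "\x00" + d.Name + "\x00" + d.Value))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// Credential is the issuer-signed envelope: it carries claim digests, not claims.
type Credential struct {
	Issuer, Subject, Method string   // issuer DID, subject DID, signing key ID
	Digests                 []string // sorted digests of every claim
	Sig                     []byte   // ed25519 signature over signingInput()
}

func (c Credential) signingInput() []byte {
	return []byte(c.Issuer + "|" + c.Subject + "|" + c.Method + "|" + strings.Join(c.Digests, ","))
}

// Issue signs a credential over salted claim digests and returns it with the
// disclosures (claim name -> salted claim), which only the holder keeps.
func Issue(issuerDID, methodID string, priv ed25519.PrivateKey, subjectDID string, claims map[string]string) (Credential, map[string]Disclosure, error) {
	cred := Credential{Issuer: issuerDID, Subject: subjectDID, Method: methodID}
	held := map[string]Disclosure{}
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return Credential{}, nil, err
		}
		d := Disclosure{base64.RawURLEncoding.EncodeToString(salt), name, value}
		held[name] = d
		cred.Digests = append(cred.Digests, d.Digest())
	}
	sort.Strings(cred.Digests) // canonical order so a verifier can rebuild the signed bytes
	cred.Sig = ed25519.Sign(priv, cred.signingInput())
	return cred, held, nil
}

// Verify resolves the issuer's key from the registry (no call to the issuer),
// checks the signature, then checks that each revealed claim hashes to a
// digest the issuer signed. It returns only the claims the holder revealed.
func Verify(reg Registry, cred Credential, revealed []Disclosure) (map[string]string, error) {
	doc, ok := reg[cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer DID %q not in registry", cred.Issuer)
	}
	pub, ok := doc[cred.Method]
	if !ok || !ed25519.Verify(pub, cred.signingInput(), cred.Sig) {
		return nil, fmt.Errorf("signature not valid under %q", cred.Method)
	}
	signed := map[string]bool{}
	for _, d := range cred.Digests {
		signed[d] = true
	}
	claims := map[string]string{}
	for _, d := range revealed {
		if !signed[d.Digest()] {
			return nil, fmt.Errorf("claim %q was not signed by the issuer (tampered or forged)", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical clinic key pair
	issuer, key := "did:example:clinic", "did:example:clinic#key-1"
	reg := Registry{issuer: {key: pub}}
	// Constructed sample claims; `held` stays with the patient, off-chain.
	cred, held, _ := Issue(issuer, key, priv, "did:example:patient42",
		map[string]string{"bloodType": "O-", "birthDate": "1980-01-01", "allergies": "penicillin"})
	fmt.Println(Verify(reg, cred, []Disclosure{held["bloodType"]})) // only blood type is revealed
	forged := held["bloodType"]
	forged.Value = "AB+" // an altered claim matches no signed digest
	fmt.Println(Verify(reg, cred, []Disclosure{forged}))
}
```

The registry never sees a claim, only keys; the credential never carries a claim, only digests; and the verifier learns exactly the claims the holder chose to reveal, while still being able to reject a forged or altered one because it matches no signed digest. What this reduced form leaves out is revocation: a real verifier would additionally check a revocation list or status entry published by the issuer before trusting the credential.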
Blockchain can be used in self-sovereign identities to:
- create decentralized identifiers – DIDs are anchored to asymmetric key pairs. The public key is published in the DID document so that external parties can verify digital signatures made with the corresponding private key, or encrypt data to the identity holder; the private key never leaves the holder.
- act as a DID registry – the blockchain can serve as the verifiable data registry that a DID resolves against, storing the DID document (or the data needed to build it: current public keys, service endpoints) and the record of who controls the DID, including key rotations.
- notarize credentials – writing the hash of a verifiable credential to a blockchain, signed by the issuer, gives the credential a trustworthy timestamp (from the ledger) and a proof of origin (from the signature). This way the blockchain can prove when the credential was created, while also providing guarantees to verifying parties that the credential is authentic and that it wasn’t modified. Storing verifiable credentials directly on the blockchain isn’t advisable, as it would contradict the provisions of the GDPR concerning the storage of personally identifiable information; note that even a hash can be treated as personal data if the input is guessable, so the hashed value should include a salt that only the holder keeps. For example, a university might send the hashes of diplomas to a blockchain during graduation. This way, each student has a timestamp that proves when the diploma was issued, as well as the digital signature of the university to prove its authenticity.
- track access rights and consent – as a shared digital record, blockchain can record access rights to information. For example, a user can agree to share their medical records with a medical research institution, but only for a predetermined amount of time. The user’s consent can be recorded on the blockchain along with the expiry date. In turn, at the expiry date, the research institution deletes the information and adds to the blockchain a signed attestation that the deletion occurred. The ledger records that attestation and its timestamp; it cannot by itself confirm that off-chain data was really erased, nor stop access after the expiry date, so the systems reading the ledger must enforce the expiry.
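The last two uses in the list above (notarizing a credential and tracking time-limited consent), as an added example that is not part of the original article and is not Modex BCDB code: a signed, hash-chained log stands in for the ledger. A university notarizes the salted hash of a diploma, a patient records a consent grant for a research institute with an expiry date, and anyone holding the log can replay it to answer both “when was this diploma notarized, and by whom?” and “may this institute read these records right now?”. Every key pair, the diploma text, the salt and the scope name are constructed for the illustration; the entry format is an assumption, not the layout of any real ledger.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one ledger record. Ref is a salted document hash, a grantee public
// key or the hash of an earlier entry, never personal data.
type Entry struct {
	Kind, Ref, Scope, Expires string    // Kind: "notarize" | "consent" | "revoke" | "deleted"
	Signer                    string    // hex public key of the party making the statement
	Sig                       []byte    // signature over signed()
	At                        time.Time // timestamp assigned by the ledger, not by the signer
	Prev                      string    // hash of the previous entry (tamper evidence)
}

func (e Entry) signed() []byte { return []byte(e.Kind + "|" + e.Ref + "|" + e.Scope + "|" + e.Expires + "|" + e.Signer) }

// Hash chains the entry to its predecessor, its ledger timestamp and its signature.
func (e Entry) Hash() string {
	h := sha256.Sum256(append(e.signed(), []byte("|"+e.Prev+"|"+e.At.UTC().Format(time.RFC3339)+"|"+hex.EncodeToString(e.Sig))...))
	return hex.EncodeToString(h[:])
}

type Ledger struct{ Entries []Entry } // stand-in for the blockchain: an ordered, hash-chained list

// Append signs the statement with the caller's key, timestamps it and chains it.
func (l *Ledger) Append(kind, ref, scope, expires string, priv ed25519.PrivateKey) Entry {
	e := Entry{Kind: kind, Ref: ref, Scope: scope, Expires: expires, At: time.Now(),
		Signer: hex.EncodeToString(priv.Public().(ed25519.PublicKey))}
	e.Sig = ed25519.Sign(priv, e.signed())
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash()
	}
	l.Entries = append(l.Entries, e)
	return e
}

// VerifyChain checks every signature and every back-link: editing any past
// entry, even an unsigned field such as At, breaks the link stored after it.
func (l *Ledger) VerifyChain() error {
	prev := ""
	for i, e := range l.Entries {
		pub, _ := hex.DecodeString(e.Signer)
		if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, e.signed(), e.Sig) || e.Prev != prev {
			return fmt.Errorf("entry %d: bad signature or broken chain link", i)
		}
		prev = e.Hash()
	}
	return nil
}

// DocumentDigest is what gets notarized: a salted hash, so the on-chain value
// cannot be matched against a guessable document without the holder's salt.
func DocumentDigest(doc, salt []byte) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), doc...))
	return hex.EncodeToString(h[:])
}

// NotarizedAt returns when the given issuer notarized the document, if ever.
func (l *Ledger) NotarizedAt(doc, salt []byte, issuer ed25519.PublicKey) (time.Time, bool) {
	for _, e := range l.Entries {
		if e.Kind == "notarize" && e.Signer == hex.EncodeToString(issuer) && e.Ref == DocumentDigest(doc, salt) {
			return e.At, true
		}
	}
	return time.Time{}, false
}

// HasConsent replays the patient's signed consent/revoke statements for this
// grantee and scope; a "revoke" carries no expiry, which parses to the zero time.
func (l *Ledger) HasConsent(patient, grantee ed25519.PublicKey, scope string, now time.Time) bool {
	p, g := hex.EncodeToString(patient), hex.EncodeToString(grantee)
	var expires time.Time
	for _, e := range l.Entries {
		if e.Signer == p && e.Ref == g && e.Scope == scope && (e.Kind == "consent" || e.Kind == "revoke") {
			expires, _ = time.Parse(time.RFC3339, e.Expires)
		}
	}
	return now.Before(expires)
}

func main() {
	uniPub, uniPriv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical university
	patPub, patPriv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical patient
	labPub, _, _ := ed25519.GenerateKey(rand.Reader)       // hypothetical research institute
	l := &Ledger{}
	diploma, salt := []byte("constructed diploma: BSc, Jane Doe, 2020"), []byte("salt kept by the graduate")
	l.Append("notarize", DocumentDigest(diploma, salt), "", "", uniPriv) // only the hash goes on-chain
	l.Append("consent", hex.EncodeToString(labPub), "medical-records", time.Now().Add(24*time.Hour).UTC().Format(time.RFC3339), patPriv)
	fmt.Println(l.NotarizedAt(diploma, salt, uniPub))
	fmt.Println(l.HasConsent(patPub, labPub, "medical-records", time.Now()), l.HasConsent(patPub, labPub, "medical-records", time.Now().Add(48*time.Hour))) // true false
	l.Entries[0].At = l.Entries[0].At.Add(-time.Hour) // backdate the diploma: entry 1's back-link no longer matches
	fmt.Println(l.VerifyChain())
}
```

Two design points carry over to a real deployment. The timestamp is assigned by the ledger and covered by the chain hash rather than signed by the issuer, so an issuer cannot backdate its own notarization after the fact; and HasConsent only reads what the patient signed, so the expiry and any later “revoke” are honoured by whoever queries the ledger, not by the ledger itself. A “deleted” entry, in this scheme, would be the institute’s own signed statement referencing the consent entry’s hash; the ledger can record that the statement was made and when, but it cannot check that the off-chain copy was actually erased.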
PatientDataChain, a healthcare identity solution built on Modex BCDB
PatientDataChain is a personal health record system that utilizes a decentralized, blockchain-based architecture to integrate patient medical record systems by gathering and connecting all the stakeholders in the healthcare value chain. The idea behind PatientDataChain is to create a patient-centered model where patients are the true owners of their health records and digital identities.
Due to the permission-based mechanism facilitated by the Modex BCDB layer, patients are able to grant healthcare organizations, physicians, and other medical personnel access to their data for a limited time frame. Based on this functionality, PatientDataChain enables an integrated and interoperable approach, capable of collecting and combining medical data from a diverse pool of sources: EHR (electronic health record) systems, different healthcare providers as well as from a multitude of wearable sensor-based healthcare and fitness devices.
Through the decentralization facilitated by the Modex BCDB component, PatientDataChain introduces an enhanced data sharing and exchange system capable of ensuring an optimal level of privacy and confidentiality combined with secure access to patient health records.
Modex BCDB is a middleware software solution that combines a blockchain engine with a traditional database system to augment the security and data privacy of existing software infrastructures. By adding a blockchain backend to a client’s existing database system, the resulting infrastructure gains zero-knowledge-style verification, meaning that data can be checked by third parties without disclosing the underlying information. These design features make Modex BCDB an ideal technological foundation for PatientDataChain because they enable the PHR (personal health record) solution to integrate with existing EHR systems or other medical databases, including data collected by medical wearable devices and other types of healthcare sensors.
An essential component of the PatientDataChain system is the Patient Health Wallet app, which represents the PHR element that unifies all the data related to a patient’s medical records. The Patient Health Wallet represents a single version of the truth that is owned and controlled entirely by the patient. The system is designed to grant patients full control over who can access their medical records. When a patient is scheduled for a medical appointment, they need to give the physician read access to their medical records. The physician also needs to be granted write access so that a new medical record can be added to the wallet after the consultation ends.
All the prescriptions written by doctors will be added to the Patient Health Wallet to provide traceability and an accurate representation of the treatment a patient followed. Future system functionalities will allow patients to grant pharmacies access to see the prescription to purchase medication, to search for prescribed drugs in the system and make reservations and receive notifications from the pharmacy when the patient can come and pick up his order.
The core element that facilitates the integration and aggregation of the diverse medical sources is the blockchain component facilitated by the Modex BCDB layer which is composed of an array of distributed nodes. Due to Modex BCDB’s agnostic take on database engines, the nodes that compose the blockchain network can be configured with different database connectivity parameters. Network nodes perform a wide range of functions, ranging from data processing, database connectivity, read/write operations to the blockchain, data synchronization, and permission granting. The business functionality component is provided by the software application client that integrates with the blockchain nodes.