Golden Recursion Inc. logoGolden Recursion Inc. logo
Advanced Search
Identity management on blockchain

Identity management on blockchain

Refers to the use of blockchain for identity management and the use of anonymization tools for blockchain-based transactions.

Overview
Blockchain

Distributed Ledger Technology (DLT) or blockchain refers to the technology behind decentralized databases providing control over data through connected entities in a peer-to-peer network that use consensus algorithms to ensure replication across the nodes of a given network. Often, this is thought of as an open, public ledger, which anyone could obtain and anything written on its pages is there forever. Blockchain is considered a more secure technology compared to centralized databases and current data storage systems, as each block where data is recorded cannot be changed. And one can only write to the blockchain after the consensus of the majority of the network, which means that for any information to be changed, all the proceeding blocks would require change.

Blockchains often fall into two categories: permissioned or permissionless. Permissionless blockchains, like most digital currency blockchains, allow all users to write on the ledger, and there is no need for permission to become a node on the network. Whereas on a permissioned blockchain, authorization is required from one or several parties in order to become a node on the network. For example, Sovrin's blockchain is governed by Stewards who act as nodes, which is done to preserve the integrity of the information.

Blockchain and anonymity

Blockchain promises a lot of things; one is they are generally considered anonymous and provide anonymous payment networks. However, it is at the same time the most transparent payment network globally, while also offering privacy. This is done through the use of cryptocurrency wallet IDs in any blockchain-enabled transactions, or cryptocurrency transactions. However, it is possible to find the address used for a transaction, and once that address is known, it is also possible to see the balance and transaction history of the wallet address.

The wallet ID or address does not reveal an identification of the person who is behind the wallet address. This, in principle, offers privacy. However, as most transactions require some form of disclosure of one's identity, whether that is a postal address, login data such as emails, or deposited credit card data used to purchase cryptocurrency, the disclosure of some personally identifiable information (PII) means that cryptocurrencies and blockchain cannot be one hundred percent anonymous. As well, if there is a sufficiently interested party, these small breadcrumbs of personal information can be enough for the party to identify the user behind the wallet ID.

The major difference between cryptocurrencies and regular fiat currencies is the role of the bank. In cryptocurrencies, there is no bank playing a middleman role, and no state that intervenes in a regulatory capacity. Although it is not completely autonomous, cryptocurrencies do not readily offer the same level of personally identified transaction history, despite offering increased traceability. However, with the increasing popularity, and use, of cryptocurrencies, governments are increasingly interested in introducing regulations for cryptocurrencies.

Blockchains are pseudonymous

Perhaps it is best understood that blockchain is not anonymous, but rather is best considered pseudonymous. In the case of blockchain, the pseudonym given is the user's public address, a string of numbers and letters that does not contain any identifiable information that would tie a user to an address or its associated wallet. Many feel, based on the complicated alphanumeric string of the address, that users find that activity on the blockchain is anonymous. However, the public address protects a users privacy to an extent, but other blockchain features can provide insight into a user's identity.

Increasing anonymization in transactions

There remains an interest in retaining and increasing the anonymity of cryptocurrency and blockchain transactions, as was the early promise of the use of decentralized financial tools. Part of this anonymization, most often it means obscuring or hiding the origin of any transaction and the wallet ID. However, many of the services and technologies for anonymization are, rightly or wrongly, associated with criminality. These services include Tor network, Dark Wallet, Bitcoin Laundry, CoinJoin, and CoinShuffle. The general principle of most instruments of anonymizing transaction follow a collective transaction framework, which means at least at one stage of money transfer there is a collective transaction which excludes the opportunity to fix one-to-one correspondence between coins and their senders.

Private cryptocurrencies

Perhaps one of the first steps to increasing anonymity is to dispel the myth that cryptocurrency is inherently anonymous, and to realize that the cryptocurrency network is transparent. Accordingly, users should develop an awareness that cryptocurrency transactions have traceability, and therefore there are actions that need to be taken to ensure anonymity. There are, however, some cryptocurrencies that are intended to offer anonymity, such as the Monero or ZCash cryptocurrencies.

These and other cryptocurrencies use differing protocols in order to either mix coins, where they might use either CoinJoin or CoinShuffle to obfuscate where a coin originated from, or they may use zero-knowledge cryptography to hide transactions, among other protocols. Coins working to offer better privacy tend to suffer from performance and scalability issues, with the additional layer of secrecy often costing in terms of transaction size, speed of execution, and computing performance.

Mixing service

A mixer is a type of anonymizer that obscures the chain of transactions on the blockchain by linking all transactions in the same bitcoin address and sending them together in a way that makes them look as if they were sent from another address. A mixer sends transactions through a complex, semi-random series of dummy transactions that makes it extremely difficult to link specific virtual coins with a particular transaction. Mixer services operate by receiving instructions from a user to send funds to a particular bitcoin address. The mixing service then "commingles" the transaction with other user transactions, so it becomes unclear to whom the user intended the funds to be directed.

CoinJoin

CoinJoin is another solution that offers to increase the privacy of a blockchain transaction. Similar to mixing, this service combines the coins of multiple payments into one transaction. Then it distributes funds from the transaction pool to the appropriate recipients. In the scenario, the recipients receive the payments they are supposed to, but the transactions are more difficult to trace.

Dark Wallet

One attempt to anonymize cryptocurrency transactions was the Dark Wallet. Although it could not be reached as of December 2020 through standard search engines, or the dark web, the Dark Wallet previously was a digital wallet that enhanced data anonymization by obfuscating cryptocurrency transactions. Although it was never complete, the wallet inspired other anonymity projects such as the Samourai Wallet and Electrum on Tails. The Dark Wallet was an underground site that required specific software to be installed in either a Chrome or Firefox browser. The wallet was created with a wallet seed or key and came equipped with three pockets—spending, business, and savings—and no limit on the number of user-created pockets. Each pocket offered its own stealth address from which transactions could be made. The Dark Wallet used coin mixing as well as the stealth addresses to provide anonymity and privacy.

Stealth addresses meant that a user receiving a payment from a transaction using the Dark Wallet had a new address generated for the funds to be deposited. Through encrypting the transaction, not even the payer was able to pull up or track the payee's address. And the payment was hidden from unsolicited parties trying to look into both users' transaction histories.

Keep data private

Although it includes more general advice for retaining anonymity in general internet surfing, a user generally needs to know where and with whom one's data is stored. If the name, address, and telephone number are entered at a given merchant to accept goods, and the payment is processed from a crypto-wallet, a data leak at the provider is sufficient to link private data with a cryptocurrency address. All other transactions from this address can then also be linked to this data.

There are different approaches to anonymizing this data can be including the use of a post office or parcel shop to accept shipped goods. Although this itself is not perfect, as it requires some presentation of valid identity to release packages. Further, even if this step is taken, if a merchant requires a payer's phone number, and the number used is a mobile phone number, this offers another vector of identification.

Another way to keep a wallet ID private is to use new addresses often and regularly. This can include using a new address per transaction, as using the same address for every transaction on the blockchain can direct the address to an individual in the case of a single leak. One often encouraged approach is to change addresses regularly and create different wallets for different purposes. However, if those different wallets transact with each other regularly, the loss of anonymity of one could trigger a reaction where all anonymity with all wallets is lost. It might be obvious, but it is also important for a user working to remain anonymous to not publish their address anywhere publicly, especially with any identifying information attached.

Surf anonymously

An IP address can also be used to find the identity of a user. This address is used to communicate on the internet and can be traced back to a home connection by places. Cryptocurrencies, further, are often peer-to-peer network, which makes it possible to track transactions and associated IP addresses. The so-called full-node clients are responsible for the transmission of all transactions. This makes it more difficult to trace the source of a transaction, and every node can be confused with the actual starting point. Thus it makes more sense to disguise an IP address.

An often used option is a network like the Tor network. This network sends requests to a worldwide network to obfuscate the originating IP address. The routing via the nodes further makes any IP address difficult to trace. Another commonly used tool to anonymize a user's IP address is a Virtual Private Network (VPN). With a VPN, a tunnel is built through the network, through which one can enter the internet anonymously. The VPN tunnel encrypts all data traffic. In principle, Tor and VPN are similar; however, with a VPN the requests are not sent through many different relay nodes, but only through a single node.

Blockchain Analytics

Blockchain analytics have become a common service offering. These firms are used to track, gather, and analyze cryptocurrency payments on the blockchain. But privacy advocates have expressed concern that these firms and their activities are blockchain surveillance and could be used to gather information on people around the world while compromising the privacy of cryptocurrencies. The debate, in part, highlights tension between know-your-customer (KYC) and anti-money-laundering (AML) compliance in mainstream cryptocurrency and the subversive cypherpunk origins or cryptocurrency. It further foreshadows a possible conflict between investors who see cryptocurrency as an investment asset and those who see cryptocurrency as a tool to fight surveillance and circumvent traditional financial models.

There are over twenty blockchain analytics firms on the market, many of which have been contracted by governments, law enforcement agencies, and companies such as cryptocurrency exchanges. Generally governments or law enforcement are those that do the ultimate de-anonymization, but surveillance and blockchain analytics firms are a key tool, tracking movement and targeting individual wallet addresses. This practice has proven lucrative. As reported by CoinDesk in early 2020, Chainanalysis, one of the most prominent blockchain analytics firm, made more than $10 million in five years from the US. government. These numbers showed an appetite for the firm's services, including from law enforcement agencies like the FBI and US Immigration and Customs Enforcement, both of which have contracts with Chainanalysis.

One similar tool, developed by Neutrino, was acquired in 2019 by Coinbase, one of the largest cryptocurrency exchanges. From this acquisition, Coinbase developed and launched Coinbase Analytics from the acquired technology. The exchange was considering deals in 2020 with the Drug Enforcement Administration (DEA) and the Internal Revenue Service (IRS), but in July it was reported that the analytics product was sold to the Department of Homeland Security, and specifically used by the US Secret Service.

While blockchain analytics firms serve valuable purposes for law enforcement agencies, with 2019 seeing firm Elliptic discover a terrorist fundraising network through blockchain, and, in the same year, the US Department of Justice announced a shutdown of the largest online market for child sexual exploitation content at the time, privacy advocates have seen this sort of blockchain analysis as an extension of governmental surveillance. Further, there is some concern that blockchain analytics firms will gather information on blockchain within the scope of AML and KYC purposes, which has been key to larger financial institutions and payment processors entering the cryptocurrency space.

Blockchain identity management

Blockchain identity management systems could be used, and have been proposed to be used, to eradicate identity issues such as inaccessibility, data insecurity, and fraudulent identities. Furthermore, the process offers a chance to verify an individual's identity without exposing or using any personally identifiable information (PII).

Identity and access management (IAM) compromises all the processes and technologies used to identify, authenticate, and authorize someone to access services or systems. More traditional systems, using centralized and siloed systems, often have a problem of being verifiable in only specific scenarios, or being able to be hacked, or else, especially if its paper-based, subject to being lost. And while some digital identification systems have worked to solve some of these issues, especially online where services such as "Login with Facebook" or "Login with Google" allow users to have a simplified sign-in procedure, and outsource the identity management job to those other companies. However, blockchain technology offers a chance to verify identities in many contexts, be they physical or real-world, and digital, while offering a more secure identity management tool.

Such a decentralized identity, with a verified identifier in the form of a QR code would allow users to use this kind of identity to prove their identity and access certain services. The service provider verifies the identity by verifying the proof of control or ownership of the presented attestation.

Inaccessibility

Inaccessibility refers to the amount of people, estimated at around 1.1 billion, who lack proof of identity. Often the identification processes are cumbersome, expensive, and hindered by an individual's lack of knowledge and this leaves individuals without traditional identification systems. Without possessing physical identities, one cannot enroll in school, apply for jobs, get a passport, or access governmental services. Having an identity can further be crucial to gain access to financial systems. Conversely, 60 percent of the estimated 2.7 billion unbanked people own mobile phones, which offer a chance for blockchain-based mobile identity solutions.

Data insecurity

Data insecurity refers to the storage conditions of valuable identification information on centralized government databases supported by legacy software which operates with numerous points of failure. Large, centralized systems containing the PII or millions of user accounts have proven appealing to hackers, with studies showing that PII is the most targeted for data breaches. And, despite regulatory legislation and enterprise efforts to increase cybersecurity, these attacks on centralized databases have continued to occur.

Fraudulent identities

The digital identity landscape is fragmented, with user often juggling various identities associated with usernames across different websites. There is no standardized way to use data generated by one platform on another, and this creates a weak link between digital and offline identities, which makes it increasingly easy to create fake identities. And fake identities create fertile ground for the phenomenon of counterfeit interaction, which can help in the perpetration of fraud and lead to inflated numbers and lost revenue.

Decentralized digital identities

When compared to traditional and platform-specific digital identities, the infrastructure of blockchain offers increased privacy and security. This, in part, is based on verification process, with verifying parties not needing to check the validity of the actual data in the provided proof, but rather can use the blockchain to check the validity of the attestation and attesting party (such as the government), and use this to determine whether to validate the proof. And using blockchain technology can establish trust between the parties and guarantee the authenticity of the data and attestations without storing any PII on the blockchain.

Furthermore, this means only references and the associated attestation of a user's verified credential. Privacy can be ensured through non-correlation principles via pseudo-anonymization, which means only those attestations are stored, including:

  • Public decentralized identifiers, which are a new type of unique identifiers for verifying blockchain identities and are controlled by the identity owner
  • Schemas, which are the description of the structure of a credential
  • Credential definitions
  • Revocation registries, which allow issuers to revoke a claim
  • Proofs of consent for data sharing, which store consent receipts to prove consent and reception
Decentralized identifier (DID)

A decentralized identifier (DID) is a pseudo-anonymous identifier for a person, company, object, etc. Each DID is secured by a private key, and only the private key owner can prove that they own or control their identity. An individual can possess many DIDs, which limits the extent to which they can be tracked across activities. For example, an individual could have one DID associated with a gaming platform and a separate DID associated with a credit reporting platform. These credentials are cryptographically signed by issuers, which allows DID owners to store the credentials rather than relying on a single profile provider. In addition, non-attested data, such as browsing histories or social media posts, can be associated to DIDs by owners or controllers of that data depending on context and intended use.

Cryptography in identity

A key element of securing decentralized identities is the use of cryptography. In cryptography, private keys are known only to the owner, while public keys are disseminated widely. This pairing accomplishes two functions. The first is authentication, where the public key verifies that a holder of the paired private key sent the message. The second is encryption, where only the paired private key holder can decrypt the message encrypted with the public key.

Blockchain identity management systems can take advantage of zero-knowledge proofs, which offers a method of identification which allows one entity to prove another entity that they know a certain piece of information to meet a requirement without having to disclose any information that supports the proof. The entity that verifies the proof has thus "zero knowledge" about the information supporting the proof but is "convinced" of it's validity.

This can be especially useful when and where the prover entity does not trust the verifying entity but still has to prove to them that they know a piece of information. In an identity management with blockchain scenario, this allows a person to prove that their personal details fulfill certain requirements without revealing actual details.

Use cases of blockchain in identity management

Use case
Description

Data monetization

As some examine who should profit from user-generated data, blockchain-based self-sovereign identities and decentralized models give users control and offers a path to data monetization. This means a user could sell their personal data for economic benefit, with insights derived from PII substantially increasing the value of the data. This means individuals could also choose not to share or monetize their data.

Data portability

Article 20 of the EU GDPR grants users the right to data portability, which pertains to the data subject's right to have their personal data transmitted directly from one to another, when feasible. This has the potential to enhance user experience, reduce the need to reverify an identity across services and platforms, and migrate identities with greater ease. Data portability also allows for reusable credentials, where users can reverify themselves while meeting KYC requirements.

Economic growth

Decentralized or blockchain identities have been suggested to be a key to economic growth worldwide, as it is considered to be inclusive and benefit individuals, which can stimulate economic activity for the global market. Additionally, the reported value attributed to digital identities is estimated to expand by 22 percent yearly. Decentralized identity models give users the chance to unlock this value, which, in turn, is anticipated to grow the global economy.

Self-sovereign identity

Self-sovereign identity (SSI) is a concept that people and businesses can store their own identity data on their own devices; this includes choosing which information to share with validators without relying on a central repository of identity data. These identities could be created independent of nation-states, corporations, or global organizations.

Benefits of decentralized identity

With regulations such as the EU GDPR being used to strengthen identity standards, governments have begun to look towards blockchain technology to bestow identities to the unidentified and to protect citizen's personally identifiable information. Blockchain technology offers the following benefits:

  • Decentralized public key infrastructure (DPKI)—this core of decentralized identity creates a tamper-proof and trusted medium to distribute the asymmetric verification and encryption keys of the identity holders. DPKI allows anyone to create or anchor cryptographic keys on the blockchain in a tamper-proof and chronologically ordered way. These keys are then in turn used to verify digital signatures or encrypt data to the respective identity holder.
  • Decentralized storage—identities anchored on blockchain are inherently safer than those stored on centralized servers. Using cryptographically secure blockchain, in combination with distributed data storage systems, it is possible to disintermediate existing centralized data storage systems while maintaining trust and data integrity. Decentralized storage solutions also reduce an entity's ability to gain unauthorized access.
  • Manageability and control—in a centralized identity system, the entity providing the entity is generally responsible for the security of the identity data. In a decentralized identity framework, security becomes the responsibility of the user, who may decide to implement their own security measures or outsource the task to a service such as a digital bank fault or a password manager application.
Case Study: Blockstack vs. Civic
Blockstack

Two different companies developing blockchain-based identity management solutions have approached the problem with two different approaches. Blockstack approaches the solution by using blockchain technology to solve the security challenges through eliminating the need for digital intermediaries and allowing individuals to retain full control over their data. Rather than relying on external third parties to store data, individuals can use Blockstack's browser to run decentralized applications, and user information is encrypted and housed on user's personal devices.

Blockstack's wider and more fundamental mission is more ambitious: to create a new, decentralized internet. Blockstack aims to replace what is currently thought of as the internet with a system that is more secure and more aligned with what initial internet designers had envisioned. Blockstack works to fix the original internets flaw by building individual identity directly into the Blockstack browser, allowing people to communicate without the use of a third party, such as Facebook. Through its decentralized identity system, domain name system, and storage network, Blockstack aims to give people full ownership over their digital footprint. One challenge to Blockstack's solution is that blockchain technology can come under control of a single entity, or that it can go from decentralized to centralized.

Civic

Civic offers a different blockchain-based identity management solution. Rather than removing third parties or the need for third parties and trying to create a new internet ecosystem, as Blockstack aims to do, Civic seeks to work with an existing framework and focuses specifically on identity management and security. Through blockchain technology, Civic enables individuals and companies to verify their identities without having to store this data on centralized, breachable servers.

Through the process, an individual signs up for Civic's app, which verifies the user's identity through official records. Civic then cryptographically encrypts this information and stores it on a blockchain. From there, other entities requesting such personal data can verify the information an individual provides against the information on Civic's blockchain, thus removing any need for a party to store sensitive data on a centralized server. This means that Civic validates a users identity and personal information, stores it on the users mobile device and only that user can see or use that information. It is never stored on servers. This means that in the case of Civic being hacked, a users information is never accessible.

Applications and implications of blockchain identity management

There exist some issues and concerns with the use of blockchain in identity and access management processes. These include legal, technical, business, and cultural implications, which should underlie the decision-making process for any investments supporting identity and access management. These implications should be considered with the possibility for blockchain to improve identity and access management infrastructure and the end user experience. These include the following:

  • Centralized vs. decentralized: companies are accustomed to central and proprietary data storage infrastructures. This model tends to create power imbalances between identity credential holders and those seeking to use them, including the end user. Distributing identity verification and governance promises several efficiencies and individual and institutional benefits, but runs counter to the status quo for centralization.
  • Public vs. private: permissioned blockchain architectures are a consideration, as few enterprise use cases can be fully public. Instead, the use cases require confidentiality and permissions for reading and writing to a managed blockchain with known participants. This distinction has several other implications for security, computation, and scalability.
  • Dynamism: levels of access, privilege, and restrictions change, as to identifiable attributes. Blockchain must be able to handle frequency and complexity of verifications accurately, with minimal latency, across various connectivity and IoT environments.
  • Speed: consensus algorithms used for verification and distributed access affect the speed and computing power required to deliver service-level agreements in a scalable and sustainable way.
  • Portability: digital identities need to be portable, and blockchain can ensure personal information, verifiability, and the proper controls follow users when they transition from one organization to another.
  • Privacy: organization amassing PII face new risks, regulations, privacy-focused competition, and consumer distrust. Use cases enabled by blockchain offer stronger privacy protections and keep sharing controls could remain with the end user.
  • Standards: identity and authentication standards exist, including roles, attributes, keys, and entitlements, and these will need to conform with often nonexistent standards for blockchain technologies and interoperability across chains.
  • Interoperability: shifting from a centralized to a distributed paradigm will require interconnectivity and coordination of data, APIs, systems, and governance mechanisms, not only within organizations but across other organizations and ecosystem partners.
  • Regulatory compliance: regulations surround individuals' data, from the patchwork of international, federal, and state data protection laws to specific areas such as biometrics. These will be relevant to blockchain architectural decisions.
  • Immutability: the inability to delete records on a ledger, is beneficial to security, but can affect the privacy of PII. Determining what information stays on-chain versus off-chain is important for other criteria. On-chain immutability will need to balance requirements and safeguards across parties.
  • Key lifecycle management: ensuring an individual has the right cryptographic keys for any task at any particular time requires the ability to renew, revoke, and update access.
  • Usability: distributed or centralized, identity and access management user design is the interface of digital identity, personal identification, and control mechanisms for individuals' data. While successful architectures obscure complexity from the end user, designers should remember the importance of interface for education, consent, ease, and accessibility.
  • Emerging data sets: as data sets are generated and used at greater scale and likely need to consider the long-term risks and compliance questions, and focus on data minimization and privacy engineering techniques.
  • Emerging technologies: as new capabilities, designs, and best practices shift—not to mention developments in blockchain, cryptography, AI, cybersecurity, cloud computing, quantum computing, and critical concepts like digital wallets, will likely need to be considered when designing digital identification systems and after their implementation.

Timeline

Further Resources

Title
Author
Link
Type
Date

5 steps how to anonymize your Bitcoin - Coinmonks - Medium

Lukas Wiesflecker

Web

June 10, 2021

Blockchain Identity Management: The Definitive Guide (2021 Update)

Web

May 19, 2021

Blockchains Aren't Anonymous. But They Can Be. - Ledgerops

Web

May 1, 2019

Integrating Privacy Enhancing Techniques into Blockchains Using Sidechains

Web

2019

Research on Anonymization and De-anonymization in the Bitcoin System

QingChun ShenTu, JianPing Yu

Web

References

Golden logo
By using this site, you agree to our Terms & Conditions.