uPort’s Danny Zuckerman on Self-Sovereign Identity
In May 2018, Facebook exploited the personal data of almost 100 million people, firmly placing data privacy and security as hot topics of national conversation. But even before the Facebook disaster, the personal data of millions were stolen from the databases of some of the largest companies in the world (Sony, Chipotle, and JP Morgan to name a few).
Given the scope and severity of the issue, CoinCentral’s Richard Malone felt compelled to speak with organizations actively building solutions to the problems inherent in data privacy and protection status quo.
Enter Danny Zuckerman, Head of Strategy at uPort. Borne from the ConsenSys ecosystem, uPort is building identity infrastructure on Ethereum that enables “Self-Sovereign Identity” – the concept which provides consumers with complete control over their digital identity and personal data.
Please enjoy this informative conversation on the current state and evolution of digital identity.
What is the scope of the problem that you guys are dealing with here? Why are centralized ID repositories not sufficient?
The main issue with the centralized systems we have today for identity is that they put identity, which is really about the user and a person, in the control of organizations rather than the person. You’ve got governments, organizations, and websites all essentially keeping a registry of who they interact with, and they all have different registries and different lists of the identities, and that causes a bunch of problems.
One, it’s just not very efficient or secure because they all have to store and protect that data separately. Also, all the data that’s generated, all the information about users are scattered in these different silos, and so the user has no complete picture of who they are and the data they’ve been creating in all these different places.
Also, with most of these services, you need to start somewhere, and that’s typically been with a government identity. The first identities were passports issued by nations and one billion people on the planet today don’t have that first identity, and so they can’t get access to all these other services.
All of these issues have been stacking up, and we’ve iterated over multiple different versions of it, so it’s now no longer just based on national identity. We have a federated system today where you log in with Google or Facebook, and they’re collecting all your data as well as all these different scattered accounts. We can now flip that model and put it in the hands of the user rather than the central stations.
What exactly is uPort doing to solve some of these issues that are inherent in today’s ID constructs, and what exactly is self-sovereign identity?
I’ll go back to the previous question first to reference. Basically, each of these organizations previously keeps their own ledger of all the identities that they interact with or that they have issued. Enter blockchain technology, which is, at its core, distributed ledger, and we can now use that ledger as the tracker for identifiers.
We’re focused on people first, but it can be used for devices or anything else too. We now have this shared, common list of identities that are not controlled by any one organization, but instead, secured by blockchain technology and accessible to anyone. If we root on that shared ledger, we can start to attach all of the data from each of these organizations and interactions and relationships, from people, from all the different interactions to that shared ledger.
Now, we can have a complete picture of an identity, a shared picture rather than a scattered, siloed picture. And we can give the ultimate control of that to the user because the individual has the private key to that identifier.
So, self-sovereign is the term we used to say ultimately, you as a person should have the ultimate sovereignty over your identity, gender identity, and the data verification of who you are and everything on that.
Why is blockchain technology uniquely capable of providing optimal self-sovereign identity?
What blockchain lets us do is use these public addresses which everybody has access to as the identifier. The private key to reaching these public addresses is the way that users have ultimate control. It is shared and open that everybody can have access to the same list but secured so that people can’t tamper with each other’s identities.
The whole Cambridge Analytica debacle would not have happened had there been a mass adoption of self-sovereign identity?
There’s been a lot of problems. Cambridge Analytica and Facebook were one of the scandals. The Equifax breach was another. There’s a whole bunch more that add up to be a more significant issue than either of those two independently. The way that those come about is these prominent organizations have their list of identities and all the data around their identities, and they’re trusted to secure all of that data for each of us.
They either don’t do a good job securing it, or they breach the terms and abuse that data and that trust that is given to them. In a system that is self-sovereign where the user has control, the user always has the right to decide who has access to their data and who doesn’t because the data is stored with them rather than with a Facebook or a Cambridge Analytica or an Equifax.
It’s my understanding that you guys are leveraging ERC1056 and ERC780. Talk to me a little bit about how these specific ERCs are advancements. Why not use the ERC725? What are some of the differences here?
Something we spend a lot of time thinking about, especially on a blockchain like Ethereum which is public and permissionless and also immutable, is how do we make sure we can maintain privacy while using an open system like that?
When we say privacy, we mean not only should personal information like your name and date of birth not be put on this immutable ledger that anyone can no longer change, and people can start to see your activity around, that’s very privacy compromising. Even if you cut out your pseudonymous activity, people can begin to correlate different identities and different interactions with a person.
Sometimes that’s fine, but sometimes that’s problematic, and we want to make sure that people can maintain their privacy. Our architecture which includes both ERC1056 and ERC780 is designed to be privacy preserving. Whereas ERC725, the way it gets used may lead to people, without realizing it, putting personal information on-chain which puts at risk their privacy.
We’re aiming for a model that has the benefits of this public system but also lets the users maintain their confidentiality and some of them are also around scaling up to many different identities in a practical way without allowing anyone correlate between them without the user wanting them to.
The ERC725 does put some personal information on-chain which then is less efficient or less private than the other ERCs that you guys are utilizing. It’s my understanding that you guys have both on-chain and off-chain use cases and applications. Can you talk a little bit about the interplay there and what some of those applications look like?
When we’re talking about on-chain and off-chain, most often we’re talking about an attestation or basically signed messages, signed pieces of data that attach to your identity or come from your identity. There is some use for on chain transactions like that. Whether it’s interacting with a decentralized application or in some cases, people may want to publish things on-chain like a pseudonymous identifier so that people can find them in a registry. We are more focused on bringing as much off-chain as possible.
Again, for privacy preservation and also scalability, it’s expensive to do things on-chain. By having this identity rooted on-chain but signing and using that to sign off chain data, you can get a lot of the same benefits of the verification and security of the chain without actually having to use the chain for the data storage or for the actual transaction. We think the majority of interactions should and will happen off chain.
Use cases for that would be sending messages to someone or providing your KYC and had an attestation that your bank KYC’dyou, you could give that attestation entirely off-chain to another party as proof of who you are and something about yourself. That signed proof never really has to be on-chain.
The current process flow of identity dictates that someone makes a claim, then there’s this necessity to have a proof that whatever you’re claiming is legitimate, and then there’s the attestation that you touched on earlier. How exactly is uPort improving upon that whole identity flow process?
There will be an issuer who issues a claim about someone and the holder of the claim, who is the subject it’s about. They will hold that claim, and they can provide that claim to another party who might consume that claim, the verifier. This is not something that we’re doing ourselves in a vacuum.
We’re working closely with other organizations in this space to make sure the way that we create this system and implement the system is interoperable. We don’t think uPort should be the sole provider of identities or creator of claims or the only basis for any of that. The walled garden approach just doesn’t make sense if we’re aiming for self-sovereign identity. We work closely with folks like Sovrin and others at the Decentralized Identity Foundation, W3C working group.
A big effort last year has been pushing for the standards that are going to lead all of these different organizations who play in different parts of this field make sure we’re interoperable in creating this open system where the users are ultimately in control. That’s a piece of it.
It’s working with others to make sure we’re building something that’s shared rather than something proprietary to uPort. On top of it, each company will use those standards in their own way. At uPort, we’re focused on making sure that we can bring this to real users and real use cases…the first user application that can actually do things with this claim format.
The app store and Play store, since middle last year, started to see use cases like Zug, Switzerland issuing verifications to their citizens to access government services and Gnosis doing their Olympia trial on uPort. We’ve started to get a real-world understanding of the limitations of the early approaches where we have to revisit some of the ways that we approach privacy and some of the ways that we can make understanding of blockchain transactions usable for users where it’s confusing and different than Web 2.0.
We’ll continue iterating to make sure that the different experiences get better, not just ourselves, but with all of our partners.
You guys have partnered up with Zug, Switzerland for an initiative that enables online voting and proof of residency functionality. I know Estonia is famous for having the world’s first e-government. Are you guys able to provide any updates or KPIs that show the efficacy of an initiative like the one in Zug? And Do you see other governments around the world taking notice of what countries like Estonia and Switzerland are doing, and hopefully follow suit?
We’re definitely seeing more and more interest from governments and this kind of approach. We did a trial with the government of Brazil. I think most of them aren’t public yet, especially at the city and local level is I think among the more many testers to this approach. I think that’s going to continue.
The government in British Columbia is doing some fascinating work around putting all the claims that the government issues to businesses in this format as a way to seed the system. I think it will continue to pick up. I don’t think it would be a flip the switch and now everything is in this digital and self-sovereign model. I think it will be gradually over time.
We’re seeing that in Zug too. I think just last week the government there announced they’re going to try all blockchain voting through uPort. It’s really, for now, not about massive scale usage. It’s about continuing to push these use cases. It started as just issuing an attestation to citizens to their uPort ID that they are citizens of Zug, which is a new way of doing it because rather than issuing a new ID, it’s an attestation to their uPort ID.
It’s one ID for the user that everything’s oriented around rather than these silos. Then they introduced their website where users could use that credential to get access to services. Now, they’re trialing voting, so I think it’s just going to keep expanding in terms of the uses that we see people build on top of it. Different governments are going to find different methods and hopefully start to copy each other more and more.
What are some of the current barriers to mass adoption of self-sovereign identity? Like regulations, the lack of technology out there, and/or a lack of awareness?
I’d say there’s still quite a few challenges. One is finalizing some of the standards. Again, not just us but with everybody else to make sure what we’re building is going to be interoperable and being on a solid foundation. Also, incentivizing the adoption of this and that means different things. When we talk about incentives in the blockchain space, often people go to tokens, and that may play a role, but also, it’s just starting to demonstrate the value of an identity system like this where the users are in control, creating ways for users to accumulate their data and get value out of that.
Whether that’s browsing history from one Dapp being useful on another or KYCs being reusable. I think some use cases are going to start to make it very clear how quickly this can become very powerful, and we’ll start to see some take off there. There are some technology challenges around usability. For example, for us, transaction fees on the Ethereum network. We need to figure out if we’re going to have a lot of users on this, how do we onboard them if they don’t have Ether start with? How do we make sure transaction fees are not a barrier to on-chain transactions?
There’s still just a lot of code to be written, a lot of work to be done to make all of this really user-friendly because people have high expectations for the services they use. There is going to be comfort with the security of new technology like blockchain in some of these government projects where we see lots of various voting initiatives built on top of uPort in countries all over the world. I think, right now, they’re mostly in the proof of concept or experiment phase.
Not serious things, but if they start to demonstrate the security of blockchain and the efficacy of that insurant trust, we’ll begin to have more adoption by more prominent organizations and governments. I think it’s all the things you’ve mentioned discontinuing to build out what’s still a pretty new field, both value, and trust in the various areas.
When I was interviewing Andrew Keys, he explicitly mentioned self-sovereign identity as a prominent use case for blockchain. It’s going to be very transformative for society. He specifically mentioned game theoretic incentives built into self-sovereign identity model. For example, we could aggregate Airbnb and Uber rating data to come up with something like a social score to incentivize people to act in the best interest for the world. We could, for example, prevent crime and other situations of that nature. What does the future of self-sovereign identity look like for you?
That idea of both contextual and portable reputation is an essential concept. If users are accumulating all of this data, that’s great, and that’s the basis for everything. Having access to everything from your browsing history to your health records and everything else, but it’s making sense of that data.
Once you can bring it all together, that’s really exciting. That might mean a universal reputation score of some kind, but that starts to get into some dangerous territory, but also, you can then combine all of your peer to peer sharing economy type data, whether it’s Uber, Airbnb, ETC, to have a score that you can then use when you go start on a brand-new service. You don’t have to build up a new reputation from scratch.
Also, when you start to use things like your mobile phone usage and payment history, and you have an excellent record of paying rent to create a reputation that gives you access to loans that you might not have had access to before. It’s being able to combine these different forms of data to create reputations and credibility without having to start from scratch each time.
I think it’s a fascinating piece. I don’t think we know exactly how that will look. It probably won’t be a five-star system which is very simplistic. I think we’ll see a lot of different companies using lots of forms, but that’s something we want to very quickly start to let people experiment with and see what forms it takes so that we can design uPort around that.
Before we wrap up, I’d like to finish with one of my favorite questions. If you had access to a big billboard in Times Square, what message would you want to be displayed? It can be about identity in general or specifically uPort.
Good question. I’ll have to say:
uPort: your data in your hands, your privacy in your control, your digital freedom.
Oh, and also blockchain.
Thanks for your time, Danny.
ABOUT THE AUTHOR
ABOUT THE AUTHOR
Richard is a blockchain investor who loves health/wellness, backpacking, social entrepreneurship, and DC sports.
He is the in-house skeptic of many altcoins but is very bullish on blockchain and Bitcoin.