Balancing blockchain tech and identity dilemmas

As we look back at 2015, we can see the explosion of interest in blockchain technology in mainstream media. These articles tend either to dismiss the importance of the technology or to promise that it will disrupt major areas such as FinTech, the Internet of Things, digital rights, Identity and Access Management or Life Management Platforms. The trustless blockchain model will indeed disrupt existing solutions and approaches in these non-trivial industry verticals, yet it is important to maintain a balanced perspective on any new technology. To dismiss the blockchain's importance, or to evaluate it solely against existing technology or past innovations, is a short-sighted and risky position, as the very nature of disruptive innovation is that it upends existing reference points and current certainties. On the other hand, getting carried away by the hype, often generated by those with vested interests in the new technology, leads to predictions about the future that are frequently proven wrong in hindsight.

No one has figured out how to predict the future; past events simply do not allow crystal-ball extrapolation of potential outcomes. What we can do is keep an open mind when looking closely at blockchain innovations and examine where this new technology will change the way we currently do things. It is possible to note the disruptive potential of the blockchain while avoiding the hubris of thinking we can assert with confidence what will happen to it in the future.

So what do we know today about the usefulness of blockchain technology in areas of Identity and Access Management such as user identification and authentication? Martin is right on target here regarding the blockchain and the current problems of user identification. The long-running dilemmas we face around user identification will not be solved by what the blockchain currently is: a public, distributed ledger. A ledger that is replicated to every participant and designed to be append-only is the wrong place for personal data, since anything written to it can neither be deleted nor have its visibility revoked later, and deletion and revocation are exactly what identity and consent management require. In the future, homomorphic encryption and blockchain-enabled distributed, trustless computing technologies such as Ethereum and Enigma do offer the potential to radically change how personal data is managed, and therefore to change the approach to user identification. These new, trustless, distributed approaches will present new dilemmas and challenges as well as solutions. User-controlled data stores that include standardised protocols for granular, revocable access to personal information, or Life Management Platforms, have long been heralded by KuppingerCole as foundational to solving the problems of privacy, identification and digital consent, problems that demand a solution ever more urgently as every aspect of a person's life is increasingly stored online. A good summary of why life management platforms are very difficult to create, and how a public blockchain might both help and hinder their creation, can be found here.

The problems of biometrics and user identification, and the need to ensure user-controlled privacy, transparency, integrity and usability, are far from trivial. A use case that exemplifies these dilemmas: a future user-controlled, legally binding life management platform exists, and a user loses their set of private keys, or, in the case of serious illness or death, a legal guardian needs to be granted access to those keys. In the legacy, centralised model, a trusted third party such as a government department holds a master key to all user information. The risk profile of such centralised models is well known, and the question here is whether to sacrifice user control and transparency for the sake of usability. Conversely, a trustless, decentralised model may be perfectly transparent, yet forgoing trusted third parties entirely in favour of rules enforced only by cryptographic keys and consensus code, with no human override, as some of the more extreme proponents of decentralised blockchain models suggest, would probably be unacceptable to the majority of users of such services. (Proof-of-work, often cited in this context, secures the ledger's history; it does not adjudicate who may access a record, and a key that is lost under such a model is lost for good.) How do you argue with an algorithm that you require urgent access to the health records of a family member? How do you guarantee that a rogue government employee or an insurance company does not abuse full access to health records?
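The recovery dilemma above sits between two extremes: a master key held by a third party, where anyone holding it can read everything, and a key held only by the user, where loss is final. One engineering middle ground is to split the user's key into shares held by the user and named guardians, so that a quorum can reconstruct it but no single holder can. The block below is an added illustration of that trade-off, not code from the original post or from any platform it mentions; the holders (user, spouse, lawyer), the key values and the 2-of-3 policy are constructed for the example, and the scheme used is Shamir secret sharing over the prime field 2^521 - 1.

```python
"""Key recovery between the two extremes described in the post.

Added illustration, not code from the original post. A user's 256-bit key
is split with Shamir secret sharing across the user and two guardians
(hypothetical holders) so that any two of the three shares rebuild it,
while one share alone reveals nothing about the key.
"""
import secrets

# Mersenne prime 2^521 - 1: a field large enough for any 256-bit secret.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points, threshold):
    """Lagrange-interpolate the polynomial at x=0 to get the secret.

    Refuses (rather than returning a wrong value) when fewer than
    `threshold` distinct shares are presented: there is no partial access.
    """
    unique = list({x: y for x, y in points}.items())  # drop duplicate shares
    if len(unique) < threshold:
        raise ValueError("insufficient shares: quorum not met")
    unique = unique[:threshold]
    total = 0
    for i, (xi, yi) in enumerate(unique):
        num, den = 1, 1
        for j, (xj, _) in enumerate(unique):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def guardian_recovery_scenario():
    """Constructed scenario: user, spouse and lawyer hold one share each under
    a 2-of-3 policy. Returns (guardians_recovered_key, lone_guardian_blocked)."""
    user_key = secrets.randbits(256)
    shares = split_secret(user_key, threshold=2, shares=3)
    holders = dict(zip(["user", "spouse", "lawyer"], shares))

    # The user loses their share; the two guardians together reconstruct it.
    recovered = recover_secret([holders["spouse"], holders["lawyer"]], threshold=2)

    # The lawyer acting alone does not meet the quorum and gets nothing.
    try:
        recover_secret([holders["lawyer"]], threshold=2)
        lone_blocked = False
    except ValueError:
        lone_blocked = True

    return recovered == user_key, lone_blocked


if __name__ == "__main__":
    print(guardian_recovery_scenario())  # (True, True)
```

Note that the quorum rule is still an algorithm with no human override: below the threshold, `recover_secret` refuses outright rather than leaking partial information, so the lawyer alone gets nothing, and if the guardians themselves lose their shares the key is gone exactly as in the strict model. Who the guardians should be, how many must agree, and whether that is an acceptable answer for an urgent medical request is the policy question the post raises; the code only makes the trade-off concrete.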

There are no easy solutions to these dilemmas, which is why those in information security maintain a high level of caution when speculating on possible future uses of blockchain technology. With its widespread adoption, technology professionals will have their work cut out for them understanding in detail how trustless, distributed systems with far more public transparency than ever before will operate in practice, regardless of the prognostications of non-technical journalists who are perhaps a little too excited by the blockchain hype. Caution does not imply a dismissal of the importance of the blockchain. Rather, it is an awareness of how much things will change. It is possible to gain a deep understanding of what the blockchain currently makes possible while remaining conscious of the merely speculative nature of the many future scenarios posited. Science-fiction blockchain hype may grab headlines, yet information security professionals already have their hands full understanding and responding to a constantly changing threat landscape.