The Identity Industry

Alastair Berg is from the RMIT Blockchain Innovation Hub, the world’s first social science research centre into the economics, politics, sociology, and law of blockchain technology.

He has received funding from the NEM Foundation to examine how start-ups are using the NEM blockchain to provides solutions to help consumers, businesses and regulators understand the nature of the people, businesses and things they interact with.

The identity industry is massive.

Background check automation, biometric solutions, KYC compliance, identity theft and fraud protection, IoT device security and of course blockchain based identity solutions. These are just a handful of segments in an industry which is estimated to grow to USD16 billion by 2022.

In a previous post on the NEM forum, I talked about how identity is a crucial part of all but the most trivial economic, political and social exchange. Any time you transact with someone, depending on the nature of that transaction, you require some level of assurance over who you are dealing with, and what you are purchasing. Most transactions rely on identity.

The KNOW Identity Conference was held in Washington DC over three days in March. I was lucky enough to get funding from the NEM Foundation to attend, as part of my research into how organisations are using blockchain solutions to help consumers, businesses and regulators understand the nature of the people, businesses and things they interact with.

One World Identity (OWI), the organisers of the KNOW Identity Conference, are an identity research organisation and consultancy. Attending was a tremendous opportunity to network, learn and get an insight into the state of the industry.

Two key insights from the conference.

First is that new regulations are going to have a significant impact on the way in which organisations collect and store personal data.

The European Union (EU) General Data Protection Regulation (GDPR) is top of mind for many participants in the industry. Although a European regulation, it will have global effects. No matter where your organisation is based, if you deal with European customers, you must abide by it, otherwise face fines of up to EUR20 million, or 4 per cent of annual revenue.

The GDPR forces organisations to allow data subjects rights including data access, rectification, the right to withdraw consent, as well as the right to erasure. They must also employ a data protection officer (DPO) to comply with the 261 page document.

Such a regulation as the GDPR covers personal data like names, addresses, and economic, social and physical identities of individuals. It also covers pseudonymised data. This means that even if information has a function like SHA3 - used in the NEM protocol - applied to it, it is still considered personal data.

Second, and most interesting, were the discussions – both positive and critical – of the use of blockchain for individual identity. A number of organisations developing self-sovereign identity solutions were represented, including Sphere Identity and Evernym. These self-sovereign identity solutions allow individuals complete ownership, control and portability over their digital identities, rather than relying on third parties such as governments, financial institutions and social media websites.

Some criticisms of using blockchains, and especially public blockchains, for individual digital identity involve privacy concerns. This is easy to understand. Storing sensitive personal data on a publically auditable – and immutable – blockchain is inherently unwise. Think of storing sensitive medical information on a public blockchain. You just shouldn’t do it. Indeed, organisations like Sovrin, an organisation establishing a self-sovereign identity network, explicitly recommend keeping personal data, and even hashed personal data, off chain.

Instead of keeping personal data on chain, what are kept on chain are decentralised identifiers (DIDs), and this allows the management of relationships with various counterparties to be separate and uncorrelatable. Your relationship with your bank or favourite retailer is separate from your relationship with the university you attend. This is privacy enhancing.

Interesting discussions over private key management were also enlightening, and speak to the ways in which blockchain applications and technology will need to be ‘sold’ to the millions and billions of people who are still not used to managing their private keys. Losing the private key to your NEM wallet is one thing, losing the private key to a wallet containing your passport, or your driver license, or your university degree is another. Multi-sig addresses, and other innovative solutions may become common and widespread for such identity use cases. This all makes it clear that as transformative as the new blockchain economy will be, if will also have to be user friendly. User experience will make or break many start-ups, while those which thrive will have the needs of their users front of mind.

As the identity ecosystem keeps evolving, it will be fascinating to see how start-ups and larger organisations continue to develop, and deploy, such identity solutions using blockchain technology. We are already seeing large and well-resourced players entering the space, including IBM joining the Sovrin network. What will be exciting is to see some by smaller, more nimble players who might use the NEM blockchain. Already we have seen players like Luxtag using the NEM blockchain to provide assurance over the provenance of luxury goods, and it would be equally exciting for a group to take it one step further, and explore the concept of self-sovereign identity.


Nicely written!