Blockchain security

Decentralized identifiers (DIDs) and blockchain: The silver bullet for online privacy?

July 14, 2021 by Susan Morrow

Privacy carries a lot of weight in our modern digital world. But privacy also means different things to different people. For example, would you be happy to sell your data? And if you do sell it, does that transaction preclude a right to privacy? The many forms of privacy have been highly debated in recent years and a mix of both technological and societal aspects have formed the basis of this debate. One area that is emerging is in the technical side around a concept known as a “decentralized identifier” or DID. The question is, are DIDs inherently privacy-enhancing, and can the use of DID as a protocol add privacy value to a system?

Decentralized identifiers: What is a DID?

Centralization of digital identities and identity attributes is something that we have all grown up with, from employee directories to government national security numbering systems, and so on. Typically, these identifiers are held in a central database or similar. Then the blockchain came along and offered a decentralized different way to handle identifiers. But the blockchain was an unfettered way of managing data exchanges as no standard underpinned these exchanges. That was until the W3C came along and developed a specification for this standard, the decentralized identifier (DID).

Standards and protocols are the lifeblood of digital transactions. Without this type of framework, performing a digital transaction would be like having a group of people, none of which could speak each other’s language, write a document together.

W3C recognized this need to develop a common language for blockchain-based digital interactions that involved attributes. The result is candidate draft 1.0 of the specification for DIDs, published on May 22, 2021.

The W3C defines a DID as:

A globally unique persistent identifier that does not require a centralized registration authority because it is generated and/or registered cryptographically.”

A DID can represent anything, both abstract and real: a person, an IoT device and even a robot. 

A DID can work with a blockchain, but it doesn’t have to be based on a blockchain, DIDs are designed to work with any decentralized system. DIDs are designed to decouple from the status quo, removing the need for identity providers (IDPs), certificate authorities and the centralized registries we are so used to. DIDs are a potential game-changer in digital transactions that use attributes. But they are not necessarily the only game in town.

Architecturally, DIDs are URIs. This is important as it makes them understandable to an audience used to using URIs. The URI nomenclature and syntax are used to associate a DID subject with a DID document and the whole is baked in using verified data.

Source: W3C

A DID comprises three parts:

  1. The scheme DID
  2. A DID method (e.g., the ledger used such as Ethereum)
  3. A method-specific identifier specified by the DID method

A DID is resolvable to a DID document that represents a DID subject.

What is a DID subject?

A DID subject is the entity that the DID identifies and that the DID document describes.

What is a DID document?

This is a set of data describing the DID subject. The DID document contains a set of mechanisms that can be used to authenticate the DID subject to securely associate them with a DID. Verification methods, such as a cryptographic public key used to verify a digital signature, can be expressed in the DID document. As a note, the DID document is one part of the system that is not necessarily decentralized.

What is privacy and can the DID specification guarantee it?

The candidate draft has several design goals, one of which is privacy. Under the definition of privacy, the group defines this as:

“Enable entities to control the privacy of their information, including minimal, selective and progressive disclosure of attributes or other data.”

What privacy is, and how it is achieved, is a fundamental question to bear in mind as this discussion on decentralized identifiers and privacy unfolds.

Many organizations, including the International Association of Privacy Professionals (IAPP), describe privacy as the “right to have some control over how your personal information is collected and used.”

Privacy is not security. But security can enhance and enforce privacy. Privacy begins with a choice to share your data and determine its use once shared. Privacy is also legislated for. Firms must meet often exacting privacy requirements.

In definition form, the W3C’s DID specification shows commitment to achieving certain aspects of privacy. But what about the reality of a digital data transaction? Achieving privacy is becoming more complex in a digital world where personal data is required for even the most mundane of transactions. Often these personal data are stored across myriad accounts each with a mechanism to protect these data and varying policies of sharing and consent. These data are required to enact transactions like sending a gift out to a friend’s address while taking payment from a financial account. Fundamentally, if a user releases data to a third party to send out a gift to a friend, it is no longer under that user’s control. As soon as it is passed over to complete a transaction unless stringent legislation is enacted and enforced, it is open to privacy violations.

While a DID may take certain aspects of privacy into account, any system based on DIDs must also look at how data, once released and outside the architecture of a DID/blockchain, is held under consent and used appropriately. In other words, the entire lifecycle of data in use must be considered to get privacy correct.

In recognition of the complexities of data privacy, the W3C DID specification document says this on privacy (within a non-normative section):

It is critically important to apply the principles of Privacy by Design [PRIVACY-BY-DESIGN] to all aspects of the decentralized identifier architecture, because DIDs and DID documents are, by design, administered directly by the DID controller(s). There is no registrar, hosting company or other intermediate service provider to recommend or apply additional privacy safeguards. The authors of this specification have applied all seven Privacy by Design principles throughout its development. Privacy in this specification is preventative, not remedial, and privacy is an embedded default.”

The specification sets out a series of vital advisories to ensure that privacy is robust, including ensuring that DIDs do not contain personal data. Instead, personal data should be behind service endpoints under the control of the DID subject or DID controller.

Data, whatever place it resides in (or not) is a fluid entity that moves across the internet to do jobs for us. How we ensure its privacy is complicated and neither begins nor ends with a technical mechanism.

Data privacy reality and DIDs

Privacy is a human right, not just a measure of how secure data is. Data privacy is about an attitude that extends way beyond a decentralized method of managing attributes into the way that data is collected, consumed, shared and queried. Data privacy is about respect and control, not just by the user, but by the data consumer too, such as a retail website.

Using a blockchain model for personal data sharing based on the DID protocol does confer some aspects of that privacy lexicon. These privacy-enhancing features are based on the use of zero-knowledge proofs.

What is a zero-knowledge proof?

A zero-knowledge proof (ZKP) is a method that uses cryptography to prove a piece of information without handing over reference data like if a person is over 18.

Passing the DID Rubicon

Not everyone is convinced of the holy grail of the DID. Privacy and blockchain expert Elizabeth Renieris resigned as a technical advisor of ID2020, describing the company as taking a “techno-solutionism” stance and that it promoted “decentralized identity solutions at all costs.” 

In an article, “The Dangers of Blockchain-Enabled Immunity Passports for COVID-19,” Elizabeth explores the issues of using a blockchain/DID-based system for the highly topical area of immunity passports. In this treatise, she writes about how the context of an attribute can add dimensions to a system that are unaccounted for. The example she gives is the unknowns in the human immune response to the SARS-CoV-2 virus. 

Renieris goes on to link this current lack of knowledge on the virus with the prospected use of DIDs to create COVID-19 immunity passports. She critiques the use of DIDs, a web technology, for use in such wallets. Her overall concern is the ethics and civil liberties aspect of tying a record of infection/vaccination to an individual on an immutable record such as a blockchain; this is a societal problem and technology could have broad implications for our society. A conclusion that she makes in May 2020 is that “Before entrusting any technology to protect people from the spread of infectious disease, it should be subjected to rigorous formal analysis and security review. At this stage, W3C VC, DIDs and related technologies have not yet undergone sufficient scrutiny.”

Another high-profile critic of the use of DIDs is analyst Steve Wilson. Steve has been a critical voice in the blockchain space, pushing to ensure the technology is robust for use within an identity context. Steve said, “Digital Identity can’t be anything other than data. The frontiers of Digital Identity ― verified claims and credentials, ‘DID documents,’ proving possession, granting consent ― all boil down to the quality characteristics of data.”

This contextual view of data from both Renieris and Wilson is a very important aspect of achieving a system where privacy is firmly placed. The type of data held within a blockchain and represented by a DID must have robust governance. The data registered therein, may be highly sensitive and be placed by a state entity or other organization without a person’s consent. For example, in the UK, the NHSX Covid vaccination app’s privacy statement originally showed an intent to not only hold health data but other data, too. In an earlier version of the privacy policy of the app (an extract shown below), it clearly stated that data such as “criminal convictions or alleged criminal behavior” would be stored. 

Source: Google cache of NHS Covid-19 status app.

Whilst this app is not currently based on DIDs, the principle of data minimization is not upheld. It is noted that this data requirement is not reflected in the latest version of the privacy policy. The rumor is that the original privacy policy showing the criminal convictions data clause was copied and pasted from another privacy policy. Whatever the reason, this shows a lack of clarity over what privacy entails. There is no reason why a similar scenario would not happen within a DID-based system. Privacy is as much about context and perspective as it is about technology.

DID privacy matter?

The DID protocol is not confined to use with a blockchain but does offer a useful standard for identity attribute sharing. A DID is designed for privacy but a decentralized system, blockchain or distributed ledger can only go so far in promoting privacy. It is not a privacy panacea or silver bullet. Nothing is. No system can prevent a relying party (like an eRetailer) from asking for more data than is truly needed to transact. Similarly, no system can prevent the user from releasing more data than required. Legislation on data minimization can attempt this, but ultimately, it is down to the user-relying party relationship. Privacy is a challenge, but one that cannot be achieved by a single protocol or mechanism.

 

Sources:

Decentralized Identifiers (DIDs) v1.0, W3C

What does privacy mean?, IAPP

Technical advisor resigns from ID2020 Alliance criticizing direction and immunity passports stance, Biometric Update

The Dangers of Blockchain-Enabled “Immunity Passports” for COVID-19, Berkman Klein Center

Digital identity can and should be reframed, Steve Wilson

Posted: July 14, 2021
Articles Author
Susan Morrow
View Profile

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.

Leave a Reply

Your email address will not be published. Required fields are marked *