Phil Windley Thinks He Can Protect Your Data
The chair of a foundation dedicated to safeguarding personal information online believes blockchain is the answer.
In an era when major data breaches occur frequently, how can Internet users and online consumers protect their personally identifiable information (PII)? According to Phil Windley, a former CIO for the State of Utah and an enterprise architect and lab director for the CIO’s office at Brigham Young University, one solution is to stop sharing IDs altogether. This is especially important for the most vulnerable identifiers: credit card numbers, bank accounts, Social Security and other government IDs, and mobile phone numbers. Networks that use digital ledger technology — the encrypted, mutually legitimizing software systems known as blockchain — can now be designed to eliminate the need to risk identity theft. For conventional IDs, they substitute unlinked identifiers, verifying them through a distributed ledger, shared digitally among all the participants in the system, which maintains a single ongoing record of transactions without requiring a government’s oversight.
To understand how such a web of trust would work, consider a bartender checking proof of age. In the United States, to show you are 21, you display your driver’s license and are reasonably confident that the bartender isn’t memorizing your name and license number. But in the digital world, you wouldn’t want to share something like a driver’s license just to prove your age. That kind of broadly accepted, portable credential is the kind identity thieves seek most. Instead, using the approach of the Sovrin network, a blockchain-based system that Windley codesigned and oversees, you could share a more specific, tamperproof claim. This would be a digitally signed assertion that your state government, or another creditable group, makes about your age on your behalf.
Sovrin’s approach is known as “self-sovereign identity,” which is a form of personal legitimacy conferred by each individual’s choice about what data to reveal. If you are a Sovrin network member, you can build and maintain your own portfolio of identity claims. You pick and choose which elements you share in any given situation. With the help of the portfolio, over time you can own, build, and control your online identity. You avoid the risk of giving someone unauthorized access to your banking and credit accounts, because those accounts are never identified except through the identity claims that you release. Thus, the organizations you do business with are relieved of the responsibility of possessing and protecting your most sensitive identity data.
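The bartender scenario above, sketched as an added example (not code from the article or from Sovrin): an issuer signs one narrow claim about an unlinked identifier, the holder releases only that claim, and the verifier checks it against the issuer's public key. A plain Ed25519 signature stands in for the network's actual credential scheme, and every name and value here is hypothetical.

```javascript
// Added illustration: Ed25519 is a stand-in, not Sovrin's credential protocol.
const nodeCrypto = require('node:crypto');

// Issuer (for example a state government). The public key is what a
// shared ledger would publish so that any verifier can look it up.
const issuer = nodeCrypto.generateKeyPairSync('ed25519');

// Fixed field order so signer and verifier always sign the same bytes.
function encodeClaim(claim) {
  return Buffer.from(JSON.stringify([claim.subject, claim.name, claim.value]));
}

// The issuer signs one statement about one identifier, nothing more.
function issueClaim(privateKey, subject, name, value) {
  const claim = { subject, name, value };
  const sig = nodeCrypto.sign(null, encodeClaim(claim), privateKey);
  return { ...claim, signature: sig.toString('base64') };
}

// The verifier needs only the issuer's public key and the claim it was shown.
function verifyClaim(publicKey, claim) {
  if (!claim || typeof claim.signature !== 'string') return false;
  const sig = Buffer.from(claim.signature, 'base64');
  return nodeCrypto.verify(null, encodeClaim(claim), publicKey, sig);
}

// A fresh random identifier per relationship gives verifiers nothing to join on.
function newUnlinkedId() {
  return 'id:' + nodeCrypto.randomBytes(16).toString('hex');
}

// Constructed sample data: the holder's portfolio for one relationship.
const barId = newUnlinkedId();
const bankId = newUnlinkedId();
const portfolio = {
  ageOver21: issueClaim(issuer.privateKey, barId, 'ageOver21', true),
  licenseClass: issueClaim(issuer.privateKey, barId, 'licenseClass', 'D'),
};

// The holder releases a single claim; the rest of the portfolio stays private.
function present(claims, name) {
  return claims[name];
}

const shown = present(portfolio, 'ageOver21');
// The same signed claim replayed under a different identifier must be rejected.
const replayed = { ...shown, subject: bankId };

console.log(verifyClaim(issuer.publicKey, shown), verifyClaim(issuer.publicKey, replayed));
```

The verifier sees four fields (subject, name, value, signature) and no name, license number or birth date; any change to the signed fields invalidates the signature.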
Systems such as Sovrin’s can also be solutions to the problems of identifying people without compromising their autonomy — a prevalent problem for humanitarian initiatives, anti-trafficking efforts, and organizations that help refugees. These new forms of blockchain-based identity can’t be usurped or stolen; they can be used to ensure the right people are receiving aid; and they aren’t subject to the whims of a particular government.
Sovrin is not alone in its effort to allow individuals to control and manage access to their personal data. Microsoft, for example, has begun to advocate decentralized identifiers just as Sovrin does. Both organizations are members of the Decentralized Identity Foundation.
Windley is the chair of the Sovrin Foundation, which orchestrates stewardship of the Sovrin network. The nonprofit Sovrin Foundation doesn’t own the Sovrin network. Rather, an evolving group of members, such as certification authority InfoCert, act as stewards. Windley’s interest in user-centric identity goes back to 2005 and the first Internet Identity Workshop (IIW), which he founded with author Doc Searls and identity consultant Kaliya Hamlin.
As part of its series of interviews with digital leaders, strategy+business talked to Windley by phone in December 2017.
S+B: Why are enterprises interested in a decentralized identity approach?
WINDLEY: The enterprise identity world is looking for solutions that are better than what they can build themselves. Heaven knows, nobody is going to hold up a bank or healthcare identity system as the shining example of how to do identity. But on the other hand, they don’t trust anybody else to do it. These institutions are on the horns of a dilemma.
Many companies allow customers to log in using their Facebook, Google, or Twitter identifiers. But this is an uncomfortable situation, because it makes the other companies dependent on them. For example, if Facebook perceived a good business reason to phase out that login feature, they’d probably do so immediately. That’s just the way the world works.
S+B: How does the Sovrin identity system work?
WINDLEY: Most of the time when people hear “identity system,” they think of a username and password. Once the system has authenticated a person that way, then it may have authorizations, access control lists, and policies associated with that identifier. These determine what this person is allowed to do or how they may be reached in that system.
That’s a very narrow view of identity. If you look at how identity functions in real life as opposed to how it functions on the Web, it’s much richer. We all carry around multiple identity documents that are used for different purposes. For example, in my wallet I’ve got a driver’s license from the State of Utah. I’ve got credit cards from various banks and other financial institutions. I’ve got a health insurance card. I’ve probably got a loyalty card from the local grocery store. Each is in some way an identity document with its own level of trust associated with it. For example, my bank card conveys on me the trust to go to an ATM, enter a code, and withdraw cash.
Online, we haven’t really thought of identity that broadly. So when you look at these new emerging self-sovereign identity systems like Sovrin, many of them are trying to define identity as a holistic system. You clearly have to have identifiers because that’s how you’re going to know that you’re talking about a particular entity, whether it’s a person, an organization, or another thing. But beyond those identifiers, you have to have ways of creating verifiable trustworthy credentials that fit this broad spectrum of use cases, all the way from merchant loyalty cards to passports from a sovereign government.
S+B: How does the Sovrin approach manage those identifiers?
WINDLEY: As a default choice, unless the user specifies otherwise, we issue a new identifier for every relationship. That reduces correlation risk. Let’s say for example that I have a relationship with my employer and I have a relationship with my bank. If I have different identifiers for each of them, they can’t get together behind my back and exchange information about me.
Of course, if I give them both my Social Security number because the laws require it, then they would be able to use that number for correlation. But they can’t do it just from what Sovrin provides them.
Mobile phone numbers are another example. There’s really no reason we each have to have a single cell phone number. That was the way it was engineered a century ago. Instead, you could imagine a system in which I can create a different number for everybody that I talk to. Nobody remembers phone numbers anymore or dials them directly anyway. We all just click on contacts. So phone numbers could be really long non-correlatable strings and the system would still work just fine.
Now that systems are emerging that create identifiers that aren’t correlatable and still accomplish all the things you need to do, you’ll see the use of correlatable identifiers decrease. At least that’s our hope.
Managing Biometric Markers
S+B: Biometrics [identity markers tagged to the human body, such as retina images or fingerprints] are another example of correlatable information. How are biometrics handled on the Sovrin network?
WINDLEY: Our architecture never stores personally identifiable information on the ledger itself. Of course, PII includes biometrics. So biometrics are just a subcategory of a large group of things that we won’t store on the ledger.
Biometrics are very useful at the device level. Face ID for iPhone and Touch ID in Android or iOS are good examples of using biometrics to access a device. But the biometrics in that case are stored on the device. The devices don’t push them up to Apple or other providers. They keep them right there on the device where they can’t be stolen or used against you.
One of our partners is iRespond, an NGO that uses biometric technology to help humanitarian services track the identities of people they deliver services to. Peter Simpson, the executive director of iRespond, is on the Sovrin board of trustees. iRespond helps keep track of immunizations in Africa and Asia, for instance. Its records are based on biometrics — specifically, the patterns of the iris in an eye — because people who are displaced don’t necessarily have any other form of identification. They don’t have cell phones or identity cards; biometrics are the perfect solution for them. We don’t store the biometric data in Sovrin. Sovrin’s used essentially for storing the other information that’s necessary to make that work. For example, we create a new identifier for each relationship to avoid correlations.
Why Data Privacy Matters
S+B: Some national and state governments are starting to use Sovrin, correct?
WINDLEY: Yes. The Illinois Blockchain Initiative, a government effort, has announced that it’s going to start issuing birth registrations using Sovrin. Birth certificates are one of the foundational government-based identity documents that we all use for various purposes.
The provincial government of British Columbia in Canada has started a business registration system. All of the business registrations that they do, they’re putting on top of Sovrin.
And we’re working with a consortium of government, university, and industry leaders in Finland to see how Sovrin can be used there to create trustworthy documents for various purposes, some of which are governmental.
S+B: Reducing correlation seems key to these sorts of initiatives.
WINDLEY: Yes. We have a lot of opportunity to reduce correlation. And the reason that’s important is that reducing correlation protects privacy. People will say that privacy’s not a feature people are willing to pay for. I agree, but I think it’s a feature that they have to have in order to have other features that they do care about.
If you ask people whether they want privacy, they’ll say no, but if you ask them whether they want control over how their information is used, they’ll say yes. It depends on how you phrase the question. And you can’t have control without privacy. Once your data’s out there, it’s out there. You don’t have control anymore. So privacy is one of those must-have things for any system that purports to give people sovereignty over their data.
- Alan Morrison is a senior research fellow at PwC US, based in San Jose, Calif. He was named a Quora top writer in 2016, 2017, and 2018, and has written for ExtremeTech and Recode.