Ten reasons blockchain may not be the solution for a global identity ecosystem!

I’ve lost count of the times that I’ve presented on the problems posed by designing a single, global identity ecosystem and people have come up afterwards and said “so what are you proposing – blockchain?”; to which my standard response is “blockchain may play a part in some aspects of a solution, but it is not THE solution!”.

So, what is behind that assertion?

Vint Cerf on Blockchain
First: the problem, as I see it, is the “the solution is blockchain; now what’s the problem?” crowd, driven partly by VC funding and partly by proponents trying to find viable uses beyond alt-currency and land registry.
Blockchain is just a database. Yes, it’s a special kind of database, with some interesting properties around pseudonymity (pseudo-privacy) and provable immutability, but also with some interesting issues because it’s a public ledger (more on that later). But the bottom line is that I’m with Vint Cerf on this one as my starting point for a debate.

Second: Blockchain does not pass the “sniff” test for a global identity solution. It does not pass the acid test of “will the Chinese use a US-run solution, or vice versa?”. Remember, someone has to own, control, manage and upgrade the system, even if it is distributed. National governments want to keep a large measure of control over the identities (or, more correctly, the identity attributes) that matter to them, particularly citizen attributes.

Third: The locus-of-control problem; see Jericho Forum Commandment[i] #8: “Authentication, authorisation and accountability must interoperate / exchange outside of your locus / area of control”. This is the “we can only make it work if we control everything ourselves” mentality that the security and identity industry has had for over half a century, whether it is “put it all into AD”, “everyone must have my product for it all to interoperate”, or “we can only make identity work if I run the central database” (look at any government-developed identity system).

This is really key, because it goes to trust and risk: how do you trust (or perform a risk calculation on) something you do not manage? The reality is that you generally don’t; you insist on doing your own identity proofing and creating an identity that YOU manage, in your identity system. That is why corporates end up with poorly managed contractor and third-party identities alongside (reasonably managed) staff identities, and why governments end up creating dummy citizen identities so that foreign nationals can pay tax.

Fourth: We've already seen the need to fork Bitcoin[ii], and Estonia (the poster child for state-mandated ID systems) found a security problem with its ID cards[iii]. Can you imagine needing to do this for 7.5bn people (let alone 20bn+ IoT devices)?

Fifth: A truly distributed blockchain cannot handle the growth or the transaction rate for 30bn+ (and growing) identities together with all their attributes. Think how many identity transactions need to be carried out on a global scale. The alternative is a private blockchain, but then go back to the second problem above.

Sixth: Identity and attribute revocation. Once it’s on the blockchain, how do you revoke it? And a total, binary revocation is often not what you want. For example, my old passport: even though it has expired (been revoked) and I cannot use it for border entry, it is still a government-issued document with my photo and (immutable) date of birth, and depending on the risk assessment of the entity I present it to, it may be perfectly adequate for proving my age. Conversely, under the GDPR “right to be forgotten”, how can I completely erase every trace of an aspect (or persona) of my identity when it is stored on an immutable public ledger?

Seventh: Blockchain, or to give it its full name “public distributed ledger”, can have serious privacy problems precisely because of its public and distributed nature. Any solution will need to store SPI (sensitive personal information), and while I agree there are technological measures to protect those attributes, often the very existence of an attribute (but not its contents), or a reference to an external organisation or system, is enough for inferences to be drawn. For example, a reference to a particular ethnic group may result in an entity being arrested, targeted or killed.
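The sixth and seventh points, revocation on an immutable ledger and inference from what a ledger exposes, are easier to see in code. The following is an added example, not code from the original post and not from any Global Identity Foundation work: a toy hash-chained, append-only ledger in Go that stores only SHA-256 commitments to attribute values while keeping the subject and issuer references in the clear, as any ledger that has to be looked up by subject must. The subject identifier, issuer names, group list and salt are constructed for the example, and the hash chain stands in for a real blockchain's consensus; the immutability it demonstrates is the same. It shows that a revocation is merely another appended record (the original assertion and its issuer reference stay readable), that an unsalted commitment to a low-entropy attribute such as an ethnic group or a date of birth is recovered simply by trying the handful of possible values, and that salting defeats that dictionary attack but still leaves the issuer reference, the very thing the seventh point warns about, visible to everyone.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one entry on a toy public, append-only ledger: a hash commitment to
// the attribute value, with the subject and issuer references in the clear.
type Record struct {
	Subject string // pseudonymous subject identifier
	Issuer  string // organisation asserting (or revoking) the attribute
	Kind    string // "assert" or "revoke"
	Commit  string // hex SHA-256 commitment to the value ("" for a revoke)
	Prev    string // hash of the previous record ("" for the first)
	Hash    string // hash of this record
}

// Ledger is the chain of records; in a real system every node holds a copy.
type Ledger struct{ records []Record }

func hashRecord(r Record) string {
	h := sha256.Sum256([]byte(r.Subject + "|" + r.Issuer + "|" + r.Kind + "|" + r.Commit + "|" + r.Prev))
	return hex.EncodeToString(h[:])
}

// Append adds a record linked to the previous one. There is no Delete.
func (l *Ledger) Append(subject, issuer, kind, commit string) Record {
	prev := ""
	if n := len(l.records); n > 0 {
		prev = l.records[n-1].Hash
	}
	r := Record{Subject: subject, Issuer: issuer, Kind: kind, Commit: commit, Prev: prev}
	r.Hash = hashRecord(r)
	l.records = append(l.records, r)
	return r
}

// Verify recomputes every hash and link; any rewrite of history breaks the chain.
func (l *Ledger) Verify() bool {
	prev := ""
	for _, r := range l.records {
		if r.Prev != prev || r.Hash != hashRecord(r) {
			return false
		}
		prev = r.Hash
	}
	return true
}

// Commit hashes an attribute value with an optional salt.
func Commit(value string, salt []byte) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), value...))
	return hex.EncodeToString(h[:])
}

// RecoverUnsalted is the observer's dictionary attack on a low-entropy attribute.
func RecoverUnsalted(commit string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if Commit(c, nil) == commit {
			return c, true
		}
	}
	return "", false
}

// History returns every record mentioning a subject; a revocation is just one
// more record, so the original assertion and its issuer reference stay readable.
func (l *Ledger) History(subject string) []Record {
	var out []Record
	for _, r := range l.records {
		if r.Subject == subject {
			out = append(out, r)
		}
	}
	return out
}

// TamperDetected rewrites record i on a copy and reports whether Verify notices.
func (l *Ledger) TamperDetected(i int, newCommit string) bool {
	cp := Ledger{records: append([]Record(nil), l.records...)}
	cp.records[i].Commit = newCommit
	return !cp.Verify()
}

func main() {
	// Constructed sample data: subject, issuers, groups and salt are made up.
	groups := []string{"group-A", "group-B", "group-C", "group-D"}
	salt := []byte("constructed-random-salt")
	var l Ledger
	l.Append("subj-42", "passport-office", "assert", Commit("1970-01-01", nil))
	l.Append("subj-42", "minority-council", "assert", Commit("group-C", nil))
	l.Append("subj-42", "minority-council", "assert", Commit("group-C", salt))
	l.Append("subj-42", "minority-council", "revoke", "")
	v, ok := RecoverUnsalted(l.records[1].Commit, groups)
	fmt.Println("unsalted group recovered:", v, ok)
	_, ok = RecoverUnsalted(l.records[2].Commit, groups)
	fmt.Println("salted group recovered:", ok)
	fmt.Println("records for subject after revoke:", len(l.History("subj-42")))
	fmt.Println("tamper detected:", l.TamperDetected(1, Commit("group-A", nil)))
}
```

Two things are worth noting about the salted case. The salt has to live somewhere off the ledger, and "erasing" the salt is the usual answer to the right-to-be-forgotten question; it makes the commitment unopenable, but the record itself, who issued it and when, remains on every node forever. And a date of birth has only a few tens of thousands of possible values, so an unsalted commitment to it falls to the same loop as the group name.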

Eighth: Blockchain relies on the always-on, or at least the always-accessible, nature of its design. There are proposed schemes that allow a currency transaction to take place between two offline parties and be uploaded later, but the real-time verification of a UK driver’s licence in the US Midwest, where there is no Internet for miles, is a problem yet to be solved (or, I suspect, even thought about) in the blockchain world.

Ninth: Most blockchain identity solutions rely heavily on PKI to make them secure. The problem is that, within the lifetime of a global identity ecosystem, a sufficiently large quantum computer is expected to break the RSA and elliptic-curve algorithms on which today’s PKI (and the transaction signatures of the blockchains themselves) rest. A heavy reliance on PKI as it stands, with no migration path to post-quantum algorithms, is therefore not an optimal design choice.

Tenth (and finally): Smart contracts are cited by many as the way you make identity on the blockchain work. I like the David B. Black quote[iv]: “They’re not smart. They’re not contracts. They’re rife with security issues. And they violate the core principles that are supposed to make blockchain wonderful. Other than that, they’re great!” A smart contract’s code, bugs and security holes included, is visible to every user of the blockchain, and a deployed contract cannot necessarily be fixed quickly; if fixing the bug requires a fork of the blockchain then, once the system is running at global scale, it may be impossible to fix at all.

I have no doubt that many of these issues can be technically solved, but in solving them the solution becomes increasingly complex, convoluted and difficult to understand and implement.

If I have learnt one thing from a long security career, it is that complexity is the enemy of good security. The global identity ecosystem model must be simple if it’s to stand any chance of working, let alone achieving global adoption.

I would commend the Identity 3.0 key principles[v] that we developed to try and get the fundamentals right.

There ARE better solutions; see the work out of the Jericho Forum and the Global Identity Foundation. But it all starts with getting your mindset out of “trust = a central system that I control”.

References and footnotes:

Jericho Forum Identity Commandments / Identity 3.0 Principles: https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf

Jericho Forum Identity videos:

IoT's dirty little secret

IoT devices have a dirty little secret: they tend to work only if you connect via the device’s hub, which is generally a cloud system. Should that hub go down, or the company simply decide not to support it any more, or go bust, all you have left is a non-functional brick.

This was recently brought home to purchasers of Best Buy’s Insignia ‘smart’ home gear, which became very dumb when its cloud service was switched off (https://www.theregister.co.uk/2019/11/05/best_buy_iot/), and more recently to the owners of a smart pet feeder: “Pets 'go hungry' after smart feeder goes offline” (https://www.bbc.com/news/technology-51628795).
If that device cost $20 and you got five years’ use out of it, you may take the pragmatic view and simply buy the latest and greatest widget. But if you purchase a new car and it is Internet connected, it is effectively a very expensive IoT device. Before you collected it the salesman told you to pre-install the app on your phone and create an account, and on collection you were walked through how to connect the app to the vehicle. Only you didn’t, actually: in effect you connected your app to the Volvo / BMW / Mercedes cloud service, and that service paired your account to the vehicle.

The problem is the same: should Volvo / BMW / Mercedes decide to discontinue support, or (however unlikely) go bust, then I’ve gone from having a smart vehicle to a dumb one! In essence I’m at their mercy, and the smarter these vehicles get and the more we rely on those smart features, the more of a problem this becomes, until the point that, although buying a car may seem like good value, in effect you are just being allowed to borrow it.

The problem gets worse when you get into the home. Connecting a set of disparate IoT devices requires your control centre (typically a smart speaker) to connect to its cloud service. Then, in turn, you tell that cloud service how to talk to each device, via the cloud services of each individual device manufacturer.
First, all of those devices are communicating out through your home router to the Internet, opening up multiple avenues of attack for the bad guys; but second, WHY? Surely when I turn on the light my intelligent light switch should talk directly to my intelligent light.

The challenge is that when I buy a new IoT light bulb, how do I make it “my light bulb” or, more realistically, “my home’s light bulb”, such that my home’s IoT-enabled light switch can control it directly (on the same network), without needing to go out to a cloud service?

The Identity 3.0 concepts of “personas” and “context” allow you to do just that. The (digital) join between Entity:Human Myself and Entity:Device Volvo XC90 creates a unique persona for the vehicle, “My Volvo XC90”, with a set of cryptographic keys that allow me to connect directly and securely to the vehicle.
In the house, the connection between Entity:Organization House and Entity:Human Myself gives me a persona as a member of the organization. In turn the new IoT light bulb and IoT light switch are also enrolled with personas, making them the house’s IoT devices. Now anyone (just as today) can operate the switch and the light turns on, but as a member of “house” I can also use my voice or smart device to control that light.

Not only is this more secure, it is more logical to set up and maintain; and, more importantly, it keeps working even when the manufacturer’s cloud service goes offline, or the manufacturer goes bust!
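To make the house-as-organization arrangement above concrete, here is an added example, not code from the original post and not the Global Identity Foundation’s implementation. The mechanics are my assumptions about one way it could be built: the house holds an Ed25519 root key; enrolling a member (a switch, a light, or a resident’s phone) gives it its own key pair and a house-signed persona; a switch signs each command and sends it, with its persona attached, over the local network; the light needs only the house root key pinned at enrolment, not any cloud service, to decide whether to obey; and a per-sender counter rejects replays. The device names (hall-switch, hall-light) are constructed. The same check lets a resident’s persona control the light, and rejects a persona issued by a different house, a light masquerading as a switch, a command altered in transit, a command addressed to another device, and a replayed command.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Persona is the credential the house issues to a member at enrolment. HouseSig is
// the root key's signature over the JSON form of the other fields (json:"-" excludes it).
type Persona struct {
	Name     string            `json:"name"`
	Role     string            `json:"role"` // "switch", "light" or "resident"
	PubKey   ed25519.PublicKey `json:"pub"`
	HouseSig []byte            `json:"-"`
}

// Command is what a switch sends to a light over the local network. The sender's
// persona and the signature travel with it outside the signed bytes.
type Command struct {
	Target  string  `json:"target"`
	Action  string  `json:"action"`
	Counter uint64  `json:"counter"` // strictly increasing per sender
	Sender  Persona `json:"-"`
	Sig     []byte  `json:"-"`
}

// signedBytes is the canonical form both sides sign and verify.
func signedBytes(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}

// House is Entity:Organization House; its root key makes enrolled devices "the house's".
type House struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewHouse() (*House, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &House{Pub: pub, priv: priv}, nil
}

// Device is any enrolled member: own key, persona, pinned house root, last counter per sender.
type Device struct {
	Cred      Persona
	priv      ed25519.PrivateKey
	houseRoot ed25519.PublicKey
	lastSeen  map[string]uint64
}

func (h *House) Enrol(name, role string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	p := Persona{Name: name, Role: role, PubKey: pub}
	p.HouseSig = ed25519.Sign(h.priv, signedBytes(p))
	return &Device{Cred: p, priv: priv, houseRoot: h.Pub, lastSeen: map[string]uint64{}}, nil
}

func (d *Device) Send(target, action string, counter uint64) Command {
	c := Command{Target: target, Action: action, Counter: counter}
	c.Sig = ed25519.Sign(d.priv, signedBytes(c))
	c.Sender = d.Cred
	return c
}

// Accept is the light's check: house-issued persona, permitted role, valid signature, for me, fresh.
func (d *Device) Accept(c Command) error {
	p := c.Sender
	if !ed25519.Verify(d.houseRoot, signedBytes(p), p.HouseSig) {
		return errors.New("persona was not issued by my house")
	}
	if p.Role != "switch" && p.Role != "resident" {
		return errors.New("persona role may not control lights")
	}
	if !ed25519.Verify(p.PubKey, signedBytes(c), c.Sig) {
		return errors.New("command signature invalid")
	}
	if c.Target != d.Cred.Name {
		return errors.New("command addressed to another device")
	}
	if c.Counter <= d.lastSeen[p.Name] {
		return errors.New("replayed or stale command")
	}
	d.lastSeen[p.Name] = c.Counter
	return nil
}

func main() {
	house, _ := NewHouse() // device names below are constructed for the example
	sw, _ := house.Enrol("hall-switch", "switch")
	light, _ := house.Enrol("hall-light", "light")
	fmt.Println("switch -> light:", light.Accept(sw.Send("hall-light", "on", 1)))
	fmt.Println("replay of counter 1:", light.Accept(sw.Send("hall-light", "off", 1)))
}
```

The design choice that matters is that the light never holds anything issued by a manufacturer: it trusts one key, the house root it learned when it was enrolled, and every decision is made from that key plus what arrives in the command. Revoking a lost phone or a replaced switch is then a house-local matter (a deny-list or re-keying of the house root) rather than a call to a service that may no longer exist.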

See: https://www.globalidentityfoundation.org/downloads/Briefing_-_Infrastructure+IoT.pdf