Decentralized Identity Management and User Data Sharing

Javed Shah

In the first blog of this series, we positioned decentralization of identity as a construct that allowed for preservation of a user’s privacy in stark contrast to the invasion and exponential destruction of user privacy that occurs in centralized identity management.

Decentralization of Identity is the ability of an ecosystem to shift control of user identity from a central authority over to a distributed network where the ultimate authority remains with the user. This is in line with each individual’s desire to control who gets access to their data.

A secured zero-trust distributed architecture is therefore needed to guarantee the preservation of user-controlled privacy, as well as enabling users to control if and how their data is shared, and with whom, for what purpose and under what conditions.

Data Sharing and Privacy

Collection of user data is associated with serious privacy issues.

We posit that this is the main problem with centralized identity management. Data contributed directly or indirectly by the user such as information obtained from observation of user behavior, or data inferred from advanced analysis of previously volunteered or observed data is all subject to privacy laws and regulations throughout the world.

When trust resides within a centralized identity custodian for all the storage and lifecycle management of the user data, it is affected by centrality issues such as intentional or unintentional deletion, accidental over-sharing, or data loss due to technical or infrastructure failures.

While collection of user data is a practice often pursued by companies with intent to provide personalized service, function, interface or options in the name of improved user experience, it also impacts security and privacy of user data. It virtually eliminates user control of their own data.

Instead of centralizing the storage of data, we want users to be empowered to share their data with third-party entities, while maintaining the authenticity and trust using cryptographic signatures.

Compliance with GDPR, for example, requires the owner’s consent whenever data crosses a boundary previously established by the user. While disruptive to user experience, this additional step also has secondary implications because it introduces fatigue. Users will often simply “Agree” to the consent form, or new terms of service presented to them without realizing how much and for how long they are electing to give up control of their data.

Data Sharing and Blockchain

Fortunately, distributed ledger technology, or blockchain, provides a flexible mechanism for obtaining and renewing user consent for data use and sharing. The software pattern of blockchain technology represents a digital ledger, a database with an immutable record, cryptographically protected, of every transaction that has even taken place with an associated time stamp.

According to Gartner:
“By 2024, a true global, portable, decentralized identity standard will emerge in the market to address business, personal, social and societal, and identity-invisible use cases.”

A private blockchain, introduced in my previous blog, has the potential to replace traditional centralized data repositories such as directories and databases to store user data in a decentralized manner offering more cryptographic auditability.

In fact, we need both a private and a permissioned blockchain, to introduce the concept of access control, and provide the users ways and means to control how their data is shared and to track incentives or rewards they might accrue in the process. Ethereum, for example, supports smart contracts that govern accountability of access and provide incentives to the users and businesses for sharing data.

It is therefore the combination of a private and permissioned blockchain that allows us to ensure proper data storage, data sharing, and access control. In this way the private and permissioned blockchain serves as the foundation of a decentralized identity management system addressing the shortcomings of legacy identity management systems that lack accountability for ensuring user privacy.

Gartner mentioned 1Kosmos in the Hype Cycle for blockchain and has stated in the report:
“We project that by 2023, 35% of enterprise blockchain applications will integrate with decentralized applications and services. The rewards are simply too high to ignore, and are far greater than the costs.”

Decentralized Smart Contracts

Decentralized identity management supports trustless, transparent, and immutable transactions between anonymous parties. When compared to centralized identity management, decentralized identity management lowers transaction costs and improves process efficiencies. This is possible because identity lifecycle management transactions are carried out through previously agreed upon rules via decentralized smart contracts. Blockchain protocols keep transactions transparent, immutable and Byzantine fault tolerant, i.e. trustworthy.

Smart contracts are instances of contracts stored on the Ethereum blockchain. They contain rules which negotiate the terms of the contract and also contain the mechanisms for automatically verifying the contract. Blockchain and smart contract technology couple together to remove the reliance on any central system shared by transacting parties!

A smart contract lives to execute the agreed procedures when triggered by authorized parties on previously agreed upon events. All executed transactions are kept cryptographically secure and are irrefutable ensuring a distributed and zero-trust architecture we spoke of at the beginning of this blog post.

It is generally hard to implement automated transaction rules that are triggered by changes to a user’s runtime context. Accommodating behavioral or network factors is nearly impossible to do without compromising security or via a simple workflow in a centralized identity management system. With decentralized identity management utilizing decentralized smart contracts we eliminate the need for such cumbersome processes entirely and usher in a user-controlled data and user-consent driven data sharing narrative that both businesses and the users they serve will benefit from.

In the next blog I shall talk about verifiable credentials and how decentralized identity enables identity providers to securely validate claims about any identity.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.