Any thriving economy depends on the availability and free movement of skilled labour, products and services. Data has for centuries been an integral element in facilitating the movement of these assets. For the casual observer, it might seem that – thanks to the internet, API economy, cloud services and data platforms – we have largely managed to solve the issue of free movement of data. But as the EU Commission initiative, “Building a European Data Economy” illustrates, this is not the case. There are still major barriers to free movement of data and competition, due to localisation restrictions and lack of rules for data portability.
The European Commission has sought to remove these barriers by issuing regulations such as GDPR and the recent proposal for a regulation on a framework for the free flow of non-personal data. Whilst these initiatives are major steps in addressing the issue of data portability, they fail to tackle one of the biggest challenges prevalent in the modern internet: the verifiability of data.
As anyone who has ever bought anything online knows, the main issue with data is not its availability, but instant access to trusted data. Can I trust the merchant to deliver the purchased goods? Can I trust that the goods are not counterfeited? These are just some of the concerns for consumers and e-commerce is but one of many use cases. The W3C Verifiable Claims Working Group has identified many more in domains such as finance, education and healthcare. As more and more of our personal and business activities move to the internet, we need to make various kinds of claims as part of our everyday activities in transactional interactions. For example, we use a driver’s license to prove that we are capable of operating a motor vehicle, a university degree to prove our education status and government-issued passports to grant us travel between countries.
As the amount of digital data has exploded, new platform-based business models have emerged. Due to network effects, this has led to a situation where a relatively small number of platforms control our data, as well as continue to grow and gain more influence. European Union initiatives related to data portability aim to address some of these concerns. Yet whilst doing so, the European Commission takes the former network, infrastructure and trust models as given. The trust and data sharing paradigms present in platform-based business models rely on the existence of a trusted counterparty (“the platform”). As instant access to trusted information is becoming increasingly vital for our everyday interactions, a new type of approach for exchanging the data is needed. During the past couple of years, a new network and trust model based on distributed infrastructure – namely blockchain – has emerged. One of the reasons why blockchain technology has received significant interest is that it has the potential to transform existing trust models – including how personal data can be handled. Instead of relying on centralised trust platforms, we now have the means to establish new types of trust infrastructures without vendor lock-in.
Until recently, the prevalent way to share identity information has been through a centralised platform with a single point of control. The problem with trusted middlemen is that when compromised, they pose a massive security risk to a large number of people.
As global digitalisation moves forward, we have witnessed a tremendous increase in hacks and personal data breaches that cripple businesses. Recent examples include the Equifax breach, where more than 145 million people were exposed to identity theft, and the Facebook leak in which more than 50 million user profiles were handed to Cambridge Analytica.
Handling customer data is clearly a huge risk for organisations, but at the same time, it is the cornerstone of customer relationships and business critical operations. How can organisations then maintain a holistic view of their customers without exposing themselves to increasing risks and regulatory pressures? This is actually one of the goals of GDPR: to make organisations rethink how to handle customer information. And this is exactly what decentralised identity network solutions, such as Sovrin, allow them to do.
In decentralised identity networks, the identity holder forms secure digital connections with entities (organisations, individuals or things) that can provide information about the identity holder. This information can literally be anything, such as a name, government ID, address, power of attorney, driver’s licence, health information, university degree etc. This verifiable data can then be shared by the identity holder with a party that requires these proofs. This provides for all kinds of rich digital interactions: Know-Your-Customer, contract and transaction signing (B2B, B2C, G2C), permits, insurance claims, job applications and so on. Storing identity data on blockchain would naturally be problematic for various reasons, including GDPR compliance and the risk of data hacks. In a decentralised identity network, actual identity data is not stored on the ledger. Instead of identity data, the decentralised ledger only contains pointers to the data. These uncorrelatable pieces of information are related to an identity holder and stored on the ledger to allow entities to access, share and verify identity data when authorised.
Whether we realise it or not, technology choices always also carry choices of ideology. This is rarely as evident as in the context of identity data. By supporting centralised platforms, we are essentially supporting a business model which leads to a situation where a relatively small number of operators remain in control of our data and – due to network effects – continue to gain even greater influence over our lives.
The European public sector holds the keys to changing the course of this path. In the context of verifiable data, public administration maintains base registries such as citizen, company, land, vehicle and others. Due to the trust held in public authorities, these are the most reliable sources of basic information. Seamless access to this data is essential in digitalising not only the government but in all interactions (B2B, B2C, G2C). To drive the adoption of distributed identity networks, private and public sector participants should jointly and iteratively prototype, pilot and develop new distributed infrastructure concepts to demonstrate their value for citizens.
Competitive economies depend on the availability and free movement of labour, products and services – and data is the fuel that drives the movement of these assets. Despite the ubiquity of the internet and related technologies, barriers remain in access to verifiable data needed in transactional interactions. EU initiatives related to data portability aim to tackle some of the problems concerning access to data and the dominance of data platforms. These initiatives, however, fall short in responding to issues related to instant access to data needed in transactional interactions. The cause for this is that these initiatives do not address trust, data sharing and infrastructure issues caused by platform-based business models.
During the past couple of years, blockchain-based distributed platforms have emerged, providing us with the means to establish new types of trust infrastructures without vendor lock-in. The public sector has a pivotal role in digitalising society, as it maintains the base registries containing verifiable identity data needed by both public and private sectors in transactional interactions. The public sector needs to actively drive the adoption of the new distributed platforms in collaboration with the private sector to ensure a wide market take-up. It is now time to make the EU’s single market fit for the digital age and ensure that the European economy remains globally competitive – bringing benefits to both businesses and consumers.
This article is published in the May 2018 edition of Open Access Government