The current period of the Covid-19 pandemic—with its lockdowns and teleworking—reminds us that cybersecurity is one of the major challenges of the coming decades. Cyberattacks have increased in number and intensity. Another issue is the growing plague of digital identity theft. What if blockchain were a solution to this?
Known to the general public through the prism of bitcoin and cryptocurrencies, blockchain technology is still at the project stage in many other areas. Nevertheless, some believe that it will potentially revolutionise certain sectors. Of these sectors, digital identification is of great interest to specialists in the field.
Although not exclusively linked to the Internet, digital identity developed at the same time, at the end of the 1990s, when identity documents were digitised. However, identity is synonymous with theft, and digital technology has not escaped fraud. Every year, 210,000 French citizens are said to be victims of identity theft, sometimes with dramatic consequences. This estimate was made by the French Ministry of the Interior itself, which, along with the IRT Nanoelec and Thales, authored a very interesting White Paper by a working group called “Blockchain and Identity” (BCID).
In addition to the concept of identity theft and digital identification, the interest of this White Paper is to make blockchain technology a bulwark for protecting one’s digital identity. This conclusion is not a discovery, as blockchain offers undeniable advantages in the fields of security and identity.
An initiative in line with the European Commission’s Self Sovereign Identity Framework
Dating from October 2020 but made public last spring, the BCID’s White Paper analyses the positive effects of blockchain for digital identification. The White Paper’s introduction even considers that blockchain could be “the instrument for reconciling security (integrity, authentication, trust) and privacy.”
The White Paper is in line with the European Commission’s Self Sovereign Identity (SSI) Framework, which cites blockchain, known as DLT (distributed ledger technology), as a technology that can help implement SSI. The latter aims to put the user back in control of their digital identity. The two main implications would be the ability for the user to use their identity from multiple locations and to give them absolute control of that identity. The French state platform FranceConnect is an example of SSI, made possible by the European eIDAS regulation of 2014.
By putting the user back at the centre of the game, digital identification is at the heart of SSI and, according to the BCID, blockchain is the technology that can enhance the security of this SSI.
Safeguarding fundamental rights through a combination of blockchain and certification of pivotal identity attributes?
“The identity of natural persons is a sensitive subject whose treatment is a matter of national sovereignty. Its digitisation must be understood in accordance with our rule of law, while respecting our administrative and political culture.” Quoted in the introduction to the White Paper, this sentence alone sets up the tone of the sensitive issue of identity protection. How can its effectiveness be guaranteed without jeopardising respect for privacy?
For the authors of the working group, blockchain is the answer to this problem. First of all, they rightly note that digitisation has not changed the notion of identity. Identity means being able to certify that Michel Durand’s attributes, used in a given context, do correspond to Michel Durand. Digital identity is then only a sub-layer of identity in the broad sense. Thus, we will have to ensure that we are dealing with the right Michel Durand online.
To solve this problem, digital identification must then face a contradiction, that of fundamental freedoms—which has been in the news regularly since the beginning of the pandemic—and that of public order. How can the preservation of public order and the respect of an individual’s fundamental rights be guaranteed together? Potentially through the combined use of blockchain and the attributes of the so-called pivotal identity.
Pivotal identity is the “minimum characteristics of the natural person found in the three fundamental documents under French law: the birth certificate, the national identity card, and the passport“, i.e. surname(s) and first name(s), date of birth, place of birth, and nationality. For the BCID, these are the only data that will formally identify a person and are therefore the data to be protected as a priority. Conversely, eye colour, which is present in the passport, is not part of the pivotal identity data. The pivotal identity would be the one that allows the reconciliation of fundamental rights and the preservation of public order. The security and transparency of the blockchain make it possible to controle the user’s attributes. The new European Digital Identity Framework (EDIF) proposal aims to transform digital identity from a pivotal identity concept to an orchestration system of verifiable or certifiable identity attributes and titles.
The role of blockchain in digital identification by use case
Beyond the theory, it is when the White Paper turns to practice that one understands how much the blockchain can bring to digital identity. Seven use cases are presented (starting on page 45 of the White Paper), the most interesting of which is the first: unforgeable official identity documents. For this specific use case, the blockchain would make it possible to:
- Create and register documents containing pivotal identity data (such as a birth certificate) by generating a unique fingerprint;
- Authenticate, certify, and secure this birth certificate on the blockchain;
- Ensure the traceability of requests for identity documents and of their renewal, or even automate the latter through the execution of smart contracts;
- Ensure the traceability of any change or consultation of the identity document through a time-stamping and scheduling system.
In practice, this would make it possible to avoid any falsification of a birth certificate since only one would be recognised: the one registered on the blockchain. In addition, in the event of a house move, each municipality or prefecture would have access to the same blockchain, and there would no longer be any need to reproduce documents. Also, any attempt at falsification would be automatically detected on the blockchain thanks to the time-stamping and scheduling of each transaction carried out on the document.
What about data protection? In addition to user control by means of a private cryptographic key, data can be stored in various forms of “certificates” and authorised for consultation depending on the type of blockchain. It is also possible to restrict access to authorised persons such as the staff of a municipality and the data subject. It would thus be impossible to modify a birth certificate once it has been time-stamped, and it would only be possible to affix mentions of marriage or divorce.
Of course, we would like to see this promise fulfilled in real life. It does involve real groundwork, but it is quite plausible in the medium term.
Personal data protection as an underlying issue of digital identification through blockchain
Building on the European Commission’s SSI, the White Paper clearly demonstrates that this SSI cannot exist without storing personal data. However, only the American digital giants seem to have understood how to store personal data and make it central to their business model. The BCID also recognises that the current state systems are not adapted to counter the hegemony of GAFAM.
Thanks to the SSI, supported by the blockchain, everyone would have “the ability to hold and control the digitisation of their identity without the intervention of a data centralising body.” The role of oracle—the one who guarantees the data stored in the blockchain—could then be devolved to the state since it already has sovereign powers. The state could therefore guarantee the legal identity of an individual but could not communicate it without the latter’s consent or without them being notified.
However, the success of decentralised identity models is not only based on user control benefits: user comfort, economic model, and usage benefits are still predominant, and the work is far from over.
Beyond the problem of identity theft, blockchain would make it possible to significantly improve certain services such as official registers. Not only would security be strengthened, but efficiency would be increased by allowing everyone to spend less time on a file. A dream for many, a reality for all those who are aware of the potential of blockchain.