Eusebio Felguera Garrido
Public Policy Manager, Telefónica S.A.
Distributed digital identity is a great tool to ensure that many of the rights enshrined in the General Data Protection Regulation are secured and under the control of the individual.
Digital identity is understood as the set of attributes associated with a natural or legal person that identify that person in the Internet environment. These attributes do not have to be solely digital, but may contain real-life data, such as date of birth, hair colour or behavioural aspects and preferences. It is important to differentiate digital identity from what is known as a digital footprint, a broader concept that includes the entire trace of everything we do on the Internet, which is not the subject of this article.
To understand the idea of decentralisation or self-management, we can take our ID (Identity Document) as an example. Its number does not constitute my identity per se, but is my unique identifier, with which I can reference who I am. In contrast to a distributed digital identity, the ID is centrally managed by the national security forces, who are responsible for ensuring that each identifier is associated with a specific person (identity).
In a decentralised digital identity, by contrast, the association between the identifier and the digital identity is made by the individual. This does not mean that, as users, we will self-assign our own ID or passport. What it implies is that users can control their digital identifier and decide whether and to what extent to associate it with their digital identity. Thus, users can associate, for example, their ID card or passport with their digital identifier, so that these form part of their digital identity if they so wish.
Another benefit of automatically self-assigning an identifier is that it is managed exclusively by the individual. If users themselves have control over their identifier, no one can delete or deny it. This makes them sovereign over their digital identity. However, there is a nuance: the validity of some attributes will be outside the individual’s control. An example is a driver’s licence, which the issuer can revoke if the renewal requirements are not met. Therefore, this system allows attributes to be denied or deleted by the issuer, without any modification or deletion of the identifier.
All these considerations are included in article 5 of the UNE PNE 71307-1 standard, which reflects and relates this characteristic of a “self-managed identity” or “decentralised identity” to the idea that “the subjects linked to an identity control the administration of their own digital Identities”. This power requires the user’s ability to “create and use a digital identity in multiple scenarios and to have sole control over how, when and where that identity is used”, with the aim of ensuring user autonomy.
And it is precisely in this ability to have unique control over their digital identifier and the use, or rather the presentation of its attributes to third parties, where blockchain technology plays a fundamental role.
In order to self-assign an identifier (similar to the ID number mentioned above), the user could, after obtaining a pair of asymmetric cryptographic keys, register the public key on the blockchain. In this way, he or she could prove at any time that this identifier (the public key) belongs to him or her.
The user will acquire attributes from those who can vouch for them. In this way, users can build their digital identity in a repository that only they control, as in the case of wallet apps, adding their date of birth, driving licence, educational qualification, credit card number, etc. The blockchain will record the issuer’s delivery and the validity of each of the credentials, so that whoever receives them can check that they exist and are valid.
When the individual wants to use any of these attributes to show them to a third party, he can send them directly to the third party and include their conditions of use. Here the role of the blockchain is essential to record these submissions consented to by the individual, which would give legal certainty to both the individual and the recipient of the submissions.
Note that no personal data will be stored on the blockchain; only the procedures are recorded, i.e. the obtaining of attributes (for subsequent verification) and their submission to third parties. This framework would therefore allow compliance with European data protection laws, since the blockchain would store the permissions for the use of this data, as well as any request for subsequent deletion or modification that the individual wishes to exercise.
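The flow described above (issuance recorded for later verification, consented submission to a third party, revocation by the issuer, no personal data on the ledger) can be sketched as follows. This is an added example, not code from the article or from the UNE standard: `Ledger`, `commit`, `verify` and the party names are hypothetical, the key pair is not modelled, and the ledger is assumed to authenticate each `actor` (for instance through signed transactions).

```python
import hashlib, json, secrets

def commit(credential: dict, salt: bytes) -> str:
    """Salted SHA-256 digest: the only credential-derived value that goes on the ledger."""
    canonical = json.dumps(credential, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()

class Ledger:
    """Toy append-only ledger standing in for the blockchain (hypothetical model)."""
    def __init__(self):
        self.entries = []  # events only: issued / presented / revoked

    def record(self, kind, digest, actor, **extra):
        self.entries.append({"kind": kind, "digest": digest, "actor": actor, **extra})

    def status(self, digest):
        """Return (issuer, valid) for a digest, or None if it was never issued."""
        issuer, valid = None, False
        for e in self.entries:
            if e["digest"] != digest:
                continue
            if e["kind"] == "issued":
                issuer, valid = e["actor"], True
            elif e["kind"] == "revoked" and e["actor"] == issuer:
                valid = False  # only the original issuer can revoke
        return (issuer, valid) if issuer else None

def verify(ledger, credential, salt, expected_issuer):
    """Recipient's check: the credential was issued by expected_issuer and is still valid."""
    return ledger.status(commit(credential, salt)) == (expected_issuer, True)

def demo():
    ledger = Ledger()
    holder_id = hashlib.sha256(b"constructed holder public key").hexdigest()[:16]
    cred = {"subject": holder_id, "type": "driving_licence", "category": "B"}  # stays in the wallet
    salt = secrets.token_bytes(16)                                             # stays in the wallet
    digest = commit(cred, salt)
    ledger.record("issued", digest, "traffic-authority")
    ledger.record("presented", digest, holder_id, to="car-rental", terms="single use")
    ok_before = verify(ledger, cred, salt, "traffic-authority")
    tampered = verify(ledger, {**cred, "category": "C"}, salt, "traffic-authority")
    ledger.record("revoked", digest, "traffic-authority")  # the identifier itself is untouched
    ok_after = verify(ledger, cred, salt, "traffic-authority")
    leaked = "driving_licence" in json.dumps(ledger.entries)  # attribute data on the ledger?
    return ok_before, tampered, ok_after, leaked

if __name__ == "__main__":
    print(demo())
```

The random salt matters: without it, low-entropy attributes such as a date of birth could be recovered from the digest by guessing.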
This self-managed identity could also be used as a substitute for the well-known “username and password” access requests for online services or the options of registering on Internet sites using our social network accounts.
Another advantage of decentralised digital identity is that it would make it possible to dispense with cookies and other data, not essential for obtaining services, that the user makes public when browsing the Internet. More importantly, it would prevent this exposure or restrict it to the minimum necessary, and make uncontrolled access by unauthorised third parties impossible.
The ability of individuals to control their digital identity is recognised by Telefónica in our proposal for a new Digital Deal, where we insist that individuals must have the ability to manage and control their data. This means that they should have the option to choose freely about the use of their personal data and have real choices about how it is used, avoiding the “all or nothing” commitments that are common in the terms and conditions of digital services. In this sense, Telefónica is committed to developing and applying a new “data ethic” based on greater transparency, control and choice.
But do we really know where our digital identity is currently stored and how we can control its use? Moreover, are we aware that we have it replicated and scattered across countless sites on the Internet (legal and illegal, if not outright criminal), which trade in it and over which, at present, we do not even have any real possibility of control? In Spain, we have been pioneers in standardising a model that would return to individuals this control and capacity of choice over their digital identity. Specifically, at Telefónica, honouring our message of putting people at the centre, we have actively participated in its definition.
Thus, a distributed digital identity, and in this case supported by a blockchain, would give users confidence and certainty that those who have obtained their data have done so with their permission. It would also help the service provider to ensure that the data has been given to them in a voluntary and proportionate manner. Because of the nature of blockchain networks, it could even serve as evidence in legal disputes if this were to be considered by a court of law.