Why Blockchain Accounts Matter 1/3: From DB to DID

Felix Hildebrandt
LUKSO
Mar 20, 2023


The technology of decentralized systems and blockchain networks has developed enormously over the last decade. Cryptography can replace many of the intermediaries and centralized structures for handling data that we know from today's Internet. However, such technologies are not yet as user-friendly as the widespread Internet services we are used to. Secondly, as Bitcoin and Ethereum, the leading representatives of decentralized cryptographic networks, show, blockchains so far focus heavily on the financial industry: value transfer and self-custody of capital. Nevertheless, with the help of emerging standards for user accounts and tokens in the new Internet generation, Web3, this could extend to many other areas of life and business. In this article, I want to clarify which identity problems arise and what solutions are available today to enable global and decentralized social economies.

Before we get into the specifics of blockchain accounts and LUKSO's standards, which will be explored in more detail in the second and third parts, I would like to point out the direction the crypto space is coming from, and why it is so important that users regain control over their data.

Traditional Identities on the Web2

In a technical sense, the Internet is a global network of servers that uses protocols to transfer data between specific device addresses. Users can upload data to servers, where it is then available for retrieval. In the early days, displaying plain page content did not require any identity management. In the current era of online connectivity, Web2, platforms ship web applications and have created their own ways of handling user profiles for them. The goal: offer people new ways to simplify everyday life and let communities grow, while giving companies targeted marketing tools to fund their infrastructure and earn profits. By making such platforms available, however, companies also gain access to personal data from devices and build analytics on user profiles to optimize value creation. Data has become the leading business model and the most important asset. Ostensibly free services mask the fact that their actual revenue comes from leveraging private information.

Our online identities mainly consist of multiple user accounts that must be created for almost every platform or service. Upon registration, the user is merely granted access to the information in the account, which is held on the operator's side. The service provider is thus the sole administrator with complete control over data management. Customers can either register directly with a service or sign in by linking an existing account from one of the large providers. The latter in particular increases convenience, but equally carries the risk of losing access to every linked account at once if access to the provider account is lost, the account is compromised, or the intermediary service is unavailable.

Foreign Identity Handling

From the perspective of identity custody, multiple problems arise: Not only is one's data held externally, with users merely acquiring the right to manage it, but linked providers can also monitor users' interactions with the services connected to them at any time and make a business out of it. All the accounts are centralized and behind closed doors. Furthermore, the user data is not portable, as companies lock content to their platforms.

Simplified Web2 Login Model

The challenges in developing digital identities can be traced back to the Internet's architecture. The Internet was designed for machines with unique device addresses, not for the identities of the people behind them. There is no built-in mechanism to verify an individual, only proof of access to a device or an account. The lack of an identity layer on the Internet is one of the leading enablers of cybercrime and identity theft, which cause enormous financial and personal damage.

Web2 also lacks the technology to create unique digital assets. In the real world, our signature represents our identity, but the files we transmit online are just copies. Typically, we scan verified documents to be able to use them digitally. With so many services each holding different data, it's easy to lose track of who holds a document, who is currently using it, or whether it is even up to date. In this situation, users need to place a lot of trust in the services that store their data. As George Gilder put it: "The crisis of the current order in security, privacy, intellectual property, business strategy, and technology is fundamental and cannot be solved within the current computer network architecture."

Legal Challenges for Platforms

The General Data Protection Regulation treats "anything that helps identify an individual, whether it relates to an individual's professional, private or public life" as personal data over which the individual retains rights, even if it resides on a company's server. However, even if users are given the right to view and manage the data collected about them transparently, companies can still process the data they have already collected. How quickly companies can analyze data to their desired advantage is simply a matter of computing power. While the regulation restricts how this data can be obtained, companies can still obscure parts of data sets to exploit legal loopholes. In addition, innovations in data processing allow more and more information to be extracted from procured data, which undermines the effectiveness of regulations.

In the future, companies will have to adapt to new regulations constantly. Over time, users will be given more rights to delete data or find out where and when companies are mining it. However, implementing systems to verify these rules is a huge task and could lead to a costly restructuring of digital ecosystems. As user rights and corporate transparency increase, the need for follow-up and oversight will continue to grow. In addition, the cost of securing such large centralized data stores rises steeply, and they remain attractive targets, as the many significant data leaks of the last decade show. Here, security is imposed top-down, and users have to live with the company's standards. Ideally, security should be in the hands of the users and their devices and embedded by design. It is foreseeable that enterprises, government entities, platforms, and devices will sooner or later need sound identity management to counteract the imbalances outlined above. Rethinking how data is stored and managed is of enormous importance for society.

Digital Identities on Global Ledgers

The question arises as to why account-specific data must always be stored on the company's side. Couldn't there be ways for users to control their data themselves and grant access to a service only when further identity-related information is needed?

Web3, the third evolution of the Internet, addresses this question with one of its core technologies. Its blockchain networks define a decentralized way of dealing with data to which actual value can be attributed and which is served in a user-centric way. All this is built into the technological design. The structure and unique assets create fair and equal relationships between users and services.

Public blockchains in this context can be described as a shared network of computers operated by individuals worldwide, which connect to form a network and maintain an ever-growing chain of data blocks. They work without central servers or actors. Cryptographic hashing links each block to its predecessor, and consensus among many independent operators makes the chain practically immutable: once written, information cannot be altered or replaced without this being detected. Data on the blockchain is thus the digital equivalent of an engraving in stone, allowing users to own information and ascribe value to it themselves. In contrast to previous improvements and extensions of the Internet, this is a fundamental change: a new network architecture with security as a core property.

The great advantage of blockchains and their associated networks, however, is that they add a layer of identities to this construct: users can sign data and exchange it in a way that can be verified, instead of passing around unverifiable copies. Actions on such a network relate to the actual identity of their account, not just a device connected to a service provider. Through such a novel data economy, multiple parties can request and verify the same information about an individual without each storing it again.

Decentralized Architectures of the Blockchain

Instead of usernames and passwords, blockchain networks use public-key cryptography: every account is a key pair. All actions are linked to the public key (or an address derived from it), which acts as the public reference to a person or one of their personas. The private key takes the role of your handwritten signature or password: only the user decides when, where, and what they sign, and the key never has to leave their device. Unlike a password, though, it cannot be reset by a provider: whoever holds the private key controls the account, and a lost key means a lost account.

Yet, as already indicated, it is about more than just people and their shared credentials. As in the real world, the relationships between keys do not belong to any single party; they exist only collectively. While in Web2 companies retain sovereignty over connections and users are merely given more rights to access specific data points, blockchain technology enables a level of independence never seen before. What was a tremendous amount of work for both parties in the centralized model, complying with legislation and verifying the integrity of personal data, can now be solved much more efficiently in a user-centric way. People decide what they share publicly or which service they link to. Using cryptographic methods such as zero-knowledge proofs, even off-chain data can be verifiably attached to these accounts without revealing it directly.

Blockchains are secure and exceptionally resilient, and they can reduce companies' system management and IT security costs because users hold their identity data independently. Instead of a company's central server, geographically distributed computers run the same software in parallel and verify information independently. There is a strong trend toward publishing the source code, since the network's operation depends entirely on the consensus rules of the protocol being accepted by its participants. Everyone should have the right to review the exact specifications and to see where the security actually comes from.

Like ownership in the real world, decentralized networks bring more responsibility for the user and their belongings. Therefore, two main things need to be standardized and expanded to enable a seamless transition to this technology: The blockchain accounts and how data can be verifiably incorporated into them. Both are distinct issues, which I elaborate on in the following chapters and parts of the series.

Data Relationships on the Web3

First, let's cover how verifiable data relationships can be set up in a distributed way. To verify and manage data globally, actors must use a public and decentralized registry, since all participants need unrestricted read access to look records up. Participants can then decide whether a record holds only a reference to data kept elsewhere (self-hosted files or conventional servers) or whether the data itself is stored publicly on the blockchain.

Decentralized model for verification of data

There are three critical roles for verification and management with self-sovereign identities (SSI): the issuer, the verifier, and the actual user, the holder. Each has a public identifier, a decentralized identifier (DID), that resolves to its public key. As in the real world, the user starts with an initially empty shell of an identity and requests a certificate from the issuer to attach to their account. After the request is fulfilled, the issuer signs the certificate with its private key, referencing the user's DID as the subject; the signature, or a reference to the credential, is anchored in the global record. This certificate has become a verifiable credential (VC): a signed proof that anyone can check against the issuer's public key. The holder can then present it to any service that needs it, and those services verify it independently rather than asking the issuer each time.

DIDs and VCs can be applied flexibly, including by private companies and service providers not necessarily connected to a blockchain. But compared to Web2, the great benefit is that users only need one account connected to a ledger and can use all the different services that support its architecture. Here, the network effects of social groups can be carried over to various applications without losing connections or the roots to private data. That's why the public context of the account is such an essential piece of Web3 data linking, even if the content itself is kept confidential.

The concept can be extended to core elements in almost all areas of life where verification of arbitrary credentials, transcripts, or IDs is required. For e-commerce, users could be verified before payment using SSI integration. Banking services could use VCs and DIDs to simplify bureaucracy and natively issue digital documents. Health documents could be approved digitally and instantly, or a history of illnesses and medical interventions could be displayed. Here, however, it is of utmost importance to put only references, such as hashes or encrypted links, on the network, never the personal data itself. Blockchains are unsuitable for data storage, especially for personal data, because anything written into the chain remains there forever and cannot be deleted on request. On top of that, storage is enormously cost-intensive, since every node replicates every byte; the network has neither central computing nor a central storage unit. Therefore, external storage solutions and the previously noted zero-knowledge proofs are fundamental building blocks.

Two of the most widely known projects building on DIDs and VCs for identity management in the blockchain space are Disco and Sismo. Disco is building software to keep your identity claims (VCs) packaged together so you can take them across apps conveniently. Sismo, as an attestation protocol, takes a similar approach while selectively revealing certain information from claims of connected Web2 or Web3 accounts, using them for sign-in or to form digital badges out of them. Both currently only build on an Ethereum integration, but Disco already plans to support different chains in the future. As the space evolves, we can expect more projects to explore different ways of implementing identity claims, pushing the boundaries of what's possible regarding privacy, security, and interoperability. Such claim bundles might allow for a data backpack across all of Web3 instead of just one chain, providing a more versatile and interoperable solution. Ultimately, they require only a signing key, which every blockchain account has by construction.

SSI does not abolish the big data that once sat on the company's powerful machines; the same data can still be processed, just in a more decentralized way. It's rather about owning and managing your identity roots independently. Services can still collect usage data, and, if approved, even private data. The big difference is that consent is given explicitly and is built in.

Now that I have explained the downsides of current account schemes and how new data models could work, it's time to tackle how shared datasets can be attached or integrated into blockchain accounts and what's needed to create a good user experience.

Continued in part 2: Why Blockchain Accounts Matter 2/3: From EOA to UP

Felix Hildebrandt is a Web3 Software Engineer at LUKSO, focusing on dApps, nodes, and community.