Skip Navigation
BlackBerry Blog

PII and the Blockchain - Rethinking the Identity Trust Problem

The Equifax hack on PII user data (145.5M accounts and counting) has given the impetus to the identity industry to start exploring other technologies and practices around storing, distributing, and utilizing identity data.

One of the technologies that has come to front of discussion is the blockchain. The blockchain, of course, is the foundation for many successful cryptocurrencies such at Bitcoin, DASH, and RIPPLE.

But the blockchain is also the basis of blockchain-based distributed computing platforms such as Ethereum and NEO (its Chinese counterpart), whose focus has been the promotion of smart contract services on an open, public ledger.

Both the currency-focused and non-currency blockchain implementations, share the basics of the blockchain. The blockchain is an open, distributed ledger, which consists of a list of records (blocks) linked together via cryptographically-derived hash links. In most blockchain scenarios, these are public, anonymous servers – not owned or affiliated to any enterprise.

Here are five basic principles underlying the technology.

1. Distributed Database
Each party on a blockchain has access to the entire database and its complete history. No single party controls the data or the information. Every party can verify the records of its transaction partners directly, without an intermediary. (E.G.: a consensus of replicated, shared, and synchronized digital data geographically spread across multiple sites.)

2. Peer-to-Peer Transmission
Communication occurs directly between peers instead of through a central node. Each node stores and forwards information to all other nodes. (Every user is allowed to connect to the network, send new transactions to it, verify transactions, and create new blocks.)

3. Transparency with Pseudonymity
Every transaction and its associated value are visible to anyone with access to the system. Each node, or user, on a blockchain has a unique 30-plus-character alphanumeric address that identifies it. Users can choose to remain anonymous or provide proof of their identity to others. Transactions occur between blockchain addresses. (The different blockchains vary on their KYC - Know Your Customer - criteria of identity validation).

4. Irreversibility of Records
Once a transaction is entered in the database and the accounts are updated, the records cannot be altered, because they’re linked to every transaction record that came before them (hence the term “chain”). Various computational algorithms and approaches are deployed to ensure that the recording on the database is permanent, chronologically ordered, and available to all others on the network. (This is the coveted “immutability” principle of the blockchain. There is some talk of quantum computing threatening this principle, but in reality, that seems a long way off.)

5. Computational Logic
The digital nature of the ledger means that blockchain transactions can be tied to computational logic and in essence programmed. So users can set up algorithms and rules that automatically trigger transactions between nodes. 

Ok – That’s the Blockchain – What About My PII?

The “killer app” now for the blockchain has been transaction recording, in an open, public, and immutable manner. And the most accepted of these open-ledger transaction traction, to date, has been currency. (There are slew of new transaction blockchain solutions – just follow the ICOs.)

But how does this solve the problem of PII (personal identifiable information) and its secure and quantifiable distribution?

If you think about how many identities you carry/create yourself (government, bank, work, personal email, online shopping, education) - each of the identities are created and stored - with little to no knowledge of the other identities. This means each entity consumes your data, stores the data and attest to the data via their own mechanism(s).

It’s not only a massive duplication of effort by all these enterprises, it’s a “the weakest link” security problem. (E.G. your data is only as secure as the most insecure enterprise holding and passing around the data).

So, a New Model is Arising….

It’s not so much that the blockchain needs to become the store for the data. The storage mechanism of the data mostly already exists – it’s the “Trust” of these entities where the blockchain is the biggest help.

Most of the experimental models are working with the strength of the blockchain - a public ledger system that can establish the level of trust of an identity based on who trusts/attests to the identity. And then shares this score/attestation to other services and requestors.

For instance, the Deloitte “Smart Identity” working P.O.C. uses an open source blockchain called Smart Identity based on Ethereum. The strength of the Deloitte model is that it has a built-in attestation system where the user manages his own identity and the system then would support enterprise attestation plug-ins. (Be it from services like eVerify that can help raise the addressed identity score).

One of the advantages of the Smart Identity system, in theory, is people would not have to give up their identity information to every requester – but, instead, would be able to answer questions like proof of age, by saying “XYZ service attests to my age.” (Thus avoiding unnecessary spreading of PII, like street address, government ID # and/or DL #).

Similar to this project is the work being done by Accenture and Microsoft Azure. The project is titled “ID2020” and focuses on delivering identity to the 1.1 billion people of planet earth who do not have any digital identity – especially those living in or fleeing from war-torn regions, those experiencing political turmoil, or victims of natural disasters.

Approximately one-sixth of the world’s population cannot participate in cultural, political, economic and social life because they lack the most basic information: documented proof of their existence.... The goal of ID2020 is to make digital identity a reality through a technology-forward approach that will leverage secure and well-established systems.

Once again, the blockchain is not used to store the data - but to provide an Identity Attestation Infrastructure, assessible by all parties. The concept is to use the Blockchain’s decentralized architecture to eliminate the need of a central authority. In many instances where ID2020 is utilized, the centralized data store, like in the case of stateless refugees, does not exist or is inaccessible.

For ID2020, all PII remains “off chain” and the solution utilizes a Ethereum private or “permissioned” blockchain protocol. Biometric authentication is utilized to establish the identity of the participants - since no paper trail is assumed to exist for the subjects. The solution utilizes Accenture’s Biometric Identity Management System, also used by the United Nations High Commissioner for Refugees

Another interesting model is being pursued by the private entity called Civic. A company that is big on promoting that they put the PII ownership/distribution model back into the hands (literally) of the users.

Their model is a mobile-app centric solution where, once again, the blockchain is used as a ledger system that builds up a system of identity trust. The user themselves owns the PII, in the Civic model. When enterprises wish to obtain the data, the enterprises would make a call to the Civic service for the PII.

The Civic model is powerful - because, Civic itself does not own any data. Instead Civic serves as an “attestation clearing house.” Civic points the PII requestor to the civic client, the user’s mobile device - who has a Civic smart app on the device. The user then can confirm the request and release the identity information as they choose.

The enterprise knows to trust the PII data, because of the others who have trusted and what attestation mechanism the Civic services has applied to this data.

Key Takeaway

As can be seen from the overview and a few of the models listed, there is merit in the global attestation system known as the blockchain.

The blockchain’s immutable ledger system can help create a trust of PII - whether the data is stored in the blockchain itself, or referenced from a blockchain service.

Garret Grajek

About Garret Grajek

VP of Identity at Cylance

Garret Grajek is a certified Security Engineer with 30 years of experience in information security. Garret started his career as Security Programmer at the likes of Texas Instruments, IBM and Tandem Computers. He went on to do distinguishing field security work for RSA, Netegrity and Cisco, before becoming a Founder and creator of SecureAuth IdP, a 2-Factor/SSO offering. 

Garret is recognized in the industry as a security visionary in identity, access and authentication matters. He holds 9 patents, involving x.509, mobile, SSO, federation and multi-factor technologies. He has worked on security projects for major commercial accounts including Dish Networks, Office Depot, TicketMaster, Oppenheimer, E*Trade, and public-sector accounts such as GSA, U.S. Navy, EPA and USUHS.