Adam Cooper from the Government Digital Service says blockchain technologies are not yet the answer to digital identification solutions.
Everywhere you turn it seems there are research projects, new product proposals and services claiming a new dawn of blockchain-driven technologies that fix a multitude of problems. Identity is a space where many of these claims are being made, so it is useful if we explain our thinking and the approach we are advising when it comes to digital identity.
The focus on shiny new technology, rather than the right technology to meet user needs, may limit the uptake of blockchain-based solutions in areas such as digital identity. Views are polarised but a growing number of experts, myself included, are urging caution at this stage. Recent discussions at international events concerned with identity, such as the Cloud Identity Summit 2016 and the European Identity & Cloud Conference 2016, have highlighted issues with identity and blockchain that remain open.
There’s no doubt that blockchain technologies are interesting and innovative. There’s also potential for some useful applications such as creating evidence chains for identity verification, the creation of smart contracts, or for certain types of distributed ledger. But we should remember that blockchain is essentially just another database technology.
There are places where blockchain may have an impact. Indeed, the financial sector is keen to explore uses, such as distributed immutable ledgers and crypto-currency, but these are sector-specific problems which are largely unrelated to identity.
You can argue that the same objection, that other technologies already existed, could have been levelled at relational databases when they first appeared, but in the case of blockchain the hype has been significantly higher. This is bad not only from an architectural point of view but potentially for blockchain technology itself, as expectations are high with little evidence to suggest success to date. Given the hype, if blockchain fails to deliver production systems with clear advantage over current architectural approaches, trust in these technologies could be damaged for some time.
Regardless of the properties blockchain technologies may offer (largely based on decentralisation, public views of the data, and immutability), there are some red flags for architects and service designers:
1. The technology is immature
2. There are security issues (for example, lack of key management)
3. Blockchain has shown poor performance at scale
4. There’s a lack of established standards
Does blockchain revolutionise digital identity?
The consensus of identity experts seems to be a resounding no. You can build distributed ledgers without resorting to the blockchain, and you can preserve privacy in many other ways. Identity can be improved but it simply isn’t broken, so it’s hard to see where blockchain technologies are really required.
There are potential uses for blockchain-type technologies in the creation of immutable evidence chains for individuals wishing to prove their identity, for example where the individual is starting with no or minimal evidence and needs to build a chain of evidence over time, as is the case for refugees. There may also be applications for personal data stores and attribute services associated with, or unlocked by, verified identity that can enhance the ecosystem.
There are some basic maturity issues with these technologies including the lack of standards, common terminology, or demonstrable examples of ‘real’ implementations. Some of this is to be expected at this stage but, where there are known scalability and security issues left unanswered, the risk of implementation may outweigh any benefit. Blockchain is unproven.
Alternatives to blockchain
The other problem with blockchain technologies is that the clock is ticking. We are yet to see tangible results that make blockchain a mainstream product. Already, alternative technologies are emerging. Swirlds, for example, utilises a hashgraph data structure and the Swirlds consensus algorithm to create a platform for distributed consensus much the same as that claimed by blockchain.
There are multiple blockchain variants offering different approaches and functionality, but this all serves to confuse, rather than reassure, those seeking to evaluate these technologies if they don’t have a high level of subject matter expertise. Key to all of this is a lack of basic understanding, such as knowing that a blockchain is really as simple as a chain of blocks containing transaction data, each linked to the previous block by including a hash of that previous block, i.e. a chain of linked blocks.
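The structure described above, sketched as an added example (not code from the original post or from GOV.UK Verify): a hash-linked chain of identity evidence records, with a verifier that locates a tampered block. The record fields, function names and sample data are constructed for illustration; the last check shows that the linking alone only proves integrity relative to a head hash the verifier already trusts.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first block

def block_hash(prev_hash, data):
    """SHA-256 over the previous block's hash plus this block's data."""
    payload = json.dumps({"prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(records):
    """Link each record to its predecessor by embedding the predecessor's hash."""
    chain, prev = [], GENESIS
    for record in records:
        data = dict(record)  # copy so later edits don't touch the input
        digest = block_hash(prev, data)
        chain.append({"prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain

def verify(chain, trusted_head=None):
    """Return ("ok", None), ("block", i) for a broken link, or ("head", None).

    trusted_head is a head hash obtained out of band (assumption: the verifier
    has one). Without it, a chain rebuilt from scratch still verifies.
    """
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["data"]):
            return ("block", i)
        prev = block["hash"]
    if trusted_head is not None and prev != trusted_head:
        return ("head", None)
    return ("ok", None)

# Constructed sample evidence records, for illustration only.
RECORDS = [
    {"evidence": "registration interview", "issuer": "agency-a"},
    {"evidence": "bank account opened", "issuer": "bank-b"},
    {"evidence": "tenancy agreement", "issuer": "landlord-c"},
]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    head = chain[-1]["hash"]
    chain[1]["data"]["issuer"] = "bank-x"  # edit one block in place
    print(verify(chain))
    rebuilt = build_chain(b["data"] for b in chain)  # re-hash everything
    print(verify(rebuilt), verify(rebuilt, head))
```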
If it isn’t broken, blockchain won’t fix it
The problem here is that identity isn’t broken. Advocates of blockchain would argue that both trust and privacy would be enhanced by applying it. This may be possible in some cases but it could actually damage these concepts in the long term.
There are no alternatives so far that can replace or improve on the protocols we have in place (such as SAML and OpenID Connect), or the way we communicate trust (for example, PKI and strong cryptography).
The reality remains that until the security, scalability, and operational issues already noted by respected experts are resolved, there is no need to rush into the implementation of identity services based on blockchain.
We must also step back from the hype. We should start with the user and their needs, not with the technology. Until there is a clear user need that is satisfied best by blockchain technology, or a clear and demonstrated advantage for implementation at scale, there is unlikely to be much interest from those developing identity solutions. This may change as blockchain technology matures and answers some of the open questions raised by identity experts but, for now, it remains one to watch and experiment with, rather than one to implement wholesale.
Adam Cooper is GOV.UK Verify’s Technical Architect.
This blog was first posted on the GOV.UK Verify website.