Digital identity twin – traversing people and organisations to a secure and private digital presence

How Eya is Changing the Scope of Digital Identity and Self Sovereign Privacy

Why is There a Requirement for Digital Identity?

Why is There a Requirement for Digital Identity?

With the physical world becoming more intermingled with the digital world and people interacting globally with various sources, we are creating many digital identities online and even crossing them into the physical world (for example Tesco Clubcard) many times without even consciously realising so. If you take a moment to look at how many websites, apps and physical retail etc. have some part of your personal data and the accounts associated with them, you will very quickly realise that you are already taking part in creating many digital and physical identities.

Now consider how many of those identities you still have control of, or even access to. Email address changed, mobile number changed, Google password forgotten - you no longer have access to YOUR account and information associated with it.

Imagine the concept of having one identity, which you never lose control of and can use for all of the other accounts, both online and in the real world. This is the fundamentals of the digital identity.

Concepts of Digital Identity and Blockchain Use Case

Blockchains in various derivatives are highly fashionable, but there are very strong misunderstandings of privacy within them. Purists are honing in on public blockchains as the medium to take self sovereign identification to the masses, but there are flaws which need to be addressed.

Case for public blockchain

Public blockchains are networks where anybody can simply plug in a node and fire up a server to collaborate with the other nodes globally. The cases brought forward for using this to allow people and businesses to create and manage their digital identity are based on them having one global identity which they are in control of and no organisation or state can interfere with.

This is played into with the blockchain evangelists who are pro removing control from the governments and financial sectors (plus many more) continuing to control the public citizen. The large increase in crypto coins are largely an attempt to take the top tier financial and governments control away and instead leverage true peer to peer solutions.

In theory, there are many pros for the public blockchains, especially now with the increasing speed of modern solutions. However, as we will cover, there are flaws which need to be addressed to ensure the security and privacy of people, companies and private data.

Possibility of tracing a person is real

It would be very much incorrect to state that blockchains are the ultimate in security and privacy. They are just DLTs in the main, which are public facing and peer to peer node servers. NIST has recently made a very open report on encryption levels not being strong enough for various sectors and the concept of private identity is not altogether true.

We must remember that there will always be malicious users and even node operators within any public facing service and the possibility of harvesting private data is extremely luring to many criminal organisations.

Bitcoin itself has a whole page dedicated to the “real” privacy of the public blockchain and many people do not realise the actual data being stored. IP addresses can be harvested and also there are open tools to see the transactions in real time, including the IDs of both the sender and recipient of the transaction. It is possible, but difficult to trace both parties of the transaction.

Scope of Digital Identity

It is great in concept to have a single identity, but there needs to be a method of using this over the many services both in the digital and physical world. In order for this to be feasible, a common service needs to be adopted and supported through mass adoption and also needs to have a common method for servicing those requests. With both companies and people being concerned of leaking of private data, how many will “plug into” a totally open and public facing solution?

Costs of transactions on public blockchains can make it expensive

It is a huge misconception that sending and receiving of coins is free on public blockchains. How else would the verifiers make money? For every transaction verified, the miners receive a part of the coin as the fee. For sending money, this is very small as the byte size of the transaction is small; Ethereum is around 4 cents USD to send money. However, imagine the costs of sending anything larger than this, e.g. contracts, bonds data, medical reports, legal documents. The costs would soon spiral out of control.

How Secure can an Identity Really be

We all hear of phishing attacks; breaking into peoples accounts and stealing data and even identities. How many websites have you logged into using your Facebook or LinkedIn credentials? Now imagine the rich source of sites which can be accessed if one of those accounts are compromised.

So, we have two factor authentication to sort this out right? Wrong - If an attacker gains access to or clone your phone, they can receive those SMS messages and one time password services, just like you.

Public Blockchains are NOT the ultimate backup and disaster recovery solution

Blockchains are the ultimate backup and disaster recovery solution, right?

Right..?

Not so quick…

It’s an alluring myth. But it’s a myth nonetheless. The idea that you can build a blockchain solution that relies on other nodes on the network to provide backup services is dangerously misguided and there are several reasons why.

The first is that a backup strategy that depends on your competitors giving you back your data if you lose it is a tough one to get past your regulator and auditor..!

But even if you could, the second reason is the killer.

Net-net: if you’re building a blockchain application, you need a strategy for backing up and restoring your private data in the event of an outage or a disaster. There’s just no way around this and so you should be very suspicious of anybody who tells you differently.

 

Impact assessment criteria

EyA has considered the digital twin use case and developed a set of criteria based upon our research. From this we have created that which we consider to be the perfect “Digital Twin” identity.

TIER 1

The security and privacy of an individual, organisation and government must be protected in both physical and digital worlds

  • Encryption methods

  • Authentication

  • Data Breach

  • Private information leakage

  • Control of access

Provisioning of the foundations of the service will provide the mass adoption required to proliferate global reach.

TIER 2

Efficiency of the network in order to perform transactions fast enough for global coverage of both digital and physical world

  • Credit card transactions

  • Online payments

  • Intra and inter organisation transactions

  • Touch transactions (Oyster, Passport etc.)

Ability to remove many other online identities both of people and companies and engage in any type of transaction from financial, through medical and global personal identification.

The EyA Approach to Digital Identity and the “Digital Twin”

The EyA Approach to Digital Identity and the “Digital Twin”

EyA is a permissioned based DLT, which is much more than just a blockchain. Taking Corda Enterprise from R3, the solution has been developed beyond the completely private node system of Corda, into a hybrid inter-private node of nodes. Each organisation can opt to have the own node(s) and all private data within them stays within them and only the party which a transaction is completed with. It does not use verifiers, thus no public verification is required, instead using a combination of notaries and oracles. However, public marked data is propagated through the EyA cloud and just as with public blockchain, could be viewed by anybody in theory. The public data takes on the form of completely immutable data, but the private data uses multiple organisation nodes and notary to complete the requirements of disaster recovery. Some may argue that this breaks the immutable aspect of blockchain, but this is in fact not true.

From Corda

Corda is designed on the basis that you will always have private data that you need to protect. As a result, something special emerges: Corda nodes simply don’t differentiate between private and shared data from a resilience and backup perspective. It’s all stored in the same relational database and can be backed up consistently and completely using standard, insanely reliable traditional techniques. No need to distinguish between the two types of data and deal with the inconsistencies and need for reconciliation that creeps in if you try to separate these things.

Hot / Cold High Availability Deployment of Corda Enterprise nodes and their associated configuration setup. In such a set-up, there is one back-up instance that can be started if the primary instance stops.

Taking the above into account, and with the addition of the EyA managed cloud, the solution has redefined the ability to hybrid a private blockchain service into a chain of chains and provide the organisations with the privacy required, whilst allowing them to engage with other organisations, governments and citizens.

Authentication Services

EyA has developed a federated authentication and security service which, in a similar manner to the methods used by Google, Facebook, LinkedIn etc., allows for a person to use one login to enter other websites etc. However, rather than allow the service to view information regarding the person, EyA provides “Realms”, where a validated and monitored website, service or even entry doors in the physical world can authenticate the person knowing nothing more than they need to. With this is mind, it is possible for a person to have one single source of identity for accessing anything in the world, without giving up personal information.

To combat the two factor authentication service, EyA is co-developing a three factor authentication service, two of which are human and the third a powerful quantum proof algorithm. With this, even if a phone is compromised, the attacker will still not be able to gain entry to an account. There is a future project for RFI tokens and Bluetooth AI based entry systems in the physical world too.

Efficiency

As the transactions are not all propagated through the entire network, but instead a hybrid of peer to peer and EyA Cloud, the efficiency is increased exponentially. This means that the network growth does not impact on the speed of confirmed transactions and a smart hashing of data reduces the footprint of every transaction whatever the contract size and data size. Overall weight of data is spread across the peer to peer and public data weight being a combination of the peers and the EyA cloud.

With this in mind, the costs are reduced dramatically and people are not having to pay for a transaction, nor the storage of their data.

Digital Twinning

EyA was developed to not only be a database, but also to map the schema or details of every single entity in the world, from a sub atomic atom, through to living species, companies, buildings, cities and ultimately, planets. This has lead to the solution being named “Industry Agnostic” and placed EyA into a world leading position through mass partnerships with literally every type of person, business and government.

In order to bring order to the potential chaos of the data and transactions, we have developed the requirement for an asset to have templates “bound” to it at any given point in its lifecycle. This dynamic bonding provides the perfect foundation for the ability to build an organically changing and highly controlled footprint of any asset.

In order to build a digital twin of a human being and deliver the control of it to the person, EyA is built on the dynamic template bonding. Imagine a person creating an account in EyA; initially a simple template is bonded to their asset containing the most basic information which they have presented during the onboarding process. This information is in the main totally private to them and can not be seen during any interaction with any other person or company.

Now imagine the person signs up to a service - let’s take a medical blood donor service as a use case here. As they sign up to the service, the application binds its template to the person’s asset within EyA. The service collects the data which is specific to the application and adds this to the bound template. It cannot see anything other than the public profile data and the bound template data. Everything else is completely private and the person can donate blood safe in the knowledge that their private data is just that. This on its own can lower the administration costs of the donor service and even provide rapid discovery of donors with a specific blood type and locality, without knowing anything at all about them.

As you will be able to imagine, it is possible for a person to bind a totally unlimited number of both digital and physical world templates to their asset and as such, create an ever evolving digital twin of themselves, whilst ensuring that their privacy as always controlled by them. With this is mind, it is possible for people to store literally anything within their secure asset from Bitcoin wallet IDs through to passport and identity records. Imagine not having to carry the store loyalty cards with you anymore, and also see exactly the data they can see about you!

When offboarding from a service, again the person is in complete control and simply “tears off” the association between them and the service provider. EyA strictly monitors the service providers to ensure that they do not store that previously bound data other than that which the person has considered public.

The exact same method is used with an organisation digital twin, creating the privacy required for an organisation to complete transactions with their peers, government and people. In fact, everything can now have its digital twin in EyA, from your pets through to cities.

References -

https://www.corda.net/blog/corda-top-ten-facts-2-industrial-resilience/

https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8202.pdf

https://bitcoin.org/en/protect-your-privacy