I have no control over my data. I have no control over my identity.
In order to open bank accounts, crypto trading accounts, obtain credit cards and even hiring a car requires handing over sensitive personal information that can be used by hackers to steal my identity and wreak havoc.
This isn’t unfounded concern, people’s personal data is being hacked and stolen every day. Binance had KYC data from 60,000 users exposed last month, Equifax exposed social security numbers for 150m people, Yahoo had 3 billion accounts compromised, while Adult friend finder had 400m accounts hacked.
I have that much sensitive information stored in Google it scares me to think what will happen if (when?) there is a widespread hack of Google.
Not only that, but my data is spread out across many different services that don’t talk to each other. My health records are scattered across hospitals and doctor surgeries. I have playlists stored in Spotify and iTunes that don’t sync. I have fitness data scattered across Strava, MapMyRun and Apple Health.
It doesn’t have to be like this.
I envisage a future where I have a digital wallet on my phone, only accessible to me. This digital wallet controls my encrypted data managed by a public blockchain. No one can access this data except me and those I provide limited access to.
I choose what personal information to share with companies and I can revoke that access at any time. I can have independent agencies access my identity data (passport, birth certificate), validate it and provide a KYC verification certificate, then delete it. This verification certificate can then be shared with companies so I no longer have to provide the actual data to any company.
My personal data is portable and can be securely accessed by different service providers.
I can sign into any website using my digital wallet, no longer requiring multiple usernames and passwords for every different site. This eliminates hacks that involve stealing usernames, passwords or secret question / answer combinations – the vast majority of hacks.
I can sign up to a new crypto exchange by providing a KYC verification certificate from a trusted third party, without exposing my passport or any other identifiable documents. All in a matter of seconds and a couple of clicks. This eliminates the chance of the Binance and Equifax hacks.
I can visit a new Doctor and share my personal health records with a single tap of my phone. I can then revoke access after a certain period of time, or if I feel uncomfortable I can revoke access as soon as I walk out the door.
I can be an avid user of iTunes with 50 finely crafted playlists, but want to start using Spotify. With a single click I can sign up to Spotify and provide it access to my private playlist data stored in my digital wallet that is also used by iTunes. I can use both seamlessly and they’re always kept in sync as they’re always writing to the same private playlist records stored on the blockchain.
Moving banks becomes as simple as one click. I share my verified KYC certificate confirming I am who I say I am. I also share my basic details (name and phone) so they can contact me. I receive electronic statements, so they have no need to have my address.
My employer can save a private Employment Certificate into my wallet which I can selectively share with banks to confirm my salary and obtain a loan.
Updating my address details across every service can be done instantly. I can authorise service providers to be notified when I update my phone number (if I’ve given them access in the first place) and they can update their records instantly.
These solutions focus on identity data, without mechanisms to adequately store other private dApp related data.
Blockstack, Persona.im, Meeco.me and Veres.one are all solid solutions that enable digital identities and storing of personal data. However, they’ve all gone down the path of creating their own blockchain which makes interoperability with existing dApps much more complex. They also require end users to maintain a separate identity, making it more difficult for end users.
I recently discovered 3box which has been spun out of uPort. It provides public / private dApp data management with profiles for authentication, all built on top of Ethereum with no gas charges. This looks like a very promising project that could become the foundation of a self sovereign platform for dApps.
We can leverage public blockchains to store personal data, encrypted on distributed storage. Individuals can permit any distributed app (dApp) on-demand access to a subset of their personal data, for their active session or for an extended period of time.
Such a future has been dangled in front of us for a number of years with blockchain technology. The idea of having your own digital wallet that holds your assets and information which you can control using your encryption keys is not new. However, everything on the blockchain is public which has prevented this from becoming a reality.
There are some key traits any such solution requires.
1. Must be on a public, dApp blockchain
It is essential that any such solution is anchored on a public blockchain. A private blockchain still has a central authority which is a large target for hackers and just moves the problem.
The solution must run on an existing blockchain that supports dApp development (ie: Ethereum, Vechain). This maximises interoperability with other consumer facing dApps and enables dApps to respond to events when data changes (ie: Update my phone number) and enables users to have single wallet they can use for both public and private purposes.
2. Must encrypt my personal data
Personal data must be encrypted using the users wallet keys. This data should be stored off-chain and could exist in either (or a combination of);
Zero knowledge proofs may also play a key role in protecting user data while enabling the verification of data.
3. Third party verification
It must be possible for a third party to be provided access to my data so they can “verify” me and issue a “verification certificate”. This enables companies to meet their Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance requirements, without gaining access to my personal data.
This also enables education institutions such as Universities to issue verification certificates regarding qualifications or employers to issue verification certificates about employee’s work history.
4. Third party data sharing
It must be possible for me to share my personal data (including my verification certificates) with third parties and then revoke that access at any time.
5. Third party data interoperability
It must be possible for individual industries to agree on shared data storage standards. This enables a new era of portability where users can move seamlessly between services.
6. Simple for end users
Public blockchain solutions currently require users to purchase crypto before they make a transaction, which is necessary to save personal data.
In reality, this means a user needs to go through a KYC process with a crypto exchange, purchase crypto, create a wallet and transfer their crypto to the wallet before they even get started. This is a huge barrier to entry for widespread adoption of blockchain solutions to the general population.
It must be simple for dApps to pay for transactions on behalf of their users or simple for users to pay for their own transactions without going through complicated crypto purchasing procedures.
It may also be necessary to provide data recovery services to end users in the event they lose their keys, which is possible using multiple trusted signatories to unlock encrypted keys.
7. Simple for dApp developers
It must be simple for dApp developers build applications using private user data, while working with existing development tools.
Firstly, we require a technology solution that addresses the 7 traits outlined above. I have been working on a proof-of-concept and am confident this can be built on top of existing public blockchains in combination with existing tools.
Next, we require dApp developers to come onboard with the concept of “consumer privacy comes first”. This requires designing apps differently with an emphasis on users controlling their data.
Consumers must also come onboard and realise it’s possible to own and control their personal data in this new era of blockchain technology. As a trade off, consumers have to realise blockchain transactions cost money and need to be prepared to pay a small price for that privacy.
I believe there’s a huge market for dApp developers to create “privacy first” applications replicating many of the current centralised SaaS product offerings. It will be a trend that will gain momentum in the coming years and be a significant revolution in how we all control our data.
What do you think?
I would love to hear your thoughts, especially from dApp developers currently building consumer focussed applications.