Last year, many Aussie consumers were affected by a plethora of data breaches, but a new decentralised way to store identities could be one way to reduce the risk of losing sensitive data.

Dr Eric Lim, senior lecturer at the UNSW Business School, said breaches could be reduced by decentralising the data and giving each customer and employee sovereignty over their own data points, using blockchain-enabled Decentralised Identity (also known as DID).
According to Lim, DID is a new type of identifier that enables verifiable, decentralised digital identity, with a well-defined standard published by the World Wide Web Consortium (W3C).
“In contrast to typical, federated identifiers, DIDs have been designed so that they may be decoupled from centralised registries, identity providers, and certificate authorities,” he said.
“This means instead of a company holding all the customer’s data in an alluring one-stop-info-shop, everyone is tasked with maintaining sovereignty over their own data.”
Lim said this would reduce cyberattacks because a decentralised model of data management essentially diffuses vulnerabilities to the edges.
“As opposed to attacking the honeypot and making off with a whole jar, attackers will at most get a drop. A lot less worth the time and effort for reward,” he said.
However, no system is perfect, Lim said.
“Individuals would still be vulnerable to cyberattacks with DID. But, in this scenario, if an individual gets careless and is subsequently hacked, it doesn’t affect anyone else who has been careful in protecting their own identity. Instead of storing everyone’s information on a central server, DID allows individuals to hold their own information in their own devices,” he explained.
An attacker wishing to carry out an attack on the same scale would have to target every mobile device, which Lim said is “costly and impractical.”
He said, “Such a concept applies to the protection of any sensitive data such as financial and health data where the individual is the only one who will decide how and whom they would like to share data with.”
How it works
There are three basic components to DID: the individual holder, the issuers of digital credentials and the verifier.
Lim explained, “The entire process flows across these three entities and is founded on the utilisation of the public-private key pairs that are very common in cryptography and similar to how cryptocurrencies work.”
The individual has a pointer on the blockchain represented by their public key, which, as the name says, is public; the information itself stays with the user.
The individual holder accumulates pieces of information associated with their economic identity known as digital credentials.
Examples of digital credentials include driver’s licences, education certificates, criminal records and passports; Lim said they would be issued by the relevant authorities.
“When a digital credential is issued by the issuer to an individual, it is signed with a digital signature created by the issuer, and the credential is then stored by the individual,” he explained.
The final component of DID is the verifier, which checks two signatures, one from the issuer and one from the individual, against the respective public keys that both the issuer and the individual holder have published on the blockchain.
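The three-party flow described above, as an added example that is not from the article or from any DID implementation: the issuer signs a credential, the holder stores it and later presents it under their own signature, and the verifier checks both signatures against keys looked up by DID. The `Registry` map stands in for the blockchain, the `did:example:` identifiers and the credential contents are constructed, and the verifier challenge is an assumed detail added here to show how a replayed presentation is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry stands in for the public ledger: each DID maps to the public key published for it.
type Registry map[string]ed25519.PublicKey
// Credential is the claim an issuer makes about the holder named by HolderDID.
type Credential struct{ IssuerDID, HolderDID, Claim string }
// Bytes is the canonical encoding that both signatures cover.
func (c Credential) Bytes() []byte { return []byte(c.IssuerDID + "|" + c.HolderDID + "|" + c.Claim) }
// Presentation is what the holder hands over: the credential, the issuer's signature on it, and
// the holder's own signature over the credential plus the verifier's fresh challenge.
type Presentation struct{ Cred Credential; IssuerSig, HolderSig, Challenge []byte }
// Issue: the authority signs the credential; the holder, not the issuer, then stores it.
func Issue(issuerPriv ed25519.PrivateKey, c Credential) []byte { return ed25519.Sign(issuerPriv, c.Bytes()) }
// Present: the holder proves control of HolderDID's private key for this specific challenge.
func Present(holderPriv ed25519.PrivateKey, c Credential, issuerSig, challenge []byte) Presentation {
	return Presentation{c, issuerSig, ed25519.Sign(holderPriv, append(c.Bytes(), challenge...)), challenge}
}

// Verify resolves both DIDs to their published keys and checks both signatures. Requiring the
// verifier's own challenge is an added detail: without it a captured presentation could be replayed.
func Verify(reg Registry, p Presentation, challenge []byte) bool {
	issuerPub, okI := reg[p.Cred.IssuerDID]
	holderPub, okH := reg[p.Cred.HolderDID]
	if !okI || !okH || string(p.Challenge) != string(challenge) {
		return false
	}
	return ed25519.Verify(issuerPub, p.Cred.Bytes(), p.IssuerSig) &&
		ed25519.Verify(holderPub, append(p.Cred.Bytes(), p.Challenge...), p.HolderSig)
}

// Demo runs one honest presentation and one where the holder altered the claim after issuance.
func Demo() (honest, tampered bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"did:example:issuer": issuerPub, "did:example:holder": holderPub}
	cred := Credential{"did:example:issuer", "did:example:holder", "licence:class-C"} // constructed data
	sig, challenge := Issue(issuerPriv, cred), []byte("nonce-42") // constructed; draw at random in practice
	honest = Verify(reg, Present(holderPriv, cred, sig, challenge), challenge)
	cred.Claim = "licence:class-A" // the issuer's signature no longer covers the altered bytes
	tampered = Verify(reg, Present(holderPriv, cred, sig, challenge), challenge)
	return honest, tampered
}
func main() { fmt.Println(Demo()) }
```

Note that the holder's signature alone proves nothing about the claim; it only binds the issuer-signed credential to whoever controls the holder DID's key at presentation time.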
The next steps to reality
Lim explained that the first step towards setting up DID and giving everyone a digital identity is to agree on a set of procedures that will allow people to register their DIDs on a blockchain with their relevant government agencies.
He said, “This would apply to every individual, so they are recognisably connected to their DID and the connection is made official and auditable on the blockchain. This also applies to all government agencies who would also be officially connected to a unique DID on the blockchain, for auditability.
“This systematic creation of an auditable trail of connections between the DIDs and their real-life entities would be the first and most important step, something which would preferably be recorded on an open decentralised blockchain. This will ensure that in the event of political or civil upheaval, the DIDs would still be auditable by others.”