It has been over 30 years since the the web was introduced, and most of us are facing critical problems involving the security and privacy of our digital identity, our personal data, and the authenticity of content on the Internet. These problems include widespread spam, phishing attacks, fraud, abuse, fake news and misinformation. According to Cylance, carefully crafted fake websites and fraudulent online personas have the potential to not only influence public sentiment and voting habits, but also fuel the cybercrime economy. State sponsored hackers and entrepreneurial cybercriminals alike are increasingly engaging in the practice of running fake empires of phony news sites, web properties, social media facades and online personas. In fact, the recent World Risk Poll ranked fake news as the biggest global cybercrime concern today, according to Lloyd’s Register Foundation, which ran the survey. As various criminal and state-sponsored threat actors join into the act of building fake empires of fictitious personalities and journalists, as well as counterfeit news and shopping sites, a whole black market industry has grown up to support the complicated web of deceit.
And the state of the Internet is getting worse as surveillance capitalism has added to the list of problems, and promises to become even more intrusive and potentially damaging to our privacy and liberty due to the employment of greater collections of personal information being mined by ever more sophisticated machine learning algorithms developed by big social media platform and corporate providers. We don’t have any real control over how our data is used, and the corporations controlling our data have shown their inability to properly protect it. We’re locked into this system, with no reasonable ability to opt out. The European Data Protection Supervisor Opinion on the Proposal for a Digital Markets Act of Jan 2021 describes the problem as follows:
“Services in the digital ecosystem rely on covert tracking of individuals, who are generally unaware of the nature and extent of that tracking. This predominant business model is often paired with trends in the digital economy sitting at the crossroads of those different fields of laws. Those include: information and power asymmetry between large platforms and individuals; insufficient transparency and accountability; growing inequality in the distribution of value; manipulative and addictive patterns; platforms as gatekeepers for solutions, choice, and innovation, online manipulation and disinformation.”
The past year has also required new, precautionary measures involving identity to be put in place at restaurants, nail salons, and doctor’s offices. All of which require more than the customer’s name and phone number — data that may not have been collected pre-COVID. Where is this data going and what is being done with it?
Together, these problems can be summed up as a trust crisis. According to Rob Frasca on Medium, this trust crisis has been created by a paradigm shift to decentralization spurred by the Internet. As Rob Frasca points out –
“From finance, to data, to commerce, central institutions of trust have become the bedrock of our modern economy. The raison d’être of their existence is the missing trust within communities or networks, so they need a trustful intermediary to be organized. However, centrality of this kind in an otherwise decentralized world [created by the Internet], creates massive and concentrated points of weakness. The problem with centralized systems is that they lack transparency, allow for single points of failure, censorship, abuse of power and inefficiencies. CENTRALIZED TRUST IS THE GREATEST WEAKNESS OF THE MODERN ECONOMY.”
This point is amplified and expanded by MATTR in a white paper – Web of Trust 101 –
“As a result, the modern internet has made it incredibly difficult to establish trust with others online, creating many barriers to participation that often leave everyday users out of the value chain. Information and data, and the value they create, are no longer freely accessible by the users creating it — most of whom are utterly unaware of the limited agency they have in accessing it. To fix this fundamental problem of digital trust, we need to begin by building a system that allows users to control their identities and to move their personal data freely from one online platform to another without fear of vendor lock-in.”
So what can we do to improve our digital trust posture? How will trust be manifest in the Internet-of-Things (IoT) age? How can we enable better authenticity in what we see and do with the modern Internet? Keep reading and see what possibilities come to mind for you.
The IoT economy is spurring paradigm shifts towards decentralized systems at the edge. To date, the cloud and centralized data centers have been the epicenter of digital transformation management. However, as more distributed devices connect, and IoT permeates every aspect of life, the edge will light up with intelligence and become increasingly autonomous. Also, traditional security approaches that are widespread on the Internet, such as centralized access control servers, asymmetric cryptography, and transport layer security (TLS) among others do not work well in the IoT. Lightweight and decentralized security mechanisms are paramount to ensure overall security and performance at the edge.
This transition to the IoT economy means that data processing will progressively migrate from the cloud to the IoT edge, driving convergence around a unified, intelligent edge gateway solution. While centralized applications will continue, local distributed applications will frequently dominate, running on edge systems that support legacy OT and new IoT devices. However, if we are going to move away from centralized to a more decentralized processing scheme, what scheme should we use for ensuring trust for the IoT economy? To date, most IoT devices do not undergo independent security testing. There is no widely accepted security framework for application developers of IoT systems. The general lack of robust security measures for IoT systems creates distrust, ultimately slowing IoT deployment. As such, the shift to the decentralized edge must be accompanied by new trust appoaches enabled by distributed technologies (i.e., blockchain, consensus mechanisms, digital identity, and user-centric cryptography). In the new edge economy, existing intermediaries are replaced by digital assets and smart contracts, forming new webs of trust. New, open ecosystems will restructure work around authenticity as supply chains reorganize to provide transparent provenance, and while cancel culture will demand an open, fluid supply chain.
User-centric controls must also be provided as part of this IoT economy. The realization of many IoT use cases is based on the generation and analysis of huge amounts of data which are sent from IoT devices. However, the information that is collected and sent by IoT devices may unintentionally reveal sensitive information regarding users’ daily habits. Indeed, with the current development of enhanced machine learning techniques, the application of aggregation and correlation algorithms increases this concern, allowing an accurate profiling and tracking of users. As a consequence, protecting access to this information is crucial in order to ensure that only authorized applications or services are able to obtain this data. In this sense, devices’ owners within the IoT economy must be empowered to maintain the control over how their devices share that information and to whom. This is particularly challenging, especially when this information is outsourced, combined with each other, correlated, and stored over long periods of time. A key aspect and starting point to addressing this challenge is to provide a strong, user-centric method of assuring digital identity.
A fully realized, user-centric, web of trust relies on self-signed certificates and third party attestations, forming the basis for what’s known as a Decentralized Public Key Infrastructure (DPKI). DPKI returns control of online identities to the entities they belong to, bringing the power of cryptography to everyday users (aka user-centric cryptography) by delegating the responsibility of public key management to secure decentralized datastores, so anyone and anything can start building trust on the web.
The foundational technology for a new DPKI is a system of distributed identifiers for people, organizations, and things. Decentralized identifiers (DIDs) are self-certifying identifiers that allow for distributed discovery of public keys. They allow anybody to prove they have ownership of an ID on a device they own, login to apps and services with their ID, and begin establishing trust around that ID by using it in their digital interactions. In this model, the individual takes ownership of their own identity and need not cede control to centralized service providers or companies. For DIDs to be fully trusted, they must be consistently bound to an owner in a provably tamperproof way. For this reason, DIDs are commonly anchored to a distributed ledger, though the instance or type of ledger can vary. In this way, users can always be sure that they’re talking to the right person or entity because an identifier’s lookup value is linked to the most current public keys for that identifier.
DIDs are based on open web standards at organizations such as the W3C, IETF, Decentralized Identity Foundation and the Hyperledger Project at the Linux Foundation. Since DIDs are cryptographically secure identifiers that are controlled directly by a user without the need for intermediate service providers, AND because they are based on open standards, they create a kind of even playing field where the standards and requirements for key management are uniform across different users in an ecosystem, from everyday users to large corporations and everything in between. Eventually, DIDs will allow for portability not only of identity but of the trust and reputation associated with the identity. For instance, a user might be able to transfer their reputation score from one ride-sharing service to another, or perhaps use the trust they’ve established in one context in another context entirely.
Innovations in the areas of decentralized identity and distributed trust are only just beginning and there is no limit to the kinds of new experiences application developers can design and deliver to users. Some examples include:
- Allowing users to synchronize their personal data across multiple applications,
- Allowing users to self-attest to a piece of data or attest to data self-asserted by peers,
- Allowing a user to explicitly give consent around how their data may be used,
- Allowing users to revoke their consent for access to the continued use of and/or persistence of a particular piece of data,
- Allowing users to opt-in to be discoverable to other verified users, provided they can mutually verify particular claims and attributes about themselves,
- Allowing users to opt-in to be discoverable to certain service providers and relying parties, provided they can mutually verify particular claims and attributes about themselves.
Some of these innovations and benefits are already being encompassed as part of decentralized movements. For example, renowned security researcher and strategist Bruce Schneier has recently joined a company called Inrupt that is working to bring Tim Berners-Lee’s distributed data ownership model called Solid into the mainstream. With Solid, your data lives in a pod that is controlled by you. Data generated by your things — your computer, your phone, your IoT whatever — is written to your pod. You authorize granular access to that pod to whoever you want for whatever reason you want. Your data is no longer strewn across different places on the Internet, controlled by you-have-no-idea-who. It’s yours. If you want your insurance company to have access to your fitness data, you grant it through your pod. If you want your friends to have access to your vacation photos, you grant it through your pod. If you want your thermostat to share data with your air conditioner, you give both of them access through your pod.
This same concept of user-centric data control is espoused by the Indieweb. The IndieWeb is a community of individual personal websites, connected by simple standards, based on the principles of owning your domain, using it as your primary identity, to publish on your own site (optionally syndicate elsewhere), and own your data. In essence, the IndieWeb is a people-focused alternative to the “corporate web.” Indieweb uses a mechanism called microformats to ensure ownership and human control of personal data, and to communicate and share data across the Indieweb. Microformats extend HTML syntax to create machine-readable semantic markup about objects including people, organizations, events and products.
The Indieweb and Solid pods are a type of identity hub. In decentralized identity, public ledgers provide storage and distribution of identifiers and public keys. But you wouldn’t want to store your sensitive personal data on these ledgers – considering they are immutable and sometimes, even public (such as, Bitcoin). A different solution for secure storage of personal data and information is needed – an identity hub.
Identity hubs are decentralized, off-chain personal data stores that give complete control and autonomy to their owner. They allow users to store their sensitive data – profile data, official documents, contact information, and more – in a way that prevents anyone from using their data without the user’s explicit permission. Users can securely share their data with other people, apps, and businesses, giving access to the minimum data necessary and retaining a record of who has access to what. App developers can reduce the complexity of data management and compliance by storing sensitive data in the user’s hub and reducing their own risk of data breach. Identity hubs enable a new wave of apps and services that respect a user’s privacy and ownership of their personal information. Identity hubs also provide a method for bootstrapping identity reputation.
Although large corporations such as Microsoft are already on the path of providing identity hubs and decentralized systems, (see below), decentralized open approaches such as Solid pods and Indieweb are available as well. Also, maybe putting technology like peer-to-peer botnets to good use (obviously with some controls) may help provide interoperation and organization to decentralized identity hubs, providing the infrastructure for network effect and monetization needed to successfully grow the decentralized, identity hub ecosystem.
Decentralized open approaches may need new mechanisms to help manage interoperation, data storage, and data exchange for users. For example, an identity hub does not have a fixed schema or set of data it supports. Instead, hubs follow a semantic data model in which each piece of data self-contains all metadata necessary for interactions. An ontology is essentially a vocabulary and grammar for associating meaning to data on the web. One example of an ontology is Schema.org. Schema.org vocabulary can be used with many different encodings, including RDFa, Microdata and JSON-LD. These vocabularies cover entities, relationships between entities and actions, and can easily be extended through a well-documented extension model. One key extension is the need for a standard and secure metadata annotation protocol to enable interoperation. Metadata annotations could potentially lead to interoperability problems if they are used in an ad hoc fashion by different parties and/or without proper documentation. A sound metadata framework standard is needed to satisfy these requirements:
- The set of annotations must be extensible in a decentralized manner so as to allow for defining new annotations without running the risk of collisions with annotations defined and used by others.
- The syntax and semantics of annotations must be documented, and the documentation must be easily accessible.
An important milestone in the identity-ontology area occurred in July 2019 when the Global Legal Entity Identifier Foundation (GLEIF) published the semantically correct model in the form of ontologies relevant to using the Legal Entity Identifier (LEI) in web-based applications in RDF (Resource Description Framework). So now there’s a good and legally approved semantic identity model to use for decentralized identifiers. GLEIF partnered with data.world on the development of the RDF model.
The concepts of decentralized identity and personal control of personal data also bring the notion of decentralized data exchange markets to fruition. For example, Ocean Market is a decentralized exchange (DEX) tuned for data. It consists of an app and libraries used to publish data, stake on data (curate), and buy data in a secure, privacy-preserving fashion. Data is published as interoperable ERC20 datatokens. Ocean datatokens turn data into data assets. This capability enables data wallets, data exchanges, and data co-ops by leveraging crypto wallets, exchanges, and other decentralized finance (DeFi) tools. Ocean Market also provides a Compute-to-data capability. Compute-to-data enables private data to be bought and sold by resolving the tradeoff between the benefits of using private data, and the risks of exposing it. It lets the data stay on-premise, yet allows 3rd parties to run specific compute jobs on it to get useful compute results like averaging or building an AI model.
Large corporations have also taken notice of the movement to decentralized systems. Both Microsoft and Twitter have announced initiatives in this area. For example, Microsoft launched the first decentralized identity infrastructure implementation by a major tech company that is built directly on the bitcoin blockchain back in 2019. The open source project, called Ion, deals with the underlying mechanics of how networks talk to each other. For example, if you log onto Airbnb using Facebook, a protocol deals with the software that sends the personal information from your social profile to that external service provider. In this case, Ion handles the DIDs, which control the ability to prove you own the keys to this data. Microsoft was a founding member of the Decentralized Identity Foundation.
Twitter also recently announced plans to build a “decentralized standard for social media.” Called the “bluesky” initiative, Twitter is working with Protocol Labs, the company that’s produced the censorship-resistant InterPlanetary File System and distributed storage network Filecoin. The team is looking at ways to monetize a decentralized platform at the application, provider and/or protocol level.
Other companies have announced non-PKI versions for decentralized identity. For example, NuID leverages zero knowledge cryptography to enable users to prove they know their authentication secret (such as a password or a token unlocked by mobile biometrics) without ever sharing it with anyone. By removing the need for users to trust enterprises or any 3rd party to secure their credentials, this “trustless” authentication protocol allows us to break down the siloed identity model.
During registration, the client device is used to generate “public reference parameters” from the user’s authentication secret, such as a password or biometric. These parameters are non-sensitive and can be shared openly, much like a public key. The reference parameters are immutably stored on a distributed ledger technology (DLT), and used to challenge the user during authentication. NuID teamed with Digital Asset – the creator of DAML – to provide the business logic-driven contract language to express the zero knowledge model and to leverage the power of DLT. DLT takes the place of a central authority to store and manage users’ authentication data. This decentralized identity model opens up a whole world of user-centric processes and services such as efficient, reusable KYC or privacy-preserving e-commerce.
What is most interesting to me about some of these innovations and new approaches to decentralized identity systems is that they also help to foster greater authenticity of data through better provenance, better definition and understandinng of data (using ontologies), greater granularity of access, and more accessibility to different platforms. Providing greater authenticity can help enable greater digital trust.
So what is your view? Will decentralized identity systems help to bring better authenticity to the web? Will identity hubs become easy-to-use and commonplace on the web? What has to change to get more control of your identity information? Let ActiveCyber.net know your thoughts through your comments and emails to our site.
And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at Active Cyber™.