The Equifax breach has driven Congress and others to rethink two major parts of the current credit system: having credit bureaus store most Americans’ identity data and using Social Security numbers as a primary identifier.
But figuring out a new system is challenging. One intriguing idea is adapting distributed ledger technology, a shared database with security and access controls built in, for identities.
“There’s no doubt that the blockchain concept, with its power to prevent duplication and divergence from the chain, is highly promising for identity,” said Jo Ann Barefoot, a former deputy comptroller at the Office of the Comptroller of the Currency and now a compliance consultant. “On a distributed ledger, everybody can trust that what’s in the ledger is there and is the only version of it.”
Bloom, the Decentralized Identity Foundation, and Open Identity Exchange are all working on protocols and standards that could be used by any entity to create a distributed ledger ID system.
When a user creates a new identity in a distributed ledger based on Bloom, a blockchain identity protocol, the user submits information to the network: name, address, phone number, etc. The system sends queries to parties that already have that information to look for matches.
“If the name matches the name on your phone account, that’s one verification,” said Jesse Leimgruber, co-founder of Bloom. A second might be a utility company verifying the address.
LexisNexis and the credit bureaus already do such verifications. But instead of all the data being stored at credit bureaus, where it’s a target for hackers, with Bloom it’s in a shared, distributed ledger.
Bloom is an open-source project, not a company. Its founders are all serial entrepreneurs who are funding the project as researchers and academics.
“No one on the Bloom team will ever have to think about money,” Leimgruber noted. “We’ve all sold our companies. This is a project we feel passionate about.”
More than 100 financial firms around the world — mostly alternative lenders — are already using the Bloom protocol, he said.
But the Equifax breach has stirred greater interest.
“Before the Equifax hack, it was tough. We were pulling teeth to convince people why a global, secure solution would be better,” Leimgruber said. “After the Equifax hack, we had 42,000 emails and sign-ups for more information to join, and most of those were banks, lenders, fintech providers.”
Credit bureaus are also reaching out to Bloom, which Leimgruber refers to as a decentralized credit bureau, largely because of nervousness about security.
“I don’t think we’re going to put Experian or Equifax out of business anytime soon, but the segment of business that verifies identities would not need to exist anymore,” he said.
Leimgruber acknowledged the drawbacks of blockchain technology: blockchains are slow, they’re expensive (each request can cost 10 to 15 cents) and they’re not scalable.
“If the world’s ID system was on a blockchain right now, it wouldn’t fit,” he said. “These are massive limitations.”
But he addresses those weaknesses by using IPFS, a protocol for decentralized, distributed content hosting.
“It’s kind of like a decentralized Dropbox,” Leimgruber said. “No one controls it; it’s another protocol. Most of the tough computation elements, the things that would typically be bogged down by blockchain, are stored on IPFS.”
IPFS could become an attractive target for hackers, Leimgruber concedes. But because the system uses private keys and hashing, it can’t be hacked, he said.
As for concerns about someone setting up a synthetic ID in Bloom and using bits of another person’s identity information, Leimgruber said as long as the person owning the identity has more information than the fraudster, the identity can’t be stolen.
Bloom also has a fallback mechanism called “staking.” Here, a user gets parents, siblings or friends to hold certain keys that unlock their identity.
“So even if a fraudster got every piece of information that ever existed about you, they would also have to compromise your mother, your sister, some percentage of your network that has staked your ID,” Leimgruber said.
Who runs the blockchain?
Some blockchain identity startups are gaining traction, especially in developing countries where there isn’t a large, complicated identity infrastructure in place.
Examples include Bitnation, Cambridge Blockchain, Civic, Global ID, and Consensys.
One World Identity, a strategy and research company focused on identity, works with several.
“The future could look like that,” said Joe Stuntz, vice president of cybersecurity at the firm. “That isn’t a solution for today. There are a lot of smart people figuring it out, so I hope it’s a solution five years from now.”
Instead of a blockchain run by a startup, however, some foresee the credit bureaus building a blockchain of their own.
“I would not believe for one second that the big three players in the U.S. are going to let some startup blockchain company take their franchise away from them,” said Steve Ely, CEO of the alternative credit bureau eCredable. “There’s way too much money at stake for them to allow that to happen. As much as they compete with each other, they’re also smart enough to know that they do have the goose that lays the golden eggs every year.”
There’s a precedent for this, Ely noted: VantageScore, the alternative credit score the three bureaus created to compete with FICO.
“If they’re not thinking about [building a blockchain] already, shame on them,” he said.
“If I were in their shoes, I would be working on exactly that concept,” she said.
A chain of blockchains
Getting everyone in the U.S. to use one identity blockchain is challenging. But what if several interoperable blockchains could be strung together?
“A lot of people believe that is the future,” Stuntz said. “If we have 10 options and one of them goes down, we can migrate them to one of the options that’s still standing.”
This could provide the scalability needed to accommodate millions of people at a time.
Barefoot believes Congress needs to get the ball rolling.
“A good step for Congress might be to create a DARPA type of initiative, to begin to formulate a 21st-century ID system for the U.S. that would also work globally,” Barefoot said. “It needs to think through privacy, cybersecurity, authentication, access and inclusion, and needs ways to keep up as the technology continues to evolve.”
Editor at Large Penny Crosman welcomes feedback at [email protected].