The concept of a Personal Data Locker (PDL), a secure storage area for each individual’s personal data, has been a core goal of the Pillar Project from its earliest days. As the project team begins to implement these features into the Pillar Wallet, this article discusses the concepts regarding personal data and your digital identity.
Personal data can be defined to include information about you such as your name, birth date, email address, phone number, physical address, etc. Other terms for such data are demographic information or personally identifiable information (PII).
In addition, personal data can include information that is captured about your activities such as fitness trackers, smartwatches and your phone’s geolocation activity. Even further, personal data can include your Facebook/Twitter posts and sensitive data such as electronic medical records.
Any discussion of personal data, however, needs to start with a discussion of digital identity, as that identifies who the “P” in PDL refers.
Digital identity can be thought of as “who you are” in the online world. Personal data such as your name, phone number and email address can be used to identify you in various online communities.
However, just by an individual stating that they are a specific person doesn’t prove who they say they are. Some online sites attempt to increase their confidence in your identity by verifying your email and phone number. They send an authentication code to your email and phone, which you must enter into their site to verify that information. That process proves that you have control over that phone or email account at that point in time, and that may be enough for the online site to feel comfortable in providing services to you. If the company needs a higher level of proof of your identity, then something else is required.
In the physical world, your identity is typically proven to someone by presenting them with a government-issued photo identification document, such as a driver’s license, passport or ID card. The person who is verifying your identity must rely on their skills in document verification or they must employ additional tools to provide assurance as to the document validity and in matching your face to the document photo.
Take for example an alcohol server who checks your ID. She must ascertain whether:
- the ID is valid (maybe it is from another state or country),
- not expired,
- that the text/numbers have not been tampered with,
- that your birth date shows that you are of legal age,
- and that the years old photo matches to what you look like today.
If the establishment chooses to use additional tools to assist with that process, each ID could be digitally scanned, the data retrieved from the document and sent to a government agency for validation, then a photo captured of the individual and matched to the photo on the document.
In analyzing that example, one can see issues with how identity is verified today.
The manual approach has risks with properly spotting a forged document and with properly matching a photo to a face. The automated approach reduces those risks, but introduces privacy risks with the amount of data that is captured.
Digital identity, implemented correctly, could solve many of these issues, both in the physical and digital worlds. Let’s re-imagine that example using digital identity. The establishment asks for proof-of-age by displaying a QR Code on a screen at the entrance. Your digital wallet contains your driver’s license, which has been validated by the issuing agency using a digital signature. You scan the QR Code, and your wallet app captures a selfie photo to verify that you are the owner of the credential. The app then sends a digital proof to the establishment’s system that you are over 21, without disclosing your birth date or any other personal information. Such a system removes manual verification risks and protects your personal information.
How can it look like? Watch the demo of the Citizen Wallet built during the Odyssey Hackathon 2019.
A digital identity system needs a way to collect credentials that prove who you are, a place to store the credentials under your control, and ways to use your identity in the physical and digital worlds. Ownership and control of your identity is a key factor in such a system. The term Self-Sovereign Identity is used to describe the ownership and control aspects. Each individual owns their collection of identifiers and credentials and controls how they are used.
Standard ways of describing digital identifiers and credentials are being finalized by a large group of individuals that represent companies involved in this market space. We at Pillar are part of that effort and are committed to using these standards in our product.
In the next article, we’ll explore these standards and concepts, and how they work together to bring about the changes needed to implement digital identity and personal data ownership.