Breeding Licenses on a Blockchain

Blockchain technology itself is innovative, but its applications for governments and businesses could be revolutionary, argues Sam Smith.

One of the most talked technologies of the past few years is the blockchain. Its origins are in the crypto-currency bitcoin: blockchain is bitcoin’s underlying technology. Perhaps the best and simplest to describe it is as an enormous public spreadsheet of chronologically stored information that anyone can contribute to, but no-one person controls. That results in an immutable, publicly available database. Blockchains are a generic mechanism for getting information to anyone who chooses to care, where everyone who wishes can see it at the same time.

The technology itself is innovative, but it’s the applications of block chain that could be revolutionary. Which is why governments, businesses, and technologists of various shades are trying to figure out how to apply it to real world problems. One possible application is how it could transform the way we deal with identity theft, which already costs the UK economy billions of pounds a year and is growing. Not to mention the distress and worry it causes to thousands of people.

For a criminal, the holy grail of identity theft is something called a “breeder document”. This is a document that lets you create offspring (of the identity, not the human, kind). For example, one fake driver’s license can get you multiple bank accounts, and each bank account gets you money in someone else’s name, and shortly thereafter a nice car for you that the victim – or an insurance company – has to pay for. This can be repeated ad infinitum with different banks until the real identity owner notices he or she has apparently just purchased two brand new BMWs. However, even then, the crook can continue to be able to use their new identity with other sources that may pay less attention to revoked documents. Just because one bank has spotted the problem, it doesn’t mean everyone else has. HSBC might freeze a fake account, but it doesn’t mean the online store that requires proof of identity hears about it.

This is because revoking a driving license, and making it easy for people to check if a license is legit, is very difficult. (It is not about prohibiting the legitimate owner from driving, but about invalidating an illegitimate document). In the case of passports, for example, sometimes one can only find out at a border that their passport has been revoked, but a passport gets checked by many organisations that may not have access to the Government revocation databases. Governments don’t want to share a big public lists of valid passports, as this can also create many other problems. Publishing a public list of invalidated document identifiers, however, is less troubling. Such a list doesn’t contain any personal data, just enough to know that if the number is on the list, and you have a seemingly legitimate passport in front of you, or a bank account was opened with it last week, you might want to take a closer look.

The technical capacity to authenticate, maintain and distribute a list of revoked IDs is not new. There are a wide range of different ways to do this, but no government has ever done it. A blockchain provides the decentralised potential for a coalition of the willing to write and share information with anyone who wants to know which documents they issued but later realised they probably shouldn’t have. Writing invalidated document numbers to Facebook would be pointless, but writing the same data in a structured form on an immutable publicly accessible spreadsheet means it can be known by anyone who looks.

The advantage of networks and blockchains is that the list can exist regardless of bureaucracy choice. A coalition of the willing can simply begin to write information in a defined structure to a blockchain. This could work by each contributor writing its own entries and providing a unique digital signature for what it has done. Through this full organisational independence and autonomy is maintained ; they just need to use the same standard everyone else has agreed to use, and write entries to the chain in that format. Governments may choose to trust the list from the Greek authorities when they’re collecting passports abandoned on a beach. Blockchains enable hierarchies to turn into networks, which doesn’t say anything about what happens to power.

It’s probably inevitable that governments will also see in blockchains the ability to micromanage a nation, and improving its ability to track and monitor citizen activity. This also means that encryption of personal data becomes of increasing importance if blockchains start to be picked up by public bodies. All cryptography fails. Should you have a cryptographic algorithm that is guaranteed to hold up for the lifetime of babies born today, GCHQ would like to hear from you (or they’ve already undermined it). Blockchain enthusiasts may be distinctly optimistic about progress in the short term, but that would seem to be excessively pessimistic about progress in the longer term. For the foreseeable future, personal data on a blockchain must be considered cautiously. To tackle identity theft, for example, I can imagine blockchains being used for administrative metadata: the passport number, the issuer, and -if absolutely necessary- hashes of certain information, but never the personal details of the individuals.

A list of revoked drivers’ license IDs or passports is never going to be something that thousands will care about, but a hallmark of good institutional identity hygiene is that it should be something no one should ever have to care about. Proper implementation will prevent harm to those who have their identity reused after it had been reported stolen, and have no effect on anyone else since their details won’t be included. The billions in costs for the UK economy are dwarfed by the untold worry and harm to those who are victims. It doesn’t have to happen.

As data and identity become a more important part of the smooth functioning of the economy and society, so we need a new way of revoking documents while protecting privacy. Blockchains aren’t the whole answer; but they do make it practical for the authorities’ work across borders and silos to better protect individuals.