“Identity is a very crowded space in blockchain,” a friend said to me last week. When I asked him if that was true for all dimensions, classes, and aspects of identity and authentication, there was a long – silent – pause before he said, “I don’t know what you mean by that – but you should really look at Civic – even though their model is a real hassle, they really get blockchain, network effect, and identity.”
We had looked at Civic before – in part because they are a darling of the world of cryptocurrency – but we hadn’t really understood what they were doing beyond decentralized blockchain attestations.
If you have not seen Civic’s white paper – it is here and it is not to be missed. A big focus of their paper is banking: how Know Your Customer (KYC) regulations remain expensive (USD$15-$20 per new customer enrollment) and how millions of people in the US alone are without bank accounts because they lack identity documents.
Their nine-step diagram on page 16 of the document starts with a User and their personally identifiable information (PII). In their example, an organization, presumably a bank, has asked for the User’s PII to perform some sort of identity authentication. In step two of the nine-step diagram, the organization uses its “existing verification methods” to conduct the check. The typical controls of KYC listed by Wikipedia include:
- Collection and analysis of basic identity information such as Identity documents (referred to in US regulations and practice as a “Customer Identification Program” or CIP)
- Name matching against lists of known parties (such as “politically exposed person” or PEP)
- Determination of the customer’s risk in terms of propensity to commit money laundering, terrorist finance, or identity theft
- Creation of an expectation of a customer’s transactional behavior
- Monitoring of a customer’s transactions against expected behavior and recorded profile as well as that of the customer’s peers
One thing Step 1 above does not mention is matching the identity document to the person in question (organizations like banks and airports will usually hold up the ID to compare the person to the ID), and Civic’s white paper does not mention this either.
Nevertheless – as the use case progresses, the User PII is authenticated and an attestation is created. The premise of the Civic model seems to be built around PII: there are enough requests for PII that people and businesses will be able to make money by reselling PII that has already been verified and attested to.
That might be true, but there is a LOT more information about us beyond the static PII data of date of birth, social security number, gender, etc.
Dynamic data about us includes some obvious things like credit rating, driving history, employment history, education history, and, we believe, in the future an Identity Trust Score. Another dynamic item that may be less obvious but is worth verifying is our location – if we are not where our credit card is being used, that could be a problem.
It seems likely that these dynamic aspects will be checked, authenticated, and verified with much greater frequency than PII, and that, while blockchain is in some respects still in its infancy, these checks will continue to happen off chain as well as on chain. So what will need to be in place is a solution where the identity of the person can bind to their personal device, like their cell phone (which they can unlock with a hardware-level biometric to mitigate the risk of hacking), and have all of those static and dynamic identity elements linked to them to make verifications and attestations very easy and low friction.
So PII is a really smart place to start with identity on the blockchain – but once some of the more dynamic elements can be added – then we can get into more day-to-day use of this sort of information.