Feature Article: The Question of Who You Are

The following news release was published by the Department of Homeland Security, Science and Technology Directorate on Oct. 27. It is reproduced in full below.

The Science and Technology Directorate (S&T) and U.S. Citizenship and Immigration Services (USCIS) have joined forces to implement a new internet standard, called Decentralized Identifiers (DiD). Let’s explain what this means and why it matters.

One of the critical challenges of our technology-driven, interconnected world is identity.

Without even speaking a word, we identify ourselves every day and in many different ways. Perhaps you enter a PIN to sign in to a bank account or use a password to log in to your health benefits. You scan your own face to unlock your phone to access some of the apps running on it. You swipe an ID card with a magnetic stripe to enter your office building. And of course, when you travel or work abroad, you must identify yourself with a passport. But what are you sharing when you identify yourself? Where does that identifying number or document come from, and who controls access to it?

The Science and Technology Directorate (S&T) is working to help make your identity more secure, and to put control over your privacy and personal information into your own hands. Jared Goodwin, chief of the Document Management Division at USCIS, was also working on these issues. His division is tasked with the production of all immigration documents: they design the documents and acquire the vendors to produce them. USCIS wants to be able to issue digital credentials, like a green card, to a smartphone, for example. It could be easier to carry, easier to use, more secure, and it could be supported online. Actions like renewing and modifying immigration status wouldn’t require standing in line at an office somewhere.

Jared discovered that S&T’s Silicon Valley Innovation Program was exploring similar solutions, “going out to industry to look for ways to partner with agencies to prevent forgery and the counterfeiting of certificates and licenses.”

The solution that they settled on together is called Decentralized Identifiers (DiD). DiDs are meaningless, but unique, identifiers specifically associated with data.

Let’s say that a prospective employer wants to verify that a candidate is a college graduate. When the candidate graduated from college, in addition to a paper diploma they also received a digital diploma that is cryptographically signed by the university with the university’s DiD. The university issues it to the graduate with the graduate’s DiD, so that the digital diploma is provably a legitimate diploma from the university, is provably the diploma of this specific graduate, and provably has not been forged or altered. It’s also fully digitally signed with the graduate’s DiD, so it is more secure.

Now if the graduate needs to prove that they have a college degree, they can choose to share it with the prospective employer, and the employer can use the graduate’s DiD and the university’s DiD to prove that it is the legitimate diploma of this person and that it was issued by the university. Additionally, because the diploma is digital, the candidate can choose to share only the data that is required, so the prospective employer only sees the degree and the major but does not see the date of graduation. All of this happens without having to contact the university itself, because the credential that it issued upon graduation was cryptographically sealed and verified. The individual now controls their own personal information, and the verification process does not rely on any third-party central authority.

In the case of a government-recognized DiD, there would be a process whereby the entity would verify that the DiD represents them. If the individual needed to generate a new DiD, they would have to repeat the initial verification process.

Working together, and with other like-minded partners, S&T and USCIS went to the World Wide Web Consortium (W3C) and facilitated the creation of a new official web standard, which designates DiDs and describes how they work and how any system making use of them will function. This means that anyone can create a program or application that makes use of DiDs, and as long as it conforms to the W3C specifications it will work correctly. Web standards are the rules and specifications for how the internet operates. For example, HTTP, which precedes every internet address and helps define how web addresses work, was also created by W3C.

Consider this example: a customer attempts to purchase a six-pack of beer at a convenience store. The way it works now, the cashier asks for an ID to verify that the customer is old enough to buy liquor, but when they hand over their driver’s license…what else are they handing over?

Think about that very common, everyday transaction for a moment: a state-issued document from a department of motor vehicles (DMV), intended to demonstrate qualification to drive a car, is presented, along with date of birth, address, ID number, organ donation status, whether you need to wear glasses, even height or weight.

Part of the promise of the DiD standard, along with the Verifiable Credentials Data Model (VCDM) standard, is the ability to share only the data that is required for a transaction. In the scenario above, when the cashier asks for proof of age, the customer could use their phone to prove their verified age without sharing any other information (not even a specific date of birth). This is an important step towards putting privacy back in the hands of the people.
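The diploma scenario and the share-only-what-is-required point above, as an added example that is not part of the news release and is not DHS or W3C code: an issuer signs salted hashes of each claim, the holder reveals only some claims, and the verifier checks everything offline. It uses a simplified salted-hash scheme with Ed25519 from Node's standard `crypto` module rather than the W3C data formats; the `did:example:` identifiers, the in-memory `registry` standing in for DiD resolution, the sample claim values and all function names are assumptions.

```javascript
const crypto = require("crypto");
// Constructed placeholder DiDs; the Map stands in for DiD resolution (assumption).
const ISSUER_DID = "did:example:university";
const HOLDER_DID = "did:example:graduate";
const issuerKeys = crypto.generateKeyPairSync("ed25519");
const registry = new Map([[ISSUER_DID, issuerKeys.publicKey]]);

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const commit = (d) => sha256(JSON.stringify([d.salt, d.name, d.value]));

// Issuer: salt and hash every claim, then sign only the digests plus both DiDs.
function issue(claims) {
  const disclosures = Object.entries(claims).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString("hex"), name, value,
  }));
  const payload = JSON.stringify({
    issuer: ISSUER_DID, subject: HOLDER_DID,
    digests: disclosures.map(commit).sort(), // sorted so order leaks nothing
  });
  const signature = crypto.sign(null, Buffer.from(payload), issuerKeys.privateKey);
  return { payload, signature: signature.toString("base64"), disclosures };
}

// Holder: forward the signed payload but reveal only the chosen claims.
function present(credential, names) {
  const { payload, signature, disclosures } = credential;
  return { payload, signature, disclosures: disclosures.filter((d) => names.includes(d.name)) };
}

// Verifier: check the issuer signature without contacting the issuer, then match
// each revealed claim to a signed digest. Returns verified claims, or null.
function verify(presentation) {
  let body;
  try { body = JSON.parse(presentation.payload); } catch { return null; }
  const key = registry.get(body.issuer);
  if (!key || !Array.isArray(body.digests)) return null;
  const sig = Buffer.from(String(presentation.signature), "base64");
  if (!crypto.verify(null, Buffer.from(presentation.payload), key, sig)) return null;
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!body.digests.includes(commit(d))) return null; // altered or unsigned claim
    claims[d.name] = d.value;
  }
  return { issuer: body.issuer, subject: body.subject, claims };
}

const diploma = issue({ degree: "BSc", major: "Chemistry", graduated: "2015-06-01" });
const shown = present(diploma, ["degree", "major"]);
console.log(verify(shown)); // degree and major only; the graduation date is never sent
```

The example leaves out the holder's own proof that they control the subject DiD, which in this sketch would be a second signature by the holder's key over a fresh challenge from the verifier.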

Because DiDs allow individuals to generate and control their own identifiers, if they are ever compromised, a new one can be generated. Different DiDs could be generated for different purposes, so that if a banking DiD was compromised, it wouldn’t affect health insurance privacy, and so on.

DiDs are an improvement over current forms of physical documentation in many ways:

* They are not issued by a government agency (like the DMV) and do not need to “phone home” to a government agency to be verified.

* They are generated and controlled by the individual, who decides when to share personally identifiable information and what to share. The identifier could be stored by the user in a personal digital wallet or vault. Where and how it is stored is up to the user; there is no expectation to use any specific product or vendor.

* They do not require any proprietary technology vendor or platform, and because they are based on a worldwide internet standard, there is the opportunity for worldwide interoperability.

* The actual identifiers are meaningless, but unique. Just stealing the identifier from someone doesn’t mean you can use it, and the identifier itself cannot be used to discover information about the user. There is no personal information encoded in the identifier.

“Going forward, the government does not want to issue and control your identification,” said Goodwin. “The user should be able to own their identity and decide when to share it, and we don’t want a system that has to reach back to an agency for verification.”

Thanks to the work of SVIP, USCIS and many others, DiDs are going to become more and more common in the near future. The work will make a big difference in preventing identity theft and forgery, allowing individuals to control their own personal information and privacy, especially online.

Source: Department of Homeland Security, Science and Technology Directorate
