Microsoft’s Bitcoin-based decentralized identity tool, ION, went live with a beta version on mainnet Wednesday as one of many efforts by members of the Decentralized Identity Foundation (DIF), some of which may fast-track tools anyone can use for COVID-19 crisis response programs.
Microsoft and ConsenSys’s uPort project are both leading DIF members. Separately, Microsoft is also collaborating with the bitcoin startup Casa to create a user-friendly interface for managing multiple digital identities.
“We’re excited to help ION take full advantage of technology like Bitcoin to vastly improve authentication, security and privacy on the internet,” Casa CEO Nick Neuman said in a press release.
“We are thrilled to have Casa collaborating on ION with us, which showcases the potential of building real-world applications that leverage the strong foundation Bitcoin provides,” Microsoft project lead Daniel Buchner said in a statement.
First announced last year, ION is meant to enable user-controlled logins that suit independent companies or services, rather than having system-providers (like Facebook) owning a user’s login credentials. ION can be used for many use cases that aren’t strictly related to health certificates or contact tracing, though the continued spread of coronavirus has influenced its potential usage.
“Almost every group in the blockchain industry is coming up with use cases,” said ConsenSys employee and DIF leader Rouven Heck, referring to potential partnerships with government agencies.
“There are conversations happening at the moment but it’s not a formal agreement,” Heck said.
“Everybody wants to move fast and has a high interest in demonstrating this technology can be very powerful.”
The race is on for companies to work with governments on such high-tech emergency ID measures. There are generally two approaches, contact tracing and digitized medical records, while some Asian governments combine them. For example, dozens of blockchain startups joined forces to start creating an “immunity passport” approved by the World Wide Web Consortium (W3C) Verifiable Credentials standard.
However, some people see both approaches as controversial, even dangerous.
In May, attorney Elizabeth Renieris resigned from her advisory role at the ID2020 consortium for decentralized ID (DID) creators, including Microsoft, saying she “cannot be part of an organization overly influenced by commercial interests that only pays lip service to human rights.”
Microsoft would not make executives available for an interview, though the company did provide a statement.
“Microsoft is continuing to work on the ION project, which has always included considerations on functionality for a wide range of use cases,” a Microsoft spokesperson told CoinDesk. “While there could be relevant software solutions inspired by new needs and current market demands, Microsoft believes in empowering people and protecting privacy and is committed to growing the open source community and industry standards.”
Microsoft’s open source ION project uses the Bitcoin blockchain for something comparable to a coat-check ticket.
Rather than include all the data about the coat (or person), which would be hard to scale, it offers a Bitcoin-ledger reference number to the data’s chronology. The heavy data is actually stored between ION nodes using the InterPlanetary File System (IPFS). Whoever is anchoring the data pays a small fee to bitcoin miners to record the reference number.
“The focus is to make things highly interoperable,” Heck said, referring broadly to the urgent work being done on solutions across the space.
Part of the reason why organizations involved with DIF are working to make their technologies compatible across use cases and systems is interoperability might, at the very least, make it easier to build privacy features that apply across the spectrum.
“Uport at ConsenSys are also working on projects,” Heck said. “Microsoft’s ION stack or Uport’s stack should be compatible.”
Even so, some privacy advocates say the project’s safeguards are lacking.
Former W3C employee Harry Halpin, now CEO of the privacy-tech startup Nym, said some of these efforts are simply repackaging previous work.
“ID2020 is just the latest attempt to violate people’s privacy using feel-good rhetoric. It’s also part of a larger business plan. Microsoft and IBM’s entire bottom line is to build identity systems,” Halpin said. “Governments need to establish identities of who owns these keys, so they say, ‘OK, we’ll have an open standard, call it decentralized, and make it mandatory.’”
In the face of such harsh criticism, blockchain advocates are working to identify and minimize the ethical risks of the tools they continue to build.
According to W3C member and nonprofit Blockchain Commons founder Christopher Allen, it’s not clear the contact tracing like Google and Apple are offering will work unless the vast majority of all Americans use them. Since it’s hard to get enough people on board for contact tracing to work, he worries the most salient result may simply be accelerated data collection.
“Probably the most dangerous type of information, out of all types of personal information, is location data,” Allen said, explaining contact tracing would require privacy tech at multiple layers, from the app level on the phone to the internet infrastructure someone uses.
“It’s incredibly hard to protect,” he said.
In reference to an open source emergency app in Israel, which does have privacy measures yet was operated in cooperation with various government entities, Allen said it’s clear “this data is already out there being collected and [location data] correlation is happening.”
Zcash Foundation researcher Henry de Valence agreed such systems are not the best use case for distributed ledger technology, or really any software.
“I don’t think people should build those systems and I don’t think they would be effective at preventing the spread of disease,” he said, adding he does not see so-called immunity passports as any better. “There’s no cryptographically strong way to prove immunity one way or another.”
Some countries, like Honduras, have already implemented some type of blockchain solution for certificates that give people a type of ticket for medical services or free movement outdoors.
However, in these cases, the government generally came up with a policy and found a startup to create the relevant tooling, rather than tech startups coming to policymakers with prospective offerings. One exception, which isn’t widely adopted so far and didn’t use blockchain technology, was NSO Group pitching surveillance technology to American police. Despite the societal risks, crypto companies are taking NSO Group’s proactive approach.
Allen is slightly more optimistic about decentralized identity tools for self-sovereign medical records.
“This architecture is ripe for solving this particular problem,” Allen said, warning this is only in reference to the digital certificate itself. (Whether the medical tests actually prove immunity is a different matter entirely.)
As someone who collaborates with both immunity passport teams and companies involved with the DIF, he said they are taking disparate approaches based on their own evaluations of the tradeoffs. He’s not sure which will be better and hopes the market will decide.
“We don’t know what the best answer is and we don’t have a strong rubric for what the best level of decentralization means,” Allen said of the immunity passport coalition. “Parties like DIF, with Microsoft and ConsenSys … [have] a different set of rubrics to decide the answer to their solution.”
On the other hand, Zcash’s de Valence remains skeptical.
“It’s the duty of technologists to ask what types of systems we’re creating and what kinds of social structures do those things create,” he said.
Although Allen warned no technology offers a panacea, especially with regards to government overreach or recurring outbreaks, he expects some type of new “verifiable credential” technology will probably emerge from this crisis.