The U.S. government is finally dipping its toes into blockchain projects and is getting on board with new ways to offer secure documents. Having written previously on the topic—and having done similar projects around supply chain—we want to offer some suggestions on how it can be done right. If implemented properly, it can be a revolutionary way for Americans to store, share, and protect their personal data in ways they could never before.
(For the full technical paper we wrote, take a look on GitHub.)
The Department of Homeland Security, in its request for proposal (RFP) document, is offering $800,000 to whoever develops a better way to secure documents such as travel documents, certificates, and licenses. ID cards need to be harder to destroy or forge, yet easy to invalidate when necessary. DHS would also like to link the ID to secondary data beyond the basics of identity, while keeping that data secure from abuse.
In addition to stated requirements, we recommend these additional features:
- Room for anonymity. Current forms of ID like driver’s licenses unnecessarily expose too much information, which increases fraud and identity theft.
- Document is invalid until received by the destination party. There are many schemes where documents are intercepted during or immediately after delivery, to perpetrate identity fraud crimes.
- Document can be invalidated without possession of the document itself. Most forms of disabling IDs are physical, like punching a hole through a passport. This implies having a document in hand. Once a document is stolen, invalidating it physically is unlikely. However, that need not be the case with a digital ID.
- Unauthenticated access to personal data should yield no data. Every access must be authenticated and authorized, and the person who owns the data should decide how much of it, if any, is disclosed to parties that have not been granted access.
- Authenticated data access should yield a trace. To avoid misuse of trusted privilege, every read of the data should leave a written record. All highly secured assets have that.
- Historical data should not be deleted, only augmented. Most data attacks end with wiping the logs after the data has been stolen. Building the inability to delete into the system itself makes that kind of cover-up much harder.
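The last four requirements above (no data without authorization, a trace for every authorized read, revocation without possession, and a log that can only grow) can be checked in a small model. The code below is an added illustration written for this post, not code from the original article, DHS, or any vendor; the registry, document record, and role-based policy are assumptions, and the sample document and requesters are constructed. The log is a SHA-256 hash chain, which is the tamper-evidence property a blockchain ledger provides, minus the consensus layer.

```python
"""Access-control and append-only audit model for a digital ID registry.

Added example for illustration. Assumed design: every read of a holder's
data goes through a registry that refuses unauthorized reads, records each
authorized read in a hash-chained log, and can revoke a document by its ID
without the physical document being present.
"""
import hashlib
import json
from dataclasses import dataclass


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # Each entry commits to the previous entry's hash, so editing or
    # deleting any earlier entry breaks every hash that follows it.
    material = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


class AppendOnlyLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # (prev_hash, payload, entry_hash)

    def append(self, payload: dict) -> str:
        prev = self.entries[-1][2] if self.entries else self.GENESIS
        payload = dict(payload, seq=len(self.entries))
        h = _entry_hash(prev, payload)
        self.entries.append((prev, payload, h))
        return h

    def verify(self) -> bool:
        """Recompute the chain; False means an entry was altered or removed."""
        prev = self.GENESIS
        for stored_prev, payload, h in self.entries:
            if stored_prev != prev or _entry_hash(prev, payload) != h:
                return False
            prev = h
        return True


@dataclass
class DocumentRecord:
    doc_id: str
    fields: dict    # data grouped by category, e.g. {"medical": {...}}
    policy: dict    # holder-chosen defaults: role -> list of categories
    revoked: bool = False


class Registry:
    def __init__(self):
        self.log = AppendOnlyLog()
        self.docs = {}

    def register(self, rec: DocumentRecord) -> None:
        self.docs[rec.doc_id] = rec
        self.log.append({"event": "register", "doc": rec.doc_id})

    def revoke(self, doc_id: str, by: str) -> None:
        # Invalidation needs only the identifier, not the document itself.
        self.docs[doc_id].revoked = True
        self.log.append({"event": "revoke", "doc": doc_id, "by": by})

    def read(self, doc_id: str, requester: str, role: str, authenticated: bool):
        rec = self.docs.get(doc_id)
        if rec is None or not authenticated or rec.revoked:
            # No data leaves the registry, but the attempt is still traced.
            self.log.append({"event": "denied", "doc": doc_id, "by": requester, "role": role})
            return None
        allowed = rec.policy.get(role, [])
        # A role the holder never granted anything gets an empty result.
        data = {cat: rec.fields[cat] for cat in allowed if cat in rec.fields}
        self.log.append({"event": "read", "doc": doc_id, "by": requester,
                         "role": role, "categories": allowed})
        return data


def demo():
    """Run the constructed scenario and return (results, chain_intact)."""
    reg = Registry()
    reg.register(DocumentRecord(
        doc_id="DOC-0001",
        fields={"basic": {"name": "A. Holder"}, "medical": {"blood": "O+"}},
        policy={"doctor": ["medical"], "border_agent": ["basic"]},
    ))
    results = [
        reg.read("DOC-0001", "anon", "doctor", authenticated=False),    # None
        reg.read("DOC-0001", "dr_lee", "doctor", authenticated=True),   # medical only
        reg.read("DOC-0001", "nosy", "neighbor", authenticated=True),   # {}
    ]
    reg.revoke("DOC-0001", by="holder")
    results.append(reg.read("DOC-0001", "dr_lee", "doctor", authenticated=True))  # None
    return results, reg.log.verify()
```

`demo()` walks through the four cases; the log's `verify()` method is what a later auditor runs, and rewriting any stored payload after the fact makes it return False.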
We have recently completed a project that secures a supply chain with Near-Field Communication (NFC) chips. This technology looks like a great fit here. NFC is a trusted technology available in nearly every smartphone and tablet these days. It is already being used for payment processing by major players such as Apple Pay, Google Pay, Visa, MasterCard, and others. While the NFC chip alone provides authenticity and prevents counterfeiting, combining NFC with blockchain technologies assures decentralized data safekeeping.
As recently as September 2018, NXP Semiconductors N.V. unveiled a more secure and less expensive chip (the NTAG 424 DNA) that generates a unique, unbreakable code at every scan by a phone, tablet, or other inexpensive reader connected to a desktop PC.
Combining two of the newest technologies—the NFC DNA chip for authentication and blockchain for data safekeeping—will likely solve each scenario described in the RFP document.
One can place a tiny tag—an NFC chip—inside a document, which will preclude it from being copied. NFC uses commonly respected encryption algorithms built into the chip itself. U.S. passports use a similar technology, but theirs is unfortunately from an earlier generation that can be hacked.
Here, we would use newly developed chips that would allow one to secure documents with the utmost certainty in their authenticity. The newly developed chips are also tamper-proof, meaning that if someone tries to remove it, the chip would detect it and notify a verification service next time it’s being authenticated.
Chips can be read by any recent smartphone. A mobile app could be used to authenticate the chip within the document and download any amount of additional data related to the document.
The solution uses standard authentication techniques paired with any blockchain mechanism to ensure data is never erased and always appended.
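The authentication flow described above (the chip emits a fresh code on every scan, a verification service checks it, and tamper detection and invalidation are handled on the service side) can be modelled end to end. This is an added example written for this post, not code from the original article, from NXP, or from DHS. The NTAG 424 DNA computes an AES-based MAC over its UID and read counter; here HMAC-SHA256 from the standard library stands in for that MAC so the example runs offline, and the 24-bit counter width, the tamper flag byte, the sample UIDs and the keys are all constructed assumptions.

```python
"""Per-scan code verification for an NFC-chipped document (simplified model).

Added illustration, not vendor code. The chip-side MAC is modelled with
HMAC-SHA256 rather than the chip's AES-based MAC; the message layout
(UID || 24-bit counter || tamper byte) is an assumption for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _scan_tag(key: bytes, uid: bytes, counter: int, tamper: bool) -> bytes:
    # The counter is part of the MAC input, so every scan yields a new code
    # and a captured code cannot be presented twice.
    msg = uid + counter.to_bytes(3, "big") + bytes([int(tamper)])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class SimulatedChip:
    uid: bytes
    key: bytes                    # secret shared with the verification service
    counter: int = 0              # monotonically increasing read counter
    tamper_detected: bool = False

    def scan(self) -> dict:
        """What a phone reads from the chip: UID, counter, flag and MAC."""
        self.counter += 1
        return {
            "uid": self.uid,
            "ctr": self.counter,
            "tamper": self.tamper_detected,
            "tag": _scan_tag(self.key, self.uid, self.counter, self.tamper_detected),
        }


class VerificationService:
    def __init__(self):
        self.keys = {}       # uid -> key, populated at enrollment
        self.last_ctr = {}   # uid -> highest counter accepted so far
        self.revoked = set()

    def enroll(self, uid: bytes, key: bytes) -> None:
        self.keys[uid] = key

    def revoke(self, uid: bytes) -> None:
        # Invalidation without possession: only the UID is needed.
        self.revoked.add(uid)

    def verify(self, msg: dict) -> str:
        uid = msg["uid"]
        key = self.keys.get(uid)
        if key is None:
            return "unknown"
        if uid in self.revoked:
            return "revoked"
        expected = _scan_tag(key, uid, msg["ctr"], msg["tamper"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-mac"          # forged or corrupted code
        if msg["ctr"] <= self.last_ctr.get(uid, 0):
            return "replay"           # reused capture, or a clone lagging behind
        self.last_ctr[uid] = msg["ctr"]
        if msg["tamper"]:
            return "tampered"         # chip reports removal from the document
        return "ok"


def demo() -> list:
    """Exercise the verifier with constructed inputs; returns the verdicts."""
    svc = VerificationService()
    chip = SimulatedChip(uid=bytes.fromhex("04a1b2c3d4e5f6"), key=b"\x01" * 16)
    svc.enroll(chip.uid, chip.key)
    first = chip.scan()
    verdicts = [svc.verify(first), svc.verify(first)]          # ok, replay
    second = chip.scan()
    verdicts.append(svc.verify(dict(second, tag=b"\x00" * 8)))  # bad-mac
    verdicts.append(svc.verify(second))                         # ok
    chip.tamper_detected = True
    verdicts.append(svc.verify(chip.scan()))                    # tampered
    svc.revoke(chip.uid)
    verdicts.append(svc.verify(chip.scan()))                    # revoked
    return verdicts
```

The service keys its state on the chip UID, so a stolen document is disabled with a single `revoke` call and a reader that copies one scan's output gains nothing, since the counter it replays is already behind the service's record.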
What’s also interesting is that documents themselves will no longer need to display any personal identification. This allows for anonymous personal IDs. People can be in charge of their own information and can provide a certain default access to certain groups of users (for example, full medical history to any medical doctor without exposing personal data) while denying others (nosy people always up in your business) any information at all.
No longer needed are the dreaded picture IDs, like the one appearing on your driver’s license, yet it’s now possible to have 20 high-resolution digital pictures available for, say, creating a missing person’s report. Implementing the solution this way will not only solve the counterfeiting and forgery problems, but it will also open the door to endless functionality that could include secure communications/messaging, tracking, payments in any currency, eSignatures, and much more, on a scale never before seen in the United States.
Properly architected, it can even allow a secure offline mode for agencies like the TSA, so an internet outage wouldn’t stop an airport from functioning. Yet it precludes the TSA—or any other agency—from opening up everyone’s data without their presence or consent and abusing its privilege.
Blockchain technology is here to help, as our aging reliance on Social Security Numbers (SSNs) is crumbling. Today we find ourselves facing a crisis scenario with SSNs not unlike Y2K. The king of IDs is dead, long live the king!