Could Decentralized Identifiers Facilitate Users’ Control over Their Data?
Written by Max Samarin and edited by Ahsan Monzoor, Rovio
It is challenging for companies in an environment as complex as the digital advertising world to understand which consents an individual has given regarding the handling of their data, after that data has travelled a long way down the chain of AdTech vendors. It is also challenging for individuals to fully understand which companies have had access to their data after they shared it with just one company.
Luckily, there are tools to help with that. The Transparency and Consent Framework is one solution that many websites and AdTech companies in the EU implement to manage user data consents. Essentially, what the framework does is make it easier for companies to comply with GDPR and for individuals to see and decide which companies have permission to access their data. When an AdTech vendor down the chain receives data from a user, they also receive the information on what consents the user has given, so the company knows to whom they are allowed to forward the data. This article does a great job explaining what TCF is and how it works in rather simple terms: https://clearcode.cc/blog/iab-gdpr-transparency-consent-framework/
The TCF is a standard that many AdTech vendors choose to adhere to; alternatively, a company may build its own solution or use something else. But does the world of distributed ledger technology have anything to offer to help services and vendors put users in control of their data? The SOFIE project enables us to explore distributed ledger technologies in the context of various use cases, and one such use case could be researching the use of decentralized identifiers in a framework for managing user consents.
Decentralized Identifiers
A decentralized IAM framework allows a user to log in to several services with a single account without handing data to an external identity management provider. An involved consensus mechanism on the blockchain (built, for example, on Hyperledger Indy) is used to authenticate the user. Whenever signing in to a service, the user would enter the password in their mobile management application, from which they could manage all their connections with the services and choose what data (credentials) to share with each connected service at arbitrary granularity. When the user removes a service’s access to their data, the DID used with that service is marked as revoked on the blockchain.
Indeed, if a user has sent data to a connected company, that company now has a copy of the shared data. So how is it revoked? Revocation is just the removal of the link between that data and the actual user. The company will still have the data, such as an advertisement profile, but it will no longer know to whom that data belongs.
In classical terms, this is analogous to first using one anonymous account within a service, and later creating a new anonymous account. In reality, however, it is common for users to use one identity provider to log in to numerous services. Creating new, separate accounts for various services would be cumbersome.
A decentralized identity provision framework would allow the effects of creating new anonymous accounts while maintaining the convenience of logging in with one master account everywhere from the user’s perspective, all while not relying on a single company for identity management. A user would presumably have one mobile application from which they sign in and manage their connections to various services.
Such a framework based on decentralized identifiers would not be perfect. A service can always track the user’s device ID and note that two anonymous accounts (or decentralized identifiers) are used by the same person. However, as with TCF, the ambition here is not to fully guarantee but rather to facilitate users’ control of their data, while helping companies comply with regulations such as GDPR. In the DID approach, a user would grant or withhold explicit consent for every service that asks for it. If a service offered the option to sign in with a DID, a user would arguably be more inclined to trust the company, knowing that the revocation mechanism is always at hand. The user is in control of their data not only because they trust the services to comply with regulations, but also thanks to the privacy-driven way a DID-based approach is technically implemented.
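To make the connect/share/forward/revoke flow above concrete, here is a small Python model added for this article (it is not SOFIE project code and implements no real DID method or ledger). It assumes a hypothetical `did:example` identifier derived from a fresh random key per service connection, a `Ledger` class that merely records revoked DIDs in place of the blockchain, and it leaves out the authentication step entirely. All profile data is constructed sample input. What it shows is the three properties discussed above: pairwise DIDs share nothing between services, each service receives only the attributes the user consented to, and after revocation every holder down the AdTech chain still has its copy but can no longer tie it to a live identity; reconnecting yields a new DID, the "new anonymous account" of the classical analogy. Nothing in the model prevents the out-of-band correlation (e.g. by device ID) that the paragraph above mentions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Profile:
    """What a service or downstream vendor holds: data keyed by the DID it arrived with."""
    did: str
    data: Dict[str, object]


class Ledger:
    """Stand-in for the DID registry on the blockchain (assumption: just a set of revoked DIDs)."""

    def __init__(self) -> None:
        self.revoked = set()

    def revoke(self, did: str) -> None:
        self.revoked.add(did)

    def is_active(self, did: str) -> bool:
        return did not in self.revoked


class Service:
    """A website or AdTech vendor. It keeps every profile it ever received."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.profiles: Dict[str, Profile] = {}

    def receive(self, did: str, data: Dict[str, object]) -> None:
        self.profiles[did] = Profile(did, dict(data))

    def forward(self, did: str, vendor: "Service") -> None:
        # A vendor further down the chain gets the same DID-keyed copy.
        vendor.receive(did, self.profiles[did].data)

    def linked_profile(self, did: str, ledger: Ledger) -> Optional[Profile]:
        """The profile as attributable to a live identity; None once the DID is revoked."""
        if not ledger.is_active(did):
            return None
        return self.profiles.get(did)


class Wallet:
    """The user's mobile management app: one master identity, a fresh pairwise DID per service."""

    def __init__(self, attributes: Dict[str, object]) -> None:
        self.attributes = attributes
        self.connections: Dict[str, str] = {}  # service name -> currently active DID

    def connect(self, service: Service, consented: List[str]) -> str:
        # New random key material per connection; the identifier is derived from it, so
        # DIDs used with different services are unlinkable by construction
        # (hypothetical did:example method, not a registered one).
        key = secrets.token_bytes(32)
        did = "did:example:" + hashlib.sha256(key).hexdigest()[:32]
        # Selective disclosure: only the consented attributes leave the wallet.
        shared = {k: self.attributes[k] for k in consented}
        self.connections[service.name] = did
        service.receive(did, shared)
        return did

    def revoke(self, service: Service, ledger: Ledger) -> None:
        # Revocation unlinks the data from the user; it does not delete any copies.
        did = self.connections.pop(service.name)
        ledger.revoke(did)


def run_scenario() -> dict:
    """Constructed walk-through: connect to two services, forward one profile, revoke, reconnect."""
    ledger = Ledger()
    alice = Wallet({"email": "alice@example.invalid", "age_range": "25-34", "interests": ["games"]})
    shop, news, adtech = Service("shop"), Service("news"), Service("adtech")

    did_shop = alice.connect(shop, ["email", "interests"])
    did_news = alice.connect(news, ["age_range"])
    shop.forward(did_shop, adtech)  # the shop passes the profile down the AdTech chain

    alice.revoke(shop, ledger)
    did_shop_again = alice.connect(shop, ["interests"])  # the "new anonymous account"

    return {
        "pairwise_dids_differ": did_shop != did_news,
        "news_sees_only_consented": news.profiles[did_news].data == {"age_range": "25-34"},
        "adtech_still_holds_copy": did_shop in adtech.profiles,
        "adtech_can_link_after_revoke": adtech.linked_profile(did_shop, ledger) is not None,
        "shop_can_link_after_revoke": shop.linked_profile(did_shop, ledger) is not None,
        "news_unaffected": news.linked_profile(did_news, ledger) is not None,
        "reconnect_gets_new_did": did_shop_again != did_shop,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario prints the seven checks; the two `*_can_link_after_revoke` entries come out `False`, which is exactly the point: the copies persist at the shop and at the vendor it forwarded to, but neither can resolve them to a live identity any more, while the unrelated `news` connection is untouched.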
Photo by William Iven on Unsplash