Savings in the millions and increased privacy beckon thanks to blockchain
With the arrival of the latest technologies, privacy concerns among government and citizens are growing. Blockchain actually offers opportunities to better protect privacy, according to Techruption program manager Pieter Verhagen. Verhagen focuses on the development of a self-sovereign identity framework, among other things, on behalf of research institute TNO. This framework is designed to help supply official information in digital form without sharing personal data. Potential cost savings? “Over one billion Euros in the Netherlands alone.”
The most we might notice is the bother of having to make copies or waiting in line at city hall.
Law-abiding citizens can’t get around it; from the application for a parking permit to securing a mortgage, providing personal data is a requirement for everything. This can and must change, Pieter Verhagen says, who believes that we reveal sensitive information about ourselves, in “unnecessarily high quantities, and often.” Verhagen is the blockchain business development manager at the TNO research institute, one of the founding partners of the Dutch Blockchain Coalition. At Techruption, he is responsible for the “blockchain co-creation program”. TNO supports pioneering parties, among others, in their research into and development of what is known as a self-sovereign identity framework (SSIF). This is a platform that is designed to enable citizens to meet the previously mentioned requirements, without having to share personal data with a variety of parties. The potential cost savings are substantial. According to Verhagen’s “guesstimate based on common sense”, seven million Dutch households spend a total of over one billion Euros for these checks on personal data each year. These are costs we hardly think about considering they are part of much larger amounts in duties and taxes. Besides, the processes involved are usually digital. “When a non-digital process is involved, the most we might notice is the bother of having to make copies or waiting in line at city hall.”
In the tension between the ever-growing data landscape and the related increase in privacy issues, data minimization is becoming even more important. From a criminal perspective, the gigantic data streams in combination with the Internet of Things offer countless new opportunities for questionable practices. However, there are plenty of question marks associated with even well-intentioned use. In 2017, the Belastingdienst (Dutch Tax and Customs Authority) was the target of harsh criticism due to possible leaks of confidential information. Even though an investigation did not result in criminal prosecution, the incident proved once again how crucial it is for us to continuously study how to handle this type of data and the ways it must be protected. Our data is not only stored in government databases, there are also numerous other parties that know our names, where we live, when we were born and other sensitive facts. The upcoming enactment of the General Data Protection Regulation (GDPR) aims to ensure better protection for the privacy rights of EU citizens starting on May 25 of this year. Organizations processing personal data will be accountable and must carry out a data protection impact assessment in certain cases.
The self-sovereign identity framework is based on the principle that citizens must have as much control possible over their identity information and only share a minimum amount of personal data with others. Personal data is managed and stored in encrypted form in a wallet on one’s own cellphone. When used correctly, this information is only accessible to the owner. Put simply, blockchain technology is used to provide official confirmation that someone is who they claim to be, and satisfies the demands set by these parties. Verhagen: “This enables certificates issued by accreditation bodies about other parties, public keys for signatory parties and explicit user content to be registered in the blockchain. The types of things that are not registered include sensitive data such as personal data and certificates about individuals.”
Example: After undergoing leg amputation surgery, Jan needs a wheelchair. His application is being processed by the responsible municipal authority which, in accordance with the Social Support Act, evaluates whether or not he is in fact entitled to the medical device. Jan has to share a variety of personal information, such as his name and date of birth. In the event of doubt, a WMO (social support) consultant can also request medical records – provided Jan gives official consent for this. The transition to the self-sovereign identity framework entails a simplification of these types of processes. Filling in personal information and any consultation of extremely sensitive medical records is no longer necessary, program manager Verhagen says. Instead, Jan needs to add a certificate to his wallet, namely the official confirmation of the fact that he needs the wheelchair from a medical point of view. “This certificate is digitally signed by the public key from an accredited doctor. The system automatically verifies all the parties involved. In this case, an example would be a digital signature from the Ministry of Public Health. This is handled via publicly accessible certificates which are not stored in someone’s personal wallet.” It might sound complicated, but in theory, SSIF irrefutably proves that Jan does have the right to the wheelchair, and he will retain considerably more privacy and control over his data than is the case in the current situation.
After the hype
Health care is one of the many areas in which SSIF can offer a solution, according to Verhagen. “Discussions with health care insurer CZ about research into these types of application possibilities are ongoing.” In the meantime, Techruption participants APG, TNO, Accenture, Rabobank, the Volksbank and the Chamber of Commerce have developed mobile apps. This first demo targets registration with the Chamber of Commerce. Prospective entrepreneurs can verify their identities a lot easier at the Chamber of Commerce using an (SSIF) app. The Dutch Blockchain Coalition’s action agenda cites reliable identification and authentication as prerequisites “for nearly every blockchain application.” Blockchain solutions for the identification of people, legal entities and objects take priority. “First of all, we need a good digital identity to use in a variety of blockchain applications,” Verhagen clarifies. “After that, blockchain technology can be used to put the self-sovereign identity framework into practice, for example.”
His enthusiasm about the “potential social added value” is obvious during our conversation, which incidentally had to be conducted via a WhatsApp video call due to his full schedule. Admittedly, there are still a whole lot of issues that need to be tackled before it becomes clear whether or not SSIF is a realistic option for reducing data streams and the corresponding costs in our society. Legal validity is just one of them; the matter of who should be legally responsible for the data (citizens, government, business or all three?) is another point that will undoubtedly lead to further discussion. Questions involving market forces and earnings models are also inevitable. Ideally, citizens should have access to their own data free of charge. In Verhagen’s view, the “most sensible scenario” is perhaps payment to the party granting the certificate, which would not require citizens to get out their wallets; the organization that needs the certificate should be responsible for this. He emphasizes that blockchain is not a silver bullet. Technology does however force everyone, from government to business, to be more open during research projects on future use. “The fact that some companies explicitly mention blockchain in praising their services says something about the strange times we live in. Once the hype has blown over, the real potential of blockchain technology will remain intact: the simplification and decentralization of processes which simultaneously offer better guarantees for the protection of our privacy.”
Pieter Verhagen (1980) doesn’t believe in “the full decentralization of our identity.” “There has to be an anchor somewhere, the verification of information that other parties can trust.” The fact that the self-sovereign identity framework holds a personal appeal for him is not surprising for someone who says that he protects his own privacy-sensitive data. “At home, I’m always complaining about the importance of being careful with this type of information.” Due to the risk of identity theft, as negligible as it may be, he is only willing to share his year of birth; he keeps the date, month and place to himself. Verhagen is based in The Hague for his work for TNO, one of the organizations that have taken the lead with Techruption. Pieter Verhagen is married, has three children and lives with his family in Rotterdam.