What are the architecturally-significant use-cases for identity?
Some of the most interesting uses for cryptocurrency technology in finance are securities processing, supply chain finance and derivatives operations. These are areas where there should be almost total automation but there are, in reality, still large amounts of manual processing, rework, reconciliation, complexity and endless opportunity for confusion and dispute.
To help think about how blockchain technology could play a role, I suggested the “trust bundles” concept as a way to think about which aspects of a given business, such as securities exchange and settlement, could be moved onto a decentralized consensus system – and what benefits might accrue.
However, there’s a big problem that needs to be addressed before many of these opportunities become realistic. That problem is identity. The anonymity (or pseudonymity) of Bitcoin may be great for some use-cases but it doesn’t help a firm accused of paying a “crypto dividend” to a terrorist if they have no way of proving they didn’t!
So let’s imagine we’re living in the future… Smart property technology means that securities can be issued and traded on a blockchain-like system and smart contract technology has allowed us to move all derivatives contracts onto a global platform.
What identity problems would we need to have solved for that future to come true?
Smart Property Issuance
Imagine you’re an investor. You have a Smart Property wallet. Perhaps it contains multiple cryptocurrencies, some bank-issued fiat currencies and your equity portfolio, safely secured with a multi-signature scheme.
You decide you want to add some IBM stock to your portfolio. So you instruct your wallet to place an order on a decentralized equities exchange.
What do you place the order for?
What do you physically type into the user-interface to tell it you want IBM stock and not somebody else’s stock?
It would be nice if you could simply type “IBM”.
But how would that work? We’re in a decentralized world, remember. We’ve “unbundled trust”. So how should the wallet interpret “IBM”? Which asset on the decentralized ledger represents the “real” IBM? A Namecoin-like system doesn’t help if a “cryptosquatter” took the IBM name before the real IBM did.
And, in any case, what do you mean by “IBM”?
Intuitively, you probably mean something like: “The big American IT company based in Armonk, New York that had 2014 revenues of about $100bn and is a component of the Dow”. Or something like that. But how to capture that intuition in a way that a decentralized network can interpret?
And how to distinguish the security you want from something similar (and legitimate) issued by somebody else? And, of course, how to distinguish it from a security issued by a fraudulent third party who is trying really hard to fool you into buying their product?
In a pseudonymous world, how do I distinguish “real” blockchain assets from scams?
One really unimaginative way would be to do what we do today: just decide to trust somebody to do the mapping for you. Tell your wallet that you trust Bloomberg or Markit, say, to maintain a directory and you’re done. This would be an oracle service, in effect.
But this is a new point of centralization. Whoever controls that list can extract a rent and they are a source of risk: what happens if their database gets hacked or a rogue employee changes the records? Maybe having multiple oracles is the way forward.
Alternatively, perhaps we can use the internet X.509 Certificate system as a model. But even that would require some thought: you don’t want your webmaster issuing a $1bn bond!
What does it mean to be an issuer?
But we also need to think about it from the perspective of the issuer and this is altogether more difficult. To keep things interesting, let’s use a currency example this time.
Imagine we’re still in the future and I am a customer of Citi with a $1M balance. I could ask Citi to issue a token on the blockchain representing this balance and send it to my wallet. My balance in my Citi account would be converted into ownership of a token representing $1M USD. (I shouldn’t need to state it but I will: I chose Citi purely as an example. I have no insight into their plans, if any, in this space!)
Richard is a Citi customer. Citi converts Richard’s balance into a “CitiUSD” token on a blockchain and sends it to Richard’s “1RICHRD” address
So I would now be a holder of a 1M CitiUSD token, owned by my “1RICHARD” address. Note that this is essentially what happens when I use a gateway on the Ripple system but let’s assume we’re on a blockchain system for now to keep things consistent.
Aside: imagine if all banks did this… we could have CitiUSD, ChaseUSD, BarclaysGBP all issued on the same platform. Perhaps they’d trade at different prices based on market perception of their credit-worthiness? Prices as a function of CDS spreads perhaps?
Now, Citi would know exactly who I was: I was already a customer, remember, and they needed to know my blockchain address to issue the token to me.
But think about what happens next. I now have full control of this token.
So I could send it to anybody else in the world. And that person would now own a token representing a claim of $1M against Citi. Let’s imagine I bought a house from Charlie and paid using my CitiUSD tokens, sending them to his blockchain address, 1CHRLIE.
I “pay” Charlie with my CitiUSD tokens. So Charlie now owns the claim on Citi. But Citi had no part in this transaction…
What would Citi think about this? Who is “1CHRLIE”?? Are they already a customer? If not, how do they know if “1CHRLIE” is a “good guy” or not? Is Citi obliged to pay $1M upon presentation of the token?
More trickily, what happens if the token has passed through the hands of a “bad guy” at some point between issuance and redemption? Sure – the initial owner of the token might be OK – and the person presenting the token some time later for redemption might also be OK. Perhaps we do know that 1CHRLIE is Charlie and that Charlie is a Chase customer and we’ve double-checked with Chase. But do we need to know who has held the token in the intervening steps?
Do we need to know the identities of everybody who has ever owned a token?
What if one of the intermediate owners was 1TRRST, aka “Terry the Terrorist”?
You can be pretty sure we do need to know something about them. Good luck if you try to tell your regulator that these tokens are “bearer assets” that are morally equivalent to cash!
So, leaving aside the possibility that we just don’t go down this road at all, what are some of the options for making this work?
I think there are two broad options:
Option 1: Ex-Ante Prevention – The Issuing Bank “Co-Signs”
This option is pretty simple. You change the model so that these assets are not bearer assets. Holders of Citi tokens need to get Citi to co-sign any blockchain transactions that move the asset. So Citi gets the chance to vet the recipient and check they’re happy owing them money. You can think of this as “ex ante prevention”. It would work, of course, but it would heavily constrain the usefulness of such a system.
Option 2: Ex-Post Prevention – The Bank Won’t Pay Up Unless You’ve Behaved Yourself
This option is more interesting. You can send the token wherever you like, but if you want to redeem the token for real USD, the bank will ask you to prove that everybody who ever owned it was a “good guy”. If you can’t prove a clean ownership history then the token is worthless; the bank won’t pay up.
Leaving aside the question of what we mean by “good guy” and the natural worry that this could give banks an excuse to renege on their commitments, how might you do it?
First, let’s cover off the obvious option. The obvious option is simply to say: “We’ll only redeem a token if its ownership chain consists only of Citi customers”. Or perhaps you could extend it and say: “We’ll only redeem a token if its ownership chain consists of customers of the following banks”. The latter approach might pave the way for an industry “register” that maps bank identifiers to blockchain addresses. Again, we’re back to centralization and the very real risk of a “balkanization” of the system: you would effectively have “white” addresses and “black” addresses – those that can hold banking-system assets and those that cannot.
If several of my readers are about to explode in outrage, bear with me because this isn’t what I’m proposing…. Happily, there could be another way.
“Identity is the New Money”
I was fortunate last week to attend Consult Hyperion’s “Digital Identity” unconference at Barclays Bank’s “Escalator” venue in East London. Our host, Dave Birch, encouraged the audience to really exert themselves to think deeply about questions of digital identity. It gave me the motivation I needed finally to read his book, “Identity is the New Money”. I recommend it. It’s short, snappily written and made me think.
One of his key themes is that we’re thinking about identity all wrong. Most of the time when we think we need to know who somebody is, what we actually need to know is something about them:
- A bartender doesn’t need to know your name; they just need proof you’re over 18.
- A UK doctor doesn’t need to know what town you were born in to know if you’re entitled to free healthcare.
- … and so on
Similarly, and at a very conceptual level(!), what an issuer of USD tokens on a blockchain needs to know is probably something like:
- The actor who controls an address is a legal person…
- … and this person has a US bank account…
- … and somebody has studied this person’s identification documents closely and has no concerns about them…
- … and whoever is making these statements about them is trusted by the issuer of the tokens (say Citi)
Now, I say “conceptual”, because AML, KYC and CDD regulators might not see things this way yet but let’s keep going…
What these concepts all have in common is that they have this idea of a “certifier” – somebody or something that:
- Is trusted by the issuer
- Ties something I have (my face or my blockchain address) to something I am (“over 18”, “a holder of a US bank account”, etc)
If you trust the certifier then you can trust that somebody proving ownership of the face or the address is over 18 and a holder of a US bank account, etc.
What does a bank need in order to be satisfied?
So now let’s return to our currency example. Remember the problem we’re trying to solve: If I am Citi, I want to be sure that anybody who has ever held one of my tokens is somebody I am allowed to transact with.
So how could we achieve this without a centralized database? Well, imagine Charlie is a customer of Chase.
- Let’s assume Chase knows who Charlie is and is satisfied that Charlie is a good guy.
- So if Charlie can prove to them that he controls a particular blockchain address, they might be willing to issue him with a “certificate”
- This certificate might say: “I am Chase. Here’s my proof. I know who is the owner of address 1CHRLIE…. That person is a US Citizen and, as of 3 December 2014 was a retail customer, with a good account history and no warning signs on his account”
And perhaps I could get a certificate from Citi that says they think I’m a “good egg” and one from the UK government confirming I’m a UK citizen:
Could asset issuers use certificates from third parties they trust to satisfy their regulatory and other “client due diligence” requirements?
So now we have something really interesting.
An issuer can set down their conditions when they issue the asset. They could say something like: “I will redeem this asset at par if the redeemer can prove that they and every intermediate owner was a US citizen with a KYCd US bank account. I will accept proof from any FDIC insured bank”.
So if I was considering buying a CitiUSD token from somebody, I no longer care who they are. I just care that they possess one or more certificates that comply with the conditions that were specified in the definition of the asset. My wallet software could even check it automatically for me.
And when somebody wants to redeem the token, they simply return it to Citi, with the chain of certificates and Citi can immediately tell that the token has only been in the hands of people with the attributes it specified. No need to reveal my identity to anybody and no central third parties we need to trust. If somebody does need to figure out the identity, they can get a court order and the certifier will reveal it.
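To make the redemption check concrete, here is a sketch of what the issuer (or a wallet) would run over a token's ownership chain. It is an added example, not code from any real system: the certificate fields, attribute names and certifier keys are all constructed, and HMAC stands in for the public-key signature a real certifier would use.

```python
import hashlib
import hmac
import json

# Constructed certifier keys. HMAC stands in for a public-key signature here;
# a real certifier would sign and the issuer would verify with its public key.
CERTIFIER_KEYS = {"Chase": b"chase-demo-key", "Citi": b"citi-demo-key",
                  "MuleBank": b"mulebank-demo-key"}

def _mac(certifier, address, attributes):
    body = json.dumps([certifier, address, sorted(attributes)]).encode()
    return hmac.new(CERTIFIER_KEYS[certifier], body, hashlib.sha256).hexdigest()

def issue_certificate(certifier, address, attributes):
    """Certifier attests that whoever controls `address` has `attributes`."""
    return {"certifier": certifier, "address": address,
            "attributes": sorted(attributes),
            "sig": _mac(certifier, address, attributes)}

def certificate_satisfies(cert, address, policy):
    """True if cert is for this address, from a trusted certifier, validly
    signed, and covers every attribute the issuer demanded."""
    if cert["address"] != address:
        return False
    if cert["certifier"] not in policy["trusted_certifiers"]:
        return False
    expected = _mac(cert["certifier"], cert["address"], cert["attributes"])
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    return set(policy["required_attributes"]) <= set(cert["attributes"])

def check_redemption(ownership_chain, certificates, policy):
    """Return (ok, offending_address). Every owner, intermediate ones included,
    needs at least one certificate satisfying the issuer's policy."""
    for address in ownership_chain:
        if not any(certificate_satisfies(c, address, policy) for c in certificates):
            return False, address
    return True, None

# The issuer's redemption conditions, fixed when the asset is defined.
POLICY = {"trusted_certifiers": {"Chase", "Citi"},
          "required_attributes": {"us_citizen", "kyc_us_bank_account"}}
```

The check establishes attributes of whoever the certifier vetted for an address, not who holds that address's private key today, so it does nothing about a black market in certificates.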
Reality is more complex. In particular, how to stop a black market in certificates? e.g. a “mule” obtains a certificate for a blockchain address and then turns over the certificate and the address’s private key to a bad person. A difficult problem to solve but probably not unsurmountable.
But the underlying principle is absolutely crucial: if we’re moving to a world where trust is unbundled and control is decentralized, we need to rethink identity. Anchoring it in a diverse set of “certifiers”, who attest to the linkage between something I have (a blockchain address? My face?) and something I am (British, Over 18) surely has to be the way forward.