区块链如何杜绝身份盗窃？

我们无法掌控自己的个人身份信息，这是一个问题。一直以来，通过谷歌可以搜索到一个人的生日和家庭住址，现在访问这个黑网还可以找到许多依旧珍贵的信息，如社会保障号码，银行账户，医保详情以及令犯罪分子垂涎不已的一切数据。

之所以会出现这种情况，是因为作为消费者，我们更愿意选择便利，而不是保护个人隐私。多数人同意在线分享信息之前，从没有阅读过附属条款或进行深入的技术评估。我们不想为每一个账号记住一个密码，也不想每次在线购物的时候都要重新输入信用卡账号。相反，我们拱手交出了这些可以证明我们是谁的信息，结果就是，每一家公司和政府机构都成为了我们的身份信息的管理者，不论他们是否意识到了这一点。

但随着区块链技术的出现，隐私这个词可能重新变得名副其实。区块链可以控制信息，避免复制，这意味着自主权身份信息，或者个人可以控制存放在任何地方的私人信息的想法，第一次有可能变成现实。例如，伊利诺伊州区块链倡议（Illinois Blockchain Initiative）正在试点将出生证放到区块链上。他们希望创建自主权数字身份信息，由用户自己掌控，并可迅速安全地进行身份验证，不需要集中数据存储库。

杜绝身份盗窃

自主权身份信息不只是个绝妙的主意，还可以杜绝影响客户隐私的许多问题，包括尤为重要的身份盗窃。去年，美国有1,670万人遭遇了身份欺诈，比2016年增加了130万人。但实际受害者可能要翻一倍，因为人们往往并不知道自己的数字身份信息被泄露，直到他们准备买房或申请贷款的时候才发现，这时他们的财务生活早已一团糟。

利用区块链分布式总账管理身份信息，使诈骗分子在肆意破坏的时候很难不留下明显的数字痕迹。区块链分布式总账的原理是：区块链中的每一个区块均依赖前一个区块建立，这些区块的加密属性，增加了修改存储在现有区块中的信息的难度。区块链生成的记录是不可篡改的，这意味着对与个人相关的每一个标识符的修改，都会生成记录。该系统可防止数据管理机构的恶意行为，最终使身份盗窃更难以实施。

使每个人掌控自己的数据

区块链分布式总账的不可篡改记录，使个人可以掌控与其身份有关的所有信息，并确保信息准确。例如，对于护照或驾照等线下身份，目前尚没有一个被普遍接受的相对应的数字身份，因此人们每一次使用的时候，都会获得一组独一无二的标识符。这些私人信息形成了一个庞大的网络，最终用户很难跟踪，而且由于安全情况不同，并且时间上滞后，因此机构无法保证这些信息的安全。

而通过基于区块链的分散标识符（DiD），我们可以完全掌控自己的个人数据。实质上，分散标识符是一个存储在区块链分布式总账上的加密统一资源定位符，每一个标识符被分配给了用户身份数据中的不同部分，如姓名、出生日期和社会保险号码等。用户通过智能手机或电脑上的数字钱包应用，可以临时授予对其所选的分散标识符的访问权限。例如，今天你登陆一款新应用，通常要分享自己的姓名、电子邮件地址和其他基本信息。而有了分散标识符，这个过程变得更快更安全。应用将显示一个二维码，扫描二维码，数字钱包应用会自动在区块链内调用相关分散标识符，之后应用授予访问权限。

我们的身份信息中会发生变化的部分，如电话、职位、家庭住址等，会使个人隐私变得更加复杂，因为一个标识符可能在不同时间关联超过一个人。想想你在结婚后修改姓氏的时候，你需要更新多少信息？你必须修改护照、驾照、社交媒体账号、银行账户、医疗保险等等，这个令人头疼的过程可能至少耗时几个月。而有了分散标识符，更新信息变得更便捷；更新分散标识符时，相关服务会自动获得更新的信息。这个过程胜过让错误信息肆意传播。

注意：这项工作仍在进行当中

任何颠覆性技术的成熟都需要时间。例如，互联网背后的概念模型与通信协议 — 众所周知的TCP/IP，在诞生了30年之后才开始颠覆零售、交通等传统行业。

区块链上的自主权身份信息肯定大有前途，但依旧有许多问题亟待解决。首先是驱动力的问题：现有公司为什么愿意丧失对客户身份信息数据的控制？自主权身份信息并不符合企业的最佳利益，所以我们需要一家全新的公司，打造一个身份信息的区块链分布式总账。

另外还有其他技术问题需要克服。首先，真得有可能做到不可篡改吗？理论上，区块链是不可篡改的，它将扮演关键基础设施的角色，但这种想法需要接受大量测试，才能获得社会的信任。我们还需要确定如何安全准确地连接个人的物理身份与数字身份。区块链只存在于数字世界，无法保证用户的物理身份，这就增加了公司验证、链接和识别两种身份的负担。

这些问题进一步强调了强大隐私保护基础设施的必要性。其中必不可少的一部分是监管；在没有法律先例的情况下，参与基于区块链的身份信息生态系统的实体，必须接受风险、不确定性和无限的责任。我们需要一家值得信任的实体，就该系统的运行方式、制定一些合法的、可执行的规则，确定连接物理与数字世界的基础设施，奠定为消费者提供基本保护的安全基础。如果我们能做到这些，隐私将变成标准，而不是与己无关的事情。（财富中文网）

本文作者弗雷德里克·克里斯特为Okta联合创始人兼COO。

译者：刘进龙/汪皓

We lack control of our personal identities, and that’s a problem. Birthdates and home addresses have long been accessible through a quick Google search, but now a trip to the dark web will turn up the information many of us still hold precious: Social Security numbers, bank accounts, health insurance details, and whatever else a criminal may desire.

We got to this point because we consumers have historically favored convenience over privacy. Most of us don’t read the small print or do deep technical assessments before sharing information online. We don’t want to remember a different password for each account or re-enter credit card numbers every time we make an online purchase. Instead, we transferred ownership of the details that make us who we are, and as a result, we effectively put every company and government institution in the identity management business—whether they realized it or not.

But with the emergence of blockchain technology, the word privacy may regain its meaning. Blockchain’s ability to control information and avoid duplication means that self-sovereign identity, or the idea that individuals can control their personal data no matter where they are, could be a reality for the first time. For example, the Illinois Blockchain Initiative is managing a pilot program to put birth certificates on a blockchain. Their hope is to create self-sovereign, digital identities that can remain under a user’s control, capable of quick and secure validation without the need for a centralized repository.

The end of identity theft

Self-sovereign identity isn’t just a nice idea; it can put an end to many issues that impact consumer privacy, including, importantly, identity theft. Last year, 16.7 million people in the U.S. were victims of identify fraud, a 1.3-million-person jump since 2016. But these numbers only show half the story. Oftentimes, individuals have no idea that their digital identities have been compromised until they attempt to buy a home or take out a loan and find their financial lives in ruins.

Using a blockchain ledger to manage identities would make it extremely difficult for fraudsters to wreak havoc without leaving an obvious digital trail. Here’s how it works: Each block in the blockchain builds upon its predecessor, and the cryptographic nature of these blocks makes it hard to alter information stored in the existing blocks. The resulting record is immutable, meaning that changes to every single identifier associated with an individual must be logged. This system prevents malicious actions by data custodians, and ultimately makes identity theft more difficult to execute.

Putting individuals back in charge

A blockchain ledger’s immutable record is also what empowers individuals to take charge of all the information tied to their identity and ensure its accuracy over time. For example, since there isn’t a universally accepted digital equivalent for offline identity, such as a passport or a driver’s license, people are issued a unique set of identifiers for every single application they use. The result is a sprawling web of private information that end users struggle to keep track of, and organizations fail to keep secure thanks to inconsistent and lagging security postures.

But with blockchain-based Decentralized Identifiers (DiDs), individuals could regain complete control of their data. DiDs are basically a secret URL (which actually stands for Uniform Resource Locator) stored on a blockchain ledger, with each being assigned to the different parts of a user’s identity, such as their name, birthdate, and Social Security number. Using a digital wallet app on their smartphone or desktop, users have the power to temporarily grant access to the DiDs of their choosing. For example, when you sign up for a new app today, you typically have to share your name, email address, and other basic information. With DiDs, the process is faster and more secure. The app shows a QR code, you scan it, your digital wallet app automatically transfers your relevant DiDs over the blockchain, and the app grants access.

The changing parts of our identity, like phone numbers, job titles, and home addresses, further complicate individual privacy because it is possible for a single identifier to become associated with more than one person at different times. Think about all the details that must be updated if you get married and change your last name—you must change your passport, driver’s license, social media accounts, bank accounts, health insurance, etc.—the headache-inducing process takes months at least. DiDs empower individuals to swiftly update these details; when the DiD is updated, the services using your DiD automatically have the updated info. This process is much better than letting misinformation run free.

Caution: work in progress

Any transformational technology needs time to bake. For example, TCP/IP, the conceptual model and communications protocols behind the Internet we know today, was around for 30 years before it started disrupting legacy industries like retail and transportation.

The idea of self-sovereign identities on the blockchain is certainly promising, but there’s still a lot to figure out. There’s the issue of incentive: Why would incumbent businesses want to lose control of their customers’ identity data? Self-sovereign identities aren’t in enterprises’ best interest, so we’ll need a brand new player to build a blockchain ledger for identity.

There are other technical issues to overcome. First, is immutability really possible? In theory, a blockchain is immutable and would take the role of critical infrastructure, but this idea requires intensive testing before it can be trusted in the wild. We also need to determine how to securely and accurately connect individuals’ physical and digital identities. Blockchain only exists in the digital world and cannot guarantee the physical identity of the user, so this puts the burden on businesses to verify, link, and navigate the two.

These issues reinforce the need for strong privacy infrastructure. An integral piece of that is regulation; in the absence of legal precedent, the entities involved in a blockchain-based identity ecosystem would have to accept risk, uncertainty, and unbounded liability. We need a trusted entity to establish some legal and enforceable rules for how it will all work, infrastructure to bridge the physical and digital world, and the security groundwork to guarantee basic protections for consumers. If we can do these things, privacy will become standard, not a thing of the past.

Frederic Kerrest is the cofounder and COO of Okta.