Technical architect in GDS team urges caution over possibilities for distributed ledger technology in digital identities
The potential for using blockchain technology in public services has taken a second blow in a week, with a warning from the GOV.UK Verify team that there is a danger of government being carried away in the hype around the issue.
Adam Cooper, a technical architect working on the identity assurance programme under the Government Digital Service (GDS), says that blockchain could be useful in some areas, but that there is a need for caution and identity experts are not convinced that it can provide an effective approach to managing digital identities.
Blockchain emerged initially to provide a public ledger of bitcoin transactions, and has been developed to provide a mechanism to check the validity of, and audit, a chain of transactions. It involves the use of blocks of timestamped transactions, all of which are linked into a chain.
Cooper says the expectations for its use in managing digital identities are high but that to date there is little evidence to support them, and claims there are four “red flags” for architects and service designers:
- The technology is immature.
- There are security issues, such as the lack of management of cryptographic keys.
- It has shown poor performance at scale. This comes partly from the need for more storage, bandwidth and computing power as a blockchain grows longer.
- A lack of established standards.
He asks if blockchain revolutionises digital identities and says the consensus among identity experts is that it does not.
No visible requirement
“You can build distributed ledgers without resorting to the blockchain, and you can preserve privacy in many other ways,” he says. “Identity can be improved but it simply isn’t broken, so it’s hard to see where blockchain technologies are really required.”
He acknowledges that there are potential uses for similar technologies in the creation of immutable evidence chains for individuals wishing to prove their identity, for example where the individual is starting with no or minimal evidence and needs to build a chain of evidence over time, as is the case for refugees.
But the shortcomings highlighted above and the lack of real world examples create an outlook in which the risks of an implementation currently outweigh any benefit.
Cooper also suggests that other emerging technologies could soon look more likely than blockchain to support digital identities, citing the example of Swirlds – a software platform designed to build fully distributed applications that use cloud computing without servers.
But he argues that at the moment there are no options better than the protocols in place for digital identities – such as Security Assertion Markup Language and the OpenID Connect authentication mechanism – or ways of communicating trust, such as public key infrastructure.
Avoid a rush
“The reality remains that until the security, scalability, and operational issues already noted by respected experts are resolved there is no need to rush into the implementation of identity services based on blockchain,” he says.
This has come days after Chi Onwurah, the Labour Party’s spokesperson on the digital economy, warned that the Department for Work and Pensions’ pilot with the technology is creating worries over how the data of benefits claimants is being used.
The fact that Cooper’s warning has been published through the GOV.UK Verify blog suggests that it reflects the predominant thinking of the programme team, and points to a reaction against the momentum in favour of blockchain over recent months.
The Government Office for Science has published a report highlighting its potential, Government minister Matt Hancock has enthused over its potential, and a supplier of distributed ledger technology has become the first to win a place on G-Cloud.
But now that people around government are looking at the practicalities of implementing the technology there are worries – despite the fact that it has not been used in any UK government project to date – that some organisations may rush in before it can provide an effective solution.