Wed, Jun 23, 2021

How to secure smart cities through decentralized digital identities

GeoTech Cues by George Zarkadakis

China Digital Policy Technology & Innovation United States and Canada

At the recent G7 meeting in Cornwall, there was a consensus among democratic nations to offer viable alternatives to autocrats and autocratic governments. One of the areas where such an alternative can be clearly demonstrated is in smart cities. There, technologies advanced by autocrats are already establishing an alarming foundation for digital authoritarianism. For example, China is already setting the rules and industrial standards in facial recognition systems, as well as communication protocols for interconnected Internet of Things (IoT) devices. Chinese technology groups, such as Huawei, ZTE Corporation, Alibaba, and others are exporting “safe city” and “smart city” packages to scores of countries around the world, including Europe. Serbia’s capital Belgrade has installed a surveillance camera system that can monitor peoples’ behavior, recognize their faces, identify number plates, and assess whether “suspicious” activity is taking place. 

As 5G networks and IoT systems become the new communication and data layer of future cities, the question of who has control of and access to these networks, as well as the data they carry, acquires strategic significance. Beyond the obvious human rights threats, such as singling out persons for real-time surveillance, there are huge potential security risks too. Authoritarian regimes can gain access to data via back doors, or in extreme cases, activate a “kill switch” that would debilitate a city’s operations, triggering civil unrest. In exchange for operational efficiency, smart city surveillance systems pose the threat of controlling and coercing societies towards accepting illiberal authoritarianism while exposing themselves to security threats by foreign powers. If that’s what autocrats have to offer, how should democracies respond? 

Democracies should infuse the digital infrastructures of the future with democratic values and protect individual freedoms and liberties. In other words, they must ensure that the industrial standards and communication protocols of smart cities prevent citizen surveillance and security breaches “by design.” To do this, democracies must begin rethinking digital identities. A “digital identity” is the entity created each time someone registers an account in order to access a digital service by a Provider (e.g. a bank, a social media site, the government, etc.). Presently, each individual has multiple digital identities, with various account names and passwords, all stored in the various Service Providers’ infrastructures. This poses at least two major problems: first, data is siloed; second, data is exposed to security breaches whenever the centralized infrastructures of the Service Providers, which physically store and manage the digital identities, are hacked. Digital identities are applicable to non-humans too: robots, drones, or other smart devices (such as smart meters and sensors) also need to access services in order to connect to the IoT. 

A “decentralized” digital identity framework reverses the relationship of any user with multiple digital identities scattered over many service providers by putting users at the center. The user creates a unique digital identity that is owned by them. They then ask and receive credentials that prove their identity from various issuers, such as their government, university, or employer. For example, a university can send a credential proving that the user holds a specific degree. These credentials are issued using a unique public and private key and are verified using a public blockchain, creating the “decentralization” aspect of the new framework. Rather than a central authority managing the user’s identity, a decentralized, blockchain-based ledger would act as the trusted source of truth. The credentials themselves do not need to be stored on the blockchain. They can be stored in a “digital wallet”, i.e. a private data storage accessed only by the unique, personal, digital identity of the user. This data wallet can be hosted and secured anywhere (for example, in the user’s own computer or a cloud service). Each time the user needs to interact with a digital service, they do not need to expose all their personal data. For example, if the service requires that the user be above a certain age, the blockchain can verify this in a trusted interaction without the need to supply additional proof, such as a copy of a passport or a driver’s licence. By separating and decentralizing sensitive personal data from centralized digital services we not only protect privacy but also vastly improve data security. There is no longer a central “honey pot” of personal data for hackers to break into. Just like humans, smart devices can also have their digital identities decentralized and verified via a public blockchain. 

Decentralized digital identity frameworks could be the key to avoiding an Orwellian dystopia for the smart cities of the future and to establishing a liberal, democratic alternative to the authoritarian model, protecting privacy and enhancing security. A grand coalition of democratic governments, cloud providers, mobile network operators, chip and IoT component manufacturers, academic researchers, and entrepreneurs is necessary to establish the standards for commercial, decentralized identity frameworks.