The role of DLTs and decentralised identities
Update: ENSURESEC has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 883242.
As part of the H2020 ENSURESEC Project, an EU-funded innovation activity to strengthen the security of the e-commerce ecosystem, the IOTA Foundation and its partners have just reached the project’s second milestone.
A year into the project, the Foundation has developed the first implementation of two new tools (available on GitHub), namely the Immutable Audit Trail Tool and the Ecommerce-SSI (Self-Sovereign Identity) Bridge. The tools leverage the IOTA Streams and IOTA Identity protocols.
To measure the potential impact of our work, we reached out to a community of experts with an impact survey.
The survey aimed to understand the viability of our solutions and their relevance for the e-commerce ecosystem, by collecting opinions from experts not directly connected to the ENSURESEC project. Published on 16/3/21, the survey ran for three weeks. The set of original questions can be found here.
Before diving into the survey’s learnings, let’s first recap what the IOTA Foundation is actually building as part of ENSURESEC.
The figure below highlights the concept and tools along with their envisioned integration.
As mentioned above, there are two tools currently under development that will soon be tested in real-life pilots: the Ecommerce-SSI Bridge and the Immutable Audit Trail Tool.
The first is the Ecommerce-SSI Bridge. The Bridge provides a set of APIs for Issuers to export Verifiable Credentials (VCs) to a credential wallet (i.e., a customer app), and for Verifiers to receive VCs and verify their authenticity, i.e., that the Issuer is a recognised organisation and that the credential was actually issued to the wallet owner (i.e., a customer). Credentials are rooted in a Decentralised Identifier (DID, in W3C jargon). Underneath the Bridge is the IOTA Identity implementation.
For an example of where the Bridge will be used, consider the following. A bank that has verified the age of its customer uses the Bridge to let the customer obtain a signed verifiable credential stating their age. The customer can then log in to an e-commerce website and purchase a special medication that requires age verification. The e-commerce website can securely verify the customer’s age without needing to connect to the bank.
Among other use cases, the IOTA Foundation is considering verifying the identities and credentials of organisations (e.g., an authorised seller of medical devices) and of products when sold on an e-commerce website. This will help to remove the friction for Small and Medium Enterprises to access e-commerce marketplaces, maintain their security and be trusted by customers, which is one of the main objectives of the ENSURESEC project.
Our tool is well aligned with the recent EU announcement for a digital wallet and decentralised identity network.
Immutable Audit Trail Tool
The Bridge has also been integrated with the second tool the IOTA Foundation is developing for ENSURESEC, the Immutable Audit Trail. The Immutable Audit Trail Tool answers one of the most important needs of the e-commerce industry: to communicate and share trusted threat information in order to manage and prevent cyber-physical attacks. This need is similar to the one recently expressed by the Biden administration in its Executive Order to Improve the Nation’s Cybersecurity (Section 2). Sharing such information requires correctly identifying its source, to avoid fake and malicious information, as well as regulating who can access it, to prevent the risk of it being tampered with.
The Immutable Audit Trail Tool provides an API GW (gateway) towards the IOTA ledger that allows e-commerce systems to publish and subscribe to threat information. The ledger guarantees immutability, while the IOTA Streams framework provides access control. The SSI Bridge is used to establish and verify the identity of the parties authorised to write and read such information, thus guaranteeing the integrity of its source and avoiding misuse. All of this without the need for a central IdM (Identity Management system) or IAM (Identity and Access Management), which could easily become targets of cyber attacks themselves.
More details on the tools, tested use cases and APIs will be made available in a future and more technically detailed blog post.
In light of all the developments since the IOTA Foundation’s first proposal for the ENSURESEC project in 2019, now was the right time to check whether the project is on track by surveying current market sentiment.
Let’s dive into what we learned by surveying experts in our community on the role of DLTs and IOTA in e-commerce security.
The Survey Insights
Most of the received responses were from individuals familiar or very familiar with DLT. More than 60% of respondents declared themselves familiar with the technology as a whole and fairly familiar with the concept of Self-Sovereign Identities (SSIs).
Before sharing IOTA’s actual plans for ENSURESEC with our surveyed experts and evaluating their reactions, the survey focused on learning what role the experts would assign to DLTs in the general e-commerce ecosystem.
Most of them (57% of respondents) agreed that securing data sharing is an important feature, although not as important as authenticating and authorizing customers with DID (76% of respondents). We also asked whether they would see a role for cryptocurrencies in being used as a form of payment.
So, what about cryptocurrencies?
While there was general agreement that using cryptocurrencies could increase security, scalability and decentralisation, and allow users to pay more easily for exactly what they get in the case of timed services (with IOTA being acknowledged for its feeless microtransactions), using an open ledger to manage payments was also seen as a potential opportunity to build the reputation of payers: a sort of proof of honesty in the financial industry.
However, despite the opportunities provided by cryptocurrencies, respondents also highlighted the associated risks, including volatility, additional burdens (such as the need to pay capital gains taxes on favourable purchases) and missing regulations.
The above confirms we are on the right path, since we never planned to use IOTA as a currency in the e-commerce industry within the ENSURESEC project.
We have been experimenting with crypto as a currency in other domains (like energy) and we are aware of the risks. So, there were no surprises for us in the recent news about those who have recently tried this path of selling assets for crypto (smiley face).
Why is immutability important?
Because e-commerce is a complex ecosystem made of customers, sellers and distributors, immutably storing data on DLTs has a recognised value in guaranteeing assurance among the different parties. In particular, according to our survey participants it enables: 1) tracking product authenticity; 2) creating a more direct link from product to consumers; and 3) identifying responsibilities without the need for third-party auditors.
Why is self-sovereignty important?
According to the survey participants, decentralised identities are the only reliable tool for building the reputation of e-commerce actors, preventing scams and fraud, and white- or black-listing sellers and customers in such complex ecosystems. This in turn will allow product reviews to be improved, by verifying their authenticity and removing fake ones. By overcoming the limitations of Google and Facebook logins, Decentralised Identifiers (DIDs) also allow customers to easily log in to multiple services while maintaining control over their data and avoiding third-party reselling; they allow second-factor authentication and smooth age verification, and guarantee delivery to the correct customer.
These last two are, coincidentally, two of the planned use cases to test IOTA Tools with ENSURESEC partners. More will be presented in the future when the project pilots take place.
Where else can DLTs be useful?
Most of the respondents focused on the use of NFTs (non-fungible tokens) and in particular suggested that DLTs and NFTs can:
- Better connect product-sale chains, i.e., the owner of product/token x gets a benefit/discount when purchasing product/token y. Post-sale information about product usage can be collected anonymously when attached to product identities. The same product identities could be used to provide updates on new product versions, book repairs or buy add-ons.
- Allow secure product purchase while avoiding cash-flow issues with non-stock items; automate tax and customs declarations; and reward and incentivise customers for the monetisation of their product data.
After all of this, are we on the right path with ENSURESEC?
After collecting ideas from survey participants on the possible benefits of using DLTs, SSI and cryptocurrencies in the e-commerce domain, our investigation focused on collecting feedback about what we are actually doing in the project. With respect to that, 60% of participants think it is good that we use the IOTA ledger to record immutable e-commerce logs for incident analysis.
Respondents were evenly split (50/50) on whether creating APIs that allow central access to ledger functionality is a good approach; those in favour note that it helps to reduce complexity when first introducing DLTs, but recommend that this central access be removed in future. However, while respondents agree that writing centrally is useful, they confirm that data integrity should always be verified locally.
This is exactly our ENSURESEC approach. Different systems can use IOTA Audit GW to write and verify data on the ledger using a REST Service deployed either locally or centrally, but avoiding the complexity of direct integration.
E-commerce data should be stored on a permissioned ledger, according to 50% of our respondents. This allows better handling of data regulations and protection. However, to prevent the risk that a permissioned ledger could be halted, some of the data could be permanently anchored to fingerprints stored on permissionless networks.
The permissioned infrastructure should be maintained by e-commerce providers or hosted by a public EU infrastructure.
We are on the right track here too, since we are investigating the use of an ENSURESEC private Tangle, or a mainnet connected to a private Chronicle network, managed by e-commerce providers. In future we might consider a data shard, as well as leveraging EU links from the ENSURESEC project to also investigate interconnection with the EBSI network.
We are also aligned with participants' feedback that personal data should not go on the ledger while product data can. This is why we are building decentralised identities with anonymous DID identifiers stored on the ledger while credentials are maintained off-chain. We are also protecting the confidentiality of product data by storing it in private IOTA Streams channels.
OK: we got the implementation right. But do our tools have a future for adoption?
We put this question to our survey participants. 80% of them believe that e-commerce login with decentralised identities will gain traction, as it is easier, reduces password fatigue, supports GDPR compliance and prevents fraud/identity theft. However, expectations for short-term adoption are moderate unless integration is easy.
For this reason we have decided to build an integration bridge that will simplify e-commerce systems and app integration, using one single framework. With integration being simplified and made more accessible, e-commerce providers can focus on a positive and easy user experience to engage their customers into the use of decentralised identities.
96% of participants also believe that SSI should be used for organisations too, with the following expected benefits:
- It allows easier and secure integration and interactions;
- It allows a reputation system to be built, so there is no central point of failure in the admission process to e-commerce marketplaces;
- It could serve to automatically attach credit scores to sellers that pay distributors on time;
- It improves on OpenID, as OpenID is still centralised and allows tracking.
What use cases should we focus on?
When it comes to decentralised identities, most respondents agree that decentralised identities for organisations should be explored and evaluated as a means of improving trade finance and building reputation systems. However, legal compliance remains a risk factor, as well as possibly facing resistance from organisations that want to profit from different established identity systems. New business models should be considered and it remains to be seen how decentralised identities can be monetised.
92% of participants agree that decentralised identities for IoT are useful for the following use cases:
- Verification, authenticity and product state
- Correct parcel delivery
- Monitoring of medical equipment distribution
- Trusted oracles, data sources
- Status and post sale monitoring, servicing
That is in line with what the IOTA Foundation is doing with ENSURESEC.
In fact, we are planning to use the identities of things and organisations to allow customers to verify seller identity (with the banks in the project consortium) and product authenticity from any e-commerce website (i.e., a signed authenticity credential issued by a verified seller will be attached to a given product identity). We are also planning to test our Ecommerce-SSI Bridge to share customer credentials and proof of purchase (with project e-commerce operators) with logistics operators (use case 2).
We will implement and test case 3 “Monitoring of medical equipment distribution” in a project which is about to start (SECANT, stay tuned for more details). Use case 4 “Trusted oracles, data sources” is also the main reason why we will connect other e-commerce monitoring tools to decentralised identities, before they share data using the Audit Trail tool.
The survey confirmed most of our and ENSURESEC’s assumptions, resulting from the discussions with e-commerce stakeholders involved in the project. It identified interesting use cases, in particular related to IOTA NFTs which were not considered for this project but which could represent an interesting direction for future projects in the e-commerce space.
The survey recognised that, despite competition from the Ethereum ecosystem, the IOTA ledger and tools remain feeless, greener, open, scalable and maintained by a not-for-profit foundation. Despite this, the challenge of adoption, in particular of decentralised identities, remains until a sustainable way of monetising it across such an open ecosystem is identified.
The use of the ledger for data assurance is easier when the right tools for integration are available, since it increases transparency and accountability in such complex ecosystems.
All of this is very encouraging for the IOTA Foundation. Our tools are almost finalised and final pilots’ use cases are shaping up. Stay tuned for more technical information on the IOTA e-commerce tools and the outcomes of their evaluation. By collecting and communicating proof of value from real demonstration scenarios, we are confident that we will also be able to promote their wider adoption during the course of the ENSURESEC project.