Blockchain and PII thoughts

Updated: Apr 12, 2020

Dutch security firm Gemalto’s blockchain product, aptly named the Trust ID Network, is aimed at users and service providers that need legitimate and verifiable Self-Sovereign Digital IDs, in which “attestations” issued by trusted parties are stored on the blockchain.

The good thing is that only the “attestations” will be stored on the blockchain, leaving users in full control of their personally identifiable information (PII).

A common misconception about blockchain is that, because it acts as an immutable distributed ledger, it would be the perfect platform for PII storage, and that such information should and would be stored on each chain.

The early stages of the blockchain technology adoption lifecycle prompted a series of Twitter threads dedicated solely to the argument that storing PII on any immutable ledger is a bad idea.

Earlier this year, Dan Gisolfi, IBM CTO of Trusted Identity, Blockchain Technologies, tried to debunk the blockchain myth and said:

“One of the most common myths surrounding blockchain and identity is that blockchain technology provides an ideal distributed alternative to a centralized database for storing personally identifiable information.”

In a nutshell, and to clear up any misconception, the Trust ID Network would provide privacy, security and immutability, along with streamlined integration for service providers and the ability to support mission-critical identity services. Moreover, it will keep your personal data off the blockchain. Gemalto’s executive vice president for banking and payment, Bertrand Knopf, even claimed that their app would solve the irregularities and weaknesses of traditional identity frameworks, which chronically suffer from “clumsy user experiences”, rising costs and problems in complying with stricter regulations.

It’s a no-brainer that the more information flows over the Internet, the more the identity of each individual is at risk. GDPR refers to ‘pseudonymization’ as a process in which the information is encrypted and cannot be read by other individuals unless they have access through a decryption key. However, due to the risk of re-identification, hashed or “pseudonymized” data can still be considered “personal data”. Considering this from a risk-reduction point of view makes Gemalto’s Trust ID Network much more sensible.
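
The re-identification risk mentioned above can be measured directly. The following is an added example, not code from Gemalto or from the original post: it assumes a constructed 6-digit member number as the PII, and every function name in it is hypothetical. It shows that a plain hash of a small identifier space can be matched by recomputing every candidate, while a digest keyed with a secret held off the ledger cannot be matched without that key.

```python
import hashlib
import hmac

# Assumption: the identifier is a constructed 6-digit member number,
# so only 10**6 values exist. Real identifiers (dates of birth, phone
# numbers, national ID numbers) often have similarly small spaces.
ID_DIGITS = 6


def plain_digest(identifier: str) -> str:
    """Unsalted SHA-256 of the identifier, as it might be written to a ledger."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_digest(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key kept off the ledger."""
    return hmac.digest(key, identifier.encode(), "sha256").hex()


def candidates():
    """Every value the identifier can take."""
    return (f"{n:0{ID_DIGITS}d}" for n in range(10 ** ID_DIGITS))


def reidentify(published: str, digest_fn):
    """Return the identifier whose digest equals the published value, else None."""
    for candidate in candidates():
        if digest_fn(candidate) == published:
            return candidate
    return None


if __name__ == "__main__":
    record = "048213"              # constructed sample value
    issuer_key = b"\x01" * 32      # constructed; a real key must be random
    other_key = bytes(32)          # what a party without the issuer key has

    on_chain_plain = plain_digest(record)
    on_chain_keyed = keyed_digest(record, issuer_key)

    # The plain hash is matched by walking the whole identifier space.
    print("plain hash  ->", reidentify(on_chain_plain, plain_digest))
    # Without the issuer key, no candidate produces the published value.
    print("keyed, no key ->",
          reidentify(on_chain_keyed, lambda c: keyed_digest(c, other_key)))
```

Whoever holds the key can still recompute the mapping, so the keyed digest remains linkable to a person for that party.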