MacManus: RealMe vs the decentralised web
RealMe's growth as a centralised identity service has been slow, until now. Richard MacManus examines the Government-run service's prospects in an era when decentralised systems cope better with hackers.
It’s an interesting time to be growing a centralised online identity service, like the Government’s RealMe. That’s because the current trend in web development is to decentralise. After seeing the damage done to our society in recent years by government-sponsored hackers let loose on large, centralised apps like Facebook, YouTube and Twitter, developers the world over are now exploring decentralised alternatives.
Yet RealMe is the complete opposite of decentralised. It’s a New Zealand Government-operated authentication service that you can use to log in to various government and other online services. If you’re a verified user, which requires more proof of identity, you can also use RealMe for things like applying for a passport or opening a bank account.
The question is, does RealMe’s centralised identity service still make sense in an online world that is now trending to decentralisation?
Decentralisation in this context simply means to take control away from a centralised authority (like the Government, or Facebook) and give that control back to individual users. Decentralisation is a big part of the appeal of blockchain, which is often defined as a distributed ledger. But there are non-blockchain platforms for decentralisation emerging too – and one of them is being built by the Web’s inventor, Sir Tim Berners-Lee.
Pod save the internet
Last week Berners-Lee announced a startup called Inrupt, which is developing a decentralised web platform using a new technology called Solid. As one of Inrupt’s developers explained, you will be able to “store every single piece of data you create in a place you want.”
Such a place is called a “data pod” and the idea is that you – the user – will choose which apps are allowed to access your data pod.
In other words the data is no longer coupled with the app, as it currently is with Facebook, Twitter and other centralised apps.
Now, arguably RealMe already does this for Kiwi users. Similar to Berners-Lee’s data pod concept, you store your personal identification data at RealMe and then use it to log in to other apps. The main difference is that with data pods, you’re free to store your data anywhere you like – you can even store it on your own private web server. Whereas with RealMe, there’s one (and only one) place to store your data: the Government’s servers.
But do Kiwis trust the Government to control such an important aspect of their online life (their identity)? Privacy concerns are at an all-time high in 2018, as are cyber-security threat levels. This has led to a sense of profound unease among many of us about where our personal data is stored and who has access to it.
RealMe has already had issues with privacy and security this year. In March, there was a phishing scam that targeted RealMe users. Then in August, Immigration New Zealand had to deal with privacy breaches by some immigration advisors, who had wrongly shared RealMe logins.
A well-designed decentralised service would be better suited to repel cyber attacks and avoid privacy breaches. As Ethereum founder Vitalik Buterin wrote last year, there are three key reasons to implement a decentralised system: fault tolerance, attack resistance, and collusion resistance (“it is much harder for participants in decentralised systems to collude to act in ways that benefit them at the expense of other participants”).
A Privacy Trust Mark
RealMe advocates might counter that if you’re going to trust any service to authenticate you online, the safest option is one run by the Government. Especially if that service has the seal of approval from the Privacy Commissioner.
In May, the Office of the Privacy Commissioner launched a “Privacy Trust Mark” and awarded one of the first two such marks to RealMe (the other went to Trade Me). Privacy Commissioner John Edwards said at the time that “RealMe’s data minimisation and user control practices are excellent.” He went on to say that “users can control when and where their identity information is shared and can review all of their transactions and revoke their consent at their discretion.”
Despite having this validation, RealMe has so far struggled to gain traction among New Zealand citizens. Last week RealMe announced it had reached half a million users, five years after it was launched by the Department of Internal Affairs and NZ Post. But it had originally projected 1.7 million verified accounts by the end of the 2017, over three times more than what it actually has now.
However, major traction for RealMe might not be far off. In March, management of RealMe was transferred from NZ Post to Internal Affairs. Given the number of essential services managed by Internal Affairs – passports, citizenship and marriages, to name just a few – this raises the likelihood that RealMe will, in time, be made mandatory for all NZ citizens.
And online voting?
The real end game of RealMe is online voting. While this won’t happen before the next election cycle and probably not the one after that either, eventually online voting will become a reality. Nearly everything else can be done online now – in many cases using RealMe – including paying your taxes and registering a birth. Voting is a holdout from the online revolution only because of ongoing cyber-security concerns, which are clearly a threat to democracy.
But it’s inevitable that online voting will replace paper voting at some point in the near future. And when that happens, it’s a fair bet that RealMe will become compulsory for all NZ citizens who wish to vote.
Even now, RealMe is hard for the average citizen to resist. If you want to renew your passport online, for example, you must sign up to RealMe. Who wants to fill out the paper form, go to a camera shop to get a printed photo, put it all in a paper envelope, buy a single stamp from your local dairy because you have no other use for stamps, and then attempt to find an increasingly rare letter box to post it? No, that’s all too difficult.
So the convenience of RealMe will reel you in, even if it takes years for online voting to arrive.
As for decentralisation, it clearly has promise in this current privacy and security focused era – particularly on the commercial web. However, centralisation will continue to rule when it comes to government services.