Self Sovereign Identity — a guide to privacy for your digital identity with Blockchain
The idea of Self Sovereign Identity is not new. In the same way that Bitcoin built itself on the shoulders of giants, the concept of decentralized digital identity has been explored for many years. In fact, it has its roots originating from the 1970’s when pioneers like Whit Diffie, Martin Hellman, and Ralph C. Merkle, creators of Public Key Cryptography aimed to help people protect their privacy in the new digital age of computers. Blockchain technology is the crucial breakthrough that is now propelling digital identity forward into the era of Self Sovereign Identity — a watershed powerful enough to reshape the future of the decentralized P2P economy.
The emergence of Self Sovereign Identity is a perfect storm of which all interested stakeholders are converging to make it happen. According to a 2014 study from CTRL-Shift, the cost of identity assurance processes exceeds £3.3 billion per annum in the UK alone. Just imagine the total cost globally. On one hand, Governments and companies are struggling to protect citizen and customer information from escalating cyber attacks. This includes a major event that compromised over a billion identities. On the other hand, there is an increasing awareness from Internet users around the world that there is no free lunch. When you are not paying for a service online, you are the product i.e. you are paying for it with your data. Data is literally becoming the fuel of the digital age, and the owners of that data literally have the keys to the future.
Self Sovereign Identity addresses all of these problems.
It can increase efficiency for companies to get the identity assurances that they need. It can prevent the massive data breaches that have become weekly headline news, it can also allow people to decide how their data is shared and monetized — earning them more of its real value.
People will be able to get all of these benefits without having to rely on third party “identity providers” such as Google and Facebook to store and share their personal data. Instead individuals will be able to have all their digital identity data at their fingertips, ready to share easily and selectively exactly how they wish.
To understand how this works, we will explore together the meaning of identity, something surprisingly difficult to pin down, and examine some of the applications that Self Sovereign Identity will enable to see the impact that this upcoming change will have on all our lives.
What is identity?
Identity is something difficult to agree on. Before the industrial revolution, identity was defined by family and the clan. Identity in the industrial society, as we know it today, is often related to “bureautic identity”, which is defined by our Passport or any other Government issued identity document. The next evolutionary step for identity could be defined by our social graph, as described by David Birch in his book “Identity is the new money”. It takes us back to the concept of identity of the pre-industrial era, but in a digital context. Our social graph is a representation of our true human relationships and not by social networks like Facebook.
From a functional point of view, identity can be the sum of attributes associated to a person (age, height, birth date, biometrics, etc), attributes accumulated over time (medical information, preferences, communication metadata, etc) and designated attributes (telephone number, email, Passport numbers, etc), but we can go beyond people and also talk about legal identities, identities of devices or assets which are often linked to human identity.
Types of digital identity models and Self Sovereign Identity
In general, there are two approaches to manage digital identity. The centralized model and the decentralized model. Self Sovereign Identity is a spin-off from the decentralized model and thus creates a third approach.
The centralized models can be divided into two. The Scandinavian and The Continental Identity models. In the Scandinavian model private companies (financial and telecom firms) provide a centralized digital identity service to interact with the government (TUPAS in Finland or BankID in Sweden etc). In the Continental model, Governments provide digital identity services to companies allowing interaction with their citizens. All these centralized models are described in an excellent World Economic Forum report published in August 2016 that can be downloaded for free.
Self Sovereign Identity takes on a different approach to the centralized model, its focus is not “who we are?”, but “what can I do?” as described brilliantly in the reference document by Christopher Allen about Self Sovereign Identity and the “Ten Principles of Self-Sovereign Identity”.
If we want to access a building or an event we often have to show our ID card. Does it really makes sense for us to be obliged to show sensitive private information such as our full name, address and more if the only thing required is whether we are authorized to enter by age or any other condition? The proposal from Self Sovereign Identity is that a simple question needs to get a simple confirmation or answer without having to reveal more about ourselves.
When you think in terms of a decentralized economy and society, really exciting things can start to happen. When people around the world become owners of their own information, this can be a catalyst to a new set of business models allowing completely new ways to interact. There are many different approaches to create the future of Self Sovereign Identity, that might also converge over time to be more compatible, like uPort on Ethereum or Sovrin (a shortener for Sovereign) on which Evernym is building its solutions as an example.
Why is Self Sovereign Identity important?
Our physical environments are becoming more interconnected and intelligent. We are getting intelligent cars, homes and shopping experiences depending on the person accessing a service as part of the custom made economy in which we will be interacting authorizing actions with our Self Sovereign Identity.
In this new digital identity model facilitated by Self Sovereign Identity two challenges will be solved: reputation and risk. Risk will be managed directly because people around the world will be able to share anonymized information for health, credit or other services controlling how information is shared allowing to apply an intelligence layer to it. Self Sovereign Identity could also allow for the creation of decentralized reputation models to establish trust in the Peer-to-Peer economy. Here are some examples:
Login and E-commerce with Self Sovereign Identity
In the future, we might not have to use centralized authorization services to access the Internet such as Twitter, Google or Facebook and instead we will use our Self Sovereign Identity to validate our identity without having to rely on third parties e.g. by using a mobile device. This will allow us to use our “real identity” or a pseudonym, depending on the context, knowing when to allow those services to monetize our information when needed. E-commerce might become a flat world where the big players e.g. Amazon or Alibaba will have to compete with other ecommerce players equally because authorization and payments could be natively digital as part of your Self Sovereign Identity in a P2P economy as proposed by decentralized protocols like Open Bazaar.
Banking with Self Sovereign Identity
Banks are under ever more scrutiny from regulators as part of KYC (Know-your-Customer) and AML (Anti-money-laundering) processes, therefore they need to fulfill increasing costs urgently. Because of this pressure, financial institutions around the world are exploring solutions to help their clients to transport their identities from one bank to another. This will allow any bank to benefit from the previous KYC and AML work done by a previous bank in the same recognized jurisdiction. While they know this lowers the cost of changing for their customers, their plan seems to be to compete increasingly through quality of products and service. At the same time, regulators are positive about this and are producing more regulation that supports the trend as the EU is currently doing with PSD2, GDPR and MiFID2.
Health data with Self Sovereign Identity
Similar to the web, our health information is also distributed in various silos. Self Sovereign Identity aspires to make us the owners of all our health information to be able to choose whom we give further access and allowing us to have access to our own information whenever we may need it. In the future, this should allow a doctor or hospital access to our data whenever we want them to. This method could even be used to help develop new medicines without putting our privacy at risk. Our smart watch could measure our pulse and blood pressure in real time and we could decide to donate or sell this information for scientific purposes or in exchange for products and services.
This is just a selection of an infinite number of potential use cases. In our next articles we will explore the precedents and models that have been tried and tested in the Digital Identity world before we could start dreaming about combining Blockchain and Digital Identity to get to Self Sovereign Identity. In our upcoming articles we will do a deep dive into the history of Digital Identity with the following phases: centralized identity model, federated identity model and user-centric identity model.
The future of identity will be a return to identity as defined by the web of trust that links all humans. To fully understand where we are going with Self Sovereign Identity, we need to know where we are coming from.
Special thanks to Rob Spitz for editing :)