Want to own your data? Start by owning your identity
Practically everywhere in the world, your first cry is almost immediately matched with the first verification of your identity: your birth certificate. This first claim, designed as proof of who you are, will be followed by countless third-party-issued certificates of your being, from passports and ID cards to health care cards and driver’s licenses. Without these endless proofs of our identity we could not function in today’s society: we could not work, drive, travel or be taken care of.
But the map of our identity is not limited to these physical artifacts. Since the advent of the internet, the need to create identities has multiplied. Platforms like Google, Facebook, Twitter, Spotify, Apple or Airbnb provide you with an identifier, a way to register the personal data that is relevant to them, together with a method to prove this data identifies you, generally a password.
Online identities, or siloed identities, have been designed around the different platforms and their needs. Users are secondary. Multiple systems are created to give these companies a tool to administer identifiers and attributes within a specific domain. In the meantime, users end up with multiple “personalities” that don’t even belong to them. Each identity belongs to the system where you created it, and you continue leaving a trail of identity breadcrumbs across the virtual world: a fragmented identity over which you have no control and from which you have no way to benefit.
But what if we didn’t have to create a new “personality” for every virtual relationship we want to establish? What if we could shift this identity paradigm and be the single holders of a unique proof of our identity? What if we finally had a tool to not only protect our private data but also to manage it?
This idea is called self-sovereign identity (SSI). SSI is based on the concept that we all are the makers of our own identity, online and offline. Because SSI does not rely on a centralized authority, self-sovereign identity systems are decentralized, matching the way identity works in real life.
In the SSI universe, the individual is the center and the focus of the system and exercises complete control over every transaction or exchange of data tracing back to them. With SSI, data storage and silos do not sit in the hands of platforms or corporations. Instead, the gathering, storing and processing of the data is decentralized across a flat data ecosystem. This is in direct contrast to the system created by third-party identity providers, where the user depends on middlemen to manage their data and any identity transactions.
With SSI, the user holds absolute control over a universally trusted, secure and portable proof of identity. SSI is built upon public and private cryptographic keys used to “sign” records. Private and public keys are unique to a user: private keys are used to sign and public keys to identify.
Let’s look at a practical example. You are enjoying a great night out with your friends and decide to head to a club to get your groove on. The doorman asks for your ID to let you in. In this offline world, the club is trusting the State that issued your ID to know your date of birth. Therefore, they are basing their decision to let you in on a decentralized verifiable credential granted to you by a third party (the State) and conveyed by you to the club’s doorman.
How does this example translate to the SSI online world? In this case, the State is the credential issuer, giving you, the credential holder, a digital representation of your ID. The State uses keys assigned to its decentralized identifier on the blockchain to sign this credential so anyone who receives it can verify that it was issued by the State. In your digital wallet, you hold your verifiable credential and can use the keys linked to a decentralized identifier that you control to countersign the digital ID. When the doorman asks to see your age, you can present your digital ID and he can verify its integrity, the issuer and to whom it was issued.
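The issue, countersign and verify steps described above, as an added Go example that is not part of the original article and is not Sovrin's code. It assumes an in-memory map in place of the ledger's DID documents, constructed `did:example:` identifiers, a simplified credential layout rather than the W3C format, and a verifier-chosen nonce (an addition, so that a presentation is bound to one request).

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

var ledger = map[string]ed25519.PublicKey{} // stand-in for on-chain DID documents (assumption)

// Credential is a simplified claim, not the W3C verifiable credential format.
type Credential struct {
	Issuer, Subject, BirthDate string
	IssuerSig                  []byte
}
// NewDID creates a key pair and publishes its public key under did.
func NewDID(did string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	ledger[did] = pub
	return priv
}
// claims is the byte string the issuer signs; %q keeps field boundaries unambiguous.
func claims(iss, sub, birth string) []byte {
	return []byte(fmt.Sprintf("%q %q %q", iss, sub, birth))
}
// Issue is the State's step: sign the claims with the issuer's private key.
func Issue(key ed25519.PrivateKey, iss, sub, birth string) Credential {
	return Credential{iss, sub, birth, ed25519.Sign(key, claims(iss, sub, birth))}
}
// Present is the holder's step: countersign the credential and the verifier's nonce.
func Present(key ed25519.PrivateKey, c Credential, nonce string) []byte {
	return ed25519.Sign(key, append([]byte(nonce), c.IssuerSig...))
}
// Verify is the doorman's step: integrity and issuer first, then the holder.
func Verify(c Credential, holderSig []byte, nonce string) error {
	ik, hk := ledger[c.Issuer], ledger[c.Subject]
	switch {
	case len(ik) != ed25519.PublicKeySize || !ed25519.Verify(ik, claims(c.Issuer, c.Subject, c.BirthDate), c.IssuerSig):
		return fmt.Errorf("issuer unknown or signature invalid")
	case len(hk) != ed25519.PublicKeySize || !ed25519.Verify(hk, append([]byte(nonce), c.IssuerSig...), holderSig):
		return fmt.Errorf("holder unknown or signature invalid")
	}
	return nil
}

func main() {
	c := Issue(NewDID("did:example:state"), "did:example:state", "did:example:you", "1990-01-01")
	fmt.Println(Verify(c, Present(NewDID("did:example:you"), c, "nonce-1"), "nonce-1"))
}
```

Changing `BirthDate` after issuance fails the issuer check, while a presentation signed over a different nonce, or with a key that does not belong to the subject DID, fails the holder check.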
One of the biggest players in the space is Sovrin, which is committed to building what they claim to be the missing identity layer on the internet. To accomplish this ambitious objective, Sovrin is conceived as a universal solution, capable of being incorporated into any blockchain that wants to integrate SSI.
Sovrin’s architecture is based on Decentralized Identifiers (DIDs), developed by the W3C, which enable “permanent, globally unique, cryptographically verifiable identifiers entirely under the identity owner’s control”. DIDs are stored on a blockchain along with a DID document containing the public key for the DID, any other public credentials the identity owner wishes to disclose, and the network addresses for interaction. The identity owner controls the DID document by controlling the associated private key.
In Sovrin, if a business wants to know something about you, it will send a request to establish a pairwise-unique DID relationship. When you receive the request, you can choose to approve it or deny it. If approved, you can send either a transparent proof (access to the relevant part of your actual data), or a zero-knowledge proof verified by the public key of the credential issuer, which tells the business whether or not you meet its criteria, but doesn’t say why.
Nevertheless, the potential is not limited to establishing pairwise-unique DIDs between previously known peers. It goes further into public DIDs, which could potentially be shared in an open data market. Right now, public DID use cases are limited to institutions, but they could also potentially expand to individuals if the appropriate changes happened within the GDPR, for instance. This could allow an institution to contact a previously unknown individual and request to establish a new pairwise-unique DID relationship. In this case, they would use Sovrin first to find one another and then to negotiate their relationship in a completely private channel, outside of the ledger, that is unique to that particular relationship and has no middlemen.
A public DID could be shared widely (similar to a website address) by the identity owner. Furthermore, an identity owner could make public claims using transparent proof through the agent endpoint.
Until now, use cases for a blockchain data marketplace have been mainly limited to the recording of data (or pointers/paths to data buckets) by the user/institution into a specific ledger. This has limited the scalability of the market by reducing it to a particular ledger and forcing the integration of the technology by all the actors. The implementation of an SSI has the capacity to create a public, open marketplace built upon a public permissioned ledger, where actors won’t exchange data but are able to establish a relationship and negotiate privately and securely outside of the chain.
“When we build interconnected systems without a core understanding of identity, we risk inadvertently compromising human dignity. We risk accidentally building systems that deny self-expression, place individuals in harm’s way, and unintentionally oppress those most in need of self-determination.”
Joe Andrieu
SSI is a relatively new and experimental idea, so it’s still being constantly polished and improved. For example, standards for DIDs and verifiable credentials are currently being developed to grant interoperability. The objective remains clear: to build a universal SSI system that promotes and protects human dignity, freedom, and self-determination.
Countless papers and articles have been written about the potential for blockchain to grant us control over our data. I, myself, have published a few. The possibilities seem limitless and the future is most exciting. Nevertheless, while we keep on dreaming, it is truly time to focus on building the foundations for this future in the blockchain. Understanding the importance of SSI and looking directly at projects like Sovrin is a great way to start. Our revolution will undoubtedly be powered by ideas and dreams, but it also needs systems architecture and code in order to be more than just castles in the sky.