Self Sovereign Identity and MyData

Antti Jogi Poikola
Nov 16, 2017

“Infrastructure for digital identity is key in the technical realisation of the MyData vision and there is lots of innovation happening in that area.”

Molly Schwartz in the MyData 2017 closing remarks

It is curious how the worlds of digital identity technologies and personal data management technologies are coming together. I started as a “personal data guy”, but I am slowly starting to speak identity jargon — you know, the issuer, verifier, claims etc. In this post I will tell the story of how I learned about the potential of Self Sovereign Identity and eventually got invited to the Board of Trustees of the Sovrin Foundation (I recommend the “Inevitable Rise of the Self-Sovereign Identity” as the first reading from the Sovrin Library). And, of course, how I see this all relating to MyData.


Self Sovereign Identity

If this is the first time you have heard about Self Sovereign Identity, I recommend Christopher Allen’s The Path to Self-Sovereign Identity blog post as a first intro to the topic.

Self sovereign identity (shorthand SSI), or decentralized identity as it is also called, is a lifetime portable digital identity for any person, organization, or thing that does not depend on any centralized authority and can never be taken away. It means that the identity is not controlled by any web giant that offers it as an authentication mechanism, nor by any government or other institution; it is truly yours.

Among the identity gurus, who love to create the standards and specifications for a safer and more functional web, the dream of SSI has been around for some time. The recent rise of blockchain and other distributed ledger technologies (DLT) finally offers a technically viable option for developing such an identity system that would not be under the control of any single organisation or consortium.

MyData Way of Sharing Data

Example “CV 2.0”: I’m looking for a job and filling in my CV info (competence profile) in a recruitment portal. There is an import feature which allows me to fetch my authenticated educational history from the national registry of educational degrees, how fancy! This could be done in a centralised manner so that the recruitment service, me and the national registry are somehow all connected to the same hub. However, that is not very scalable, and who would operate that one and only hub anyways?

We envision that instead of one hub, there should be a network of connection points that are interoperable and interconnected. In the MyData White Paper we call these connection points “MyData Operators”. Maybe the national registry would be connected to an operator run by the government [A], while I might rely on operator service [B] offered by a private company (or I might run the needed operator stack on my own cloud) and the recruitment service may be connected to the network via yet another connection point [C].

A DLT-based self sovereign identity infrastructure could work as the technical base to enable interoperability between different MyData operators. This is where I see the “personal data world” and “identity world” meeting.

Sovrin

A startup called Evernym participated in the MyData 2016 conference and has since become an active member of the global MyData community. Evernym originally developed the Sovrin ledger technology to enable Self Sovereign Identity. Developing global digital infrastructure can not (should not) be done by a single company. Evernym made the Sovrin code open source and helped to set up the Sovrin Foundation to carry on with the task of developing the global identity infrastructure in an open community. In early 2017 the Sovrin Foundation transferred the open source code base, originally contributed by Evernym, to the Linux Foundation, and the ledger development project is now known as Hyperledger Indy.

While the code development now happens in the open community nurtured by the Linux Foundation, the Sovrin Foundation focuses more on the development of the governance structure called the Sovrin Trust Framework.

In the Technical Foundations of Sovrin white paper, the MyData model is referenced strongly:

“This approach to personal data management under the identity owner’s control and consent is wonderfully synergistic with the vision articulated in the MyData white paper from the Finnish Ministry of Transport and Communications.”

The personal information management services or MyData operators, however we call them, could be mapped in Sovrin terminology to the “agencies” that offer the tools for people and organisations to access the Sovrin Identity Network.

Through autumn 2016 and spring 2017 we intensively studied the potential of SSI in general and Sovrin specifically in the Finnish MyData Alliance (a forum for companies, government and research institutes). This effort led to a joint project called TrustNet with six industry partners, three universities and external funding from the Finnish Innovation Fund Tekes. The project aims to build a trust network for distributed personal data management in Finland (with international scalability in mind) and to pilot it in several use cases more or less similar to the one I described above.

Sovrin Foundation

Last May I gave a presentation at the European Cloud and Identity (eic2017) conference in Munich. I was invited to the conference by Andy Tobin from Evernym to tell a bit about our experiences and plans regarding MyData and Sovrin in Finland. In the panel discussion after the presentations there was an audience question related to the role of the Sovrin Foundation — who has the decision making power there and how is it governed?

As my own opinion, I answered that for me the human governance in the foundation seems to be quite clear and transparent: there is a named Board of Trustees as well as a Technical Governance Board and a working group developing the Trust Framework. I appreciate the fact that the Sovrin governance is being developed alongside the technology, which is not the case in some other new blockchain initiatives which are much more tech and developer driven.

I continued that in my experience it had been quite easy to engage with the Sovrin community; people are open and accepting. To conclude, I voiced my concern that things might change. If the Sovrin promise of a global utility for self sovereign identity becomes even partially fulfilled, it means that there will be huge financial and other interests towards the system. If by that time the democratic and balanced governance structure is not “bullet proof”, it might open the door for powerful corporations to hijack the agenda, as has happened in some standardisation processes before.

Me in the Sovrin Board of Trustees and the MyData Community

Last August I got invited to join the Board of Trustees of the Sovrin Foundation. This was definitely an honour and an exciting challenge. I also knew that I may be seen as a less technologically neutral person in the MyData community if I am in an active and official role in Sovrin. To get some advice I consulted those people and organisations that actively contributed to the MyData declaration.

I did accept the invitation and I have now been a Sovrin Trustee for a couple of months (learning a lot!). From the consultation round I got a lot of valuable feedback and advice from the folks in the MyData community. Comments were generally supportive, but there were also some very important concerns. Below is the summary of responses, which I publish here in order to keep myself publicly accountable:

COMPETING SOLUTIONS

  • Sovrin is only one of many different potential solutions.
  • There are other approaches and interests than Sovrin.
  • What happens if an alternative to Sovrin emerges?
  • Will it have the same chance, sponsorship and support from key MyData people?
  • Will the same ‘neutrality’ remain for the start-ups named (and future start-ups) to validate their commercial objectives without fear of bias?
  • Does this indirectly or directly signal that Sovrin is the network sanctioned by MyData?
  • Interoperability will be the only way forward.
  • Take proactive steps to also be involved in other activities which might be said to be ‘competitive’ to the Sovrin approach.
  • Keep your mind open to all possible directions and architectures.
  • Being inclusive to everyone and being the wider spokesperson for the whole industry and taking on roles such as Sovrin trust to help promote not just Sovrin but the whole (in this case) self sovereign ID concept.

NEUTRALITY (or illusion of it)

  • None of us is neutral.
  • As a clear representative of a growing MyData community you need to be unspoken.
  • Implicitly you represent MyData in everything you do (or it will be perceived this way).
  • By being involved you will have a natural tendency both to adopt the viewpoint of Sovrin and to want to defend its interests.

COLLABORATION FOR COMMON CAUSES

  • The broad goals of the Sovrin Foundation are also clearly aligned with those of MyData.
  • Ensuring you feed the MyData declaration and mission into any organisation is a worthwhile endeavour.
  • More cooperation between different independent orgs (Sovrin, PDEC, Kantara Initiative, etc.).

CONFLICTS OF INTEREST

  • There will be some topics (competitive to Sovrin) that come up in MyData work where you will have to rely on the opinion of team members and withdraw your vote — likewise with Sovrin.
  • The key is about your belief that you can help both MyData and Sovrin to flourish without constraints, and that you can articulate the potential conflicts of interest.
  • Set yourself some hard and fast rules personally and hold yourself to those and put in writing your views for transparency.
  • Be aware of the different contexts and nuances that you encounter along the way, and be prepared to recuse yourself or even withdraw if the circumstances create a conflict of interest for MyData and/or yourself.
  • Deal with possible problems when they occur.

OPENNESS

  • Of course it’s important to be open about this.
  • Above all else, be transparent at all times to all parties.

OTHER ISSUES

  • Things change a lot if it’s a remunerated position — either salaried or through shares. [note: the position is not remunerated in any way]
  • Sovrin currently is not independent of Evernym. [note: Phil Windley’s blog post is worth reading on the topic]
  • Sovrin currently is seemingly US dominated. [note: I have started to work on this by suggesting strict limits on the distribution of the nodes in the network and by encouraging more non-US-based folks to participate in Sovrin]