The Path to Digital Sovereignty

What is Decentralized Identity? How does it work and why should you care?

Guido Sirna


Identity and Self-Determination

Human beings have a natural desire to be recognized and respected for who we are both as individuals and for the cultures, nations, religions, tribes or groups to which we feel we belong. For thousands of years, the way we relate to our identity has directly affected our well-being as societies and individuals. However, when we talk about “identity” we generally do not refer to our true essence, but to certain “identifiers” that other people, organizations or entities use to recognize us.

These identifiers can take the form of, for example, passports, credentials or memberships that in turn categorize us as citizens, students or members of a community, and are requirements for almost all the activities we carry out in our lives. Nevertheless, none of these documents by themselves represent our true “identity”. They are simply sets of labels or attributes that organize us in an administrative system.

Some indigenous tribes, such as the Maasai in East Africa, show their social status and belonging to the tribe’s traditions through the colors and designs of their tunics.

Unfortunately, this desire for identity does not always reflect a shared and universal vision of human dignity, but rather deviates towards manipulation, exclusion and the perception that others’ identities threaten one’s own. History has shown us many times how control over identity can lead to tragedies when it falls into the wrong hands. As sovereign human beings, our identity belongs to us, and it should not be limited or under the control of any organization.

Machines, not people

In the late 1960s, the US army created the TCP/IP protocol to interconnect machines and allow the exchange of information and resources over a network. The solution was so brilliant that it ended up becoming what we now call the Internet. But this protocol had been created to interconnect machines, not people, so nothing in it made any reference to who the individual, organization or entity using it was.

At that moment, the people participating in the network were a handful of academic computer scientists with access to expensive machines and technical knowledge. Most of them already knew each other, so there was no real need to identify themselves. Incredibly, today the Internet still operates under the same protocol, but it is no longer such a small club. Billions of people and devices, almost all unknown to each other, are connected to the network.

“The Internet was built without a way to know who and what you are connecting […] If we do nothing, we will face episodes of fraud that will multiply rapidly, eroding public trust.” — Kim Cameron, Chief Architect of Identity, Microsoft

The TCP/IP protocol was created by DARPA engineers to facilitate communication between devices, but it was not designed to verify the identity of the users participating.

The Cyberpunk Utopia

In the 1980s, the term “cyberpunk” belonged to a literary genre that described a cybernetic counterculture. Cyberpunks defended freedom of expression, freedom of information and privacy in communications in futuristic cities governed by anarchism and technology, facing ethical dilemmas and challenges derived from the technological omnipresence of dystopian societies.

In 1992, the literary genre crossed over to the real world when a group of hackers began communicating through an email mailing list with the intention of building tools to protect freedom and privacy on the Internet. At their first meeting, they decided to call themselves “cypherpunks”, defining themselves as “individuals who advocated for the widespread use of cryptography and technologies that enhance privacy as a means for social and political change”.

“Neuromancer” (1984) is one of the earliest and most well-known works of the cyberpunk genre. William Gibson predicted concepts like the Internet, virtual reality, artificial intelligence and biotechnology.

The fundamental ideas of the cypherpunks generated explorations in multiple fields related to defending privacy, freedom and crypto-anarchy. For example, some of the ideas promoted by famous cypherpunks such as Wei Dai, Nick Szabo and Hal Finney ended up influencing the creation of Bitcoin, one of the most important innovations of the century.

“Those present here aspire to a world where an individual’s digital fingerprints can only be traced if they decide to reveal them. There is only one way for this vision to materialize: through the widespread use of cryptography.” — Steven Levy

James Dale Davidson and Lord William Rees-Mogg had also prophesied about digital money in their book “The Sovereign Individual” (1997): “Electronic money will allow both businesses and individuals to transact directly with each other […] The information revolution will shift the balance of power from government and large organizations to individuals”. As in fiction, recovering control of information and privacy was the cypherpunk utopia.

Loss of Control

Cypherpunks had reasons to challenge the status quo. In the mid-1990s, the Internet revolution and its penetration into popular culture opened the valve that allowed organizations, companies and governments to collect, exploit and commercialize our personal data for decades, without regulation, without sanctions and without our consent. It also led to the proliferation of malicious individuals, groups and software programs that constantly try to deceive us about who or what we are really seeing. For decades we have witnessed an increasing loss of control over our identity, with an aggravating factor: the absurd amount of information available.

The result has been countless security breaches, such as the hacking of three billion Yahoo accounts in 2016 or of 200 million Twitter accounts in 2023, to mention just a few. More than 90% of American consumers feel they have lost control over how their personal information is collected and used. Identity theft affects more than 70 million people each year, and 80% of these breaches are due to compromised passwords (by 2017, the average Internet user had to manage 191 passwords). In 2023, damages from cybercrime cost $8 trillion.

The number, the scale and the economic impact of these incidents point to an underlying problem: the paradigm of identity on the Internet as we know it is reaching its limits.

Digital Identity on the Internet

Two main models have been tried to solve the problem of identity on the Internet:

  • Centralized model (Web 1): Users authenticate to services with a username and password that are stored in a database. If that database is breached or the service ceases to exist, users lose the ability to identify themselves to that service and therefore also lose access to their information.
  • Federated model (Web 2): Users rely on an intermediary service (an “identity provider”) to manage their credentials. For example, platforms like Facebook and Google store our data, and we delegate to them the ability to authenticate us to other services without having to remember multiple username and password combinations.

The federated model introduced major improvements in the user experience, but also serious issues regarding control over our digital identity. First, the large companies that concentrate our information have become “honeypots”: targets for hackers who, with a single attack, can get their hands on the data of millions of people. Second, vague privacy policies have led to major leaks and to opaque handling of our personal data, which is marketed, transferred or exploited by third parties.

The abandoned Presidio Modelo complex in 1995 (The Guardian). Unlike Foucault’s Panopticon, Internet users do not know that they are being observed in each of their digital interactions.

Most worryingly, this model has resigned users to a dynamic of subordination in which the only way to access digital services is to give up ownership and control over our privacy. Who we are, what music we listen to, what ads we see and what products we buy: the Internet has become a network of data concentrated on the servers of a few companies, a vital information source for hackers, governments and advertising companies. We have taken for granted that this is how the Internet works and have resigned ourselves to the fact that control over our identity no longer belongs to us. We have voluntarily submitted to a digital panopticon in which we are continuously observed, aggregated and monetized by centralized companies and powers.

But just because this is how it has worked so far, it does not mean that we must accept that it will continue the same way. The “Web 3”, which is built on the same principles and technologies advocated by the cypherpunks, paves the way for a new model of digital identity: the decentralized model.

The decentralized model is the paradigm for digital identity on the Web 3.

What is Decentralized Identity?

In 2021 I attended several bars and nightclubs in London where it was mandatory to take a photo and scan your document on a kiosk in order to get in. That information was digitized and stored on the servers of an external provider. People did not read or accept any privacy policy, they did not know where their data would end up or how it would later be used. They simply took it for granted that this was the necessary condition for entering the site. A dystopian madness.

This real-life example illustrates how we currently relate to our digital identity. Every time we want to access a digital application, we have to hand over a series of personal data that are then stored on its servers. In many cases we are also asked for selfies and copies of physical documents. Here too, people do not read the privacy policies they accept; they simply take it for granted that this is the necessary condition to log in.

Returning to the physical world example, let’s imagine that we want to go for a drink at an exclusive bar in New York that has decided to use the decentralized identity model to validate that its customers are of legal age. With this model, the process is simpler and more secure. Without using passwords, completing forms or handing over our data to the bar for verification, users can show “credentials” that are issued by verified issuers and stored in a virtual wallet to which only we have access.

A digital wallet containing digital credentials (VCs) serves as an analogy to replicate the way we manage our identity in the physical world.

Now let’s take this example to our experience on the Internet and imagine how it would be to interact in this way with the services and applications we use regularly, preserving our privacy and staying in control of the information we share. Sounds good, doesn’t it?

How does it work?

The technical foundations of self-sovereign identity (SSI) are cryptography, blockchain and decentralized networks. Each individual has a pair of cryptographic keys: a public key, which identifies them and can be published on a blockchain, and a private key, which authenticates them and is stored securely on their own device. On top of this, two concepts are introduced to represent and exchange identity information in a standardized way: DIDs, or “decentralized identifiers”, and VCs, or “verifiable credentials”.

The “Trust Triangle” is the model that defines how the actors interact in a decentralized identity ecosystem.

In simple terms, a DID represents an entity and a VC represents a document issued by that entity. Since the issuing entity’s public key is stored on a blockchain and the VC has been cryptographically signed, anyone can verify that the entity exists and that the “verifiable credential” is valid, i.e. that it was indeed issued by that entity. This VC could be, for example, a passport, but it could also be any piece or set of data that we would like to share selectively. Returning to the previous example, we could present a VC stating our age without revealing our date of birth. Or, even better, a VC stating that we are over 21 without disclosing our age.

DIDs invert the scheme of information control and the way we identify ourselves on the Internet: instead of us requesting to authenticate to the services we want to use, it is the services that request permission to access our data. We decide what we want to share, with whom, at what level of detail and for how long. Unlike traditional identity systems where a third party stores and manages our information, the decentralized model empowers the individual to own, control and share their identity without depending on any intermediary.

The end of surveillance capitalism?

Current digital identity models have allowed the massive collection and exploitation of our personal data, moving from passive collection to active extraction. The digital panopticon is still in place, but decentralized identity can be a resilient shield against the excesses of surveillance capitalism. Decentralized identity is more than just a technology; it is a paradigm shift that puts control and ownership of personal identity in the hands of individuals.

“We used to search Google, now Google searches us” — Shoshana Zuboff

Decentralized identity introduces significant improvements in privacy, security and autonomy, allowing users to selectively disclose information and significantly reducing the risk of large-scale data breaches and identity theft. This new approach cuts at the root the ability of large companies and powers to amass aggregated information from people and adds a layer of security by avoiding centralization. To steal data from millions of people, a hacker would no longer have to find a single point of failure in a database but would have to access the private keys of millions of devices.

The Future of Decentralized Identity

The ideas behind decentralized identity have been in development for years, but have begun to consolidate with the involvement of major players like W3C, FIDO Alliance and DIF. The development and promotion of standards and protocols by these organizations, a new wave of digital identity companies [1] [2] [3] [4] and the eIDAS 2.0 regulation are strong drivers for this vision to become a reality.

In the coming years, the industry will set a path toward mass adoption and a new era in the history of digital identity will begin. Very soon we will carry in our virtual wallets passports, credentials and memberships issued by authorized entities that can be instantly verified by third parties without having to hand them over to anyone and without sharing extra information.

However, there are still major obstacles to overcome. Standardization, interoperability and mass adoption are some of them. At the time of writing this article, many companies are developing protocols, authentication gateways and digital wallets that 1) no one is using and 2) can quickly become obsolete. Rather than focusing on creating new wallets or prototypes based on specific protocols, developers need to build usability bridges and deliver excellent user experiences for a smooth transition to decentralized identity.

Ultimately, the wallets, the interfaces through which users will access this technology, will become secondary. Large companies will have a strong positioning advantage. The important thing is to make all these wallets and architectures reusable and interoperable with each other. This effort requires the participation of large companies and governments. Companies like Apple, Google and Microsoft seem to be taking steps in this direction, although it is true that under this new scheme many of their business lines would have to be transformed, limiting their degree of digital phagocytosis.

Conclusion

Identity is a fundamental human right that allows us to define who we are and how we relate to the world around us. In the digital age, our identity has become both a valuable and a vulnerable asset. In this context, decentralized identity emerges as an alternative of resistance, not only because of its technical foundations but also because of its ability to reconfigure the balance of power and give people back control over their digital lives. For individuals and societies alike, this new paradigm opens the way to a more just, free and sovereign digital future.


Guido Sirna

Entrepreneur. Composer. Global Shaper @WEF. Member @Sandbox.