Regaining custody of your identity.

Reputation has always had social capital, and most of us do what we can in order to protect it and accrue it, because we understand the value of it.

Reputation is intimately linked to both identity and trust, it is how society perceives your identity, and how much trust they are willing to afford you.

We use various mechanisms to protect our reputations, mainly we choose what parts of our identities we share with other people, and we make sure we conduct ourselves in a manner that fosters trust.

“Show me your friends, and I will tell you who you are”.

One of the indicators that people use to define your identity is looking at the reputation of those who you choose to spend your time with. Societies are complex and multi-layered, just like our identities.

All of this care however tends to go out the window when we are online. We are more than happy to secede our identities for our daily dose of digital heroin, however is the short term gain truly worth losing ourselves in the process?

“If you are not paying, you are the product.” — Anonymous.

It is important to note, that companies like Facebook and Google, are monetizing your broader identities which includes your social media metrics (what you read, what you like, your political affiliations, what you pay attention to etc), and they do this to sell advertising and provide accurate market segmentation and targeting to marketers.

If you had control of your own identity however, you would be able to control how much of a commodity you are, and how much you would be willing to be paid to share some your information, if any at all.

There are technologies however that are currently being developed to tackle this problem in order to restore control of our identities, and the name that is being used to describe these projects is SSID, which stands for “Self Sovereign Identity”.

Let’s look at a real world example

We have all been to a bank and tried to open up an account, the paper work required to prove your identity is never centrally stored, you are always on the back foot trying to source all this information, which is both time-consuming and frustrating.

Generally the types of information required to open such accounts are documents like your place of residence, identity document, place of work and proof of income.

Doing this once is normally a mission, however this process needs to be repeated with each service provider you open an account with.

If you had access to an SSID platform, you would simply be able to choose which pieces of information to share from your smart-device with a given service provider, and they would receive attestations of those documents.

What is an attestation, and how does that form part of SSID?

Attestations are third party providers that digitally sign the relevant document and provide proof that your claims are valid.

An example of this would be a government agency that provides an attestation that your name, surname & age are what you say they are.

Securing your identity

If you control your own identity, the threat of identity theft is mitigated, it is highly unlikely that it would be possible for a criminal to gain access to your documents, because the actual documents are never shared with anyone, the only things that are shared, are attestations of these documents, creating a safe and secure environment.

Let’s summarize the parameters of your social identity

This list is compiled by Christopher Allen in his article detailing the identity principles [6], he is a thought leader in this space.

1. Existence. Users must have an independent existence. Any self-sovereign identity is ultimately based on the ineffable “I” that’s at the heart of identity. It can never exist wholly in digital form. This must be the kernel of self that is upheld and supported. A self-sovereign identity simply makes public and accessible some limited aspects of the “I” that already exists.
2. Control. Users must control their identities. Subject to well-understood and secure algorithms that ensure the continued validity of an identity and its claims, the user is the ultimate authority on their identity. They should always be able to refer to it, update it, or even hide it. They must be able to choose celebrity or privacy as they prefer. This doesn’t mean that a user controls all of the claims on their identity: other users may make claims about a user, but they should not be central to the identity itself.
3. Access. Users must have access to their own data. A user must always be able to easily retrieve all the claims and other data within his identity. There must be no hidden data and no gatekeepers. This does not mean that a user can necessarily modify all the claims associated with his identity, but it does mean they should be aware of them. It also does not mean that users have equal access to others’ data, only to their own.
4. Transparency. Systems and algorithms must be transparent. The systems used to administer and operate a network of identities must be open, both in how they function and in how they are managed and updated. The algorithms should be free, open-source, well-known, and as independent as possible of any particular architecture; anyone should be able to examine how they work.
5. Persistence. Identities must be long-lived. Preferably, identities should last forever, or at least for as long as the user wishes. Though private keys might need to be rotated and data might need to be changed, the identity remains. In the fast-moving world of the Internet, this goal may not be entirely reasonable, so at the least identities should last until they’ve been outdated by newer identity systems. This must not contradict a “right to be forgotten”; a user should be able to dispose of an identity if he wishes and claims should be modified or removed as appropriate over time. To do this requires a firm separation between an identity and its claims: they can’t be tied forever.
6. Portability. Information and services about identity must be transportable. Identities must not be held by a singular third-party entity, even if it’s a trusted entity that is expected to work in the best interest of the user. The problem is that entities can disappear — and on the Internet, most eventually do. Regimes may change, users may move to different jurisdictions. Transportable identities ensure that the user remains in control of his identity no matter what, and can also improve an identity’s persistence over time.
7. Interoperability. Identities should be as widely usable as possible. Identities are of little value if they only work in limited niches. The goal of a 21st-century digital identity system is to make identity information widely available, crossing international boundaries to create global identities, without losing user control. Thanks to persistence and autonomy these widely available identities can then become continually available.
8. Consent. Users must agree to the use of their identity. Any identity system is built around sharing that identity and its claims, and an interoperable system increases the amount of sharing that occurs. However, sharing of data must only occur with the consent of the user. Though other users such as an employer, a credit bureau, or a friend might present claims, the user must still offer consent for them to become valid. Note that this consent might not be interactive, but it must still be deliberate and well-understood.
9. Minimalization. Disclosure of claims must be minimized. When data is disclosed, that disclosure should involve the minimum amount of data necessary to accomplish the task at hand. For example, if only a minimum age is called for, then the exact age should not be disclosed, and if only an age is requested, then the more precise date of birth should not be disclosed. This principle can be supported with selective disclosure, range proofs, and other zero-knowledge techniques, but non-correlatibility is still a very hard (perhaps impossible) task; the best we can do is to use minimalization to support privacy as best as possible.
10. Protection. The rights of users must be protected. When there is a conflict between the needs of the identity network and the rights of individual users, then the network should err on the side of preserving the freedoms and rights of the individuals over the needs of the network. To ensure this, identity authentication must occur through independent algorithms that are censorship-resistant and force-resilient and that are run in a decentralized manner.

Some projects that are attempting to solve this problem

• uPort
• Sovrin — Evernym
• Cambridge Blockchain
• Civic
• BlockAuth
• SelfKey

uPort

uPort is a public permissionless ledger, where the identity is defined by smart-contracts.

uPort describes itself in its White Paper as follows:

[1] “ uPort is a secure, easy-to-use system for self-sovereign identity, built on Ethereum. The uPort technology consists of three main components: smart contracts, developer libraries, and a mobile app.”

[2] Pelle Braendgaard, their (uPort) Engineering lead describes uPort as follows:

“ a uPort identity is a complete digital representation of a person (or app, organization, device, or bot) that is able to make statements about who they are when interacting with smart contracts and other uPort identities, either on-chain or off-chain. This ability to make statements about themselves, without relying on centralized identity providers, is what makes uPort a platform for self-sovereign identity.”

What is the problem they are trying to solve?

Key Management — currently your private key is your identity, if this is lost or compromised your identity is lost, and everything linked to that identity is either burned (lost for ever), or could be fraudulently utilized in the form of identity theft.

Key management doesn’t only deal with your key security, but with the revocation and transfer of keys in a secure intuitive manner.

How are they intending to solve it?

They utilise smart-contracts built on Ethereum to program various logical pathways into these smart contracts resulting in key recovery.

[2] Pelle Braendgaard, their (uPort) Engineering lead — “ A uPort identity is a very simple smart contract that is controlled by a replaceable controller contract, which contains key recovery and access control logic. The controller contract is in turn controlled by keys stored securely on your smartphone.”

Typical Use-Case

[3] John Lilic, (ConsenSys)— “I claim that my birthday is Jan 1st, 1982 then I can have someone from an institution like a bank digitally sign that assertion and say ‘we’ve checked this persons passport and we can attest to the fact that her birthday is Jan 1st, 1982”.

uPort in summary

The user is able to make any claim about themselves, and they use third party providers to verify those claims in the form of an attestation (on public key signing of the claim), this allows the user to share the attestation rather than the document itself creating a secure platform for identity sharing.

They utilize smart contracts to provide various pathways at key recovery, I would need to look into the structure of these contracts and if they have been formally validated to make sure that your identity cannot be compromised.

Due to the usage of the Ethereum protocols, there is a cost associated with each transaction.

[7] uPort allows for Control, Transparency, Portability, Existence, Access, Persistence, Interoperability, Consent, Minimalization

Sovrin

Sovrin is a public permissioned ledger, where identity is governed using the Sovrin Foundation and the Sovrin Trust Framework.

Sovrin describes itself in its White Paper as follows:

[4] “ lifetime portable digital identity that does not depend on any central authority and can never be taken away. The Sovrin Network has been designed exclusively for this purpose, including governance (the Sovrin Foundation and the Sovrin Trust Framework), scalability (validator and observer nodes and state proofs), and accessibility (minimal cost and maximum availability).”

[5] Phillip Windley Ph.D, Chairman of the Sovrin Foundation describes Sovrin as follows:

“ Sovrin is the internet for identity, its a decentralized, public, global identity system”

What is the problem they are trying to solve?

How do you marry ones real world identity to their online digital identity in order to provide assurance the person is who they saw they are.

In centralized identity frameworks, identity is controlled by organisations and institutions, which means ones identity could be compromised/stolen/revoked because it isn’t within the control of the individual.

How are they intending to solve it?

By using a consensus algorithm operating over many different machines and replicated by many different entities in a decentralized network.

They will be utilizing ZKP (Zero Knowledge Proofs) to provide minimum disclosure by attestation to prove certain characteristics of their identity as requested by a service provider without handing over the underlying information.

Typical Use-Case

Let’s assume you’re online, and you are requested to prove you are over 18 to engage in that transaction, you can provide an attestation (proof) that you are over 18, without disclosing your underlying information (birth-date) or any other information you would normally have to secede by providing your identity document which would be irrelevant to the transaction.

[5] Phillip Windley Ph.D, Chairman of the Sovrin Foundation — “ If a service provider requires you to prove you are over 18, you can prove you are over 18, without even handing over the actual birth date to a service provider”

Sovrin in summary

The user is able to make any claim about themselves, and they use third party providers to verify those claims in the form of an attestation (on public key signing of the claim), this allows the user to share the attestation rather than the document itself creating a secure platform for identity sharing.

They utilize a trust network to manage the governance on the Blockhcain, this allows them to provide an identity transactional service that is at 0 cost.

[7] Soverin allows for Control, Transparency, Portability, Existence, Access, Persistence, Interoperability, Minimalization

Cambridge Blockchain LLC

Cambridge Blockchain provides digital identity enterprise software for financial institutions such as multinational banks[8]

Cambridge Blockchain describe themselves on their website as follows:

[9] “ Cambridge Blockchain’s distributed architecture resolves the competing challenges of transparency and privacy, leading to stronger regulatory compliance, lower costs and a seamless customer experiences.”

What is the problem they are trying to solve?

The problems with centralized compliance databases are here;
1) Centrlaization offers the struggle to meet the conflicting priorities
2) Centralization results in duplication of the same identity checks across institutions and severe impacts to customer experience and operating costs [10].

How are they intending to solve it?

Cambridge Blockchain not only solves the problem of enabling strong digital identities at a global scale but also provides individuals control over their identity data. This platform facilitates client control of their own personal data in a single, unified version through a virtual container called a Personal Data Service (PDS). Using the PDS, a user can do the following task [11]

1. Pre-approve automated rules that allow financial institutions to access the data.
2. Ensure that each division is working with the most updated version of the data.
3. Confirm that the data is identical to what has been checked by another trusted party. The shared blockchain ledger does not contain any personal data, but rather cryptographic proofs that can attest to the validity of personal data (and who has signed it) along with an auditable and trusted tracking of changes. [11]

Cambridge Blockchain as identity blockchain solves this quandary by combining blockchain technology with a Personal Data Service (PDS). The PDS concept was developed by ID3 as Open Mustard Seed to permit individuals to collect and share data in a secure, transparent and accountable way through encapsulated data management.

The goal of this new blockchain-linked PDS system is to meet both privacy and KYC requirements in the same system through the selective release of personal information to only authorized counter-parties on a controlled, as-needed basis [11]

Typical Use-Case

The use case that Cambridge Blockchain has focused on, is within the Financial Sector, where financial services organisations like banks require KYC compliant strong identification, therefore the use-cases in this case is when you apply for a Bank Account, you will be able to provide up-to date attested references to those documents that will be compliant with both KYC and Anti-money laundering legislation.

Cambridge Blockchain in summary

Cambridge Blockchain is largely different from the other decentralized Blockchain projects, for one it utilizes propitiatory technologies that are not open source, it utilises a centralized server for storing the documents and only stores the attestations on-chain. This is not a technology that would be utilised for mass adoption this has a specific use case in order to check the regulatory checkboxes for KYC and Anti-money laundering.

Civic

Civic is a public permissioned ledger built on Ethereum, where identity is governed using smart-contracts.

Civic describes itself on its website as follows:

[12] “ Civic’s mission is to provide every person on Earth with a digital identity that they can use to interact privately and securely with the world.”

What is the problem they are trying to solve?

As with uPort and Sovrin, Civic is also trying to solve the link between ones physical identity, and ones digital identity, however they are also looking at solving inefficiencies and costs associated with current verification providers such as KYV and AML.

How are they intending to solve it?

[13] Vinny Lingham, CEO Civic — “ So, what’s so special about Civic and how does it work? We’ve been developing a new type of authentication service, called ChainAuth™, which uses the Bitcoin Blockchain to validate your identity credentials — your personal information is never stored on the blockchain, but we utilize the cryptographic infrastructure to ensure that the data on your device is never changed or compromised.”

In summary they utilize an Android and iOS application, which you utilize to “on-board” your identity by providing this information, all your original documents are stored on your phone and encrypted utilizing your phones biometric device, so these documents are never stored on the Blockchain however the attestations of these documents are stored on the Blockchain.

Typical Use-Case

The use-cases of the Civic platform mimic those of Soverin and uPort as they are focusing their efforts on the same target market, albeit with different methodologies.

Civic in summary

The user is able to make any claim about themselves, and they use third party providers to verify those claims in the form of an attestation (on public key signing of the claim), this allows the user to share the attestation rather than the document itself creating a secure platform for identity sharing.

[7] They utilize a the Ethereum Blockchain as the foundations of their product with a centralized SIP server, control is also limited due to the fact that attestations once issued are stored on the Blockchain, and only portions of the product are open source like the API for Partner Integration.

BlockAuth

Block Auth is an open source project to build a competitive marketplace for developers to list authentication services (Registrars) such as for KYC, AML and the log in purpose for websites. The Block Auth system operates with a token, the crowd sale is said to be taking place on the 14th of July 2018 [14]

What is the problem they are trying to solve?

There are multiple silos of information, where each service provider has access and is storing copies of your identification documents, this creates risks of identity theft and fraud.

How are they intending to solve it?

BlockAuth is looking at creating a market place for different identity providers to provide access to those documents, so a service provider can use the BlockAuth api to get access to a specific provider in order to get the relevant attestation for the identity they require.

Typical Use-Case

A typical use case would be a pharmacy requiring access to your name, surname and identity number, they would be able to access the market place, and the relevant authority that would be able to provide the relevant attestation for that attribute.

BlockAuth in summary

In summary this is slightly different to the other identity platforms discussed, as this platform is focusing on the marketplace for identity providers.

[7] BlockAuth allows for Control, Transparency, Portability, Access

SelfKey

Selfkey is a public permissionless ledger, where the identity is defined by smart-contracts utilising the uPort key recovery mechanism.

Selfkey describes itself in its White Paper as follows:

[15] “ SelfKey is an identity system built on an open platform consisting of several key components including: SelfKey Foundation, a non-profit foundation whose charter and governance enshrines the principles of self-sovereign identity, a technology stack with a free and open source identity wallet for the identity owner, a marketplace with real products and services available at launch, a JSON-LD (machine readable) protocol, connection to 3rd party identity micro services which comply with KYC laws and regulations, and a native token called “KEY” which enables the SelfKey ecosystem to exchange value and information in an efficient, fully-digital, self-sovereign manner.”

What is the problem they are trying to solve?

SelfKey was founde by Edmund Lowell, who has a background in law, SelfKey like it’s other counterparts which are similar in nature (Sovrin and uPort) are trying to digitize our identities for automated, attested and thus secure identity management. However SelfKey also offers many template based solutions for incorporating organisations internationally, residency management and trust management.

How are they intending to solve it?

They have built their distributed identity platform on Ethereum, they will be utilising the 3rd party attestation mechanism, and uPort as its key recovery mechanism.

Typical Use-Case

Person x wants to set up a company internationally (let’s say in Malta), they will be able to use this platform to incorporate the legal entity and start trading.

SelfKey in summary

The user is able to make any claim about themselves, and they use third party providers to verify those claims in the form of an attestation (on public key signing of the claim), this allows the user to share the attestation rather than the document itself creating a secure platform for identity sharing.

They utilize uPort for key recovery, and thus the formal verification of the uPort mechanism which is currently unknown is the only threat to this process.

Due to the usage of the Ethereum protocols, there is a cost associated with each transaction.

[7] SelfKey allows for Control, Transparency, Portability, Existence, Access, Persistence, Interoperability, Consent, Minimalization

Let’s take a step back an summarize what we have learnt

There are multiple projects all targeting a similar problem statement, which in essence is the ability to bridge the gap between someones physical and digital identities, and being able to source proof of ones identity in a secure, trusted manner.

The risks involved within these projects lies with their implementation of Smart Contracts or DApps that will be built to handle some of the workflows and automated exchanges of attestations.

Smart Contracts have always been a weak link, due to their complexity and developers who are prone to introduce unwanted features into their code.

There is a way around it, and that is utilising formal proof methodology to “mathematically” prove the veracity of a contract. Other methodologies could be as simple as designing it in an open source manner so that others can look at the code, and pick up issues.

Whenever Blockchain projects leap from the digital to the physical there will always be an element of risk, and it is important to try tightly integrate these two worlds as closely as possible.

Our best bet at achieving that would be a multi-factor biometric identification mechanism.

The Role for Biometrics in Self Sovereign Identity

Identity covers a multitude of dimensions and parameters, from your passport, through to your driving licence as well as your various social media persona’s.

Various biometric traits also form part of your identity and can be used as identifiers, the risk with biometrics however is that they cannot be retracted, once they are in the open, that biometric is compromised, these are still hurdles that need to be carefully managed to secure ones biometric identity.

If these challenges can be adequately solved the future for SSID and biometrics looks bright, you can imagine being able to travel without a passport, by allowing various biometrics to be scanned at an Airport, they will be able to verify that it is in fact you, and they will have access to your passport attestation on the public/private Blockchain.

This concept can be extrapolated to all service providers, you will no longer need to “push” attestations, your biometrics can be scanned, and you will be required to verify the request and the identity attributes being requested via an oAuth mechanism.

We will then truly have Self Sovereign Identity, because your identity will be tightly linked to your biology and not some centralized or federated system.

References

[1] http://blockchainlab.com/pdf/uPort_whitepaper_DRAFT20161020.pdf
[2] https://medium.com/uport/what-is-a-uport-identity-b790b065809c
[3] https://decentralize.today/dont-forget-what-self-sovereign-identity-system-uport-doesn-t-claim-to-do-1f43ca228575
[4] https://sovrin.org/wp-content/uploads/Sovrin-Protocol-and-Token-White-Paper.pdf
[5] https://www.youtube.com/watch?v=tWuwJhyy7Ac
[6] https://github.com/ChristopherA/self-sovereign-identity/blob/master/self-sovereign-identity-principles.md
[7] https://www.slideshare.net/TommyKoens/matching-identity-management-solutions-to-selfsovereign-identity-principles
[8] https://www.youtube.com/watch?v=D2djtNWrja4
[9] https://www.cambridge-blockchain.com/
[10] Handova, D.: B2B Solution of the Week: How blockchain technologies will affect B2B industries.Retrieved, https://www.b2bnn.com/2016/01/b2bsolution-of-the-week-how-blockchain-technologies-will-affectb2b-industries/
[11]https://files.ifi.uzh.ch/CSG/staff/Rafati/ID%20Management%20using%20BC-Atif-VA.pdf
[12] https://www.civic.com/company/
[13] https://vinnylingham.com/civic-enabling-the-future-of-privacy-digital-security-with-chainauth-b79d61904d4c
[14] https://medium.com/@DJohnstonEC/informational-report-on-block-auth-f6496a51b97d
[15] https://selfkey.org/wp-content/uploads/2017/11/selfkey-whitepaper-en.pdf