Decentralizing Digital Identity: I Am Who I Say I Am
Digital identity — simply put — is a collection of information about an individual, organization, or machine that exists online. Although digital identity management has advanced over time, current common practices continue to be very much centralized, as well as cumbersome and inefficient for everyone. Additionally, they leave much to be desired in terms of privacy and trust. The good news is that new approaches are emerging to address these flaws.
The most common form of digital identity continues to be the siloed model, which basically means that to be able to digitally interact with an entity or use an online service, you need to create an account with a username and a password, every time. This has essentially translated into the existence of a myriad of centralized identity repositories, owned and controlled by different entities.
The siloed approach, without a doubt, scores low on user control and portability, and leaves plenty of room for data breaches, privacy loss and identity theft.
Federated identity is a more user-centric model in the sense that you can use an existing account — e.g. one of your social media accounts such as Facebook or Google — to gain access to other online services. Although this approach somewhat improves the user experience, it is still very much centralized. In this case, instead of the organization operating the online service, the middleman — e.g. a social media company — will be the one managing your identity data.
Federated identity not only creates massive pools of user data that can be monetized by social media giants, but also serves as a honeypot for cyberattackers. I don’t think we will ever forget about the Cambridge Analytica scandal in 2018, where — reportedly — personal data from over 87 million Facebook users had been improperly obtained and misused by the political data-analytics firm. Another example is the Equifax data breach in 2017, where about 143 million accounts were exposed including 209k credit card numbers. And the list goes on…
Decentralized and Self-Sovereign Identity
More recently, decentralized and self-sovereign identity (DID/SSI) approaches have emerged, where the focus is on protecting personal autonomy and data ownership alongside providing convenience. When it comes to digital identity, the terms ‘decentralized’ and ‘self-sovereign’ are not very different — at least not at the moment — with both concepts recognizing that people and organizations should own and assert control over their identity data.
What this new wave of digital identity practices looks to achieve is that the attributes that make up your identity — e.g. age, nationality — can be verified in real time, without involving a centralized directory or paper-based document, for any purpose, e.g. renting a car, getting a loan or turning on utilities. You — the data owner — do not need to overshare (for example, you can demonstrate that you’re an adult without sharing your date of birth), and the recipient does not hold unnecessary data, nor can it use or share your personal data without your consent.
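The "prove you are an adult without sharing your date of birth" case above, as an added example that is not part of the original article. It uses issuer-signed salted hashes, a simpler selective-disclosure technique than a zero-knowledge proof, and assumes the issuer asserts an `over_18` attribute; all function names, attribute names and sample data are hypothetical.

```javascript
// Added example: salted-hash selective disclosure. All names are hypothetical.
const { generateKeyPairSync, sign, verify, createHash, randomBytes } = require('node:crypto');

// Digest of one salted claim; the salt stops a verifier from guessing hidden values.
function digest(claim) {
  return createHash('sha256').update(JSON.stringify(claim)).digest('hex');
}

// Issuer: salt every attribute, sign only the sorted digests, give the claims to the holder.
function issue(attributes, issuerPrivateKey) {
  const claims = Object.entries(attributes).map(
    ([name, value]) => [randomBytes(16).toString('hex'), name, value]);
  const digests = claims.map(digest).sort();
  const signature = sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { claims, digests, signature };
}

// Holder: reveal only the named claims; the rest stay as opaque digests.
function present(credential, names) {
  return {
    digests: credential.digests,
    signature: credential.signature,
    disclosed: credential.claims.filter(([, name]) => names.includes(name)),
  };
}

// Verifier: needs only the issuer's public key, no lookup in a central directory.
function verifyPresentation(presentation, issuerPublicKey) {
  const signed = Buffer.from(JSON.stringify(presentation.digests));
  if (!verify(null, signed, issuerPublicKey, presentation.signature)) return null;
  const out = {};
  for (const claim of presentation.disclosed) {
    if (!presentation.digests.includes(digest(claim))) return null; // altered claim
    out[claim[1]] = claim[2];
  }
  return out;
}

// Constructed sample data.
const issuerKeys = generateKeyPairSync('ed25519');
const credential = issue(
  { name: 'Alex Example', date_of_birth: '1990-04-12', over_18: true, nationality: 'NZ' },
  issuerKeys.privateKey);
const presentation = present(credential, ['over_18']);
console.log(verifyPresentation(presentation, issuerKeys.publicKey)); // { over_18: true }
```

The same digests and signature appear in every presentation, so verifiers can correlate them, and nothing here binds the presentation to the holder; unlinkability and holder binding need additional mechanisms.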
A combination of technical innovations, including decentralized identifiers, digital wallets, distributed ledger technology, verifiable credentials, and zero-knowledge proofs, is needed for a decentralized or self-sovereign identity system to work properly. Organizations working on these fundamental components via open-source projects and open standards include:
- Decentralized Identity Foundation (DIF)
- Hyperledger Foundation
- Sovrin Foundation
- World Wide Web Consortium (W3C)
When It Comes to Digital Identity, Why Is Decentralization So Important?
Whatever applications you have on your phone or online services you subscribe to, the organizations behind them will most likely use your data and the data of many people combined, for their own purposes — and this may happen with or without your consent, even with regulations and security measures in place. Furthermore, I believe we can all agree that the pace at which the number and magnitude of data breaches have been increasing in the last few years is concerning.
User benefits we can expect from decentralizing digital identity include:
- Users owning and controlling their digital identity
- Users being able to choose and control what data they share with whom, and trust that that data is not sold to other parties without consent
- Users having the capability to monetize their own identity data
- Users having the ability to isolate themselves from data breaches
- Users having the ability to revoke access to their identity data in the spirit of the right to be forgotten
Identity does not stop at the basic attributes that identify us — e.g. when and where we were born — but also includes what we have or know. For example, acquired skills, expertise and experience — e.g. university degrees or professional credentials — also form part of who we are, and like any other identity data, they should be tamper-proof, digitally verifiable and under our control.
Identity of Things
Identity does not apply only to people and organizations. With the growing number of devices connected to the internet, being able to digitally manage their identity in an efficient and trustworthy manner also becomes critical. Applying DID/SSI to devices not only improves data and device integrity and security, but also enables new, high-value, networked business models in the Internet of Things and machine-to-machine space.
In PwC’s report ‘Time for trust: The trillion-dollar reasons to rethink blockchain’, published in 2020, ‘identity’ appears as one of the top three application areas that are not only driving the adoption of distributed ledger technology (DLT), but also have great potential to yield significant economic value for us all. The report says: “Blockchain can safeguard valuable personal credentials online, from personal identification, such as driving licences, to professional credentials and certificates, bringing vast cost efficiencies and helping to curb fraud and identity theft.”