Beyond GDPR, Holo Vault delivering on Self-Sovereign Identity for Distributed Applications

Holo may have been the first Internet company that was actually excited about GDPR. Data portability and provenance aren’t hurdles to overcome for hApps. Quite the opposite! Holochain’s architecture makes compliance a native feature. We want to go further!

To unpack how that works, let’s dig into the progress on Personal ID and data sovereignty. Building out the Holo(chain) ecosystem is as rewarding as it is complex. In addition to delivering the Holo hosting infrastructure and setting the wheels in motion for other asset-backed currencies, we are tackling head-on the challenges posed to distributed Internet projects more broadly. Among the most pressing of these is how to handle online identity. After all, so many of the problems we experience with our current net infrastructure center on the importance of personal agency and data sovereignty. We, the participants of the internet, keep getting locked on the wrong side of the identity vault door. Holo wants to change that. Before I say how, I want to provide the larger contextual picture.

I wrote first about Holochain and Identity in the post on Thrivable Technology:

These are some key inquiries for those of us seeking technology that fosters greater freedom:

  1. What is the infrastructure that respects our privacy?…And at the same time enables enough transparency to foster trust!
  2. What design allows us ownership and control of our data?…And at the same time creates and cultivates a commons beyond the individual!
  3. What connects us with others to share and learn and grow together as a community?…And also protects us by creating boundaries and barriers that give us a sense of safety and identity?
  4. What rewards people for sharing and being a contributor?…And does so without extracting wealth from those sharing it!
  5. What creates enough trust to lubricate human interactions?…And for all that, does not become administratively burdensome?

These are broad questions that broach the tensions we hold in building technology using the lessons learned from the Internet of today. In April I posted specifically about Identity, digging deeper into what is needed. After reviewing some philosophy and history on identity, I wrote:

Self-Sovereign Identities
Many are looking to blockchain as an opportunity to escape the centralized control of these permissions and provide Self-Sovereign Identities. Yet one core thread of identity is continuity, and token-centric blockchains are organized around the history of tokens, but not about any continuity of agents controlling those tokens. Doesn’t identity need to go hand-in-hand with the reputation that comes from an ability to hold agents to account for their actions over time?

Self-Sovereign Identity creates the closest specs to what we envision for identity in Holo Applications. I want to explore a bit more about self-sovereign identities before we demonstrate how Holo Vault manages this complexity. (Holo Vault is our identity tool: a secure way of handling identity and the various personas one manages across applications.)

Kaliya “Identity Woman” Young and Heather Vescent recently released A Comprehensive Guide to Self Sovereign Identity. For them, identity is a whole new layer of the internet beyond Physical, Data Link, Network, Transport, Session, Presentation and Application. They also cover the emerging DID open standard for interoperability. (Read more about Self Sovereign Identity using DID on the W3C Community Group Draft Report.) Many people are working on decentralized applications such as blockchain, where “Decentralized Identifiers (DIDs) and the accompanying DID Documents enable individuals to share abstract identifiers (DIDs) with an associated public key and a resolution end-point.”

Let’s be clear: Kaliya and Heather are not encouraging anyone to put personal data on the blockchain itself. Rather, the idea is simply to use DPKI (Distributed Public Key Infrastructure) as a tool in messaging, so that you can communicate with a DID with increased security.

So what does a service need to do in order to supply self-sovereign identity? Christopher Allen gives a brief overview of self-sovereign identity. Then he lists the basic principles for “individual control across any number of authorities”.

Holo attends carefully to these thinkers’ work, and so bakes the following well-established values related to identity directly into the code. Let’s look at what Holo Vault provides and then check off the requirements list.

Holo Vault stores a person’s data on their own private DHT, which then shares this data between the user’s devices (phone, laptop, HoloPort).

  • Other hApps can request access to this data via a Profile Spec, where each field clearly explains what the hApp is going to do with the data, i.e., store it in their DHT or request it from the person’s DHT.
  • An expiration date can be set on the Profile as well, allowing temporary or short-term access, so you don’t have to remember to deny after a certain date.
  • Holo Vault uses a distinction between a Persona and a Profile. Personas are long-lived and contain the actual data, such as names; a Profile only contains a mapping to the Persona data. A work profile can have different data than a friend and family profile, for example. Profiles can have expiration dates where Personas do not.
  • Any hApp can request Profile information with a Profile Specification (note: not Personas).
  • The pattern of Persona fields mapped to Profile fields means that the person can update a Persona field and any subsequent Profile request will use that new data.
  • A Profile spec includes a reason for requesting each field and an expiration date. A challenge/response for sensitive data can also be used.
  • At any time people can use Holo Vault to do a forensic scan on any app’s chain and DHT to give them confidence the app is managing their data as specified.
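
The Persona/Profile pattern from the list above, as an added sketch (not Holo Vault's code or API). All class and function names, the `store`/`request` usage values, and the rule that a mapping may only contain fields the spec asked for are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical model of the Persona/Profile pattern; not Holo Vault's real API.
@dataclass
class SpecField:
    name: str    # field the hApp asks for
    reason: str  # why the hApp wants it (every field must carry one)
    usage: str   # "store" (copy into the hApp's DHT) or "request" (ask each time)

@dataclass
class ProfileSpec:
    app: str
    expiry: datetime
    fields: list

@dataclass
class Profile:
    spec: ProfileSpec
    mapping: dict  # spec field name -> (persona name, persona field)

def grant(spec, mapping, personas):
    """Create a Profile only if the spec is well formed and nothing extra is mapped."""
    for f in spec.fields:
        if not f.reason.strip() or f.usage not in ("store", "request"):
            raise ValueError(f"field {f.name!r} lacks a reason or a valid usage")
    extra = set(mapping) - {f.name for f in spec.fields}
    if extra:  # assumption: never disclose a field the spec did not request
        raise ValueError(f"mapping contains unrequested fields: {sorted(extra)}")
    for persona, key in mapping.values():
        if key not in personas.get(persona, {}):
            raise ValueError(f"unknown persona field {persona}.{key}")
    return Profile(spec, dict(mapping))

def resolve(profile, personas, now):
    """Answer a hApp's request: refuse after expiry, read Persona data live."""
    if now >= profile.spec.expiry:
        raise PermissionError(f"profile for {profile.spec.app} has expired")
    return {name: personas[p][k] for name, (p, k) in profile.mapping.items()}

# Constructed sample data.
PERSONAS = {"work": {"display_name": "A. Example", "email": "a@work.example"},
            "personal": {"display_name": "Alex", "email": "alex@home.example"}}
SPEC = ProfileSpec("chat-happ", datetime(2030, 1, 1, tzinfo=timezone.utc), [
    SpecField("handle", "shown next to your messages", "store"),
    SpecField("contact", "password reset notices", "request")])

if __name__ == "__main__":
    profile = grant(SPEC, {"handle": ("personal", "display_name"),
                           "contact": ("work", "email")}, PERSONAS)
    print(resolve(profile, PERSONAS, datetime(2029, 6, 1, tzinfo=timezone.utc)))
```

Because the Profile holds only a mapping, a later change to a Persona field shows up in the next `resolve` call, and no call succeeds once the expiry has passed.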

It is time to get on the right side of the Vault door. The ability to liberate our own digital identity can be viewed as a step in the right direction of personal freedom and self-agency.

The pseudonymization of data through GDPR and Personally Identifiable Information attempts to move digital consumer rights forward, and it also raises concerns over its impact outside of the European Union. Perhaps this approach will prove problematic, but as we brace for its impact on our daily lives, Holo remains steadfast in providing a more organic means of change than the mandated progress of the General Data Protection Regulation.

Holo Vault and Personal ID is an acknowledgment of our own self-sovereignty and the pursuit to perfect its principles as we prepare for this new age of digital communications.