The Evolution of Digital Identity
Everyone has one, no one owns it. A look into the history of Digital Identity
In the course of the rapid digitalization of our lives, society and the economy, the digital world has become increasingly important. The Internet, which was initially built for the exchange of information, has grown in economic importance over time.
Nowadays, around four billion people interact, communicate and trade digitally. Entire branches of industry are founded on the Internet. Seven of the ten most valuable companies — based on market value — are internet companies.
As the digital realm evolves technically and socially, there is one aspect that has hardly changed: identification on the Internet. How does digital identification work and what’s up with the Digital Identities of internet users?
What is a Digital Identity?
As the name suggests, Digital Identities are the digital counterpart to a real identity. Identity comprises the unique and unmistakable characteristics of a person. In the real world, it is quite easy to prove that a person is exactly who they claim to be. Nevertheless, there are expected to be more than 1.1 billion people on earth without a valid proof of identification.
People can also reveal themselves in the virtual world. However, it is far more difficult to be certain of the authenticity of the other party. Perfectly shown in Peter Steiner’s famous drawing “On the Internet, nobody knows you’re a dog”.
Published more than 27 years ago, the cartoon illustrates the ever-present issue of identification on the Internet. Users are identified by username and password. But that only works in systems with a central authority that manages the user ID. This kind of digital identification is outdated and does not fulfill the premise of a sustainable digital future.
Trustworthy digital identification is the foundation for a secure and sustainable digital society and economy.
How is it possible that the Internet has spread and developed to such an extent, while the unambiguous digital identification is not yet feasible?
A look into the history of Digital Identities
The Internet was created without a standard for the clear identification of its users. Thus, online services began to develop their own methods to identify people within their systems — resulting in the identification by means of a unique username and a corresponding password. Since then, it has been the predominant method to identify people on the Internet.
Christopher Allen, a pioneer in the fields of internet cryptography, describes the evolution of Digital Identities in his article “The Path to Self-Sovereign Identity”. Allen divides the evolution into four, major stages:
Centralized Digital Identity (1990–2000)¹
In the early days of the Internet, online services became the issuer of Digital Identities. They were trusted with the storage and handling of user data. It was during this time that certificate authorities started handing out official digital certificates, so that everyone knew which services could be trusted.
The profound and inherent weaknesses of centralized Digital Identities quickly became apparent. On the one hand, the data sovereignty laid with the service provider and not with the user. Hence, the user was not in possession of his own Digital Identity. The user was obliged to trust the provider to store his data properly and to not misuse it.
On the other hand, the centralized and isolated data storage was troublesome. The users had to use (at best) individual credentials for each online service they used. With the rapid expansion of the Internet, the number of usernames and password increased dramatically. That was not user-friendly nor a secure way to identify digitally.
Federated Digital Identity (2000–2008)
The next development of Digital Identities was quite similar to the previous one. The only and notable difference was the portability of the Digital Identity from one online service to another one. The user was able to use one set of login details for multiple services. The goal was to make the user experience more seamless.
However, the risks and weaknesses remained the same. Providers retained complete control over the Digital Identities. They were able to withdraw the user’s access to the Digital Identity at will.
At the time, it had already become hard to imagine life without the Internet: particularly successful service providers accumulated millions of personal data records, which were stored in central databases. This centralized data retention allowed malicious parties to steal millions of Digital Identities with just one successful attack.
Nowadays, Digital Identity theft is a serious issue. According to a study of the market research company, Bitkom Research, over half of all German Internet users fell victim to cybercrime in 2017. Nineteen percent of them lost their credentials to online services. Keeping in mind the growing economic importance of the Internet, identity theft can have serious consequences for individuals.
User-Centric Digital Identity (2008 — today)
In recent years, the focus of Digital Identities has shifted. The user is supposed to have better control over his Digital Identity. The ability to log in to multiple services with one user ID remained, complemented by a user-friendly and fast login (One-Click-Login). The highlight: The user can determine to what extent he wants to share his data.
An example of user-centric Digital Identities is Google’s Single Sign-On (SSO). The user creates a profile and stores his data with Google. If the user wants to log in to an online service, he can use his Google profile for a quick and seamless registration (provided that the other party has integrated Google’s feature). Google’s SSO tells the user what data the other party requests and if he consents with it.
While the user benefits from an extremely convenient way of identifying himself, user-centric Digital Identities don’t solve the underlying security risks that came with centralized Digital Identities. The central provider remains (in our example, it’s Google). He retains full control over the users’ Digital Identities. Data misuse and identity theft persist.
It can also become dangerous to the Internet, if one identity provider, such as Google, becomes the standard for digital identification. Intensified by network effects, the Internet user can hardly escape the monopoly provider and has to agree to a unilateral contract in order to continue using online services as before.
The fourth and last development stage, according to Allen, will be Self-Sovereign Identities. Currently, the Internet landscape is dominated by user-centric Digital Identities. This fairly new concept of digital identification pursues a completely different approach:
With Self-Sovereign Identities, the individual becomes his own identity provider — the user owns, controls and manages his Digital Identity.
This paradigm shift — moving away from central identity providers and towards truly user-owned Digital Identities — entails profound changes. The digital self becomes independent, the user is able to identify himself self-determinantly. Arbitrary and illicit invasions of the user’s digital privacy will be a thing of the past.
So far, centralized data storage and the associated security risks led to immense data leaks. Data misuse, identity theft and data scandals, such as Equifax, Yahoo and Uber, will be a thing of the past as well.
A fair and trusting digital world
With Self-Sovereign identities, the level of security and trust on the Internet can reach unprecedented levels. The sole ownership of the Digital Identity enables the Internet user to decide with whom and to what extent his data is shared. Abusive behaviour can be drastically reduced, because the individual is more careful with his Digital Identity than a private company that monetizes millions of personal data records.
At present, we are still at the very beginning of a self-determined and trusting digital world. However, it is becoming more and more clear that the existing methods of identification are insufficient for the promises of a secure digital future. Internet users are starting to emancipate themselves and demanding better protection of their digital privacy. Companies are not able to guarantee the secure storage of personal data.
What the Internet needs is the empowerment of the individual, so that they can interact digitally in a self-determined and secure manner. What the Internet needs is trust. And that is exactly what Self-Sovereign Identities promise.
Blockchain HELIX is a technology start-up that develops the Digital Identity solution, helix id. With helix id, individuals regain control over their Digital Identity. Everything needed for a trusting and secure Internet.
 The annual figures are an estimate.