The Foundations of a New Digital Era — Self-Sovereign Identities
A gentle introduction to the concept of self-sovereign identities.
The Internet emerged without an authentic method to identify oneself independently. Many weaknesses and issues come from this, including online fraud, identity theft and data theft. Distrust is predominant in the digital world, an understandable reality when considering there is simply no way to verify the credibility of the other party.
To be able to conduct business online, we use a third party to create trust between the two parties that wish to interact (most of the time it is a service provider). However, this isn’t solving the problem in a sustainable manner, since in each transaction we are always forced to trust yet another third party.
What may have been adequate in the past, is no longer sustainable: The increasingly economic and social importance of the Internet calls for new and improved trustworthy methods of identification.
In fact, the underlying concepts of digital identification have not changed in its core. While there were improvements to make the whole process much more user-friendly and efficient, the quintessence always remained the same: The control and therefore the ownership of the data stayed exclusively with the service provider. Nowadays, these third parties constitute an oligopoly on the Internet and make billions with their intransparent storage and use of data.
The current standards of digital identification are the bottleneck of a sustainable digitization of our economy and society.
It’s a long-standing and well-known issue and various attempts have been made to change the way we identify ourselves online. Unfortunately, with moderate success.
However, thanks to technological innovation, new and promising approaches are becoming feasible: A prominent one is decentral identities, made possible by the advent of distributed ledger technology. Decentral identities are digital identities which exist independently from the service provider — you are no longer forced to trust a third party with the control and storage of your personal data. With the technical feasibility of decentral identities emerged the concept of self-sovereign identities (SSI).
A Self-Determined Digital Life (At Last)
As the name implies, in a self-sovereign identity, the individual becomes empowered to determine his digital life in a self-determined manner, that is:
- The sole access to identity data,
- the possibility to change data,
- and to be able to decide freely what happens to the data and with whom it is shared.
The quintessence of SSI is clear: The full ownership and sovereignty of personal data remains with the user. It promises to revolutionize the identification processes and with it the way we interact with each other online.
For one thing, our digital coexistence will become much safer. The centrally administered data storage by the service providers (honeypots) often attract cyber attacks, as one successful hack gives the attacker access to millions of data sets. A paradise for hackers. But if we look at a data storage on an individual level (feasible with SSI) — let’s say on the user’s phone — then we can see data thefts becoming almost unprofitable. This does not mean that the data is better protected on a phone, it’s rather the fact that one successful attack doesn’t put millions of data sets at risk, but just one.
Digital identity theft and online fraud as much as we witness it today will be a thing of the past. Today, it’s rather simple to impersonate someone else in the digital realm, which facilitates abusive behaviour.
By implementing trustworthy identification standards with SSI, the digital world will resemble our analog lifes: You know exactly who you are dealing with, since people are clearly identifiable. Internet trolls and people who deliberately spread fake news or incite hatred have to be much more careful.
Eventually, self-sovereign identities can do much more than the authentic digital identification of individuals. SSI can be an enabler for seminal technologies and visionary concepts such as Industry 4.0, autonomous driving and the Internet of Things. In the near future, things and machines also need a way to be clearly identified. Machines in highly connected and automated factories have to interact among each other to guarantee a seamless production. Current infrastructures don’t provide the necessary security for this type of machine to machine communication. Not for the industry nor a smart home.
Status Quo of SSI Projects and Initiatives
Distributed ledger technology is being researched in various industries. Reputable companies as well as innovative startups are working on different use cases: the secure tracking of goods in supply chains, authentic digital proofs of physical objects, virtual currencies, efficient international payment and the tamper-proof digital identities, just to name a few.
Initiatives developing SSI solutions are for example the ID2020 initiative and the Sovrin project. The former has set the ambitious goal to make a secure digital identity available to all the people worldwide who are not able to prove their identity (according to The World Bank there are more than 1.1 billion “invisible” people!). The Sovrin project pursues the plan to build a global self-sovereign identity system for people and organizations.
Furthermore, the World Wide Consortium (WC3), an international community establishing web standards, is working on standardizing core elements for self-sovereign identities, such as decentralized identifiers and verifiable credentials. These standards are supposed to facilitate interoperability between different identity systems.
Governments and national agencies are also working on SSI projects: The Spanish autonomous community, Catalonia, started a pilot project on this topic, as well as the U.S. state Illinois. The Swiss city Kanton is already testing an identity solution for secure e-government services. The overall goal is to make the citizens’ lives more comfortable by simplifying the access to digital government services.
For the private sector, many startups are developing innovative and intuitive approaches to SSI. A thought leader in the space of digital identity is Evernym, which is also an initiator of the Sovrin project. Another pioneer is uPort as well as the Frankfurt based startup Blockchain HELIX, with its digital identity solution, helix id.
A Double-Edged Sword
This does not only apply to distributed ledger technology, but all other young and disruptive technologies: As the technology is able to improve our lives and promote good behaviour, it can also be abused by people, facilitating bad behaviour. What it is used for ultimately depends on the individual.
A good example for this is the virtual currency, Bitcoin, which is often denounced as a criminal medium of exchange. Bitcoin’s intention is to create a secure payment network without the need of an intermediary. The possibility to help criminals pay their illegal activities on the Internet was never its intention, yet it’s happening. It should, however, not be seen as a property of the technology itself, but as an unforeseeable dynamic caused by the intentional misuse of individuals.
Technology is not per se bad. Bad are those who purposely misuse it.
In this context, cash could also be classified as a criminal currency. Besides its function (and intention) as a legal tender, it is used as a payment for illegal activities. In fact, it’s the most popular payment method for criminals, as the transactions with cash are anonymous with a high degree of liquidity.
With regard to such a sensitive subject like digital identity, it is crucial to create secure and trustworthy standards. As the possibilities of misuse are numerous and can have severe consequences for individuals, ‘unforeseeable dynamics’ for misuse have to be minimized as much as possible. If a digital identity is compromised, one could completely lose access to digital products and services (disastrous for people who make a living online). If a malicious actor finds a backdoor in a system for verified and secure digital identities, he is able to commit a crime in the digital world in the name of someone else. The loss or misuse of digital identities can therefore have very real consequences.
Currently, the user behaviour is clearly on the side of a comfortable and simple identification by third parties. This can be problematic for self-sovereign identities, because the individual responsibility increases with the safe and self-determined handling of the digital identity. At the same time, data protection plays an ever-increasing role, more people are becoming aware of what happens to their data and who has access to it. Solutions for self-sovereign identities will be measured by the degree of user-friendliness and intuitive handling, while the integrity and security of digital identities have to be ensured at any time.
The Ten Principles of Self-Sovereign Identity
The Internet cryptography pioneer Christopher Allen is one of the thought leaders of SSI. He recognizes the issue of the double-edged sword in identity systems and drafted the ten principles for transparent, secure and trustworthy digital identities (fig. 1):
Although Allen is a prominent advocate, the principles are based on years of community work and the “Laws of Identity” by Kim Cameron. Many projects and solutions of SSI follow these principles and take them as a general basis for digital identity solutions.
The Digital Revolution is here
I’d like to close this article with a statement made by the World Economic Forum in its recently published community paper:
And the time to act is now. The digital identity revolution has already begun.
If you want to get to know more about self-sovereign identities, then you can follow me on Twitter and this blog. Here you’ll find weekly articles on digital identity, the team at Blockchain HELIX and the digital identity solution, helix id.
