Andrew Tobin, Jason Law, and Elizabeth Renieris of Evernym on Self-Sovereign Identity
Full video and transcript below.
On April 10th, Mattereum hosted the third Internet of Agreements® (IoA) conference at the Google Campus in London. IoA® is a vision for global supply chains and logistics, integrating national laws and regulation with international commerce through the application of technology such as blockchains and smart contracts.
Mattereum Head of Operations David Salgado sat down with several members of the Evernym team, Elizabeth Renieris (Global Policy Counsel), Andrew Tobin (European Managing Director), and Jason Law (Chief Technology Officer) to discuss the notion of self-sovereign identity, how the Sovrin protocol facilitates identity management, the reasoning behind the design, key considerations for those developing identity solutions using blockchain, and how these solutions coexist with regulation and each other.
Throughout the discussion parallels were drawn between self-sovereign identity and real life interactions involving shared credentials. The question of how revocable credentials and efforts such as the EU’s General Data Protection Regulation can work with immutable ledgers led consideration of what information should actually be written to the blockchain. Jason described the Sovrin approach, in which the blockchain does not store credentials but verifies the claims without disclosing the credential itself or allowing different claims to be correlated by using zero-knowledge proofs. The question of interoperability between these multifarious identity solutions led to the team highlighting the different trust frameworks throughout society and how Sovrin is working with others to standardize best practices around decentralized identifiers. The team then detailed the rollout of Sovrin to different industries and jurisdictions and their open source approach.
Video:
Transcript:
David: I’m David Salgado, Head of Operations at Mattereum.
Elizabeth: Hi, I’m Elizabeth Renieris, Global Policy Counsel at Evernym.
Andy: Hi, I’m Andy Tobin, the European Managing Director for Evernym.
Jason: Jason Law, CTO at Evernym.
David: I’d like to start off with just a quick introduction to what Evernym is, what’s your approach, what problems you’re solving and a little bit about the company.
Andy: Sure, I’ll cover that. Evernym is really all about self-sovereign identity, we’re all about fixing the problem that’s actually being articulated this morning already, which is how do you trust who you’re dealing with online.
We’re probably best-known as the inventors of Sovrin. Sovrin is a global identity network that’s based on something called Hyperledger Indy, which is code that Jason and our technical colleagues at Evernym wrote and open sourced. The network itself is run by trusted parties, the latest ones to be announced are Imperial College, and IBM was actually announced recently as a steward that runs the network as well. What essentially it does is it provides a couple of things: first of all, it provides a — I know we’ve got a fairly technical audience here — a decentralised key registry for public keys, and it provides a protocol on top of that, that allows you to share data in a way that involves no middleman, and allows you as an individual to own and manage your own data, and allows an organisation or a connected thing to do the same.
Essentially, it solves a problem that we have at the moment. In the old way of sharing identity data, if David asks me who I am, I can say, “I’m Andy Tobin,” and he would naturally say, “Well, says who? Who says I am?” and I could get one of these out, I could show it to him, and you could look at it and take it and see it’s got some shiny information on it and some holograms and so on, and David can establish a certain level of trust, because I’ve shown him this thing and he trusts the Passport Office and that it’s probably pretty genuine. But we don’t have the digital equivalent of doing that in a way that’s global and properly open source and standards-based, and Sovrin essentially provides a solution to that problem. Using a standard called Verifiable Credentials or Verifiable Claims, I can be given by the Passport Office a digitised version of this, not a scan of it but a digitised version with all the attributes. I can then present individual attributes to David, and he can verify that that came from the Passport Office, he can verify I haven’t changed it, he can verify it was given only to me, and he can verify, very importantly, that it hasn’t been revoked. So we’re talking about essentially Sovrin being a global utility that allows anyone or anything to do those things.
David: Can you perhaps expand a little bit on the issue of revocation of credentials? Because that’s something that I think in the blockchain space we’re very comfortable now, with the idea that you write it to the blockchain and it’s there forever. In the case of identity issues, that kind of has… not quite a conflict, but I think there’s an interesting balance between “I know who you are, and I know this is true and this is true forever,” versus “What happens if I got it wrong, if a bad actor got into the system?” and increasingly, with the forthcoming GDPR regulation, with the right to be forgotten.
Andy: Yeah, I think we all want to jump in on that one. I’ll just cover the first bit, and then Elizabeth can cover some of the legal side and Jason some of the technical. One of the reasons you don’t have lots of people going around with digital passports is that there is no sensible way to revoke them, until now. What you don’t do is you don’t put this on a blockchain, and you don’t put a hash of it on a blockchain either. You give it to me and I can take it with me anywhere I can, like I can with this thing.
Elizabeth: I think one of my favourite myths about the GDPR and the right to be forgotten is that blockchain is inherently at odds with the right to be forgotten because of its immutability. Exactly to Andy’s point, I think it depends what you’re writing to the ledger, and I think that there are a lot of solutions we’ve seen that make both inherently compatible, because they’re not exactly that, they’re not putting credentials on the ledger. I think there’s also just notions around immutability in general: it depends on the chain, it depends on whether you consider forking and other technical measures to actually introduce changes to the record so to speak. So I think it’s a more nuanced approach.
Jason: Let me just comment about the nuanced part of it, and I will try not to go too deep on this. The credential that a person might have, that they might show that to someone else, the blockchain doesn’t actually hold a reference to the credential in a way that could be identified later; what the blockchain allows us to do is prove that I have a credential, that that credential is not revoked, that it was issued by a certain party, and I can selectively disclose attributes in that credential. I’m using the blockchain to allow the other party to verify that the proof that I’m giving is correct, but it’s not identified; there’s not a hash, there’s not an identifier on the ledger that you could go and point to and correlate across different presentations of that same credential.
David: So the issue of revocation in that sense is you would revoke the authenticity of that verifiable claim on your side?
Jason: There is a bit of… Andy, I think you call this crypto magic?
Andy: Yeah, exotic cryptography.
Jason: Exotic cryptography. We’re actually using cryptographic accumulators that allow us to allow an issuer to be able to update the list of those credentials that are correct, and then I as a credential holder can prove, and we use zero-knowledge proofs for this, I can prove in zero knowledge that I hold a credential that is not revoked, without you being able to see which one is mine.
Elizabeth: I think it’s a little bit like in the real world, where if the DMV could revoke your driver’s license — sorry, it’s a very US example — but you’d still retain the artefact so to speak. The same in the digital world, where you might revoke the credential but you’d still have the artefact controlled in your wallet, so I think there’s some analogues we can draw there.
Andy: Yeah, the issue we’re trying to solve with revocation is the problem of phoning home. Those of you who’ve maybe tried to rent a car, although this doesn’t happen really because it’s so complicated to do, but if you need to prove that you’ve got an unrevoked driving licence, the rental car company needs to get in touch with the UK DVLA to confirm your license is still valid. So there needs to be an API there and all the rental car companies need to connect to it, and you as a driver need to, first of all, go to the DVLA and get a code, and that code is the token that gives permission for them to access your details around the back. It’s very, very complicated, and this is why we see a complete lack of scale and actually rental car companies not even bothering to check if your license is valid. And if you have to replicate that across all the world’s DMVs and DVLA’s and so on, it becomes very complex.
You need this ability for the recipient to check if your credentials are valid, and it could be the fact you’re a doctor and you’re not struck off for example, it could be you’re a driver, maybe you’re on a terror watch list or something, but doing it in such a way that the recipient doesn’t have to phone home, because that’s technically very complex at scale. Also, you need to not put a database somewhere that correlates everybody and breaches privacy. The way that it works on Sovrin is, as Jason says, there’s a one-way accumulator that is created that is put on the ledger that can be used to create zero-knowledge proofs that you are not revoked, and that accumulator can’t be reverse engineered in any way.
David: That sounds like a really interesting and valuable technical approach, which brings me on to another question that I wanted to ask, which is if we have a global marketplace of identity solutions, how do you see this working in terms of interoperability between the various different approaches?
Elizabeth: I think one starting point that is near to my heart is this notion of trust frameworks. I think one of the things that we’re very conscious about is building trust within these systems has to be tailored to the environment or the industry or the jurisdiction so to speak, so sort of a one-size-fits-all approach to trust isn’t going to work. For example, if you’re dealing with a heavily regulated industry, financial services, you have different elements of a trust framework that you’d have to build that would be different from say digital rights management or an entertainment space. We’re trying to build the foundational level, the core elements of enabling trust in these ecosystems, without losing sight of the unique requirements of specific industries or jurisdictions.
Andy: I’ll just give a couple of things on a slightly more technical level. Sovrin is based on open standards and is open source; if Evernym goes away, Sovrin stays, so it is vendor agnostic. A couple of the standards that are very important, and Jason can maybe cover them in a bit more detail, are decentralised identifiers, DIDs, and it’s a standard that came out of work that Evernym was doing on how to ensure you get interoperability. The Sovrin ledger itself contains these identifiers called DIDs, that’s an open standard now that’s being worked on at W3C level, and the way you move the credentials around is… The standard is not yet mature, but there’s various working groups at W3C level — Verifiable Claims Working Group, I think it’s now renamed Verifiable Credentials Working Group is one of those — and Sovereign is the protocol that sits on top of a ledger that allows this transfer to take place is based on these verifiable credentials.
Jason: And there’s a lot of work going on in this space. For example, one of the things that we feel strongly about is the ability for me to get a credential or an attestation from an issuer and to be able to present selectively the pieces that I want to and in a privacy-respecting way, and in order to do that some changes have to happen. One of the things that we’ll be doing over the next few weeks is submitting some proposed changes to W3C Verifiable Credentials Working Group, we’re working with folks in Hyperledger Indy, which is great, because large companies with great capabilities have come together in this project that have allowed for… The contributions are not encumbered from a patent perspective, and so people can really bring their best games, because the companies that they’re with have committed to this effort with Hyperledger, and we can now start to take advantage of all of this great research. So there’s more to come, and I think that over time we’re going to see more extensions of what’s done with DID spec, we’ll start to see that happening more and more up the protocol layers, so I’m excited about what’s going to happen.
David: That’s really interesting. I wanted to pick up a little bit on something that you mentioned briefly, and which is clearly core to your product, it’s even in the name, this notion of self-sovereign identity. I wondered if you could talk for a couple of minutes about what that means to you, not necessarily from a technical point of view but perhaps in a philosophical point of view? What does self-sovereign identity mean to you, as an organisation?
Andy: It’s actually really quite simple. There’s often a mix-up about self-sovereign versus self-attested. Self-attested is where I say I’m Andy Tobin and you can believe that if you want, but self-sovereign identity is slightly different, because it is basically the digital equivalent of what you have now. At the moment, I’ve got a bunch of credentials that I carry around with me, and there’s this sort of feeling that decentralised identity is a brand new thing, but it’s not. The government has given me this, and I can take it and present it anywhere I want, and in my wallet I’ve got a bunch of other credentials that I can take with me, I’ve got a driving license and I can present this anywhere I want.
It’s the digital equivalent of that. I have these things that I own, they’re given to me, this one particularly, by the government, but I can carry it around and I can present it and not be correlated everywhere I go, I can show it to you and nobody else needs to know about that, and I can show you a bit of it, or I can decide not to show it to you. So it’s the digital equivalent to doing that, and that capability has not been possible until the rise of decentralised ledgers essentially. Because the solution has always been let’s put it all in a silo, and then the question is who owns the silo and where does it sit and so on. The big advance that ledgers bring along is the fact that there’s no one organisation in charge. I can be given this, it can be revoked, but I still have the artefact and I could still prove that I’m a British citizen to you, but you can check that it’s revoked. That’s fine, maybe you’re not a British citizen, but I could still prove by my date of birth to you for example. So it’s about being in control and looking after these things myself, rather than relying on a Facebook to do it for me.
Elizabeth: I would agree with Andy that it’s sort of the digital version of the offline world, but I think there are two additional pieces to that, and I think Jason could also speak to this. I think the audit trail and the auditability of the public record is key. I think the other piece is the peer-to-peer nature and the lack of an intermediary. I think one of the differences now is if I wanted to provide my Bar certificate or law school diploma to someone, I’d have to go through either the Bar or my law school, which is very different from the model that we’re looking to build, where I could provide that myself without going to anyone for permission or control. I think it maps quite well to the GDPR and principles of data portability, and the ability for the individual to exercise those pieces in a way that we haven’t seen before. Jason, I don’t know if you want to mention the public ledger as well.
Jason: Yeah. I went on Sunday, I was one of the accelerators at the Blockchaingers hackathon — let me just say, it was as incredible as you saw on the screen, these people that were there. One of the things that I see a lot when people start to think about blockchain, one of the early mistakes that people will make with blockchain is they tend to want to put a bunch of records on this ledger. When you start dealing with personal information, when you start dealing with correlation, you start to think about how can we leverage the power of blockchain, without creating this immutable record that persists forever. And so really understanding, as we’re building solutions in this space, understanding why are we putting it on a ledger, that’s the key critical piece. We’d been very selective I guess, and we’ve learned the hard way, through a lot of trials and doing it wrong, selective about what actually goes on the ledger, and making sure that you’re using it to verify things, not to reference things.
David: I think we’ve got about five minutes left, so I’d like to throw things open to the audience. Do you have any questions?
Question: I guess one of the big questions most of us probably have got is how long do we think this would take to get it sorted?
Andy: It’s a great question actually, and the first speaker was talking about the network effect. The Sovrin ledger is there, it’s live, it’s in what’s called a provisional status now, there’s 29 stewards who are the organisations who run it, and projects have already started. We’re running probably about 15 proof-of-concept projects now, and that’s just Evernym. There’s other people doing all sorts of things with Sovrin at the moment, particularly in Canada, in the Nordics, in Holland as well, and what we’re seeing is use cases where you have an ecosystem which is relatively closed. It could be a company employee identity or employees that are qualified in a certain way, like if they’re able to trade financial instruments, they need to prove that. And other ecosystems, like proving you’re a doctor is a great one we have in the UK now, which has some hospitals, some universities # who do medical degrees, and doctors and other qualifying organisations, and they’re going to create their own ecosystems which will then start to overlap.
Then we’re seeing much larger ecosystems, like the credit unions in the US are all getting together to create something called CUID, Credit Union ID, where they’re going to all give all of their customers self-sovereign identity, which they’re going to primarily use to lock back into the credit union and identify themselves to their own credit union, but obviously every credit union member will have vouched name, address, date of birth from their credit union that they can use anywhere, so there will be a network effect. Early days at the moment, but it’s moving ludicrously quickly now.
Elizabeth: I think some of it is adoption and network effect, I think some of it is what Vinay mentioned earlier this morning about you can’t move faster than the speed of regulation, and I think we still have a lot of laws and regulations that are antithetical to this model of data ownership and the exercise of SSI. For example, there are regulations on record that still require username and password, so there are some that we’re going to have to completely overhaul and have better, smarter regulation before any of this can actually be adopted en masse.
Jason: I’m not an attorney, so I’m going to say something that Elizabeth will promptly correct me, but regulation I think is… Regulators strive not to be overly prescriptive, but they can’t really help it, because they have to identify, they have to put things in terms of what they understand in the world today. Self-sovereign identity changes a paradigm pretty fundamentally from what’s being done in the digital world today, and that paradigm shift is going to take some time to work through. There luckily are enough use cases that would benefit greatly from this that don’t need to wait for regulatory change, but I don’t know. Is that a fair way to say it, or would you correct some of that?
Elizabeth: I think it’s a fair way to say it. I think for broad adoption, they’re still going to need to sync with regulation. I think it’s hard for the regulators to keep up, but, as you say, their consideration is different as well. I think this is where the distinction between things like insurance and indemnity is really interesting. Someone mentioned earlier that a lot of people will conflate commercial risk with the regulatory risk, and I think it’s important to keep those distinct, because one can move faster than the other. One thing you see is the desire to have reasonable KYC in an ICO space; people lose sight of the fact that you can shift the commercial risk, but you can’t always shift the regulatory risk, and when you have something like strict liability offences for an OFAC violation, there’s very little you can do if you outsource those functions.
Andy: I think things are, on the governments’ side, moving quicker than I would have expected actually in a number of areas. We’ve got a couple of DMVs in the US working with the State of Illinois on birth certificates, giving people birth certificates in this way, and there’s work with various government organisations in Holland and in Finland at the moment as well. So it’s going surprisingly quickly, compared to what I thought it would do, on the government side.
Question: Just going back to the global perspective, at the beginning we had a sort of outline of three broad approaches to identity across different jurisdictions, for EU, US, and India and China being given as paradigms. I wonder how you see your approach to identity working with each of those, and does any of them present particular challenges?
Andy: That’s a really good question about trust frameworks, isn’t it?
Elizabeth: Well, I think it’s trust frameworks. I guess the three were the US model of the sort of business as usual, Wild West, the EU model moving from top-down to more of a…. flipping the paradigm, and then sort of the APEC model of top-down, state-controlled. I think we’re pretty squarely in the middle. This is my third week at Evernym, but from having worked in lots of jurisdictions, practiced in both the US and the EU and the Middle East, I think it’s definitely somewhere in the middle. These guys can speak more to that.
Andy: I think the important thing to understand here is that Sovrin is a sort of an infrastructural layer if you like. It’s a bit like the Internet: it’s not owned by any one organisation, and anyone can improve it and use it, and it allows you to do some things that you could never do before, using… My term is exotic crypto, because I’m not a cryptographer, but it allows you to do things like selective disclosure, zero-knowledge proofs, peer-to-peer transfer of information that can be validated and checked that it’s not revoked, without having to speak to anyone else — those are things that you could never really do before.
How that’s then used is a bit like the Internet. You could look at the Internet and say, “Well, how does it vary in different countries? What sort of websites can you do here and can you do there?” and so on, but the Internet itself is an infrastructure that allows you to build websites and exchange information in certain ways. Sovrin is a bit like that, it’s like an Internet for identity is probably the best way to think of it, and it allows you to take advantage of some of the most advanced crypto in the world, to do some things that you couldn’t actually action before, that vastly improve the way identity works. So you can layer on top of that a trust framework for eIDAS for the EU for example, you can layer on top of that something specific to the US, you can layer on top anything you want, just in the same way you can build any sort of websites you want on top of the Internet.
Learn more:
All materials from the conference http://internetofagreements.com/identity/
Mattereum https://www.mattereum.com/
Join the telegram https://t.me/mattereum
