(This post is adapted from Chris Allen’s sublime blog post, The Path to Self-Sovereign Identity)
lifeID was founded with the vision that every person in the world deserves to own and control their identity. For lifeID and our worldwide community, the future of identity rests on the concept that controlling personally identifiable information (PII) — both online and in the real world — is a foundational right. This right will ensure a future with simple, secure digital identities; a future with password-free online experiences; a future where individuals can establish who they are, or verify facts about their lives, without intrusion or oversight from government entities or corporations.
Although there are several self-sovereign identity solutions in development within the larger blockchain community, they are all quite different. They share some common principles of self-sovereign identity, but not all. There is a definitional gap to be filled, establishing what we think are the foundational attributes of a truly self-sovereign identity. It is our goal to inspire discussion and agreement within our community on what comprises a self-sovereign identity, to ensure the success, integrity and sustainability of these solutions for people throughout the world.
In light of this, we hold these truths to be self-evident features of any self-sovereign identity solution.
The Self-Sovereign Identity Bill of Rights
- Individuals must be able to establish their existence as a unified identity online and in the physical world. A unified identity requires that people not only have an online presence, but that presence must function seamlessly across both online and real-world environments. One unified identity for all spheres of life.
- Individuals must have the tools to access and control their identities. Self-sovereign identity holders must be able to easily retrieve identity attributes and verified claims as well as any metadata that has been generated in the process of transactions. There can be no personally identifiable information (PII) data that is hidden from the identity holder. This includes management, updating or changing identity attributes, and keeping private what they choose.
- The platforms and protocols on which self-sovereign identities are built must be open and transparent. This refers to how the platforms and protocols are governed, including how they are managed and updated. They should be open-source, well-known, and as independent as possible of any particular architecture; anyone should be able to examine how they work.
- Users must have the right to participate in the governance of their identity infrastructure. The platform protocols on which self-sovereign identities are built must be governed by identity holders. By definition, if the platform is governed by a private entity or limited set of participants, the identity holder is not in control of the future of their identity.
- Identities must exist for the life of the identity holder. While the platform and protocols evolve, each singular identity must remain intact. This must not contradict a “right to be forgotten”; a user should be able to dispose of an identity if he or she wishes, and claims should be modified or removed as appropriate over time. To do this requires a firm separation between an identity and its claims: they can’t be tied forever.
- Identities must be portable. Identity attributes and verified claims must be controlled personally and be transportable and interoperable as desired. Government entities, companies and other individuals can come and go. So it is essential that identity holders can move their identity data to other blockchains or platforms to ensure that they alone control their identity.
- Identities must be interoperable. Identity holders must be able to use their identities in all facets of their lives. So any identity platform or protocol must function across geographical, political and commercial jurisdictions. Identities should be as widely usable as possible. Ultimately, identities are of little value if they only work in niches.
- Individuals must consent to the use of their identity. The point of having an identity is that you can use it to participate in mutually beneficial transactions — whether personal or commercial. This requires that some amount of personal information needs to be shared. However, any sharing of personal data must require the absolute consent of the user — even if third parties have a record of previously verified claims. For every transaction associated with a claim, the identity holder must deliberately consent to its use.
- Disclosure of verified claims must be minimized. For every transaction, only the minimum amount of personally identifiable information should be required and shared. If an identity holder wants to enable an age-related commercial transaction, e.g. buy alcohol, the only verified claim that needs to be shared is whether they are over 21. There is no need to share actual age, street address, height, weight, etc.
- The rights of identity holders must supersede any other platform or ecosystem entities. If a conflict arises between the needs of the platform or entities engaging with identity holders, the governance must be designed to err on the side of preserving these rights for identity holders over the needs of the protocols, platform or network. To ensure this, identity authentication must be decentralized, independent, and free of censorship.
Join us to discuss our self-sovereign bill of rights: