Self-Sovereign Identity Principle #9: Minimization

The ninth guiding principle of Christopher Allen’s Ten Self-Sovereign Identity (SSI) Principles is minimization. This principle holds that when a user discloses identity-related information, the disclosure should be limited to what the task at hand actually needs, so that as little personal data as possible leaves the user’s control. For example, if a page only needs to know that a user meets a minimum age, the user should not be required to give the precise day, month, and year of their birth. Instead, the disclosure should be minimized to the bare minimum the check requires: at most the age in years, and ideally only whether the age threshold is met.

According to Allen, developers can support minimization, and so privacy, by implementing selective disclosure (revealing only chosen claims from a credential), range proofs (proving a value lies within a range without revealing the value), and other zero-knowledge techniques. Fundamentally, active minimization enables more privacy-preserving interactions between users and systems.
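The age example above and the selective-disclosure technique just described, worked through as an added example that is not code from the original article or from Allen’s work. It models the SD-JWT style of selective disclosure: the issuer signs only salted digests of the claims, the holder keeps the claim values and reveals a chosen subset, and the verifier checks what it receives against the signed digests. The issuer name, the claim names, and the sample values are constructed for the example, and the issuer signature is stood in for by an HMAC under a hypothetical issuer key; a real deployment would use an asymmetric signature such as Ed25519 so that verifiers never hold a key that can forge credentials.

```python
"""Selective disclosure of a single derived claim from a signed credential.

Added example (not from the original article). SD-JWT-style: the issuer
signs salted claim digests only; the holder reveals a subset; the verifier
checks each disclosed claim against the signed digests.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key (an assumption for this example; stands in for
# the issuer's private signing key, which an HMAC does not really model).
ISSUER_KEY = b"hypothetical-issuer-key-for-example-only"


def _canonical(obj) -> bytes:
    # One fixed encoding so issuer and verifier hash identical bytes.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _digest(salt: str, name: str, value) -> str:
    # The per-claim salt stops low-entropy values (booleans, years) from
    # being recovered by hashing candidate values and comparing.
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue(claims: dict) -> tuple[dict, dict]:
    """Issuer: sign the digests only; return (credential, disclosures)."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    digests.sort()  # sorted so digest order reveals nothing about claim order
    payload = _canonical({"iss": "https://issuer.example", "_sd": digests})
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list[str]) -> dict:
    """Holder: attach only the disclosures the verifier actually needs."""
    return {
        "credential": credential,
        "disclosed": {name: disclosures[name] for name in reveal},
    }


def verify(presentation: dict) -> dict | None:
    """Verifier: check the issuer signature, then that every disclosed claim
    hashes to a digest the issuer signed. Returns the verified claims, or
    None if the signature or any disclosure fails."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    signed = set(json.loads(cred["payload"])["_sd"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in signed:
            return None
        verified[name] = value
    return verified


def age_gate_demo() -> dict | None:
    """Constructed sample: the issuer adds the derived claim age_over_18 at
    issuance, and the holder reveals only that claim to the age check."""
    credential, disclosures = issue({
        "name": "Alice Example",
        "birth_date": "1990-05-01",
        "age_over_18": True,  # derived by the issuer from birth_date
    })
    presentation = present(credential, disclosures, ["age_over_18"])
    return verify(presentation)


if __name__ == "__main__":
    # birth_date and name never leave the holder; only the predicate is seen.
    print(age_gate_demo())
```

Two caveats a practitioner would want. First, this is selective disclosure, not a range proof: the issuer had to precompute `age_over_18` at issuance, so the predicate is only as current as the credential, whereas a real range proof lets the holder prove the threshold from `birth_date` without the issuer anticipating the question. Second, the salted digests are constant, so a verifier that sees the same disclosure twice can link the two presentations; unlinkable credential schemes address that, this hash-based scheme does not.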

How does minimization fit into the bigger picture of SSI?

Minimized data exchange can encourage users to adopt a self-sovereign identity. A key change brought about by self-sovereign identity is that interactions between systems and users can be carried out without the user identifying themselves in a way that reveals personal information. Interactions can instead be carried out through the exchange of attested permissions or Verifiable Credentials. A Verifiable Credential lets a third party (the issuer) attest to a user’s claim so that a verifier can check the claim without the user disclosing the underlying identifying data.

The European Union’s General Data Protection Regulation (GDPR) also requires data minimization. Article 5(1)(c) states that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. The regulation backs this with binding obligations and penalties that limit how much personal data private and public enterprises may collect, store, and use.

Closing Thoughts

When developing a decentralized protocol to facilitate self-sovereign identity, developers and system administrators must consider data minimization. Not collecting data the system does not need protects the privacy of users and shrinks what an attacker can take if the data store is breached. A leaner approach to data collection also benefits users and operators in the long term, since smaller datasets are cheaper to store, search, and protect than larger ones.

