Do You Control Your Identity?
Written by OMERS Ventures associate Lauren Epstein.
Every individual has the right to control his or her identity.
At first glance, this statement may seem uncontroversial — even obvious. However, although we may have that right in theory (or we ought to, at the very least), we do not have it in practice.
What we are talking about here is self-sovereign identity, the concept that an individual should have complete power over her identity, which is the collection of characteristics that differentiates her from others. But we don’t have that power. Our identity — including our citizenship, birthdate, driver’s license status, credit history, blood type, Starbucks loyalty status, and Costco membership — is almost universally controlled by third parties, typically the organization that issues or verifies the credential in question.
A few of us here at OMERS Ventures have been thinking about self-sovereign identity (also known as digital self-sovereignty) in part because recent developments in the area dovetail with two of our areas of focus:
1) privacy and data-ownership (written about here in the context of a recent investment in privacy-oriented search company DuckDuckGo); and
2) blockchain (most recently written about here, in which we touch on some of our existing investment in blockchain, which include OB1, Citizen Hex, and Digital Currency Group).
Why self-sovereignty now?
Although not a new idea, there has been a recent surge in interest in self-sovereign identity in conjunction with the rise of concern about data ownership and privacy. In the last two years, these issues have burst onto the public consciousness as a result of various highly publicized data breaches and abuses.
According to the 2018 CIGI-Ipsos Global Survey on Internet Security and Trust, 52% of global users are more concerned about their privacy than they were one year ago. These fears are not just centered on black hat hackers and rogue agents; 63% report that their own government was a source of their concerns about privacy, and across the board, users reported a high level of distrust of social media platforms, search engines, and internet technology companies.
Centralized governments, organizations, and corporations have increasing power over our identities at a time when individuals are producing more data than ever before. Think about what the totality of your internet search history might say about you.
We are identity serfs — bound to the records and verifications regulated and controlled by other people and organizations. We do not have self-sovereign identity because we do not possess or control the foundations of that identity, which are instead under the power of external third parties: local and national governments, agencies, organizations, schools, banks, and even Costco.
This concentration of identity creates several problems including single points of failure weaknesses, honey pots for bad actors, and vulnerability to centralized manipulation. Concentration also often leaves individuals without recourse in the event of one of these scenarios — i.e. if the credential is lost, there is rarely an effective way to retrieve it.
Initial waves of internet innovation have held the promise of putting power back in the hands of individuals, but instead power is more centralized than ever. However, that could be changing, and self-sovereign digital identities is one means to propel the flow the other way.
What would self-sovereignty look like?
To combat the problems outlined above, a self-sovereign digital identity must provide the individual with immutable control over each aspect of her identity (the collection of characteristics that distinguish her from others) and must not be dependent upon the existence or cooperation of any third party.
There are three necessary core characteristics.
1. Trusted Issuance and Administration
An identity credential is only as valuable as the trust we can place in it. These credentials must be issued and administered in a way that is transparent and prioritizes the rights and interests of the individual identity holders as opposed others, such as those that control the network.
Although most of this discussion focuses on the benefits that accrue to individuals through self-sovereign identity, the benefits to the issuing organizations should not be overlooked. Trusted issuance reduces the incidence of fraud, which is bad for issuers as it increases both complexity and cost of administration while decreasing the credibility of the credential being issued (e.g. people fraudulently claiming that they have a degree from a particular school).
2. Individual Ownership
Individual ownership is a core and essential characteristic of self-sovereign identity. Without it, there is no self-sovereignty, which we can think of as the ‘self’ having supreme power or authority.
Ownership is a collection of rights over a certain thing. In this case, it must include control, access, and consent. The individual must be able to decide where, when, and how she wants to use, store, hide, share, modify, or delete aspects of her identity. This level of control also requires the ability to share selectively and with precision (i.e. just the specific data you choose to share, instead of the entire record).
Ownership in the context of identity also requires that a credential not expire other than as initiated by the individual. In other words, it must be persistent.
3. Third-Party Independence
In order to achieve true self-sovereignty, the identity must be independent of any third party, including the party that issued the credential. This is one of the key departures from the current system of managing identity, in which credentials reside within the power and control of the issuers, including government authorities (e.g. driver’s licenses), health care organizations (e.g. health records), financial institutions (e.g. banking and credit information), academic institutions (e.g. degrees and accreditations), and others (e.g. club memberships, loyalty points, user access).
Instead of having to rely on your alma mater to verify that you received your bachelor’s degree (which, having earned it, should be a component of your identity that you “own”), you should be able to control access to and verification of that credential independent of the academic institution.
Moreover, the credential must persist beyond the lifespan of the issuing organization. In practice, this means that if your school ceases to exist, you maintain the ability to provide verification of your degree. Similarly — and significantly — if the government of the country in which you were born is overthrown or collapses, your identity would not be tied up within that maelstrom but would freely travel with you.
In other words, the identity must be interoperable — able to be deployed how the individual chooses — and portable — able to be physically or digitally moved without restriction.
The challenge then is to create a system in which the various facts and credentials that collectively make up an individual’s identity have trusted issuance and administration, individual ownership, and third-party independence.
How can self-sovereignty be achieved?
This is not a new problem, and some have been working on it for a long time. However, what is new is the collection of capabilities uniquely provided by blockchain. On a basic level, blockchain’s decentralized ledger technology has the potential to deliver the characteristics we seek.
First, it can provide a method of trusted and fraud-free issuance of credentials. This is particularly true with open-source projects, but can also be executed by issuing organizations (e.g. a government agency) through a blockchain platform that provides such a service.
Second, blockchain enables mechanisms (through technology such as decentralized identifiers and private keys) that facilitate true individual ownership of identity. Theoretically, the individual would be able to access, control, possess, change, and selectively share the identity through the sharing of keys or other permissioning tools. An interesting side-effect of blockchain-based ownership is that new capabilities emerge, most notably the ability to monetize your information. If you own your health data, for instance, you could decide to contribute it to research or analytics and receive compensation (or a donation tax credit) in exchange.
Third, blockchain has the potential to create identities that are truly third-party independent. Through the use of open-source projects and if properly crafted, digital credentials can be vendor/issuer agnostic and outside the influence of any third-party. Significantly, blockchain provides decentralization, creating a system wherein credentials are confirmed by many actors across a network, instead of one centralized authority.
Blockchain is not a panacea. At this stage, it still suffers from significant limitations. For instance, at the moment, it is completely impractical for an individual to have possession of a series of private keys that provide the single point of access to her entire identity. The ways such a situation could go wrong are numerous.
Another question is how to deal with the changeable nature of certain components of identity. A government could not issue a digital driver’s license credential without some ability to alter it, should the individual lose their licensing status (permanently or temporarily). In this sense, certain identity credentials cannot be immutable in the traditional blockchain sense.
Also, a key question is how to motivate blockchain-oriented companies to create a system where they are issuing a digital asset over which they will have no control and from which they cannot directly profit on an ongoing basis. That being said, there are some engaging in this space and monetizing primarily through the issuance of identity credentials. There are also some open-source projects like Blockcerts.
Perhaps the most critical problem is inertia. This proposal contemplates a foundational transformation of how we manage our credentials. There is a clear chicken-and-egg problem as to how to get the ball rolling to initiate the transition to digital credentials.
We are not there yet. But many are working on digital self-sovereign identity and there has been some encouraging progress.
The potential of blockchain technology combined with increased concern about individual privacy, data ownership, and the concentration of informational power within a small number of large organizations may yet spur productive innovation toward finding a workable system to achieve digital self-sovereign identity.
If you are building a company in this space, please reach out. We would love to learn more.