Decentralized Identity: The Dawn of the Self-Sovereign Individual

Decentralized identity has been a much discussed topic among developers since the invention of the internet. In recent years it gained further relevance due to numerous data breaches and the rise of blockchain technology. With Microsoft’s pre-release of its decentralized identity network ION, the development received the long-overdue media attention. In this piece we take a look at the evolution of digital identity, Microsoft’s decentralized identity network, and how decentralized identity could contribute to the digital transformation.

Key takeaways:

• Microsoft is the first major tech company to release a public, permissionless, decentralized identity network that implements a protocol (ION) on top of the Bitcoin blockchain.
• Our current digital identity is fragmented over dozens of apps, rented to us by centralized entities and linked to overloaded identifiers (email, social network).
• New compliance regulations put significant pressure on enterprises in terms of cost and administrative burden.
• Decentralized identity could pave the way to a new web era with serverless apps, credential markets and decentralized messaging. As well as provide identity to over one billion people who are unable to prove their identity.

On May 13th, Microsoft announced an early preview of its decentralized identity network. While previous blockchain-related announcements from major companies (e.g. JP Morgan, Facebook) have been controversially discussed within the Crypto community, Microsoft’s approach to decentralized identity has been met with a largely positive response. This is primarily due to Microsoft’s strategy to embrace the open source community. In fact, their network, called ION (Identity Overlay Network) comes out of collaborative work at the Decentralized Identity Foundation (DIF) of which Microsoft is a founding member and which brings together many of the companies and projects that push the boundaries of identity on the internet. To be fair, a lot of enterprise infrastructure is built on Microsoft products, which would profit a lot from a real identity layer built on open standards. On the other hand, companies like Facebook benefit disproportionately from their data silos giving them a hard time to figure out a business strategy to embrace blockchain technology.

ION: Microsoft’s Decentralized Identifier Network

Microsoft’s ION constitutes a public, permissionless, Decentralized Identifier (DID) network that implements a protocol on top of the Bitcoin blockchain. It leverages a blockchain-agnostic protocol called Sidetree, another development coming out of the DIF (see figure below with Bitcoin as the target blockchain). Sidetree is a second-layer solution that supports scalable Decentralized Public Key Infrastructure (DPKI) on top of a ledger. The ledger itself is not necessarily required to be a blockchain, but is favored in almost all recent developments. Microsoft currently uses the Bitcoin testnet and prepares to switch to the mainnet in the coming months. Other popular alternatives are the Ethereum and the Sovrin network (see here for a full registry of DIDs).

Apart from a choice of the ledger, Sidetree can also connect to a file storage where users can store their private data that might be required for verification or authentication (such as a university diploma or a passport). This storage can in theory be at home, but will most likely leverage cloud infrastructure or a decentralized protocol such as IPFS (Interplanetary File System). One of the main challenges is to ensure secure storage, modification, extraction and communication of private data in centralized cloud systems while maintaining user ownership and control over it with no possibility for the cloud provider to interfere. In case of ION, Microsoft decided to go with Sidetrees IPFS but is also running their own Azure node according to Daniel Buchner, the lead for Decentralized Identity at Microsoft. In fact, other companies, users and entities might run their nodes on their own infrastructure as some of the early partners in the ecosystem might do.

Update: An earlier version said that Microsoft plans to transition from IPFS to its own Azure cloud storage in the future. This was of course wrong. Thanks Daniel Buchner for pointing that out.

Source: Decentralized Identity Foundation, Sidetree component overview.

The Evolution of Digital Identity

Compared to other blockchain use cases Decentralized Identity seems to mostly fly under the radar of (social) media coverage despite (or maybe because of?) its groundbreaking importance for the next digital era. To understand the impact of decentralized identity we have to first take a look at the evolution of digital identity.

Digital identity is a fairly new concept and has evolved ever since to include further personal information that resemble more and more the personal or physical identity that we usually associate with the word identity. While at the beginning of the century people would only give their names and emails to a website, nowadays everything including private videos, photos, shopping items, calendar entries and much more is stored in centralized data silos. In his 2005 essay The Laws of Identity Kim Cameron, Chief Identity Architect at Microsoft, defined digital identity as

(…) a set of claims made by one digital subject about itself or another digital subject.

He goes on to describe a digital subject as

(…) a person or thing represented or existing in the digital realm which is being described or dealt with.

It is no coincidence that the concept of digital identity, outside of purely technical low-level specifications, was introduced only a decade after the internet. The Sovrin foundation, a non-profit organization that develops a digital identity network based on the concept of self-sovereign identity, mentions in their whitepaper The Inevitable Rise of Self-Sovereign Identity that

(…) the Internet’s addressing system is based on identifying physical endpoints (machines) on a network. People are not endpoints on a network. Therefore, the Internet has no way to uniquely identify people. Because the Internet can’t identify people, websites and applications must do that job.

For a long time websites and applications have been only concerned with data management as a technical requirement. Although there have always been people advocating for stronger privacy-enhancing technology (the Cypherpunks movement, development of PGP, etc.) it was only when data became a resource, exploitable on a massive scale by machine learning algorithms, that digital identity was acknowledged as the digital counterpart to personal identity. Christopher Allen, co-chair of the W3C Credentials Community Group, distinguishes four major developments in the evolution of digital identity:

1. Centralized Identity is the most common version. Examples are domain owners such as e-commerce shops who are in control of their domain and any account registered with them but can’t port the customer identity outside of it.
2. Federated Identity increases portability by outsourcing identification processes to federations. This can be a simple Login-By-Facebook or the use of a government issued digital ID for various governmental services. The initial idea of multiple authorities being in control of user identity quickly turned into oligopolies or domination by a single company.
3. User-Centric Identity puts the user in control of his data. However, the intent was never realized and due to technical barriers and lack of user experience often ended up in the hands of a single provider. This can be large social networks or smartphone OS that let you control app permissions but can take away control at any time. As Timothy Ruff, CEO and Co-founder of Evernym points out in his essay: “you’re still a user and not the owner, and that means the underlying service is siloed or federated, not self-sovereign. (…) In simple terms, with SSI [self-sovereign identity] you can fire your service providers without losing your data or relationships, which you can’t easily do when you are a user.”
4. Self-Sovereign Identity (SSI) is the final step that keeps the portability of the previous phases, but ensures control and ownership of all aspects of your digital identity. However, the fact that identity is in part defined by relationships means that SSI never grants absolute control over identity, since it is not desirable to lose identity if one party decides to terminate the relationship. Think for example of a government taking away your citizenship. Thus, in SSI third parties still exist as a way to establish trust in the network. The fact that the self-sovereign part in SSI seems to suggest otherwise is the reason why many have been unhappy with the term. However, the rise in Blockchain technology brought up another term that seems to acquire adoption very fast: Decentralized Identity.

The User: Resident in a World of Fragmented Identity

Decentralized identity has the potential to fix many identity-related issues that were laid open by various data breaches and hacks. Currently, our digital identity is fragmented across numerous websites without any control and ownership of the data and mostly secured by username/password combinations. The increasing importance of digital services in our everyday lives has led to a massive increase in accounts. In the US, an average of 130 accounts are linked to one email address, and even outside the western world the number stands at a staggering 92, with the number of accounts doubling every five years. Despite the advances in password management tools, only 12% of Americans use a password manager (+18% if you consider browser password managers, although there might be an overlap). The rest prefers a mix of memorizing or writing down strategy which vastly increases the risk of reuse or loss/theft. On the other hand single-sign-in tools, most commonly offered by social networks such as Google or Facebook, just further diminish privacy. Even if these companies fully respected data privacy they are at best a single point of failure as demonstrated by many hacks and data (model) abuses in the past. This adds to an ever growing amount of personal data being digitized, while stored in the cloud and interconnected to an array of digital services, our identity goes beyond simply a digital identity. It now reaches deeply into personal privacy and security where full ownership and control are key to establish a sovereign (digital) individual and progress to the next step of the digital transformation.

The Enterprise: Data as a Liability

The rampant scandals due to hacks and data abuse in recent years have led to rising privacy concerns in the public. Policymakers stepped in to pass laws enforcing strict data protection for all companies, which store private data, most notably Europe’s GDPR. Despite its success, this has put a significant burden on companies in cost and administrative effort to comply with the law, ironically favoring those with the highest budget and manpower. According to Fortune, the total cost of the Fortune 500 companies will amount to $7,8 billion. The IAPP (International Association of Privacy Professionals) reports that 500,000 European organizations have registered data protection officers (DPOs) within the first year of GDPR with the average DPO’s salary in Europe being $88,000. And Microsoft has confirmed their commitment with more than 1,600 engineers working on GDPR related projects.

Additionally, global efforts to control financial flows have led to tighter AML (Anti-Money-Laundering) and KYC (Know-Your-Customer) laws across the globe. In the US, compliance with KYC has driven up customer on-boarding costs by 19% from 2016 to 2017. Some major financial institutions spend up to $500 million annually on KYC and customer due diligence, according to Thomson Reuters. While customer on-boarding time increased by 18% in the same period. At banks the average on-boarding time for customers is now 24 days with more than half of all banking salespeople spending 27% of their week on-boarding new client organizations, according to GLEIF (Global Legal Entity Identifier Foundation).

Taking all this into account, Vitalik Buterin, the Co-Founder of Ethereum, argued that data has slowly become a liability rather than an asset. The first year GDPR report very well underlines this observation in light of a growing number of complaints and data breaches now totaling 281,088 across all EU countries. With more and tougher data privacy regulations the situation is unlikely to change, especially when taking into account the perceived rise in awareness of data protection rights and demands for answers from major technology companies.

The Path to Decentralized Identity

These statistics show that Decentralized Identity shouldn’t be viewed as a technology to liberate the user from the “evil corporation”. Instead, unlike current regulations, it is a digital solution for a digital problem. It has the potential to significantly reduce the friction of digital processes and ease the mounting compliance liabilities faced by enterprises while putting the users in control of their identity.

In 2005, Kim Cameron laid out the seven laws of identity. Later in 2016, Christopher Allen, co-chair of the W3C Credentials Community Group, drew on these and additional frameworks (The Respect Trust Framework, W3C Verifiable Claims Task Force FAQ) to write down his ten principles of self-sovereign identity. Foundations like the DIF, regular workshops like the Internet Identity Workshop (IIW) and community groups like the W3C Credential Community, are constantly working towards open standards of a decentralized identity layer on the internet.

Although it is still early in the world of Decentralized Identity a lot of work has already been done to lay the groundwork. How early shows the fact that the specification of Decentralized Identifiers, the very core of the identity network, currently stands at version 0.13. Apart from Microsoft, multiple companies have achieved important milestones in driving the development of decentralized identity. Just to name a few:

• Blockstack, a decentralized computing platform that already has 141 apps built on its network, recently released the second version of its technical whitepaper, providing information on the latest full-stack architecture.
• The Sovrin Network is now used by the Government of British Columbia. It has recently announced to launch a searchable directory of public, verifiable data issued by government authorities about businesses in British Columbia.
• Evernym helped the Canadian province of Alberta to launch the Alberta Credentials Ecosystem (ACE). An ecosystem of the provinces leading organizations to join forces in exploring how they can each engage as issuers and verifiers of digital credentials. They plan to run live proof-of-concept pilots with real citizens later this year.
• uPort is partnering with ABC Platform to unlock universal access to the market of hard-to-trade commodities, such as diamonds, through decentralized solutions for KYC and AML

Decentralized Identity is still in its infancy, but once the foundation is laid it opens up wider opportunities beyond single-account authentication. Apps wouldn’t need to store all the personal data. Instead, they could be built “serverless”, using APIs to access particular files in any user-controlled storage. In this case the user could easily grant or remove access rights depending on the situation. Credential markets, similar to ACE above, would expand to ensure a smooth and transparent issuance and verification of credentials. Financial services, like taking out a loan could profit from almost instant processing improving customer experience and reduce compliance costs. Messaging could become really secure, peer-to-peer and independent of correlatable identifiers like email and phone number. Finally, we could provide a secure and unique identity to over 1 billion people who are unable to prove their identity through any recognized means leaving them unprotected by the law. It could be the enabler of a truly digital era.