Self-Sovereign Identity: Is This the Real Life or Just a Fantasy?
We continue to talk about potential uses of smart contracts in different areas. Today our topic is a bit different. Digital self-sovereign identity is not an area; it is a concept that will make our lives a lot easier. Moreover, self-sovereign identity will provide more room for smart contract usage between individuals, because processes will be automated.
The idea of self-sovereign identity is not new. In fact, its roots go back to the 1970s, when pioneers like Whit Diffie, Martin Hellman, and Ralph C. Merkle, the creators of public-key cryptography, aimed to help people protect their privacy in the new digital age of computers. Blockchain technology is the crucial breakthrough that is now propelling digital identity forward into the era of self-sovereign identity, a watershed powerful enough to reshape the future of the decentralized P2P economy.
Governments and companies are struggling to protect citizen and customer information from escalating cyber-attacks. This includes a major event that compromised over a billion identities. On the other hand, there is an increasing awareness among Internet users around the world that there is no free lunch. When you are not paying for a service online, you are the product, i.e. you are paying for it with your data. Data is literally becoming the fuel of the digital age, and the owners of that data literally have the keys to the future.
But before talking more specifically about self-sovereign identity, we should look at one of the curious constructions of the Internet: the term identity provider. You don’t need anyone to provide you with an identity, of course. You have an innate one by virtue of being human. Rather, so-called identity providers, or IDPs, provide you with an identifier, a means of recording attributes important to that provider, and some method of proving it’s you, usually a password.
This is not surprising since online identity has traditionally been viewed through the lens of an organization and its needs, not the individual and his or her needs. Identity systems are created to administer identifiers and attributes within a specific domain. The result: people end up with hundreds of online personas at hundreds of organizations. Each of these administrative identity systems is proprietary and owned by the organization that provides it; you really don’t have an online identity that’s independent of these many systems. Got a new address, or an updated credit card number? You’ll have to deal with each of these systems one at a time in whatever manner they require.
Now we can get back to the concept of self-sovereign identity. Self-sovereign identity means that we all are the makers of our own identity, online and off. Because they do not rely on any centralized authority, self-sovereign identity systems are decentralized, mirroring the way identity works in real life.
Offline, our interactions flexibly support the use of attributes and credentials from numerous third parties, all presented by the very person they’re about, typically by taking those credentials out of a wallet or purse and presenting them to someone else to verify. For example, take a driver’s license. States issue it as a credential that you’re authorized to drive. But it’s useful for a lot more. When you show up at a bar and the bartender wants proof you’re over 21, you show them your driver’s license.
Self-sovereign identity works great in real life, where we carry paper or plastic credentials with us; it’s been much harder to duplicate online. Online identity has suffered from five very real problems:
- The proximity problem: when you’re dealing with people at a distance, opportunities for fraud abound.
- The scale problem: online identity systems are based on business relationships and technical integrations to root trust authorities. All this is expensive and only done for high-value use cases.
- The flexibility problem: current identity systems are rigid, with fixed schema and use cases.
- The privacy problem: shared identifiers, like browser cookies, allow personal information to be accumulated and correlated behind our backs. Ongoing hacks convincingly show that big centralized stores of personal information are not safe.
- The consent problem: identity systems rely on universal identifiers like email addresses, phone numbers and even Social Security Numbers that make it easy for third parties to correlate behavior and keep tabs on people without their permission.
Self-sovereign identity systems solve these problems using decentralization and cryptography. Decentralized identity has been difficult because one of the core requirements of functional identity is discovery: if you give me an identifier, I need to look it up. In the past, this has always led to centralized directories, which led to centralized identity systems.
Distributed ledgers don’t solve the identity problem by themselves, but they do provide a missing link that allows things we’ve known about cryptography for decades to suddenly be used. That allows people to prove things about themselves using decentralized, verifiable credentials just as they do offline.
To be self-sovereign, an identity system must have certain key features:
- An identity that can be taken away isn’t self-sovereign. It must be persistent. Identifiers in a self-sovereign identity system are long-lived, non-reusable and owned by the person who creates them. People aren’t the only ones who need self-sovereign identities. Organizations and connected things also need them, and can use the same infrastructure as individuals.
- It should be peer-based. Sovereignty defines a border within which people have control and outside of which they interact with others as peers. People are in control of the relationships they form and the information they share, but others get to make the same choices. Self-sovereign identity systems aren’t client-server, but rather peer-to-peer.
- It should protect privacy. Self-sovereignty puts the person in control of how information is shared. Consequently, any identity system that doesn’t prevent correlation, minimize attribute disclosure, and provide for explicit consent puts people’s information at risk and removes it from their control.
- It should be easy to use. Self-sovereignty implies choice and control. Vendor lock-in destroys both. Identifiers and associated credentials must be portable and self-sovereign identity systems must be interoperable to protect choice and control.
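The minimal attribute disclosure described above (the bartender needs proof of age, not the whole license), as an added example that is not code from any project named on this page: an issuer signs salted digests of each attribute with Ed25519, the holder reveals a single attribute, and the verifier checks it against the signed set. The function names, the credential layout and the sample data are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// Digest binds attribute name, value and a random salt so hidden values cannot be guessed.
const attrDigest = (name, value, salt) => sha256(JSON.stringify([name, value, salt]));

// Issuer: salts every attribute and signs only the sorted list of digests.
function issueCredential(issuerPrivateKey, attributes) {
  const salts = {};
  const digests = [];
  for (const [name, value] of Object.entries(attributes)) {
    salts[name] = crypto.randomBytes(16).toString('hex');
    digests.push(attrDigest(name, value, salts[name]));
  }
  digests.sort();
  const signature = crypto.sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { attributes, salts, digests, signature: signature.toString('base64') };
}

// Holder: reveals only the chosen attributes (with their salts) plus the signed digests.
function present(credential, reveal) {
  const disclosed = reveal.map((name) => ({
    name, value: credential.attributes[name], salt: credential.salts[name],
  }));
  return { digests: credential.digests, signature: credential.signature, disclosed };
}

// Verifier: checks the issuer signature, then that each disclosed attribute is in the signed set.
function verifyPresentation(issuerPublicKey, presentation) {
  const ok = crypto.verify(null, Buffer.from(JSON.stringify(presentation.digests)),
    issuerPublicKey, Buffer.from(presentation.signature, 'base64'));
  if (!ok) return null;
  const claims = {};
  for (const { name, value, salt } of presentation.disclosed) {
    if (!presentation.digests.includes(attrDigest(name, value, salt))) return null;
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: a license-like credential; the verifier sees only over_21.
const issuer = crypto.generateKeyPairSync('ed25519');
const license = issueCredential(issuer.privateKey, {
  name: 'Alice Example', birth_date: '1990-01-01', address: '1 Sample St', over_21: true,
});
const shown = present(license, ['over_21']);
console.log(verifyPresentation(issuer.publicKey, shown));
```

The signature and digest list are identical in every presentation, so they still act as a correlatable identifier, and nothing here binds the presentation to the holder; real schemes add a holder key and a verifier-supplied nonce for that.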
The concept is still new and undergoing rapid changes. Standards for decentralized identifiers and verifiable claims are being developed. Ultimately, these systems should promote human dignity and protect the basic human desire for self-determination. Several self-sovereign identity systems exist now in various stages of development. We would like to briefly introduce the projects working on this concept:
- Sovrin. The project is based on the open concepts of DIDs and verifiable claims. Sovrin allows users to create digital credentials that can do for trust between any two peers on the Internet what packets did for communications between any two peers on the Internet.
- uPort. The project’s open identity system allows users to register their own identity on Ethereum, send and request credentials, sign transactions, and securely manage keys & data.
- Civic. A marketplace for the transaction of trusted identities. The platform provides multi-factor authentication without a username, password, third-party authenticator, or physical hardware token.
Implemented correctly, self-sovereign identity systems provide scalable, flexible, private interactions with consent despite the issues that distance introduces. More importantly, they support natural human activities without threatening the privacy or liberty of people who use them.
What do you think? How long will it take us to adopt this concept, at least partially? Leave your thoughts and comments in our Telegram group and in the comments section below!