Bruce Schneier, Blockchain and Self-Sovereign Identities

In case you don’t know who Bruce Schneier is, he is one of the security gurus of the last decades. For those of us who have been working in this industry, he is a key reference. For this reason, he has caused a big stir with his recent opinion published in WIRED, where he states “there is no good reason to trust blockchain technology”.

When you read the article in detail, you realize that his arguments and his criticism are mainly focused on public blockchains (aka permissionless distributed ledgers) and cryptocurrencies, but he extends the statement to all kinds of blockchains.

I was a bit shocked by such a radical statement coming from him. In 2016, Bruce Schneier participated in a Blockchain Workshop in Nairobi where he gave a keynote. The video of the talk is here and I would highly recommend watching it. Using mainly the same arguments that he lays out in his WIRED article, he arrives at a different conclusion. In his own words “blockchain has a certain value in some scenarios but it is not a panacea”. If I had the chance to talk with Bruce, I would ask him what made him change his mind.

I am more aligned with Schneier’s 2016 opinion than with his 2019 one. Although there is a lot of hype around Blockchain, it does provide added value that can be applied in different areas. One of them is Digital Identity, where very promising work is being done.

Blockchain Hype

The hype around Blockchain has been one of Blockchain’s main enemies. Weird initiatives like WhopperCoin or ICOs sponsored by Paris Hilton did not help the technology. I’ve been at events where some entrepreneurs said they planned to use Blockchain no matter what, just to attract investors. In many cases, Blockchain seemed to be “a solution in search of a problem”.

Lately, this is changing. We are entering a “crypto winter”. Cryptocurrency prices have taken a sharp fall (I hope nobody else will sell their house to buy bitcoins), many ICOs have been failures, and regulations are trying to put some fences around this space.

Some people think that we’re reaching the end of the Blockchain era, but in my opinion, we are just at the beginning. Once the noise and the hype are over, more real and valuable work will be developed with this technology.

Self-Sovereign Identities

Against this ocean of Blockchain hype, there are some promising projects. The work being performed around Self-Sovereign Identities (SSI) is an example. SSI is a term that was coined by Christopher Allen, another respected “security guru”.

It is a disruptive paradigm whereby individuals create their own Identity, control all the information (claims) related to it, and decide which part of it they share, and with whom, at any given moment.

There is a very good introductory video of Christopher Allen explaining the concept here.

The backbone of SSI is based on Blockchain, as the concept of decentralized Identities is completely aligned with the Blockchain distributed model of trust.

In his WIRED article, Schneier is very critical of Blockchain’s model of trust. He states that Blockchain shifts the trust from institutions to technology and that this shift creates new problems. For instance, if your credit card is hacked, you will probably get your money back, as the bank has mechanisms to detect that, insurance comes into play, and so on. If your Bitcoin wallet gets hacked, you have lost your money. When we analyze a system’s trust, it is important to point out that whilst security is something quite objective that is somehow measurable, trust is a very complex concept, and in many cases is subjective (Liars and Outliers is a great book that covers these issues).

In the realm of identity, trust is held by Governments in the physical world. They issue credentials to their citizens. But not all governments around the world are trustworthy parties, and countries could eventually disappear. This means that more than 1 billion people currently live without any officially recognized identity, as stated by ID2020.org, an organization that is trying to resolve this problem using SSI.

In the realm of digital identity, countries have tried to issue digital identity credentials, but those initiatives have been cumbersome and have not met expectations in most cases. The result is that nowadays our digital identity providers are parties like Facebook or Google, whose main business is to sell people’s information. In this context, shifting trust to a new scenario seems quite necessary.

The problem with digital identity is not new and there have been many attempts to solve it. Actually, many of the concepts of SSI come from PGP (designed in 1981). I remember 10 years ago, when I worked at a Certification Authority, that Privilege Management Infrastructure addressed that problem with Certificate Attributes, a very similar approach and technology to SSI. And there are other big initiatives, like Mobile Connect, trying to solve the same problem.

So the question is why now, why SSI, and why with Blockchain?

I honestly think it is a snowball effect. Blockchain, with its hype, made some experts re-address the identity problem with new tools. This led to initiatives like RWOT and to the creation of cooperative groups like the Decentralized Identity Foundation. Other standardization forums, like the W3C Verified Claims Working Group, joined the cause. Big players like Microsoft also took this path. And initiatives such as ID2020, Sovrin, and Alastria took off. In addition, international regulations like GDPR, and scandals like Facebook with Cambridge Analytica, created such a snowball effect that it is now difficult to imagine that it will be stopped.

In the end, Blockchain is just a piece of the puzzle (actually most of the “magic” of SSI happens off-chain) because it is not just about technology, it is about creating a new ecosystem of trust. But blockchain was the earthquake that got the snowball rolling.

The movement around SSI is relevant not just because it is using blockchain. It is because there is a big effort from different people, companies, and institutions to build an interoperable identity layer; it is because it makes it possible to comply with the laws and regulations about privacy (SSI is GDPR compliant by design and fulfills Kim Cameron’s 7 Laws of Identity); it is because it empowers people and protects their privacy; and finally it is because it is the biggest chance we’ve had in decades to solve the problem of Digital Identity on the Internet.