In the early 2000s, there was a lot of work around defining what digital identity was and how it could be used in a connected digital world. In 2005, Kim Cameron of Microsoft came up with a set of laws for a digital identity metasystem. He named them the “Laws of Identity.” Within the remit of these laws were some key ideas that outlined the tenets of “user-centric,” privacy-enhanced digital identity for all. These concepts, which focus on user-control, are behind the movement of self-sovereign identity.
Digital identity has come a long way since then. Identity Access Management (IAM) was once the preserve of the enterprise and controlled within the closed environment of the enterprise perimeter. Then the perimeter was smashed by hyperconnectivity and cloud computing, and then along came the ubiquitous consumer use of the Internet. In the midst of all of this, cybersecurity threats took hold and forced focus onto the protection of the very data that made up digital identity. All of these things changed the technical requirements of IAM systems, forever.
Whilst more traditional IAM systems morph to accommodate the new era of identity, a movement known as self-sovereign identity (SSI) is afoot in the digital identity space
A Quick Overview of Self-Sovereign Identity
Before I begin to dig into the weeds of self-sovereignty and its applicability to modern identity, I’ll give a quick overview of what it actually is — in a nutshell.
Self-sovereign identity is a system that utilizes a blockchain to manage a person’s digital identity and the attributes that it comprises. It is different from a traditional database-linked identity because blockchain is decentralized.
It is this decentralization of identity that is the key differentiator of self-sovereign identity. The attributes, or claims, that a user has that make up their digital identity are proofed (checked to be true) and a cryptographic hash of the information is registered to the blockchain. When a person needs to share these data, for example to access an online resource like a bank account, the bank can query the chain to get the information. The query can be via an eWallet that the user presents. Zero-knowledge proof methods (more on this later) are usually applied to minimize the data during registration and presentation and preserve privacy.
There are a number of companies building platforms that provide the blockchain and governance to make self-sovereign identity technically possible. The best known of these is Sovrin.
What Is Self-Sovereign Identity All About?
It has been said, time and again, that the Internet was developed without an identity layer. This has been an Achilles Heel of the Internet ever since. There have been a number of methods used in this new world order of digital identity to facilitate the widespread use of identity services. However, finding the right method has proved difficult as it means developing a ubiquitous, federated (connected) identity system, which is challenging (to say the least).
Some governments have been a driver for mass adopted identity systems. And those that are providing citizen identity tend to follow an “ecosystem” model using one or more centralized identity providers. An example is the UK Verify scheme which offers citizens a choice of identity providers supplied by commercial organizations (IDPs) each handled using a “hub” (government-hosted) which allows citizens to create a verified digital identity that they use across federated government services.
The issue with this type of system is that personal data is shared across the ecosystem and minimal disclosure of data is not attended to. The user-centricity of the ecosystem is attempted but far from perfect in design. The use of a hub to separate the government service from the commercial IDP is, in theory, supposed to act as a privacy enhancement component. However, ecosystems like this, rightly, or wrongly, have had privacy criticism aimed their way.
This privacy debate is also ballooning as more and more organizations, from Facebook to Amazon to your local shopping website, collect personal data, create accounts and then share these data across multiple connected silos of services.
Self-sovereign identity has come about to resolve the issues in the personal data privacy and control debate. It is designed to be user-centric by default, under the power of the identity owner and ultimately fully decentralized.
How Does Blockchain Fit In With the Self-Sovereign Identity Model?
Let’s examine what a blockchain is and isn’t. When we think of blockchain we most commonly think of cryptocurrencies like bitcoin. This is because the concept of a blockchain was the mechanism behind bitcoin. A blockchain is so called because it is a series of interrelated blocks of information — a chain of blocks or a “distributed ledger.” A block is immutable because it is created using a hash formed from the hash of the previous block in the chain. This is what differentiates it from a traditional database. In effect, you create a distributed digital signature that gives verification status to each block; if anything changes, the entire hash is changed, and the chain is then repudiated.
The use of a blockchain is not limited to currency. One of the key ideas behind blockchain is that it is decentralized. That is, it has no single point of control — no central user directory; the records are publicly verifiable. The identity community is exploring how this immutable record of decentralized data can be applied to digital identity.
Self-sovereign identity is about having true user control. The ethos is one where the user owns their own identity and determines, fully, its use. Or at least has the option to do so. The reality may be different, but this is to do with an identity power struggle within a given commercial ecosystem.
What self-sovereign identity does well is provide a mechanism, through blockchain, of immutable records of identity “claims” (attributes). These claims are persistent, can hold a verified status by trusted parties and can be privacy-enhanced. The result is called a ”decentralized identifier” (DID). A DID is an open standard being developed by W3C. A DID is a fully decentralized identifier which no central authority has control over: The only authority is the identity owner, you.
A number of companies are building platforms that can govern and develop Self-Sovereign Identity. One of the first in the field was Sovrin, who have developed a trust framework governed by “stewards” who take responsibility for the upkeep of the Sovrin distributed ledger nodes.
Out of the ideology of self-sovereign identity, a new update to the “Web of Trust” has begun. This working group is looking at the scope of application of self-sovereign identity systems and creating guides and advisories on using SSI. The Web of Trust is worth watching.
Self-Sovereign Identity for Good?
One of the contender uses for Self-Sovereign Identity is within the refugee community. Monique Morrow of Humanized Internet states that blockchain’s infrastructure “creates a ‘jurisdictional space’ that maintains individual privacy but also preserves traceability for verification purposes.”
Another example of self-sovereign identity for good is the potential to help reduce data exposure and cybercrime. Blockchain provides a network of verifiable transactions that use cryptographic methods to maintain repudiation — the data therein has a level of assurance it has not been tampered with.
Problems of Self-Sovereign Identity
Privacy and data minimization are key features of self-sovereign identity. The method used to achieve this is known as “zero-knowledge proof.” This is a cryptographic technique used to demonstrate you have something without actually showing that something. It is not a new concept. One of the reasons it has not had massive uptake as a technique is that it is complicated and has potentially large overhead in production systems. However, there are alternatives to zero-knowledge proof that could be used by SSI that use programmatic obfuscation.
The identity power struggle I spoke of earlier is between the service consuming an identity and data, and the owner of these data. Facebook is an example. They consume your identity (in the widest sense) to give you a service. However, the respect afforded by Facebook to your identity is questionable and recent issues of privacy have caused ructions for Facebook. Identity systems need to be built on mutual trust and respect built over time. It is how successful relationships in the real-world work and this is no different in the virtual world. For self-sovereign identity to take off, the commercial world needs to find models that work for themselves as well as for the user.
The Commercial Realities and Self-Sovereign Identity
Digital identity systems need to have mechanisms that provide trust, security, privacy, portability and usability. They also need to find strong commercial drivers to provide the infrastructure that hosts, manages and consumes those identities and the data that they comprise.
Self-sovereign identity has the potential to provide an infrastructure for self-managed identities that can remove the complex nature of federated services. However, to make it into production there will need to be a major overhaul of how digital identity is viewed by both the general public and by the consumers of identity — the commercial services.
The blockchain holds many of the answers to the problems that our evolving needs for digital identity are presenting. Work on perception and solving technological challenges such as heavy crypto use for privacy, need to be addressed. Perhaps the step up to self-sovereign will be baby steps, with blockchain appendages to consumer IAM first before making that giant leap for humankind.
The Laws of Identity, Kim Cameron
Bitcoin: A Peer-to-Peer Electronic Cash System, Satoshi Nakamoto
Rebooting Web-of-Trust, Web of Trust
Imagining Blockchain for Social Good, Monique Morrow
BitCardID: Visualizing the Blockchain, Avoco Identity