The regulatory environment is becoming ever more stringent for companies that collect and process clients’ personal data. The fines for non-compliance with modern data protection laws (such as the GDPR) are extensive, and the reputational damage from mishandling personal records seems irreversible. There’s also the general public’s growing distrust of corporations and government bodies, caused by frequent reports of their inability to protect databases from hacking and data breaches.
The “traditional” digital identity management model is fundamentally flawed.
Self-sovereign identity (SSI), according to many, can resolve these issues. The core principle behind SSI systems is putting end-users in complete control of their identity data and allowing ordinary people to sign digitally and verify claims/transactions without third-party involvement.
In this post, we’ll discuss in detail what issues SSI platforms are attempting to fix.
The evolution of digital identity
Identities encompass all the determining characteristics that make an entity (a person, a business, etc.) distinguishable. A digital identity is a snapshot of a real identity that’s created, typically, for a specific domain.
Currently, our digital identities are siloed. People’s personal records are stored on centralized servers that belong to corporations such as Facebook, Google, Yahoo, etc., and everyone is required to maintain a great multitude of personal accounts, which aren’t really theirs to control, in order to interact with various platforms and access services.
Employers create digital profiles for their staff members so they can act within organizations’ virtual spaces, and the federal government, too, links personal data to accounts so that people can pay taxes.
The problem is, these authorities can also revoke access, delete and alter users’ accounts as they see fit.
As new stringent regulations come into force, companies are obligated to put effort into restructuring their data processing activities and making identity processes more user-centric; they must be able to prove they’ve obtained explicit consent before collecting and using personal info or sharing it with a third party.
This puts individuals, as opposed to centralized service providers, in the middle of the identity process and grants them more control. But in no way does it provide autonomy.
Besides that, personal records are still stored on vulnerable centralized databases – data honeypots – that hold enough economic value for malicious actors to mount attacks on them.
It is for those reasons that the concept of self-sovereign identity has emerged and proliferated. SSI systems, typically hosted on blockchains, set out to give users not just administrative rights but also exclusive ownership and control of their identity data.
The definition and the specifics of how SSI systems should be implemented are still fluid. Some believe self-sovereign identity should be addressed as a mathematical policy and that cryptography should be used to enforce the individual’s rights and protect them even against state-level actors. Others think there must be certain legal policies that ensure the networks maintain users’ privacy and only use personal data as authorized.
Though debates are still going on as to the proper way of execution, most seem to agree on the ground rules every SSI platform should be guided by.
What are the principles and defining characteristics of self-sovereign identity systems?
- An individual is the only authority capable of giving permission as to how and in which context their personal data is to be used. Individuals are able to update or refer to their personal records; no other entity can monitor, manage, alter, suspend or delete a user’s account.
- The identity must be transportable and interoperable. Storing personal information with a single third party – no matter how credible – is unsafe, as there’s no guarantee it won’t, at some point, start acting maliciously or disappear completely from the web. Digital identities, therefore, are portable (users should be able to carry them around), not restrained to a single network’s ecosystem, and not limited by any geographic boundaries.
- Transactions with minimum exposure. The users of SSI platforms are able to disclose personal data selectively and omit the details unrelated to the task at hand. The entire SSI ecosystem strives to limit the exposure needed to complete a transaction and the tools that can support this rule, such as zero-knowledge proofs, are adopted widely.
- SSI must focus on users, not service providers. In contrast to the traditional centralized (or federated) digital identity model, where the identity provider ultimately holds all the power, SSI ecosystems are designed with a user’s interest at heart. In case there is a conflict of interests between an ID network and an individual, the rights of the latter are always maintained and prioritized. This is only possible if the authentication algorithms used in the ecosystem are decentralized, tamper-proof, and censorship-resistant.
- The administrative procedures used by identity networks must be open-source and transparent. There can’t be any secrecy as to how the networks are managed and updated. Each modification is recorded and the algorithms by which the networks operate are independent, to a reasonable degree, of any particular architecture; at all times the system is open for reviews.
- Users must be able to maintain persistent identifiers. The data and claims associated with an account might be changed/updated over time. The private keys might be rotated also. But the identity itself stays valid for as long as the user needs it to exist and there are mechanisms in place that allow restoring access to an identity in case a user loses their private keys or the device holding them. One of the ways this could be achieved is by tying the accounts to individuals’ biometric data.
- A right to be forgotten should be maintained. A user is able to retrieve, without undue delay, any claims or data he or she no longer deems necessary. The network a user operates in doesn’t keep hold of the data the user wants to see erased; there are no secret copies or gatekeepers.
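The "minimum exposure" principle above can be made concrete with salted hash commitments, a simpler mechanism than the zero-knowledge proofs the list mentions. This is an added example, not code from any SSI platform; the function names and sample claims are hypothetical, and an HMAC stands in for the issuer's public-key signature so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key: stand-in for the issuer's signing key (assumption).
ISSUER_KEY = secrets.token_bytes(32)

def claim_digest(salt, name, value):
    # The per-claim salt stops a verifier from guessing hidden low-entropy
    # claims (a birth year, a country) by hashing candidate values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def sign_digests(digests):
    # HMAC stands in for an asymmetric signature; with a real signature the
    # verifier would need only the issuer's public key.
    msg = json.dumps(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to every claim, sign only the list of digests."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(claim_digest(salts[n], n, v) for n, v in claims.items())
    return {"digests": digests, "sig": sign_digests(digests)}, salts

def present(credential, claims, salts, reveal):
    """Holder: disclose only the named claims, each with its salt."""
    disclosed = [[salts[n], n, claims[n]] for n in reveal]
    return {"credential": credential, "disclosed": disclosed}

def verify(presentation):
    """Verifier: check the signature, then each disclosed claim's commitment."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["sig"], sign_digests(cred["digests"])):
        return None
    revealed = {}
    for salt, name, value in presentation["disclosed"]:
        if claim_digest(salt, name, value) not in cred["digests"]:
            return None  # claim was altered or never issued
        revealed[name] = value
    return revealed

# Constructed sample identity data.
CLAIMS = {"name": "Alice Example", "birth_year": 1990, "over_18": True, "country": "NL"}

if __name__ == "__main__":
    cred, salts = issue(CLAIMS)
    print(verify(present(cred, CLAIMS, salts, ["over_18"])))
```

The verifier learns that the issuer vouched for `over_18` and nothing else; the other claims appear only as salted digests.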
The importance of not getting carried away
Though many in the blockchain community are enchanted by the idea of complete independence from authorities, it’s crucial to recognize that an outright refusal to cope properly with existing regulations can hugely undermine an SSI ecosystem.
The countries and the communities we live in all have established laws that govern and restrain our behavior. Most governments and financial institutions agree there needs to be a set of regulations and KYC/AML standards in place to prevent money laundering and other fraudulent activities. Refusing to engage with regulating bodies on these concerns would put an SSI system in hot water with the authorities who will then pull every lever they can to limit its reach.
We can’t expect a shady platform on which unlawful acts are potentially being committed to be allowed to interact with government-regulated healthcare structures, and, therefore, the identity ecosystem will be severely limited.
It’s possible to defiantly refuse to collaborate with governments and completely ignore all of their requirements. We can still build an SSI platform on a blockchain that no regulating body will be able to shut down. However, such an approach might turn out to be very short-sighted; governments can restrict the individuals using such platforms from paying taxes with them, or renting a car, etc., and the users will have to create separate identities, involving centralized authorities, to complete such transactions. This is the polar opposite of what the SSI movement is trying to achieve.