[ARTICLE] What is Self-Sovereign Identity and should States be afraid of it?

by Pierre Noro

Who are you when you browse the Internet? This seemingly trivial question covers a very complex, deep, and fundamental issue in our online and even offline life. Ever since the emergence of the first computer networks and the invention of the TCP/IP “Internetwork Protocol” by Vinton Cerf and Robert Kahn, in 1974, digital identity has constantly evolved to enable more use cases, features, and services. While State-based digital identification remains very limited in our everyday life, we increasingly rely -sometimes without our full knowledge or content- on the convenient services of giant platforms such as Facebook or Google to handle our identity online, granting tremendous power to these economic actors. Drawing inspiration from cryptocurrencies, blockchain technologies might enable a revolution of digital identity, empowering individuals to own their data in more decentralized, user-centric systems. 

What is wrong with digital identity?

In order to assess someone’s reputation, create a common understanding and reduce counterparty risk, sharing one’s identity is essential to interact between entities who do not know or trust each other up front. As defined by Audun Jøsang and Simon Pope in 2005, one individual does not possess just one representation of her identity. Individuals present different sets of attributes, of “identifying” characteristics depending on the context and the entities they are interacting with. Each set of attributes constitute, in itself, “a persona” representing the individual who uses them, based on which an identity management system can assign a unique “identifier” to each user (Wang and de Filippi, 2019). For instance, a bank will require from a customer a very complete set of attributes, while a supermarket will be fine dealing with a less comprehensive persona.

Attributes can be temporary, transient or permanent, externally attributed (e.g. name, social security number…) or claimed by the person itself (e.g. pseudonym). In some contexts, an identity claim will suffice to enable an interaction, while more high-stakes situations will require the individual to prove her identity with credentials, most of the time using identifying documents issued by trusted-third parties. If some transactions require credentials issued by a financial institution or an employer, the State and its administration oftentimes acts as the primary authority responsible for managing the core identity of its citizens and residents through the maintenance of public records and civil registries and the emission of the issuance of official documents like ID cards, driver’s licenses, passports… Indeed, the centralization of the information at the State-level enhances trust in the identifying attributes that are certified unique, coherent, and trustworthy.

In the digital realm, we use a wide variety of identity attributes on a daily basis. Some are bound to the hardware we use, such as the MAC addresses of the device we use, some are attributed through communication protocols (IP addresses…), some are created by the user (pseudonym, email address…). We are even sometimes invited to submit digital transcriptions of our physical identity through the scanning of official documents. 

With the advent of the “Social Web” and the rapid expansion of digital platforms, the amount of data collected by online service providers increased dramatically. Tim O’reilly’s enthusiastic depiction of the Web 2.0 and its data-driven applications that “seek to own a unique, hard-to-recreate source of data” has been quickly followed by some harsh reality checks. While “digital personae” were getting qualitatively richer, with much more attributes collected by service providers enabling more targeted advertising and experiences tailored to the user, the management systems of these digital identities gave birth to many issues in regard to the excessive collection and misuse of personal data which are only becoming more blatant with scandals, whether they are leaks, breaches of privacy or political instrumentalization of personal information.

In the introduction of its working draft, the current W3C working group on Decentralized Identifiers lists some of the nefarious effects of digital identity attributes and identifiers escaping the control of the user: “They are issued by external authorities that decide who or what they identify and when they can be revoked. […] They may disappear or cease to be valid with the failure of an organization. They may unnecessarily reveal personal information. And in many cases they can be fraudulently replicated and asserted by a malicious third-party (“identity theft”).”

Self-sovereign identity (SSI), as the next step in the evolution of digital identity management models, would offer interesting solutions to better distribute power through a decentralized governance structure, allowing users to “own” their digital identity (Ferdous, Chowdhury and Alassafi, 2019). 

Using blockchain to decentralize identity while enhancing trust

The risks of seeing data-rich, personal identities governed and exploited by digital platforms have intensified over the years as digital identity management systems moved from siloted architecture, where each service provider would assign its own identifier to a user, to federated architectures, where one user could access connected services sharing a common identification system. Identity providers would act as gateways to service providers, the user enjoying a smoother experience thanks to “Single Sign-On” (SSO) authentification. Nowadays, many independent service providers trust large platforms such as Facebook and Google to authenticate their users through their identity management systems. 

This “Open trust”, user-centric model, although highly convenient, entails a centralization of digital identities within platforms through the collection of massive amounts of data throughout digital ecosystems. Moreover, those collection processes are rarely transparent and constitute a “hidden cost” for the users who might not assume that clicking on “Log in with Facebook” might grant access to their navigation data on an unrelated website. This data collection is then used to deepen the user’s persona and thus further reinforce the value of the Identity provider in a positive feedback loop.

In a context of new emerging trends, such as eGovernment or the “Internet Of Things” (IoT which defines the intensification of interactions between humans and connected machines on various networks), where the “interconnectedness of people,  services and device” became increasingly central in our society and economy, members of the global academic and technical communities elaborated many attempts to break away from those models and design “secure digital identities” based on new foundations of privacy and trustworthiness (Uwe Der, Stefan Jähnichen, Jan Sürmeli, 2017).

Coining the term “self-sovereign identity” in a very influential blog post, Christopher Allen established ten principles for an identity system that could “balance transparency, fairness, and support of the commons with protection for the individual.” Those ten principles, existence, control, access, transparency, persistence, portability, interoperability, consent, minimalization and protection, depict a user-centric system where users enjoy full ownership over their privately stored identity data. On an ad hoc basis, users can transparently authorize a service provider to access the minimum amount of attributes without depending on an intermediary. In Allen’s vision, this ambitious system would therefore not “cancel” the benefits of data economy or worsen user-experiences but would protect privacy and prevent any centralization in one or a handful of trusted third parties.

This vision echoes many of the characteristics of blockchain technology. Keeping things at a very basic level, blockchain relies on a decentralized, secure, and immutable ledger to record information that is available across the entire network, but only readable to the parties of a transaction. Blockchain users are identified by a pair of public and private keys, which cryptographically ensures the ownership of their assets as well as a certain level of privacy. Indeed, the private key is always kept secret (losing it means losing ownership over any asset it is associated with) and can be used to generate different public keys, creating alternative public “personae” which can be associated with different attributes whose access is controlled by users through the cryptographic signature of their private key.

As “second-generation blockchain” infrastructures being able to execute small applications (often called “smart contracts”) rose to prominence, a flurry of independent projects emerged to build digital identity systems achieving SSI principles. Most of them are built on “permissionless” public blockchains. uPort, Civic, and Jolocom are all based on Ethereum while Sovrin decided to create its own infrastructure exclusively dedicated to SSI. Other consortium-based projects, especially supported by financial institutions but also by humanitarian NGOs, are taking a less open approach, like KYC Chain or ID2020.

If they vary in their technical implementations, most of them let users handle a portfolio of Decentralized Identifiers (DIDs) associated with a verifiable claim, an attribute or a set of attributes that have been cryptographically signed as authentic by a known verifier, with the consent of the user. DIDs, which is a W3C standard (World Wide Web Consortium), allow users to interact in a “semi-trusted” environment, presenting service providers with identifiers they fully control. Those identifiers are only backed by credentials that verify the claim without disclosing any further proof, as long as the verifier is also trusted by the service provider. Users can choose who will certify which attribute of their identity then disclose granular pieces of information about themselves, without intermediaries.

Use cases are numerous. For instance, in theory, a bank could sign a DID certifying a user has cleared the KYC (Know-Your-Customer) process and is eligible to open an account, lowering the cost of switching to the competition. Citizens could request their State to verify their age -or even just confirm they are above 18- and use this DID to prove they can access a betting website without disclosing any further information about themselves, thus limiting the risks of privacy leaks. More importantly, candidates to a job could circumvent potential discrimination using DIDs to prove their qualifications without revealing their other attributes.

It is worth noting that implementing an SSI system on a blockchain remains a technical challenge. The immutability of the ledger makes the enforcement of legal measures such as the “right to be forgotten” particularly difficult. As underlined in the EU Blockchain Observatory and Forum report dedicated to Blockchain and Digital Identity, SSI implementations should aim to minimize the data irrevocably stored on the blockchain. Finally, the storage of the users’ private keys remains an issue, as those needs to be properly and individually secured, since any decentralized process to recover lost keys seems difficult to envision.

Nonetheless, as digital platforms garnered considerable economic power and influence, endorsing a role traditionally held by public authorities and thus, filling in the Internet’s “absent native identity layer”, as Kim Cameron, chief architect of Identity for Microsoft, put it in 2005, SSI systems might be a game-changing opportunity for States to reinvest the space of digital identity, to break Big Tech’s domination, and to better protect the rights of their citizens.

Self-Sovereign Identity as an opportunity for States to preserve their authority and better serve their citizens

Back in 2009, the OECD was already publishing a document for policy-makers explaining how confidence-strengthening digital identity systems are crucial to the “growth of the digital economy” and could be an “enabler for e-government, e-commerce, and social interaction”. Estonia is also often referred to as a pioneer when it comes to the digital public policy, as the young Baltic State built part of its famous X-road digital administration on Guardtime’s Keyless Signature Infrastructure (KSI). 

Although not a blockchain according to its creators, the KSI shares some common characteristics of decentralization, encryption, and data-ownership with distributed ledger technologies. It plays a core role in the national eResidency program and is used by Estonia, which often refers to it as a blockchain in its official communication, to secure many public records and services, such as the Healthcare Registry, Land Property Registry, Business Registry, Digital Court System, Official State Announcements… This public digital infrastructure enables a digital identity solution that follows the principles of SSI. For instance, a citizen can give selective access to her health records and will always be able to check who read and/or modified what kind of information.

Many ambitious SSI projects are focusing on providing a strong digital identity for migrants, refugees, and displaced persons. The ID2020 consortium, which recently caught the public eye due to Covid19 related conspiracy theories, is a large public-private consortium initiated by Microsoft, Accenture, and several United Nations agencies seeking to give a user-owned digital identity to the “over 1 billion people worldwide [who] are unable to prove their identity through any recognized means.” Despite its ambition, the two years old consortium is supporting only two pilot projects in Thailand and Indonesia. 

Some UN agencies have been quicker to implement SSI-inspired solutions for migrants and refugees, such as the World Food Program’s Building Blocks initiative. Launched in 2017, this program helps around half a million Syrian refugees securely access humanitarian aid and transferring funds within the humanitarian camp thanks to a permissioned blockchain ledger and biometric authentication. Working with the UN as well as with the government of Sierra Leone, microfinance non-profit Kiva is ambitioning to provide every Sierra Leonean citizen with a decentralized, blockchain-based identity. The National Digital Identity Platform, whose primary goal is to allow its users to “open or access an account at any financial institution in the country”, is scheduled for deployment by the end of 2020.

Public support to the development of self-sovereign identity management infrastructures is not limited to countries facing a large “identity-less” or bankless population. Blockchain technologies are one of the pillars of the Smart Dubai strategy and the United Arabic Emirates recently announced that the Covid19 pandemic has accelerated the transition of its citizens towards UAE Pass, its blockchain-based digital identity system. 

In Europe, the July 2014 electronic IDentification, Authentication and trust Services (eIDAS) regulation laid the framework for a European-wide interoperable and transparent digital identity system, prefiguring some of the SSI tenets. According to this regulation, from September 2018, EU citizens can use their national electronic identification (eID) in every Member-State. Facilitating the Digital Single Market, citizens and companies can also access a European market of recognized “Trusted Services” whose certifications and authentications are legally valid across the European Union. Several other contributions in this dossier are dedicated to the European efforts to build an international public blockchain-based SSI infrastructure and how it would fit within the eIDAS framework.
Although a new and still evolving concept, Self-Sovereign Identity has inspired many initiatives around the world to build, on top of a blockchain infrastructure, more responsible and privacy-oriented identity management models. By creating a new framework where traditional, paper-based identities are failing, by enabling safe, transparent, and trustworthy digital interactions between individuals, businesses, and governments across borders, or simply by restoring States as essential trusted-third parties instead of digital platforms with a predatory appetite for personal data, SSI is a promising tool for governments to reclaim part of their digital sovereignty and protect the rights of their citizens. If they clear the many technical hurdles to achieve decentralization, data-ownership, interoperability, and user-friendliness, projects such as the European Blockchain Services Infrastructure might change our -not just digital- life for the better.

Pierre Noro is lecturer at Sciences Po School of Public Affairs and Digital, Governance and Sovereignty Chair coordinator