Self Sovereign Identity Promises to Return The Power of Personal Data Protection to the People
If you’re into Blockchain, Web3, or emerging technology in general, you’ve probably heard of self-sovereign identity (SSI) and identity tech at this point and its promise to develop technologies that return personal data to the people providing it rather than letting it sit precariously in the hands of businesses that have repeatedly failed to secure it. That may sounds like an exciting proposition, but understanding what SSI is, how it works, or where it’s being used is an entirely different story. If you want the background on SSI, this article’s got you covered.
SSI falls under the part of the Web3 movement to create a decentralized internet that deals with providing tools and services for identification and authentication. I used to not think twice about handing a bartender or door person my ID until a friend pointed out that handing over your ID means providing a complete stranger with a lot more information than they need to know to prove your age — full name, address, driver’s license number, etc. — and this happens all the time at a point in which personal information has become the primary means for accessing your valuables. Just because I trust my local bartenders and door people doesn’t mean I should have to compromise my safety by making extra information available to someone who doesn’t need it.
Whether or not you’re among the 10% of Americans who experienced identity theft in 2016, SSI offers a new way of thinking about digital identity that puts the user at the center of the authentication process. Think about it like this; instead of going to the DMV and getting a license with all of my personal information on it, imagine if I could register my identity with the DMV and then have the ability to create a QR code on my phone that says “I’m over 21” the bartender or door person can then scan without seeing the rest of my personal information.
The 3 Models of Digital Identity
We currently have three different models for identity: centralized, federated, and user-centric. Centralized identity is the most common: if you’ve ever made up a username and password to create an account with a piece of software or a website, you’ve used centralized identity. Applications using centralized identity require users to enter information into their database, often including personal data, and trust whoever built the application to secure that data and make sure it’s used appropriately.
If you’ve ever clicked a button to login to an application using credentials from other applications like Google, LinkedIn, or Facebook, then you’ve already made use of federated identity as well. As a user, you agree to allow the centralized third party (Google, LinkedIn, Facebook, etc.) to share your information with the application you’re logging into.
SSI turns the tables by providing a user-centric approach that allows users to maintain their own digital identities instead of relying on documents from centralized third parties. Like we mentioned in the example, it’s not that you won’t have to go to the DMV to get a license anymore, but once you do you’ll be able to print your own license with any of the information you’ve already verified with the DMV. In a nutshell, SSI is about how we refer to unique individuals, devices, or pieces of data in a digital setting and how we can tell that a person, device, or piece of data that’s communicating with us digitally is the person, device, or data we believe we’re talking to.
How Does It Work?
SSI uses blockchain technology to empower individuals to administer their own digital identities. The brilliant minds working on SSI have developed a protocol for the use of Decentralized Identifiers (DID’s) that temporarily connect things or events in the real world with a permanent digital record. A DID gets registered on a blockchain or other form of distributed ledger technology, which creates a public record that anyone can view. It’s important to clarify that using blockchain technology for SSI does not mean that your personal information will be recorded to the blockchain, but it does mean that a record has been established that someone could refer to and couple it with their own information to determine what that record is supposed to mean.
When confronted with SSI, those who understand that blockchains provide an immutable record of the information kept on the chain often question the wisdom of making personal information permanently available to the public; that is NOT how SSI works. A number of technical hurdles still need to be overcome before we see widespread adoption of SSI but those leading its development have recognized the value in establishing standards through a collaborative approach and hope to make it as easy as possible to build out new applications of identity tech.
What’s With The Name?
That’s a great question. “Self sovereign identity” is a mouthful and the phrase doesn’t exactly conjure images of hopeful new technologies. First proposed by Christopher Allen in 2016, SSI consisted of principles to guide the development of identity technology. The ten principles of self sovereign identity include: existence, control, access, transparency, persistence, portability, interoperability, consent, minimalization, and protection.
You can read more about them here and find other foundational writing on SSI in the self-sovereign-identity branch folder in the linked repo, but in a general sense the principles aim to define what “self-sovereign” means in the context of identity tech. In the same way #DeFi is about making financial tools, products, and services as widely available as possible, the principles of SSI aim to make tools, products, and services for identity as widely available as possible. However unfortunate the naming may have been, we’ll likely (and hopefully) see better names for SSI when the technology gets adapted to consumer devices. Will you opt for the open-source version, or go with the inevitable iSSID?
What’s Next For SSI?
In spite of the lack of awareness of SSI outside of tech circles, SSI has already seen a number of successful test pilots and implementations. Uport has been registering digital ID’s in Zug, Switzerland since 2017 and the government of British Columbia announced the launch of a directory of public, verifiable business data back in January, 2019. Created in partnership with the Sovrin Network, government-issued data will be made available in accordance with the coming W3C Verifiable Credentials standard with the goal of moving Canada toward a digital economy. In the corporate world, Evernym has partnered with R3 Corda to apply SSI credentials to services offered by R3 member banks and continues to lead the development of SSI technologies.
Tech-friendly governments in places like Canada, Estonia, and Switzerland have recognized the economic efficiency of identity tech and will be among the first to enjoy its benefits, but it will likely be a while before those of us in the United States get into a bar with a SSID. In any case, the development of SSI has been recognized as being critically important to the future personal data protection and will continue, under the largely open-source umbrella that it has been or otherwise. However its development shakes out, if you’re tired of hearing about massive data leaks from the same companies making billions of dollars off your data or dealing with identity theft because some business failed to store your personal data safely, then SSI should get you excited about finding a better way to secure private information!