The State of Self Sovereign Identities
September 30, 2019 — Erik Trautman
What do we mean by identity?
Throughout our lives, we take on different identities. What we identify ourselves with ranges from the state identity provided at birth to the identities that we assign to ourselves and that are given to us by others. Depending on the communities that we interact with, we are inclined to tell different stories about yourself. The goal may either be to stand out and portray a unique individual or to blend in with the crowd.
In personal interactions, we can shift our attitude and character depending on the group we engage with. Thus, our counterparty will be able to recognize and respond with an adequate form of interaction. This form of selective disclosure of information is not possible in formal interactions, such as by the government-regulated entities, nor on social media. Users are forced into a split between providing all information and gaining access to a service or product, or refusing access and risking censorship, exclusion, or even becoming subject to state-enforced violence. As a result, personal credentials are scattered across platforms.
When signing up for a new service, the user has to decide between various trade-offs, one is to opt for usability over privacy, another one is the ease of use and the level of inclusion in one’s social circles. The less you know about someone, the harder it is to interact with that person. Similarly, no single entity has the need, nor should be given the right, to access all data that has been generated and gathered on a user.
However, throughout the centralisation of social networks and user-centric services, access to those vast amounts of information has unrightfully been claimed and exploited.
The following section provides an overview of several projects that are working on alternatives to the problems mentioned above. In the most general form, solutions allow users to register and store their identity credentials. Depending on the entity that they are interacting with, the user can provide access to individual attributes that make up their identity. Imagine this to be similar to Facebook Sign-In, with the difference of you owning your data instead of Facebook. Being able to modify the set of information disclosed on every sign-on will allow users to shift and shape their identity in accordance with social situations.
We can differentiate between two broad types of identities, self-sovereign identities and centralised trusted identities. Self-sovereign identities allow users to own and control their identity without the need or influence of an external entity. In contrast, centralised trusted identities rely on a centralised body to provide and verify documentation. Both are designed for different use cases.
The following section provides an overview of three different digital identities, none of which utilise a blockchain.
State-maintained digital identities
The first one being state-owned and maintained identities. If you have travelled abroad, purchased a car, or signed a rental agreement, the chances are high that you were in need of a passport or ID card. The main problem with formal documentation is that they require the establishment of an authority that is globally recognised. According to the World Bank, an estimated number of 1 Billion people do not have access to any documentation. To participate in daily activities, individuals have to rely on the trust of their community. Interpersonal trust is not only highly time-consuming to establish but also makes the participation in legal interactions, such as voting or buying a house, impossible.
Several European countries started developing, testing and implementing digital identities, intending to make government services more inclusive. The principle is that once citizens have access to a government-issued identity, they can reuse the credential for all digital services. The most established implementation is in Estonia. Estonia’s government provides an e-residency to all of its citizens. Once users have the government-issued ID card, they can access a wide range of online services, including health records, medical prescriptions, sign e-documents, and vote.
A similar implementation has been provided by u-Port throughout a pilot program in Zug, Switzerland. U-Port allows its users to register their identity and interact with the Ethereum blockchain. After enrolling with the city hall and u-Port, users have to go to the city hall to verify their identity. Once approved, users can interact with financial services.
Germany and other states are currently working on identity solutions that are based on the same principles. Resulting, those will all run into the same problem: Government-issued digital identities are dependent on the government to provide the necessary infrastructure. If this infrastructure is not available, the e-identity will not be of much use, resulting in the chicken and egg problem.
Self-sovereign identities rely on cryptographic solutions, such as the web of trust, to establish higher confidence in the information that users provide on a platform. The premise hereby is that a user has more credibility within a given system, the more people know him/her and approve of her/his identity. Note that the purpose is not to uniquely identify someone’s identity based on whom they claim to be, but instead based on who they are in relation to everybody else.
If the only credential that is known in the system is a user’s public key, members of the system can sign-off each other’s public keys to build trust-relations. Depending on the implementation of the web of trust, users gain more trust from other users in the system, the more people that have signed-off their public key. The same mechanisms can be implemented in the form of a voting ring, whereby users have to become endorsed by those users, they verified prior. A user will only be trusted if (s)he is part of a cycle of trust. Blockchain-based implementations that rely on the web of trust are Sovrin and brightID.
An alternative to the web of trust is to identify users based on what they have. Consensus solutions rely on a similar premise. To gain trust in the system, users have to provide value. In case they behave maliciously, the value provided will be taken away. Ultimately, the more value a user is willing to provide to the network, the less likely (s)he will want it to be slashed, and the more trustworthy the user will be.
An example of a non-blockchain-based system is Scuttlebutt. Scuttlebutt is a decentralised social network, in which users identify themselves with their public key, which is linked to the user’s device. All data that the user generates and collects from other users lives on the user’s machine. Resulting, the relationship between humans correlates to the relationship between computers.
Currently, there is none “solve it all” solution for decentralised identities. Depending on the use case, different identity solutions will be utilised to generate, store and maintain the user’s identity. Blockchain will become most important in providing secure data storage of people’s credentials, whether a central authority issues those or approved by a network of users. Currently, people keep their most relevant information, such as health records, offline and linked to an analogue, state-issued ID. While the data can be lost, they can only be copied if someone gains physical access to the document. In contrast, any information that is kept on a centralised server will become vulnerable to unauthorised access if it has not been encrypted on the user-side by the user’s key.
Utilising blockchain architecture can remove the need for all middlemen, while the control will remain with the user. This will not only lead to higher security if done right but also empower users to take ownership of their identity generation, maintenance and usage. Once creators don’t have to base their business model around the implementation of use-case-specific identities, unprecedented applications can emerge.
We rely heavily on personal, organisation, and state-issued identities in our day to day life, often forcing us to compromise privacy for usability. While government-issued IDs rely on a trust-enhancing infrastructure, organisations collect and exploit user data in exchange for access to online services.
Solutions are either based on self-sovereign identities or centralised trusted identities, with the common goal of empowering the user to hold and provide access to their personal information. If the infrastructure is in place, governments are working on ID-based e-identities. These employ centralised storage, providing a common attack vector. In contrast, decentralised identity solutions utilise the web of trust or unique value that an individual offers to the network. With this, identity is based on the trust people provide to each other depending on interactions.
While several projects experiment with decentralised, user-owned identities, an application has yet to emerge that provides users with self-sovereignty, usability, and trust.
To follow our progress and learn how you can get involved, check out the following links:
Join the community: