Skip links

Self-Sovereign Identity – A Possibility for More Data Control for Users

The internet was originally designed without an identity layer, which means, that even tough two devices can connect and interact online, it is difficult to guarantee that the one you are interacting with is who they claim to be. It also means that currently there do not exist any global digital identity solution that you can use for all your interactions online. To solve this problem different types of digital identities have been created: centralized-, federated- and user-centric identities.

You know the centralized identities from creating a profile on online platforms. Because a global digital identity solution currently does not exist, you must provide the same information such as your name, address, email, phone number and age every time you register to an online service. The centralized identities are a silo-based solution, and neither your login information nor your activity on platforms are portable. This means that your digital identity exists in many small pieces with several companies knowing different information about you. This also means that you must create a unique password for every profile you make, which can be cumbersome, and many tend to use the same password more than once. All of this creates security risks since your personal data is being stored and managed by many entities and because a password breach might give access to several of your accounts.

An attempt to address these issues are federated identities that are being offered by companies such as Facebook, Microsoft, Google and Apple and also governments. Here companies or governments manage your data in centralized system and distribute the information to other digital services when you need to register or log-in. This gives you a single-sign-on solution to make your online activity easier. However, a federated identity is still silo-based, since it only can be used with web services that accept this solution. If you for instance want to open a bank account, you cannot use your Facebook account to prove your identity. A reason for this is the risk of fraud. Since you yourself provide the information of your online identity, such as your name, address, and age, it is very easy to make a fake identity. Federated identities issued by governments are more trustworthy. But they are only issued to citizens of their own country and can only be used for a limited selection of online services and often only nationally.

When using a federated identity solution, you therefore need to trust the entity managing your data, since they have access to information of, not only who you are, but also when, where and how often you log-in to services. This gives them an opportunity to monitor and map your online activity and share this knowledge with others. A federated identity solution might be more convenient, but it does not give you of your data and users often are not aware of which information is being shared with third parties. The current digital identity solutions therefore create ethical problems when users must choose between security, privacy and convenience, since many choose easy solutions that might compromise their online security or personal privacy.

A third generation of identity solutions that is currently being developed and taken into use is self-sovereign identities (SSI). This type of digital identity is a user-centric identity solution that allows you to be in control of your data and only share the strictly relevant information. An example would a situation where you need to prove that you are of age. With an SSI you can document that you are over 18, without disclosing your exact age. Another example is documenting that you have received a specific vaccine, without disclosing information about all the vaccines you have ever gotten or other sensitive health data.

Self-sovereign identity exists in a system of identity -owners, -holders, -verifiers and -issuers. The owner is the person having the identity e.g., Sofia Nelson, the holder (also sometimes called a wallet) is the entity that stores the identity for the person. The issuer grants the credentials, this could be a university issuing a diploma or the police granting a driver license. The issuer could also be a private company e.g., a bank documenting a customer’s creditworthiness. The verifiers are the ones checking that the credential is trustworthy and true. In this system the users can be in control of their digital identity and decided how much information they want to reveal to whom and when. Furthermore, their data is portable and are therefore not lost if a customer or user decides to switch to a different service provider.

There are currently being developed many SSI solutions with the common goal of being interoperable. The aim is to break down the silo-structure of digital identification and create safer online interactions with more data control for the users. Standards are being developed by W3C, EU and others, but nothing is yet written in stone. When designing the SSI solutions developers must be aware of technical, ethical and security pitfalls. Christopher Allen have created 10 principles for self-sovereign identities, to ensure safe and ethical SSI solutions. These principles encompass: Existents, Control, Access, Transparency, Persistence, Portability, Interoperability, Consent, Minimalization and Protection. SSI solutions must be designed to protect privacy and give data control to the users and allow them to disclaim as little information as possible. Furthermore, SSI must ensure transparency, interoperability, and transportability to guarantee an open and fair system for the users.

But also, the general populations’ computer skills must be taken into account when designing the solution, along with legal considerations of whether individuals should be allowed to sell sensitive data, such as health data to third parties. If it is legal to monetize personal data, users can be tempted to share personal data in a way that might harm them later e.g. sharing health data and later being denied an insurance. Monetization might also create a gap in the society and the world, having rich people prioritize protecting their privacy while less fortunate citizens might feel like they have no other option than selling their data. Thoughts about the monetization of data need to be considered in a legal context as it has been done with the donation of blood, when creating a self-sovereign identity solution. Furthermore, safeguard measures must be made against discrimination like only providing identity for a selected few, and to ensure that everyone have equal access to creating a trustworthy digital identity.

Self-sovereign identity solutions are being used today but they are still not worldwide adopted or acknowledge. The promise of an ethical digital identity solution makes the development and evolvement of SSI worth pursuing, even though there still exist practical, legal and ethical challenges that needs to be reflected on.

Signe Agerskov is a member of the European Group on Blockchain Ethics (EGBE) and is researching blockchain ethics at the European Blockchain Center