There’s an old adage in advertising: if you’re not paying for the product, then you are the product. That same quip may as well have been made about the average online experience. Most websites, after all, are free at the point of use. Banners explaining cookie collection and analytics, however, are a daily reminder that numerous parcels of our personal data – our phone numbers, images, email and real mail addresses – are zipping around the internet and frequently landing in corporate databases, completely out of our hands.
All of this makes for a needlessly impractical online experience, as users struggle to remember passwords for multiple accounts and corporations spend exorbitant sums on securing personal data for thousands, if not millions of customers. But there is a better way, suggest privacy campaigners. A system of self-sovereign identification (SSI), they say, would redress the balance of power between the consumer and the corporation by creating a single, secure space for verifying one’s identity – one that would force businesses to explicitly ask users for permission to use their personal data every time they need it. Different forms of identification such as passports or driving licences can be verified by the acknowledgement of their validity, rather than a copy of the whole entity. This ensures no extra data, like gender or date of birth, can be scraped by the company demanding proof of identity.
All that remains are the technicalities of operation – of which there are many. Many advocates of SSI, for example, believe that such a system cannot work without relying on blockchain technology to successfully verify an individual’s identity, although others argue that it’s entirely possible to build such a framework without recourse to technology that remains largely unproven outside cryptocurrencies and trade finance. Fundamentally, the interoperability of such a scheme is open to debate. While SSI may prove revolutionary in rebalancing the relationship between the individual and the corporations online, how such a system works between nations – especially those with divergent policies around data localisation and surveillance – remains unclear.
In some ways, the theory behind SSI has already entered the market – albeit in reverse. Big tech giants already provide interested consumers with the means to create and craft a single, online presence from which they can interact with much of the rest of the internet. But while ‘Would you like to log in with Google’ has now become a familiar refrain for millions of users, this framework still entrusts the personal data with an acquisitive search engine all too eager to monetise buying and browsing habits en-masse.
Even then, only a minority have signed up to such a system, with a poll last year conducted by security firm LastPass finding that 90% of respondents had up to 50 different online apps and accounts. It’s a natural consequence of the internet’s growth into a truly global network, explained blockchain security technologist Christopher Allan in a recent blog post. “As the internet grew, identities were increasingly balkanised,” wrote Allan. “They multiplied as websites did, forcing users to juggle dozens of identities on dozens of different sites – while having control over none of them.”
It’s left researchers like Avivah Litan, an expert in AI and the blockchain at Gartner, wondering whether this federated framework for digital identity is sustainable in the long run. “The current paradigm of users having to prove their identity repeatedly across online services is not efficient, scalable, or secure,” says Litan.
This is what SSI should help to improve, Litan hopes, by creating a system wherein only parties authorised by the user can ever have access to the latter’s personal information. “By establishing trust, privacy and security through identity attributes contained in decentralised verifiable claims, decentralised identity provides a more secure alternative to storing identity information centrally,” he argues.
This concept should become more popular over the coming decade. “Already 10.2% of the global online population own cryptocurrency, accessed via wallets that users can leverage to manage their Web3 identity data,” says Litan. By 2025, she predicts, at least 10% of users under 20 years old will have a decentralised identity wallet on their mobile device for managing their identity attributes.
Others have argued that the concepts of decentralisation and the necessity of blockchain have become needlessly conflated in SSI. The concept, argued Andreas Freitag of identity startup Jolocom in an essay last year, was dependent on cryptography, not distributed ledgers. Blockchain wasn’t necessary, he wrote, to guarantee a secure SSI platform. “It would even be possible to use existing PKIs (Public Key Infrastructures),” said Freitag. “It only has to be ensured that privacy of the holder is ensured, and that no third party receives information about the use of the data.”
While this line of thinking might seem logical to an aficionado of cryptography, however, such reasoning is likely to pass most laypersons by. That touches on another challenge impeding the further development of SSI: comprehensibility. For the concept to truly gain momentum, argues Sten Tamkivi, a partner at venture capital firm Plural, its advantages have to be clearly understood by the public at large.
“Very often, people prefer to use the path of least resistance rather than using a difficult system,” argues Tamkivi. “Despite the benefits it would give, self-sovereign identity is a really complex thing to try to explain to your mother.”
Making self-sovereign identity interoperable
The same applies to the state, which would doubtless be left with the task of building a regulatory framework around SSI should it gain momentum as the future of digital identity. There are national governments that have warmed to the concept. The Philippines and Morocco have both committed to using a privately-developed, open-source digital identity framework called the Modular Open-Source Identification Platform (MOSIP).
The system works by providing citizens with a temporary Virtual Identification Number that provides one-time authorisation for a data request from a company. The data is stored on a separate channel where the requesting party does not have access. This party will be given a Token ID to verify the existence of the requisite data. This token ID remains the same for future transactions with the party. However, the token can be revoked at any time by the owner of the data. Criticised by some as being functionally too similar to India’s controversial Aadhar biometric identity system, uptake of MOSIP has nevertheless been strong, with some 71.7 million people enrolled into different versions of the scheme across Asia and Africa.
The EU has also developed its own decentralised, digital identity system. eIDAS 2.0, a successor to the Electronic Identification, Authentication and Trust Services Regulation of 2014, also incorporates elements of self-sovereign identity. In time, its implementation may lead to a form of SSI taking hold across the EU, building the momentum for the framework to go global. However, questions remain to be answered as to how such a system would interact with other national projects – in particular, whether the core elements of bringing control of personal data back to the user would have to be necessarily adapted to fit international trade deals or comply with a new wave of data localisation laws.
Even so, Tamkivi remains optimistic that self-sovereign identity will have its day, and soon: “SSI on the Blockchain is a massive opportunity to take the idea of giving citizens control over their own data into open source software that anybody globally can use.”