Empowering humans for a digital age and global economy via Self-Sovereign Identity
This article is based on the article Self-Sovereign Identity in a Globalized World: Credentials-Based Identity Systems as a Driver for Economic Inclusion by Fennie Wang and Primavera De Filippi.
The term “identity” can be defined in different manners as for example in psychology regarding personality, beliefs and other personal attributes. From a legal standpoint, an identity can be associated with the concept of a “natural person”, an actual human being, or a “legal person” which might refer to a company, collective or community.
In science, identity formation is recognised as an ongoing and liquid process, whereby a person’s identity is developed over the course of the years, and constantly evolves as a result of the interactions with the person’s environment. Therefore, identity management system must be designed in such a way as to be sufficiently flexible, resilient, and dynamic to accommodate the variable and complex nature of human identity.
When designing an identifier, an institution or a system that can identify humans, in order to facilitate the process of identification and authentication, it is often desirable that an identifier be able to identify a person in a unique and unambiguous way. This requires an identity management system to fulfil at least two basic criteria:
- No two people should have the same identifier (unicity)
- No one person should have more than one identifier (singularity) in the same domain.
For example, in the case of the Internet, the most fundamental identifier is the IP address, which makes it possible to route packets from one machine to another until it reaches the right machine. Another example are cryptocurrencies and blockchain-based system, where identifiers are generally managed with public/private key pairs, which uniquely identify the wallet holder. The private key is necessary to execute transactions to and from the blockchain address identified by the public key.
There are also vital differences between public, private and permissionless blockchains. For example, in public and permissionless blockchains like Bitcoin or Ethereum, operating without any centralized authority or intermediary operator, the nodes maintaining the network (“miners”) operate without association to a particular given identity.
Another example is the system of permissioned blockchain, where a centralized entity or consortium is in charge of identifying or policing the nodes that maintain the blockchain ledger. In such a system, the key pair controlled by each miner is generally associated with real-world identities and their ability to police and punish behaviours, thereby enabling permissioned blockchains to dispense with some of the security measures that anonymous and permissionless public chains must use as Proof of Work or Proof of Stake.
In a centralised identity system, the centralized authority must collect personal information to ensure the singularity of any given identifier issued into the system. However, such a system is generally expensive and bureaucratic and subject to data abuse, and cybersecurity risks.
For example, in 2012, India has launched the Aadhaar identity management system, using biometric data to identify its 1.3 billion inhabitants, many before that lacked any formal identification. Participation in the Aadhaar system has become a requirement for Indians to receive welfare benefits, sign up for mobile phones or register at school. However, such a system has raised concerns from civil liberties groups with multiple lawsuits before India’s Supreme Court whether such a system violates India’s constitutional right to privacy.
Social inclusion, migration and ID22020 Alliance
At the current moment, around 1.5 billion people, mostly living in Africa and parts of Asia, are excluded from accessing basic services due to their inability to prove their identity. At the same time, according to the UNHCR10, there are currently over 70 million forcibly displaced people as a result of conflict or persecution, 25 million of which are refugees — mostly from Syria, Afghanistan, and South Sudan. There are also approximately four million stateless people, who have been denied a nationality, and therefore have been cut off access to basic services and rights.
New systems for identification, as via blockchain and self-sovereign identity could improve things as by providing the following possibilities:
• Inclusion and access to essential services such as health care and education, electoral rights, financial services, and social safety net programs;
• Effective and efficient administration of public services, transparent policy decisions and improved governance — particularly to reduce duplication and waste
• More accurate measure of development progress in areas such as reduction in maternal and infant mortality.
In the case of refugees lacking proper identification, in particular, digital identity could be used as a means to identify specific individuals or families who are eligible for cash aid or other types of benefits.
The ID2020 Alliance has shown particular interest in blockchain technology, as a possible solution to provide digital identities in a way that is both traceable and immutable, and potentially not under the control of one single company or organization. One of the fundamental requirements defined by ID2020 for digital identities is that identities remain portable and that people retain control over their personal data by choosing with whom it can be shared and for what purposes.
Problems and risks with biometric data
A decentralized solution, as via SSI, would enable people to maintain full control over their personal data but the lack of a centralized database of identities would make it difficult to guarantee the “unicity” and “singularity” of these identities. One identified solution to offer a persistent identity from birth, without the need for a centralized authority in charge of assigning a particular identifier to each person, is to rely on biometric data to generate a unique identifier associated to every individual.
Biometrics may be relatively more secure than existing authentication systems. Still, the use of biometrics within an identity management system may raise significant security and privacy risks, depending on how biometrics are used, stored, and permissioned. For example, biometrics stored in centralized systems, without mitigating data access policies or security design measures may be subject to greater security risk than if the data were stored locally on the user’s device.
Another example is regarding cryptocurrency because it is important not to use biometric data as the seed of the private key unlocking access to cryptocurrency funds. Otherwise, anyone who can acquire access to an individual’s biometric data would be able to derive that individual’s private key, and therefore unlock the cryptocurrency funds. Even if a decentralized blockchain infrastructure like Bitcoin or Ethereum is used as the backbone of an identity system, the security benefits of decentralization do not transfer insofar as custody of keys remains centralized without mitigating security design factors.
Except for the case where the biometric template is stored locally on the user’s device, the biometric and personal identifying information is not under the possession of the data subject, but rather that of the organizations that collect, store and administer the data for a particular identity system. Privacy laws and data protection regulations cannot always change our biometric data.
Also, biological information is effectively public information as well since we are leaving biological information everywhere as fingerprints, DNA, recordings of our gait, photographs of our faces or irises from which advanced computer algorithms can extract a biometric template. Even fingerprints are easily stolen, copied, or lifted, while facial recognition can be easily spoofed through photographs or videos.
SSI and central management systems
One idea of the self-sovereign identity model is those identity providers should not have the possibility to prevent individuals from exercising basic human rights, such as the right to be oneself, the right to freedom of expression and the right to privacy.
An important precondition for self-sovereign identity is that digital identities are not locked into any given platform, nor controlled by a given operator, but rather remain portable and interoperable across multiple platforms so that individuals are free to choose the identity operator that they trust the most and to move from one operator to another if so desired.
There are also criteria and principles when it comes to self-sovereign identity solutions:
1. Existence: individuals must have an independent existence, independently of the digital identifiers that merely serve as a reference to them.
2. Control: individuals must control their identities, they should always be able to refer to them, update them, or even hide them — even if others can make claims about these identities.
3. Access: individuals must have access to all the data related to their identities, and should be able to retrieve their claims whenever needed.
4. Transparency: systems and algorithms used to administer and operate digital identities must be open and transparent, with regard to both their operations and maintenance.
5. Persistence: identities must be long-lived, preferably they should last forever, or at least for as long as the user wishes to maintain them.
6. Portability: information and services about identity must be transportable, and not be held by a single third-party entity, even if it’s a trusted entity.
7. Interoperability: identities should be as widely usable as possible, as opposed to being framed only to work in siloed environments.
8. Consent: individuals must agree to the use of their identities, sharing user data must only occur with the consent of the data subject.
9. Minimization: disclosure of claims must be limited to the minimum necessary to accomplish the task at hand
10. Protection: the rights of users must be protected at any cost, even if doing so would go counter to the interests of the identity providers.
As people become more and more mobile, a working identity system that can operate on a global scale will become a precondition for ensuring equal opportunities in the global economy. The current approaches of centralized governmental-based identity systems relying on biometrics have serious limitations with regard to both security and privacy. Therefore, a decentralized and self-sovereign identity system using verifiable credentials and access controls is not only more flexible and efficient but can contribute to securing fundamental human rights, especially in countries with unstable governments and fragile institutions.
A true self-sovereign identity system would require a certain level of infrastructure, primarily high penetration of affordable smartphones that can securely store private keys and reliable connectivity. Therefore, it is not possible to assume wide availability of the technical infrastructure and sophistication for self-management of private keys. Another problem with localized key storage is the larger issue of key recovery, since, in a self-managed environment, losing one’s phone necessarily entails losing one’s private key.
The use of blockchain ledgers for peer-to-peer money transfer has numerous implications in development economics, further highlighting the need for self-sovereign identity solutions. One interesting application of blockchain technology is the digitization of local or complementary currencies as a natively digital cryptocurrency. Community currencies are usually softly pegged to the national currency, and therefore primarily function as a medium of exchange, rather than a store of value or unit of account.
The development of cryptocurrencies as a new type of open-source mobile money, particularly stablecoins, will enable users to benefit from an increased range of economic opportunities brought about by the new financial services built on top of these systems. Verifiable credentials issued by trusted actors can function as identity claims.
Self-sovereign identity is a relatively new area of research, which is only now starting to materialize into real-world applications of new digital identity management systems. This is particularly valuable for applications that have the ability to scale and greatly improve the financial and social inclusion of vulnerable populations.
Also, it is important to keep in mind that while there are emerging best practice standards and primitives for self-sovereign identity there is no generic identity protocol that solves all use cases. Interoperability and standardization will be important for scale, but the success of a particular identity application will depend on how its deployment is tailored to the use cases and local conditions. A successful identity management system will therefore need to be sufficiently flexible to adapt to the inherently malleable nature of human identity.
Thanks for reading. Please support and reward my writing via:
Pay Pal — firstname.lastname@example.org
Seeds — vladlausevic
Steemit — @lauvlad89
Skycoin — ZxjhWMJRbTNCRQzy5MekZzH4fhdWFCqBP8
Swish — 0762345677
Tezos — tz1QrRzkTAKuPKF8dmGW6c1ScEHBUGvoiJBM