Self-Sovereign Identity as the New Paradigm

Michael V Khalsa, Visionary and Technical Lead

Oct 2018 | Identity, Privacy, Platform, Security


Some believe that the ability to easily share verifiable information about ourselves with full privacy compliance is the killer application for blockchain technology.

The approach making this possible is called self-sovereign identity, which this blog explains in relatively simple terms.

Many transactions in today’s world are moving online, from shopping to paying our bills, from social interactions to researching where we might move to, jobs, business, housing, reading, education, news, music, and much more.

It is nothing short of a revolution, opening new opportunities and channels of communication - while becoming an integral part of our lives. Yet, the pivot to all of this is our individual identity, and more precisely how it flows within this matrix and the control we maintain on it, or not.

Setting

Corporations tussle for mind-share, even gambling billions of dollars on platforms which initially lose money in the hope that they have captured our attention; and they track this through our identity, including the habits which form around it. Amazon, Uber, and others initially lost billions of dollars per year to keep our interest while they brought their kingdoms to profitability on the strength of mind-share.

There are paradigm shifts in the works that completely rewrite the rules of the game, and their core revolves around our digital identity.

These new rules, so far enacted in the European Union and in California, ensure that control of our personal information reverts to us; that we get to say who can use our name, address, and personal information gathered about us, including our health records and spending habits. The new GDPR regulations even give us the right to demand that, with the exception of common-sense use cases such as statistical studies and law enforcement, entities storing our personal information forget all about us if we ask them to do so.

Another paradigm shift is decentralized blockchain ledger technology, which brings immutability and transparency.

Immutability means that all the details of an interaction are stored forever, without the ability for anyone to change or remove them. The level of trust that this technology can enforce in trustless scenarios, such as a trade relationship between two strangers who do not know each other, can completely disrupt the way business is currently done. It does this by removing the middleman, and could even eat into or overturn recent phenomena such as Netflix, Uber, and Amazon.

Free market forces will drive this, as new possibilities mature into improved efficiency and become a trusted means of exchange and community engagement. Coming back to the pivot of identity, notice the clash between ‘immutability’, and the new laws requiring ‘the right to be forgotten’ with serious financial fines if not implemented. Even without these laws, market forces themselves may drive this reality as ultimately the consumer has choice when there is an alternative.

There are ways to bring together these two seeming opposites, by truly returning ‘ownership’ of our identities to our control. Before we get into that, let's look at what we mean by ‘identity’ within a digital context.

An identity consists of some kind of unique identifier, which no other identity possesses, along with a set of attributes associated with the identity. So, for example:

  • A Unique ID
  • Your Name
  • Your Birthdate

and so forth, such as your family, likes, jobs, and what you had for lunch yesterday.

A unique ID, at its heart, in the digital world is a bunch of 1’s and 0’s that is unique within a particular domain. This could be your email address, or it could be a seemingly random number like ‘did:earth:423dab4dfe3b5’, as long as there is some way to guarantee that no one else is using the same identifier to represent themselves.

Today, most of us have many digital identifiers and their corresponding passwords, each maintained by the organization whose business we are participating in. Often our email address is used as an identifier for an account, secured by a password. The attributes we reveal in using these services, for example where we used a credit card to buy lunch, online comments, viewing habits, etc., are sifted through and gathered into a profile.

Behind the scenes, many of these organizations correlate what they know with what other organizations know in order to make a more complete profile of our habits, likes, and dislikes. These are then exploited for targeted marketing, or sometimes for nefarious purposes. The databases our personal details live in, being connected to the internet themselves, are sometimes compromised and used for identity theft, resulting in real theft or discrediting us.

A new paradigm called self-sovereign identity brings the sharing of our personal attributes in the digital world back under our control.

To accomplish this and truly make us the hub of our personal information, a fundamentally different approach is used: we form a different relationship with each entity we interact with that requires an identity exchange. Each of these relationships is defined by a set of unique identifiers created on each side specifically and only for that relationship. We then set policies for what information we share within each relationship, and the terms.

To truly come back into our control and ensure privacy, the following characteristics need to occur:

  1. We choose which attributes are associated with our identity, such as our name, birthdate, driver's license, etc.
  2. A separate identity relationship is established for each entity we interact with. This is important to prevent correlation, and to fine tune what we are comfortable sharing within each relationship. This also allows us to forget a particular relationship without affecting our other relationships.
  3. Each relationship has its own set of pairwise identifiers. We create the identifier for our side of the pair ourselves, and then register it. If someone else created it, then there is no assurance that they have not looked at the private key associated with the identity. When registered, the mechanism doing so needs to be fully transparent to assure that it is unique.
  4. Storage of all the associated attributes of our identity is under our control. For example, this could be stored on our phone, or an online service which remains encrypted, and can be easily moved at our will. It is imperative that our personal information is not stored on a public ledger, even if encrypted (because of immutability). A public ledger only serves as a look up mechanism to store the public keys and end-points associated with each of our identifiers, as well as revocations of claims, and public information such as schemas for claims (their definitions).
  5. We give permission to authoritative agencies of our choosing which can vouch for a set of attributes collectively known as a claim, such as our birth certificate, driver's license, schools attended, etc., on a claim-by-claim basis. Either the party that issued the claim, or the holder of the claim can revoke it at any time.
  6. Anyone can issue claims, upon request by an identity holder and their acceptance of the claim. Claim issuers themselves can be attested as trustworthy by others, and through this process a web of trust is built.
  7. If someone wants to know something about us, then we decide what and how much detail they can view, and for how long they can store this information if at all.
  8. When we do share information, it cannot be correlated with information we share with other parties, or even the same party at a different time, to create a secret profile.
  9. We reserve the right to revoke the storage or use of any information we have already granted to a particular party. Exceptions are for law enforcement and pseudo-anonymous transformation of information for statistical purposes, where the statistics cannot reveal our personal information.
  10. We can do all this without needing to be an expert, or having to remember a password which can be stolen through clever means such as a keystroke logger.
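
The pairwise-identifier model in items 2 to 4 and 7 above, as an added Node.js example that is not from the original post: the `Ledger` and `Wallet` classes, the `verify` function, the `did:example:` prefix and the in-memory map standing in for a public ledger are all assumptions made for illustration.

```javascript
// Added example: one identifier and key pair per relationship, with a constructed in-memory "ledger".
const nodeCrypto = require('node:crypto');

// Stand-in for the public ledger: identifier -> public key + endpoint only.
class Ledger {
  constructor() { this.records = new Map(); }
  register(did, record) {
    const extra = Object.keys(record).filter(k => !['publicKey', 'endpoint'].includes(k));
    if (extra.length) throw new Error(`personal data must stay off-ledger: ${extra}`);
    if (this.records.has(did)) throw new Error('identifier already registered');
    this.records.set(did, { ...record });
  }
  resolve(did) { return this.records.get(did); }
}

// Holder-side wallet: one key pair and one disclosure policy per relationship.
class Wallet {
  constructor(attributes) { this.attributes = attributes; this.relationships = new Map(); }
  connect(ledger, party, endpoint, allowed) {
    // The holder generates the key pair locally, so nobody else ever sees the private key.
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    const der = publicKey.export({ type: 'spki', format: 'der' });
    const did = 'did:example:' + nodeCrypto.createHash('sha256').update(der).digest('hex').slice(0, 32);
    ledger.register(did, { publicKey: der.toString('base64'), endpoint });
    this.relationships.set(party, { did, privateKey, allowed });
    return did;
  }
  // Disclose only the attributes this relationship's policy allows, signed with its own key.
  present(party, nonce) {
    const rel = this.relationships.get(party);
    if (!rel) throw new Error('no relationship with ' + party);
    const claims = Object.fromEntries(rel.allowed.map(k => [k, this.attributes[k]]));
    const payload = JSON.stringify({ did: rel.did, nonce, claims });
    return { payload, signature: nodeCrypto.sign(null, Buffer.from(payload), rel.privateKey) };
  }
  forget(party) { return this.relationships.delete(party); } // other relationships untouched
}

// Verifier side: check the challenge nonce, resolve the identifier, verify the signature.
function verify(ledger, { payload, signature }, expectedNonce) {
  const { did, nonce } = JSON.parse(payload);
  const record = ledger.resolve(did);
  if (!record || nonce !== expectedNonce) return false;
  const der = Buffer.from(record.publicKey, 'base64');
  const key = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  return nodeCrypto.verify(null, Buffer.from(payload), key, signature);
}
```

Because each relationship has its own key and identifier, two parties comparing records find no shared value to correlate on, and `forget` discards one relationship's private key while the ledger keeps only the now-unused public key and endpoint.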

All of the above can be accomplished today with the recent advances in technology, and thus solutions are being formed to help fuel this paradigm shift. Making sure it is cost effective, scalable for mass adoption, and universal are all within reach in the coming years. Standardized schemas and protocols are being developed for how decentralized identifiers operate, and how data is formatted and shared, which in turn allows a blockchain-agnostic approach.

The technology is layered, which means that different vendors can swap out implementations of a particular layer, or as new technology gives advantages. Through universal standards and discovery, if two people form a pairwise identity relationship, and are each using a different platform, they can still create a secure, mutually verifiable, encrypted channel of communication and identity exchange. While specific platforms for self-sovereign identity will each have value adds and different cost benefits, common needs such as logging on to a web site, participating in a chat, or making an online purchase will operate across the different identity platforms powering each side. It will be similar to choosing which browser to use with its universe of add-ons to browse the web. Platforms that create silos by not adhering to these principles will be left behind, just like no one will use a browser that can only display 5% of the websites out there.

If the individual truly has control of their identity data, then they are free to pick up all of their digital relationships, claims, etc., and move between implementations of their choosing. From that point onwards, economics and value-adds such as performance, regional value, and premium services, along with demonstrably altruistic intentions, determine the dominant solutions.
