Designing digital identity to meet high levels of trust, while ensuring credentials are interoperable, portable, accessible and protect the holder’s personal data, is no easy task. Customers are becoming more and more aware of their online identities; they want security, data privacy and control.
On many occasions, when verifying your identity online you are really verifying your eligibility for a certain product or service. Yet users often have to share more information than is necessary for the specific transaction. Worse still, they have to do this time and time again, with multiple different service providers.
Often these providers centralise control of a user’s personal data, making it very difficult to update or correct. Many online companies’ practices also leave much to be desired in the way of transparency and data protection.
From around 2015 onwards, the term ‘self-sovereign identity’ began to be used in response to these concerns. One of the earliest and most influential articles to lay out the principles of this model was ‘The Path to Self-Sovereign Identity’ by Christopher Allen, in which he states, “Rather than just advocating that users be at the centre of the identity process, self-sovereign identity requires that users be the rulers of their own identity.”
In recent years self-sovereign identity (SSI) has gained real traction, with new solutions emerging onto the market constantly. If properly designed and implemented, SSI places control back in the hands of consumers, who become the guardians of their own verified credentials, collected from certified issuers.
Dia Banerji, Country Ambassador at Women in Identity, is an advocate for self-sovereign identity to give individuals ownership and control of their online identities. She explains, “My passport or driving licence is stored in a drawer in my house, it’s in my possession. I decide to give it to a bank when I want to open a bank account, it’s in my control. When I pass away information and it’s secured and stored in a central repository of one particular organisation, I am no longer the custodian.”
And Dia believes that it won’t be long before SSI comes to fruition. “It is not just a concept; it has been proven and we know it is possible. Once we get to the stage of mature blockchains and interoperable identity solutions we will see it as a reality.”
The self-sovereign identity industry today is a growing ecosystem of companies aligned to various standards. The Decentralized Identity Foundation is working with notable players including Microsoft and Consensys; Digital Bazaar is closely aligned to the W3C specifications; and the Linux Foundation is working on Hyperledger Indy, with Evernym and Accenture, among others.
We are starting to see a number of real-world case studies emerging across financial services, government, healthcare and other sectors. Significantly, the European Union just delivered a major revision to its eIDAS regulation, which now includes several aspects of self-sovereign identity.
Until now, EU member states have issued their own digital IDs, which are not all compatible. The pandemic has drastically increased our reliance on online channels, and the EU bloc-wide ID is promoted as a way for citizens to access public services more easily. Under the new regulation, citizens and businesses will be offered digital wallets, linking their national identities with proof of attributes such as driving licences, diplomas, bank accounts and medical data. Users will be able to prove their identities and share electronic documents from their wallet using a mobile phone.
The idea is for Europeans to be able to access services while retaining full control over the data they share. They won’t be forced to use private identification methods or share unnecessary amounts of personal information.
This is definitely not a minor amendment but represents a substantial change in direction. The proposals, which appear to align very closely to SSI principles, have understandably led to much excitement among this community.
The significance has also been recognised at a government level. Margus Arm, Deputy Director General of the Estonian Information Systems Authority, has been following the development closely. He said, “We are looking very carefully at this initiative which is coming from a basis of self-sovereign identity. Citizens will collect the evidence to their wallets, and they will decide the kind of data they will share, and to whom.”
Margus can see a justification for the need to give individuals more sovereignty over their identities. “In some cases, I just need to verify my age, but don’t need to show exactly who I am. Perhaps we share a little too much information to third parties; with this SSI solution there is the possibility to only share simply whether you are a certain age or not.”
However, there are some notable ways in which the proposal doesn’t go as far as many SSI advocates would like. Users will not have complete freedom over which wallet to use, for example. Wallets may be provided by public authorities or private entities, but only wallets recognised by member states will be permitted for use. Also, users will not have complete freedom over where they can use their wallets. Parties wishing to rely on information provided by the wallets will be regulated to ensure citizens do not share their information with untrustworthy parties.
Some critics are already expressing doubt as to whether the new regulations will be able to deliver on the progress promised. It has taken a long time, considerably longer than first predicted, to make progress on eIDAS. The promise that technical standards will be complete within 6 months of the regulation’s adoption, and that member states must have their wallets ready another 6 months later, seems overambitious.
Others have pointed out that the concept is monolithic to fit in with the EU standards process which enables country-specific changes in line with local needs. There is also the fear of creating a centralized goldmine of data for any criminal actor able to breach the system.
Technology continues to move fast and if citizens are to be protected online, then digital identity has to keep pace. Standardisation may have been slow at a government level, but institutions have recognised the need for innovation to secure data sovereignty and reduce dependency on multinational corporations with irresponsible practices. While the EU wallet may not align entirely with every principle of self-sovereign identity, it is certainly a massive leap in that direction.