There has been a lot of coverage in the media of late regarding digital identity, be it “Microsoft’s Dream of Decentralized IDs Enters the Real World” (WIRED) or “Covid-19: Mastercard sets sights on digital health pass” (finextra.com), and there have even been articles about large sums of money being invested in specific aspects of ID, for example “Digital ID firm Socure raises $100m” (finextra.com). So while all this is very positive to see, in terms of digital identity receiving more focus, it is increasingly worrying at the same time.
I say it is a worry because all these solutions mentioned, along with many other identity solutions, compromise our individual rights to privacy. There are so many aspects where our privacy is forgotten, not to mention provider disregard (or simply an oversight) for compliance with certain privacy regulations, like that of GDPR in Europe.
So, while it’s a positive that we are talking about digital identity, we need to make sure we focus on solutions that meet the right set of principles, that protect our privacy and ensure our data cannot be abused. Any form of centralised identity provision, and likewise federated solutions and single providers of underlying infrastructure, compromises our security and privacy. They do this by either pooling data together or being the “controller” of our data. Of equal concern is the threat of third parties being able to correlate our data. Even movements like the UK government’s desire to bring trust to digital identity struggle with some of these principles. Why, you may ask? Well, the answer is simple: it’s just a foreign way for our minds to think, largely because we have for years been focussed on the benefits and ease of single centralised infrastructure / solutions.
In order to “test” whether a solution can be secure and can ensure our privacy while providing us with the right levels of control, ownership and flexibility – it’s best to go back to some core principles. As luck would have it, here are 12 principles that form the foundation of a secure, privacy-centric digital identity infrastructure: the 12 principles of Self-Sovereign Identity (SSI).
1. Representation
An SSI ecosystem shall provide the means for any entity—human, legal, natural, physical or digital—to be represented by any number of digital identities.
2. Interoperability
An SSI ecosystem shall enable digital identity data for an entity to be represented, exchanged, secured, protected, and verified interoperably using open, public, and royalty-free standards.
3. Decentralization
An SSI ecosystem shall not require reliance on a centralized system to represent, control, or verify an entity’s digital identity data.
4. Control & Agency
An SSI ecosystem shall empower entities who have natural, human, or legal rights in relation to their identity (“Identity Rights Holders”) to control usage of their digital identity data and exert this control by employing and/or delegating to agents and guardians of their choice, including individuals, organizations, devices, and software.
5. Participation
An SSI ecosystem shall not require an identity rights holder to participate.
6. Equity and Inclusion
An SSI ecosystem shall not exclude or discriminate against identity rights holders within its governance scope.
7. Usability, Accessibility, and Consistency
An SSI ecosystem shall maximize usability and accessibility of agents and other SSI components for identity rights holders, including consistency of user experience.
8. Portability
An SSI ecosystem shall not restrict the ability of identity rights holders to move or transfer a copy of their digital identity data to the agents or systems of their choice.
9. Security
An SSI ecosystem shall empower identity rights holders to secure their digital identity data at rest and in motion, to control their own identifiers and encryption keys, and to employ end-to-end encryption for all interactions.
10. Verifiability and Authenticity
An SSI ecosystem shall empower identity rights holders to provide verifiable proof of the authenticity of their digital identity data.
11. Privacy and Minimal Disclosure
An SSI ecosystem shall empower identity rights holders to protect the privacy of their digital identity data and to share the minimum digital identity data required for any particular interaction.
12. Transparency
An SSI ecosystem shall empower identity rights holders and all other stakeholders to easily access and verify information necessary to understand the incentives, rules, policies, and algorithms under which agents and other components of SSI ecosystems operate.
Zero knowledge proofs
One of the key concepts of SSI and a secure digital infrastructure is the ability to confirm something, say an attribute about myself, without disclosing any underlying personal data. The easiest example is that of confirming my age. For example, to purchase alcohol I have to be over the age of 21, but that doesn’t mean I need a digital identity solution to share my date of birth. No, what I should be able to do is disclose in a trusted fashion that I am indeed over 21. This is called a zero knowledge proof or ZKP.
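To make the over-21 case concrete, here is an added example (not code from this post or from any SSI product) of a hash-chain threshold proof, a much simpler technique than a full zero knowledge proof that still lets a verifier confirm "age is at least 21" without seeing the age or date of birth. The function names, the demo key and the use of HMAC in place of an issuer signature are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed demo key. HMAC stands in for the issuer's signature so the
# example needs only the standard library; a real issuer would sign with a
# private key and verifiers would hold only the public key.
ISSUER_KEY = b"constructed-demo-issuer-key"

def chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 to value `steps` times."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value

def issue(age: int):
    """Issuer: after checking the date of birth, return (seed, credential).
    The credential carries only the chain tip H^age(seed), never the age."""
    seed = os.urandom(32)
    tip = chain(seed, age)
    tag = hmac.new(ISSUER_KEY, tip, hashlib.sha256).digest()
    return seed, {"tip": tip, "tag": tag}

def prove(seed: bytes, age: int, threshold: int) -> bytes:
    """Holder: derive a proof of age >= threshold from the secret seed."""
    if age < threshold:
        raise ValueError("cannot prove a threshold above the real age")
    return chain(seed, age - threshold)

def verify(credential: dict, proof: bytes, threshold: int) -> bool:
    """Verifier: check the issuer tag, then hash the proof `threshold`
    times. Reaching the tip shows age >= threshold and nothing more exact."""
    expected = hmac.new(ISSUER_KEY, credential["tip"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, credential["tag"]):
        return False
    return hmac.compare_digest(chain(proof, threshold), credential["tip"])

if __name__ == "__main__":
    seed, cred = issue(age=30)
    print(verify(cred, prove(seed, 30, 21), 21))  # over-21 check passes
```

The chain tip is a fixed value, so two verifiers who see the same credential can link it to one holder, and a captured proof can be replayed; full ZKP-based credential schemes are designed to remove both limitations.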
Many identity solutions fail to provide this functionality, rather they simply share personal data. This is of concern, and actually does raise serious questions regarding a business’s implementation of GDPR. Under this legislation, I as a business must have a legitimate business need to request data or store it. However, it is clear, with ZKPs you do NOT need to ask for, nor store an individual’s date of birth for many use cases, so are you breaching GDPR if ZKPs are available to you? I would argue that you are…
What’s odd is that, in the rush to try and “own identity infrastructure”, organisations are putting forward solutions that compromise privacy and technically breach legislation like GDPR. Take Microsoft’s own dream of decentralised digital identity. It is lacking some pretty basic fundamentals. The first is that you as an individual have your unique identifier written to a public blockchain. That means an element of personally identifiable information is now on a blockchain which is publicly accessible. Wow, that’s not a good start. Secondly, they don’t support ZKPs; rather, they see everything relaying back to the issuer of identity. Again, wow, that means not only do I have personal information in the public domain, I now have a correlation issue.
We have seen all over the world, for hundreds of years, the risks associated with identity – and what can come when bad actors can abuse that data. Digital identity needs to be there to protect us from these risks, to de-risk systems while at the same time opening up identity for greater levels of inclusion. This is only possible if privacy and security are at the heart of the solution, coupled with the rights of the identity owner to own and control their data.
So while digital identity gaining headlines and traction is great, beware that ultimately we must ensure the right principles are in place – if not, the consequences will either be catastrophic for individuals, or individuals will simply choose not to engage…