Self-sovereign identity – is it feasible?

Self-sovereignty with respect to digital identity, and the desire for individuals to have genuine control over their data, is a very interesting subject. In my eyes, this is a monumental challenge, one that I fear isn’t even realistic at the moment, though that shouldn’t stop anyone from trying. Part of me sees it as idealistic; something that would be great to have, but might never be achievable due to laws and regulations requiring certain ways of working in order to protect those involved. I also find that, depending on who I speak to, there are different beliefs and guiding principles surrounding self-sovereignty, some stricter than others, and I find it will likely be the case that we will never be able to please all of the people, all of the time.

The reason I write about this topic is that I am focused on digital identity for society as it is now, based on those digital identities that have been successful. I define success based on longevity, population penetration, and value to the end-users (and of course, level of security). Looking at successful digital identity solutions around the world, I see that they all rely on a trust anchor, most often, a Certificate Authority, and they also put trust in processes and procedures that must be carried out by the service provider. Laws and regulations are built around them in order to ensure individuals, as well as organisations, are protected from fraud, as well as enabling additional value; legally accepted digital signatures being one example. So, when it comes to self-sovereignty, I sometimes find it hard to imagine.

I’ve spoken about the difficulty of getting digital identity right before, and explained how we must strike a balance between anonymity, security, convenience, value, and trust. We will never be able to get 100% or 0%, as necessary, in each, or, as I said above, please all of the people all of the time. When it comes to self-sovereignty, there’s often a need for 100% anonymity while being able to work with 0% trust. This is hard to achieve and we can’t forget, we also need to get as close to 100% security as possible when it comes to data storage and transmission. Of course, to gain popularity and compatible services, we’ll also need convenience and value.

If we start with data, I first think about what kind of data and where it is stored. When we talk about identity data, this can be very minimal, like name, date of birth, and a unique identifier. But with self-sovereign identity, we need to be in control of a lot more; things like medical data, address, family, education, property and vehicle ownership and insurance, and more. Now we’re looking at some very sensitive data, and so how, and where, we store it becomes very important.

There are many options when it comes to storing data, but I’ve yet to feel like any provide the balance I mention above, or truly fulfil the principles, as I understand them, behind self-sovereignty. Right out of the gate, I do not accept that a mobile phone is sufficiently secure to store this kind of data. Yes, some newer, top-end models are evolving into the kinds of devices that are genuinely designed to protect secrets, but if there is any desire to achieve inclusivity, we must also consider those that can only afford the most basic smartphones, which are far from sufficient. Hardware tokens might be an option, but we start to move away from convenience.

If not on our phones or hardware tokens, then the data must be stored remotely, and in this very notion, we start to drift from self-sovereignty. One option that’s often touted is to use blockchain. When I hear “blockchain”, I think about data being secure from change or deletion. And when it comes to personal data, this way of working can actually be counter to regulations; GDPR coming to mind. This also creates a risk that if an account is ever taken over through a scam or hack, all information, and likely, transactional details, are available - not just some, but everything going back to day one. A huge amount of trust must be placed in this system and the security and technology are heavily relied on. The question could also be asked, “is the user truly in control?” If, for any reason, the blockchain provider shuts up shop, what happens to that user’s identity information? Gone? Owned by another organisation? Up for sale? We can look to hashing and encryption, which are likely remedies to these concerns, but where the keys are stored and the process of decryption raise further issues, though of course not unsolvable ones.

When it comes to anonymity, it can be difficult to function in society without a heavy reliance on trust. These days, when purchasing most services and products online, there are review systems in place, giving people a way of knowing whether the provider is reliable or not. But from the side of the service provider, they must also be able to trust the customer, especially when it comes to high-assurance transactions like loans, mortgages, large purchases, etc. There must be a path of recourse in the event fraud is committed, and this is just one example of where a digital identity regulation, here in Estonia, comes in; transaction data (i.e. parties involved, date, and time) must be stored by the digital identity service provider in order to be used in court if either side contests a transaction. This may be where blockchain technology would help.

There are several people and organisations working on this, with many different ways to achieve self-sovereignty; a couple worth looking into are Evernym and a man called John Phillips. I certainly don’t just want to bring problems without solutions. I want to have these conversations. I want to discuss the technology, as well as the procedures that may solve the key issues. I want to continue to hear from those that are working in this space, as there’s nothing to say we won’t get there in the future. We may even have the technology already; it’s just not being combined in the right way.

There’s a lot more to this topic, like enabling technologies and platforms to consider, or specific problems self-sovereignty can solve in both developed and developing world societies. I hope you’ll get in touch so we can continue the conversation.

Written by Maximiliaan van de Poll