Self-Sovereign Identity: Regaining Control of Our Personal Information
These days we are asked to share bits of our personal information in order to do business with companies, communicate with government agencies and access applications. As a result, details identifying us are scattered across the organizations we interact with. When this data is collected and combined, a profile can be created that may be used against us, for example to commit fraud or to manipulate us. What exacerbates the problem is the fact that we don’t have access to our personal data. We don’t have visibility into the ways it’s aggregated, we don’t know when it’s exchanged or even how it’s used. This leaves us vulnerable.
Not everyone is concerned about this vulnerability. In fact, the level of concern swings between both ends of the spectrum. While some people are very concerned about privacy and take steps to protect their data, others are willing to trade it for convenience or for free stuff. There is also another category of people who have given up on the concept of data privacy entirely. This group assumes that it’s too late to protect their data because it’s now public data. Considering the increasing number of data breaches, particularly wide-ranging breaches, their point of view is understandable. The way things are today, it’s easy to assume that the cat’s out of the bag; but if that’s true, can we rein it back in? As someone who has spent years teaching people about cybersecurity, I would say a resounding YES! Here’s the interesting thing about our personal data: it’s fluid because we are ever changing and it represents us. Of course, there is some identifying information that won’t change, such as our date of birth. However, much of the information used to identify us can and often does change. So, the sooner we get started on protecting it, the better.
The question is how do we do this? Is there a solution that would allow us to take proactive security measures and maintain our privacy while transacting with whomever we wish? The concept of a self-sovereign identity may be the answer. A self-sovereign identity is analogous to the way we handle our most personal documents today. We don’t give our passports, birth certificates, marriage certificates etc… to 3rd party companies for safekeeping and we certainly don’t upload such documents to the Internet (at least I hope no one does). Instead, we place them in secure offline locations where no one else can access them and we share them only when necessary. A self-sovereign identity would allow us to emulate what we do with our sensitive documents today; the key difference is that it would be done digitally.
A number of companies are working on making this concept a reality. While the initiatives that are underway vary in their approach and in their stage of development, what they have in common is the use of a blockchain as the underlying technology. In future posts I will dive into the details of some of these initiatives. However, in this post I’ll describe, at a high level, how it could work from an individual user’s perspective. Please note, the outline below is hypothetical.
You (the user) will:
1. Start with an empty identity wallet (a software program that could be stored on a computer, mobile or dedicated hardware device)
2. Create a unique code that will be used to identify you (this would be done in your wallet). The code will use cryptographic keys:
   • A public key which will serve as your ID number (think of this as your username)
   • A private key which will serve as your digital signature (think of this as your password)
3. Gather information that will be used to identify you
   • Your public key (the ID number you created in your wallet)
   • A claim or statement about your identity (e.g. my date of birth is …)
   • A document that serves as proof of your claim (e.g. birth certificate)
4. Present your information to a trusted 3rd party institution (e.g. passport agency)
   • Your claim and identity document will be reviewed by the 3rd party
   • Your identity document will be stored by the 3rd party for record keeping
5. Receive a digital signature from the 3rd party institution
   • Upon approval, a timestamped digital signature confirming the authenticity of your claim will be created (an attestation)
   • The digital signature will be tied to your public key and sent to your wallet
   • Your claim is now officially certified by a trusted authority
6. Start using your ID
Since you have been pre-verified, you can start making transactions with a minimum amount of identifying information. For example, let’s say you want to rent a car. Before you rent it, you need to show proof that you are of legal age to drive and that you have a valid driver’s license. In this case you would offer only two digital IDs, one that attests that you are 18 or over and another that confirms that you have a valid license. No other identifying information or documentation would be needed. Additionally, the rental car company isn’t burdened with having to store excess data because you didn’t overshare personal information. While the rental car company could profit from owning more of your sensitive data, it also benefits from not owning it because it doesn’t have to pay for storing and securing data that it could later be held accountable for if that data were stolen.
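The steps above and the car rental exchange, sketched as an added example (not code from the original post or from any of the projects it mentions). All function and claim names are hypothetical, Ed25519 signatures from Node's built-in crypto module are an assumed choice of algorithm, and the sketch leaves out the blockchain layer and any expiry or revocation checks.

```javascript
// Added illustration: hypothetical names, Ed25519 assumed as the signature scheme.
const crypto = require('node:crypto');

const toKey = (id) => crypto.createPublicKey({ key: Buffer.from(id, 'base64'), format: 'der', type: 'spki' });
const sign = (text, privateKey) => crypto.sign(null, Buffer.from(text), privateKey).toString('base64');
const check = (text, sig, id) => crypto.verify(null, Buffer.from(text), toKey(id), Buffer.from(sig, 'base64'));

// Step 2: a wallet (or an issuing institution) generates a key pair.
// The encoded public key is the ID; the private key never leaves the wallet.
function createWallet() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { id: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'), privateKey };
}

// Step 5: after reviewing the documents, the issuer signs a timestamped
// statement that ties the claim to the holder's public key (the attestation).
function issueAttestation(issuer, holderId, claim) {
  const body = JSON.stringify({ issuer: issuer.id, subject: holderId, claim, issuedAt: new Date().toISOString() });
  return { body, signature: sign(body, issuer.privateKey) };
}

// Step 6, holder side: disclose only the chosen attestations and sign the
// verifier's one-time nonce to prove control of the matching private key.
function present(wallet, attestations, nonce) {
  return { attestations, proof: sign(nonce, wallet.privateKey) };
}

// Step 6, verifier side: returns the proven claims, or null if any check fails.
function verifyPresentation(presentation, nonce, trustedIssuerIds) {
  try {
    let subject = null;
    const claims = [];
    for (const { body, signature } of presentation.attestations) {
      const a = JSON.parse(body);
      if (!trustedIssuerIds.includes(a.issuer)) return null;      // unknown authority
      if (!check(body, signature, a.issuer)) return null;         // altered or forged
      if (subject !== null && a.subject !== subject) return null; // mixed holders
      subject = a.subject;
      claims.push(a.claim);
    }
    if (subject === null || !check(nonce, presentation.proof, subject)) return null;
    return claims;
  } catch (_) {
    return null; // malformed input counts as a failed verification
  }
}
```

The verifier ends up holding two claims and a public key, nothing else; a copied attestation is useless to anyone who cannot sign the fresh nonce with the holder's private key.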
An identity wallet containing multiple digital IDs could look like this:
In this use case a trusted 3rd party institution collects your personal documents in order to verify your identity. The documents it collects would presumably be limited to the official records required to qualify for a certain type of certificate. Going further, if you give your documents to multiple trusted institutions, each would collect records required for issuing a certificate or certificates for which they are deemed to be an authority. However, none would have access to all of your personal documents. In fact, you would be the only central authority of your data. You would decide who to share your personal information with and how much of it to share. You could even set conditions around how your data should be used and then track it. Also, the digital IDs that are created would be yours and yours alone. No one would be able to take them from you and no one would be able to change them.
This is a significant shift from the way identities are managed today. Today, our data is controlled by others and scattered across countless centralized systems that are inherently vulnerable to hacking. In this new model, users control their own data and build a web of trust with the help of certificate issuing institutions. The verification process conducted by these institutions makes it possible for all other organizations that users interact with to accept and store less identifying data which in turn reduces their likelihood of selling, sharing or inadvertently exposing such data to cybercriminals. Less personal information in circulation means fewer data breaches and more privacy for users – this is what a self-sovereign identity brings to the table.
In theory, a self-sovereign identity could work this way if we, the users, are willing to take responsibility for managing and securing our identities and if governments and corporations are willing to lose control of our data. Even if all the stars are aligned and all relevant stakeholders come to an agreement, it would still take some time for such a solution to be effectively implemented and widely adopted. If/when this happens, the impact of a self-sovereign identity on our daily lives will be significant. For the time being, I’ll keep an eye on the projects that are paving the way towards this path.