Digital Identity
January 2, 2020
Identity's struggle to transition from the real world to the digital world —
"The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet....you only know the address of the machine that you are connecting to. That tells you nothing about the person, organization, or thing controlling that machine and communicating with you."
— Kim Cameron, Microsoft's Chief Identity Architect
Identity is a construct that was lost in translation from the world of atoms to the world of bits. How we interact in the digital world is not how we interact in the physical world.
Identity comprises all the pieces of truth that pertain to you. In the real world, you carry the aggregate of these pieces of truth with you, often in your wallet (Driver's Licenses, University IDs, Passports, Memberships, etc.). No single piece represents your identity in its entirety, but each reveals some information about who you are. Many of those pieces originate from institutions (DMVs, Universities, Federal Agencies, Organizations, etc.) that ascribe them to you. Where society has chosen to recognize that piece of your identity, the reputation of the institution brings weight to that claim.
If identity worked online as it does in the real world, it would represent this same collage of digital bits of truth that in aggregate comprise it. But the identity paradigm broke down online because these digital bits of truth don't belong to the people to whom they pertain. They belong to the institutions that have proven themselves notoriously untrustworthy stewards of this data in their attempts to capitalize on it: to access the most basic digital services, people relinquish their personal information. The frequency and scale of institutional breaches have revealed the imbalance of data ownership; look no further than Cambridge Analytica, Yahoo!, Equifax, eBay, Marriott, and the slew of other massive data breaches.
The consequence is that ~91% of Americans feel they have no agency over how their information is stored, how secure it is, who has access to it, and who is profiting from it. It represents a growing and deep mistrust of centralized data ownership. The problem is that our current data paradigm is not a great deal for individuals, who should own the data that belongs to, pertains to, and originates from them.
Digital Identity in a Digital World
The current paradigm — where data is controlled (managed, verified, shared) by institutions on centralized databases — is broken. Looking at the philosophy of the resurgent data protection regulations (GDPR, CCPA, etc.) and the technical standards (W3C) taking root, every underlying principle they address has been violated by the current paradigm with regard to our identities online:
Control: institutions are ultimately the arbiters of individuals' data; individuals have very little control over how their data is used
Access: institutions can prevent access to individuals' records
Consent: institutions share individuals' information with third parties without the consent and permission of those individuals
Transparency: institutions often operate with a veil of opacity. It is rare that they make their stance on these other principles (control, access, consent, portability, interoperability, security) known. If they do, it is difficult to discern their adherence to their stance.
Portability: the inherent centralization of an individual's information makes portability — the ability of an individual to move their data elsewhere — difficult (both by design and by accident). Arguably, individuals do not exist online independently of the institutions controlling their data, which means that if an individual opts to leave that institution, they effectively lose their digital identity.
Interoperability: the lack of technical standards and the dearth of their adoption make it difficult for institutions to relay individuals' identity to each other, even if they wanted to.
Security: evidenced by the ubiquity of data breaches, centralized databases are easily hacked and the records they store are easily compromised or removed.
Deliberately, these principles (and their evidenced failures) serve as the foundation of a new Self-Sovereign Identity (SSI) paradigm which shifts ownership to individuals - individuals retain agency of their data, decide who uses their data, and limit how their data is used.
To transact, individuals no longer need to relinquish all personal information to an institution. In an SSI model, individuals provide only the necessary information to transact. There is no middle-institution aggregating and selling your information without consent. All of the information housed in physical wallets can be managed in digital wallets that are controlled by the individual to whom that information belongs.
Consider an analogy. Credit card companies made purchasing seamless. As a consumer, you don't have to negotiate individual purchasing contracts with every single vendor you'd like to buy something from because the underlying credit card infrastructure settles it all in the background if you carry an accepted credit card. Swipe your card, transaction clears, you pay the vendor. In the same way, SSI will make digital authentication seamless. You can show up, present your relevant information to a verifier and know that whatever is required will be authenticated, checked for validity, and approved such that you can proceed without having to explicitly establish a settlement layer in the background. Individuals' self-sovereign identities will become transactable digital assets and SSI networks will become digital proof clearinghouses.
How it Works
In the SSI model, your information is organized as 'verifiable credentials'. 'Credentials' refer to the bits of digital truth —
privileges you have (certifications, access, legal entitlements, etc.)
attributes about you (sex, age, eye color, etc.)
your relationships (familial, nationality, employer, etc.)
— that in aggregate comprise your digital identity.
'Verifiable' simply means that a verifier (an employer, an individual, an institution - anyone you have allowed access to your credentials) must be able to qualify the legitimacy of the credential; namely, by checking your credential, a verifier can:
prove the credential belongs to you,
confirm who issued you that credential,
guarantee the credential has not been tampered with, and
check that the credential has not expired or been revoked
In the physical world, this verification is accomplished by checking a watermark or hologram (some mark of authenticity embedded in the tangible credential) and checking the accuracy and validity of the claims on the credential (for example, on a Driver's License, checking date of birth, address, height, privileges, etc.).
A person can consensually offer up their verifiable credential to identify them to a third-party without relying on any identity verification provider. Furthermore, that person can provision the third-party access only to the relevant claims of a verifiable credential so that other information can remain confidential. After receiving access, the third-party is able to immediately verify the validity of that person's information.
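The selective disclosure described above, sketched as an added example that is not part of the original article. It uses a salted-hash scheme (one way to get this property, not the zero-knowledge proofs mentioned later); the function names and license claims are hypothetical and constructed for illustration.

```javascript
// Added example. Node.js built-in crypto only; the license claims are constructed.
const { generateKeyPairSync, sign, verify, createHash, randomBytes } = require("crypto");

// Each claim is hidden behind a salted hash; the random salt stops a verifier from
// guessing low-entropy values (an age flag, a postcode) by hashing candidates.
const digest = (d) =>
  createHash("sha256").update(JSON.stringify([d.salt, d.name, d.value])).digest("hex");

// Issuer: sign only the sorted digests, and give the salts and values to the holder.
function issueDisclosable(issuerKey, claims) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    ({ salt: randomBytes(16).toString("hex"), name, value }));
  const digests = disclosures.map(digest).sort();
  const signature = sign(null, Buffer.from(JSON.stringify(digests)), issuerKey);
  return { digests, signature: signature.toString("base64"), disclosures };
}

// Holder: pass on the signed digests plus only the disclosures chosen for this verifier.
function presentOnly(cred, names) {
  const disclosed = cred.disclosures.filter((d) => names.includes(d.name));
  return { digests: cred.digests, signature: cred.signature, disclosed };
}

// Verifier: returns the proven claims, or null if anything fails to check out.
function verifyDisclosed(p, issuerPub) {
  const signed = Buffer.from(JSON.stringify(p.digests));
  if (!verify(null, signed, issuerPub, Buffer.from(p.signature, "base64"))) return null;
  const proven = {};
  for (const d of p.disclosed) {
    if (!p.digests.includes(digest(d))) return null; // altered or invented claim
    proven[d.name] = d.value;
  }
  return proven;
}

// Constructed sample: a licensing authority issues, the holder reveals one claim.
const issuer = generateKeyPairSync("ed25519");
const license = issueDisclosable(issuer.privateKey, {
  name: "Alice Example", date_of_birth: "1990-04-01",
  address: "1 Constructed St", over_21: true,
});
const toBar = presentOnly(license, ["over_21"]);
```

The verifier learns that the issuer vouched for `over_21` and sees only opaque digests for the name, date of birth and address.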
In practice — in addition to regulatory compliance (GDPR, CCPA) and improved user-experience — a digital wallet full of verifiable credentials could be used in any context where a third-party needs to substantiate the qualifications and identity of an individual: background checks, job applications, mortgage qualification, license issuance, bank accounts, medical credentialing and privileging, etc. Verification processes that currently take months, on account of manual checks that are highly inefficient and duplicative of effort, can occur immediately with verifiable credentials' deployment of cryptography.
The self-sovereign identity movement is nascent but resonating from the current failings of data stewardship. Like many technological developments, the move to SSI can be positive-sum; there is value to be realized by both individuals and businesses. For digital transactions to operate in this way -- seamless, immediate, trusted, accretive -- we have to change the way we handle identity online.
An Aside on Blockchain and Digital Identity
Underlying the technical architecture of verifiable credentials sits a verifiable data registry, which in most implementations is satisfied by a blockchain.
Bitcoin and other digital peer-to-peer currency systems have utilized blockchain to support decentralized validation of information, smart contracts, data origination and data attribution, privacy (pseudonymity), selective disclosure (Zero-Knowledge Proofs), and system integrity.
In the context of SSI, blockchain affords a trust model that allows for the peer-to-peer exchange of verifiable credentials, which stands in contrast to current models with centralized, federated, and hub-and-spoke exchanges. Individuals own and control their information. What is unique about the SSI application of blockchain is that no personally-identifiable information is stored on-chain (as the storage of identifiable information would violate regulatory mandates and also general privacy promises that SSI networks make). Instead, what sits on-chain are the digital signatures (cryptographic hashes) of individuals and institutions in the network (coined 'decentralized identifiers'), definitions and schema of the types of information that could be kept in an individual wallet, and a list of verifiable credentials that have been revoked. This ensures third-parties do not need to simply trust individuals who pull verifiable credentials out of their wallet; instead, they can verify the legitimacy of a verifiable credential by checking the associated cryptographic keys and proofs.
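The four verifier checks listed under "How it Works", run against a registry like the one described here, as an added example that is not part of the original article. The in-memory registry, the `did:example:` identifiers, the function names and the credential fields are assumptions made for illustration.

```javascript
// Added example. Node.js built-in crypto only; DIDs, claims and dates are constructed.
const { generateKeyPairSync, sign, verify, randomBytes } = require("crypto");

// Stand-in for the on-chain registry: public keys by DID and a revocation list.
// It holds no personal data. Mapping a DID to a key this way is an assumption.
const registry = { keys: new Map(), revoked: new Set() };
function register(did) {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  registry.keys.set(did, publicKey);
  return privateKey; // never leaves the owner's wallet
}

// Fixed field order so issuer and verifier sign and check identical bytes.
const payload = (c) => Buffer.from(JSON.stringify([c.id, c.issuer, c.subject, c.expires, c.claims]));
const freshNonce = () => randomBytes(16).toString("hex");

function issue(issuerKey, fields) {
  return { ...fields, proof: sign(null, payload(fields), issuerKey).toString("base64") };
}

// The holder proves control of the subject DID by signing the verifier's fresh nonce.
function present(cred, holderKey, nonce) {
  const holderProof = sign(null, Buffer.from(nonce), holderKey).toString("base64");
  return { cred, nonce, holderProof };
}

function verifyPresentation(p, expectedNonce, now) {
  const issuerPub = registry.keys.get(p.cred.issuer);
  const holderPub = registry.keys.get(p.cred.subject);
  if (!issuerPub || !holderPub) return "unknown DID";
  // Issuer and integrity: any change to the signed fields breaks this signature.
  if (!verify(null, payload(p.cred), issuerPub, Buffer.from(p.cred.proof, "base64")))
    return "bad issuer signature";
  // Ownership: a replayed presentation carries a stale nonce.
  const holderSig = Buffer.from(p.holderProof, "base64");
  if (p.nonce !== expectedNonce || !verify(null, Buffer.from(p.nonce), holderPub, holderSig))
    return "holder binding failed";
  if (now >= Date.parse(p.cred.expires)) return "expired";
  if (registry.revoked.has(p.cred.id)) return "revoked";
  return "ok";
}

// Constructed sample: a university issues a degree credential to Alice.
const issuerKey = register("did:example:university");
const holderKey = register("did:example:alice");
const credential = issue(issuerKey, {
  id: "urn:example:cred:1", issuer: "did:example:university",
  subject: "did:example:alice", expires: "2030-01-01T00:00:00Z", claims: { degree: "BSc" },
});
```

The verifier never contacts the issuer: it needs only the presentation, its own nonce, and read access to the registry.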