Self-sovereign identity: 3 key questions

If you work in the area of identity you will have noticed a lot of talk about self-sovereign identity (SSI).  As a concept, it applies the goal of placing the user at the center of digital identity management and control. User-centric digital identity is not a new idea. I first came across it back in 2008 when I read Kim Cameron’s Laws of Identity — the piece itself going back to 2005. Law 1 states that “No one is as pivotal to the success of the identity metasystem as the individual who uses it.”

SSI is user-centric, but you don’t need to have a self-sovereign ID system for it to be user-centric.

On paper, I like the idea of a self-sovereign identity. After all, digital identity is about what you do with the information that makes up who you are — surely that should be under your control. Yet still, I have lingering questions that make me question the ability of SSI to fulfill my identity needs.

What is self-sovereign identity?

Self-sovereign identity uses blockchain to register the attributes of a person’s identity. What does that mean? Your identity data (attributes or claims) — the stuff that determines your digital you, or that thing is that thing — are registered to a block on a blockchain. The blockchain is a distributed ledger (i.e., it has no central authority controlling it, it is decentralized); the subsequent decentralized claims are then part of a person’s identifying data that they can share, under their control, with a requesting party like a bank or a government service, etc.

The substance of the SSI is based on the idea of verifiable claims. If you follow my blog you’ll know that verification is a thorny issue in the digital identity space. It is certainly not straightforward and can do with a sprinkle of “user friendly” if you ask me. But organizations like Sovrin, who are offering a backbone for SSI, are built upon the notion of verifiable claims being managed through a distributed ledger technology backbone specifically attuned to digital identity.

What is a verifiable claim?

I just want to talk a little about the notion of a verifiable claim. For a piece of data on an individual to carry any weight it has to be true or at least have a probability of truth that satisfies the service provider. Claims that are checked (verified) by a trusted third party are deemed to be verifiable. Web standards custodians, W3C, have looked at the issues around standards for verifiable claims.  The research findings of the group come down heavily on the side of user-centric and privacy enhanced. There is a very strong value statement driving their work “No User-Centric, Privacy-Enhancing Ecosystem Exists for Verifiable Claims.”

The research concludes several things including:

Trust is decentralized. Consumers of verifiable claims decide which issuers to trust.

And

Users may share verifiable claims without revealing the intended recipient to the software agent they use to store the claims.

But, in the context of this article, do you need a decentralized identity system to have decentralized verifiable claims? Are the two mutually exclusive?

Three critical questions about self-sovereign identity

Who will pay?

We live in a world that is built upon certain commercial structures. These structures are pretty much universally driven by money. I want to understand how we can fit an identity framework, that is based on presenting verifiable claims, to a service. Who will pay for the verification? If one organization pays, will they be happy if that data is then shared with a competitor to build up a trusted relationship with them?

Are we back to the same issues we had with federated identity? As Phillip Windley said back in 2006: “Not surprisingly, the hard part isn’t usually the technology. Rather, the hard part is governing the processes and business relationships to ensure that the federation is reliable, secure, and affords appropriate privacy protections.”

Will self-sovereign systems come up against similar commercial issues to those faced by federated identity, but this time from a pay for use basis?

An interesting look at how this could be solved is from the Web of Trust working group and their work-in-progress treatise “How SSI Will Survive Capitalism.” This is something I will be keeping a close eye on. This is my main concern from their SWOT analysis: “Lack of upfront financing due to lack of platform (chicken & egg problem).”

And a last point before I move on that was brought up by a government official in the UK: Is a government verified identity document like a passport actually your data to own?

Where is the weak point?

I’m also not sure about the whole SSI being a magical panacea for refugees. There is a nagging feeling in the back of my head around the ‘stewards’ model. Self-sovereign frameworks like Sovrin use a steward’s model to maintain trust. The stewards are trusted third parties – organizations that operate the nodes in the distributed ledger. Sovrin currently has over 50 stewards that provide human and computing power.

I can see the positive aspect of this. It extends the notion of decentralization to another layer. But will the steward will become a weak point in the system? Will cybercriminals target stewards to gain control of the nodes?

How private is it, really?

The privacy aspects of decentralized, SSI are part of the charm of the system. Sovrin, for example, uses Zero Knowledge Proof as the underlying mechanisms of minimal disclosure of data. “Are you over 18?” Only Yes/No is revealed. Of course, SSI isn’t the only system that offers privacy of attributes. There are several ways of achieving the same thing using traditional identity services. One such mechanism was developed by Sid Sidner back in 2006, and named “Variable Claims.” I’ve seen it applied in a traditional identity service. It works in a similar manner by only revealing certain data, i.e., yes/no or partial reveal of attributes.

The problem is this. It is all well and good having minimal disclosure. But what if you want to buy a pair of shoes online? You have to allow the online vendor to know what address to send the shoes to. They will likely also want your name and other demographic data if they can get consent, for marketing purposes. Your data is then outside the SSI and held in a more traditional manner. And…it is now outside of your control too.

An identity ecosystem

I remember looking at pretty good privacy (PGP) way back. It offered the hope of secure email communications based on the idea of a “web of trust.” PGP always seemed very “techie” to me; you virtually needed a Ph.D. in computer science to use it. Usability, rather than methodology has probably killed PGP — even Phil Zimmerman, who invented PGP, doesn’t use it anymore. I get the same techie feel of PGP within the SSI movement. I know that folks in SSI are working hard to get neat apps together to help with usability, but still, there is an air of PGP about it.  I can’t shake it. I want to, but I think it comes down to this: We need to understand the true nature of why we use digital identity, the real use cases, the pitfalls of such use cases, as much as we need the technology to make them happen.

I do not, however, want to write a technology off just because I have a few unanswered questions. I can see, for example, that blockchain has some use cases that fit well and as an additional layer in a tech stack it has enormous potential.

Tim Bouma, senior policy analyst for identity management at Treasury Board Secretariat of the Government of Canada, recently summed up the SSI debate perfectly, and I agree wholeheartedly with his very pragmatic take. Tim explores technology with open eyes and the hard head of experience. He said in a recent tweet and Medium post on SSI:

The extreme (decentralized) case is no service provider, but likely it will be a mix of centralized, federated and decentralized options. That’s ok because options make for a healthy ecosystem.

SSI is on the extreme end of the digital identity spectrum. Its focus is putting control back in the hands of you, the user. But SSI is not the only way to skin a cat. My own view is that a mix of technologies will, at least for the foreseeable future, be needed to accommodate the vast array of needs across the identity ecosystem. I can see use cases for SSI. But will it become the overarching way that humans resolve themselves in a digital realm? I don’t know. I don’t have a crystal ball, but my gut says it won’t … unless there are compelling answers to the three questions I have listed above. Maybe the SSI community can help me to understand?