The Road to Self Sovereign Identity
Blockchain and smart contracts have the potential to radically reduce transaction costs and cut out the middle man. However, it is important to recognise that any structural fulfilment of this potential relies on first solving the fundamental question of identity: can we trust the entities who will be involved in these transactions, and how will we identify them?
Imagine a new delivery service, let’s call it DeSendtralise. With DeSendtralise, you order an espresso machine directly from the factory without using an online shopping platform like amazon and the like. This machine will be less expensive, as you have gotten it directly from the producer, and in case of product malfunction, the return and exchange process will be quicker and easier as you can deal directly with the factory.
However, the questions remain: DeSendtralise offers only the delivery service but does not take care of verification, so when you place the order, over email or over the telephone, how can you be sure that these are the identity attributes of the factory? And how can this factory know that you are, indeed, the buyer of this particular machine?
The current model of digital identity– focused on service access, rather than true representation– does not provide these answers. Blockchain itself does not provide an identity layer. In fact, the Internet itself misses an adequate identity layer. In the past, this has created considerable operational-, opportunity- and usability costs for the internet economy, both for the companies and users.
Because the Internet currently misses a native identity layer, companies and public institutions have implemented an ad-hoc system of workaround like internal databases– incompatible data silos in which they then manage the identities of people and things in their data ecosystem.
Problems that arise from these data silos:
- It is expensive to maintain security of identity data (theft or loss of data)
- Data compatibility with other institutions comes at a high cost.
- Users have no control of their data and do not know when it is passed on to other institutions
- Users waste a lot of time creating and managing multiple usernames for a single app or new service they register for.
- No control over their own data: The user doesn’t have a consolidated digital identity, but rather tens or hundreds of fragments of themselves scattered across different organizations, with no ability to control, update or secure these fragmented identities effectively.
- Fraud: (a) Companies cannot uniquely identify bad actors that might order goods they never pay for; (b) Users might be paying for goods or services online that they never receive.
Some numbers (Sovereign white paper):
- 30-40% of contact center call volume is related to password and account recovery
- 18% of shoppers abandon their shopping cart due to username and password issues
- 82% of businesses struggle with fake users and on average 10% of a web-facing organization’s user base will be fake
- The average retailer cost for each stolen record containing sensitive and confidential information is $165.
- 25 people in the US fall victim to identity theft every minute—leading to $15 billion in losses from 13.1 million consumers in 2015.
Blockchain-based transactions across jurisdictions will face these same problems, and as agreements become auto enforceable and entries in the database immutable, these problems may become even worse. To understand how we could work towards fixing this looming issue, we first need to understand where we are today and how we have gotten here.
History of Identity
Historically, our identity documents that we need in our day- to- day interactions– passports, driver’s licenses, social security cards, serial numbers for goods, etc.– are issued by centralized institutions like nation states and private institutions. While this might have been the method of choice in the analog world, it also created a host of issues for the users of this style of identification::
- Individuals can lose their identity if a state revokes their credentials.
- Identities are issued by nation states and often not accepted by other states.
- Centralized control of issuing and managing identities, that are only valid within one jurisdiction or one online service.
The increasing importance of the digital world created the not only new opportunities for issuing identification, but also the necessity of redefining analog-derived concepts of identity.
Evolution Online/Digital Identities
The Internet was built around connecting machines, not people. It was built without a way to know to whom or what you are connecting, which was fine in the early days, as we were just using email to send messages and the WWW retrieve information. However, in Web 2.0, as applications became more complex and as e-commerce and social media became prevalent, the question of identity became more pressing and various solutions for this question were implemented on the application layer.
- Centralized identity
- Federated identity
- User-centric identity
- Self-sovereign identity
Source: Sovrin White Paper
Though the early days of the Internet focused on building a network which would decentralize the world, this decentralized network ultimately operated on a base layer of centralized identities. Centralized organizations like IANA (1988) determined the validity of IP addresses, and ICANN (1998) arbitrated domain names. Eventually, trust became an issue on both sides of e-commerce. Can I trust my customer to pay their bills? And can I trust the service provider to deliver my goods? Therefore, in 1995, certificate authorities, as well as centralized institutions, stepped up to help Internet commerce sites prove they were who they said they were.
Unfortunately, the granting of control over digital identity to centralized authorities of the online world suffers from the same problems as its counterpart in the physical world: users are locked into a monopolistic identification scheme controlled by a single authority who could potentially deny their identity or even confirm a false identity. Centralization of the digital identity innately grants the access to and control over identity data to the centralized entities, and not to the users to which it should belong.
As the Internet grew, as power accumulated across hierarchies, a further problem was revealed. Every service provider started issuing their own identity. They multiplied as websites did, forcing users to juggle dozens of identities on dozens of different sites, ultimately resulting in the user having little to no control over any of their personal data.
Still today, most Internet identities are centralized. They are owned and controlled by a single entity, like an e-commerce website or a social network. A centralized identity can operate within its own domain but struggles to keep pace with the rapid growth and variety of online websites and services with which today’s users interact. We, therefore, live in a world of data chaos and data slavery:
- Data Chaos
Fragments of our identity and other personal data are scattered all over the web
Users have to manage hundreds of usernames and passwords
- Data Slavery
we do not own and control our own data. Digital identities are owned by certification authorities, domain registrars and individual sites (facebook, google, your bank, your university…), and then rented to users or revoked at any time.
Administrative control by multiple, federated authorities.
At its simplest, federation gives a degree of data portability to a centralized identity, for example enabling a user to login into one service using the credentials of another. Federation is common within large businesses, where single sign-on mechanisms allow a user to access multiple separate services.
During the 1990s, every single online service required you to register a proprietary username and password (incl more data if needed) with their services. Password management became chaotic. Microsoft’s Passport in 1999 was one of the first initiatives to provide a solution. It imagined federated identity, which allowed users to utilize the same identity on multiple sites. However, it put Microsoft at the center of the federation, which made it almost as centralized as traditional authorities.
In response, Sun Microsoft organized the Liberty Alliance in 2001. They resisted the idea of centralized authority, instead of creating a “true” federation. But, the result was instead an oligarchy – The power of centralized authority was now divided among several powerful entities. Federation improved on the problem of balkanization: users could wander from site to site under the system. However, your identity data remained under the authority of each individual site.
individual control across multiple authorities without federation
Idea: The individual fills their own data store with information. This information is then provided to other organizations with the permission of the individual, and a record is kept of these provisions. However, this style of identity still relies on the user selecting an individual identity provider and agreeing to often one-sided adhesion contracts – for example Facebook.
In 2001, the Identity Commons began to consolidate all works on digital identity with a focus on decentralization. This lead to the creation of the Internet Identity Workshop working group in 2005. The IIW community focused on a new concept that countered the server-centric model of centralized authorities: user-centric identity. This concept suggested that the process of determining digital identity should be established around the user, and underlined the need to put users front and center of their online identity. This definition of a user-centric identity soon expanded to include the desire for users to have more control over their identity, and for trust to be decentralized. User-centric methodologies tend to focus on two elements:
- User consent
- Full control
By adopting them, a user could decide to share an identity from one service to another and thus consolidate his or her digital self. As a result, a user could theoretically register his own OpenID, and use it autonomously. However, this took some technical know-how, so the casual Internet user was more likely to use an OpenID from one public website as a login for another.
This was one of the reasons why Facebook Connect (2008) became more successful than OpenID: it had a better user interface. Unfortunately, Facebook Connect did and does not offer a choice of provider. With this system, Facebook became the default identity provider. Facebook has had a history of arbitrarily closing accounts, censoring artists for using pictures of naked people, as well as questionable actions such as those sparking the real name controversy. As a result, people who access other sites with their “user-centric” Facebook Connect identity may be even more vulnerable than OpenID users to losing that identity in multiple places at one time, and again fall victim to the classic issues of centralized authority.The comparison could be made to state-controlled authentication of identity, but without a constitutional layer to protect user rights.
To cut a long story short: without true decentralization, being user-centric simply isn’t enough. While user-centric designs were an important step toward true user control of identity, the next step requires full user autonomy.
individual control across any number of authorities
For the last two decades, there’s also been a growing push to return control of digital identities to the users to whom they belong. From a humanistic point of view, individuals should have an established right to an identity, but national registration of identities destroyed that sovereignty. Around 2 billion people worldwide lack state recognized identities. The refugee crisis showed how people – refugees – suffer from this, having to wait for months if not years, that their identities can be proven to the countries they are seeking asylum with. On the other hand, it produces enormous bureaucratic costs for the countries integrating refugees into their society, producing anxieties and costs for all stakeholders involved. In a globalized and data-driven world powered by blockchain and smart contracts, we could solve many of these problems, with new decentralized solutions.
The move to self-sovereign identity is, accordingly, a move from a silo mentality to a layer mentality: In order to have true self-sovereign identity, we need to decouple the data layer – where I make claims about who I am and what I can do (my driving or language skills, my university degrees) – from the verification layer – where one could verify if that information is true. This concept is very much pushed by the Web of Trust initiative and has its roots in PGP.
In 1991 PGP introduced the “Web of Trust” established trust for a digital identity by allowing peers to act as introducers and validators of public keys. Anyone could be a validator in the PGP model. This created a decentralized trust for the management of identities. Unfortunately, this initiative only focused on email addresses, which meant that it still depended on centralized hierarchies like ICANN which issued these email addresses). For a variety of reasons, PGP never became broadly adopted, but the idea had been planted.
Individuals like Christopher Allen, and initiatives like Rebooting the Web of Trust, continued these thoughts in the light of blockchain technology. They advocate that autonomy is the heart of self-sovereign identity. Rather than just advocating that users be at the center of the identity creation process, self-sovereign identity requires that users be the rulers of their own identity.
A number of startups have started implementing self-sovereign identity solutions – an extensive list of which can be found here.While many of these startups claim that they are doing self-sovereign identity, the way they define it, or the approach to implementing it, differ widely.
In the next two blog posts, we will go into details of self-sovereign identity and analyze and compare the startups that are claiming to provide self-sovereign identities.
- Establishing Identity without Certification Authority, 1996, Carl Ellison
- Rebooting the Web of Trust, Papers and Specs
- Sovereign Source Authority, Feb 2012, Moxie Marlinspike
- Pretty good Privacy, PGP, Web of Trust
- Self Sovereign Identity, how the term has evolved, Marlin Spike
- The Promise of managing identities on the blockchain, Sep 10, 2017 by Ron Miller
- SPKI/SDSI project. Its goal was to build a simpler public infrastructure for identity certificates that could replace the complicated X.509 system.
- The Augmented Social Network, White paper, 2000
- Sovereign White Paper, Drummond Reed, Andrew Tobin