Self-sovereign identity
Alexandra Giannopoulou, University of Amsterdam
Fennie Wang, Dionysus Labs
Definition of the term
The concept of self-sovereign identity[1] (SSI) emerged from the aspiration of self-determination and of self-governance (Orgad, 2018) for each individual identity. In particular, SSI relies on technological design to create a digital identity independent of third-party actors, which prioritises security, privacy, and individual empowerment.
Origin
Bringing the Westphalian term of sovereignty to the individual level, identity is considered to be foundational for social equality, freedom, democracy, even financial independence (Verhulst & Young, 2018). Free from exclusive state control, self-sovereign authority refers to ‘the actual default design parameter of Human identity, prior to the "registration" process used to inaugurate participation in Society’ (The Moxy Tongue, 2012). ‘The act of “registration” implies that an administration process controlled by Society is required for “identity” to exist. This approach contrives Society as the owner of “identity”, and the Individual as the outcome of socio-economic administration’.[2] The qualification of autonomy as a determining act of self-sovereignty is aligned with transcendentalism. According to Trotter (2014), ‘each of us is owned by the state, which grants leeway (…) to govern and dispose of certain aspects of our bodies and lives’. Nowadays, the race towards digital sovereignty, i.e. the ability to act independently in the global digital environment, relies partially on digital identity management.
The term self-sovereign identity was recaptured by Christopher Allen (2016), who used it to describe a principle-based framework that would create a decentralised system of user-centric, self-administered, interoperable digital identities. This system is driven by ten foundational principles, following Kim Cameron’s Laws of Identity[3]: 1) Existence, 2) Control, 3) Access, 4) Transparency, 5) Persistence, 6) Portability, 7) Interoperability, 8) Consent, 9) Minimalisation, 10) Protection, that would aim to constitute the (missing) “identity layer” on the internet (Preukschat & Reed 2021). It embodies a specific vision of decentralised digital identity, separated from pre-existing centralised and federated models, which aims to decouple identity issuance by the state in order to bring it to the full control of the citizen (The Moxy Tongue, 2016). Ultimately, SSI ‘makes the citizen entirely responsible for the management, exploitation and protection of one’s data’ (Herian 2019). While implementations of these principles vary substantially, it can be said that SSI aims to ‘enable a model of identity management that puts individuals at the center of their identity-related transactions, allowing them to manage a host of identifiers and personal information without relying upon any traditional kind of centralized authority’ (Renieris, 2020). This does not imply that the (private or public) actors responsible for issuing elements of one’s identity will be stripped of their privilege,[4] but rather that an individual in possession of more identifiers can present all claims correlated to those identifiers ‘without having to go through an intermediary’ (Wagner et al., 2018).
Evolution
The use of SSI has been tied to the use of a blockchain. However, SSI is blockchain-adjacent, but not blockchain-dependent. As Cheesman points out, ‘[s]ome bemoan the conflation of “true SSI” with ill-defined concepts such as “user-centric” digital identity, which may not require blockchain technology or use it to its full imagined, decentralised potential.’ (2020).
The technical dimension of SSI has so far been anchored in decentralised identifiers (DID), verifiable claims (VC) and other related standards from the World Wide Web Consortium (W3C), the same internet standards organisation behind the common internet protocols we are familiar with today such as HTML and HTTPS.[5] We shall refer to these standards collectively as decentralised identity standards. They are a set of technical standards for linking and associating data about an identity-subject together in a persistent and universal manner, such that the identity-subject not only has control over how information is linked and used, but is the owner of the profile, rather than a third-party service provider. Thus, the set of linked data, called attestations or claims, may be globally portable. Attestations may include credentials that grant the identity-subject access rights or privileges, or may include verification of information such as a link to identity documents, professional certifications, credit history, or any other data or information. Every attestation that is linked to an identity-subject must be signed digitally by another identity-subject.
SSI systems may be compatible with a blockchain or distributed ledger for documenting and attaching the transactions to each identity-subject’s profile. The blockchain would record transactions that include the adding or signing of attestations, the granting or revocation of access privileges, and so on. The blockchain documentation creates a record of the data-integrity of a set of information linked to an identity-subject. However, a blockchain is not commonly used to store the underlying personal identifying information, as this would create data protection concerns and blockchain ledgers are not cost-effective for storing large amounts of data.
SSI hinges on the technical efficiency of its core concepts. For instance, no two people should have the same identifier, which can be described as the concept of unicity, whereby the identifier cannot reference more than one identity-subject. This condition can be satisfied through the use of cryptography, i.e. mathematically ensuring that only unique identifiers are issued and preventing them from being reissued. In other cases, such as voting or credit checks for cross leverage, no one person should have more than one identifier, which can be described as the concept of singularity whereby the relationship between the identity-subject and identifier is one-to-one only. This condition may be the most challenging in a pseudonymous and decentralised identity system. In a world which requires singularity of identification, technical tools and/or legal requirements that are exogenous to an SSI system appear to be a solution. The singularity quality of an identifier and identification system has traditionally been solved through centralised databases, wherein all sources of information can be aggregated to one authority that can cross check whether one identity-subject has multiple identities and identifiers (Wang & De Filippi, 2020).
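The ledger role and the unicity condition described in the two paragraphs above can be made concrete with a short sketch. This is an added example, not code from the authors or from any SSI project: the `did:example:` identifier form, the `Ledger` class and all sample values are hypothetical, and both signature verification of attestations and authentication of whoever writes to the ledger are assumed to happen elsewhere.

```python
import hashlib
import json
import secrets

def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def did_from_key(public_key: bytes) -> str:
    # Hypothetical identifier form, derived from the holder's public key.
    return "did:example:" + hashlib.sha256(public_key).hexdigest()[:32]

def commitment(attestation: dict, salt: bytes) -> str:
    # The salt stays off-ledger, so the digest cannot be matched against guesses.
    return _digest({"salt": salt.hex(), "claim": attestation})

class Ledger:
    """Append-only, hash-chained log that stores identifiers and digests only."""
    def __init__(self):
        self.entries, self.registered = [], set()

    def _append(self, kind: str, **fields) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"kind": kind, "prev": prev, **fields}
        self.entries.append({**body, "hash": _digest(body)})

    def register(self, did: str) -> None:
        if did in self.registered:  # unicity: an identifier is never reissued
            raise ValueError("identifier already registered")
        self.registered.add(did)
        self._append("register", did=did)

    def anchor(self, issuer: str, subject: str, digest: str) -> None:
        if not {issuer, subject} <= self.registered:
            raise ValueError("unknown identifier")
        self._append("anchor", issuer=issuer, subject=subject, digest=digest)

    def revoke(self, issuer: str, digest: str) -> None:
        if not any(e["kind"] == "anchor" and e["issuer"] == issuer
                   and e["digest"] == digest for e in self.entries):
            raise ValueError("only the anchoring issuer may revoke")
        self._append("revoke", issuer=issuer, digest=digest)

    def chain_intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

    def status(self, digest: str) -> str:
        kinds = {e["kind"] for e in self.entries if e.get("digest") == digest}
        return "revoked" if "revoke" in kinds else "valid" if kinds else "unknown"

def check(ledger: Ledger, attestation: dict, salt: bytes) -> str:
    # Verifier side: recompute the digest from the data the holder presents.
    if not ledger.chain_intact():
        return "ledger-tampered"
    return ledger.status(commitment(attestation, salt))

if __name__ == "__main__":
    led, salt = Ledger(), secrets.token_bytes(16)
    issuer, holder = did_from_key(b"constructed issuer key"), did_from_key(b"constructed holder key")
    for did in (issuer, holder):
        led.register(did)
    claim = {"subject": holder, "degree": "MSc"}  # constructed sample, stays off-ledger
    led.anchor(issuer, holder, commitment(claim, salt))
    print(check(led, claim, salt), check(led, {**claim, "degree": "PhD"}, salt))
```

The attestation itself and its salt never reach the ledger; a verifier who receives both from the holder can confirm integrity and revocation status against the recorded digest alone.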
Coexisting uses/meanings
As described above, SSI is oftentimes used interchangeably with terms such as decentralised identity and digital identity (Renieris, 2020). While the first two terms refer to a rather similar identity management system, one that applies technological architectures such as the ones mentioned above guided by political and ideological agendas, digital identity represents a broader techno-legal societal shift towards incorporating physical identity values in a digital form. It is supported by a network of legal reforms, and facilitated by technological developments (Sullivan & Berger, 2017).
The management of (physical and digital) identity is subject to national regulation, as an expression of digital state sovereignty (Madiega, 2020). On a European level, several initiatives have been launched with a focus on digital identity services. In its recent communication entitled ‘Shaping Europe’s digital future’, the European Commission mentions that ‘a universally accepted public electronic identity (eID) is necessary for consumers to have access to their data and securely use the products and services they want without having to use unrelated platforms to do so and unnecessarily sharing personal data with them. Europeans can also benefit from use of data to improve public as well as private decision-making’.[6] Similarly, the ‘Digital Finance Strategy for the EU’[7] specifies that ‘by 2024, the EU should implement a sound legal framework enabling the use of interoperable digital identity solutions’, which would bring technological standardisation, interoperability, and broader security in customer/user identification and authentication by financial institutions.
According to the Commission, the promotion and regulation of digital identity is essential in maintaining an ‘open, democratic, and sustainable society’, which is one of the main objectives of this data strategy. For this, trusted and secure interactions are essential. The objective would be to ensure appropriate, and most importantly, interoperable, identification and authentication frameworks. Current digital identity reforms are tied to SSI efforts for the creation of user-centric data sovereignty (Herian, 2020). However, and as pointed out by Sheldrake, ‘although SSI has been scoped, architected and built as technology, it is not merely technology. By definition, it’s sociotechnology (involving the application of insights from the social sciences to design policies and programs)’ (2020).
Issues currently associated with the term
While there have been considerable reforms that have facilitated the proliferation of identity solutions,[8] numerous legal compliance shortcomings remain with regard to the implementation of decentralised (self-sovereign) identity, and to its adoption.
Specifically, the eIDAS Regulation defines different levels of trust services and provides the regulatory environment that enables the creation of numerous interoperable digital identity solutions (Alamillo, 2020; Schroers, 2018). According to the Regulation, electronic identification is ‘a material and/or immaterial unit containing person identification data and which is used for authentication for an online service’. Any form of cross-border digital identity (self-sovereign or not) would have to function within a mutually recognised identity framework between EU member states for authentication and access to electronic services.
In addition, identity providers have to conform to data protection regulation such as the GDPR (Renieris, 2020; Giannopoulou, 2020). Compliance appears to be rather challenging, due to constraints related to the governance, architecture, and the technological design of the identity project. For instance, actor liability of decentralised architectures remains uncertain (Finck, 2019). Similarly, the exercise of data subjects’ rights within a self-sovereign identity architecture has yet to be tested, especially with the emergence of new types of trust actors.
Many applicable legal norms are sector-specific. In financial regulation, the Payment Services Directive 2 aims to facilitate financial data sharing in order to expand the technological abilities of the existing financial infrastructures (Westermeier, 2020) and to ‘promote innovative mobile and internet payment services’. Identity and the use of strong authentication technological standards are both key in applying and implementing the aspirations of the European legislator within the financial sector. This is also apparent when reviewing the anti-money laundering (AML) and know your customer (KYC) obligations, revised by the AML5 Directive, which require a digital identity that facilitates transparency and accountability of financial intermediaries. Evidently, the application of these obligations in the broader cryptocurrency network of actors remains unclear. However, the proposed MiCA Regulation[9] does address issues of identity, in relation to the cryptocurrency market.
Public discourse highlights SSI’s foundational goal of placing the identity subject in control of their identity data[10] (user-centric identity), and views SSI solutions as a much needed global infrastructure that would provide documentation to large populations that have none, better integrating them in modern digital society (World Bank Group, 2018; World Economic Forum, 2018). However, there are considerable risks related to the expansion of global SSI systems for purposes such as refugee identification. As pointed out by Cheesman (2020), ‘the emancipatory potential of decentralised, user-owned modes of identification came into tension with the geopolitical reality of the nation-state system in which states’ prerogative is to control the legitimate means of movement – or, indeed, identification’. The persistent integration of an identity layer cannot account for anonymity nor for the contextual, interpersonal nature of most expressions of our identity (Hopman & M’Charek, 2020). Following a tradition of identification technologies, ‘intensified regimes of surveillance, securitisation and control’ (Lyon, 2008; Cheesman, 2020) would tend to emerge, further solidifying existing inequalities (Gstrein & Kochenov, 2020). As pointed out by Sheldrake, ‘viewed atomistically, technologically, SSI looks quite sensible. At scale, as sociotechnology, the emergent consequences are malignant’ (2020).
While often lauded, the commodification of identity (Birch, 2014) could result in states competing in an open market for (sovereign) citizens. Finally, as reputation (Mac Sıthigh & Siems, 2019) is becoming essential in producing trust within modern platform-mediated digital services (Bodó, 2020), decentralised identity is regarded as an equalising force between power asymmetries. Lately, new intermediaries have started to emerge in the field of decentralized reputation systems, and with them, comes the potential for a new societal order of surveillance (Foucault, 2004), defined by the consequences of assigning persistent identities to control financial, criminal, and human flows.
Conclusion
Self-sovereign identity (SSI) is rooted in the belief that individuals have the right to an identity independent of reliance on a third-party identity provider, such as the state or any other central authority. Its implementation requires the development of technical standards, as well as socio-political adaptations rooted in legal amendments in order to be successful. Overall, SSI is implemented as blockchain-adjacent, but not blockchain-dependent identity management systems, which are guided by the fundamental principle of user-centric design, using technical standards that enable user-generated and user-controlled decentralised identifiers, associated credentials, and attestations. This is supplemented by legal and policy requirements to ensure that the objectives for particular use cases are achieved, including balancing competing societal goals between user privacy, security, law enforcement, financial inclusion and risk management.
References
Allen C (2016), The path to self-sovereign identity, Life with Alacrity, 25 April. Available online at: https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html#dfref-1212
Alamillo Domingo I (2020), SSI eIDAS Legal Report. How eIDAS can legally support digital identity and trustworthy DLT-based transactions in the Digital Single Market?. Available online at: https://joinup.ec.europa.eu/collection/ssi-eidas-bridge/document/ssi-eidas-legal-report
Birch D (2014), Identity is the new money, London Publishing Partnership
Bodó, B. (2020). Mediated trust: A theoretical framework to address the trustworthiness of technological trust mediators. New Media & Society. DOI: 10.1177/1461444820939922
Bodó B & Giannopoulou A (2020), The Logics of Technology Decentralization: the case of Distributed Ledger Technologies. In M. Ragnedda, & G. Destefanis (Eds.), Blockchain and Web 3.0: Social, Economic, and Technological Challenges Routledge
Cameron K (2005, May), The Laws of Identity. Available online at: https://www.identityblog.com/?p=352
Cheesman M (2020): Self-Sovereignty for Refugees? The Contested Horizons of Digital Identity, Geopolitics, DOI: 10.1080/14650045.2020.1823836
Finck M (2019), Blockchain Regulation and Governance in Europe, Cambridge University Press
Foucault M (2004), Sécurité, Territoire, Population. Cours au Collège de France, 1977-1978, Seuil
Giannopoulou A (2020), Data Protection Compliance Challenges for Self-Sovereign Identity. In: J. Prieto et al. (Eds.): BLOCKCHAIN 2020, AISC 1238, pp. 1–10.
Gstrein O & Kochenov D (2020), Digital Identity and Distributed Ledger Technology: Paving the Way to a Neo-Feudal Brave New World?, Frontiers in Blockchain, DOI: 10.3389/fbloc.2020.00010
Herian R (2019) Regulating Blockchain. Critical perspectives in law and technology. Routledge
Herian R (2020), Blockchain, GDPR, and fantasies of data sovereignty, Law, Innovation and Technology, DOI: 10.1080/17579961.2020.1727094
Hopman R & M’Charek A (2020), Facing the unknown suspect: forensic DNA phenotyping and the oscillation between the individual and the collective, BioSocieties 15, 438–462, DOI: 10.1057/s41292-020-00190-9
Lyon D (2008) Biometrics, identification and surveillance. Bioethics 22 (9):499–508, DOI:10.1111/j.1467-8519.2008.00697.x
Mac Sıthigh D & Siems M (2019), The Chinese Social Credit System: A Model for Other Countries?, Modern Law Review, 82(6):1034–1071, DOI: 10.1111/1468-2230.12462
Madiega T (2020), Digital Sovereignty for Europe, European Parliament EPRS Ideas Paper, PE 651.992.
Manski S & Manski B (2018), ‘No Gods, No Masters, No Coders? The Future of Sovereignty in a Blockchain World’, Law Critique 29:151–162
Orgad L (2018). “Cloud communities: the dawn of global citizenship?” In: Debating Transformations of National Citizenship. IMISCOE Research Series, ed R. Bauböck (Cham: Springer), 251–260.
Preukschat A & Reed D (2021), Self-Sovereign Identity. Decentralized Digital Identity and Verifiable Credentials, MEAP
Renieris E (2020), SSI? What we really need is full data portability. Available online at: https://womeninidentity.org/2020/03/31/data-portability/
Sheldrake P (2020), The dystopia of self-sovereign identity (SSI), 19 October. Accessible online at: https://generative-identity.org/the-dystopia-of-self-sovereign-identity-ssi
Schroers J (2018), The final piece of the eIDAS Regulation, Available online at: https://www.law.kuleuven.be/citip/blog/the-final-piece-of-the-eidas-regulation/
The Moxy Tongue (2012), ‘What is sovereign source authority’, 15 February, Available online at: https://www.moxytongue.com/2012/02/what-is-sovereign-source-authority.html
The Moxy Tongue (2016), ‘Self-sovereign Identity’, 9 February, Available online at: https://www.moxytongue.com/2016/02/self-sovereign-identity.html
Trotter G (2014), Autonomy as Self-Sovereignty. HEC Forum 26, 237–255. DOI: 10.1007/s10730-014-9248-2
Verhulst S G & Young A, (2018) Field Report - On the Emergent Use of Distributed Ledger Technologies for Identity Management. GovTech report. Available online at: https://blockchan.ge/blockchange-fieldreport.pdf
Wagner K, Némethi B, Renieris E, Lang P, Brunet E, & Holst, E. (2018). ‘Self-sovereign identity’ Position Paper. Blockchain Bundesverband. Available online at: https://www.bundesblock.de/wp-content/uploads/2018/10/ssi-paper.pdf
Wang F & De Filippi P (2020), Self-Sovereign Identity in a Globalized World: Credentials-Based Identity Systems as a Driver for Economic Inclusion, Frontiers in Blockchain, DOI: 10.3389/fbloc.2019.00028
Westermeier C (2020) Money is data – the platformization of financial transactions, Information, Communication & Society, DOI: 10.1080/1369118X.2020.1770833
World Bank Group (2018). ID4D Annual Report. Available online at: https://id4d.worldbank.org/sites/id4d.worldbank.org/files/2018_ID4D_Annual_Report.pdf
World Economic Forum (2018). Identity in a Digital World - A New Chapter in the Social Contract. Available online at: http://www3.weforum.org/docs/WEF_INSIGHT_REPORT_Digital%20Identity.pdf
[1] We will use the term sovereign identity and SSI interchangeably.
[2] See transcendentalism, and libertarian individualistic approaches towards societal constructs.
[3] https://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
[4] In that regard, it distances itself from the concept of sovereignty (Manski & Manski 2018).
[6] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, ‘Shaping Europe's digital future’, COM(2020) 67 final, 19.02.2020.
[7] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Digital Finance Strategy for the EU, Brussels, 24.9.2020, COM(2020) 59
[8] See for example eIDAS Regulation and the new Payment Services Directive 2 (PSD2).
[9] Proposal for a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final
[10] This objective is perfectly aligned with the ideals of decentralisation that drove the development of blockchain technology in general (Bodó & Giannopoulou, 2020).
Oskar Gstrein
PUBLISHED ON: 19 November, 2020 - 17:43
This is a very well written, succinct, yet comprehensive overview on the concept of self-sovereign identity. Potentially, one of the following points could help to improve it even more:
1) The very last sentence of the piece could be more helpful if stated earlier, since it clearly shows which kind of areas/discourses this concept relates to.
2) While several areas for application are mentioned throughout, it might be useful to have currently popular areas of application/projects also in a summary at the beginning. This is not easy, but could help some readers to relate the concept to more practical settings.
3) Maybe the relationship between collective and individual sovereignty could be emphasized more strongly. Sovereignty as a Westphalian concept is already mentioned, but especially from a cyber-security perspective SSI could also be considered as means of enhancing collective autonomy, which in turn raises the question what the underlying standards are that create a community (e.g. 'open' standards, platform/technology dependent, vendor lock-in etc.).
4) Finally turning to a more philosophical point, it is already mentioned that SSI necessarily comes with a limitation of human identity to financial capability, reputation etc. We have elaborated on some of the philosophical elements of this necessary limitation in this piece: https://doi.org/10.3389/fbloc.2020.00026
I hope this is helpful.
Alexandra
PUBLISHED ON: 24 November, 2020 - 15:36
Thank you Oskar for these great comments. It is an omission on our end to not include your contribution, which was certainly helpful in the research for the concept. We considered mentioning some key projects, but we decided against it due to space limitations and to highlight our holistic approach to the concept, separated by its applications. I am particularly intrigued by your third comment, which I would love to discuss further. There is certainly a push from the SSI community to create the technical standards that would enable its functionalities and privacy and security objectives, but I wonder what you mean by "collective autonomy". Is the sum of individual autonomy of users/citizens etc. creating a "collective autonomy" in your view?