Self-sovereign identity

: The concept of self-sovereign identity (SSI) describes an identity management system created to operate independently of third-party public or private actors, based on decentralised technological architectures, and designed to prioritise user security, privacy, individual autonomy and self-empowerment.


Definition of the term
The concept of self-sovereign identity (SSI) 1 describes an identity management system created to operate independently of third-party public or private actors, based on decentralised technological architectures, and designed to prioritise user security, privacy, individual autonomy and self-empowerment.

Origin
Bringing Westphalian state-centred sovereignty to the individual level, SSI emerged from the aspiration of self-determination and of direct self-governance (Orgad, 2018, p. 253) for each individual, outside state intervention. Identity is considered foundational for promoting social equality, freedom, democracy, and financial independence (Verhulst & Young, 2018). Originally, self-sovereign authority-the ideological progenitor to SSI-referred to 'the actual default design parameter of Human identity, prior to the "registration" process used to inaugurate participation in Society. The act of "registration" implies that an administration process controlled by Society is required for "identity" to exist. This approach contrives Society as the owner of "identity", and the Individual as the outcome of socio-economic administration' (The Moxy Tongue, 2012). Autonomy is viewed as a determining element of self-sovereignty, ideologically aligning with transcendentalism. According to Trotter (2014, p. 245), 'each of us is owned by the state, which grants leeway (…) to govern and dispose of certain aspects of our bodies and lives' .
In the race towards digital sovereignty, i.e. 'the ability of individuals to take actions and decisions in a conscious, deliberate and independent manner' (Pohle & Thiel, 2020) aiming to establish control 'over their data, device, software, hardware, and other technologies' (Couture & Toupin, 2019, p. 12), identity management is key.
Identities and their respective technological infrastructure vices begin to merge, while becoming a resource for the global economy: biometrics are turning into governmental infrastructures and are associated with state-issued identifiers and citizen IDs establishing citizenship (Lyon, 2008). Behavioural identity is derived from consumer personal data, collected and monetised by private actors. Technical identities are formed by local access control IDs. Health identities start to appear 1. We will use the term sovereign identity and SSI interchangeably. as immunity passports. Financial identity escapes financial institutions and generates value in fintech (Westermeier, 2020). Situated within broader digital identity development discussions 2 (United Nations, 2015), control over identity becomes instrumental as individuals, state, and private actors compete for power over its physical and digital expressions.
The concept of SSI has been elaborated as an expression of personal digital sovereignty by Christopher Allen (2016). He used it to describe a principle-based framework that would create a decentralised system of user-centric, self-administered, interoperable digital identities. This system is driven by ten foundational principles, following Kim Cameron's Laws of Identity (2005): 1) Existence, 2) Control, 3) Access, 4) Transparency, 5) Persistence, 6) Portability, 7) Interoperability, 8) Consent, 9) Minimalisation, 10) Protection, that would aim to constitute the (missing) "identity layer" on the internet (Preukschat & Reed, 2021). It embodies a specific vision of decentralised digital identity, separated from pre-existing centralised and federated models, which aims to decouple identity issuance by the state in order to bring it to the full control of the citizen (The Moxy Tongue, 2016). At the minimum, SSI 'makes the citizen entirely responsible for the management, exploitation and protection of one's data' (Herian, 2019, p. 115). While implementations of its principles vary substantially, it can be said that SSI aims to 'enable a model of identity management that puts individuals at the center of their identity-related transactions, allowing them to manage a host of identifiers and personal information without relying upon any traditional kind of centralized authority' (Renieris, 2020). This does not imply that the actors responsible for issuing elements of one's identity will be stripped from their privilege 3 , but rather that an individual in possession of more identifiers can present all claims correlated to those identifiers 'without having to go through an intermediary' (Wagner et al., 2018, p. 9).

Evolution
The use of SSI has been tied to the use of a blockchain. However, SSI is blockchain-adjacent, but not blockchain-dependent. As Cheesman points out, '[s]ome bemoan the conflation of "true SSI" with ill-defined concepts such as "user-centric" digital identity, which may not require blockchain technology or use it to its full imagined, decentralised potential.' (2020, p. 6).
The technical dimension of SSI has so far been anchored in decentralised identifiers 2. According to goal 16.9 of the United Nations 2030 Agenda for Sustainable Development, the objective is to 'provide legal identity for all, including birth registration' by 2030.
3. In that regard, it distances itself from the concept of sovereignty (Manski & Manski, 2018).

(DID), verifiable claims (VC) and other related standards from the World Wide Web
Consortium (W3C), the same internet standards organisation behind the common internet protocols we are familiar with today such as HTML and HTTPS. These decentralised identity standards are a set of technical standards for linking and associating data about an identity-subject together in a persistent and universal manner, such that the identity-subject not only has control over how information is linked and used, but is the owner of the profile, rather than a third-party service provider. Thus, the set of linked data, called attestations or claims, may be globally portable. Attestations may include credentials that grant the identity-subject access rights or privileges, or may include verification of information such as a link to identity documents, professional certifications, credit history, or any other data or information. Every attestation that is linked to an identity-subject must be signed digitally by another identity-subject.
SSI systems may be compatible with a blockchain for documenting and attaching the transactions to each identity-subject's profile. The blockchain would record transactions that include the adding or signing of attestations, the granting or revocation of access privileges, and so on. The blockchain documentation creates a record of the data integrity of a set of information linked to an identity-subject.
SSI hinges on the technical efficiency of its core concepts. For instance, no two people should have the same identifier (unicity), whereby the identifier cannot reference more than one identity-subject. This condition can be satisfied through the use of cryptography, i.e. mathematically ensuring that only unique identifiers are issued and preventing them from being reissued. In other cases, such as voting or credit checks for cross leverage, no one person should have more than one identifier ( singularity), whereby the relationship between the identity-subject and identifier is one-to-one only. This condition may be the most challenging in a pseudonymous and decentralised identity system. In a world which requires singularity of identification, technical tools and/or legal requirements that are exogenous to an SSI system appear to be a solution. The singularity quality of an identifier and identification system has traditionally been solved through centralised databases, wherein all sources of information can be aggregated to one authority that can cross check whether one identity-subject has multiple identities and identifiers (Wang & De Filippi, 2020).

Coexisting uses/meanings
As described above, SSI is oftentimes used interchangeably with terms such as decentralised identity and digital identity. While the first two terms refer to a rather similar identity management system, one that applies technological architectures such as the ones mentioned above guided by political and ideological agendas, digital identity represents a broader techno-legal societal shift towards incorporating physical identity values in a digital form. It is supported by a network of legal reforms, and facilitated by technological developments (Sullivan & Berger, 2017).
The management of (physical and digital) identity is subject to national regulation, as an expression of digital state sovereignty (Madiega, 2020

Issues currently associated with the term
While there have been considerable reforms that have facilitated the proliferation of (private/public) identity solutions, there remain numerous legal compliance shortcomings in the implementation and generalised adoption of decentralised (self-sovereign) identity.
Specifically, the eIDAS Regulation defines different levels of trust services and provides the regulatory environment that enables the creation of numerous interoperable digital identity solutions (Alamillo, 2020;Schroers, 2018). According to Article 3, electronic identification is 'a material and/or immaterial unit containing person identification data and which is used for authentication for an online service' . Any form of cross-border digital identity (self-sovereign or not) would have to function within a mutually recognised identity framework between EU member states for authentication and access to electronic services.
In addition, identity providers have to conform to data protection regulation such as the GDPR (Renieris, 2020;Giannopoulou, 2020). Compliance appears to be rather challenging, due to constraints related to the governance, architecture, and the technological design of the identity project. For instance, actor liability of decentralised architectures remains uncertain (Finck, 2019). Similarly, the exercise of data subjects' rights within a self-sovereign identity architecture has yet to be tested, especially with the emergence of new types of trust actors.
Many applicable legal norms are sector-specific. In financial regulation, the Pay- Public discourse highlights SSI's foundational goal of placing the identity subject in control of their identity data 4 (user-centric identity), and views SSI solutions as a much needed global infrastructure that would provide documentation to large populations that have none, better integrating them in modern digital society (World Bank Group, 2018;World Economic Forum, 2018). However, there are considerable risks related to the expansion of global SSI systems for purposes such as refugee identification. As pointed out by Cheesman (2020, p. 14), 'the emancipatory potential of decentralised, user-owned modes of identification came into tension with the geopolitical reality of the nation-state system in which states' prerogative is to control the legitimate means of movement -or, indeed, identification'. The persistent integration of an identity layer cannot account for anonymity nor for the contextual, 4. This objective is perfectly aligned with the ideals of decentralisation that drove the development of blockchain technology in general (Bodó & Giannopoulou, 2020).
There is a rapidly flourishing digital identity market, with previously isolated technological infrastructures converging, and enabling the circulation and commodification of identity-data. While often lauded, the commodification of identity by various private identity providers (Birch, 2014) (Bodó, 2020), decentralised identity is regarded as an equalising force between power asymmetries. However, lately, new intermediaries have started to emerge in the field of decentralised reputation systems, and with them, comes the potential for a new societal order of surveillance (Foucault, 2004), defined by the consequences of assigning persistent identities to control financial, criminal, and human flows.

Conclusion
Self-sovereign identity (SSI) is rooted in the belief that individuals have the right to an identity independent of reliance on a third-party identity provider, such as the state or any other central authority. Its implementation requires the development of technical standards, as well as socio-political adaptations rooted in legal amendments in order to be successful. Overall, SSI is implemented as blockchainadjacent, but not blockchain-dependent identity management systems, which are guided by the fundamental principle of user-centric design, using technical standards that enable user-generated and user-controlled decentralised identifiers, associated credentials, and attestations. This is supplemented by legal and policy requirements to ensure that the objectives for particular use cases are achieved, including balancing competing societal goals between user privacy, security, law enforcement, financial inclusion and risk management.