Self-sovereign identity (SSI)
A self-sovereign identity (SSI) allows a person, organization or machine to generate and completely control a digital identity without the need for the permission of an intermediary or a central party. It also allows control over usage and sharing of one’s personal data.
In the centralized identity paradigm, the identity or the associated identifier (such as an e-mail address or a telephone number) of a person is provided by an external entity. In the decentralized identity paradigm, the user is at the center of the framework, creating his/her identity directly.
For several years Boosty Labs team has been successfully developing self-sovereign identity solutions for companies, communities and government institutions. We are a world-class fintech and cloud engineering team with 10 years’ background of practice that combines consulting, strategy, design and engineering at scale.
Where Applicable
SSI solutions can be leveraged to offer a wide array of commercial and other projects a set of identity services in which customers using mobile devices or desktop computers are authenticated, receive a digital ID, and with its help they can enter into trusted relationships with other participants or enterprises.
Another service on the basis of SSI is a solution for organizations that allows to quickly and easily implement a procedure for meeting KYC (know your client) requirements.
Self-sovereign identity solutions can be developed for such institutions as government agencies, offices, enterprises. A person who has passed the identification procedure receives a digital identifier with which he will be able to dispose of his data on the network after the blockchain identification has been passed.
Benefits of Implementation
Under today’s identification system, we do not own or control our IDs and are dependent on another party to “assign” a specific identifier and conditions to everyone – be it corporations like Google and Facebook or the government. In a system of self-sovereign identity management everyone creates their own identifier, owns and controls it, and decides what information to share, with whom and on what conditions. That is, it is a global namespace that is controlled exclusively by the users themselves. Moreover, such identifiers must be globally unique and globally recognizable.
Such a decentralized identifier (DID) will be stored in a distributed ledger, so that it will not be possible to delete it: only update it, which can be done by the owner himself or his proxy. It will be possible to prove the ownership of a certain DID through the public key infrastructure (PKI), which also underlies the system of public and private keys in cryptocurrencies.
What the Implementation Will Affect
A modern system, implemented, in particular, in the form of a social security number in the United States or a Unique Personal Number (AADHAAR) in India, assigns a person a single identification number “for all cases”, that is, this number is used when contacting any, including government , organization and allows you to trace all the activities of its owner in any area of life. In addition, obtaining a user’s personal information allows an attacker to act on his behalf.
With the decentralized identifier system, it is possible to have unique identifiers for each case and for different organizations. At the same time, if one of the identifiers was compromised (for example, when a banking database was hacked), the private key from it will be useless for accounts in all other organiz
Controlling hundreds (or even thousands) of identifiers that can belong to one person will not be difficult with easy-to-use software, mobile apps and cloud services. Providers will be responsible for their work, from which the user will be able to choose the best option for himself.
Also, data management can be transferred to trusted parties – for example, parents in case of a minor, children if an elderly person has difficulties in managing decentralized identifiers independently, as well as a lawyer or accountant.
Some of the personal data is so-called certified information. These include a birth certificate, high school diploma, driver’s license, academic degree, proof of employment, and so on. This is the data that was transferred to the controlling organization and on the basis of which it issued the appropriate certificate and entered an entry about it in the distributed register.
The organization can send this information to the user and in the future he will provide, for example, information about the date of birth through a mobile application at the place of request.
Another feature of a decentralized identifier, aimed at increasing confidentiality, allows you to provide only the required information, while not revealing all the data contained in the decentralized identifier (whereas today, when presenting a passport to confirm the age of majority, the owner simultaneously discloses his name). Decentralized identifier data is also divided into “unchangeable” – that is, always up-to-date (this includes, for example, date of birth), and those that need updating (place of study, work, marital status).
Who is Working on Digital Identity Technologies And What Has Already Been Done
The European Commission, the US Department of Homeland Security, the Government of Canada, the largest universities from the Massachusetts Institute of Technology and Harvard to the University of Munich, as well as large businesses – Oracle, SAP, IBM, Microsoft, Workday – are prioritizing the development of SSI systems to solve various problems: from issuing passports and driver’s licenses to increase the transparency of accounting for competencies in the labor market.
Let’s consider several of the largest projects in more detail.
Digital “green card”
In June 2020, the first stage of the pilot was completed by order of the US Department of Homeland Security (DHS) to develop a digital version of the resident card. Many other countries are also considering using SSI technology to meet the challenge of creating digital passports and identity cards. The program solves a number of tasks: from creating a digital identity identifier for use in other government and commercial services to solving the problem of forging physical documents.
During the first stage of the program, 7 independent solutions were proposed, each of which automatically supports all the others (which was demonstrated during interop testing) without requiring special integration.
Digital diplomas
Digital diplomas and certificates based on the technology of a sovereign personality are issued by many universities in the world. However, one of the leading non-profit organizations in this field – the Digital Credentials Consortium, created on the basis of MIT and Harvard University – went further and set itself the task of standardizing not only the technical format, but also the data structure in relation to education specifically. This work is carried out on the basis of the IEEE – the largest association that deals with the standardization of technological standards in microelectronics and information systems.
Digital diplomas not only allow you to solve the problem of forgery and significantly reduce the cost of creating one document – they also allow you to combine data on competencies and qualifications obtained at different levels of education in a single profile. For example, in a single profile, the employer will be able to check the signed facts of obtaining a certificate and diploma, work experience, taking online courses and participating in a conference. Each fact has an issuer and a legally significant signature, which helps to reduce the costs of employers when scoring and checking facts from the applicant’s resume.
Raw material digital certificate
One of the most widespread areas of application of SSI technology is certificates and passports for various kinds of physical goods. In 2020, American companies Digital Bazaar and Transmute Industries implemented a digital certification system for imports of raw materials into the United States. In particular, these certifications help validate the quality and history of steel and crude oil production.
Digital resume
Europass, the pan-European resume system, is preparing to move to SSI-based verifiable digital documents. More than 100 million residents of the European Union will have the opportunity to generate a verified CV with automatic consideration of any sources of education, all possible languages and a detailed model of competencies.
The Velocity Network project, which is a non-profit partnership of the largest IT employers, allows not only Europeans, but also citizens of any country to create a verifiable and provable resume with work experience, additional education and assessment of results. More than 20 IT corporations have already joined the project, including Oracle, SAP, IBM, Microsoft, Workday.
Digital medical documents
One of the most active areas of application of SSI technology is the digitization of all medical documents based on an open standard. Such projects have become especially relevant against the backdrop of the COVID-19 epidemic, but the technology makes it possible to simplify the interaction not only with test results, but also with any other medical documents: medical books, vaccination cards, veterinary passports, any certificates and extracts.
In addition to purely technical implementation, a sovereign digital personality requires changing the existing one or creating an absolute new legal framework. The European Commission, the Government of Canada and a number of non-profit associations have done tremendous work in this direction over the past few years.
Canada
The task of the Pan-Canadian Trust Framework is the transition to a fully digital interaction between citizens, government and business and in the country. It is a set of practices, regulations, and system design guidelines that address two main challenges in the transition to a digital decentralized trust model:
Digital personality and hierarchy of such personalities. For example, how does a digital entry in a house book, a digital passport and a bank account relate to each other and what rights the owner of a particular type of entry has.
Digital interaction. What atomic functions should be available to citizens and businesses.
Ultimately, the PCTF serves to empower Canadians by ensuring that the human right to digital identity cannot be compromised, that privacy and security remain critical, and that the diffusion of technology gives people the convenience and choice of multiple providers.
California
The California Parliament passed changes to the Civil Code, according to which Verifiable Credentials is the standard for issuing, storing and verifying medical records and, in particular, test results for COVID-19.
European Union
The European self-sovereign identity framework (eSSIF) is part of a European emerging technology initiative that includes sovereign identity and blockchain. The initiative creates regulation and a gold standard for the use of SSI as a digital notary, certification and trusted data exchange. In addition to specific application cases, this initiative regulates the work of sovereign identity systems with European digital identity of the person (eIDAS).
In 2020, the European Commission allocated 5.4 million euros in grants for the development of SSI technologies and the creation of business applications.
We generate about 2.5 quintillion bytes of data every day. That’s 2.5, followed by 17 zeros – or rather 2.5 trillion million – a number that is impossible to visualize intuitively, but nonetheless has tremendous implications for our online privacy, our security, and our ability to keep our digital identity under our own personal control.
Currently, corporations do not do enough to protect their data, while more than half of all C-suite executives and CEOs admit that most consumers have a right to question it.
Nonetheless, given the sheer scale of this problem, it is unlikely that it will be resolved overnight. With the advent of blockchain technology, a new paradigm is now possible – a self-sovereign identity blockchain system that is being shaped to give people direct control over pieces of data and credentials that prove who they are.
Standards of self-sovereign identity are critical, because they allow users to control their digital interactions and protect their privacy. Our data, interactions and reputation have been trapped by large companies with serious consequences, especially through data breaches and the sale of personal data without our consent. Especially in technologies and standards related to identification, it is very important to use open source technology so that the systems of the future are open and accessible to everyone.
Self-sovereign identity standard will help restore the right to privacy through digital interaction; such a standard can have great advantages for the security of personal data.
Cyber attacks are on the rise and new forms of identity verification are required. With SSI, users will have an autonomous digital identity that is the same across all platforms. Thanks to this technology, we will be able to independently determine which information we want to share with which platform.
The self-sovereign identity blockchain systems and self-sovereign identity companies will return digital identity to the user’s power. This will completely change the current media market in which information has become a commodity to buy and sell. E-commerce logins will also be much safer and more efficient. Patient’s medical data will also be protected from prying eyes. Transparency of authorized access to information will become the new standard.
What is self-sovereign identity?
For centuries, paper documents have been the only form of proof of fact. Despite the rapid digitalization of all areas of life, a significant part of documents and facts remain in paper form to this day.
Paper documents fall short of the technological breakthrough that has occurred in recent years, when the Internet has become a universal means of communication between people, corporations and governments.
If the advantages of numbers over paper are obvious, then what was holding the world from transitioning, and why did not the technology for this appear until 2020?
The first reason is the fragmentation of a large number of IT systems. Solutions that are designed to simplify life in reality only complicate it: now, instead of one folder with documents, the user has to remember dozens of different logins and passwords from Internet services.
Each of them has its own interface, rules of use, and a mobile application, which only confuses users. Data between systems is not transferred at all (how many times have you filled in the same fields in the forms of different sites?), or requires a long and expensive integration.
Another reason is the insecurity of centralized registries and databases. The reason for this is not poor security but the high value of the data. If one database, albeit very well protected, stores data about the financial history of millions of people, but there is a strong motivation for attackers to bribe an administrator or conduct a very complex and expensive attack in order to obtain illegal access to data as a result. The proof of this is the regular hacking of the largest banks, corporations and even government IT systems.
Types of information systems
Fortunately, the solution to these problems exists and is being actively implemented by the largest businesses and government agencies of the world’s leading economies. Roughly speaking, there are two approaches to working with data in digital form:
The first is a centralized (registry) approach, when an authorized organization invites users to create accounts and through them get access to a service – for example, a personal Facebook page or a government system for storing medical data. In this case, all information is stored centrally, the user does not have full unilateral control.
The risk of cyber attacks increases, and the user himself cannot in any way protect or control his own data. Moreover, if one of the systems was hacked, then the user using the same password elsewhere becomes vulnerable, but often does not even have any information about it.
The second approach, self-sovereign Identity (SSI) technology, is a software architecture in which user data is stored decentralized (does not require a single ledger) and is completely controlled by the user. At the same time, the legal significance and provable verifiability of such data and documents is respected. In this case, the data is not stored centrally, but instead of corporations and states belongs only to the owner of the data, that is, to the user.
Data sovereignty and portability means that you can choose any digital wallet application and store all your documents in one place – from passport to medical certificate, air ticket and diploma. Like paper, you decide how to store, who will have access to your data and how you want to protect it.
The SSI approach includes the use of distributed storage technology to guarantee the availability of data for life, as well as selective disclosure of information – for example, using zero-knowledge proof. This makes it possible to prove in a digital and legally significant form any fact about yourself without disclosing details: for example, to prove that you are over 18 years old without giving your date of birth.
In addition to convenience, this approach provides a higher level of security: it is not enough for an attacker to hack one, albeit the most secure, database in order to steal 5 million bank cards – instead, he will need to hack 5 million separate systems, which is an order of magnitude more difficult task. if at all doable.
One of the standards within SSI – Verifiable Credentials – was adopted in November 2019 by the international consortium W3C, which develops standards for the Internet, such as HTML, XML, HTTP. This standard defines the compilation, release and verification of any information and documentation in digital format. Using a single standard means that you no longer need to integrate different IT systems. Your digital diploma, issued in accordance with the VC standard, will be automatically recognized by the job search system, and the receipt, warranty card and product certificate of conformity will automatically appear in the buyer’s wallet.
What is a sovereign fact or document?
A product in the system of a sovereign personality is any document or fact – it can be a completely classic contract, a passport of a citizen or a driver’s license, but also any other significant facts and data.
Digital documents and facts differ according to the type of their issuer:
- State and public sector: passport, license, license, identity.
- Education system: certificate, certificate, diploma, badge.
- Health care: health certificate, statement, certificate, test results and sick leave
- Business: discount card or loyalty card, KYC and AML certificate, login on the site, invoices, contracts and acts.
There are also separate classes of documents for different holders:
- Person: certification of fire safety skills and the fact of payment for a parking space, a pass to the office or accreditation for an event.
- Organization: environmental certificate or manufacturer’s license.
- Device: digital technical passport or warranty card.
Summary
Every year, billions of documents and trillions of records are created in the world in thousands of disparate information systems. Until recently, there was no way to combine this data on the basis of a single digital protocol, in which it would be truly owned and controlled by the user. The speed with which the technology of the sovereign personality is being adopted by the largest businesses and leading economies of the world demonstrates its necessity and value. Like the Internet, no matter what industry you work in – from a car service to a bank or a government organization – this technology will optimize processes, improve the safety and convenience of services provided to customers.
The key self-sovereign identity principles are:
- Autonomy. Users exist independently.
- Control. Users are in control of their identity.
- Access. Users have access to their data.
- Transparency. Transparency of the system and algorithms.
- Consistency. Long-lived identities.
- Portability. Information and services must be portable.
- Compatibility. Identity should be distributed as large as possible.
- The confirmation. Users must agree to the use of their data.
- Optimization. Disclosure of complaints or claims is minimized.
- Protection. Users’ rights must be protected.