
The Technology of Self-sovereign identity (SSI) as the Future of Entrepreneurship


Governments of the European Union, the United States, and Canada, along with technology giants and leading universities worldwide, are adopting a system of digital documents called “self-sovereign identity” or “SSI.” How does this technology work, and why is it currently creating a trillion-dollar market?

What drives the need for SSI?

For centuries, paper documents have been the only form of evidence. Despite the rapid digitization in all areas of life, a significant portion of documents and facts remain in paper form.

Paper documents do not align with the level of technological breakthrough that has occurred in recent years, with the internet becoming a universal means of communication between people, corporations, and governments.

Personal information of individual consumers is now stored on hundreds, if not thousands, of servers worldwide. Data breaches have become the new norm. We try to keep data carriers safe by having a folder of documents at home stored in a secure place. But paradoxically, when we provide these carefully stored documents upon request, we cannot guarantee that our data will not end up in the hands of fraudsters.

In the online environment, personal data is also vulnerable. All the information we provide when registering for a service is stored in centralized databases. If these databases are hacked, as a user, you may not even be aware that your personal data has been stolen.

While the advantages of digital over paper are evident, what has held the world back from transitioning, and why hasn’t a technology for this emerged until 2020?

The first reason is the fragmentation of a large number of IT systems. Solutions that are meant to simplify life end up complicating it in reality: now, instead of having one folder of documents, users have to remember dozens of different logins and passwords for internet services. Each of them has its own interface, usage rules, and mobile application, which only confuses users. Data is either not transferred between systems at all (how many times have you filled in the same fields in forms on different websites?), or it requires lengthy and costly integration.

Another reason is the insecurity of centralized registries and databases. The reason for this is not weak protection but the high value of data. If one well-protected database contains data on the financial history of millions of people, there is a significant motivation for malicious actors to bribe an administrator or conduct a complex and expensive attack to gain unauthorized access to the data.

SSI as a solution to the problem

Fortunately, there is a solution to these problems that is actively being implemented by major businesses and government organizations in leading economies worldwide. Broadly speaking, there are two approaches to working with data in digital form:

The first approach is the centralized (registry) approach, where an authorized organization allows users to create accounts and access services through them, such as a personal Facebook page or a government system for storing medical data. In this case, all the information is stored centrally, and the user does not have complete unilateral control. The risk of cyberattacks increases, and the user cannot protect or control their own data. Furthermore, if one system is hacked, a user who uses the same password elsewhere becomes vulnerable, often without even being aware of it.

The second approach is Self-Sovereign Identity (SSI) technology, which is a software architecture where user data is stored in a decentralized manner (without requiring a central registry) and fully controlled by the user. In this case, the legal significance and verifiability of such data and documents are maintained. In this approach, data is not stored centrally but instead belongs solely to the data owner, the user, rather than corporations and governments.

The sovereignty and portability of data mean that you can choose any “digital wallet” application and store all your documents in one place, from your passport to medical certificates, plane tickets, and diplomas. Similar to paper documents, you decide how to store them, who has access to your data, and how you want to protect them.

The SSI approach involves the use of distributed storage technology to ensure the lifelong availability of data, as well as selective disclosure of information, for example, using zero-knowledge proofs. This allows you to prove any fact about yourself in a digital and legally significant manner without revealing details. For example, you can prove that you are over 18 years old without disclosing your date of birth.

In addition to convenience, this approach provides a higher level of security. A malicious actor cannot simply hack one highly protected database to steal 5 million credit cards. Instead, they would need to hack 5 million individual systems, which is a much more complex task, if achievable at all.

What is SSI?

Self-Sovereign Identity (SSI) technology has two key features. The first is that every individual becomes the operator of their own personal data. You have the sole decision-making power on where to store your data and whom to provide specific information to. As a result, there is no need for a verifier to send requests to various agencies to verify the authenticity of your data since the issuer confirms the authenticity of the issued document with a cryptographic signature.

The format of data transmission is also crucial. Essentially, you don’t disclose anything about yourself in response to a query; instead, specialized software sends the results of mathematical calculations. It is practically impossible to reverse-engineer and determine the original data based on these results.

The second key feature of SSI technology is decentralized storage. This is fundamentally different from how citizen data is stored today. Many government and private institutions have their own databases, each with varying levels of storage quality and protection.

Partially, this problem can be addressed by creating a centralized data repository linked to government agencies and accredited organizations, but such storage is more vulnerable. If such a database is hacked, all records are compromised at once, whereas an attack on a decentralized storage system would only impact a single account. This alone renders the centralized storage idea impractical.

In such a registry, you can store not only passports, driver’s licenses, or other government-issued documents but also receipts from stores, train tickets, and any digitized certificates that individuals encounter in their daily lives. This system can be implemented using blockchain technology.

The main problem with a centralized system, besides its lack of security, is that integration with other existing centralized systems is costly. For example, if a driving school wants to integrate with government services and place their electronic certificates of completion on that platform, and there are thousands of such schools, they would need to hire programmers to perform complex integration with a large information system.

If driving schools were to adopt the concept of self-sovereign identity, they could generate electronic certificates for their students instantly. This would only require accessible and universally accepted software, and the authenticity of such a document could always be verified.

The use of SSI can be illustrated with the example of purchasing a bottle of wine at a supermarket. When making the payment, the cashier asks the customer to present identification. To avoid sharing excessive personal information with a stranger, the customer generates a QR code from their digital wallet. The cashier scans the QR code and verifies that the customer has reached the legal drinking age.

There can be numerous examples like this, where not only passports but any personal data can be converted into the SSI format. From a technical implementation perspective, this can utilize zero-knowledge proofs, which are cryptographic protocols that enable the confirmation of an operation while preserving the confidentiality of transmitted data.

One of the standards within SSI, Verifiable Credentials, was adopted by the international consortium W3C in November 2019. W3C is responsible for developing standards for the Internet, such as HTML, XML, and HTTP. This standard defines the creation, issuance, and verification of any digital information and documentation. By using a unified standard, there is no longer a need to integrate different IT systems. Your digital diploma, issued according to the VC standard, will be automatically recognized by job search systems, and your receipts, warranties, and product compliance certificates will be automatically stored in your digital wallet.

The European General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other regulatory acts in various countries cannot guarantee 100% protection of information.

Any use of centralized systems implies the presence of an operator who is responsible for collecting and storing information. In the event of a hack, fraudsters gain access to a database of millions of users. However, in a decentralized system, a hack would only expose the data of an individual.

According to the World Bank, nearly a billion people worldwide lack any form of legally recognized identification. Another 3.4 billion people with some form of legally recognized ID have limited opportunities to use it in the digital world. Only the remaining 3.2 billion people have a legally recognized ID and participate in the digital economy.

It remains to be seen how many of the 3.2 billion people will be able to seamlessly use their IDs online. SSI has the potential to create economic value for each of these three groups, improving access to goods and services while reducing fraud and violations of citizens’ rights.

What does a digital sovereign identity system consist of?

The system of digital sovereign identity consists of two components. The first component is the digital account, while the second component is the data, which can be documents associated with that account. For example, an OMS insurance policy is essentially a digital account with a unique barcode. The policy is linked to a medical card that contains the individual’s medical history. In this case, blockchain is used to create accounts, and the user is not dependent on a centralized platform.

If malicious actors hack and disclose your conversations and photos from WhatsApp, it means that the information was not stored on your phone or in the cloud but on the messenger’s server. WhatsApp is a completely centralized system.

In SSI architecture, all data exists in electronic form and is constructed according to the widely accepted Verifiable Credentials technical standard. The unique feature is the absence of a centralized database owned by banks, companies, or governments that can be stolen, read, or altered.

The sole operator of this data is the owner themselves, who can choose whom to provide which documents. All the information is stored, for example, on the phone or in the cloud.

This technology has two additional advantages over traditional data storage.

Data standardization: All documents are brought to a unified digital standard and linked to the sovereign identity technology.

Cryptographic verifiability: Each issuer has an electronic digital signature (EDS) with which they sign the documents. For example, only an accredited university can issue diplomas, and only healthcare institutions can issue pool certificates.

Any user with authorized access can obtain additional information. For instance, while a traditional university diploma consists of two pages – one with the recipient’s name and the other with grades – an electronic diploma can contain information about the student’s competencies, the professors who taught the course, or even a video of the thesis defense.

Digital documents enable the creation and accumulation of a unified digital portfolio, where information about education, health, or real estate can be stored, for example. However, this portfolio will be the “property” of the individual, and its protection will not rely on multiple people, any of whom could compromise the data. Despite the limited number of bank employees having access to customers’ personal data, such information regularly ends up on black markets and falls into the hands of fraudsters.

What are the benefits and conveniences of this technology?

End users will have control over their own information. They will have the ability to decide with whom and what information they want to share. For example, instead of sharing their entire electronic passport, a user could choose to only reveal their name or year of birth.

If social media platforms utilized decentralized SSI technology on the blockchain, platforms like Twitter, Facebook, Instagram, and YouTube would never be able to block accounts, such as that of Donald Trump. Social networks would be unable to censor anything. Content would always be accessible and stored in decentralized addressing and file-sharing systems (IPFS, Solid). Since decentralized systems do not have a central operator, it would be impossible to delete content or block a user, even if security agencies wanted to do so.

SSI would be beneficial to companies and universities. They would no longer have to spend millions of dollars on issuing diplomas and certificates. SSI would reduce the number of counterfeit documents and bureaucratic costs in international relations, as the technology is international. The use of a digital standard, such as the Fast Healthcare Interoperability Resources (FHIR) for healthcare or the Europass standard for all levels of education, would expedite the transfer of documents.

Where is SSI applied?

SSI is a relatively young technology. Despite the advantages of a decentralized system, some developers remain skeptical about its practicality. They believe that SSI will not work in reality.

However, there are already known examples of the application of this concept in the world. For instance, in the banking sector, the UK government has successfully launched a test version of SSI-based KYC (Know Your Customer) for users of the Financial Services Authority (FSA) management website and plans to further apply the technology in other sectors.

Why is this a massive market?

The European Commission, the United States Department of Homeland Security, the Government of Canada, major universities ranging from MIT and Harvard to the University of Munich, as well as prominent businesses like Oracle, SAP, IBM, Microsoft, and Workday, are already prioritizing the development of SSI systems to address various tasks, from issuing passports and driver’s licenses to enhancing transparency in the labor market’s competency accounting.

Many countries are considering the use of SSI technology for creating digital passports and identity documents. The program addresses a range of issues, from establishing a digital identity for use in other government and commercial services to tackling the problem of physical document forgery.

Digital diplomas and certificates based on self-sovereign identity technology are being issued by numerous universities worldwide. However, one of the leading non-profit organizations in this field, the Digital Credentials Consortium, established by MIT and Harvard University, has gone further by aiming to standardize not only the technical format but also the data structure specifically in the context of education. This work is being carried out in collaboration with IEEE, the largest association focused on developing technological standards in microelectronics and information systems.

Digital diplomas not only help solve the problem of forgery and significantly reduce the cost of creating a single document but also enable the consolidation of competency and qualification data acquired at different levels of education within a unified profile. For instance, within a unified profile, an employer can verify facts such as the attainment of certificates and diplomas, work experience, completion of online courses, and participation in conferences. Each fact is associated with an issuer and a legally significant signature, which helps reduce the costs employers incur when assessing and verifying information from job applicants’ resumes.

One of the most widespread applications of SSI technology is in the certification and passports for various physical goods. In 2020, American companies Digital Bazaar and Transmute Industries implemented a system for digital certification of raw material imports into the United States. These certificates, for example, help verify the quality and production history of steel and crude oil.

Europass, the pan-European resume system, is preparing to transition to SSI-based verifiable digital documents. Over 100 million residents of the European Union will have the opportunity to create a verifiable resume that automatically takes into account all sources of education, multiple languages, and a detailed competency model.

The Velocity Network project, a non-profit partnership of major IT employers, enables not only Europeans but also citizens of any country to create verifiable and demonstrable resumes that include work experience, additional education, and performance evaluations. Over 20 IT corporations, including Oracle, SAP, IBM, Microsoft, and Workday, have already joined the project.

One of the most active applications of SSI technology is the digitization of all medical documents based on an open standard. Such projects have become particularly relevant against the backdrop of the COVID-19 pandemic, but the technology also simplifies interaction with not only test results but also any other medical documents, including medical records, vaccination cards, veterinary passports, and various certificates and reports.

In addition to the technical implementation, self-sovereign digital identity requires the modification of existing legal frameworks or the creation of entirely new ones. Over the past few years, the European Commission, the Government of Canada, and several non-profit associations have made tremendous efforts in this direction.

In conclusion 

Every year, billions of documents and trillions of records are created worldwide in thousands of disparate information systems. Until recently, there was no way to consolidate this data based on a unified digital protocol that truly belonged to and was controlled by the user. The speed at which major businesses and leading economies in the world are adopting self-sovereign identity technology demonstrates its necessity and value. Similar to the internet, regardless of the industry you work in, whether it’s automotive services, banking, or government organizations, this technology will optimize processes, improve security, and enhance the convenience of services provided to customers.