The key piece to enable control and autonomy over our verifiable credentials and attributes of digital identity with security and privacy
Self-sovereign identity explained, what is it and why do we need it?
We explain the concept of SSI and why the shift to decentralized data models based on blockchain is key to protecting digital identity
The term "Self-Sovereign Identity" (SSI) refers to a type of digital identity where the user is the owner of his or her personal data and has, at the same time, full control over it.
To the experts in the field, this description will seem obvious. At first glance, they will understand the need for a self-managed identity. However, for the average citizen, it may even be surprising: Ah, but I have no control over my identity? What do you mean, my data are not mine? How can that be possible?
Let us take a moment to think about the concept of identity. Every individual has an identity which defines and describes him or her uniquely throughout his or her life. To understand this better, let's talk about an imaginary friend: Michael.
The identity of our imaginary friend, Michael
In 1980, Michael was 7 years old. He was a blond-haired boy with green eyes and a slim build. He lived in Austin, Texas, and attended Maplewood Elementary School. He loved to play baseball and collected cards of his favorite teams. He was in love with Samantha, his classmate. He never told her, but we all knew it.
Twenty years later, at 30, the same Michael was a man with light brown hair (although his hairline was beginning to recede), gray eyes and an athletic build. He lived in Bilbao, Spain, with his girlfriend Lina. He worked as a software developer and no longer played soccer. He went jogging and did fitness training. His favorite hobbies had changed to IT and gastronomy.
This example shows that identity is built up over time; it evolves with the individual. Identity must be seen as a global and abstract idea linked to the individual and his or her life. It is formed through a set of components that define, identify, describe and locate the individual. All these components that make up the identity are created in the physical world, in the digital world or in both at the same time.
Let's continue with the story of our friend...
Michael is Michael, at age 7, at age 30 and today. His identity is unique, even if he changes. However, Michael has been expressing his identity in different ways depending on the context. And here we come to the concept of Persona.
A unique Identity and different Personas
When Michael moved to Spain and went to sign up at the gym next door to his new apartment back in 2000, he expressed his identity by providing different data than the ones he used in 2021 to subscribe to the newsletter of Byte TI magazine.
In the first case, he was asked to fill in a form with his ID number, name and surname, date of birth, sex, address and the account number where the monthly gym membership fee was to be charged. In addition, one of the coaches, after verifying the data on his physical ID card, weighed and measured him, and recorded the results on the same form.
To subscribe to the Byte TI newsletter, Michael filled in a digital form with his email address, his name, the name of the company where he worked, the position he held and his country of residence.
What we are describing about Michael is common in all our lives. We have a unique Identity but, depending on the situation, we describe and identify ourselves as different Personas. And we need to identify ourselves constantly: to join the gym, to receive information, to go to the doctor, to change our address on the census...
Later we will see that the concept of Persona is crucial for the self-sovereign identity model, that is, for the digital identity management system, because it is closely related to the way in which the individual authenticates. And this brings us to two other key components of identity: Attribute and Identifier.
Identity identifiers and attributes
We continue with our imaginary friend Michael. When he filled in the gym file, he provided data referring to attributes and identifiers of his identity. One attribute, for example, was his weight, 90 kg. But surely there are many people who share that feature. An identifier would be the ID number.
Attributes are properties or features of the Persona. They can vary over time and are not exclusive to a single individual. The Identifier, on the other hand, is unique.
If Michael's gym wanted to research its customers, it would classify them by attributes. This would allow it to find out, for example, if there are more men than women, the average age, the concentration of the clients by neighborhoods, etc.
Weight, although it is an attribute, does not serve to identify a person. When Michael goes to his sports center, he presents the membership card he was given when he filled out the form. The number on that membership card is his identifier to access the gym.
Just with these simple processes of everyday life, we realize that identity is not something that the individual builds alone. People, as social agents, construct their identity by interacting with others. Therefore, it is true that, although identity is ours, the elements that make it up are not ours alone.
Identity is created through interactions with others in which there are three main roles: issuer, holder and verifier
Identity is forged through relationships that people establish with other people, with companies or organizations, and even with things. It is forged by interacting with others.
If Michael didn't keep going to the gym, he might lose his athletic build. But he developed his passion for fitness when he met his friend Jorge at university. And who knows... If Samantha had known about his feelings as a child, maybe today one of his 'attributes' would be 'married' instead of 'single'.
As for identifiers, the ID number is exclusively Michael's and it will accompany him throughout his life. It has been a third party (in Spain the Ministry of the Interior) who assigned it to him in order to prove his identity, and another third party (the gym) decided that this was the best identifier to verify his identity and gave it as valid. The gym also provided Michael with a membership card, another identifier, although this is only useful in that center and to get a discount at the healthy food restaurant in the neighborhood.
We see in these interactions there are always three roles: an issuer (for instance the Ministry of Interior), a holder (our friend Michael) and a verifier (the gym).
This example with the gym might make us ask ourselves: "Well, so what? What's the problem?" Michael wanted to go to the gym, he filled out a form, provided his identity card to authenticate his identity, and so on. Moreover, after signing the registration, there was a clear paragraph indicating that everything would be registered in compliance with the Organic Data Protection Law, and years later it was updated in accordance with the General Data Protection Regulation (GDPR). In short, Michael did not feel that he was losing control of his identity or his data at any time.
But the case of Michael and the gym has been very simple. We placed our friend in an offline world, where decentralized use of data is less complex. Michael carried his credentials in his wallet, he had control of them, he could access them and carry them with him. And he could decide whether to use them or not. Just as the gym chose to ask for his ID card.
With the online world, things get more complicated. Personas, attributes and identifiers start to multiply because digital interactions between issuers, holders and verifiers increase exponentially…
What happens with our personal data?
There are many attributes (data about his identity) that Michael (and his different Personas) has been sharing digitally in his life. Here are just three examples.
Not only did he subscribe to Byte TI magazine, to which he provided an email address and information about where he works and what position he holds. He also created a Facebook account, where he has been posting pictures of his vacations, talking about his interests and sometimes about politics (he shows attributes of his persona).
And in 2020, his gym was acquired by a franchise and is now a big fitness center. His data is kept by another company he doesn't know. Everything has been digitized in Michael's fitness center. To gain access, he has a token. Every time he enters a class, he registers via the token. Every time he does a workout on the machines or when the instructor sets up a routine, everything is recorded: how many times he goes to the center, at what time he participates in group classes, whether he prefers Zumba or body combat…
We could continue with examples of how Michael, through his daily interactions, is sharing in the digital world data about his identity (informing about attributes of his personas).
And where does all this data go? It is true that it is no longer in his wallet. It is true that in practice it is no longer Michael's. How is it that in the digital world there are so many 'people' who know about his interests? Who has his data? With whom is it shared without him knowing? The conclusions about the membership profile that Michael's gym could draw are far from everything that the new fitness center franchise is able to know by adding up the information from all its databases.
Michael, like many other individuals, has doubts about the security, destiny and privacy of his identity. And citizens like Michael begin to talk about the concerns that arise with digital identity. In parallel, foundations, non-governmental and governmental organizations, groups of technologists and scientists begin to pinpoint these problems and propose solutions for the control and management of digital identity.
The need for a self-sovereign digital identity is more than evident. In fact, Michael, now a European citizen, will soon be able to have by law a digital identity wallet, that is, an SSI digital wallet, with which to manage his data and actions. As early as June 2021, the European Commission announced its new proposal for a secure and trusted digital identity. Ursula von der Leyen, President of the EC, stated:
"Every time an app or a website asks us to create a new digital identity or to easily log in via a large platform, we actually have no idea what happens to our data. This is why the Commission will propose a secure European e-identity. An identity that we trust and that any citizen can use anywhere in Europe for anything from paying taxes to renting a bicycle. A technology with which we ourselves can control what data is used and how".
Why does the problem with digital identity arise?
Sovrin identified 5 issues that generate the problem of identity on the Internet, explained on its blog by the president of the Sovrin Foundation, Phillip J. Windley, Ph.D.
Proximity: interactions happen at a distance, with no physical contact, which opens up possibilities for fraud. Traditional ways of knowing who we are dealing with are useless in the digital world. Authentication schemes based on username and password are insufficient to create the basis for trusted interaction.
Scale: refers to the fact that digital identity depends on large information and identity silos. We use for example Facebook or Google as identity providers. These 'identity providers' are few and large.
Flexibility: many of today's digital identity solutions are limited to fixed schemas or sets of attributes. Today's digital identity systems are rigid.
Privacy: Today's digital identity solutions are based on a collection of data, often collected without the user's knowledge. Data is replicated over and over again in different systems. Third parties employ universal identifiers such as social security number or phone number to correlate identity information without the subject's knowledge. Identifiers shared by browser cookies allow personal information to be accumulated and correlated. Personal information is not secure with centralized data storage systems.
Consent: data contained in thousands of identity databases is often shared with others without consent. Sometimes this is done to provide a service. But it also happens, and a lot, that the focus is on providing a service to the organization that controls the data silo. Identification systems are based on universal identifiers such as email addresses, phone numbers or even social security numbers. This makes it easy for third parties to correlate behaviors and keep records of individuals without their permission.
In short, in Windley's words, in the physical world most identity transactions are self-sovereign. They are "scalable, flexible, private and happen with the consent of the identity owner. The Internet introduced the proximity problem." It is the limitations of currently available solutions that have led us to the situation we now find ourselves in.
How do we solve this problem? The transition from centralized to decentralized models
Christopher Allen talks about how we have arrived at the current situation in The Path to Self-Sovereign Identity. Allen explains how the idea of digital identity has evolved over the last few decades: centralized identities, 'federated' identities and user-centric identities.
The approach we are in today is that of a self-sovereign digital identity, which puts the individual back in control and allows them to interact online and offline without 'suffering' from the problems described above.
To understand this evolution of digital identity, we can also use an article by Alex Preukschat entitled "Self Sovereign Identity - a guide to privacy for your digital identity with Blockchain".
In it, he explains that there are two sets of centralized identity models, Scandinavian and continental. In the former, private companies (financial and telecommunications) provide the centralized digital identity services to interact with the government. In the continental model, governments provide digital identity services to companies enabling interaction with their citizens.
However, one of the basic requirements of functional identity systems in these centralized models is discovery: if you give me an identifier, I need to look it up. In the past this has always led to centralized directories and thus to centralized identification systems.
However, the concept of self-sovereign identity offers a different approach to the centralized model because it puts the focus not on 'who we are' but on 'what we do'.
Self-sovereign identity, how do we define it?
Although not all experts agree on a definition, they do emphasize the need for the individual to regain control and management of his or her digital identity, to freely decide with whom he or she shares what, and in practice to be the owner of his or her identifiers and identity attributes.
We can summarize that the self-sovereign identity model proposes that people can manage and present their digital credentials using digital wallets and that they can share and exchange them with guarantees of autonomy, security and privacy.
In the article "What is an SSI digital wallet" we explain the important role that wallets play in making self-managed digital identity a reality. They are a key piece in the ecosystem of issuers, holders and verifiers.
In short, self-sovereign identity means that individuals decide how to manage and deliver their digital verifiable credentials using personal and portable digital wallets.
The concept of self-sovereign identity includes another important element: the third-party entity to which a digital credential is presented (the verifier) no longer needs to go directly to the issuer to verify its authenticity or validity, as it can do so against a decentralized registry such as a blockchain network.
The role blockchain technology plays in giving individuals control of their digital identity
Self-sovereign digital identity systems make use of blockchains so that decentralized identifiers can be searched without recourse to a central directory. The technology itself does not solve the problem around digital identity, but it does provide the missing link to make use of cryptography. In this way, people can authenticate themselves using trusted, decentralized credentials, just as they do offline.
Let's go back to Michael's example. To register at the gym he is asked for an eID. In the case of Spain, the issuer is the Ministry of the Interior, which would give the holder (Michael) the verifiable credential. The Ministry of the Interior would use keys linked to its decentralized identifier on the blockchain to sign the credential so that it cannot be manipulated and anyone who receives it can verify that it was issued by the relevant entity.
Michael would hold all his verifiable credentials in his digital wallet. When the fitness center asks for his ID number, Michael would give permission to verify that his eID is indeed issued by the corresponding authority. It is Michael who authorizes the fitness center to access the credentials stored in his wallet and retrieve any public key.
This is illustrated by Phillip J. Windley, who gives the example of asking for a driver's license at the entrance of a bar to verify the age:
Any organization or individual could issue whatever verifiable credentials they wanted, and Michael would be able to carry as many credentials as he wanted in his wallet. Likewise those acting as verifiers (in the case above, the gym, and in the case of the graph, the bar) could choose which credentials they trust to verify identity. Decentralizing everything means that SSI systems can be used in any situation.
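The issuance and verification flow described above, as an added example that is not code from this article or from Wealize. The in-memory `ledger` map stands in for the decentralized registry, and the `did:example:` identifiers, sample ID numbers and function names are constructed for the illustration.

```javascript
const crypto = require('crypto');

// Stand-in for the decentralized registry: maps a DID to the issuer's public key.
const ledger = new Map();

// The issuer publishes its public key under its DID and keeps the private key.
function registerIssuer(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  ledger.set(did, publicKey);
  return privateKey;
}

// Deterministic serialization so issuer and verifier process identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Issuer signs the credential; the result goes into the holder's wallet.
function issueCredential(issuerDid, issuerKey, subjectDid, claims) {
  const credential = { issuer: issuerDid, subject: subjectDid, claims };
  const proof = crypto.sign(null, Buffer.from(canonical(credential)), issuerKey);
  return { ...credential, proof: proof.toString('base64') };
}

// Verifier decides which issuers it trusts, resolves the key from the
// registry (no call to the issuer), then checks the signature.
function verifyCredential(presented, trustedIssuers) {
  const { proof, ...credential } = presented;
  if (!trustedIssuers.has(credential.issuer)) return { ok: false, reason: 'issuer not trusted' };
  const issuerKey = ledger.get(credential.issuer);
  if (!issuerKey) return { ok: false, reason: 'issuer DID not found' };
  const valid = crypto.verify(null, Buffer.from(canonical(credential)),
    issuerKey, Buffer.from(String(proof), 'base64'));
  return valid ? { ok: true, claims: credential.claims } : { ok: false, reason: 'bad signature' };
}

// Constructed scenario: the ministry issues, Michael holds, the gym verifies.
function demo() {
  const ministryDid = 'did:example:ministry-of-interior';
  const ministryKey = registerIssuer(ministryDid);
  const eid = issueCredential(ministryDid, ministryKey, 'did:example:michael',
    { idNumber: 'X0000000-SAMPLE' });
  const gymTrusts = new Set([ministryDid]);

  // Same credential with an altered claim: the signature no longer matches.
  const tampered = { ...eid, claims: { idNumber: 'X9999999-SAMPLE' } };

  // Validly signed, but by an issuer the gym has not chosen to trust.
  const otherDid = 'did:example:unknown-issuer';
  const otherKey = registerIssuer(otherDid);
  const selfMade = issueCredential(otherDid, otherKey, 'did:example:michael',
    { idNumber: 'X0000000-SAMPLE' });

  return {
    genuine: verifyCredential(eid, gymTrusts),
    tampered: verifyCredential(tampered, gymTrusts),
    untrusted: verifyCredential(selfMade, gymTrusts),
  };
}

console.log(demo());
```

A valid signature alone is not enough: the third case passes the cryptographic check but is rejected because the verifier's own trust list is consulted first.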
Details about verifiable credentials, another key concept linked to SSI, can be found in the article "Verifiable credentials for digital identity projects".
We have given simple everyday examples, but imagine the benefits of applying the SSI model in key areas, such as the healthcare sector. People, while maintaining control and privacy of personal data, can keep in their wallet (for example, their cell phone) their medical history, vaccination records, allergy information... Everything. You can read a use case in "SSI and Blockchain in the healthcare industry".
In this way, if our friend Michael were to fall ill while traveling and had to go urgently to a medical center that is not his usual one, he could share his data with that center to facilitate better service and avoid delay in diagnosis or medication due to lack of immediate information. His credentials and data would not stay with the medical center, but would be withdrawn, no longer shared, and returned to his digital wallet.
At the European level, the implementation of SSI will soon be a reality and key industries, such as healthcare, will have to comply with the new eID regulation under the European eIDAS regulatory scheme.
By the end of 2023, beginning of 2024, they will have to provide citizens with a digital identity wallet with which they will be able to perform different actions, including accessing or requesting a medical certificate or storing a medical prescription that can be used anywhere in Europe. We talked about all this in "What is an SSI digital wallet".
Let's go deeper into the workings of the Self-Sovereign Identity model to visualize what happens with Michael's data.
How SSI systems work
SSI (Self Sovereign Identity) systems use decentralized identifiers (DIDs) to identify people, organizations or things. These DIDs provide the cryptographic basis for the system and can be used without a central administrative system having to manage and control the DIDs. Exchanging DIDs is how SSI system participants (issuers, holders and verifiers) create relationships.
SSI system participants -issuers, holders and verifiers- use the exchange of verifiable credentials to share information (attributes and identifiers) with others to strengthen or enrich those relationships.
SSI systems support participant autonomy, which implies that participants interact as peers.
These are the schemes that we used at Wealize in a Vaccination Card project for the Andalusian Health Service, carried out in collaboration with Alastria and Additum.
Requirements for an SSI model
In order to be self-managed with autonomy, security and privacy, a digital identity system based on the SSI model must meet the following requirements:
Immutable. Identifiers are established, at least, for life. They are not reusable and belong to the person. Individuals, organizations or connected things can use SSI using the same infrastructure.
Peer-to-peer relationships. As in offline relationships, individuals are in control. They freely choose who or what they relate to. That freedom is for everyone in the system. The scheme is not that of a clientelistic relationship, but of a peer-to-peer relationship.
Protection of privacy. Each member of the system has control over how information is shared. Therefore, SSI systems must avoid correlation, minimize attribute disclosure and require explicit consent. Otherwise, information would be put at risk and system members would lose control over the information.
Portable. Choice and control. Identifiers and associated credentials must be portable and SSI systems must be able to operate with each other to protect free choice and control.
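One common way to meet the minimal-disclosure requirement is salted hash commitments, the approach used by formats such as SD-JWT; the article does not name a mechanism, so this is an added example and not Wealize's implementation. The function names and sample attribute values are constructed for the illustration.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const commit = (d) => sha256(JSON.stringify([d.salt, d.name, d.value]));

// Issuer: commit to each attribute with a random salt and sign only the digests.
function issue(claims, issuerPrivateKey) {
  const disclosures = {};
  for (const [name, value] of Object.entries(claims)) {
    disclosures[name] = { salt: crypto.randomBytes(16).toString('hex'), name, value };
  }
  // Sorted so the position of a digest does not reveal which attribute it covers.
  const digests = Object.values(disclosures).map(commit).sort();
  const signature = crypto.sign(null, Buffer.from(digests.join('.')), issuerPrivateKey);
  return { signed: { digests, signature }, disclosures }; // stored in the holder's wallet
}

// Holder: present the signed digests plus only the attributes consented to.
function present(walletEntry, consentedNames) {
  const revealed = consentedNames.map((n) => walletEntry.disclosures[n]).filter(Boolean);
  return { signed: walletEntry.signed, revealed };
}

// Verifier: check the issuer signature, then check that every revealed
// attribute hashes to one of the signed digests. Returns null on any failure.
function verify(presentation, issuerPublicKey) {
  const { digests, signature } = presentation.signed;
  const signedOk = crypto.verify(null, Buffer.from(digests.join('.')),
    issuerPublicKey, signature);
  if (!signedOk) return null;
  const accepted = {};
  for (const d of presentation.revealed) {
    if (!digests.includes(commit(d))) return null;
    accepted[d.name] = d.value;
  }
  return accepted;
}

// Constructed scenario: the gym needs name and weight, not address or ID number.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const entry = issue(
    { name: 'Michael', weightKg: 90, city: 'Bilbao', idNumber: 'X0000000-SAMPLE' },
    privateKey
  );
  const toGym = present(entry, ['name', 'weightKg']);

  // A holder who alters a revealed value no longer matches any signed digest.
  const forged = {
    signed: toGym.signed,
    revealed: [{ ...toGym.revealed[0], value: 'Someone Else' }],
  };
  return { gymSees: verify(toGym, publicKey), forgedResult: verify(forged, publicKey) };
}

console.log(demo());
```

The signed digest list is identical in every presentation, so it can still link the holder across verifiers; this example covers disclosure minimization only, not correlation resistance.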
At Wealize we have worked on different SSI projects using blockchain technology and biometrics. More and more companies and organizations are opting for SSI systems: Healthcare, E-Commerce, Banking, NGOs... And we are willing to help you do so too.