Fostering an ecosystem: SSI hits its stride
The concept of self-sovereign identity (SSI) was born of digitally empowered communities’ efforts to find a decentralized answer to the issue of trust and identity on the internet. As the technology has developed, so have use cases, and the potential of an ecosystem based upon trust that benefits all stakeholders (government, enterprise, and end user) – while protecting privacy – is becoming increasingly clear.
An issue that has confronted practically everybody at some stage: the need to establish your age, so as to access a product or a service. As you read this, people are being asked for a valid identification with a date of birth on it so they can watch a particular movie, or enjoy a performance in a venue that is age-restricted. It could be to buy a drink, or even purchase certain medicines in a pharmacy in specific countries.
In most cases, the user (the holder) will hand over a driver’s license, passport, or similar document issued by a trusted source (the issuer) to the person (the verifier) who needs to see how old the user is. This is the basic triangle of trust, which must be fulfilled in order for a transaction to be completed.
In this case, trust is established because the document hits certain parameters. But has privacy been maintained? The verifier really needs only one piece of information, i.e., a simple answer to the question of whether the person standing in front of the verifier is old enough to access what is being offered. The verifier doesn’t need to know a date of birth, or even a name. Indeed, why should a person you have never met, and know nothing about, be in a position to know where you live?
Control your own identity
Self-sovereign identity (SSI) was born out of a specific need to decentralize the hitherto extremely centralized issue of establishing trust on the internet. It was conceived and fostered by a digitally empowered and technically savvy community whose members were frustrated by the need to remember an ever-growing list of passwords (the siloed approach to identity access management) or trust big tech entities to manage their access for them (the federated approach).
According to the German Federal Office for Information Security, “The basic idea of SSI is to give the users the control over their identity data, insofar that they themselves can manage their identity data and decide which information they want to disclose and to whom.”1
Franziska Muschik, Senior Product Manager Innovations & Business Development, Veridos, is even more succinct: “Think of what we consider ‘identity’ in the ‘real world.’ We define it ourselves. We are not dependent upon big players and centralized structures for it.”
SSI builds upon these ideas of privacy, security, and ownership, by combining a user-centric approach with high security and a level of data protection that is designed to be higher than the existing alternatives. As it has grown, SSI’s simultaneous establishment of trust in a way that benefits all constituents of the triangle of trust, while maintaining the user’s privacy, has caught the eye of the “offline” world as well. Use cases have exploded in number as awareness and technology have grown commensurately.
In some parts of the world already, that person standing outside the performance venue is showing the verifier their verifiable credential (VC), which establishes that they are old enough, but communicates nothing else. Trust is established, privacy is maintained. The verifier is satisfied, the user sees their show, the venue gets their custom. Is this an example of that rare use case where everybody is happy.
How VCs work, and why they matter
A VC is a set of claims on any given subject, which is provided to the holder by an issuing authority (governmental or otherwise, depending on the use case). It is cryptographically signed and secured. When a verifier asks, a presentation of the VC is given that answers only that question.
Once the VC has been issued, the issuer doesn’t have it anymore, either. Being a set of claims, it allows for two things that are key to SSI:
Selective disclosure: The user decides what information (i.e., which claim) to share, at what time, with which verifier. Among other things, this fulfills one of SSI’s 10 core principles as set out by Christopher Allen,2 namely that control of identity rests with the user.
Zero-knowledge proof (ZKP): If the question is whether a particular person is 21 yet, then a yes or no is delivered. A date of birth is not required, and not provided. This too is in line with one of SSI’s core principles, which is the minimization of disclosure of claims.3
As we see, the holder owns their data at all times. They set the limits of what they share, and they never lose control of their information. This enables an ecosystem that has wide-ranging benefits, that takes in all stakeholders, including nations, their citizens, and businesses that serve their needs.
Benefits of an SSI ecosystem
We’ve been discussing the merits of SSI for an individual. The benefits of SSI to that individual go beyond privacy and security, however. Aside from controlling their own data, “a functional SSI-based ecosystem enables users to offer, and avail of, services quicker and more efficiently,” says Michael Edwards, Director Business Development – IDMS & eGovernment, Veridos.
The benefits to industry are equally striking, if we think in terms of an ecosystem with SSI at its heart. As technology enters our life at an ever-more-granular level, it is instructive to remember that SSI isn’t meant only for humans; it also functions as an identifier for digital and mechanical entities, for example in the Internet of Things (IoT) and in machine-to-machine (M2M) communication.
Consider the growing field of e-charging of vehicles. Edwards points to the number of IDs required in every transaction: “The car, the owner of the car, the charging port, the operator of the charging port, the banks and payment gateways, the grid operator, etc.” They must all combine without failure for a seamless user journey. The driver shouldn’t have to fish out their credit card, and industry shouldn’t have to come up with an ever-growing series of apps to manage every transaction. If the ecosystem exists, if trust is established and maintained – in other words, if SSI is enabled and working for all parties – then a single digital wallet takes care of the whole transaction.
This extends to the management of parking garages, supply chains, traffic management, etc. It may take time, but research is steaming ahead, because the benefits themselves are clear to all concerned.
Governments are investing in SSI ecosystems as they want to boost their digital economies. Providing the regulatory framework (and playing the role of an effective admin, if required) for the success of an SSI ecosystem helps their stakeholders, i.e., citizens and enterprises. Equally importantly, by moving verification to secure digital IDs, SSI is a key step toward streamlining every citizen’s access to eGovernment. This will reduce governmental costs in the long run. It also has an immediate effect, which is to make access to government services quicker and more efficient for citizens.
Additionally, as Muschik points out, “A governmental ID can be linked to commercial use cases, which benefits all parties.” A phone or rent agreement that might have required a driver’s license, for instance, now only needs the VC you have in your digital wallet.
The European Blockchain Services Infrastructure (EBSI), a joint initiative between the European Commission and its member states through the European Blockchain Partnership (EBP), provides an interesting example of governments acting in concert to deliver services to users. Among other things, EBSI provides VCs for diplomas of accredited universities and other institutes, so a holder can prove instantly that they actually earned it. This also protects companies and others from having to screen candidates with fraudulent credentials.4
The path ahead
It is clear that such an SSI-based ecosystem is to everyone’s benefit, provided it is well-designed, and completely secure. Companies and governments need to work together to establish and maintain trust at every step, because trust is, after all, what this ecosystem is about. Governments can help provide the right framework in which it can be built, while companies and individuals supply the innovation, so its full potential can be realized.
- Governmental digital IDs in a functional SSI ecosystem foster uptake of eGovernment offerings.
- Individuals retain control of their data, and secure their privacy. Governments can provide and offer services quicker and more efficiently
- Businesses can offer user journeys that are more convenient and with fewer obstacles.
A brief guideline on self-sovereign identities (SSI), Federal Office for Information Security, 2021
Land Registry Framework Based on Self-Sovereign Identity (SSI) for Environmental Sustainability, Shuaib, Hassan, Usman et al., April 2022
EBSI’s success stories: Transcript of records, European Blockchain Services Infrastructure