The Holy Grail of Digital Identity Is Not Entirely Sovereign

Simon Chandler
Last updated: | 4 min read

Self-sovereign identity would let people own the digital information that identifies them and choose when to share it. The ID information will still need to be established or underwritten by centralised institutions.

Source: iStock/metamorworks

In April, an American tech company IBM joined a little-known not-for-profit alliance called the Sovrin Foundation. Why is this significant? Well, because they are building its own purpose-built blockchain, which it will use to enable ‘self-sovereign identity.’

Self-sovereign identity (SSI) has recently become the holy grail of concepts when it comes to digital identity and data privacy. It describes a state in which people can own the digital information that identifies them and choose when and when not to share it, without having to rely on a third party (e.g. online social networks, businesses or governments).

And naturally enough, it’s not only the Sovrin Foundation that has identified the blockchain as a means for establishing such a state, but also a growing number of startups. However, while decentralised blockchains would appear to offer a more privacy-respecting means of proving identity online than Facebook, for instance, the identities they substantiate will ultimately still need to be underwritten and confirmed by centralised institutions.

Decentralised identifiers

“By creating a global digital identity system, Sovrin is trying to make the online world as authentic and as interactive as the physical world,” said the Foundation’s chair Phillip Windley recently.

In addition to IBM, it counts Berlin’s T-Labs, a joint organization of Deutsche Telekom and selected universities, and Italy’s InfoCert, a digital certification authority, among its members (or ‘stewards’), who are signed on to serve as validator nodes for its distributed ledger.

Conceived as a “global public utility,” this ledger will allow a user to convert their personal info (e.g. name, age, gender) into an encrypted decentralised identifier (DID) stored on the Sovrin blockchain.

Via the use of cryptographic ‘zero-knowledge’ proofs, these DIDs will then be used to confirm to third parties that the user has the credentials or characteristics they say they have, all without revealing what these credentials or characteristics exactly are.

They also promise savings: they’ll eliminate the need for usernames and passwords, which according to Centrify, an identity management company, cost US companies around USD 210,000 a year in lost productivity. They’ll also carve significant chunks out of the costs poured into the identity and access management (IAM) industry (among others), which is valued at some USD 8 billion per year.

Keys, passes and swaps

By using its own Sovrin token, the Foundation’s platform effectively becomes a decentralised marketplace for verifying encrypted identity credentials: ‘verifiers’ demand to see our credentials, and by choosing to accept such demands we send the request to an ‘issuer,’ who then receives a small payment in Sovrin tokens for solving the zero-knowledge proof that confirms certain aspects of our IDs.

Other organisations and companies are using a similar marketplace- and blockchain-based framework for pursuing SSI. SelfKey, for instance, is building a similar platform to Sovrin’s, in which “Relying Parties, Identity Owners and Verifiers” exchange the KEY token as they go about confirming or requesting confirmation of identity.

Another entrant is Blockpass, which defines itself as a “shared KYC [know your customer] platform” and which distinguishes itself from Sovrin and SelfKey by virtue of providing its users with a once-and-for-all “pre-verified” proof of identity. And on a more focused level, Swapy is launching a peer-to-peer lending platform that uses SSI protocols in order to provide users with a portable ID that can be used with any applicable organisation worldwide.

One element is common to all these platforms: by providing only the necessary ID information only when a user consents, they reduce the scope for any abuse of personal data on the kind of scale recently witnessed with a social network Facebook (or Equifax, an American consumer credit reporting agency, to provide another example).

Governments remain

However, while self-sovereign identity looks set to make online identification safer and quicker, there is a limit to the decentralisation being offered by the above organisations.

That is, the ID information they’ll confirm will still need to be established or underwritten by centralised institutions: our names, ages, genders and citizenships will still need to be officially recognised by governments or governmental departments before they can be verified on any blockchain, for instance.

As such, SSI won’t allow us to undermine one of the traditional functions of national governments, which will still retain the power/authority that flows from having sole rights to recognise the existence and status of people.

That said, the aim of SSI was never to replace traditional central governments, but rather to make proving one’s online ID much more efficient and much less personally compromising. And in that respect it will most likely succeed.