Much has been written and said about Self-Sovereign Identity. SSI, in short, is an approach to giving individuals back control of their digital identities. But no matter how clear this explanation may sound, a large number of methods and approaches on the Internet can also lead to confusion and even false statements. In this article, we take a detailed look at topics and individual statements that have been discussed in the media in recent times. In doing so, we examine more closely whether SSI can increase or reduce risks for data misuse in certain cases. We conclude with the core thesis that the misuse of personal data will remain possible regardless of the digital identity used – and how one can still protect oneself against data misuse with the help SSI.
Jolocom stands behind better digital identity solutions.
First things first: SSI alone does not increase the risk of data being misused. Due to its architecture, it opens up opportunities to increase data security and privacy. The greatest risk lies in the fact that user data is passed on to an online service and then stored there. Today we all know this only too well as a user profile or account. From the moment I enter my details on a platform online, I have to trust that the service protects its database well and keeps my data safe from attacks by hackers and identity thieves. Unfortunately, experience shows that in the end, hackers are often successful and thousands of profiles and accounts fall into the hands of data thieves each day. This can become an absolute nightmare for those affected and motivates us at Jolocom to work on better digital identity solutions.
So we have two options, either we don’t give the services any more data or we force them to secure the data better. Of course, it would be best to do both: to transfer less data, and at the same time to create better data security.
Login – Continuous onboarding
In order to save less data with services and still be able to fully use what they offer, there is a great possibility offered by SSI that ensures that I have my data completely under control. The concept is called continuous onboarding and means that the profile data is retransmitted every time I log in (in the case of car sharing, for example, my relevant driver’s license data, my IBAN and billing address). As soon as the user logs out (and has parked the car again), the service can delete their data and only keep an individual code for itself, with which it recognizes the user on the next visit. Admittedly, one is dependent on the service actually deleting the data, but there are many incentives to do so, because the risk of a hacking attack with serious consequences decreases enormously. And not to forget, if something changes for one user (e.g. the telephone number), the service will be notified about this change via continuous onboarding the moment the user next logs into the service.
With SSI, data can be shared with one click, without any additional effort. Today, the process of continuous onboarding described above would be practically impossible, since the data would have to be entered manually for every visit, and even the driver’s license or ID would have to be confirmed by video. This is a complex process and unattractive for both sides. With SSI, data can be shared with one click, without any additional effort. The service also saves a lot of money due to this reduced risk, which is yet another reason to work with SSI.
However, it will not work entirely without regulation.
As much as we can use SSI to help services stop storing data about us, there’s no guarantee they won’t. Regulation is the only way to ensure that they do not request more data from us than is necessary. Because in the situation in which we as individual users negotiate with the services, we often have less leverage. We want to use the service and the only way to do so is accepting their terms, whether justified or not. In a digital world in which we practically cannot do without many services, this is like blackmail. We are often at the mercy of data misuse and have to watch how we are either excluded from society or how our data is used for participation in the digital life.
Jolocom positions itself against data trading and tracking.
Fortunately, there already is a very promising legal situation in Europe. Because the GDPR (General Data Protection Regulation) sets clear limits on what can be demanded of users. Most recently, the Digital Markets Act was passed, which again strengthened the rights to services. While it’s true that SSI comes from liberal thinking, that doesn’t mean our European version of SSI should be completely unregulated. Do we just have to wait for regulation? However, such a regulation for SSI can also be implemented in very concrete terms even before the legislature acts, in that the actors involved in an SSI ecosystem give themselves common rules and determine the means to enforce them. The whole thing is called the Trust Framework.
In an SSI ecosystem, it can be restricted which data can be queried from the user and by whom. The Verifier must then clearly justify what happens to that data and is bound by the Trust Framework. We at Jolocom are also working on these trust frameworks as part of the BMWK (Bundesministerium für Wirtschaft und Klima) showcase projects and are supporting the development of eIDAS 2.0 in Brussels, a new regulation in which similar questions are addressed. In fact, eIDAS can be understood as a kind of European trust framework. The electronic identity card is already one of them today and in the near future, very likely, self-sovereign identity will be too.
To put it bluntly, one could say that with SSI you can only decide who you give your data to and by what means, but not what happens to it. However, that is a lot compared to the status quo. What happens to the data is then a new question and not a technical one. Then it is about the trust framework and the implementation of policies.
Ultimately, the whole thing has to be regulated via certification and approval.
While it is true that SSI comes from liberal thinking, that doesn’t mean our European version of SSI should be completely unregulated. In any case, in the medium term it can be assumed that only wallets that are also approved/certified in a trust framework and only speak to issuers and verifiers who are also approved can assert themselves on the market. The SSI system is not responsible for poorly secured databases.
Does self-sovereign identity mean that I can decide everything for myself?
The idea that as a user of SSI I have complete sovereignty over my digital identity is often misunderstood. At its core, SSI is about my digital identity being under my own control, so I can decide to whom I show my data, when, and for what. This important principle is already contained in the first article on SSI by Christopher Allen from 2016. With SSI I can also create identity data about myself and, for example, claim to be an astronaut. But at the latest when I want to board a space shuttle with this identity, I would be exposed. In reality, we construct our identity primarily from what others say about us. Our identity card is only appreciated because it was issued by the state and a sovereign authority confirms my identity. It is similar with a student ID, which is only credible if it was issued by the university.
Allan, Christopher (2016): The Path to Self-Sovereign Identity.