Go Self-Sovereign: How to Own Your Identity on the Internet
We’re all used to the notion of proving our identity in the physical world. We present driver’s licenses and passports as needed as a matter of course. The facts on the identity document, like our age, are considered verified because we trust our government to have checked them somehow. In the digital realm, things are more complicated. We need to provide an identity to every website where we want to establish some type of relationship. That can be as simple as the site using a tracking cookie to remember us from one visit to another, as mundane and annoying as setting up a login and password combination unique to that site, or as complicated as having to submit “real-world” documents to prove something about ourselves.
Federated Identities: From the Frying Pan Into the Fire
This situation suits the big internet companies just fine. But it’s troublesome to anyone worried about privacy and the power of individual users to own their identity. Recent privacy moves like the EU’s GDPR do address one of the problems with current federated-identity solutions, by requiring that the user at least approve what information is shared and have the ability to delete it.
The Holy Grail: Self-Sovereign Identities
The above doesn’t address the problem of ownership, though, which is where the concept of a Self-Sovereign Identity comes in. With a self-sovereign identity system, each user controls their own identity and identity-related data and can keep it all on their physical device if desired, or encrypted in the cloud. While there isn’t any widely-adopted system for self-sovereign identities yet, there are quite a number of approaches that are being actively researched or are under development.
A self-sovereign identity typically starts with a number, unique to an individual, that is associated with a public key for which the user has the private key. They can then prove that as needed. From that base, the users can then make claims about themselves, which a Trusted Provider can, in turn, validate and sign. Users can give others the right to see and verify one or more of their claims. But they don’t need to see the original information. For example, the Trusted Provider may use a driver’s license to validate that the person is over 18, but all that the potential service provider or website knows is that they’re over 18 — not any other identifying information.
To make this type of system work, we need unique, decentralized, memorable (human-readable) IDs and a secure system for managing them. Until recently it wasn’t thought possible to create a system with all of those attributes (a situation called Zooko’s Triangle). However, with the advent of Blockchain, a number of potential solutions have been proposed. One of the first, based on an early fork of Bitcoin called NameCoin, was Dot-bit, which allowed users to link domains to .bit addresses.
A much more promising example is OneName, which has become the identity provider for the re-imagined internet called Blockstack. While it’s hardly a household name, Blockstack has a well-funded and active developer community working to create distributed applications (dApps) that build on self-sovereign identities and allow users to own and control their associated data.
How Self-Sovereign Identities Work in Practice
Once you have created a Digital ID (DID) and established ownership, then it’s easy to verify that you own the identity whenever the need arises. You can simply sign appropriate documents with your private key, and recipients can tell “it is you” by using your public key. So creating your own anonymous ID is trivial. However, it doesn’t get you very far in most situations. It isn’t securely tied to your name (so others won’t have much of a guide as to whether you are who you say you are), or your address (for shipping things), or any financial information (for paying for things). It’s when you want to add these other properties that the need for a third party to validate your “claims” becomes important.
If there are one or more trusted third parties who agree to validate some type of documentation (driver’s license and photo, credit card info with security code, or whatever) they can be used to enhance the functionality of the DID you’ve created. In many countries around the world, some form of this is already happening using either the government or other large institutions like banks to verify claims.
If those trusted third parties are to be held to the high standard of not harvesting the data, they’ll need to be compensated for this effort, or like the government, have it be a role assigned to them and funded some other way. A key word here, though, is trust. These entities need to be trusted both by the person with the identity and by the service provider looking to validate the entity. The claims can be stored on a person’s own device, or on the blockchain, or with a custodian, but the trusted third party still needs to play an active part in its validation. If not, we’re basically just back to the same-old Federated system we have today when using a Facebook or Google login at other sites.
Sovrin: Aiming to Solve the Trust Problem for Self-Sovereign Identities
There are a lot of approaches to solving the trust issue that lays at the heart of bootstrapping self-sovereign identities. Far too many to cover here. But along with Blockstack, one of the more promising is the Sovrin effort. Sovrin builds on the idea of personally owned keys that anchor Digital IDentifiers (DIDs) by providing a non-profit and hopefully above-reproach system of stewardship for managing them. The implementation uses a purpose-built blockchain so that once an ID is established and owned, that information is available to everyone in a securely distributed way.
The Sovrin project proposes a global, non-profit foundation to administer the blockchain. But that means that the foundation is a possible point of failure in the system and that major corporations and governments would need to trust it for the system to work. A reasonable number of major institutions have signed on to Sovrin, giving it a good start in developing its Web of Trust — the name for a set of inter-connected trust relationships designed to replace a central administrator like today’s Certificate Authorities.
Will Self-Sovereign Identities Help Cure What Ails the Internet?
Personally, I really hope they do, but I believe that only time will tell whether they can address what I see as the three major classes of challenges they have to overcome. I call these the Facebook, Google, and Politics problems:
The Facebook Problem: Being in charge of your own identity is great, but if you wind up sharing a large portion of yourself with a service provider, then de facto, they now have all the same information about you that they have now. For example, Facebook. Even if there was an anonymous ID service that let you log in to Facebook, if you spend enough time on its site or using its services, then they will have the same ability to manipulate you as they do now.
The Google Problem: While the notion of some disinterested third party being a high-minded provider of identity services, it is more likely that most users will default to a major brand they already patronize to provide this service. For example, the largest user of OpenID Connect is Google — it’s the technology you use every time you employ your Google login to access another site. That means Google not only knows how you use its services, but what other services and sites you use around the internet.
The Politics Problem: Projects like Sovrin envision a trusted foundation that would, in turn, authorized qualified parties to write information to its public-but-permission-based blockchain. This approach has sometimes worked, with ICANN, for example, providing internationally-recognized services for the internet community. But that was then, before everything got politicized. It’s not clear what would force governments and tech titans like Google, Facebook, and Amazon to recognize a system of self-sovereign identity management instead of using their own.
For now, these efforts and others are moving to solve these issues in a variety of ways, and many are in various limited forms of deployment that you can experiment with. You can get an ID that you own from Blockstack, for example. Ironically, the simplest way to start to validate your new Blockstack ID is to prove your identity by posting to your Facebook and Twitter accounts.
Top image credit: [Wikimedia, Blockstack]