November 21, 2018

A case for self-sovereign identity

In October of this year, we learned that Google+ was to be discontinued amidst a major security bug discovered by the company. These news reached us only a few weeks after Facebook reported a security breach affecting the access tokens of 50m users and a little over a year after we learned that social security and driver’s license numbers of 143m Americans were exposed in the 2017 Equifax breach.

Each of these events created massive outrage, shaming of the responsible companies and calls for ever tougher regulation and oversight. While this is an understandable reaction, it is likely not going create any significant improvement. The calls for increased security and oversight address the problem at the wrong level and hence will not produce any long-term satisfying solution. No matter how hefty the fines, how diligent the oversight and how magnificent the cryptography, services based on central data bases and hence single points of attack will sooner or later fall victim to some sort of breach. If breaking into a single vault provides access to millions of valuable data points, it is worth investing a lot of time, money and brain power and sooner or later it will be done. That’s how the incentives are currently set. But this is not the only thing we learn from the three breaches mentioned above. Each of the three breaches clearly demonstrates a different reason for why digital identities and data storage provided by 3rd parties are not a viable option as we move down the path of digitization – and here is why:

They are neither persistent nor easily portable. Google+’s case clearly shows it: There is nothing that keeps a service provider from disappearing from the face of the earth from one minute to the other. While Google+ users have been given a grace period to migrate their content, they will be unable to do the same with their followers or reputation. Fortunately, one might say, Google+ never took off hence the number of “Google + influencers” affected by this is probably limited. However, imagine this was your Facebook, Email or LinkedIn account being shut down. Not being able to migrate your connections, the history and reputation you have built up with these services will destroy a lot of value you have carefully created over the years.

Building services on top of them makes us even more vulnerable. Many people rejoiced when the “sign in with Google, Twitter or Facebook” option was first implemented on third party websites. Understandably so. The number of passwords and usernames we are forced to deal with is simply unsustainable. What is also referred to as “social sign on” is just new name for an old technology called “federated identity”, a system which allows different service providers to collaborate and rely on the same source of identification outside of their own realm. While this may enhance user experience, it also increases the reward for anyone breaking into the system. Instead of being rewarded only with your old Facebook photos, they now also have access to your Airbnb travel history and your Spotify account, for example.

They are universally identical. Today, we have one social security or driver’s license number, that is issued to us for a life time. Because they are so persistent, many services use them as a reliable source of identification. This however creates a different problem: once these universal identifiers get stolen, their persistence turns against us. People who had their social security number stolen are likely to spend a good part of the rest of their lives shutting down fake accounts, disputing bills and paying substantial amounts for credit monitoring. This problem is not to be taken lightly. 15.4 m people fell victim to identity fraud in 2016 in the US alone. [1]

How is self-sovereign identity different?

The basic tenet of SSI is that the identity subject is in full control over the use of his/her identity without having to rely on a third party as intermediary. In this context, “sovereignty defines a boundary, within which the sovereign has complete control and outside of which the sovereign relates to others within established rules and norms.” [2]

In practice, this mean that every identity subject independently creates and remains in sole control over his/her root identity. This seemingly simple shift from intermediaries which issue identifiers to the individual creating and managing the identifier independently has far reaching consequences.

Firstly, the identity subject becomes independent of the goodwill or even survival of identity providers. If a service like Google+ is discontinued, it does not affect the persistence of the individual’s identifier which remains in their control.

Secondly, by storing the root identities in a decentralized fashion – every subject stores their own key pair and no one else’s – incentives are changed. If breaking into a device delivers only one data point instead of millions, this business becomes significantly less lucrative for malicious actors. At the same time, it allows identity subjects to derive many different so call decentralized identifiers (DIDs) for all their trusted interactions from the one root identity they control. This means that instead of having one social security number which we use in many different places, we could issue a different DID for every interaction (e.g. with my bank, my insurance, my doctor, etc.). These DIDs are all tied to my root identity and therefore, I can unambiguously prove that they belong to me. However, if the architecture is designed correctly, it is impossible (or at least difficult) to correlate my DIDs across different services.

These are just some of the ways in which SSI could make our identity system more secure, transparent and reliable. If you would like to know more about SSI check out some of the resources below:

 

One of the fundamental pieces that coined the term “Self-Sovereign Identity”:

https://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html

10 principles of SSI:

https://github.com/ChristopherA/self-sovereign-identity/blob/master/self-sovereign-identity-principles.md

2 good, consecutive webinars that will teach you the basics of DIDs and verifiable claims. A little heavier on the tech:

https://ssimeetup.org/story-open-ssi-standards-drummond-reed-evernym-webinar-1/

https://ssimeetup.org/decentralized-identifiers-did-fundamental-block-self-sovereign-identity-drummond-reed-webinar-2/

The W3C Draft Community Group Report on DID:

https://w3c-ccg.github.io/did-spec/

 

 

By Dominique Kunz

 

 

Sources:

[1] Javlin,  https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new#, Accessed on Nov 20, 2018

[2] Sovrin, https://blog.sovrin.org/on-sovereignty-552bf75cf4ea, Accessed on Nov 20, 2018