Self-Sovereign Identity Systems: How Businesses Win From Letting Go of Customers’ Data
Jan Keil is VP of Marketing at Infopulse contributing to blockchain development projects
In the late 2010s, “the data rush” ushered businesses to collect as much user data as possible in the high hopes of making their products, marketing and sales processes more effective.
While some companies have seen major successes from their ramped up data collection and analytics, not everyone ended up being a winner
In 2016, McKinsey estimated that only 1%
of the data generated up to date was being analyzed. Perhaps, we can assume that with the latest advances in BI tools and big data analytics that number could have ticked to 5% or perhaps even 10%.
Still, 90% of data lakes remain untouched. What's even more important is that a lot of that data can never be put into action. In most industries, personally identifiable information (PII) is off-limits for analysis, though Cambridge Analytica definitely taught us of the opposite.
However, collecting, exchanging and securely storing this type of data has become a legal responsibility for businesses across industries. A very costly responsibility.
Since 2011, the cost of compliance increased by 45%
, reaching $5.47 billion in 2017. Technology, albeit helpful, has also played a major role in heightening the compliance costs, specifically those associated with IT infrastructure, cybersecurity and data privacy.
Last year, British companies spent over $1.1 billion cumulatively
on GDPR preparation, with their US counterparts allocating over $7.8 billion for the same matter. For 90% of the businesses, surveyed by Global Scale
, GDPR is the most challenging data regulation to meet. PCI DSS, US State Laws and HIPAA/HiTech are coming in at a close second.
All of these regulations have one thing in common: they urge businesses to respect users’ privacy, anonymity and consent to share or withhold certain information.
The best, though least straightforward, way to achieve this demand may be letting go of customers’ data and switching to a new paradigm of thinking – self-sovereign identities (SSI).
What is SSI
In the offline realm, we have plenty of ways to share different attributes about ourselves without an intermediary to back up the claims we are making.
Showing a photo ID is usually enough to prove that you are who you say you are. Thus, most societal interactions are scalable, flexible and private. However, what is self-identity in the digital space? At present, it’s a compilation of online personas that hundreds of organizations store. One’s digital identity does not exist independently from those systems.
Third parties are also required to orchestrate and authenticate a transaction. When signing up for a new credit card online, you may be asked to provide a picture of your ID document, your social security number and/or other sensitive data that is operationalized by a KYC provider before being transmitted to the bank. Once the process is done, it becomes the bank’s responsibility to digitally protect your identity data
, stored in their systems.
Self-sovereign identity (SSI) emerged as a new paradigm suggesting that identity owners (users) should be placed in the center of their personal data ecosystem. The sovereignty definition, in this case, is that users have sole ownership of their digital and analog identities and can moderate how their personal data is shared and used by third-parties.
What SSI system promises is to ‘place the ID back into your wallet' instead of the bank's on-premises systems. All the personal credentials will be stored on the blockchain and only certain attributes about the identity owner will be shared with a party requesting access to them. For instance, an HR manager will be able to request permission to access the applicant’s university data, provided by the educational institution, but at the same time, will not be able to inquire about your citizenship status without your explicit consent.
Existence – Users must have an independent existence. What self-sovereign identity does is making some aspects of the person’s identity public and accessible.
Control – Users must control their identities, i.e. act as the ultimate authority. They should be able to update, refer to it or even hide it according to their wishes.
Access – Users must have access to their data and have a mechanism to retrieve all the claims associated with their identity.
Transparency – Systems and algorithms must be transparent. Ideally free, open-sources and fully independent of any particular architecture, so that anyone could examine how they work.
Persistence – Identities must be long-lived. They should last for as long as the user wishes.
Portability – Information and services about identity must be transportable. No single third-party entity must hold that data.
Interoperability – Identities should be as widely usable as possible, and become globally recognized at some point.
Consent – Users must agree to the use of their identity. Any data shared is a subject of consent from the user.
Minimization – Disclosure of claims must be minimized. Only the necessary minimum amount of data should be provided to fulfil the claim.
Protection – The rights of users must be protected. The system should always lean towards protecting the users’ rights and remain censorship-resistant and force-resilient.
In short, the main idea behind the self-sovereign identity is to transfer the control over personal data back to the users, reducing the burden of data management and security risks for business as well.
What Data Management Challenges SSIs Can Address?
from Evernym has perfectly summarized the current set of problems with online identities and personal data management:
The proximity problem – users’ identity information is highly fragmented and stored in silos around the Internet and by different organizations. Current single sign-on (SSO) solutions or federated identities, enabling users to sign on to another service using an existing account on Google, Twitter and Facebook only partially address the issue of interoperability. However, they do not always make it easier to ensure that you are dealing with the right type of person.
The scale problem – the landscape is dominated by Centralized ID providers (i.e., Google, Facebook and Twitter dominate the social login landscape). Some businesses are wary about granting access to their customer information to a 3rd party provider, due to the enforcement of compliance standards, liability, monopolization and security risks.
The privacy problem
– personal identifiers are often collected without the user’s knowledge, and afterwards replicated across a variety of systems. The recent wave of data breaches
proves that centralized storage of sensitive customer data is not viable.
The consent problem – sensitive information, buried in the thousands of identity silos, is often distributed to other parties without the owner's explicit permission or knowledge.
As a result, some customers' have found themselves with the shorter end of the stick – improved convenience achieved by giving away control over their personal identifiers and other identity-related information. Businesses, in turn, are pressured to over-rely on selected few IDPs and SSO providers, who control large amounts of data. Organizations, who are required to store sensitive data locally, are as well pressured by the increased compliance demands.
Self-sovereign systems, based on blockchain, have recently emerged as a strong contender to solve the data management conundrum.
Introducing a universal, decentralized digital identity layer can help establish a new ecosystem of digital interactions with independent actors (self-sovereign individuals) granting access to their personal data, stored on an immutable decentralized ledger, to a 3rd party requesting trustworthy identification.
From a technological standpoint, such self-sovereign identity blockchain systems will operate on two distinct levels as Kai Wagner suggests
Credential-based roles: an individual or organization controls a certain credential and its uses.
Subject – an individual or entity that a given credential is about. In this context: we are the subjects of our passports, bank accounts, or social media profiles.
Holder – an individual or entity that stores and fully controls the use of a given credential. For instance, you can be a holder of your own digital passport, as well as your children's.
Issuer – an individual or entity who provided a credential in the first place. It could be the government or your university.
Verifier – the individual or entity who verifies or relies upon a presented credential.
Decentralized identifier roles: an individual or entity who owns and/or controls certain DIDs and their uses. This is a unique key, granted to any type of data online, that remains under full control of the Identity Owner, and is not dependent on a centralized authority or identity provider.
DID Subject – an individual or entity that can be identified by a given DID.
DID Owner (or Identity Owner) – the individual or entity who stores and controls the private keys associated with that DID. In other words, the one who's granting permission to access certain data.
Let's give this model more context with another example: you need to digitally prove to someone that you live where you say you live. However, you need another entity to attest your claim, for instance, a utility provider or a governmental authority. They can provide you with some form of credential (a fresh utility bill). Once you receive that bill, you become the Holder of that Credential. You can present a self-attested claim (your statement about where you live), paired with a Verifiable Credential issued and cryptographically signed by the utility services provider, meaning that it's an authentic document. Now, your opponent (the Verifier) can ensure the legitimacy of your claim. Or they may request another verification document from an Issuer (a governmental body) to cross-check the information. In any case, you as the Holder will always remain present in the interaction, and grant control to the requested information, using cryptographic signatures.
The particular draw here is that none of the participants needs to create a new digital identity for the user or store sensitive data locally. Every piece of data and transaction information is kept in a decentralized network, simplifying data management and compliance.
As a result, businesses can gain several major advantages by adopting self-sovereign identity systems:
Speed: SSI-powered apps are ready for immediate use. No data syncs are required or extended onboarding. Users can start using the system once they receive their credentials.
Interoperability: SSI credentials, stored on blockchain, are cross-app, cross-border, cross-silo and can be leveraged for different use cases.
Security: Blockchain is nearly impossible to tamper, meaning that only the true owner can have access to their credentials.
Privacy: SSI can be a major step towards "privacy by design", as personal identifiers never change hands. Identity owners store their information in secure wallets (not on the ledger) and can grant access to their data to 3rd parties when requested. This can majorly reduce the data storage and compliance costs for businesses, especially in regards to GDPR.
Industries That Will Benefit The Most From SSI
Industries with the tightest KYC procedures (banking, insurance, healthcare) will be among the prime benefitters. Though, self-sovereign identity introduction can turn the tables for virtually any business dealing with customer data in one way or another:
Public services and government management: Alastria
– a Spanish non-profit blockchain consortium is developing a national blockchain ecosystem for the country that would help with the identification of natural and legal persons in the country. The State of Illinois has signed up a partnership agreement with Evernym
to create a pilot of blockchain-based birth registry. And last year, the government of British Columbia and Ontario in Canada issued over 6 million self-sovereign credentials
representing business registrations and licenses for businesses as part of their blockchain pilots.
Civic startup is working on a reusable KYC solution and blockchain wallet
for storing personal identity information, fiat money, and crypto-assets that could be securely used cross-merchant. The company also offers age-verification technology for vending machines
. EVRY and Infopulse together developed an SSI solution that can be leveraged by e-commerce companies instead of standard authentication apps and payment gateways. This 1-click-pay mobile payment solution, for instance, requires just 8 taps to complete a transaction versus 160+ taps that an average user now needs to make. A good example when the convenience does not come at a cost of personal data exposure.
startup is building an SSI identification management system on Sovrin, aimed at securing access to patient records. Instead of creating new online identities for patients, healthcare institutions can request access to patient status and medical data, securely hashed into a 12-digit code and recorded on the blockchain.
Introduction of SSI can majorly streamline the KYC process for banks, reduce fraud levels and minimize the compliance costs. This year, five Canadian banks
released a new blockchain-based user identification, allowing customers to prove who they are using the information they've already given to their financial institution. To improve customer service and risk management, EVRY in cooperation with Infopulse developed blockchain-based KYC banking system
that makes a complete audit trail helping banks with regulatory compliance and reduction of data validation costs across the whole financial network.
To conclude, self-sovereign systems enable businesses to securely validate who they are dealing with and eliminate the need for any 3rd-party KYC providers. Instead, a decentralized, neutral blockchain ledger can perform the role of the verifier. Personally identifiable information will remain in the hands of users, reducing the compliance, cybersecurity and data management costs. As a result, we could enter the new age of scalable, flexible and private interactions online, performed with the user's consent.
Subscribe to get your daily round-up of top tech stories!