SSI is one of the hot topics in the field of blockchain and new technologies.
There's no doubt that SSI carries exceptional value to internet users, but is there economic potential behind the framework?
What are the business opportunities for companies interested in the SSI paradigm?
What are the implementation challenges?
Over the past years the discussion of how we can protect our identity in the online world has been getting more heated. The various data breaches that mark the last decade have revealed a massive imbalance in the approach to personal data — internet users produce data, leaving a significant digital footprint behind, while businesses monetise this data and use it to grow revenues. What is more, data breach scandals revealed that personal data collection has become the backbone of modern-day surveillance of citizens, showing that much more is at stake here — not just online privacy but perhaps even our fundamental human rights.
Data leaks, although shocking in their scale and impact, could however be a blessing in disguise. They make people more aware of their personal data trail. They also trigger regulatory changes that make the handling of such data stricter, such as the European GDPR. Finally, they trigger a discussion on how technology, the double-edged sword, could be used to protect our identities in the digital world.
Core to this discussion is the Self Sovereign Identity paradigm — the idea that each individual should be in charge of their own digital personal information, and that it is the data owner who should decide how this data is used and by whom.
While the benefits of SSI to end users are clear, the business value is less straightforward. In an economy where value is determined by easy access to data, what is the economic incentive for companies to join the SSI ecosystem? Is there an opportunity for new business models and revenue growth under the SSI framework? Finally, which factors will determine whether SSI sees wider adoption and real-life applications?
I like to think of Self Sovereign Identity as a digital wallet that stores various types of information about a person, and that can reveal important information about them. Just as in the physical world we own a wallet where we keep our IDs, or a folder where we store our certificates, diplomas, bills, receipt data etc., SSI is a type of digital storage only we have access to.
SSI provides an alternative to the current models of identity management:
- the siloed model, where users have to undergo a new (burdensome) registration for each service they want to use
- and the federated one, where users and companies “outsource” their identity management to third parties to facilitate access to services (e.g. login with Facebook, Google, etc.).
By using each of these models the user “agrees” for the service provider to store and manage their personal data.
Now, information about us can be grouped into two general categories: personally identifiable information (PII) that refers to any non-anonymous information that can reveal our identities, and non-personally identifiable information (non-PII) that is in theory anonymous and cannot be used to trace one’s identity (although it is up for discussion how much of a challenge it really is with the right algorithms and data models). It is precisely the former type of data that is intended to be protected by SSI.
In the SSI framework, the different pieces of information about a person are called “verifiable credentials” — they can be deployed with the user’s consent to identify them without using any of the identity verification providers or without having to register for a new service altogether. What is more, users can consensually deploy only the information that is relevant in a given context, so that other pieces of their personal data remain confidential.
For example, if you want to purchase alcohol, what is relevant is whether you are over 18 (at least in Europe), and not really the date you were born. To make the process even more secure, the authenticity and validity of your identifiable information is cryptographically verified on the blockchain. As a technology that relies on decentralisation, distribution of data and immutability of records, blockchain is ideally suited to work as a verification system. The Sovrin Network, powered by Hyperledger Indy, is one of the existing blockchain infrastructures specifically dedicated to SSI and identity management.
What would a typical application of an SSI framework look like? Let’s say I want to open a bank account. In order to do this, I need to provide the bank with personally identifiable information that proves my identity. Today this could be a national ID or a passport. In the world of SSI, I would provide the bank with a Decentralised Identifier (DID), a verifiable credential that could have been issued e.g. by another bank or a government institution, in line with local regulations. If the DID was issued by bank A, this bank would be the issuer of a verifiable credential, I would be the credential holder, while bank B would be the verifier. Importantly, what is stored on the blockchain is not the identity credential itself, but the information on whether the credential is still valid. The credentials on the other hand are kept offline and can be accessed and deployed only by the DID holder for quick, easy and cheap identity verification.
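The flow described in the two paragraphs above (proving "over 18" without showing the birth date, and a ledger that records only whether a credential is still valid), as an added example that is not from the original article or from Sovrin/Hyperledger Indy. Salted hash commitments and a one-time Lamport hash signature stand in for Indy's own credential cryptography so that only the standard library is needed; the function names, the id `cred-001` and the sample claims are constructed for illustration.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time hash signature (one key signs one credential): an assumed
# stand-in for the issuer's real public-key signature scheme.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def check_sig(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def commit(name, value, salt):
    return H(json.dumps([salt, name, value]).encode()).hex()

def issue(sk, cred_id, claims):
    """Issuer: sign salted digests of the claims, never the clear values."""
    salts = {k: secrets.token_hex(16) for k in claims}
    body = {"id": cred_id, "digests": sorted(commit(k, v, salts[k]) for k, v in claims.items())}
    sig = sign(sk, json.dumps(body, sort_keys=True).encode())
    return {"body": body, "sig": sig, "claims": claims, "salts": salts}

def present(cred, reveal):
    """Holder: hand over the signed digests plus only the chosen claims and salts."""
    return {"body": cred["body"], "sig": cred["sig"],
            "disclosed": {k: [cred["claims"][k], cred["salts"][k]] for k in reveal}}

def verify(issuer_pk, revoked_ids, pres):
    """Verifier: issuer signature, ledger status, then each disclosed claim."""
    body, shown = pres["body"], pres["disclosed"]
    msg = json.dumps(body, sort_keys=True).encode()
    if not check_sig(issuer_pk, msg, pres["sig"]) or body["id"] in revoked_ids:
        return None  # bad signature, or the ledger marks the credential revoked
    if any(commit(k, v, s) not in body["digests"] for k, (v, s) in shown.items()):
        return None  # a disclosed value does not match what the issuer signed
    return {k: v for k, (v, _) in shown.items()}

# Constructed sample data: one issuer key, one credential, one presentation.
ISSUER_SK, ISSUER_PK = keygen()
CRED = issue(ISSUER_SK, "cred-001", {"birth_date": "1990-04-12", "over_18": True})
PRES = present(CRED, ["over_18"])
```

The verifier needs only the issuer's public key and the set of revoked credential ids; the birth date never leaves the holder's wallet, and its salt keeps the undisclosed digest from being guessed by hashing candidate dates.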
The potential applications of SSI are multiple, spanning all sectors and industries from the public sector through to banking, retail and healthcare.
An SSI wallet could be used to prove one’s qualifications and identity when applying for a job, opening a bank account, issuing a driving license, securing a mortgage or making a purchase in an online store. SSI also means no more registration across different platforms using various usernames and passwords, and hence no need to maintain multiple personal accounts. This translates to reduced administrative burden and improved customer experience.
To businesses, immediate value comes from removing costly and challenging GDPR compliance. Forbes reports that in 2018 in the UK alone $1.1 billion was spent by companies on GDPR preparation, while US companies allocated over $7.8 billion to protecting customers’ personal information.
Further SSI-infused cost cutting lies in a reduced need for cybersecurity. According to IBM’s report, in the first half of 2018, over 4.5 billion records were exposed as a result of data breaches containing sensitive personal data. According to estimates, in 2020 the cost of data breaches will rise to over $2.1 trillion globally per annum. Since with the SSI framework personal data remains in the hands of the user, the costs related to compliance, data management and data security can be dramatically reduced. SSI will allow businesses to securely validate their customers and eliminate the need for 3rd-party KYC providers. Instead, a decentralised, neutral blockchain ledger can perform the role of a verifier.
While cost cutting and increased customer experience are the quickest wins for companies investing in SSI, the real win will be when SSI brings in revenue, e.g. by enabling companies to generate new business models and/or onboard (new) customers faster. However, the existing implementations of the SSI framework make it difficult to predict its revenue-generating potential.
There is definitely a business opportunity related to providing SSI products and services — platforms, identity wallets, verification services, such as SeLF and MySudo, both powered by the Sovrin Network. Public sector organisations are also leaning towards the innovation. For example, the Government of British Columbia is trialing SSI to launch an OrgBook VC — a searchable directory of public, verifiable data about businesses in British Columbia such as permits and licenses that have been issued by government authorities and are linked to legal entities.
In the private sector, banks seem to be the frontrunners of the SSI opportunity. The Dutch Rabobank is testing the application of SSI in several areas — to replace the costly KYC customer due diligence process or to optimise the mortgage flow by enabling direct verification of the mortgage data and the source. The bank is also testing the solutions internally, with the goal of allowing Rabobank’s employees to be in charge of their identifiable data such as certificates, diplomas or assessments they achieved, thus drastically reducing employee onboarding times.
The promising potential of SSI unfolds together with the challenges related to its business implementations. The bootstrapping of the SSI infrastructure requires not just a strong market frontrunner but also tight collaboration between business partners and competitors, typical of the coopetition model. As with other blockchain solutions, the technology works best in a context where many different subjects work together in a decentralised and distributed network, which makes at-scale implementation a business challenge rather than a technology one. The hard part is setting up the governance and collaboration model that will ensure that the federation is reliable, secure, and affords appropriate data protection.
Similarly, the SSI paradigm will have the greatest impact in a large network of SSI issuers, holders and verifiers. But what is the optimal bootstrapping strategy that will help achieve scale? Who will pay for the verification of credentials? For example, if Rabobank pays for the verification of their customers, will they be happy to share the data with competitors to build a trusted relationship and leverage the SSI network?
In addition, a proper set-up of the SSI infrastructure should by definition require no upfront equity, to prevent single-entity dominance. We could therefore be facing a chicken-and-egg problem.
In the first instance, the SSI framework aims to protect the aforementioned personally-identifiable information — the type of information that is not anonymous and could be used to uncover a person’s identity. However, there is also an enormous data footprint we produce in the digital space that falls into the other category — the non-personally identifiable data. This data holds information about the websites we visit, the places we’ve been to, our shopping habits, hobbies, music and movie choices, social network characteristics and so on. Although technically this data is anonymous, it provides a wealth and breadth of information about who we are, and with the right algorithms it makes it fairly easy to reveal our identity. In this light, the boundary between what constitutes personal data and what doesn’t gets a little fuzzy.
What is also fairly obvious is the commercial value of the digital footprint we leave behind. Over the past few decades this data has been extracted and accumulated in the centralised platforms and clouds of a few companies. These companies treat what we consider to be our personal information as an economic asset that serves as a major source of income. Over the years internet users have been left out of this equation and made powerless, despite being indispensable in this process.
In theory, the SSI framework could be instrumental in fixing this problem and provide a more consensual infrastructure of data sharing. While it’s common sense that businesses should tap into user data in order to innovate and generate economic value, they should at least do so with the user’s consent, and ideally in a way where the user is also presented with opportunities to capitalise on the value of their personal data. Practically though, setting up the model of consensual data sharing is extremely challenging. Not only do companies have little if any incentive to promote a model that essentially translates into restricted access to commercially valuable data, but most internet users continue to give away their data for “free”, in return for access to applications or social networks.
While there is no shortcut or magic solution to this problem, a multidirectional approach has the highest chance of creating a ripple effect that could trigger a change in both people’s mindset and economic models. First, it is essential to firmly set up the SSI model for personally identifiable information to show that an alternative paradigm is feasible. Second, regulatory restrictions such as GDPR, which stretch beyond personally identifiable information, need continuous enforcement. Finally, the potential of new technologies such as blockchain, AI and IoT should be harnessed to create alternative and more evenly distributed value models and marketplaces that fundamentally rely on privacy protection and sovereignty of the user, but that do not lock out the economic potential.
There is growing momentum around SSI with real value to be captured both by individuals, whose personal data is at stake, and by businesses. For businesses, SSI provides most of all an opportunity to significantly reduce KYC costs, remove the need for and costs of GDPR compliance, and improve customer experience. As with other blockchain solutions, there are roadblocks to successful at-scale adoption of SSI, such as the unclear bootstrapping framework and the governance of the SSI-powered infrastructure. Finally, there is the ultimate challenge of protecting our digital footprint as a whole. It remains to be seen whether SSI will stand up to the current economic model that relies on easy access to users’ personal data, and whether the alternative, tech-driven, open economic data ecosystem gains traction.
At this moment I don’t have good answers to these questions. Perhaps few have. What I’m hoping for is to trigger a discussion that will start shifting the centre of attention away from what SSI is and why we need it, and towards addressing the issues of how we can successfully implement the SSI model to generate social and economic impact at scale. If the early Internet was a place where “nobody knows you’re a dog,” today it’s a place where knowing that you’re a dog is the least of it... It’s high time we change that.