In a nutshell, Self-Sovereign Identity (SSI) is a new technology which gives you, an individual, direct control over your data online. SSI allows you to build a trusted digital identity which you can use and reuse to prove who you are in digital and physical interactions with companies, the government and other people.
Self-Sovereign Identity (SSI) is a new layer to the internet which will allow individuals to hold their digital data on their phone, just like holding identity cards in a physical wallet. This technology will allow people to prove who they are online, in a trusted way, when they choose to do so. If a third-party asks for proof of your name or that you are over 18, you can use a verified ‘credential’ to unequivocally prove these attributes.
The key difference between SSI and the current model of the internet is the way data is controlled. In SSI, data is controlled by you. You can choose to share it with companies, and you can revoke companies’ access to your data at your fingertips. SSI is a transparent and secure way of interacting online, in accordance with the GDPR, and is a necessary step for the development of the internet.
SSI works by attaching a layer of trust to data. Companies can ‘issue’ data directly to an individual which has been cryptographically signed, instead of only holding it on their servers. This signature is like a royal seal or stamp which proves that it is authentic. The individual then holds this signed packet of data (credential) on their phone and can reuse this signed data if a third-party chooses to trust the cryptographic signature. All of the cryptographic signatures exist on a directory powered by distributed ledger technology (DLT) which enables third-parties to search for them.
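The issue, hold and verify flow described above, as an added example that is not part of the original article or IDWorks' own code. The credential layout, the Ed25519 signature scheme and the names `example-bank` and `over18` are assumptions, and an in-memory map holding each issuer's public key stands in for the DLT-backed directory.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a simplified signed data packet (assumed layout, not a standard).
type Credential struct {
	Issuer    string            `json:"issuer"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"-"` // never part of the signed bytes
}

// Registry stands in for the public directory: issuer name -> public key.
type Registry map[string]ed25519.PublicKey

// NewIssuer makes a key pair, publishes the public half, returns the private half.
func NewIssuer(name string, reg Registry) ed25519.PrivateKey {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	reg[name] = pub
	return priv
}

// payload is what gets signed; encoding/json sorts map keys, so it is stable.
func payload(issuer string, claims map[string]string) []byte {
	b, _ := json.Marshal(Credential{Issuer: issuer, Claims: claims})
	return b
}

// Issue signs the issuer name and claims with the issuer's private key.
func Issue(name string, claims map[string]string, key ed25519.PrivateKey) Credential {
	return Credential{Issuer: name, Claims: claims, Signature: ed25519.Sign(key, payload(name, claims))}
}

// Verify accepts only a listed issuer whose signature matches the presented data.
func Verify(c Credential, reg Registry) bool {
	pub, listed := reg[c.Issuer]
	return listed && ed25519.Verify(pub, payload(c.Issuer, c.Claims), c.Signature)
}

func main() {
	reg := Registry{}
	key := NewIssuer("example-bank", reg) // constructed sample issuer
	cred := Issue("example-bank", map[string]string{"over18": "true"}, key)
	fmt.Println("as issued:", Verify(cred, reg)) // true
	cred.Claims["over18"] = "false"              // data altered after issuance
	fmt.Println("altered:", Verify(cred, reg))   // false
}
```

The verifier never contacts the issuer: it needs only the presented credential and the directory entry, and any change to the claims or the issuer name makes the check fail.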
With SSI, individuals can build up multiple attestations for identity attributes such as their name, their nationality etc. and build a very strong level of assurance in the claim that ‘I am X’. Once there is a certain level of trust in a digital identity, people will not have a different username and password for each account – they will have reusable credentials which sit, like cookies, on their devices. These cannot be hacked, phished or scammed away.
The diagram above shows the flow of 'credentials' from your device to different organisations
It is easy to view the current model of the internet with rose-coloured lenses. This is because the internet provides the world with significant value in terms of accessibility of information, ease of communication and entertainment. However, the internet is far from perfect – it is increasingly controlled by large companies which process personal data as a form of currency.
“Whilst at surface level, the internet is free to use, in reality, people are paying with their privacy.” (Alex Tweeddale, IDWorks)
Many people do not have a problem with their data being used as payment for services. This is because, to date, no real harm has been able to arise from this data model. Yet, there are three problems which have gradually arisen on the internet which many people may overlook.
One of the main problems with interacting on the internet is that it was initially designed to connect machines together, and the identity behind these machines was an afterthought. Nowadays, people generally set up social media and account profiles in their own name and with their personal information, but there is no trust or verification that this information is true. This certainly has its advantages in terms of privacy and allows people to express themselves without fear of being judged in the real world. However, when people want to undertake secure interactions, such as online banking or perhaps meeting someone in person who they met on the internet – it is important to have a degree of trust in who you are interacting with. This trust is not currently present, and the lack thereof has been exploited by cybercriminals and organisations seeking to aggregate and collect data.
Currently, your digital identity and personal data are scattered across multiple companies’ centralised databases. For example, you are probably reading this article on LinkedIn, Medium, Twitter or perhaps Facebook. Your account details for that platform, alongside your profile information, likes, comments, photos, activity, location information etc. are siloed on a central server, probably in a warehouse, and backed up in another. This means that if Facebook or LinkedIn, for example, were to switch off due to unforeseen circumstances, you would lose a large portion of your current digital identity and personal data.
Nearly every company across the internet bases its business model around processing, aggregating and selling your data. This is how most websites run for free. There are two problems with this:
Firstly, developments in AI and big data algorithms mean that companies know a strikingly large amount about you, and can concisely profile that information, painting a progressively clearer picture of exactly who you are. The issue with this is that these companies can then manipulate your online experience with psychological targeting, ‘priming’ and ‘nudging’ – exploiting the fragilities in the human sub-conscious for commercial gain.
Secondly, given that individuals have no direct control over their data, when it is leaked, lost or stolen there is little a person can do to recover it. Over the last 10 years, cybercrimes which rely on social engineering, such as phishing and fraud, have drastically increased and very few cybercriminals get caught. The UK Office for National Statistics shows that, in 2019, online fraud was almost 3 times as prevalent as domestic burglary or robbery. The actual amount stolen online is unclear, but reports range between £1 billion (UK Finance) and £5 billion in the UK (Norton Security, 2017).
We are in danger of entering a data dystopia where our experience online is so heavily affected by targeted advertising, ‘nudging’ and ‘priming’ that we lose our sense of autonomy. At the same time, we are losing our security and privacy because the data is becoming more difficult to manage and easier to fraudulently obtain. With the rise of the Internet of Things, surveillance and data capture alongside cybercrime, the need for privacy and greater control online is quickly becoming more important.
With the way the world works becoming increasingly complex, it is imperative to ensure that we protect the integrity of our interactions in a user-friendly way. It is time that data was decentralised and no longer stored on companies’ servers, sitting as honeypots for cybercriminals. People should have control over their data and be able to see where and how it is being used and processed. It is time to take our privacy, security and control back online - this is something that IDWorks believe Self-Sovereign Identity can facilitate.