Identity is the essence of who we are. It consists of immutable characteristics like ethnicity, race, sex, date of birth, etc., and mutable aspects like online personas, the businesses we interact with for banking, insurance, healthcare, cellular phone provider, streaming services, etc. All these components influence the daily exchanges with people, companies, and things that rely on our identity.
The connection and level of trust we have with various entities will affect the outcome of our interactions. Our relationship with a parent or guardian will be more personal than those we have with commercial entities, for example. As more and more services, utilities, and infrastructure move online, we face a growing problem: trust. Building assurance or good faith takes time.
Entities can be individuals, businesses, corporations, or things, whether natural or digital. It is a general term for something or someone with whom we have a connection.
There is an implicit expectation to trust these entities. This is a fallacy. Who are Google, Apple, Microsoft, or a utility or service provider? Is it one person? Who is at the other end? When I contact them, do I interact with the same person? The answer to these questions is no, or we don't know. Yet we hastily assume we can trust these entities and share personal information with them.
If we look past this problem, we run into another: what are we sharing? The personal information we share with family or friends would typically be more intimate than what we would like to share with our cell phone provider. Even in this scenario, there are different levels of family and friends, some closer than others, so the information we share will be selective.
When we interact with a new service or utility, we expect to provide personal information to them. This data we share gets stored in a database somewhere where people with whom we have no connection can access it. Is the information we have secure? Private? Do we have control of our identity and data in the way things function today? Not really.
Central and Federated models of identity
Let's review a quick example of how this works today: Many social media services require a photo ID and a dossier of info to sign up. Isn't their service intended for me to connect with people I already know? Why would they need to know so much personal information about me? Terms and conditions (TOCs) outline what data gets used for, but few people read them. In some cases, TOCs are specific about selling data, and others use the data in-house to target ads based on the data collected. Even if they tell us how our data gets used, shouldn't we have a say in it?
In addition to the information gathering, the social media service acts as a mediator. They are the gateway for me to converse with friends. They may be entirely reputable and trustworthy, but why do I need to speak through them to chat with my friend Alice? This concept is slightly more complex, and we won't dive too deep into it right now, but consider that similar services don't require personal information for the same functionality.
The current state is a centralized or federated model with centralized control. Before engaging a service, we have to go through an identity provider (IDP). This IDP can be the service itself or a third party. One way an IDP works today relates to something called single sign-on (SSO). It may sound unfamiliar, but most people have used this in some aspect of life. If you have ever seen a button on one service offering to sign you in with an account from another, this is what SSO or an IDP is: we use one account to sign in to another.
Where do we go from here?
Don't fret: there is a solution. Self-sovereign identity (SSI) is a model that can solve this growing problem through decentralization. Before we go further, let's explain what we are talking about:
- self: a person's essential being that distinguishes them from others
- sovereign: supreme or indisputable authority
- identity: fact of being who or what a person or thing is, characteristics determining who or what a person or thing is
- decentralization: transfer of control from a central authority to the edges, transfer to a distributed network from a single location
SSI is a set of concepts and principles that shift the control from central authorities to the edges (users), where everyone is considered a peer. Without diving into any of the other concepts, being a peer is a giant step forward because it removes the centralized authority.
So how would this be applicable in the real world? If we open our physical wallets, we will find many forms of identification: IDs, credit cards, auto insurance, healthcare, library cards, etc. Imagine all of these documents are digitized and stored in a digital wallet.
Now, let's remove our name from our new digital documents and replace it with a random string of characters called an identifier. This step will anonymize the credential by removing our name. The next logical step is hiding the information on our documents. This information is entirely private between us and the entity that issued it. It may seem this is a risk, but the issuer only knows our identifier, not our name. Even better is that we choose with whom we share information. This topic is exciting but requires a deeper dive into other concepts before we can fully flesh out what is happening.
It would be impossible to condense all the principles and concepts into a single easy-to-digest format. This blog series will take the principles and concepts and break them down into bite-size pieces that aren't overwhelming.
As we peel back the layers on the SSI onion, things get more exciting but can be pretty complex. Our goal is to explain these concepts in non-technical terms as much as possible and use real-world examples to help relate them to the world we know.
Adopting new technology can be scary, especially for something personal and intertwined in our lives, like identity. Our goal is to examine those concerns and hopefully alleviate them for you. Stay tuned for more content in our deep dive into SSI Fundamentals.