SSI Fundamentals V: Privacy by Design

Decentralized identifiers (DIDs) have their roots in Self-Sovereign Identity (SSI) principles, which introduce what should be a default setting by now: privacy by design.


By Pete Vielhaber

In the modern digital age, privacy has come to the forefront of our minds: data breaches, identity theft, and data mining are concerns for anyone accessing the internet. Decentralized Identifiers (DIDs) have their roots in Self-Sovereign Identity (SSI) principles, which introduce what should be a default setting by now: privacy by design.

DIDs

Earlier in this series, we discussed DIDs and mentioned their anonymity. We are going to expand on that idea here. Today, when we get issued a document, like a driver's license, it carries an identifier. Because that same identifier is presented everywhere the document is used for other purposes, like establishing utilities, bank accounts, doctors, stores, etc., information about each of those uses can be collected and linked together.

It is incredibly invasive, and it does happen. This violation of privacy can allow an actor to trace us digitally. The concept is not far-fetched; it is happening all around us. In Canada, in 2022, accounts were frozen or closed because individuals were at a protest. It happened again in China, with little to no explanation of the reason for the freeze.

Regardless of political stances and beliefs in any cause, we should all recognize that this is dangerous. Someone on the other side of an issue or political party can gain control and turn that same targeted oppression in our direction. How does decentralized identity fix this?

The concept is called a Decentralized Identity pair. When we connect our DID to a doctor, bank, utility, etc., the connection does not use our personal DID. Instead, a new DID pair is created for that connection. It is a pair because each party in the connection receives one of the two DIDs.

This makes our connections impossible to track. Because the DID pair represents only that one connection, nobody could trace the relationship back to my personal DID, or link it to any other connection I have. This feature completely turns the existing identity models on their heads: it provides true privacy out of the box.

Sharing info

When using credentials today, like a driver's license, the person who sees it gets to see all of our information: name, address, height, weight, etc. This is impractical and makes no sense when the party we share info with does not need to know it. A great example that demonstrates the potential consequences of disclosing personal information is a pub.

If we show our driver's license, with all the attributes mentioned above, at an establishment where we may lose our inhibitions, there are potential physical dangers in that interaction. Not all exchanges have such severe ramifications.

Using a credit card online is a risk because if the website is not secure, that information can be stolen and used by another party. It is a real risk and a considerable inconvenience to deal with. This scenario can apply to any credential in the digital or physical world.

Verifiable credentials can solve some of these problems. As we discussed in the verifiable credentials blog, ZKPs are used to prove that a claim is true without disclosing the data behind it. If you want to know more about this concept, go back to that post for a detailed description.

One thing we have not mentioned yet is digital signatures. If someone happened to get hold of a verifiable credential that belonged to me, they would be unable to use it without digitally signing it. The signature is produced with the private key behind the DID the credential was issued to, so only the person in control of that DID can sign it. Technically anyone could have a copy of my credential, but it would not matter unless they could digitally sign with my key, proving they control it.

Selective Disclosure

Another feature of verifiable credentials is limiting what information we share with another party. Sticking with our driver's license, if a bank wants to know our name and address, we can choose to communicate only that information to them and none of the other details. This feature allows users to share and prove information about themselves without disclosing information the other party does not need to know.
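The two mechanisms above, selective disclosure and the holder's signature, can be sketched together in a short constructed example (added here; it is not code from this post or from any DID project). It assumes a credential whose attributes are each hashed with a random salt, so the issuer signs only a commitment over the digests and the holder later reveals the value and salt for just the attributes the bank asked for; HMAC with a shared key stands in for the asymmetric signatures that real issuers and holders make with the private key behind their DID.

```python
import hashlib, hmac, json, secrets

# Constructed example: HMAC with a shared key stands in for the asymmetric signature
# a real issuer or holder would make with the private key behind their DID.
def _sign(key, msg):
    return hmac.new(key, msg.encode(), "sha256").hexdigest()

def _digest(name, value, salt):
    # Random per-attribute salt: undisclosed values cannot be guessed from their digests.
    return hashlib.sha256(f"{salt}|{name}|{json.dumps(value)}".encode()).hexdigest()

def _commit(digests):
    # Order-independent commitment to the whole attribute set.
    return hashlib.sha256(json.dumps(sorted(digests)).encode()).hexdigest()

def issue(attrs, issuer_key):
    """Issuer side: salt each attribute and sign only the commitment over all digests."""
    salts = {k: secrets.token_hex(16) for k in attrs}
    commitment = _commit(_digest(k, v, salts[k]) for k, v in attrs.items())
    return {"attrs": attrs, "salts": salts, "issuer_sig": _sign(issuer_key, commitment)}

def present(cred, disclose, holder_key, nonce):
    """Holder side: reveal values and salts only for `disclose`; bind to our key and the nonce."""
    digests = [_digest(k, v, cred["salts"][k]) for k, v in cred["attrs"].items()]
    return {
        "disclosed": {k: [cred["attrs"][k], cred["salts"][k]] for k in disclose},
        "digests": digests,                       # lets the verifier rebuild the commitment
        "issuer_sig": cred["issuer_sig"],
        "holder_sig": _sign(holder_key, _commit(digests) + nonce),
    }

def verify(pres, issuer_key, holder_key, nonce):
    """Verifier side: issuer signature, holder possession, and each disclosed value."""
    commitment = _commit(pres["digests"])
    if not hmac.compare_digest(pres["issuer_sig"], _sign(issuer_key, commitment)):
        return False                               # not issued by the expected issuer
    if not hmac.compare_digest(pres["holder_sig"], _sign(holder_key, commitment + nonce)):
        return False                               # copied credential or replayed presentation
    for name, (value, salt) in pres["disclosed"].items():
        if _digest(name, value, salt) not in pres["digests"]:
            return False                           # a disclosed value was altered
    return True

if __name__ == "__main__":
    issuer, holder, thief = (secrets.token_bytes(32) for _ in range(3))
    licence = issue({"name": "A. Holder", "address": "1 Main St", "height": 180, "weight": 75}, issuer)
    nonce = secrets.token_hex(8)                   # fresh challenge chosen by the bank
    to_bank = present(licence, ["name", "address"], holder, nonce)
    print(verify(to_bank, issuer, holder, nonce), "height" in to_bank["disclosed"])  # True False
    print(verify(to_bank, issuer, thief, nonce))   # False: same credential, wrong private key
```

The bank learns name and address and can still check the issuer's signature, while height and weight stay hidden behind their salted digests, and a copy of the credential presented without the holder's key fails verification.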

The balance of sharing information is a careful line to walk. We want to provide info, but only the minimum that is required. As has become clear over the past decade, data is the new gold. We should control what data we share and with whom. If we choose to allow our information to be shared, that should happen through an explicit opt-in. Outside of that exception, companies should not be sharing user data.

Wrap up

Privacy is a huge concern for many of us as more of our lives enter the digital world. The current state of identity does not allow users to control their identity and data. Decentralized identity solves this problem and can set the standard for the digital world moving forward. Next up, we will be discussing security in depth.
