Self-Managed Digital Identity, what is it and why do we need it
The term self-managed digital identity ("Self-Sovereign Identity or SSI") refers to a type of digital identity where the user is the owner of their personal data and has full control over it at the same time. This is the first thing that appears on Google if we enter the search term directly translated from English "Sovereign Digital Identity".
For those knowledgeable in the field, this description will seem obvious. They will immediately understand the need for self-managed identity. However, for ordinary citizens, it may even be surprising: Ah! Don't I have control over my identity? What do you mean my data is not mine? How can that be?
Let's take a brief moment to reflect on the concept of identity. Every individual has their own identity that defines and describes them exclusively throughout their life. To better understand it, let's talk about an imaginary friend: Pepe.
The identity of our imaginary friend, Pepe
In 1980, our friend Pepe was 7 years old, a blond child with green eyes and a thin complexion. He lived in a town near Madrid, in Getafe, and went to Los Escolapios school. He loved playing football and collecting cards of his favourite teams. He was in love with Samantha, his classmate, never told her, but everyone knew it.
Twenty-odd years later, at 30, the same Pepe was a man with light brown hair, although he was starting to see some baldness, grayish eyes and athletic complexion. He lived in Bilbao with his girlfriend Lina. He worked as a software developer and no longer played football. He jogged and did fitness. Additionally, he had stopped following the Atleti games. He was interested in computer science and gastronomy.
This example shows that identity is forged over time, developing with the individual. And that identity must be considered as a global and abstract idea linked to the individual and their life. It is built through a set of components that define, identify, describe, and locate the individual. All those components that make up the identity are created in the physical world, in the digital world or both at the same time. Continuing with the example of our friend...
Identity is forged over time, developing with the individual
Pepe is Pepe, at 7 years old, at 30 and today. His identity, his 'I', is unique, although he changes. However, Pepe has "manifested" his identity differently depending on the context. And here we come to the concept of Person.
Single Identity and Different People
When Pepe went to enroll in the gym next to his house back in 2000, he expressed his identity by providing different information than what he recently transferred to subscribe to the Byte TI magazine newsletter.
In the first case, he was asked to fill out a form with his ID, name and surname, date of birth, sex, address, and the account number where to charge the gym membership fee. Additionally, one of the monitors, after verifying the data on his physical ID, weighed and measured him and noted the results on that same form. For the Byte TI newsletter subscription, Pepe provided in a digital form his email address, his name, the name of the company he worked for, the position he held, and his country of residence.
And what we have told about Pepe is and has been our daily routine. We have a single Identity, but depending on the situation, we describe and identify ourselves as different People. And we need to identify ourselves constantly. Enrolling in the gym, to receive information, to go to the doctor, to change the data on the registry...
Later we will see that the concept of person is crucial for digital identity management systems because it is closely related to the way the individual authenticates themselves. And this leads us to two other key components of identity: Attribute and Identifier.
Identity Attributes and Identifiers
We continue with our imaginary friend Pepe. When completing the gym form, he provided data referring to attributes and identifiers of his identity. An attribute, for example, would be his weight, 90 Kg. But surely there are many people who share that feature. An identifier is his ID.
Attributes are properties or features of the person, they can vary over time and not be exclusive to a single individual. On the other hand, the Identifier is unique. If Pepe's gym wanted to study its clientele, it would qualify and classify its members by attributes. This would allow him to know, for example, if there are more men than women, the average age, the concentration of clients by neighborhoods, etc. The weight, although it is a feature of Pepe, does not serve to identify him. When he goes to his sports center, he presents the member card that he was given when he filled out the form. The number of that member card is his identifier to access the gym.
With these simple everyday processes, we realize that identity is not something that the individual builds alone. People, as social beings, build their identity by interacting with others. That is why it is true that, while identity is ours, the elements that make it up are not just ours.
If Pepe did not continue going to the gym, he might lose his athletic complexion. But that passion for fitness developed when he met his friend Jorge in college. And who knows... if Samantha had known of his childhood feelings, one of his 'attributes' might be 'married' instead of 'single'. Identity is forged through relationships established by people with other people, with companies or organizations, and even with things.
Regarding identifiers, the ID is exclusively Pepe's and its number will only accompany him and throughout his life. It was a third party (in Spain, the Ministry of the Interior) who assumed the responsibility of providing Pepe with a unique identifier, which serves as his identity card.
What happens to our data?
Many attributes (data about his identity) that Pepe (and his different people) has been sharing digitally in his life have been shared. Let's use just three examples. He not only subscribed to the Byte It magazine, where he provided an email address and information about where he works and what position he holds. He also created an account on Facebook, where he has been posting photos of his vacations, talking about his interests, and sometimes commenting on politics (showing attributes of his person). And in 2020, his gym was acquired by a franchise and is now a fitness center. His data is now being kept by another company he doesn't know.
Everything has been digitized at Pepe's fitness center. To access it, he has a token. Every time he enters a class, he is recorded through the token. Every time he trains with machines or when the monitor sets him a routine, everything is recorded. It is known how many times he goes to the center, what time he participates in group classes, if he prefers Zumba or body combat, how many miles he runs on the treadmill in a week... We could continue with examples of how Pepe, through his daily interactions, is sharing data about his identity (informing about attributes of his person).
And where do all those data go? It's true that they are no longer in his wallet. It's true that they have practically ceased to be his. How is it that in the digital world there is so much 'people' who know about his interests? Who has his data? With whom are they shared without him knowing? The conclusions about Pepe's gym member profile are far from everything the new fitness center franchise is capable of knowing, by adding information from all their databases.
Pepe, like many other individuals, doubts the security, destination, and privacy of his identity. And citizens like Pepe are starting to talk about the concerns that arise with digital identity. At the same time, foundations, non-governmental and governmental organizations, groups of technologists and scientists are starting to determine these problems with accuracy and to propose solutions for the control and management of digital identity.
In 2021 the European Commission announced its new proposal for a secure and trusted digital identity
In fact, Pepe, as a European citizen, will soon be able to legally have a digital identity wallet to manage his data and activities. In June 2021, the European Commission announced its new proposal for a secure and trusted digital identity. This was stated by Ursula von der Leyen, President of the EC:
"Every time an application or website asks us to create a new digital identity or easily connect through a big platform, in reality, we have no idea what happens to our data. This is why the Commission will propose a secure European electronic identity. An identity we trust and that any citizen can use anywhere in Europe for any operation, from paying their taxes to renting a bicycle. A technology with which we ourselves can control what data is used and how."
Why does the issue of digital identity arise? According to experts:
Sovring identified 5 issues that create the problem of identity on the Internet, which are explained on its blog by the President of the Sovrin Foundation, Ph.D. Phillip J. Windley.
- Proximity: there is no physical interaction, but at a distance.
- The possibility of fraud arises. The traditional way of knowing who we are dealing with does not work in the digital world. Authentication schemes based on username and password are insufficient to create the foundation for a trusted interaction.
- Scale: refers to the fact that digital identity depends on large information and identity centers. For example, we use Facebook or Google as identity providers. These "identity providers" are few and large.
- Flexibility: many of the current digital identity solutions are limited to fixed schemes or sets of attributes. Today's digital identity systems are rigid.
- Privacy: current digital identity solutions are based on a collection of data, which is often collected without the user's knowledge. Data is replicated over and over again in different systems. Third parties use universal identifiers such as the social security number or phone number to correlate identity information without the subject's knowledge. Shared browser cookie identifiers allow personal information to accumulate and be correlated behind our backs. Personal information is not secure with centralized data storage systems.
- Consent: the data contained in thousands of identity databases is often shared with others without consent. Sometimes this is done to provide a service to the subject. But it also happens, and a lot, that the focus is to serve the organization that controls the data silo. Identification systems are based on universal identifiers such as email address, telephone numbers, or even the SS. This makes it easier for third parties to correlate behaviours and keep records of people without their permission.
In Windley's words, in the physical world most identity transactions are self-sovereign. They are "scalable, flexible, private and happen with the consent of the identity owner. The Internet introduced the proximity problem". It is the limitations of the available solutions that have led us to the situation we are in now.
How do we solve this problem? The transition from centralized to decentralized models.
Christopher Allen speaks about how we got to the current situation in the path to Self-Sovereign Identity. Allen explains how the idea of digital identity has evolved over the last few decades: centralized identities, "federated" identities, and user-centered identities. The approach we are in today is that of self-sovereign digital identity, which gives the individual control and allows them to interact online and offline without the problems described.
Understanding this evolution of digital identity, we can also use an article by Alex Preukschat entitled "Self-Sovereign Identity — a guide to privacy for your digital identity with Blockchain." In it, he explains that there are two groups of centralized identity models: the Scandinavian and the continental. In the former, private companies (financial and telecommunications) provide centralized digital identity services to interact with the government. In the continental model, governments provide digital identity services to companies allowing interaction with their citizens.
In any case, one of the basic requirements of functional identity in centralized system models is discovery: if you give me an identifier, I need to search for it. In the past, this has always led to centralized directories and, as a result, centralized identification systems.
However, the concept of Self-Sovereign or Self-Managed Identity offers a different approach to the centralized model because it focuses not on "who we are" but on "what we do".
What do we mean by self-sovereign digital identity?
Although not all experts agree on a definition, they do emphasize the need for the individual to regain control and management of their digital identity, to freely decide with whom they share what, and to be in practice the owner of their identifiers and identity attributes.
Self-sovereign digital identity proposes that people can manage and present their digital credentials using digital wallets
We can summarize that self-sovereign digital identity proposes that people can manage and present their digital credentials using digital wallets and that they can share and exchange them with security and privacy guarantees. In the article "What is a self-sovereign digital identity wallet" we explain the important role that wallets play in making self-sovereign digital identity a reality.
In conclusion, self-sovereign digital identity means that individuals decide how to manage and deliver their digital assets and credentials using personal and portable digital wallets.
The concept of self-sovereign digital identity includes another important issue: it eliminates the need for the third entity to which a digital credential is presented to directly go to the issuer to verify its accuracy or validity, as it can do so against a decentralized registry such as blockchain networks.
What role does blockchain technology play in granting individuals control over their digital identity?
Self-sovereign digital identity systems utilize blockchains - decentralized records - so that decentralized identifiers can be searched without relying on a central directory. The technology itself does not solve the digital identity problem, but it provides the missing link to be able to use cryptography. This way, people can authenticate using reliable and decentralized credentials, just as they do offline.
Using the example of Pepe, to register at the gym they ask for an e-ID. In the case of Spain, the issuer is the Ministry of the Interior, which grants the bearer this verifiable credential. The Ministry of the Interior uses keys linked to its decentralized identifier on the chain of records (blockchain) to sign the credential so that it cannot be manipulated and anyone who receives it can verify that it was issued by the corresponding authority. Pepe carries all his verifiable credentials in his wallet. When the fitness center asks for his ID, Pepe gives permission to verify that his eID is indeed issued by the corresponding authority. It is Pepe who authorizes the fitness center to access the document in his wallet and retrieve any public key.
Phillip J. Windley illustrates this with the example of requesting a driver's license at the entrance of a bar to verify age of majority. Any organisation or person could issue the verifiable credentials they wish and Pepe would have to be able to carry all the credentials he wants in his wallet. Likewise, those who act as verifiers (in the previous example, the gym, and in the graph, the bar) could choose which credentials they trust to verify identity. Decentralizing everything makes it possible for self-sovereign digital identity systems to be used in any situation.
Details about verifiable credentials, another key concept linked to self-sovereign digital identity, can be found in the article "Verifiable Credentials in Digital Identity Projects".
We have put simple, everyday examples, but imagine the benefits of applying self-sovereign digital identity systems in key areas, such as health care. People, while maintaining control and privacy of personal data, can carry in their wallet (for example, their mobile phone) their medical history, their vaccination record, information about allergies... Everything. You have an example of a use case in "Self-Sovereign Digital Identity and Blockchain in the Health Care Sector".
In this way, if our friend Pepe falls ill while traveling and has to go to a medical center that is not his usual one, he could share his information with that center to facilitate better service and avoid delays in diagnosis or medication due to lack of immediate information. His credentials and data would not remain at the medical center, but would be retrieved, shared, and would return to his wallet.
At the European level, the implementation of self-managed digital identity will be a reality soon and key sectors, such as health, will have to comply with the new regulation on electronic identification e-ID framed within the European regulatory scheme eIDAS.
By the end of 2023, early 2024, they must provide citizens with a digital identity wallet with which they can perform different actions, including accessing or requesting a medical certificate or storing a medical prescription that can be used anywhere in Europe. All of this we talk about in "What is a self-managed digital identity wallet."
We are going to delve into the operation of the Self-Managed Digital Identity Systems (SSI) to see what happens with Pepe's data.
How SSI systems works
Self-Sovereign Identity (SSI) systems use decentralized identifiers (DIDs) to identify individuals, organizations or things. These DIDs provide the cryptographic basis for the system and can be used without a central administrative system managing and controlling the DIDs. Interchanging DIDs is how participants in SSI systems create relationships.
The participants in the SSI system use the exchange of verifiable credentials to share information (attributes and identifiers) with others to strengthen or enrich these relationships. SSI systems support the autonomy of participants, implying that participants interact as equals.
These are the schemes that Wealize presented in a Vaccination Handbook project for the Andalusian Health Service, in collaboration with Alastria and Additum.
Requirements for a Self-Sovereign Identity Management System
For a self-sovereign identity system to be truly self-sovereign, it must meet the following requirements, which serve to address the issue of digital identity. By meeting these requirements, the difficulties that we previously exposed are resolved.
- Immutable. Identifiers are established for life, at minimum, are not reusable, and belong to the person who created them. Both individuals, organizations or things connected can use self-sovereign identity using the same infrastructure.
- Equal relationship. Like offline relationships, individuals have control. They freely choose with whom or what they associate. That freedom is for all members of the system. The scheme is not one of a client-based relationship, but of a peer relationship.
- Privacy protection. Each member of the system has control over how information is shared. Therefore, any SSI system must avoid correlation and minimize the disclosure of attributes and require explicit consent. Otherwise, information would be at risk and members of the system would lose control over it.
- Portable. Ability to choose and control. Identifiers and associated credentials must be portable, and SSI systems must be able to operate between them to protect free choice and control.
At Izertis, we have worked on different self-sovereign identity projects using blockchain technology and biometrics. An increasing number of companies and organizations are opting for SSI systems: Health, E-Commerce, Banking, NGOs...
If you want to join them and have your company and organization ready to implement self-sovereign identity, we are eager to help you.