Vignette 3 | Conceptualising self-sovereign identities

Paul Laughton

Self-sovereign identity, also known as SSI, is a digital identity movement that enables individuals to control their identity without intermediary authorities. This enables interaction with the same freedom and trust as one is accustomed to in a conventional offline environment. Self-sovereign Identities ultimately allow individuals to control how their identities are managed on a global level (Sharma, 2020). The traditional centralised identity systems have several security weaknesses and do not support user control. Self-sovereign identity was proposed as an attempt to provide user control and a secure model for managing identities. Traditional centralised models have a number of drawbacks, such as potential loss of data due to common hardware or device malfunctions (Shuaib, Alam, Alam, & Nasir, 2021).

The proliferation of information in the digital economy has led to the fragmentation of identity data currently experienced among numerous online identity repositories. The average person has their data distributed among various governmental, financial, and social data hubs. This can cause complications such as duplicate entries, mismatches, and outdated data, in addition to the challenge of maintaining all these different identity repositories. Added to this, a lack of universal standards and interoperability among the identity repositories makes it challenging for people to store, obtain, remove, or share their personal data (Soltani, Uyen & An, 2021). Nowadays, the digital virtual online and physical worlds have become increasingly interconnected, highlighting the necessity and importance for a self-sovereign identity (Shuaib, Alam, Alam, & Nasir, 2021). Currently popular user-centric designs have turned centralised identities into interoperable federated identities with centralised control, while also allowing some level of user consent about how to share an identity (and with whom). Although this an important step toward true user control of identity within self-sovereign identities, it is nevertheless only one step (Allen, 2016).

There is a significant need for self-sovereign identities, since governments and companies share an unprecedented amount of personal information, while processing and cross-correlating everything from viewing habits to purchases, to where people are located during the day, to where they sleep at night, and with whom they associate. In addition, technology allows for greater access to human rights and to the global economy for Third World countries, who are looking to digitisation and adoption of technology in the 4th industrial revolution. When effectively implemented, self-sovereign identity can offer such benefits, while also protecting individuals from the ever-increasing control of those in power (Allen, 2016).

Historically one of the first references to identity sovereignty occurred in early 2012, when developer Devon Loffreto wrote about ‘Sovereign Source Authority’', stating that individuals ‘have an established right to an “identity”’, but that national registration destroys that sovereignty. At the same time, Patrick Deegan began work on an open-source framework that gives users control of their digital identity and their data in decentralised systems called Open Mustard Seed (Allen, 2016). Due to political differences, self-sovereign identity has begun to influence and feature in international policy. One significant event that has largely created interest is the refugee crisis that has beset Europe (2015), resulting in many people lacking a recognised identity due to their flight from the state that issued their credentials (Allen, 2016).

True user control is the heart of self-sovereign identity, a term that is increasingly popular in fields where user data is required (e-government, e-commerce, health, etc.). An important feature of self-sovereign identities is that users become the rulers of their own identity rather than merely advocating that users be at the centre of the identity process (Allen, 2016). Self-sovereign identity is the next step beyond user-centric identity and that means it begins at the same place: the user must be central to the administration of their identity. User consent is a key focus requiring interoperability of a user’s identity across multiple locations, with the user’s consent, along with true user control of that digital identity, collectively creating user autonomy. To ensure this, a self-sovereign identity must be transportable; not restricted to one site or locale. However, it must be acknowledged that that identity can be a double-edged sword — usable for both beneficial and harmful intent. To achieve its aims, an identity system must balance transparency, fairness, and support of the commons, with continuous protection of individuals (Allen, 2016).