Our personal data is fragmented online across a number of institutions and services, compromising its security and citizens’ privacy. Now an innovative new solution proposes to put us back in control.
Where are you? It’s an easy question with one correct answer: you are where you are, whether that’s at your desk, in bed or on a train, for example. But where are you online?
You can probably count the digital accounts you use most frequently on your fingers: a ride-hailing service, a social media platform, a banking app. However, you need only to look at your inbox to realise how many services you’ve signed up for, the countless companies that you’ve given your address, date of birth, mother’s maiden name. The truth is that on the internet, you’re all over the place.
We have different digital identities for the different services we use and we’re only ever one “what was the name of your first goldfish?” away from realising just how messy this can be. This system is known as centralised identity, where different organisations are responsible for keeping an abundance of people’s data safe.
Over the last few years, a federated identity system has taken off, in which companies such as Facebook and Google allow you to log on to different platforms through their service. It is convenience at a cost as these tech giants can follow you across the web, collecting data from your healthcare apps, shopping accounts or any platform you’ve used the “log in with Facebook” button for. Not only is this troubling in terms of your privacy, it’s a goldmine for hackers.
Enter Self-Sovereign Identity (SSI), an enticing solution that promises to keep your data under your control. As Irra Ariella Khi, co-founder and chief executive of cybersecurity startup Zamna, puts it, with SSI you are “the king or queen of your identity”. But this revolutionary new solution is not without its drawbacks.
What exactly is SSI?
SSI is an alternative digital identity model by which each user controls their verifiable credentials – tamper-proof electronic versions of physical credentials like a passport, permit or proof of address – and can selectively hand over bits of data to those who need them.
While SSI’s proponents agree on its principles – it should be decentralised, users empowered, and everything must remain portable, private and, most importantly, secure – there is some debate over exactly how this can be achieved.
Most believe blockchain could be the answer: each data attribute can be registered to a block on the decentralised chain, which businesses can access to obtain an individual’s data without the need to store it themselves.
Many different entities are currently trialling SSI systems, from the Catalan government in Spain to an NHS hospital in Blackpool. Banks are also dipping their toes in the water, with Barclays previously exploring the benefits of SSI with specialist Evernym. “SSI has considerable potential when it comes to improving customer experience: users may be able to register with a single click, instead of having to fill out lengthy forms,” according to Barclaycard’s website.
How can SSI benefit businesses?
SSI might be costly to implement, but could save businesses money in the long run. At present, companies can be fined hefty amounts if customer data is lost or hacked and maintaining security systems that prevent this is expensive. SSI both shifts the onus from corporations and makes them less appealing to hackers.
Michael Shea, managing director of technology consultancy The Dingle Group, says SSI can also improve data quality, which will save on administrative costs. “If the customer is able to present part of their credential, say their home address, because it’s now in this cryptographic bundle that’s been issued and verified, then nobody’s entering any information on the keyboard,” Shea explains. “It’s done automatically, and so you eliminate the human-entry error or production mistake. There’s huge value there.”
He also notes that SSI won’t just change how existing businesses operate, it can create entirely new opportunities, referencing Energy Web, a company that uses SSI to allow anyone to participate in the energy market.
“Traditionally, if you had solar panels on your house and you produced more power than you could use, it flowed back into the grid and your meter might run backwards. The grid operator cannot use it to balance the power on the grid because there are too many unknowns,” says Shea. SSI allows Energy Web to verify individuals and the equipment they use. “They’ve created this sort of identity bundle that’s all cryptographically signed, so you can become an active member of the power grid,” he says.
What problems does SSI pose?
Of course, problems arise when theory is turned into practice. Zamna’s Khi notes there’s an issue with SSI as it doesn’t recognise what centralised institutions provide us in return for our data.
“If you state the user is the most important person in this ecosystem, then we’re ignoring the fact that the hard work of assessment and risk management, business processing and decision-making, and service providing actually doesn’t happen on the user side,” she says. “There are prices of admission to the services we as individuals want to have.”
Zamna’s co-founder Alex Gorelik adds that “technology by itself doesn’t really solve anything”, and a rush to apply SSI can be directionless, with theorists not understanding how it can solve the problems faced by individual businesses.
Susan Morrow, head of research and development at identity data specialists Avoco Secure, has written about her doubts surrounding SSI. While in theory she supports giving users control of their data, she says SSI models in practice do not take human behaviour sufficiently into account.
“They’re techies building for techies,” she says. “When it comes down to it, if you want this to be the panacea, then it has to cover everybody and everything.” In reality, many people don’t have the smartphone or reliable internet access that a “wallet” system would rely on.
Questions also remain about the trust layer of SSI. Verifiable credentials are confirmed as cryptographically sound and untampered with, but Shea points out they do not prove whether a document was issued by a legitimate organisation. Khi has exposed such flaws, showing how easy it is to purchase a domain name using the title of a coronavirus-testing company. This means people could abuse the system where a border force requires travellers to have negative tests before they enter a country.
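The gap between a valid signature and a legitimate issuer, shown as an added example that is not from the article or from any company it names: a verifier that checks integrity first and then looks the issuer up in its own list of accredited issuers. The trust registry, the issuer identifiers and the credential layout are assumptions made up for the illustration.

```javascript
const crypto = require('crypto');

// Constructed issuers: an accredited lab and a look-alike with a similar name.
const realLab = crypto.generateKeyPairSync('ed25519');
const lookalike = crypto.generateKeyPairSync('ed25519');

// Hypothetical trust registry kept by the verifier (e.g. a border authority):
// accredited issuer identifier -> that issuer's public key.
const trustRegistry = new Map([
  ['did:web:citylab-testing.example', realLab.publicKey],
]);

// Issuer side: sign the serialized claims with the issuer's private key.
function issue(issuerId, privateKey, claims) {
  const payload = JSON.stringify({ issuer: issuerId, claims });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Integrity only: proves the payload was signed by the holder of this key, nothing more.
function signatureValid(cred, publicKey) {
  return crypto.verify(null, Buffer.from(cred.payload), publicKey,
    Buffer.from(cred.signature, 'base64'));
}

// Full check: integrity, then issuer legitimacy against the registry.
function verify(cred, presentedKey) {
  if (!signatureValid(cred, presentedKey)) return 'rejected: bad signature';
  const { issuer } = JSON.parse(cred.payload);
  const registeredKey = trustRegistry.get(issuer);
  if (!registeredKey) return 'rejected: issuer not in trust registry';
  if (!signatureValid(cred, registeredKey)) return 'rejected: key does not match registered issuer';
  return 'accepted';
}

// Constructed sample credentials.
const claims = { test: 'covid-19', result: 'negative' };
const genuine = issue('did:web:citylab-testing.example', realLab.privateKey, claims);
// Similar-looking issuer name, signed with the look-alike's own key.
const forged = issue('did:web:citylab-testlng.example', lookalike.privateKey, claims);
// Claims the real issuer's identifier but is signed with a different key.
const impersonated = issue('did:web:citylab-testing.example', lookalike.privateKey, claims);
// Genuine credential whose payload was edited after signing.
const tampered = { ...genuine, payload: genuine.payload.replace('negative', 'positive') };

console.log(signatureValid(forged, lookalike.publicKey), verify(forged, lookalike.publicKey));
```

The forged credential passes the signature check on its own, which is the point Shea makes; it is only the registry lookup that rejects it.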
SSI identity custodians explained
If our digital identity remains totally decentralised, then there’s no one we can call if everything goes wrong. Identity custodians are individuals or entities we can rely on to help us recover our data. Some argue banks are a natural fit for the role, as we already trust them with our money and identities. Others, however, may prefer governments to take on the job.
Much remains to be resolved with SSI, but the coronavirus pandemic has accelerated interest. Shea says the landscape has shifted and more of his clients are focused on digital identity and SSI, with investment increasing. “It’s getting a lot of attention,” he says. Perhaps controlling your own digital identity is just around the corner.