Self-Sovereign Identity and how we can get there

Success stories from around the world have well established the efficiency and social inclusion case for broad-based access to a foundational digital identity. As we head towards a 3rd year of living with COVID however, it has become increasingly clear that a digital identity is more than that – it is now a necessary foundation for a resilient society. While the pandemic has been universally disruptive to normal life, some have fared better than others in mitigating its effects. For instance, those with well-developed digital identity systems have been quicker to identify vulnerable populations and make instant cash transfers in contrast to their less-digital peers [1].

As government workers return to their offices faced with unprecedented backlogs, attention is now shifting towards building resilience for the future [2]. Evidently, universal access to digital identity and increased acceptance thereof has thus moved to the top of the public sector agenda in a number of countries around the world [3] [4]. Given the increased attention, it is matter of time before broad-based access to a foundational digital identity becomes a reality.

But while digital identities can open up a plethora of new possibilities for citizens, poorly designed identity systems characterised by single identifiers used across services and centralized databases bring with it the risk of a dystopian future marked by surveillance, identity theft and a general breach of one’s right to privacy in everyday life. Recognizing this, citizens around the world have risen up in protest demanding that digital identity programs put in place safeguards that uphold the fundamental right to privacy [5][6]. We thus stand at a pivotal moment in time where our actions today will define how we interact with each other in the digital realm and thus the societies we build for decades to come.

Fortunately, recent technological developments present an opportunity to reimagine digital identity. Enabled by recent advances in the realm of cryptography, mobile devices and decentralized identity standards we can now put citizens firmly in control of their digital identities while ensuring the level of trust needed to unlock the full potential of a digital society. The answer to this challenge lies in self-sovereign identity (SSI).

But what is SSI?

SSI is a philosophy and a technical framework deriving from it that seeks to empower users with control over their digital identity, starting from its creation to its usage and deletion; all in a privacy preserving fashion. Set in the context of rapid digitization, unprecedented growth in data creation and proliferation in the use of social logins, the series of work which led to the concept of SSI can be traced back to 2012 in Devon Loffreto’s post about Sovereign Source Authority (SSA) [7] [8] [9].

Since those beginnings the concept evolved over the years and rose to prominence following Christopher Allen’s landmark blogpost in 2016. In the post, Christopher Allen outlines the 10 principles of SSI which have informed product development at Procivis right from the outset. Yet, when the term Self-Sovereign Identity (SSI) gained popularity beyond developer communities, it raised eyebrows in traditional identity circles. The term “Self-Sovereign”attached with “identity” which we’ve come to associate with passports, driver’s licenses, social security numbers and other such government-issued documents are seemingly in conflict. However, governments have a key role to play as the foundational trust anchor in an SSI ecosystem. In practice, your SSI would be a combination of your foundational identity (your core-identity attributes issued by the government) and contextual identities (self-issued identity attributes or issued by other entities for context specific use) stored in a digital identity wallet. What sets SSI apart is that the user is central to the administration of the identity. Identity claims originate from the individual but the trust in those claims derive from the attestations attached to those claims.

SSI is enabled by two emerging technological standards being developed by the World Wide Web Consortium: verifiable credentials (VCs) and decentralized identifiers (DIDs). By breaking down a user’s identity to its constituent pieces (claims) each of which are cryptographically verifiable, VCs empower the user to limit data shared with a verifier to the absolute minimum necessary to access a certain service, thus complying with the principle of data minimization. DIDs rooted on decentralized registries on the other hand enable verifiability of the said credentials without reliance on centralized identity providers (IdPs) and permit users to share their digital identity data while mitigating the risk of being tracked across services and thus being comprehensively profiled. The latest update to the DID recommendation was published on the 3rd of August 2021, and thus the standard remains very much emergent to date.  

From eID+ to SSI: Our path to Self-Sovereign Identity

Inspired by the eGovernment story of Estonia and recognizing the potential that blockchain offered in restoring control over personal data to users, Procivis was founded in 2016 with the vision of making SSI a reality in Switzerland. Yet, at the time, SSI was in its infancy and work on building up technical standards was just beginning. Furthermore, key stakeholders including government, businesses and most importantly citizens had to get familiar with the concept and thus buy into a self-sovereign future before a program could be successful. Thus, with the goal of making this vision a reality in the following decade, we started working on eID+ while adopting key SSI principles into its development.

Principles of privacy by design, data minimization, user consent and decentralization, all while creating a delightful user-experience formed the basis of our eID+ solution. A user, while going through the process of setting up their eID+, is essentially generating a key-pair within the secure elements of their mobile devices which then secures any interactions carried out by that identity. In line with the data models of the verifiable credential standards, each identity attribute that constitutes a user’s eID+ is signed by the issuer. This permits the user to share and prove the authenticity of individual identity attributes in a data minimizing fashion. Every transaction that involves sharing personal data requires the explicit consent of the user. Furthermore, the user can always access a log of all past transactions with include the data points shared and the recipient of the data. In Schaffhausen and the City of Zug, eID+ provides citizens with a fully functional digital identity solution which reconciles self-sovereign principles with legacy public sector IT infrastructure.

Taking the SSI vision further, we are working towards addressing interoperability among Swiss E-ID solutions with an inter-cantonal E-ID pilot in Switzerland. By the end of Q1 2022, we will demonstrate interoperability between E-IDs in Zug, Schaffhausen and those in other interested cantons including solutions from other vendors. Simultaneously laying the final pieces of the puzzle, we are well on course to demonstrate our SSI wallet solution based on our eID+ technology stack by the end of the year. The wallet leverages the Hyperledger Indy framework to facilitate the transition away from a centralized trust infrastructure to one which is truly decentralized.

With its 26 cantons and strongly federal system, Switzerland serves as a microcosm of the world. By implementing a successful SSI solution and building up a thriving digital ecosystem around it, Switzerland can not only realize its own digital potential but serve as a model for nations around the world to replicate and thus live up to its strong legacy of upholding the right to privacy. While it was always clear to us that the privacy and security challenges faced by us in the digital age required us to move to an SSI-based identity future, our views have been vindicated by the people. With the E-ID referendum of March 2021, the citizens have clearly voiced what they want - a privacy preserving, secure identity solution which places user agency at the forefront. The Swiss government has a clear mandate from its citizens, and we at Procivis are here to help steer digital identity in Switzerland and beyond into a self-sovereign future.

References

[1] https://blogs.worldbank.org/voices/responding-crisis-digital-payments-social-protection-short-term-measures-long-term-benefits

[2] https://www.instituteforgovernment.org.uk/news/latest/performance-tracker-2020

[3] https://www.weforum.org/agenda/2021/01/davos-agenda-digital-identity-frameworks/

[4] https://www.cambridge.org/core/journals/data-and-policy/article/rethinking-digital-identity-for-postcovid19-societies-data-privacy-and-human-rights-considerations/0B9A65B889C341CF535E804256C2816A

[5] https://thewire.in/government/aadhaar-act-constitutional-change

[6] https://www.swissinfo.ch/eng/digital-identity-scheme-faces-scepticism-around-data-privacy/46399636

[7] https://www.sciencedaily.com/releases/2013/05/130522085217.html

[8] https://www.moxytongue.com/2012/02/what-is-sovereign-source-authority.html

[9]http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html