Self-sovereign identity: the future of personal data ownership?

With the digitalization of various services in recent years, there are more and more opportunities for our personal identities to be utilized online in our daily lives – for instance, in e-commerce and social networking. In fact, it is predicted that the use of online identities could unlock the economic value equivalent of 6% of GDP in emerging countries and 3% of GDP in developed countries in 2030.

On the other hand, there is a growing concern about privacy issues in the use of identity information. For example, more than 60% of people in the US are concerned about how the collected information will be used by companies and governments.

Thus, balancing the utilization and protection of digital identity has become a global social issue. In this context, personal data management regulations, such as GDPR (General Data Protection Regulation) in the EU and CCPA (California Consumer Privacy Act) in California, are being strengthened in many countries.

Until recently, the main methods of managing digital identity have been the centralized identity model and the federated identity model.

In the centralized identity model, each service provider manages users’ identity. Users access the service using authentication information, such as user identifier and password, that varies by services. The centralized identity model is widely used today. However, from the user's perspective, there are various disadvantages such as the need to manage authentication information for each service, fragmentation of identity for each service, and giving control of identity to the service operator.

In the federated identity model, several identity providers establish agreements between each other and operate under a common trust framework, or “federation”. Anyone who has an identity in an identity provider can access other identity providers. For example, logging into new services using a Google or Facebook account. However, most of the current federated identity services rely only on one service provider to serve as the trusted identity verifier.

Compared to centralized identity model, the federated identity model improves user convenience because less authentication information needs to be managed, but the sovereignty of the identity remains with the identity service providers. It also creates the risk that a piece of authentication information can be leaked, leading to unauthorized logins to multiple services.

To address these problems, the concept of self-sovereign identity has been proposed. Although a universal definition of self-sovereign identity is difficult to find, the core notion is arguably that users are given control and autonomy over their identity data, how it is used and who it is used by.

In self-sovereign identity, the user has his or her identity information digitally signed by a trusted third party. When the user provides the identity information, he or she also digitally signs the information before providing it to the user of the identity information. The public keys of the user and the third-party organization for verifying the digital signature are recorded in a distributed ledger, and the user of the identity information verifies the provided information using them. In this way, users can control their own identity information without relying on a specific central administrator.

Demonstrations of services using this technology are already underway. For example, Kiva is building an identity protocol based on self-sovereign identity for building credit history in Sierra Leone. Another example is the COVID Credentials Initiative (“CCI”). They are working on a digital certificate based on self-sovereign identity that lets individuals prove they have recovered from the COVID-19, have tested positive for antibodies or have received a vaccination.

The use of self-sovereign identity is being promoted in a variety of fields, but there are still various issues that need to be addressed. One of the challenges is to ensure interoperability. Self-sovereign identity will likely not replace existing all identity management systems but be used and coexist with them. It is also expected that various self-sovereign implementations will appear in the future. Therefore, interoperability with existing identity management systems and other self-sovereign identity systems is required.

Key management is also an issue. In self-sovereign identity, identity information may be held in a wallet held by the user, which makes key management more important than ever. Therefore, a user-friendly solution is required so that users can properly manage their private keys. It is also expected that a certain number of users will lose their keys, so a key recovery mechanism is also essential. Although self-sovereign identity is a model where users manage their own identity information, there are cases where users such as children and the elderly cannot properly manage their identity information and keys on their own. For this reason, a mechanism to manage keys on behalf of the user is also important.

Self-sovereign identity is a promising technology to allow you to control your own data. However, to provide the true value of the technology, it is essential to establish governance framework for its operation.