What is Self-Sovereign Identity?
As we transition to a world that’s increasingly dependent on digital means of interacting and transacting, privacy has become a key battleground area. Over the last decade, we’ve seen several high-profile data hacks, culminating in the most recent news of an audacious cyberattack on US government agencies and companies that’s been going on for months. Big tech firms are routinely harvesting more and more of our data to increase their bottom lines. So it’s hardly surprising that, when the global pandemic took hold, citizens have shown an extreme reluctance to download government-sponsored track-and-trace apps, with over half of the public stating that location tracking is “unacceptable.”
The issue comes back to one central problem – we do not have any control or ownership of our digital identity. The very idea of identity has become more complex, thanks to the onset of digitalization.
After all, before the days of the internet, our identities consisted of just a few data points and physical documents, like social security numbers, passports, and driver’s licenses. By and large, only a few parties had access to these identities. Since we moved online, our profiles consist of millions of data points, covering everything from browsing habits to friends lists to login information and more.
The fact is that the big tech firms don’t only have access to all of this digital identity data – they actively control most of it. We now access many other sites and services using our email addresses or logins from Google, Facebook, and Apple. We’ve had to sacrifice any notions of privacy at the altar of a smoother user experience. But in handing over the rights to our digital identities to big tech, we’ve given up on any ability to determine who has access to our data or what they do with it.
Self-Sovereign Identity - A New Way Forward
The concept of self-sovereign digital identity offers the alluring potential to give us back control of our data. The idea is centered around blockchain technology and cryptography. When Satoshi Nakamoto invented Bitcoin, he devised a way for individuals to directly exchange a digital store of value. One person can send Bitcoin to another person by entering their private key.
The same principle can be applied to data if we consider the data itself as the digital item of value. So rather than a wallet full of Bitcoins, imagine you have the keys to a wallet that contains a digital copy of your passport, driver’s license, health records, and your entire online footprint.
Concordium is one project at the leading edge of digital identity, set to launch on mainnet early next year. The project looks set to make waves in the field of self-sovereign identity based on the blockchain, as it has an identity layer built into its technology stack. It uses zero-knowledge proofs to provide an even deeper layer of privacy to users, allowing them to prove elements of their identity without giving away data or copies of physical documents.
So how does it work? When a user creates their account, they are required to confirm their identity with an approved identity provider. This may mean providing a copy of their government-issued ID, driver’s license, or any of the data needed for them to participate in applications developed on Concordium.
The identity provider retains the ID data off-chain and creates a zero-knowledge proof on-chain that verifies the identity. Then, the user can transact on-chain in complete privacy without disclosing their ID attributes to anyone. Furthermore, for enterprises, it frees them up from having to collect and safeguard their users' personal data.
As a safeguard against illegal activity, Concordium operates a process known as “anonymity revocation.” If there is a legal need to identify someone based on a request from a court or another official authority, a third party known as anonymity revoker can instruct the identity provider to hand over a copy of the required identity documents.
The identity provider can only associate the on-chain identity with the off-chain identity documents once the anonymity revoker provides them with a secret key. Furthermore, the anonymity revoker never sees any of the data belonging to the party being identified. Only the identity provider ever knows who is behind the transactions, and only then based on those few cases where a lawful instruction is issued.
In this way, enterprises using the platform are assured that they can meet their compliance obligations, while users can transact with an assurance of total privacy with the only exceptions being based on legitimate legal orders.
Practical and Varied Use Cases
Concordium’s approach to self-sovereign identity lends itself to a diverse range of use cases – virtually any application where a user is required to identify themselves or provide data online. In the case of COVID-19, it may mean someone can store their immunity status on the blockchain and verify their clean bill of health to airlines or conference organizers without showing a vaccine certificate. People could rent a car without having to leave a copy of their driver’s license and check into a hotel without handing over copies of their passports.
Perhaps one of the most compelling use cases is in replacing our physical government-issued ID documents with digital equivalents. As things stand, only a few governments globally have made the leap to a fully digital identity, with Estonia being one of the most notable at 98% digital identity adoption.
However, given the pressing issues of privacy and our increasingly digital societies, governments are racing to adopt digital identity solutions, including in the EU, Australia, India, and the United Kingdom, to name a few.
Ultimately, blockchain appears to be our only hope for a genuinely self-sovereign digital identity. If governments can be persuaded of the same, then there’s every chance that we can take back control of our personal data while governments worldwide can hope to restore some of the trust lost over recent years. It will undoubtedly take many years to steer things away from the course set by the big tech firms. However, the sooner the shift starts, the quicker we can hope to reclaim our online privacy.