‘Self-Sovereign Identity’ management, data ownership and the future of digital identity
While ‘classical’ human identity has kept philosophers busy for millennia, ‘Digital Identity’ seems primarily machine-related. Telephone numbers, e-mail inboxes, or Internet Protocol (IP) addresses seem, at first glance, irrelevant to defining us as human beings. However, with the omnipresence of digital space, the digital aspects of identity gain importance. In our recent paper ‘Digital Identity and the Blockchain: Universal Identity Management and the concept of the ‘Self-Sovereign’ Individual’ we assess the theoretical conditions and the practical examples that shape practice in the first attempts to create self-sovereign digital identity systems. This treatment by necessity covers issues around digital identity, data ownership and privacy.
There is a set of boundary conditions that define the practical application of identity management systems. We consider identity frameworks moving on a continuum between individual identity as represented by the physical and mental embodiment of a person. At the same time they are bound to a limited set of legal norms that regulate the ownership of data related to identity, like privacy, intellectual property and copyright law, the right to one’s picture, rights related to belonging to certain groups (including minority rights) and duties around taxation and citizenship. This creates what we call a digital identity space within which all identity management systems need to operate, whether by legal or socio-technical necessity.
We can categorize identity management systems by distinguishing:
Centralized identity systems, where a single organization establishes and manages identity. This is typical for the direct relationship between the state and the individual.
Federated identity systems, where different public and private institutions establish stand-alone systems. These systems are subsequently linked through agreements or regulation. This allows for some re-purposing of identity credentials, yet the activity remains driven by the initial purpose.
Decentralized identity systems, where the individual is at the center and institutions or private corporations just add (verified) credentials to a central ‘identity hub’, ‘application’, or ‘vault’ that is controlled by the individual. In such a system, digital identity (DID) is initially purpose-free and becomes a resource or an asset as credentials are acquired.
One of our main findings is that the management of DID is transforming from a purpose-driven necessity towards a self-standing activity that becomes a resource for many digital applications. In other words, whereas identity has traditionally been addressed in a predominantly sectoral fashion whenever necessary, the emergence of Distributed Ledger Technology (DLT) transforms digital identity management into a basic infrastructural service, sometimes even a commodity. This coincides with a trend to shift ‘control’ over identity away from governmental institutions and corporate actors towards ‘self-sovereign individuals’ who, with the emergence of DLT, have the tool to manage their digital self autonomously.
Focusing now on the governance of digital identity systems, we can further distinguish three models:
Centralized Top-Down Approach, as applied, for example, in the world’s largest DID, ‘Aadhaar’, which has been administered by the Unique Identification Authority of India since 2009. This is a centralized system with more than 1.2 billion enrolled users that is not DLT-based but hinges heavily on biometrics to identify users. It is also discussed in the context of self-sovereign identity.
Individual Incentive Programs, such as the E-residence scheme of Estonia. Here individuals become virtual residents of Estonia, which gives them a platform for business, regardless of where they originate from.
Community-Based Bottom-Up Approach, such as the decentralized identity platform Forus in the Netherlands, or the uPort-based self-sovereign identity system of the city of Zug in Switzerland. These systems are decentralized by design and entirely user-focused. The platforms develop features incrementally as they grow from concrete use scenarios within communities to regional and potentially global relevance.
Beyond the technological fix
All of these systems have their merits and challenges relating to issues such as scalability, effectiveness, and their ability to respect, protect and promote human rights. A sound framework of DID management needs to take into account questions of privacy, data ownership, and relationality of identity data. Specifically, the question of data ownership remains unanswered. The emergence of DLT and the abundance of private and public sector initiatives, as well as the emergent debate around DID, make it abundantly clear how important it is to gain a proper understanding of the legal, social and philosophical conceptions and norms that govern identity in general and digital identity specifically.
DLT has only enriched the governance toolkit, so that private and public sector actors can select from among a range of top-down to bottom-up DID management approaches. Even if decentralization is ‘en vogue’ right now in both the governance debate and among blockchain advocates, it is by no means a panacea for all old ailments. Ultimately, form needs to follow function and necessity. If translated well into practice, DLT can be useful, provided that socio-legal and philosophical necessities can be incorporated in decentralized DID systems.
Andrej J. Zwitter - University of Groningen, The Netherlands
Oskar J. Gstrein - University of Groningen, The Netherlands
Evan Yap - Tykn.tech