SSI IN SIMPLE WORDS
Have you ever thought about the number of documents and their significance that may contain your personal information and can be used in many cases? A simple example is a passport that certifies our identity and nationality and can be used to prove our information, for example, for international travel, to confirm adulthood, etc. Also, we can have a national identification number (such as Social Security Number, or SSN, in the US), driver license, credit history document, bachelor’s diploma, and many other documents except the passport used to prove some of our personal information.
I want to note that all such documents have been used for a long time as simple paper documents under our full control. We may decide who can see information in our passport or driver license, get our national identification number, etc. But today, the digital world is everywhere. Many businesses and government structures use information technology solutions to make our lives simple in many cases. For example, we are able to do online shopping by providing credit card information; we can use our Facebook, Google accounts to get access to different services, apply for credit using SSN in the US, etc.
As we can see, a lot of different digital services can have access to our personal information. Therefore the following question should be in our mind. What can happen if my personal information becomes available to someone with malicious intent? How can I ensure that my private information isn’t revealed to third parties? I think that the answer to the first question is simple. The consequences of stolen data can be devastating, like empty bank accounts and illegal usage of your identity destroying your credit. But what about the second question? It would be naive to think that our personal information is always secure, and the services are not vulnerable, even if they do their best to be GDPR compliant.
In 2016 the personal information of 57 million users was breached at Uber. Facebook faced a database data leak of 419 million users in 2019. According to McAfee’s research in 2018, more than 40% of people worldwide feel they lack control over their data. While the implementation of sweeping regulations like GDPR bodes well for data security, you still can’t trust companies to always follow the rules.
In this post I would like to describe a new paradigm for managing our digital identities: Self-sovereign identity is the concept that people and businesses can store their identity data on their own devices, and provide it efficiently to those who need to validate it, without relying on a central repository of identity data. It’s a digital way of doing what we do today with bits of paper.
Let’s consider the main steps to prove our adulthood using a paper passport.
- First of all, you need to have a paper passport that contains all the required information. For this purpose, you can request it in your local government identity authority. Your passport has all the necessary insignia to distinguish it from fake passport (get attestations)
- You provide the following “I’m an adult” to a third party. (claim)
- After that, the third party asked you to provide information that can prove it. (proof request)
- You provide the passport to the third party (proof)
- The third party can validate that your passport isn’t fake and is issued to you. Also, it validates that you are an adult. (attested information validation).
Simple enough, isn’t it? As we can see, the above sample couldn’t be real without distinctive required insignia that the paper passport and all respective identity information are valid.
But what about digital information? Is it possible to use something similar to insignia in the case paper passport and guarantee that the information is valid? A digital signature that is a part of cryptography can satisfy it.
In this way, digital signatures and other cryptographic algorithms and protocols can enable self-sovereign identity.
HOW WOULD SSI WORK FOR THE USER?
You would have an app on a smartphone or computer, something akin to an “identity wallet” where identity data would be stored on your device’s hard drive, maybe backed up on another device or a personal backup solution, but crucially not stored in a central repository.
Your identity wallet would start empty with only a self-generated identification number derived from a public key and a corresponding private key (like a password, used to create digital signatures).
At this stage, no one else in the world knows about this identification number. No one issued it to you; you created it yourself. It is self-sovereign. The laws of big numbers and randomness ensure that no one else will generate the same identification number as you. You then use this identification number, along with your identity claims, and get attestations from relevant authorities like local government identity authority. You can then use these attested claims as your identity information to prove some your personal information to third parties.
Below you can see a flow of the process of proving one is an adult with SSI.
- Firstly, I need to generate a keypair by myself without any third party participation that is used to represent an identity. (keypair generation)
- Request signed digital passport issued by Identity authority using provided digital passport and respective public key. (get attestation)
- Provide a claim that you are an adult to a third party.
- The third party requests proof.
- You provide the proof that is generated based on your signed digital passport.
- The third party verifies your claim by getting only “True “/” False” without revealing any additional your personal information using the proof.
- The proof is generated using special cryptographic function (“generate proof “) based on your passport that is signed by Identity authority. It’s a one-way data conversion. It means that you need to hack cryptographic functions to get access to initial data.
- Then the proof is sent to the Verifier.
- The proof is verified by the third party using another special cryptographic function (“verify claim “) based on your provided claim and proof. Considering cryptographic properties, the Verifier can get only two available options as an output: true, false.
Therefore, SSI may bring a real value to be captured both by individuals whose personal data is at stake, as well as businesses. The potential applications of SSI are vast, spanning all sectors and industries from the public sector to banking, retail, and healthcare.
An SSI wallet could be used to prove one’s qualifications and identity when applying for a job, opening a bank account, issuing a driving license, securing a mortgage, or making a purchase in an online store. SSI also means no more registration across different platforms using various usernames and passwords, and hence no need to maintain multiple personal accounts. SSI translates to reduced administrative burden and improved customer experience.
To businesses, immediate value comes from the removal of the costly and challenging GDPR compliance. Forbes reports that in 2018 in the UK alone, $1.1 billion was spent by companies on GDPR preparation, while US companies allocated over $7.8 billion on protecting customers’ personal information.