Self-Sovereign Identity for more Freedom and Privacy - SelfKey

Self Sovereign Identity

Self sovereign identity (SSID) is a new way of managing digital identities that aims to put individuals in control of how their private data is stored and managed. Discover the benefits and challenges of using SSID in order to operate more safely in the digital world. Learn about data breaches, risks, data safety, and how to prevent your private information from being stolen and sold.
01 Mar 2023
SelfKey

Summary

Have you ever wondered what happens to your personal data once you share it with a website or an application? Have you thought about where your information is stored and who has access to it? Were you aware that data breaches happen daily and your information is at risk of being compromised at any time? 

This article touches upon a new technology which is currently being developed to help you manage your private information online. In the near future, you may no longer have to rely on other parties that might put your sensitive, valuable, or personal data in danger. 

We’ll be discussing the concept of self sovereign identity (SSID), how it works and how it impacts our daily lives as individuals operating in a digital world.

Highlights:

  • Online Safety
  • How will Self Sovereign Identity improve our online activities?
  • Self Sovereign Identity
  • Issues with the current implementation of Self Sovereign Identity
  • How can the current Self Sovereign Identity implementation be improved and scaled?
  • The Trust Triangle
  • Agents of The Trust Triangle
  • Trust in the digital world
  • The Three Pillars of Self Sovereign Identity
  • Blockchains
  • Decentralized Identifiers 
  • Verifiable Credentials
  • Zero Knowledge Proofs
  • Conclusions

Online Safety

Digital revolution: Both a blessing and a curse

In the past several decades, mankind has shown magnificent progress in computer science. So much so that society quickly became accustomed to using Information and Communication Technologies on a daily basis. Whether it is for recreational purposes, communication, work or education, mundane tasks are made significantly easier with the help of cutting-edge technology and wireless systems. 

Artificial Intelligence (AI) is capable of performing convenient assignments, such as reading, generating, integrating, and theorizing information. However, it is also heading dangerously fast towards mimicking a trait which, up until now, has been uniquely human: identity.

When personal data is leaked, AI can potentially make use of that information to steal or forge human identities. Thankfully, the future will also bring ways to prevent that. A Self-Sovereign Identity solution is being developed with the aim to protect our data from being stolen and sold.

How safe is it really out there?

Using technology and having a digital presence has become so common nowadays that many people don’t think twice about the security of their personal information.

Although they are within the safety of their homes, their data is still potentially visible to millions of users online. Among those millions, there are many individuals with bad intentions, who look for ways to use other people’s private data for their own personal benefit.

More often than not, however, it is entities that individuals are supposed to trust who end up selling or divulging their personal information to other parties. And those parties, whether willingly or not, will put that personal information at risk of being unlawfully used by bad players.

At the moment, unfortunately, people have come to depend on centralized systems in order to benefit from online services to perform their daily tasks. Without those online services, it would be impossible for individuals to function in the present day society. 

It is more of an obligation than a choice, and it has become so normal that we simply go with the flow. Otherwise, we will not be able to keep up with the fast-paced changes in the way we work, study, and communicate.

Our digital identities

Personally Identifiable Information (PII) belonging to individuals, firms or organizations is being stored online in the form of digital data. This collection of digital data is then used to build our digital identity.

A digital identity is used to facilitate access to services that make it easy for computers to efficiently mediate transactions between two or more individuals. The web provides us with a quick way of performing these transactions. However, it is not the safest place to store our private information. 

Data breaches happen on a daily basis without our knowledge. Through data breaches, important and valuable information can be stolen and sold, including our very own digital identities.

Ideally, individuals should be able to make use of the advanced, modern day technology without the risk of their private data ending up in the wrong hands. In order for that to happen, individuals need to have more control over how their information is stored and who has access to view or share it, at all times.

The illusion of choice

Nowadays, control seems less impactful on our lives, because the deception of freedom is given to us through choices. However, when access to necessary modern applications is being restricted unless personal data is consensually shared, choice becomes an illusion.

With the choice to opt in being enforced, people have grown used to accepting the privacy policies of applications without a second thought. These policies, that we barely even bother to read, do mention how data is shared with third parties. However, we cannot do anything but blindly trust that service providers will not abuse or mishandle our data.

At the moment there is only the illusion of consent, of trust, all to the detriment of the individual. Because of this deceitful way of forcing users to consent to their data being used, trust between individuals is becoming more and more difficult to establish.

SSID aims to dispel these illusions and bring authentic consent and trust to the mainstream.

Seeking safety in a digital world

Sadly, Big Tech often profits off of individuals at the expense of the latter’s safety, which may lead to identity theft.

Many users are unaware of the unlawful incidents happening underneath the brightly colored backgrounds of websites and applications as they perform their daily online tasks. They live under the impression that, as long as there is no malware alert on their devices, they have nothing to be concerned about.

The alarming truth, however, is that security violations occur on a daily basis. These cumulative cyber attacks can potentially cause millions of dollars in damages to the individuals whose data was involved.

How will Self Sovereign Identity improve our online activities?

Fortunately, a potential solution to the above-mentioned risks is currently being developed by SelfKey. It may be the sword and shield for individuals to function and perform transactions in the safest way possible. 

Self sovereign identity not only gives back the freedom of choice, but it also prevents this kind of disaster from happening. SSID users give access only to individuals that they wish to engage with. During this interaction, only a very limited amount of information is shared.

Therefore, sensitive, protected and important data is less likely to be sold to or shared with harmful individuals and organizations. Self sovereign identity was conceived to prevent data leakage in this sense. It gives users the power not only to manage and control, but also to protect what they deem valuable. 

Self Sovereign Identity

A brief introduction

Self sovereign identity (SSID) is a new way of managing digital identities, which aims to put individuals in control of how their accounts and private information are managed. With SSID, individuals have full ownership over their personal data. They no longer need to rely on centralized systems that might share their data with unknown parties for personal gain. 

Users can store their private information on their devices and present it for validation when it is specifically needed. This way, the risk of having their data compromised is considerably reduced. Individuals are in complete control over how their information is used and stored, at all times.

How self sovereign identity is currently being implemented

Once Self Sovereign Identity users store their private data on their devices, they can quickly take the opportunity to interact with trusted partners. In order to benefit from the services offered by these trusted partners, users need to accept the processing of their information by the partners. This is declared by the relying party once the user attempts to onboard into their services.

Issues with the current implementation of Self Sovereign Identity

Adoption and Convenience

At the moment, SSID users must store their data on their private device instead of the traditional central database. This method allows the users to have full control of their personal data. On the downside, the flow by which users interact with the system is less convenient than centralized alternatives.

Storing data on one private device makes it difficult for it to be accessed by the user’s other devices. Individuals have to manually introduce their information into devices they want to use, which can become time consuming and frustrating.

Scalability

Currently, users can only exercise their self sovereign rights with partners within the SSID environment. Moreover, individuals need to trust that the parties they choose to interact with will handle their personal data with respect to their privacy and store it securely.

How can the current Self Sovereign Identity implementation be improved and scaled?

Should we use Centralized Systems for convenience?

Centrally controlled systems are databases in which an individual’s digital identity is stored in one or more servers belonging to a centralized entity. Once personal data is stored in this type of server, an individual has no way of knowing who has access to it, who it is shared with, or where it ends up. 

When personal data is being shared with unknown third parties, there is a high risk of unintentional information disclosure. This can lead to dire consequences like identity theft or secret information being disclosed to the public, stolen or sold.

While centralized systems are not necessarily malicious, their security is weak, which leads to data leakage. With AI progressing alarmingly fast, this is a particularly serious concern. In conclusion, centralized systems cannot be used to improve the adoption and scalability of SSID solutions.

Are Decentralized Systems a better option?

At the polar opposite of centralized systems are decentralized systems. This type of system stores and verifies information in multiple computers that work together as nodes in a network, popularly known as a blockchain.

By transferring control from a centralized entity to a dispersed group, decentralized systems aim to reach a level of fairness among their users, without one individual having authority over the other.

The way data is stored in a decentralized system makes it very difficult for malicious parties to manipulate it, because it is secured by the blockchain. A decentralized system is perfect for storing public and openly-accessible data, such as a record of transactions.

However, storing personally identifiable information (PII) in a decentralized system is strongly inadvisable, even if it is encrypted. PII can be anything from full name, phone number, full date of birth, full address, or credit card information.

Once data is made public, it cannot be erased or changed, and it is openly accessible to anyone. Therefore, decentralized systems alone are not ideal for storing private information, due to inevitable and permanent loss of privacy.

They are part of the solution, though, as we will discuss in the following sections.

Is there a solution to this dilemma, then?

At the moment, SelfKey is actively working on and is committed to delivering an ideal solution to increase the adoption of SSID, using cutting-edge technology. 

In the next segments we will thoroughly discuss SelfKey’s proposed solution, which pertains to:

  • The Trust Triangle
  • The Three Pillars of self sovereign identity
  • Zero Knowledge Proofs

The Trust Triangle

Presently, we are accustomed to the traditional “peer-to-peer” interactions between identity owners and verifiers. To better facilitate the goals of SSID, a three-party system is proposed. In this triangle, two individuals that want to interact securely can rely on a third party to issue and to confirm the authenticity of their credentials.

For example:

  • We have individual A and individual B, two entities who are about to make an exchange. B has obtained their verifiable credentials (personal data that can be checked for validity) from C, a third, neutral party. C is legally permitted to vouch for B’s authenticity. 
  • B wants to make a purchase with A, but the services provided by A are age-restricted. Therefore, A must check with C if B legally qualifies to access that kind of service. 
  • In this case, there is only one specific inquiry that must be clarified: whether B is a legal adult. That is the only information that C will validate with A.
  • A does not have access to extra information that would otherwise be physically printed on an ID or a passport. This information can be name, full address, full date of birth, social security number, photos, etc. Basically, any identifier that B does not want to share with A or to divulge to the public.
  • This also eliminates the risk of A, if potentially ill-intended, retaining private information from B. There is no visible data for A to read and memorize. There is only C’s confirmation that B qualifies (or not) to purchase a service from A, without giving out specific details.

This applies to any kind of identifier which is needed to validate interactions between persons or companies. The risk of personal data being visible to individuals outside of the trust triangle is eliminated this way. And even within the trust triangle, only the minimum, relevant information will be shown or confirmed.

Agents of The Trust Triangle

The issuer is the entity that releases verifiable credentials after verifying the claims given by the holder. 

  • It is typically an institution, an organization or an individual who possesses the legal authority to verify and to vouch for the holder’s authenticity. 
  • Examples of issuers are governmental institutions, universities, departments, companies, agencies, authorities, training institutions, etc.
  • The issuer is a neutral party whose role is only to validate a claim in a holder-verifier transaction.

The holder (data owner) is the individual, a person, a company or an organization who owns unique, personal data.

  • The holder earns verifiable credentials after providing proof of authenticity to the issuer. 
  • The data owner will use those verifiable credentials to prove authenticity before benefiting from various services, making purchases or transactions.

The verifier (relying party) is the entity which verifies a holder’s verifiable credentials.

  • The relying party will need to verify only a specific piece of information. Only the bare minimum which is relevant to provide a service to the holder.
  • The verifier checks if the holder’s data is issued by a competent and legally authorized issuer.
  • The verifier makes sure that the holder’s data has not been tampered with, forged, expired or revoked. 

Trust in the digital world

What makes this triangle work is that the three parties are willing to trust one another. The element of trust is important, especially in a time where information forgery and theft happen quite frequently. But within a trust triangle, the user (or holder), has complete control over the management and visibility of their data.

As stated above, digital identities are the counterparts of physical identities that are verified through paper documents. The way trust works digitally is similar to the real, tangible world. However, the consequences of having personal information exposed to the public digitally are much greater. 

Having to trust a centralized database is more or less forced upon individuals. Otherwise they couldn’t benefit from services required to perform daily transactions, either for personal or professional gain. Within a trust triangle, SSID can facilitate these daily transactions without holders having to concede to “blind trust” and risking the safety of their personal data. 

The Three Pillars of Self Sovereign Identity

Within the trust-triangle framework, there are three main components, or “pillars”, that enable the realization of the ideal solution SSID is aiming to achieve:

  • Blockchains
  • Decentralized Identifiers
  • Verifiable Credentials

Blockchains 

A blockchain is a ledger which is shared across thousands of computers around the world. These computers act like nodes within a network, storing and verifying information in a way that makes it nearly impossible to modify or cheat the system.

Within a blockchain, data is saved like a compilation of records, linked to one another. Each user has a copy of this collection, which makes it particularly difficult for hackers to unlawfully modify the information stored within. 

To enhance security, data is protected using complex cryptography which, at the moment, cannot be deciphered by malicious parties. The blockchain will provide the security layer necessary for users and relying parties to interact within the SSID framework.

Decentralized Identifiers 

DIDs, for short, are the digital counterparts of physical documents, IDs, passports or licenses used to verify one’s identity.

What qualifies as an identifier is any kind of information that proves an individual’s identity and individuality. Traditionally, identifiers are issued and stored by centralized systems, such as governmental institutions and organizations.

Decentralized identifiers no longer depend on a central system to manage, issue, and store valuable, private information. They ensure that individuals are able to generate their own identifiers with the help of systems that they trust. Individuals can then use cryptographic proof, such as digital signatures, to authenticate their new identifiers as their own.

Decentralized identifiers are unique. They cannot be forged or stolen, because identity itself is unique and pertaining to only one individual. For example, a digital wallet address can be used as a decentralized identifier.

Verifiable Credentials 

Verifiable credentials are digital versions of physical, paper documents used by persons, businesses, and organizations to identify themselves. Individuals can also use them to prove that they are qualified to access a service or perform a transaction. 

Verifiable credentials include, but are not limited to: digital birth certificates, digital education certificates, digital licenses, digital employee identification cards.

Verifiable credentials are issued in a tamper-evident manner that is respectful of the individual’s privacy. Bad players cannot make any unauthorized attempt to modify or forge digital documents without leaving evidence behind. This is something that a relying party will verify at each check.
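The verifier checks listed under "Agents of The Trust Triangle" (authorized issuer, not tampered with, not expired, not revoked) and the tamper-evidence described here, shown as an added example that is not SelfKey's code: the issuer signs only the derived claim age_over_18, never the date of birth. A Lamport one-time hash signature stands in for the issuer's real signature scheme so the block runs on the Python standard library alone; the DIDs, field names and function names are constructed for illustration.

```python
import hashlib
import json
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen():
    # 256 pairs of random secrets; the public key is the hash of each secret.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A key pair must sign one message only.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def canonical(body: dict) -> bytes:
    # Stable byte encoding so issuer and verifier hash identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue(issuer_did, sk, holder_did, claims, cred_id, expires):
    body = {"id": cred_id, "issuer": issuer_did, "holder": holder_did,
            "claims": claims, "expires": expires}
    return {"body": body, "proof": lamport_sign(sk, canonical(body))}

def verify(cred, trusted_issuers, revoked_ids, required_claim, now):
    """Return "ok" or the reason the credential is rejected."""
    body = cred["body"]
    pk = trusted_issuers.get(body["issuer"])
    if pk is None:
        return "untrusted issuer"
    if not lamport_verify(pk, canonical(body), cred["proof"]):
        return "tampered or forged"
    if now >= body["expires"]:
        return "expired"
    if body["id"] in revoked_ids:
        return "revoked"
    if body["claims"].get(required_claim) is not True:
        return "claim not satisfied"
    return "ok"

# Constructed sample data (did:example is the reserved example DID method).
ISSUED_AT = 1_700_000_000
EXPIRES = ISSUED_AT + 365 * 86400
ISSUER_SK, ISSUER_PK = lamport_keygen()
TRUSTED = {"did:example:issuer-c": ISSUER_PK}
# The issuer checked the date of birth itself and signs only the predicate.
CRED = issue("did:example:issuer-c", ISSUER_SK, "did:example:holder-b",
             {"age_over_18": True}, "cred-001", EXPIRES)

if __name__ == "__main__":
    print(verify(CRED, TRUSTED, set(), "age_over_18", ISSUED_AT))
    forged = {"body": dict(CRED["body"], holder="did:example:other"),
              "proof": CRED["proof"]}
    print(verify(forged, TRUSTED, set(), "age_over_18", ISSUED_AT))
    print(verify(CRED, TRUSTED, {"cred-001"}, "age_over_18", ISSUED_AT))
```

A signed minimal claim like this limits what the verifier sees but is not a zero-knowledge proof, and a real verifier would also require the presenter to prove control of the holder identifier.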

In the physical world, a tamper-proof document would be sealed within multiple layers that are locked in a specific manner. If anyone attempts to open them, they cannot rearrange the layers in the original way. There is visible evidence that someone has unsealed and tampered with the document.

Holders can present such a tamper-proof document to issuers and be verified immediately. This makes onboarding even more convenient than what centralized services offer nowadays.

But how do individuals make use of these credentials? We believe that the answer to that question lies within Zero Knowledge flows detailed below.

Zero Knowledge

In the current context, the concept of zero knowledge simply means that a relying party (verifier) does not need any additional information, other than the necessary minimum, to confirm whether a data owner (holder) qualifies for the service they provide or not. 

Using the zero-knowledge proof method within a trust triangle, participants will benefit from secure interactions. This is because their full personal information does not need to be revealed in the majority of interactions. 

Let’s revisit our previous example but with ZK in mind:

  • Holder A wishes to access Verifier B’s services, which are age-restricted.
  • B needs to verify with Issuer C whether A qualifies for said services. 
  • C will confirm whether A is of age or not, without revealing the full date of birth, or specific age. Confirmation is expressed in the form of a ZK proof.
  • B will not have access to any kind of additional information, like location, actual date of birth, full name, full address, gender, etc. Likewise, B will not be retaining any data, because there will be no information for B to memorize or share outside of the interaction with A.

Conclusions

The quick progress of technology is both thrilling and anxiety-inducing. It can be challenging to adapt to these fast-paced changes. However, there will always be ways to combat the threat of being controlled by an ill-intended higher power. 

Self Sovereign Identity is keeping pace with this constant technological uprising, making sure to protect its users. It aims to maintain the ideal that there’s a choice that doesn’t trap individuals in exhausting, exploitative loops. 

Its goal is to continuously certify its users to reach their full professional and personal potential, and to restore each individual’s ability to be the sole controller of their PII in their digital lives.

SelfKey is restlessly working towards achieving ways for users to be able to safely engage with partners in an environment that is secure and neutral. At the moment, SSID is an ideal, a work in progress. And SelfKey has the potential to become the bridge that will take its users towards a much safer and empowering future. 

Stay up to date with SelfKey on Discord, Telegram, and Subscribe to the official SelfKey Newsletter to receive new information!

Note:

To the best of our knowledge, the information contained herein is accurate as of the date stated; however, the accuracy and completeness of the information are not guaranteed, and we disclaim any duty to update the information should circumstances change. You should not rely upon the information without conducting your own validation.

This communication is for informational purposes only and does not constitute an offer to sell, a solicitation to buy, or a recommendation for any digital asset, nor does it constitute an offer to provide investment advisory or other services. No reference to any specific digital asset constitutes a recommendation to buy, sell or hold such digital asset. Nothing here shall be considered a solicitation or offer to buy or sell any security, future, option or other financial instrument or to offer or provide any investment advice or service.
