Almost every day, it seems, there is a new revelation about how our personal data is being mishandled by those to whom we entrust it.
Recently, we learned how Facebook had given device makers access to the private data of millions of users, and then “failed to police” how its partners used that data. That follows news of a combination of bugs in several of its services that left the accounts of more than 30 million users exposed to hackers for over a year.
Nor is it just Facebook. We also recently learned that a flaw at Google+ had left user data exposed since 2015. This followed the leaks at Equifax, Uber, Target, Yahoo and the rest. The list of serious data breaches appears endless at this point.
While these are major betrayals of our trust, it would be a mistake to place the blame solely at the doors of these companies. The root of the problem lies rather with the outdated technologies we use to manage personal data and identity online. The good news is that there is an alternative in the works. It’s known as "self-sovereign identity" and it's a big deal.
A great leap forward for identity
Really a collection of technologies and methods, self-sovereign identity is the next step in the evolution of digital identity and personal data management.
It builds on advances in hardware and software that make it possible for users to control their own online identities and personal data, removing the need to trust someone else to do it for them.
These advances include new generation smartphones powerful enough to serve as personal identity platforms; new techniques in cryptography – in particular the invention of the blockchain – that make user-controlled identity and data feasible; and new standards, including decentralised identities (DIDs), to help make this work at scale.
With SSI we can build the digital equivalents of the physical proofs of identity, like our driver’s licenses or passports, that we keep in our wallets or desk drawers today. The main differences are: a) they are completely owned by the individual, residing in digital "wallets" or folders on our phone or PC, b) they are far harder to forge than their analogue counterparts, and c) they are more flexible and easier to use.
In the self-sovereign identity paradigm, when it comes time to authenticate ourselves or provide data online, instead of creating a new account or asking Facebook Connect to log us in, we simply present our appropriate digital credentials. The site can easily check if these credentials are valid, and we can then grant access to our data.
This has a number of benefits.
With self-sovereign identity we can make our personal data more secure. In future we won't have to entrust the keys to our digital lives to a large corporation like Facebook, Google or anyone else.
We can also better protect our privacy by being able to grant and revoke access to our data at will, and having far more choice as to how much information we disclose for a given transaction. For example, to buy wine online we only have to prove to the merchant that we are old enough to purchase alcohol, not what our actual birthday is; self-sovereign identity would make this possible to do. By ensuring businesses are only able to access information relevant to a given transaction, self-sovereign identity could also mitigate the potential damage caused by a data breach, or by the behaviour of an aggressive actor.
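The wine-merchant case above, as an added example that is not from the original article or from any SSI product: an issuer signs salted hashes of each claim, the wallet reveals only `age_over_18`, and the merchant verifies it without ever seeing the birthdate. The scheme is a simplified salted-hash design; the function names, claim names and sample data are assumptions, and it omits holder binding, replay protection and revocation.

```javascript
const crypto = require('node:crypto');

// Commitment to one claim: SHA-256 over a random salt, the claim name and its value.
function digest(salt, name, value) {
  return crypto.createHash('sha256')
    .update(JSON.stringify([salt, name, value])).digest('hex');
}

// Issuer: signs only the sorted list of claim digests, never the raw values.
function issueCredential(claims, issuerPrivateKey) {
  const disclosures = {};
  for (const [name, value] of Object.entries(claims)) {
    disclosures[name] = { salt: crypto.randomBytes(16).toString('hex'), value };
  }
  const digests = Object.entries(disclosures)
    .map(([name, d]) => digest(d.salt, name, d.value)).sort();
  const sig = crypto.sign(null, Buffer.from(JSON.stringify(digests)), issuerPrivateKey);
  return { digests, signature: sig.toString('base64'), disclosures };
}

// Holder (wallet): reveals only the chosen claims, together with their salts.
function present(credential, names) {
  const revealed = {};
  for (const n of names) {
    if (credential.disclosures[n]) revealed[n] = credential.disclosures[n];
  }
  return { digests: credential.digests, signature: credential.signature, revealed };
}

// Verifier (merchant): checks the issuer's signature over the digest list, then that
// every revealed claim hashes to a signed digest. Returns verified claims or null.
function verify(presentation, issuerPublicKey) {
  const ok = crypto.verify(null, Buffer.from(JSON.stringify(presentation.digests)),
    issuerPublicKey, Buffer.from(presentation.signature, 'base64'));
  if (!ok) return null;
  const claims = {};
  for (const [name, d] of Object.entries(presentation.revealed)) {
    if (!presentation.digests.includes(digest(d.salt, name, d.value))) return null;
    claims[name] = d.value;
  }
  return claims;
}

// Constructed sample data: a hypothetical issuer key pair and credential.
const issuer = crypto.generateKeyPairSync('ed25519');
const credential = issueCredential(
  { name: 'Alice Example', birthdate: '1990-04-01', age_over_18: true }, issuer.privateKey);
const shown = present(credential, ['age_over_18']);
console.log(verify(shown, issuer.publicKey)); // the only claims the merchant learns
```

The per-claim random salt is what stops the merchant from guessing the hidden birthdate by hashing candidate dates against the signed digests.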
As well as being safer and more private, this technology should also make using the Internet more convenient. Self-sovereign identity means we won’t have to set up a new account and password for every new site we visit, and may one day lead to a “passwordless Internet”. It also makes it much easier to update our data across all our sites. Gone will be the days of having to reenter credit card or address information on all our websites every time we open a new account or move house: we can simply make a one-time update of our digital ID, and the job is done.
With self-sovereign identity it will also be easy to make verified "ID cards" for all sorts of things, both those we are used to and those we are not. From proof of address, age or citizenship to membership in a local club, almost anyone will be able to issue a bona fide credential that we could then use at will. This could open a whole new world of applications for digital identities and personal data, with intriguing possibilities.
On the brink
While self-sovereign identity is still in its early days, it is more than just theory. Working solutions already exist: the city of Zug in Switzerland offered Ethereum blockchain-based digital identities as an option to residents, and the Swiss national railway recently piloted the use of self-sovereign identity in tracking the credentials of its contractors and employees doing work on the tracks.
That said, most people downloading a digital identity wallet today would find its uses limited. This is set to change. We think self-sovereign identity is a technology on the brink of mass adoption, and represents one of the most important developments in the ongoing efforts to improve the World Wide Web.
For anyone who has had their data exposed online – which likely means almost everyone at this point – this should come as good news.
Tom Lyons, Executive Director, ConsenSys Research and Advisory, Switzerland
Rouven Heck, Co-Founder and the Project Lead, Digital Identity Platform (uPort), ConsenSys