
Trust and data protection: SSI potential regarding privacy

Behind the massive growth expected for Self-Sovereign Identity (SSI) in the coming years, analysts see in this technology the potential to fill existing gaps in users’ involvement in the management of their identities.

The first requirement is the growing need to restore the famous “layer of trust”, which is broken in the Internet world, reducing the security and reliability of transactions. According to a report published by Accenture [1], the lack of trust in the relationship between companies and customers costs global brands $2.5 trillion annually, as customers switch to more reliable competitors.

The second motivation, more relevant than ever, is the growing demand from global regulators that companies give priority to customers’ data protection. In a recent article [2] (beginning of 2020), Gartner analysts state that, within three years, 65% of the world’s population will have its personal information covered under modern privacy regulations, compared to 10% today.

Since the GDPR came into force at European level on 25 May 2018, more than 60 jurisdictions around the world have followed its example, enhancing or proposing postmodern privacy and data protection laws for their citizens.

From these perspectives, Self-Sovereign Identity would benefit both sides at once. The person/user, the first holder of the data, achieves full control over his or her identity, deciding whether and which certified attributes to make available to external parties, within a framework in which trust and data protection become the main elements.

SSI: data protection without intermediaries

As the graph proposed by Bernal Bernabé and colleagues [3] shows, Self-Sovereign Identity is the solution that, to date, best meets the data protection requirement.

Identity Management methods evolution over time, according to privacy preservation capabilities – Bernal Bernabé et al, 2019

By contrast, traditional centralized Identity Management solutions cannot be considered privacy-preserving, because they are exposed to several risks such as data breaches, identity theft and privacy concerns. These gaps have been partially filled by federated models of Identity Management, centred on the provision of Single Sign-On (SSO) services, which allow users to use the same identity across different platforms.

A further step came with the spread of the user-centric approach, in which the user gained, for the first time, a central position in the management of his or her identity. The problems that persisted regarding privacy, identity theft and data loss have been largely overcome by the model based on Self-Sovereign Identity, which combines a privacy-oriented approach with the guarantee that users have full control over their identity.

Blockchain technology, which underlies Self-Sovereign Identity, makes it possible to eliminate the need for a central institution acting as an intermediary, ensuring instead a pattern of trusted interactions made possible by cryptography and collaboration mechanisms.

In this sense, in GDPR terms, the user is no longer only the data subject, but would also become the controller of his or her identity and of the information connected to it.

Some analysts [4] even credit Self-Sovereign Identity with the potential to trigger a concrete global alignment with the principles proposed by the GDPR. In more detail, just as the European Regulation is focused on strengthening users’ right to data protection, so Self-Sovereign Identity gives the individual/user full control over his or her digital identity.

Moreover, just as the GDPR aims to guarantee the free movement of personal data within the single European market, so Self-Sovereign Identity promotes the free movement of information by building, by design, an additional layer of trust and autonomy around transactions.

SSI as a solution to unwanted identity correlation

By combining the need for trust with data protection, this technology makes it possible to tackle another issue in the world of digital identities, namely the problem of “unwanted identity correlation”. This is the widespread practice of associating, without the consent of the data subject, several pieces of information about his or her identity, collected from different platforms and linked by a common identifier (in most cases the same email address used for several registrations). Even the Identity Provider model, albeit with the user’s consent, represents a correlation point for digital identities, offering users convenience (a single ID and password) in exchange for correlation.

Every time a user logs in through the service of an Identity Provider, the Provider acquires further information related to the subject’s identity. Such inferential practices have, over time, caused a considerable loss of privacy for millions of users.

By contrast, the logic and purpose underlying the functioning and system design of Self-Sovereign Identity prevent correlation from being practiced, by ensuring that the decentralized identifiers (DIDs) are not correlatable.

Zero-Knowledge Proof and Selective Disclosure: the data minimization principle from an SSI perspective

In the world of Self-Sovereign Identity there are further mechanisms that help reduce users’ exposure of personal information, namely Zero-Knowledge Proofs and Selective Disclosure, both focused on the principle of data minimization.

With the first, thanks to advanced, privacy-oriented cryptography, it is possible to provide evidence of existing attributes concerning an entity (person, organization or thing) without actually revealing correlatable identifiers about that entity. In other words, a Zero-Knowledge Proof is the ability to prove a secret without revealing what the secret is. Similarly, through Selective Disclosure, a user who wants to present a piece of information (a claim) that is part of a Verifiable Credential can expose just certain information about the credential rather than the entire document.
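The selective disclosure described above, sketched as an added example (not code from the original article or from any SSI project): the issuer commits to each claim with a salted hash and signs only the digests, so the holder can reveal one claim and keep the rest private. This is salted-hash selective disclosure, not a zero-knowledge proof; the function names are hypothetical, and an HMAC with a shared key stands in for the issuer's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the issuer's signing key pair.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # Commitment to one claim; the random salt stops guessing of low-entropy values.
    blob = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _sign(digests):
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to each claim separately and sign only the digests."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(_digest(*d) for d in disclosures.values())
    # The disclosures (salt, name, value) never leave the holder's wallet unasked.
    return {"digests": digests, "signature": _sign(digests), "disclosures": disclosures}

def present(credential, reveal):
    """Holder: forward the signed digests plus only the chosen disclosures."""
    return {"digests": credential["digests"],
            "signature": credential["signature"],
            "disclosed": [list(credential["disclosures"][n]) for n in reveal]}

def verify(presentation):
    """Verifier: check the issuer signature, then each revealed claim's digest."""
    digests = presentation["digests"]
    if not hmac.compare_digest(_sign(digests), presentation["signature"]):
        return None  # digest list was not signed by the issuer
    revealed = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in digests:
            return None  # claim was altered or never issued
        revealed[name] = value
    return revealed

# Constructed sample credential (not real data).
CREDENTIAL = issue({"name": "Alice Example", "birth_date": "1990-04-01",
                    "over_18": True, "nationality": "IT"})

if __name__ == "__main__":
    print(verify(present(CREDENTIAL, ["over_18"])))
```

The signed digest list is identical in every presentation, so verifiers that compare records can still link them; avoiding that requires a separate credential per verifier or a zero-knowledge proof scheme.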

The possibility of not revealing correlatable identifiers, together with Zero-Knowledge Proofs and Selective Disclosure, definitely represents a relevant step forward in ensuring users’ right to the protection of personal data.

At this point, it is essential to remember that all personal information is and remains owned by the data subject, and will be stored only in his or her private Wallet, protected by advanced cryptographic mechanisms. Information that, directly or indirectly, enables the identification of a user as an individual cannot be stored on the blockchain.

Beyond what has been stated so far, several aspects still need to be explored and clarified before Self-Sovereign Identity technology can be defined as completely privacy-preserving.

During these years of transition toward a massive use of these tools, it is important to focus on optimizing effective measures for key management and recovery mechanisms, as well as on system interoperability and the methods through which users can exercise their data protection rights, in order to overcome the remaining frictions between blockchain technology and privacy regulations.

Nevertheless, it is evident that a thoughtful approach to Self-Sovereign Identity technology, careful above all to ensure users’ rights, can represent an important step forward in the management of digital identity, responding simultaneously to the needs for security, trust and compliance coming from the market and from regulators.

Sources:

[1] Exceed Expectations with Extraordinary Experiences, Accenture, 2018

[2] Gartner Predicts for the Future of Privacy 2020, Gartner, 2020 

[3] Privacy-preserving solutions for Blockchain: review and challenges, Bernal Bernabé et al., 2019

[4] Self-sovereign Identity: A position paper on blockchain enabled identity and the road ahead, Identity Working Group of the German Blockchain Association, 2018

SSI as a tool of GDPR compliance

Personal data are today one of the most valued goods on the market. Consequently, those who hold personal data can exercise considerable power over those to whom the data belong, in other words, the individuals to whom the data refer.
In the digital age, identity management has gone through an important process of evolution and revolution, moving from a centralized approach to an increasingly decentralized concept of identity.
For years, the notion of identity required the presence of an organization involved in the management of such personal data, placing the user in a subordinate position.
This point of view has been completely reversed with the advent of a new approach to identity management, driven by the notion of Self-Sovereign Identity. The person, the holder of the data, achieves full control over the identity, deciding whether and which certified attributes to make available to third parties.
As a result, the benefit is twofold: there is a gain in data security and in data flexibility, allowing the user to share only the necessary data (the minimum amount) for the specific purpose and without intermediaries.

SSI & GDPR: perspectives in comparison

The user-centric approach of Self-Sovereign Identity is fully in line with the one promoted by the General Data Protection Regulation (GDPR), which is also focused on the concepts of individual sovereignty and personal data security. Self-Sovereign Identity and GDPR are also aligned on the concepts of flexibility and free movement of data. SSI ensures and develops the free movement of certified attributes between individuals and entities, within a trusted environment. Similarly, GDPR insists on the free movement of personal data within the EU.
The similarities between the two perspectives become even more evident if we focus on the ten principles of Self-Sovereign Identity, outlined in 2016 by Christopher Allen.

    1. EXISTENCE: every digital identity always implies the existence of a real individual. The attributes that a person decides to share exist before, and independently of, the digital notion. In line with the approach of GDPR, identity is considered an inherently human concept, and personal data are and remain owned by individuals.
    2. CONTROL: the primary intent of Self-Sovereign Identity is to give control of identity attributes back to individuals. In the same way, GDPR gives individuals the right to express their will regarding data processing, granting or denying consent to the processing of information (art. 7-16-18 of the GDPR).
    3. ACCESS: Self-Sovereign Identity and GDPR (art. 15) agree that users should have the right to access their information and to manage their identity attributes easily. In order to avoid an incorrect use of personal data, Self-Sovereign Identity gives users the possibility to access their personal information without intermediaries.
    4. TRANSPARENCY: the algorithms and systems at the basis of identity networks must be open, transparent and freely available. Similarly, GDPR states that personal data processing must be lawful, intelligible and transparent. Moreover, the data subject needs to be aware of the purposes and methods of processing, through the Information Notice (art. 12-13-14 of the GDPR). Transparency becomes central for digital identity protection, and crucial in order to prevent unlawful processing of personal data.
    5. PERSISTENCE: a digital identity should follow the individual for his or her entire existence, or at least for as long as the user wants. As stated by Christopher Allen, this concept must not be considered in contrast with the “right to be forgotten” enshrined in the GDPR (art. 17). The user can dispose of the information at any time, requesting changes or cancellation. Two different concepts therefore arise: identity is persistent, whereas the attributes referring to that identity can be modified or revoked. The focus here is that the decision is up to the user, the first owner of the data.
    6. PORTABILITY: digital identity should be portable, so that the user can maintain control over his or her information at any time. If a third-party organization could centralize identity control, this would constitute a threat to the persistence that must be guaranteed to identities, representing a dangerous Single Point of Failure. Portability ensures that identity can be transferred and stored in several applications, at the user’s discretion. GDPR focuses on the same concept: personal data can move freely within the territory of the European Union, while remaining under users’ control (art. 1 of the GDPR).
    7. INTEROPERABILITY: this characteristic of Self-Sovereign Identity, closely related to the concepts of persistence and portability, reinforces the fact that identity should be considered on as large a scale as possible. Through the interoperability of management mechanisms, the identity can follow the user wherever he or she decides to move, beyond geographical boundaries. Albeit related only to EU territories, GDPR states the same principle with regard to personal data processing (art. 1 of the GDPR). Ensuring and protecting the free movement of data is the way toward the strengthening of subjects’ rights.
    8. CONSENT: GDPR (art. 4 and art. 7) and Self-Sovereign Identity converge on the idea that the user must give consent to data processing. This aspect enhances the autonomy and centrality of individuals, ensuring that they know where, for what purpose and to what extent their data is processed. Consent is therefore an essential element of identity protection, ensuring that users maintain a desirable level of privacy.
    9. MINIMIZATION: the disclosure of identity-related information must be kept to the minimum amount necessary for the specific purpose in place. Once again, Self-Sovereign Identity and GDPR move in the same direction. GDPR (art. 5 and art. 25) states that the data collected must be appropriate and relevant to the task. The collection of personal data must be limited to what is necessary for the purpose for which the data is processed.
    10. PROTECTION: users’ rights must be protected at all times. In case of conflict between the needs of an identity network and the needs of a user, the user’s rights have priority, because the individual has control over the data. Self-Sovereign Identity preserves identity owners’ rights, just as GDPR protects data subjects (art. 1 of the GDPR).

Given these similarities and synergies, it is evident that Self-Sovereign Identity can be an innovative and effective tool, able to promote the spirit and the purposes of the General Data Protection Regulation.


SSI: capabilities and future scenarios of a growing market

According to several important consulting firms, Self-Sovereign Identity is a tool capable of resolving the existing tensions between blockchain technology and GDPR, demonstrating how a thoughtful use of this technology may even result in an increase in compliance.
However, it is essential to follow several best practices of the sector, first of all the adoption of systems able to forbid or prevent the storage of personal data on-chain, in addition to carrying out a prior impact analysis case by case.
A recent report by Juniper Research estimates that the Self-Sovereign Identity market will reach a global turnover of 1.1 billion dollars from 2024. A significant acceleration is therefore expected in a relatively short time: the figure estimated for the same market at the end of 2020 is 100 million dollars, envisaging a growth of +1000% in just four years.
Underlying this exponential growth is the increasing importance of safeguarding the protection and security of digital identities.

All of this proves that security and privacy are no longer linked by a trade-off in which a gain in one necessarily means a loss in the other.
Through Self-Sovereign Identity it is possible to gain a simultaneous increase in both, protecting from the outset the user, who is and remains the owner of his or her identity and the attributes connected to it.