Trust and data protection: SSI potential regarding privacy

Behind the massive growth expected for Self-Sovereign Identity (SSI) in the coming years, analysts see in this technology the potential to fill existing gaps in users’ involvement in the management of their identities.

The first requirement is the growing need to restore the famous “layer of trust”, which is broken on the Internet, reducing the security and reliability of transactions. According to a report published by Accenture [1], the lack of trust in the relationship between companies and customers costs global brands $2.5 trillion annually due to customers switching to more reliable competitors.

The second motivation, more relevant than ever, is the growing demand from global regulators that companies give priority to customers’ data protection. In a recent article [2] (beginning of 2020), Gartner analysts state that, within three years, 65% of the world’s population will have its personal information covered under modern privacy regulations, compared to 10% today.

After the advent of the GDPR at European level, which came into force on 25 May 2018, more than 60 jurisdictions around the world have followed this example, enhancing or proposing postmodern privacy and data protection laws for their citizens.

From these perspectives, Self-Sovereign Identity would benefit both sides at once. The person/user, as first holder of the data, achieves full control over his or her identity, deciding whether and which certified attributes to make available to external parties, within a framework in which trust and data protection become the main elements.

SSI: data protection without intermediaries

As the graph proposed by Bernal Bernabé and colleagues [3] shows, Self-Sovereign Identity is the solution that, to date, best meets the data protection requirement.

Identity Management methods evolution over time, according to privacy preservation capabilities – Bernal Bernabé et al., 2019

By contrast, traditional centralized Identity Management solutions cannot be considered privacy-preserving, because they are exposed to risks such as data breaches, identity theft and privacy concerns. These gaps were partially filled with the advent of federated models of Identity Management, centred on the provision of Single Sign-On (SSO) services, which allow users to use the same identity across different platforms.

A further step was made with the spread of the user-centric approach, with which the user gained for the first time a central position in the management of his identity. The problems that persisted regarding privacy, identity theft and data loss have been significantly overcome by the model based on Self-Sovereign Identity, which combines a privacy-oriented approach with the guarantee that users have full control over their identity.

Blockchain technology, which underlies Self-Sovereign Identity, eliminates the need for a central institution acting as intermediary, ensuring instead a pattern of trusted interactions made possible by cryptography and collaboration mechanisms.

In this sense, according to the GDPR classification, the user is no longer only the data subject, but would also become the controller of his identity and of the information connected to it.

Some analysts [4] even credit Self-Sovereign Identity with the potential to trigger a concrete global alignment with the principles proposed by the GDPR. In more detail, just as the European Regulation is focused on strengthening users’ right to data protection, Self-Sovereign Identity gives the individual/user full control over his digital identity.

Moreover, just as the GDPR aims to ensure the free movement of personal data within the single European market, Self-Sovereign Identity promotes the free movement of information by building, by design, an additional layer of trust and autonomy around transactions.

SSI as a solution to unwanted identity correlation

By combining the need for trust and data protection, this technology makes it possible to tackle another issue in the world of digital identities, namely the problem of “unwanted identity correlation”. This is the widespread practice of associating, without the consent of the data subject, several pieces of information about his/her identity, collected from different platforms and united by a common identifier (in most cases the same email address used for several registrations). Albeit with consent, even the Identity Provider model represents a correlation point for digital identities, giving users convenience (a single ID and password) in exchange for correlation.

Every time a user logs in through the service of an Identity Provider, the Provider acquires further information related to the subject’s identity. Such inferential practices have caused over time a considerable loss of privacy for millions of users.

By contrast, the logic and purpose underlying the functioning and system design of Self-Sovereign Identity prevent correlation from being practiced, by ensuring that the decentralized identifiers (DIDs) are not correlatable.
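The correlation problem described above, and the effect of per-relationship identifiers, as an added example that is not part of the original article. The data is constructed, and deriving each identifier with HMAC from a wallet secret is an assumption made for illustration; the article does not say how non-correlatable DIDs are produced.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: attributes three unrelated services hold about
# the same person.
SERVICES = {
    "bookshop": "reads oncology titles",
    "pharmacy": "monthly prescription",
    "travel": "flies to Zurich every month",
}

def shared_identifier(wallet_secret: bytes, service: str) -> str:
    """Legacy model: the same e-mail address is registered everywhere."""
    return "alice@example.org"

def pairwise_identifier(wallet_secret: bytes, service: str) -> str:
    """Assumed scheme: one pseudonymous identifier per relationship, derived
    from a secret that never leaves the wallet (did:example is a placeholder)."""
    tag = hmac.new(wallet_secret, service.encode(), hashlib.sha256).hexdigest()
    return "did:example:" + tag[:32]

def build_records(id_scheme, wallet_secret: bytes) -> list:
    """Rows as each service would store them: identifier plus attribute."""
    return [
        {"service": name, "subject": id_scheme(wallet_secret, name), "attribute": attr}
        for name, attr in SERVICES.items()
    ]

def correlate(records: list) -> dict:
    """Pool the rows and keep every identifier seen at more than one service."""
    profiles = defaultdict(list)
    for row in records:
        profiles[row["subject"]].append(row["attribute"])
    return {subject: attrs for subject, attrs in profiles.items() if len(attrs) > 1}

if __name__ == "__main__":
    secret = b"constructed-wallet-secret"
    print(correlate(build_records(shared_identifier, secret)))    # one merged profile
    print(correlate(build_records(pairwise_identifier, secret)))  # nothing to join on
```

Unlinkable identifiers remove only the join key: an attribute disclosed in the clear, such as a full name or a document number, can still act as one.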

Zero-Knowledge Proof and Selective Disclosure: the data minimization principle from an SSI perspective

In the world of Self-Sovereign Identity there are further mechanisms that help reduce users’ exposure of personal information, namely Zero-Knowledge Proofs and Selective Disclosure, both focused on the principle of data minimization.

With the first, thanks to an advanced and privacy-oriented cryptographic system, it is possible to provide evidence of existing attributes concerning an entity (person, organization or thing) without actually revealing correlatable identifiers about that entity. In other words, a Zero-Knowledge Proof is the ability to prove a secret without revealing what the secret is. Similarly, through Selective Disclosure, a user who wishes to present a piece of information (claim) that is part of a Verifiable Credential can expose just certain information about the credential rather than the entire document.

The possibility of not revealing correlatable identifiers, added to the concepts of Zero-Knowledge Proofs and Selective Disclosure, definitely represents a relevant step forward in ensuring users’ right to the protection of personal data.

At this point, it is essential to remember that every piece of personal information is and remains owned by the data subject, and will be stored only in his private Wallet, protected by advanced cryptographic mechanisms. Information that, directly or indirectly, enables the identification of a user as an individual cannot be stored on the blockchain.

Beyond what has been stated so far, there are still several aspects which need to be explored and clarified before Self-Sovereign Identity technology can be defined as completely privacy-preserving.

During these years of transition toward massive use of these tools, it is important to focus attention on the optimization of effective measures in the field of key management and recovery mechanisms, as well as on system interoperability and the methodologies through which users can exercise their data protection rights, in order to overcome the remaining frictions between blockchain technology and privacy regulations.

Nevertheless, it is evident that a thoughtful approach to Self-Sovereign Identity technology, primarily careful to ensure users’ rights, can represent an important step forward in the management of digital identity, by responding simultaneously to the needs of security, trust and compliance coming from the market and from the regulators.

Sources:

[1] Exceed Expectations with Extraordinary Experiences, Accenture, 2018

[2] Gartner Predicts for the Future of Privacy 2020, Gartner, 2020

[3] Privacy-preserving solutions for Blockchain: review and challenges, Bernal Bernabé et al., 2019

[4] Self-sovereign Identity: A position paper on blockchain enabled identity and the road ahead, Identity Working Group of the German Blockchain Association, 2018