Bullish Case for Self-Sovereign Identity
This is the first part of the 2-part series covering self-sovereign identity technology. First part is covering the key problems that this technology is aiming to solve and how it is being achieved, and in the second part I’m focusing on the business model and go-to-market aspects.
The first step in every economic activity is to establish trust between economic actors. Here’s a few examples:
- For the buyer — trust in the manufacturer and seller
- For the retailer — customer’s ability to pay
- For the business — trust in their suppliers and contractors
- For an employer — employee’s skills and competencies
- For an airline — negative COVID test results of the passenger
- For an airline — gold status membership of the customer
- For an embassy — trusting that tourists will visit, behave and then leave
- For a bank — employment of the borrower
- For a bar — the age of the visitor
- For a pharmacy — the validity of customer’s prescription
…and thousands of other scenarios. Each of the tasks above is currently done in one of three ways:
- In person (I know you, thus I trust you)
- Via “paper trust” (formal document that you need to receive somewhere and bring to somebody else)
- Through isolated databases within organizations (and costly integration between them)
In this post I want to discuss a new approach to solving this problem that will radically reduce cost and increase the efficiency of trust building process.
Digital identity is a collection of assertions and claims regarding a person, an organization or a thing. Daily we interact with hundreds of online and offline applications, such as Google, Facebook, Bitcoin, e-government service, local grocery store, hospital or university. Each one of those has its own isolated data storage as well as trust and reputation system which is not really in our, users, control.
It is estimated that the average internet user has about 70 online identities. Each one of those services stores the user’s password and personal information in centralized databases. If they are hacked you as a user won’t even know if your personal data is stolen. Moreover, most of those legacy systems don’t even have technical capabilities to provably delete your data.
But most importantly: while we’re inside Facebook, Google or Amazon’s world we can have a trusted identity, build up a reputation and use it to prove things about ourselves. But how can I make sure this data is usable in different contexts? How can I own and reuse my online reputation when applying for a loan or a job? How can I share my educational credentials with anyone in just one tap? How do I ensure no one has access to my medical records but still have an option to share it quickly with my doctor?
Self-Sovereign Identity Value Propositions
The promise of SSI (self-sovereign identity) technology is to create universal portable lifelong digital identities and credentials that do not rely on centralized providers. The economic benefits of this tech can be realized through some of unique properties that SSI has:
- Reducing the cost of issuance and verification of documents: $1 for print, delivery, storage and verification of a typical paper document vs ~$0.01 for digital verifiable credential
- Data standardization: portable and universal data standards instead of paper-based or point-to-point API integrations
- Drastically decrease the possibility of fraud: cryptographic signatures are hundred times more secure than physical ones; decentralized encrypted storage is not as vulnerable as centralized gigantic databases
- Unification of contexts: data from multiple sources can be combined programmatically to prove not only the content but also the audit trail of that data
- Instant data privacy compliance: end customers are ultimately own and control access to their data, which makes SSI systems instantly complaint with most data protection regulations
- Hyper-personalization: end customers are able to build their lifelong portfolio of preferences or achievements and use it to get a hyper-personalized service.
What are the core problems we are solving?
One major reason for technology companies and products not being successful is that they start with some cool new technology and then try to find the right problem to solve. This is why many blockchain or VR companies have failed in the past. For SSI we can identify four major problems:
Siloed data → Need for the new type of documents
Highly connected digital world requires a new type of documents — the one that is open and free for anybody to use, natively digital, available on your phone or PC, permanent, provable and does not require vendor lock in.
Instead of having multiple trust domains like your social network, bank or government SSI offers a portable and universal solution that can unite all those applications and enable seamless data sharing across all of them. Machine-readability and pre-defined standards make it not only easier to adopt but also much cheaper to maintain and evolve. Unlike traditional ways of setting up hundreds and thousands of APIs, with SSI you only need to define a document schema once and it becomes instantly available to any 3rd party. In addition to that, even though schemas are public any personal data is only shared after explicit consent of the holder.
Another benefit of unifying isolated data storage systems is that we’re suddenly making raw and useless data very actionable. Factory worker always getting to work on time can prove his punctuality to future employer. Thousands of completed assignments by a school child can be used to build a personalized learning trajectory for when she goes to high school.
Inefficient document processing → Need for the new bureaucracy system
Value of the credential is usually not in the content of that document but the services, products and possibilities that become open for its owner. For example, educational credentials might be required to find a job or get a scientific research grant; financial data is needed to get a credit card or open up a corporate bank account; driving license allows you to buy beer at the local bar and your passport is needed to travel freely around the world.
To provide those services faster and in more convenient fashion we need to automate bureaucracy systems so that verification, stacking of credentials and acting upon those presented documents is done by the algorithm rather than a person. This will streamline and speed up the process as well as solve some of the corruption / discrimination / personal bias problems.
Moreover, as more and more bureaucracy systems are using verifiable credentials and SSI, the trust created in the process can become transitive. For example, once a bank does a KYC check and background check the result of this operation can be used to get another service with a different organization given that the second provider is trusting the bank to do a good job.
Fragmented data standards → Data standardization & semantic web
To scale and automate existing trust systems even further we need a shared standard that is native for both humans and machines. As more and more document issuance and verification is happening through software, the need for machine-readable universally standardized data formats is growing. Existing digital document types like PDF or paper document scan is very hard to navigate for software and can produce high levels of errors. Good news is that verifiable credentials is a natively digital semantic and cryptographically secured format.
Data standardization is also solving the problem of integration between various data providers and verifiers. Instead of building one-to-one API integrations which is costly and time consuming, the whole industry or country can agree on using a shared data format enabled by verifiable credentials.
Privacy concerns → Growing role of privacy
There’s a growing attention to the user data privacy coming both from end users as well as regulators. Businesses need to take into account regulatory requirements such as CCPA, GDPR, FISMA, EFF and many more similar regulations in other geographies. It is estimated that GDPR compliance will cost Fortune Global 500 companies $7.8 billion a year, and initial CCPA compliance will cost US businesses $55 billion. SSI technology enables all required privacy features out of the box: transparent data usage, right to be forgotten, data usage audit trail and consent management via VCs.
In the digital era SSI seems like the most elegant and the easiest solution to the surveillance capitalism problem. If only the user is able to control their personal data and choose whom to share it with and when to revoke access — this data can’t be used maliciously. Internet companies won’t be able to monetize their users without explicit consent or profit sharing. Incentives for online businesses shift from maximizing what they know about the users to providing better service.
How does it all work?
First two key concepts you need to understand about SSI are DIDs (decentralized identifiers) and VCs (verifiable credentials).
Decentralized Identifier (DID)
DID is just a machine-readable identifier of any person, organization or a thing. Owners can prove their control over digital identity and issue or receive verifiable credentials on behalf of it. Each user can have multiple identifiers (one for business, one for government and one for close friends) and it’s usually free and very easy to generate and control those.
Verifiable Credential (VC)
Verifiable credentials are documents and facts that were issued by one specific DID (issuer) and then transferred to another one (holder). Issuer and holder can be the same entity, although usually this is not the case. Verifiable credentials can be a very simple piece of information like proof of email, phone number or address but it can also be a very complicated structure like your full bank statement or travel history, depending on the use case.
I have a separate article on the SSI products taxonomy where I go into details of what exact product the SSI industry has and needs. However, to give a short description of how this actually works we can think of SSI ecosystem as 4 major parts. Traditional use cases of SSI would start with the issuer (government, university, hospital, bank) issuing some type of credential to the holder. Holder then takes this digital verifiable credential (VC) and presents it to the verifier in order to receive service (e.g. provide diploma transcript to the employer, providing bank statement to the landlord, providing COVID test result to the airline).
In order for data to originate in the system there has to be a set of tools for data providers and issuers to convert, sign and issue verifiable credentials to the holder. This can be done manually or automatically via integration with existing software.
Holder typically uses some kind of digital wallet (mobile, in browser or just in their email inbox) to store, manage and share credentials and identity information.
Verifiers need tool to specify what kind of data and from which issuers do they want to get in order to provide services to holders.
Three systems described above need some kind of glue to tie it all together. This includes network protocol as well as trust framework that will make sure that all three parties can trust each other’s cryptographic signatures. In addition, in some use cases this also has to be tied with existing regulatory frameworks regarding use of digital signatures, data privacy and storage or personally identifiable information.
The system described above is not very different from traditional electronic document management systems like Docusign. The only clear distinction is that there’s no direct link between Issuer and Verifier, meaning that Verifier does not need to explicitly send requests and verify information with the Issuer. Rather, all the required details to make sure that provided credentials are authentic are already baked into the VC. Now, let’s explore how we can decentralize this system and what benefits does the decentralization bring.
Second part of this story is focusing on answering the question “What are some limitations and opportunities for making profitable business in self-sovereign identity?”
> Second part.