By Emily Fry and Elizabeth M. Renieris
Despite numerous predictions by industry analysts that “self-sovereign identity” (or “SSI”) would be a key trend by now, in reality there is still limited adoption outside of research labs and proofs of concept. As two industry experts in the SSI space, we are here to argue that it’s time we stop talking about “self-sovereign identity” if we want to make any meaningful changes to identity management for the benefit of individuals. Not only is the term itself misleading, and often polarizing, but the zealous attachment to “self-sovereign identity” overshadows the core innovation of the future of identity management—full data portability.
While definitions of the term vary, the basic idea behind “self-sovereign identity” is to enable a model of identity management that puts individuals at the center of their identity-related transactions, allowing them to manage a host of identifiers and personal information without relying upon any traditional kind of centralized authority. One emerging school of SSI relies upon the combination of distributed ledger technology (often a blockchain) and the use of decentralized identifiers, as well as other technical standards under development by the World Wide Web Consortium (W3C), and is sometimes also known as “decentralized identity.”
SSI advocates are ardent and impassioned, often using hyperbolic language to characterize self-sovereign identity as a revolution, the foundation of the next Web, a panacea for privacy, and even the solution to child labor, emphasizing specific technologies like blockchain and ideologies like decentralization. They cite from the same hymn sheet of SSI Principles by Christopher Allen. In the past we have cited these too, but in the future we question whether it is wise to do so. With the term at peak popularity, and large corporates, governments, and other key players exploring what it means, it is time we bring a set of realistic expectations to the table and focus on what will really change the individual’s experience for the better.
Governments and other stakeholders exploring SSI are less interested in ideology and more interested in improving the user experience for their customers and constituents. They want to increase access to services, improve service delivery, and safely digitalize interactions, while mitigating privacy and data security-related risks. The key to these objectives lies in full data portability—this means granting individuals robust legal rights, as well as straightforward technical tools and capabilities, to manage and use identity credentials and other personal data with more trust, confidence and ease, so that they can share medical records with a new doctor, port professional credentials to a new employer, and the like.
SSI is focused on the technical tools and capabilities for data portability but offers little by way of legal architecture. Despite bold claims about the legal implications of SSI, often by technologists and other non-lawyer advocates, SSI introduces new technology but has no impact on legal rights or privileges. For example, while it might enable technical portability of credentials (at least theoretically, the market will determine who will accept them), it has no impact on rights to portability under new and emerging regulations like the GDPR or the CCPA. SSI does not address the challenging questions of risk mitigation, liability allocation, or enforcement or redress mechanisms—all things requiring new or modified legal solutions.
One example of an emerging legal solution to solve for the non-technical dimensions of full data portability is the notion of a trust framework. A trust framework necessarily lifts cryptographic and other technical trust mechanisms into a coherent set of legal, business, technical (and we argue, ethical) rules. Its purpose can be boiled down quite simply—to ensure that technical tools are developed and deployed in a manner that does in fact support the coherent individual end-user experience and legal protections we all want.
The assumption that regulations will remain relevant and in place for long periods of time has been upended. Trust frameworks must evolve and adapt in order to foster innovation. But don’t let that mislead you. Trust frameworks can and should have teeth, placing appropriate legal obligations on entities to adhere to particular standards or rules, with repercussions for breach and actual mechanisms for enforcement. This means they must inevitably address questions of liability.
To date, digital intermediaries have famously resisted governance, claiming that because they control the tools, they can also sort out the problems without regulatory intervention. We know the existing and potential future repercussions, so let us not make the same mistakes again. Trust frameworks are a mechanism by which to address policy concerns from the outset—providing guidance within a legal architecture. A number of governments, including New Zealand, are exploring this approach, though few have taken on the hard questions of risk mitigation, liability allocation, enforcement and redress.
Time is of the essence. We hope that this discussion will serve as a reminder to look up from debates on terminology and refocus on the outcome we all actually want—meaningful and universal data portability facilitated by technology but also, critically, backed by law. Without state-of-the-art legal architecture, SSI is just a techno-utopian pipedream.
Authors
Emily Fry is the head of Digital Trust at MATTR, a New Zealand-based company developing open standards, technical infrastructure, and software for better Digital ID. She specializes in bridging law, technology, and policy through innovative legal architectures.
Elizabeth M. Renieris is the Founder & CEO of HACKYLAWYER, specializing in law and policy engineering. She’s a privacy lawyer (CIPP/E, CIPP/US), identity expert, and a fellow at the Berkman Klein Center for Internet & Society at Harvard University, where she researches data governance frameworks for the digital age.