Legal

By Emily Fry and Elizabeth M. Renieris

Despite numerous predictions by industry analysts that “self-sovereign identity” (or “SSI”) would be a key trend by now, in reality there is still limited adoption outside of research labs and proofs of concept. As two industry experts in the SSI space, we are here to argue that it’s time we stop talking about “self-sovereign identity” if we want to make any meaningful changes to identity management for the benefit of individuals. Not only is the term itself misleading, and often polarizing, but the zealous attachment to “self-sovereign identity” overshadows the core innovation of the future of identity management—full data portability.

While definitions of the term vary, the basic idea behind “self-sovereign identity” is to enable a model of identity management that puts individuals at the center of their identity-related transactions, allowing them to manage a host of identifiers and personal information without relying upon any traditional kind of centralized authority. One emerging school of SSI relies upon the combination of distributed ledger technology (often a blockchain) and the use of decentralized identifiers, as well as other technical standards, under development by the World Wide Web Consortium (WC3), and is sometimes also known as “decentralized identity.”

SSI advocates are ardent and impassioned, often using hyperbolic language to characterize self-sovereign identity as a revolution, the foundation of the next Web, a panacea for privacy, and even the solution to child labor, emphasizing specific technologies like blockchain and ideologies like decentralization. They cite from the same hymn sheet of SSI Principles by Christopher Allen. In the past we have cited these too, but in the future we question whether it is wise to do so. With the term at peak popularity, and large corporates, governments, and other key players exploring what it means, it is time we bring a set of realistic expectations to the table and focus on what will really change the individual’s experience for the better.

Governments and other stakeholders exploring SSI are less interested in ideology and more interested in improving the user experience for their customers and constituents. They want to increase access to services, improve service delivery, and safely digitalize interactions, while mitigating privacy and data security-related risks. The key to these objectives lies in full data portability—this means granting individuals robust legal rights, as well as straightforward technical tools and capabilities, to manage and use identity credentials and other personal data with more trust, confidence and ease, so that they can share medical records with a new doctor, port professional credentials to a new employer, and the like.

SSI is focused on the technical tools and capabilities for data portability but offers little by way of legal architecture. Despite bold claims about the legal implications of SSI, often by technologists and other non-lawyer advocates, SSI introduces new technology but has no impact on legal rights or privileges. For example, while it might enable technical portability of credentials (at least theoretically, the market will determine who will accept them), it has no impact on rights to portability under new and emerging regulations like the GDPR or the CCPA. SSI does not address the challenging questions of risk mitigation, liability allocation, or enforcement or redress mechanisms—all things requiring new or modified legal solutions.

One example of an emerging legal solution to solve for the non-technical dimensions of full data portability is the notion of a trust framework. A trust framework necessarily lifts cryptographic and other technical trust mechanisms into a coherent set of legal, business, technical (and we argue, ethical) rules. Its purpose can be boiled down quite simply—to ensure that technical tools are developed and deployed in a manner that does in fact support the coherent individual end-user experience and legal protections we all want.

The assumption that regulations will remain relevant and in place for long periods of time has been upended. Trust frameworks must evolve and adapt in order to foster innovation. But don’t let that mislead you. Trust frameworks can and should have teeth, placing appropriate legal obligations on entities to adhere to particular standards or rules, with repercussions for breach and actual mechanisms for enforcement. This means they must inevitably address questions of liability.

To date, digital intermediaries have famously resisted governance, claiming that because they control the tools, they can also sort out the problems without regulatory intervention. We know the existing and potential future repercussions, so let us not make the same mistakes again. Trust frameworks are a mechanism by which to address policy concerns from the outset—providing guidance within a legal architecture. A number of Governments, including New Zealand, are exploring this approach, though few have taken on the hard questions of risk mitigation, liability allocation, enforcement and redress.

Time is of the essence. We hope that this discussion will serve as a reminder to look up from debates on terminology and refocus on the outcome we all actually want— meaningful and universal data portability facilitated by technology but also, critically, backed by law. Without state-of-the-art legal architecture, SSI is just a techno-utopian pipedream.

Authors

Emily Fry is the head of Digital Trust at MATTR, a New Zealand based company developing open standards, technical infrastructure, and software for better Digital ID. She specializes in bridging law, technology, and policy though innovative legal architectures.

Elizabeth M. Renieris is the Founder & CEO of HACKYLAWYER, specializing in law and policy engineering. She’s a privacy lawyer (CIPP/E, CIPP/US), identity expert, and a fellow at the Berkman Klein Center for Internet & Society at Harvard University, where she researches data governance frameworks for the digital age.

What do you do in the world of identity?

I work in internet policy advocacy. In 2016 I began a fellowship to look specifically at internet shutdowns during Ugandan and Kenyan elections, as it had become a normal part of sub-Saharan African elections. Over time it’s become more and more apparent that a government would not shut down the internet because they were using it for their own political ends, which has focused my interest in data and how it migrates between private to public data bases and vice versa.

You’ve been giving evidence in a court case in Kenya, what’s been happening with digital identity there?

The case is against the Kenyan government’s digital identity scheme, Huduma Namba. The first one main point of contention is exclusion. Registration of the program is dependent on a person having a primary identification document like a birth certificate or a national identity, which can then be presented for biometric enrolment. There are a number of groups, particularly border communities that have historically been marginalised, never had birth certificates and are totally excluded. Border communities are the people are most in need of government services and yet the system is designed to be the sole means to access them.

The second big issue is the design of the system, as all the data is stored in a centralised database. There was no comprehensive data protection law in Kenya and yet there was no public discourse on what that means for social welfare services, or services that are provided for people, healthcare and for people receiving treatment for HIV. A lot of the NGOs/non-profits who work in identity inclusion have been working with people who are at risk of statelessness for a number of years, which brings up conversations on digital rights and data protection law. There was a sense of betrayal as people have been talking to parliament and government committees to get this legislation in place, but the digital identity programme was an omnibus bill containing 54 amendments, so there was no opportunity to discuss the implications.

How has the court case affected the scheme?

When the court case started the government was ordered to stop using the data, which they have done. That’s positive as there’s a fear it would be exported to another country. They haven’t fully stopped the enrolment, instead it’s been made voluntary. Unfortunately the marketing of the project has meant a lot of people enrolled. Huduma means service, so it was communicated as a new scheme that would enable you to get government services, something that most people find really difficult. They have to use intermediaries or travel from one part of the country to another, so there was hope this would solve their problems. It’s particularly important for anybody who’s at risk of statelessness, for example the Nubians. For a Nubian child to get an ID, they need to show the ID of their parents and grandparents, so anyone who’s at risk in that sense was the first to sign up for a permanent record of their documentation and nationality. Today the reality is if you lose your ID, you’re risking your children ever getting an ID as the process for getting a new one is so complicated. We put the cart before the horse by attempting to implement a big project without first making a comprehensive policy. The court case should take everybody back to the drawing board and there will have to be some transparency and involvement of more players.

How did you end up in the identity space?

I’ve always been into politics and then when following the election, it was interesting how politics and technology intersect. People would receive messages that were targeted to them because of their tribal names, which is effective because for a long time our politics have been mobilised on an ethnic bias. These messages weren’t as extreme as hate speech or anything that’s outlawed, but they were targeted. That is fascinating because we’re getting to a point where even democratic processes are being redefined by technology in a way that has never been anticipated in current laws. It’s really hard to say that political parties broke any rules, because a lot of them were religious, poems or Bible verses about leadership, but they were tweaked to touch the emotions of tribal politics.

How do political parties have access to people’s names and contact details?

There’s a detailed voter register that has contact details and voting stations and so on. It’s a requirement under law that this should be published so it can be inspected by anyone who wants to, because previously there were a number of issues like people on register who are too young to vote or others who are actually dead.  However the first time it was published, it contained too much information like people’s identity numbers. Policy advocates immediately called the electoral management body and brought it to their attention. In that period, some of that data was harvested or bought from officials of the election body. Now there was a whole new economy people who were buying, selling and repackaging data. People are providing bulk messaging services to target voters registered of your particular area and even voters who are likely to vote in your favour because they’re members of the same tribe.

The influence from digital political companies like Cambridge Analytica has meant political actors learnt a way of being perpetually politically active with messages and memes. We’ve been in a state of active campaigning ever since the elections. It’s ridiculous, sometimes you listen to the news and you have to remind yourself that we’re still 3 years away from the next election because the political messaging online makes its way into traditional news.

What channels does this come through?

A number, but one interesting one is WhatsApp. It’s so reflective of our society. Everybody who has a smartphone is in several WhatsApp groups; whether you’re organising a wedding, going to a funeral, or attending a baby shower, you form a WhatsApp group. These kind of groups generally do not die after the function is over, so people continue to wake up in the morning and send messages to all the groups, send jokes and send memes, some of which are political messages. Some of them are subtle, some of them are really funny jokes that make light of everything in Kenyan life. Ultimately it keeps you in this perpetual hold, so you never forget who the president or key members of the administration are because they have an active post every 2 hours.

What’s next on your agenda?

I’m still in the public advocacy space and generating public knowledge to get more discussion on the issues of how society is organised. Digital identity can have really positive social and economic benefits on our society, but it’s been approached from the aspect of security and control. In Kenya we’ve had ID for over 100 years. We were a settler colony, that historically had a scheme called ‘kipande’ which controlled the movement of people. Now we have a duty to make inclusive ID which helps us distribute resources more fairly to people who need them more, to save on resources and help the government plan better. There’s a need to talk about these things and put pressure on the government to do it in a better way. We often hear that ‘We are going to lose out on the fourth industrial revolution, we will not be left behind. We Africans must leap frog.’ For this the human element and inclusivity is key. We have almost given up all our thinking and want to say everything can be solved by AI or better technology, yet if we don’t first resolve the human problems, I don’t think technology will help us.

Find Grace @Bomu