• Christine Martin posted an article

    Embrace the Ethical Implementation of Digital Identity

    It is more important than ever to take back control of our identities. see more

    I just had two different but related things happen with my 18-year-old daughter regarding her identity…

    This week, I took her to the DriveTest Centre to get her G1 (driving license). Since she’s 18, I left it up to her to ensure she had all the necessary documentation. She brought her Ontario Health Card and Canadian Passport. When it was her turn, she went to the counter and presented her documents. The representative looked over the papers and let us know the passport was expired, and thus she could not accept it. She asked if she had another piece of identification, like a birth certificate. Of course, she did not have this with her. As we left the DriveTest Centre, I mentioned that we wouldn’t have had this problem if she had a digital wallet that could store her identity documents. She would have had all her credentials on her phone to prove who she was. She told me, in short, that it wasn’t a better alternative because she just watched a movie on digital identity, and we are all going to turn into tracked and controlled robots of Big Brother if we let that happen.  

    My daughter opened a new bank account online, but she still has to present herself in person to finalize things. With a digital wallet holding credentials and verification via biometrics, she could have completed that step online and had access to the new account immediately. Why does the bank offer the option to open an account online?

     

    You’re already at risk.

     

    Maybe it’s because of the nature of my job in decentralized identity consulting, but lately, I’ve been seeing a lot of conspiracy theories on social media about Self-Sovereign Identity (SSI). People criticize the way it’s being implemented and warn about the negative consequences it will have. It’s almost as if people don’t realize that organizations are already monitoring and influencing us and that Google and social media algorithms have been instrumental in this.

    Right now, Facebook owns your identity and essentially decides what you see in your feed; and Google tracks your every move. These companies claim our data as their asset and make money off it.

    Many acts of ‘digital misdirection’ are happening before our very eyes every day, and we are starting to become more aware of them. Every action we perform online has become a piece of data which is used to coerce and constrain our digital experiences. We see it in the ads that show up across all our devices following an Internet search, in the ever-narrower set of content we’re shown on our social media sites, and in the increasingly compelling, and sometimes spooky, product recommendations we receive. This digital misdirection goes on to the point that we begin to wonder whether we can still exercise any free will online at all.” – The Rise of Surveillance Capitalism

    What if you could monetize your identity? What if you could share extra preference data with Facebook and allow them to share that data with a third party for a fee? You could charge $0.50 for every additional set of preference data you share. Self-Sovereign identity can give you control over your data and generate passive income. Why wouldn’t you pick this option?

     

    How can we trust them to be honest stewards of our data?

     

    lawsuit has been filed against Google that stems from investigations dating back to 2018 by Princeton University and the Associated Press. The lawsuit alleges that “Google falsely led consumers to believe that changing their account and device settings would allow customers to protect their privacy and control what personal data the company could access. The truth is that contrary to Google’s representations it continues to systematically surveil customers and profit from customer data.

    What else are these media giants doing that we haven’t figured out yet? How Bad is the Global Data Privacy Crisis? And you want them holding your information? I’m confused.

    Platforms like Facebook and Google aren’t fond of losing access to people’s data; having less control over the user data makes it far less valuable for monetization. I’m not sure why people aren’t more concerned with this aspect.  I can’t help but come up with my own conspiracy theory: the Facebook algorithm suppresses positive news and advancement in SSI while pushing misinformation.  With digital identity, you (the holder) will be able to control your identity and decide which credentials to share with whom.  That’s a significant loss for big tech.

     

    SSI Architects care about privacy and security

     

    I saw a Facebook post shared with a photo of a copy of The World Economic Forum – Advancing Digital Agency report with the quote, “Digital ID, it isn’t just a rumour, people. WEF wants to control everyone’s life. SHARE“. The WEF report is more about protecting users, the challenges of broken trust, and data intermediaries instead of controlling everyone’s life.  There are many benefits to Digital Identity, particularly with vulnerable and marginalized groups (refugees). 

    We care about privacy and security; we have the same concerns. Organizations like Evernym/Avast want to embed eIDAS in their products, but only if it addresses these four problems and maximizes opportunities. 

    Something crucial for laymen to remember is that governments cannot build and implement these frameworks without help from the private sector. That includes SSI consultants like us here at Continuum Loop. We’re regular members of society; we have friends, family and children that we care about and want to protect: now and in the future. We are involved because we care and are aware of the negative implications and aspects; we can help mitigate these factors, build these frameworks, and make them beneficial for all.

     

    Hold, own, and control your credentials/identity.

     

    Digital ID is nothing new; it’s been around for a while in one form or another. However, the COVID pandemic has caused a “digital acceleration” event where our reliance on technology has catapulted forward. The pandemic has accelerated the adoption in many ways, like the increased use of QR codes and contactless payment to mitigate the risk of exposure to the virus. In particular, it has helped to raise awareness of the need for such a system and its benefits.

    You will take back control of your identity and hold it. Not Facebook, not Google, and you will decide what credentials to share on a need-to-know basis. We don’t have to be scared of the shift; we have to ensure the architecture is built ethically for all.

     

    The Privilege of Hesitation.

     

    We are privileged to be able to be so critical of these emerging technologies. We take for granted that the college or university we graduated from will always be there or that our government institutions will always be in place and functioning to provide us with the services we need. I can’t help but wonder how a current refugee, who had no time to take paper documents, would feel to have the ability to easily prove their identity while starting over in a new county. All we have to do is look to Ukraine and see why centralized Identity systems can cause a problem.

    Many Ukrainians have been displaced and need to apply for new documents to be able to travel and access services in other countries. The centralized identity system can make it difficult for people to get their records. As different groups seek refuge, they face unique challenges. Many Ukrainians of Roma origin, for example, suffer discrimination in Ukraine and may not have any documentation indicating their identity or citizenship. Being undocumented as you flee conflict and navigate foreign countries can lead to many dangers like human trafficking. Desperation can lead to refugees bribing government officials to get their documents. 

    In contrast, Estonia has a practical but highly-centralized digital identity system that makes it easier for people to access the various services they need. While it is centralized and questionable from a privacy and surveillance perspective, this system allows for secure and transparent transactions that make citizens’ and e-residents’ lives more convenient and secure. The Estonian government has been using this technology since 2001, and it has helped them become one of the most digitally advanced countries in the world. 

    While this implementation of digital identity is not ideal for many reasons, it’s a step in the right direction, and we can build from it. The flaws within the system (e.g. privacy, centralization) can be handled.

     

    Rebuilding Trust

     

    These technologies cannot move forward without the general public’s adoption. Organizations must rebuild trust for this to happen. Those building the framework architecture are fully aware of this challenge; the general public has lost confidence in the way organizations hold and use their online information.

    There are many possible ways to rebuild trust. One way is to give people more control over their information. With Self-Sovereign Identity, they can choose what information they share and with whom, and they can also see how their data is being used and change their settings accordingly. 

    Another way to rebuild trust is to ensure that the technology is secure. People need to know that their information is safe when shared online. Organizations need to ensure that they use the latest security technologies, Blockchain Technology, to protect people’s information.

    Finally, people need to know that the organizations they trust with their information are reputable and honest. Organizations need to be transparent about using people’s information and their steps to protect it, and Verifiable Credentials will facilitate this.

    In a world where corporations and governments are constantly harvesting our data, it is more important than ever to take back control of our identities. Self-sovereign identity is a new way of thinking about identity that puts the individual in charge of their information. We should embrace it and use it to create a more just and equitable society.

     April 26, 2022
  • Francesca Hobson posted an article

    Three Questions Around Self Sovereign Identity

    If you work in the area of identity you will have noticed a lot of talk about Self Sovereign Identit see more

    Is Self Sovereign Identity a panacea or an also ran?

    If you work in the area of identity you will have noticed a lot of talk about Self Sovereign Identity (SSI).  As a concept, it applies the goal of placing the user at the centre of digital identity management and control. User-centric digital identity is not a new idea. I first came across it back in 2008 when I read Kim Cameron’s 7 Laws of Identity – the piece itself going back to 2005; law 1 states that “ No one is as pivotal to the success of the identity metasystem as the individual who uses it.”

    SSI is user-centric, but you don’t need to have a Self Sovereign ID system for it to be user-centric.

    On paper, I like the idea of a Self Sovereign Identity. After all, digital identity is about what you do with the information that makes up who you are – surely that should be under your control? Yet still, I have lingering questions that make me question the ability of SSI to fulfil my identity needs.

     

    A really quick bit on what SSI is?

    This isn’t a post about what Self Sovereign Identity is, there are plenty of articles on that topic. But I will give you a very quick and dirty overview of what the technology is about.

    SSI is fundamentally reliant on blockchain to register the attributes of a person’s identity. What does that mean. Your identity data (attributes or claims) – the stuff that determines your digital you, or that thing is that thing – are registered to a block on a blockchain. The blockchain is a distributed ledger, aka it has no central authority controlling it, it is decentralized. The subsequent decentralized claims are then part of a person’s identifying data that they can share, under their control, with a requesting party – like a bank or a government service, etc.

    The substance of the SSI is based on the idea of verifiable claims. If you follow my blog you’ll know that verification is a thorny issue in the digital identity space. It is certainly not straightforward and can do with a sprinkle of ‘user friendly’ if you ask me. But organizations like Sovrin, who are offering a backbone for SSI, are built upon the notion of verifiable claims being managed through a distributed ledger technology backbone specifically attuned to digital identity.

     

    Verifiable claims

    I just want to talk a little about the notion of a verifiable claim. For a piece of data on an individual to carry any weight it has to be true or at least have a probability of truth that satisfies the service provider. Claims that are checked (verified) by a trusted third party are deemed to be verifiable. Web standards custodians, W3C, have looked at the issues around standards for verifiable claims.  The research findings of the group come down heavily on the side of user-centric and privacy enhanced. There is a very strong value statement driving their work “No User-Centric, Privacy-Enhancing Ecosystem Exists for Verifiable Claims”.

    The research concludes several things including:

    “Trust is decentralized. Consumers of verifiable claims decide which issuers to trust.”

    And

    “Users may share verifiable claims without revealing the intended recipient to the software agent they use to store the claims.”

    But, in the context of this article, do you need a decentralized identity system to have decentralized verifiable claims? Are the two mutually exclusive?

     

    The questions on SSI I need to have answered

     

    Commercial use cases?

    We live in a world that is built upon certain commercial structures. These structures are pretty much universally driven by money. I want to understand how we can fit an identity framework, that is based on presenting verifiable claims, to a service. Who will pay for the verification? If one organization pays, will they be happy if that data is then shared with a competitor to build up a trusted relationship with them?

    Are we back to the same issues we had with federated identity? As Phillip Windley said back in 2006: “Not surprisingly, the hard part isn’t usually the technology. Rather, the hard part is governing the processes and business relationships to ensure that the federation is reliable, secure, and affords appropriate privacy protections.”

    Will Self Sovereign Systems come up with similar commercial issues – the business relationships, but this time from a pay for use basis?

    An interesting look at how this could be solved is from the Web of Trust working group and their work in progress treatise “How SSI Will Survive Capitalism”. Something I will be keeping a close eye on. This is my main concern from their SWOT analysis “Lack of upfront financing due to lack of platform (chicken & egg problem)”

    And a last point before I move on. This was brought up by a government official in the UK – the data ownership – is a government verified identity document like a passport actually your data to own?

     

    This governance thing?

    I’m also not sure about the whole SSI being a magical panacea for refugees. There is a nagging feeling in the back of my head around the ‘stewards’ model. Self Sovereign frameworks like Sovrin use a steward’s model to maintain trust. The stewards are trusted third parties – organizations, that operate the nodes in the distributed ledger. Sovrin currently has over 50 stewards that provide human and computing power.

    I can see the positive aspect of this. It extends the notion of decentralization to another layer. Good. I do, however, wonder if the steward will become a weak point in the system. Will cybercriminals target stewards to gain control of the nodes?

     

    Privacy, really?

    The privacy aspects of decentralized, SSI are part of the charm of the system. Sovrin, for example, uses Zero Knowledge Proof as the underlying mechanisms of minimal disclosure of data. ‘Are you over 18? Only Yes/No is revealed. Of course, SSI isn’t the only system that offers privacy of attributes. There are several ways of achieving the same thing using traditional identity services. One such mechanism was developed by Sid Sidner back in 2006, and named “Variable Claims”. I’ve seen it applied in a traditional identity service – it works in a similar manner by only revealing certain data, i.e., yes/no or partial reveal of attributes.

    The problem is this. It is all well and good having minimal disclosure. But what if you want to buy a pair of shoes online. You have to allow the online vendor to know your address to send the shoes to. They will likely also want your name and other demographic data if they can get consent, for marketing purposes. Your data is then outside the SSI and held in a more traditional manner. And…it is now outside of your control too.

     

    “Options make for a healthy ecosystem” – Tim Bouma

    I remember looking at Pretty Good Privacy (PGP) way back. It offered the hope of secure email communications based on the idea of a “web of trust”. PGP always seemed very ‘techie’ to me; you virtually needed a PhD in computer science to use it. Usability, rather than methodology has probably killed PGP – even Phil Zimmerman who invented PGP doesn’t use it anymore. I get the same ‘techie’ feel of PGP within the SSI movement. I know that folks in SSI are working hard to get neat apps together to help with usability, but still, there is an air of PGP about it.  I can’t shake it, I want to. I think it comes down to this.

    We need to understand the true nature of why we use digital identity, the real use cases, the pitfalls of such use cases, as much as we need the technology to make them happen.

    I do not, however, want to write a technology off, just because I have a few unanswered questions. I can see, for example, that blockchain has some use cases that fit well and as an additional layer in a tech stack it has enormous potential.

    Tim Bouma, Senior Policy Analyst for Identity Management at Treasury Board Secretariat of the Government of Canada, recently summed up the SSI debate perfectly, and I agree wholeheartedly with his very pragmatic take. Tim explores technology with open eyes and the hard head of experience. He said in a recent tweet and Medium post on SSI:

    “The extreme (decentralized) case is no service provider, but likely it will be a mix of centralized, federated and decentralized options. That’s ok because options make for a healthy ecosystem.”

    SSI is on the extreme end of the digital identity spectrum. Its focus is putting control back in the hands of you, the user. But SSI is not the only way to skin a cat. My own view is that a mix of technologies will, at least for the foreseeable future, be needed to accommodate the vast array of needs across the identity ecosystem. I can see use cases for SSI. But will it become the overarching way that humans resolve themselves in a digital realm? I don’t know, I don’t have a crystal ball, but my gut says not, unless there are compelling answers to the three questions I have listed above. Maybe the SSI community can help me to understand?

     

    Author

    SusanSusan Morrow

    Having worked in cybersecurity, identity, and data privacy for around 35 years, Susan has seen technology come and go; but one thing is constant – human behaviour. She works to bring technology and humans together. 

    Find her @avocoidentity

     

  • Francesca Hobson posted an article

    SSI? What we really need is full data portability

    Despite numerous predictions by industry analysts that “self-sovereign identity” (or “SSI”) would be see more

    By Emily Fry and Elizabeth M. Renieris

    Despite numerous predictions by industry analysts that “self-sovereign identity” (or “SSI”) would be a key trend by now, in reality there is still limited adoption outside of research labs and proofs of concept. As two industry experts in the SSI space, we are here to argue that it’s time we stop talking about “self-sovereign identity” if we want to make any meaningful changes to identity management for the benefit of individuals. Not only is the term itself misleading, and often polarizing, but the zealous attachment to “self-sovereign identity” overshadows the core innovation of the future of identity management—full data portability.

    While definitions of the term vary, the basic idea behind “self-sovereign identity” is to enable a model of identity management that puts individuals at the center of their identity-related transactions, allowing them to manage a host of identifiers and personal information without relying upon any traditional kind of centralized authority. One emerging school of SSI relies upon the combination of distributed ledger technology (often a blockchain) and the use of decentralized identifiers, as well as other technical standards, under development by the World Wide Web Consortium (WC3), and is sometimes also known as “decentralized identity.”

    SSI advocates are ardent and impassioned, often using hyperbolic language to characterize self-sovereign identity as a revolution, the foundation of the next Web, a panacea for privacy, and even the solution to child labor, emphasizing specific technologies like blockchain and ideologies like decentralization. They cite from the same hymn sheet of SSI Principles by Christopher Allen. In the past we have cited these too, but in the future we question whether it is wise to do so. With the term at peak popularity, and large corporates, governments, and other key players exploring what it means, it is time we bring a set of realistic expectations to the table and focus on what will really change the individual’s experience for the better.

    Governments and other stakeholders exploring SSI are less interested in ideology and more interested in improving the user experience for their customers and constituents. They want to increase access to services, improve service delivery, and safely digitalize interactions, while mitigating privacy and data security-related risks. The key to these objectives lies in full data portability—this means granting individuals robust legal rights, as well as straightforward technical tools and capabilities, to manage and use identity credentials and other personal data with more trust, confidence and ease, so that they can share medical records with a new doctor, port professional credentials to a new employer, and the like.

    SSI is focused on the technical tools and capabilities for data portability but offers little by way of legal architecture. Despite bold claims about the legal implications of SSI, often by technologists and other non-lawyer advocates, SSI introduces new technology but has no impact on legal rights or privileges. For example, while it might enable technical portability of credentials (at least theoretically, the market will determine who will accept them), it has no impact on rights to portability under new and emerging regulations like the GDPR or the CCPA. SSI does not address the challenging questions of risk mitigation, liability allocation, or enforcement or redress mechanisms—all things requiring new or modified legal solutions.

    One example of an emerging legal solution to solve for the non-technical dimensions of full data portability is the notion of a trust framework. A trust framework necessarily lifts cryptographic and other technical trust mechanisms into a coherent set of legal, business, technical (and we argue, ethical) rules. Its purpose can be boiled down quite simply—to ensure that technical tools are developed and deployed in a manner that does in fact support the coherent individual end-user experience and legal protections we all want.

    The assumption that regulations will remain relevant and in place for long periods of time has been upended. Trust frameworks must evolve and adapt in order to foster innovation. But don’t let that mislead you. Trust frameworks can and should have teeth, placing appropriate legal obligations on entities to adhere to particular standards or rules, with repercussions for breach and actual mechanisms for enforcement. This means they must inevitably address questions of liability.

    To date, digital intermediaries have famously resisted governance, claiming that because they control the tools, they can also sort out the problems without regulatory intervention. We know the existing and potential future repercussions, so let us not make the same mistakes again. Trust frameworks are a mechanism by which to address policy concerns from the outset—providing guidance within a legal architecture. A number of Governments, including New Zealand, are exploring this approach, though few have taken on the hard questions of risk mitigation, liability allocation, enforcement and redress.

    Time is of the essence. We hope that this discussion will serve as a reminder to look up from debates on terminology and refocus on the outcome we all actually want— meaningful and universal data portability facilitated by technology but also, critically, backed by law. Without state-of-the-art legal architecture, SSI is just a techno-utopian pipedream.

     

    Authors

    Emily Fry is the head of Digital Trust at MATTR, a New Zealand based company developing open standards, technical infrastructure, and software for better Digital ID. She specializes in bridging law, technology, and policy though innovative legal architectures.

    Elizabeth M. Renieris is the Founder & CEO of HACKYLAWYER, specializing in law and policy engineering. She’s a privacy lawyer (CIPP/E, CIPP/US), identity expert, and a fellow at the Berkman Klein Center for Internet & Society at Harvard University, where she researches data governance frameworks for the digital age.

     March 31, 2020
  • Francesca Hobson posted an article

    Member interview with Jacoba Sieders – listen now

    In this podcast, Women in Identity Ambassador, Angelika Steinacker, interviews Jacoba Sieders on her see more

    In this podcast, Women in Identity Ambassador, Angelika Steinacker, interviews Jacoba Sieders on her journey from a degree in ancient languages to a career in Identity Access Management. Hear why Jacoba believes that being bold, brave and creative are far more important qualities for an IAM leader than being a technical expert!

    Jacoba Sieders is an independent, digital identity expert.  She has held executive positions leading IAM and KYC functions for more than 20 years at major banks in the Netherlands and then in Luxembourg at the European Investment Bank. She also lived and worked in New Delhi, India for ING Group.

    She is a member of various international expert groups and think tanks, was part of the Dutch Blockchain Coalition’s SSI initiative, and is a member of the technical working group NEN/ISO.

    Jacoba is Advisory Board member of ID-Next, the independent European think tank on identity, and Advisory Board member for the EU ESSIF-lab on SSI. She holds a master’s degree from Leiden University in classics (Greek,Latin, Hebrew) but retrained to become an IT professional.

    She recently moved on from corporate life and now focuses on strategic advisory assignments alongside speaking engagements and teaching masterclasses.

     October 20, 2020