EXPERT PANEL: Decentralized/Self-sovereign identity

For our latest Expert Panel our specialists from Signicat, GBG and Nuggets address one of the currently most hotly debated topics – decentralized, or self-sovereign identity. This is a topic we will be covering in more depth on the ID Bulletin in the near future, so please share your views in the comments section below.

Handing over control of their data comes with risks

“Decentralised identity means that no single authority controls a person’s data, enabling self-sovereign identity which hands control of data over to the individual. The user would then—in theory—be in control of which information they want to share and with whom. But there are major challenges with this approach.

We know from experience that people cannot be trusted to remember security details and keep them safe, and rarely make backups, so handing over control of their data comes with risks. Custodians will be needed for data recovery, which means an identity authority of some sort will still be necessary. Private key escrow would mean demand for even more trusted providers. Without a government, financial services provider, or other trusted entity acting as a custodian of identity, it’s far from clear who would perform this role, or why they would do it. People want to be able to contact someone if there is a problem—they cannot be entirely self-sovereign.

Identity on the blockchain or using Distributed Ledger Technology (DLT) is often mooted as a solution to decentralised identity, but DLT itself does not provide the trust necessary—it only shows that data has not been amended, making auditing far easier.

Ultimately, with decentralised identity a trust framework is still vital so that, when a piece of information is received, someone can answer the question “How can I trust this?” Decentralised data does not make this problem any easier.”

Author: John Erik Setsaas, Identity Architect at Signicat

Achieving mass user-adoption is the biggest challenge

“There’s a lot of buzz around decentralised identity. Giving consumers control of their identity information is really exciting, and anything that involves blockchain will attract interest. However, there is a long way to go before that promise becomes a reality for most of us.

Blockchain specifically is perfect for cryptocurrency or transaction ledgers, but there are certain requirements for identity (i.e. key management or off-chain components) which mean the technology may well play a supporting role, rather than be the “silver bullet” solution for identity.

Being a member of the UK’s GOV.Verify federated identity scheme (which is not blockchain based) has taught us that achieving mass user-adoption – consumers, businesses, regulators and governments – is the biggest challenge. It’s only when all of those players are confident and willing to make the change that the technology will deliver its behaviour-changing potential.”

Author: Mick Hegarty, Managing Director at GBG

Entrusting custodians with sensitive information is no longer safe

“Decentralised identity (also called the self-sovereign identity) is hugely important, perhaps more so than most realise. Individuals from all walks of life are hindered by the current iterations of (most often, government-issued) identity – whether not having access to it in the developing world, or being at constant risk of fraud as third-party businesses hold copies.

The concept has been discussed for decades, although the technology has never quite been there. But the advent of blockchain has finally made it a possibility. The proliferation of data breaches has made it clear that entrusting custodians with sensitive information is no longer safe.

By decentralising identities, we can create a system that seems intuitive – one where individuals, and individuals alone, are in control of their own data. Such a system would integrate digital identity with other services such as identity verification and payment in order to make transactions seamless — while still allowing individuals final say on who gets access.

Companies seeking to comply with the ever-increasing regulatory scrutiny surrounding the handling and storage of data (take GDPR, for instance) are likely to welcome this new technology, as it would mean that their liabilities are vastly diminished. It isn’t a zero-sum game – it’s hard to envision any losers from the embracing of decentralised identities (with the exception, perhaps, of companies tasked with KYC verifications or data harvesters). Similarly, insofar as there are pitfalls, these are dwarfed in comparison to the downsides of the existing centralised data silos, containing huge amounts of information valuable to malicious actors.

I’d go so far as to say the self-sovereign identity is a necessity in the digital era. It’s time to eradicate dangerous practices that are systemic to the current infrastructure, so as to ensure greater privacy and security for individuals and corporate entities alike.”

Author: CEO of Nuggets, Alastair Johnson