Digital identity must be self-sovereign and decentralized

It is difficult to define the precise point at which humanity crossed the Rubicon to become digital citizens. (Was it broadband? Smartphones? AI?) The only thing we know for sure is that we are, in every way, more digital than physical. Our bodies are still flesh and blood, but our minds – where we create art, music and verse – are now in the cloud.

As a result, when we talk about digital identity, we are really talking about ourselves. In the 21st century, you are in every respect the product of the digital breadcrumbs you leave scattered across the internet.

Give a man or woman a digital identity and you give them the tools to work, learn and earn money. Take away those halls, and you effectively banish them from civilized society. We only have to look at China, where being caught riding without a motorcycle helmet drops your social credit score, impacting your ability to work and travel.

That is not to say that digital identity is inherently dystopian: like all technologies, it is benign. It is people who determine whether it is used as a force for good or evil, to grant access or to limit it. Therefore, it is crucial that digital ID serves the owner and not the other way around. Unfortunately, centralized identity systems are unable to do this due to fundamental flaws in their architecture, which is why they are destined to be replaced by better technology.

The problem with centralization

Centralized ID systems concentrate sensitive data, including biometrics, login credentials, financial information and behavioral history. The more we do online and the more our lives – from healthcare to education – become digitalized, the greater this wealth of data becomes. As the weight of all this information increases, so do the incentives for third parties to access it illegally.

As the disparate digital services we use become connected, we will reach a stage where one digital identity can do everything from logging into social media to booking a doctor’s appointment. This transformation will make our lives easier. But it will also make them more insecure. Because when all data flows through a single hub, attackers only need to compromise one system to gain access to everything.

All it would take is a sophisticated hacker or a rogue government for this information to end up in the wrong hands. The result could be deplatforming. It could mean exclusion from core services due to ‘wrong thinking’. Or it could mean your credit card information is auctioned off to the highest bidder on the darknet. But it doesn’t have to be this way.

We have the technology at our disposal to build a future where our data doesn’t have to be piled high in central silos – because it never left our possession. This calls for eschewing centralization in favor of self-sovereign solutions.

Self-sovereignty as a service

Self-Sovereign Identity, or SSI, reverses the power dynamic by returning control to the individual. It is your identity, and you own it. But crucially, from your perspective, this doesn’t add any additional friction: you don’t have to master complex technology or take on the responsibility of storing your data on a home computer; it’s all encrypted and stored on a distributed ledger with an access key that only you can use.

Trust is maintained cryptographically, with the individual in control of their own access and permissions, while the compromise of one lender does not compromise the identity of every user. This setup is not only beneficial for users: it also means that governments, universities and institutions can issue login details, but do not have to store them.

SSI works because it combines distributed storage inherent to blockchain, which means no more centralized databases filled with sensitive information, combined with cryptographic technology that allows the underlying data to be viewed only by authorized entities. Privacy implementations such as Garbled Circuits, as used by COTI, and zero-knowledge proofs make it possible to verify the validity of the information without revealing its contents. You don’t have to broadcast your date of birth or passport scan over the Internet, in other words, to prove that you are old enough to order alcohol.

Decentralized ID enables trust and eliminates single points of failure.

Why not now?

If SSI is so good, you might wonder why it isn’t implemented everywhere. What’s stopping lenders from taking the SSI pill? The main reason for this is that this requires a radical change in the way companies think about data and user access. And change is hard: that’s why the Internet is still stuck with password authentication, even though its inherent weaknesses have been well known for years.

So the technology is ready, but awareness of its possibilities – and the willingness to implement it – is still not widespread. This will happen, but it will take time; After all, it took more than a decade for blockchain technology to become widely understood and trusted. Since SSI is an additional layer built on top of this, it will require acclimatization from both users and lenders.

But make no mistake: decentralized identity is the inevitable future of digital ID. With every new database hack and data harvesting scandal, the case for its implementation only becomes stronger. Users need the absolute assurance of confidential authentication, knowing that companies requesting personal data are only verifying what is necessary, rather than collecting massive, stored profiles. Companies, meanwhile, need to be relieved of the burden of storing all this data while adhering to standards such as GDPR.

Not everything on the internet has to be decentralized. But the way we connect to the platforms and services we rely on every day must and will be this way. It’s the only way to create a secure internet that works for everyone.