
Self-sovereign identity on the block – ideal or no deal?

There’s a rumour out there in the IT and business world that blockchains could be the magic elixir when it comes to users’ full control and power over their own digital identities. But is that really so?

Brexit or not, the upcoming EU regulation GDPR (General Data Protection Regulation) will certainly affect every country in the world. With global online communication and transactions, there are no geographical or political borders.

From May 2018 onwards, this regulation requires every company and public authority doing business in the EU to deal with personal information responsibly and store data securely without any risk of abuse – more than ever before.

Users of online services today have no choice but to trust the suppliers, even though such parties earn a lot of revenue from their customers’ data. In most online relationships, the suppliers own all the data that consumers enter into their systems. They can therefore freely decide how to exploit it, and which third parties to sell it to. They can also decide where the data is stored, but this might soon change.

It is not enough just to set up rules, however. The regulators also have to efficiently control how they are put into practice by service providers and, if needed, punish violations with harsh penalties. This is definitely not going to be an easy task in the long run.

Trust has always been a central element in business relationships. However, suppliers will soon have to offer extra proof that they deserve trust. The mathematical consensus algorithms of decentralised blockchains might help them in this aim. Everyone, even private persons, can deploy them relatively easily, and no trusted intermediate parties between customers and suppliers are needed any more.

To interact, the parties on all sides could just type in what is needed of their own data – not more, not less – and completely withdraw it at any time.

There are exciting projects in this context, such as Evernym, which tries to establish an open source platform for sovereign identities, or Microsoft Azure’s blockchain initiatives. There are nonetheless still huge challenges to be solved to make these visions work, touching on questions of standards and the adoption of big online service providers.

Probably the greatest challenge is to decipher whether the person on the other side of the chain is really who they say they are. How can you trust their ID? Could Dr Jekyll not in reality be Mr Hyde?

With blockchains, we know a transaction has taken place. But how can we be sure who carried it out? To be really sure, the person on the other side has to disclose so many personal details that it would no longer be suitable to speak of a self-sovereign identity.

Self-sovereignty, so to speak, does not sit well with trustworthy attributes, because attributes reliable enough to trust also make the person behind them easy to identify. Alternatively, we would need to fall back on trusted intermediaries. This, however, would at best be user-centric, but in no way self-determined. For now, blockchains alone can solve neither the identification nor the authentication challenge.

Smart contracts as valuable supplement

A valuable supplement to decentralised, distributed ledgers such as blockchains in the identity context would be smart contracts. A blockchain and smart contracts could be used to record agreements between parties about which attribute (not its value) has been shared with which party, for which purpose and for what period of time.

This would allow for a much better use of this information, and could also prevent identity theft if, for example, only the age was revealed instead of the exact birth date. Combined with a standard to access that information, such a solution would be fairly straightforward to implement and a foundation pillar of life management platforms.

A blockchained contractual basis could therefore bring a clear win-win to all involved parties. Individuals might be able to better protect their data autonomously by restricting and controlling use. They would have to divulge only the most necessary facts, under the principle of minimal disclosure, and could omit information that could be cross-correlated with other data, such as location information or online shopping searches.
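The consent ledger and minimal-disclosure idea sketched above, as an added example that is not part of the article or any project it mentions: a hash-chained record of which attribute was shared with which party, for which purpose and period (never the value), plus an "over 18" claim derived from a birth date. The party names, purposes and dates are constructed for illustration.

```python
import hashlib
import json
from datetime import date

# Hypothetical consent ledger: each entry names the attribute, the relying
# party, the purpose and the validity window, but never stores the value.
# Entries are hash-chained so a silently altered past agreement is detectable.
GENESIS = "0" * 64


def entry_hash(body):
    # Canonical JSON so an identical record always yields the same hash.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_consent(ledger, attribute, party, purpose, valid_from, valid_until):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"attribute": attribute, "party": party, "purpose": purpose,
            "valid_from": valid_from.isoformat(),
            "valid_until": valid_until.isoformat(), "prev": prev}
    ledger.append({**body, "hash": entry_hash(body)})
    return ledger[-1]["hash"]


def chain_is_intact(ledger):
    # Recompute every hash and check each entry points at its predecessor.
    prev = GENESIS
    for rec in ledger:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or entry_hash(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def use_is_permitted(ledger, attribute, party, purpose, on):
    # A party may use an attribute only under an agreement matching the
    # attribute, the party AND the purpose, and only inside its time window.
    # ISO-8601 date strings compare correctly as plain strings.
    return any(r["attribute"] == attribute and r["party"] == party
               and r["purpose"] == purpose
               and r["valid_from"] <= on.isoformat() <= r["valid_until"]
               for r in ledger)


def minimal_age_claim(birth_date, on, threshold=18):
    # Minimal disclosure: the relying party learns "over 18", not the birth date.
    age = on.year - birth_date.year
    age -= (on.month, on.day) < (birth_date.month, birth_date.day)
    return {"attribute": f"age_over_{threshold}", "value": age >= threshold}
```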


Suppliers or service providers might be able to get more information for limited use. That might allow them to sell targeted adverts at a far higher price, instead of suffering the massive “divergence loss” they see with their adverts today. It would also be easier to handle than today’s “right to be forgotten”. In the case of a data breach, they are likely to be able to limit the damage and save immense costs. Providers would therefore hardly lose anything by giving up control over their customers’ data.

No single solution in sight

We should not be too optimistic yet that there will ever be a single identity solution on a broader scale, especially when it comes to self-sovereignty. Human identities and their individual contexts are simply too complex to be depicted in one system. Also, there will always be a dispute between national law-making and the transboundary character of blockchains and the digital sphere.

Should there ever be such a solution, it would, first of all, need to be easy to use. The most commercially successful online services boast high usability. The easier they are to access, the faster users give up privacy considerations. Sovereign-identity solutions would therefore have to be structured just as simply to be of interest to everyday users on a large scale. Sovereign-identity applications would otherwise lead a very solitary life.

Martin Kuppinger is founder and principal analyst at KuppingerCole.
