A Few Observations from the Internet Identity Workshop XXVII

Last week the FPR team attended the 27th Internet Identity Workshop (IIW) at the Computer History Museum in Mountain View, California. IIW is a participatory “un-conference” that convenes twice a year to discuss a wide range of issues related to digital identity. In recent years the focus has moved towards self-sovereign identity, the subject of FPR’s most recent paper, published on October 18th. IIW gave FPR a great opportunity to discuss the content of our paper with some of the world’s leading digital identity experts and learn more about digital identity in general. Below are a few lessons and observations from the conference.

• Many misconceptions about SSI remain, even in the digital identity community. These misconceptions were discussed in a session called “Seven Myths of SSI” led by Timothy Ruff of Evernym and Rouven Heck of uPort. Several of these were clearly attributable to the term “self-sovereign,” which unfortunately connotes a form of identity totally independent from government authority. As was pointed out repeatedly throughout the conference, this is not at all the case. The goal of SSI is to provide infrastructure for the distribution of trusted information. The issuers of that information, including governments, remain as trusted authorities in SSI systems, and the cryptographic signatures involved give the verifiers of credentials greater trust in their authenticity. Though everyone agreed that SSI is not self-attested identity, there was no consensus on whether it should be renamed to avoid further confusion and, if so, what it should be called. One proposal was to call it “multi-source identity,” arguing that in order to be self-sovereign an ID solution has to allow the ID holder to have credentials from multiple sources. Many in the room disagreed. An alternative name proposed in a different session, “trusted data,” was appealing for its simplicity but possibly too vague. Elsewhere, in a Q&A about the Sovrin architecture, an engineer from Evernym was asked about the difference between “claims” and “credentials.” His response was that the two terms had been used interchangeably in the past but that only “credentials” would be used going forward. SSI is a nascent field, and it is important for the community to continue working towards not only common technical standards but common terminology to make it more accessible.

• SSI delivers more than just privacy: SSI is often described as a system for keeping personal data private. But in addition to minimizing the risk that personal data will be exposed, it adds an important new element: in order to use personal data as a credential the user must prove that it was issued to them. This means that even if a bad actor is able to discover personal information they are unlikely to be able to do anything with it. In the Sovrin architecture this is accomplished through the use of a “blinded link secret” (BLS). A BLS is a secret key stored on the user’s device that is used (without being shared with the other party) to prove that a credential is not only valid but was issued to that specific user. This is important in the Sovrin architecture because a unique identity number (DID) is used for every relationship, meaning that there is no single number that a credential can be issued to. However a few issues with this feature were raised. One was that a user could share their BLS with another user, who could then use a credential that was not issued to them. The other is that the BLS is issued to a single wallet/phone, creating a new key management issue. In order to be sure that the credential was being used by the original holder, it would be necessary to tie the individual to their device and/or credential with biometrics.

• SSI can help users retain personal control of their data; it is unclear what impact this would have on big data analytics: Several sessions and projects concentrated on the potential for SSI to let individuals take back control of their personal data. But there are many important uses for aggregated data, from medical research to training machine learning algorithms. An SSI-driven world could result in the creation of a new, participatory data economy, but it is not clear what the value proposition would be for the average person. Data is exponentially more valuable when aggregated, and any given person’s data might not be worth enough on its own for them to want to take an active role in managing its sale. A number of solutions were proposed to address different parts of this problem. One of the most interesting of these was the idea of allowing users to create their own policies governing the use of their data that would be presented automatically to any would-be data aggregators they interact with online. In a reversal of the end-user terms of service model, this would create “terms of access” to the users’ data. The user might allow data to be collected only to provide better service in that single interaction, or stipulate that it only be sold for scientific research, or allow it to be used for targeted advertising provided it is deleted after a set period of time.

• It is not enough to create an ecosystem of open standards; there must be an economic incentive at work to prevent the SSI market from centralizing over time. There has been a clear trend over the lifetime of the internet for technologies (for example email) that were conceived as decentralized, open standards to consolidate over time into monolithic, centralized platforms. For the average user it became far more convenient to use Gmail than to host a personal email server. There has to be a plan for this as SSI reaches a mainstream audience.

bit.ly/FPRCMIIW