Skip to main content

Self-sovereign identity: what is it and how does is protect personal data?

30.07.2021
Niels van Dijk
Opinion

What are the technical characteristics, possibilities, and challenges of self-sovereign identity? Discover it in this opinion piece by guest author Niels van Dijk from SURF, the collaborative organisation for ICT in the Dutch education and research field.

Technical exploration Ledger-based self-sovereign identity
With self-sovereign identity (SSI), users own their data - instead of the educational institutions or the governments, who generate or store the users' data, for example. Users themselves determine which data they share and with whom. 

Users are in control of their data
Self-sovereign identity (SSI) is a new concept in which users are the owners of their personal data and determine which information they share and with whom. They collect their profile information (e.g. date of birth, diplomas obtained) from multiple authoritative sources (providers, e.g. the Personal Records Database (BRP) in one digital wallet. They can selectively share this profile information with a recipient (service). This makes the SSI model very attractive from the point of view of privacy and data protection.

Current situation causes limitations and hassle
The current model for an authentication and authorisation infrastructure (AAI) within research and education is based on a federated identity. The institution (identity provider) creates and manages the user's identity. This means, however, that the identity provider (the educational institution) determines how and where the identity may be used.

By definition, this leads to restrictions and hassles: end users must maintain an increasing number of different identities and go through time-consuming processes to prove that they are who they say they are. Furthermore, services have to incur additional costs to reliably re-establish identity and profile information.

Wallet as central proxy
The only scalable way to combine profile information from multiple sources is via a central proxy. But this brings new challenges around availability, security and data protection. By using the end user wallet as a kind of proxy that aggregates all personal data, the SSI model can help avoid many of these problems.

Privacy and data well protected
The SSI model is very attractive from a privacy and data protection point of view. Users have direct control over the release of their personal data. Also, unlike with federated identity, the data exchange does not take place directly between the provider and the recipient, but via the end user's wallet. As a result, a provider cannot see, for example, which services the user logs into, at what time, how often, etc.

Implementation via ledger

The SSI model presents a number of challenges. The most important is that trust must be built up between recipients and providers. To achieve this, SSI introduces the concept of a verifiable data registry, which is typically implemented via a distributed ledger or blockchain. This immutable registry contains all transactions, but not the personal data itself, so that each new transaction is verifiable.

Exploration into the applicability of self-sovereign identity

We examined the (technical) features, standards and implementation of an SSI solution using a blockchain-based verifiable data registry. We also assessed the maturity and usability of a blockchain-based solution by deploying and testing it with other components in the AAI ecosystem, in accordance with use cases we collected.

Conclusions are positive

In general, SSI's privacy-preserving nature, end-user control over the sharing of personal data, and trust model align well with the public values typical of education and research. The platform we used (based on Hyperledger Indy) allowed us to successfully execute all use cases. The platform fulfils the promises of SSI: it is privacy-preserving, scalable and secure. However, the user interaction and interfaces are the weakest part of the ecosystem and will need a lot of attention.

About the author

Niels van Dijk is a Trust and Identity expert at SURF, the Dutch National Research and Educational Network. He typically works on the forefront of new service development and is a keen innovator who takes a holistic view on creating novel services. In recent years, Niels was instrumental in the inception and creation of services like SURFconext, SURF Research Access Management, eduTEAMs and InAcademia. Niels is also heavily involved in the international activities of SURF. Next to actively participation in community and standards development groups like REFEDs and W3C, he leads the Trust and Identity Incubator in the pan-European GÉANT project.

This article was originally published by SURF. Access the original here

Self-sovereign identity: what is it and how does is protect personal data?
Image credit:
(c) 2021, SURF

For questions and comments, please visit our forum on Futurium.