ReCheck Contributes to INATBA’s Position Paper on Decentralised Identity


Our CEO, Emiliyan Enev, who actively takes part in the INATBA Identity Working Group, is one of the contributors to INATBA’s official Position Paper on Decentralised Identities. Here are some of the highlights of the text, focusing on the benefits of adopting the concept of self-sovereign identity and the challenges of making it completely functional and widespread.

Decentralised Identity: What is the Future?

Self-sovereign identity (SSI) is a new approach to digital identity that is based on the principle that individuals should be in control of their digital identity and all its associated data. SSI has the potential to solve some of the biggest digitization challenges that we face today.

The great value of SSI is that it allows returning ownership of digital identities back to the individuals in a way that they can control the core functions of that digital identity. The change in how digital identities are managed will lead to a shift in the way society experiences its “digitised life”.

SSI can be used for almost all online processes, from simple authentication requests (e.g., service log in), to requests such as filling out forms digitally. Furthermore, as it is built on open standards and specifications, SSI holds the potential to be interoperable.

What are the benefits of SSI for the business?

  • Increase Data Quality and Interoperability: SSI aims to dismantle fragmented data silos by making data directly accessible to its associated users. Thus, service providers can directly interact with users to obtain relevant data.
  • Automate Processes: Many processes are not sufficiently digitised, and the lack of interoperability between systems makes the progressive automation of processes largely unfeasible. SSI can change that by making identity attributes available in a digital format that can be reused in different contexts.
  • Security and Fraud Prevention: SSI has strong security properties due to its usage of cryptography (signatures and digital identifiers), which makes fraud and counterfeiting practically impossible.
  • Save Costs: SSI can significantly improve the efficiency and effectiveness of processes while reducing operational costs related to data processing and data verification. Users can streamline onboarding and authorisation processes because the individual is able to provide the verifiable identity attributes needed for authorisation, such as diplomas, qualifications, or clearance levels.
  • Privacy and Compliance by Design: As users are put in control of data, SSI is designed in the spirit of current data protection laws.
  • Encourage Innovation: SSI enables people and organisations to exchange all kinds of data in a way that mitigates the risk of data leaks and breaches, and in which no party can prevail over the other or lose its competitive edge.

Areas of work and challenges

Interoperability and Standards

In the concept of SSI, interoperability means that users can benefit from SSI in a vendor- and technology-agnostic way. Technologies and programs should be interchangeable and compete based solely on their merit. That is why the industry requires vendor- and technology-agnostic use of SSI, at least within the scope of relevant standards such as Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs). Ultimately, users should choose what technologies they use: blockchain, DID methods, VC/proof formats, protocols for data transfer, and encryption.

Interoperability will give end users freedom of choice, and it is also a necessity for SSI itself. Without interoperability, many of the challenges in digital identity management that can be solved by SSI lose their effectiveness. Solving the interoperability challenge means enabling various solutions and applications to interoperate and use different lower-level technologies.

A consensus must be reached regarding which SSI building blocks are to be standardised and thus be made interoperable by default. Standardisation must be achieved via open standards and active collaboration among stakeholders rather than by market domination, even if the dominant approach were open source.

Governance

Governance, in the concept of SSI, is the set of rules that defines how trust between any two peers is established and maintained in the digital landscape. An overall Governance Framework will define business, legal and technical policies that satisfy each stakeholder’s needs in the identity ecosystem. These policies are foundational in establishing trust in the ecosystem, which aims to bind cryptographic assurance at the machine level with human trust at business, legal, and social levels.

Digital identity is not solely a technological building block. Governance decisions and legal accountability are also essential elements in establishing the trust that underpins the identity ecosystems where SSI can exist.

For SSI to further advance, ecosystem partners must adopt Governance and Technology Frameworks that meet their needs and provide the digital identity trust that the internet generally lacks.

Government authorities should provide services and laws that enable the issuance of trusted digital attributes to the highest identity assurance levels. This will allow for authentication that meets the highest levels of authenticator assurance.

Security

When dealing with digital identity, data security is of key importance. A loss of confidentiality, accessibility, and integrity can have severe consequences for the ecosystem: data breaches weaken trust; not being able to provide parts of an identity can prevent essential transactions, such as bank transactions, from being performed; and a lack of integrity could result in identity theft or fraud.

The following recommendations can help vendors, manufacturers, users and the ecosystem improve security in the system:

  • Regulators should encourage the certification of products, services and processes against existing cybersecurity certification schemes and support the consolidation of standards.
  • Relevant agencies should update their guidelines, considering all new protocols and algorithms proposed as de facto standards in decentralised identity ecosystems.
  • SSI implementers should follow best practices when using cryptography technologies, favouring thoroughly tested algorithms and protocol implementations.
  • Vendors, manufacturers and users should promote the deployment of public repositories containing disclosed vulnerabilities, security best practices and designated methods to mitigate common security risks.

Privacy and Data Protection

The current centralised data infrastructure is responsible for a growing number of privacy and security scandals, leading to weakened trust in centralised identity providers. As individuals’ awareness of privacy, and the value they place on it, increases, governments and businesses are starting to value the great capabilities that SSI offers: its increased privacy and data protection levels and user control.

As part of SSI’s design, users are put in control of data, which conforms to current data protection regulations. In the EU, GDPR regulates users’ data rights. However, not every approach to SSI, particularly not every blockchain design, is in compliance with the existing laws, especially regarding certain rights established by the GDPR, such as the right to be forgotten.

Another major obstacle is cross-border data sharing, which is made extremely difficult due to different jurisdictions and standards concerning country-specific privacy and data protection.

Privacy, data protection and the anonymisation of data are key aspects of the GDPR personal data framework. It must be clarified whether the cryptographic standards used in SSI protocols are sufficient for data to be considered anonymous. If not, official bodies will need to provide guidance on the technical and operational measures required to reduce possible user profiling.

Ultimately, data protection and privacy standards must remain strong and protected from corruption. SSI enables the digitisation and usage of an even greater amount of personal data and – if unchecked – may cause severe harm as far as citizens’ privacy and autonomy are concerned.