The future of digital identity must be self-sovereign and decentralized | Opinion

It’s hard to define the precise point at which humanity crossed the Rubicon to become digital citizens. (Was it broadband? Smartphones? AI?) All we know for certain is that we are, to all intents and purposes, more digital than we are physical. Our bodies are still flesh and blood, but our minds — where we create art, music, and verse — now reside in the cloud.

As a result, when we talk about digital identity, what we are effectively talking about is ourselves. In the 21st century, you are, to all intents and purposes, the product of the digital breadcrumbs you leave scattered across the web.

Give a man or woman a digital identity, and you give them the means to work, learn, and earn. Take that hall pass away, and you effectively banish them from civilized society. We need only look to China, where getting caught riding without a motorcycle helmet causes your social credit score to drop, impacting your ability to work and travel.

That’s not to suggest that digital identity is inherently dystopian: like all technologies, it is benign. It’s humans who determine whether it’s used as a force for good or bad, to provide access or to restrict it, which is why it’s critical that digital ID serves its owner and not the other way around. Unfortunately, due to fundamental flaws in their architecture, centralized identity systems are incapable of doing this, which is why they’re destined to be replaced by better tech.

The problem with centralization

Centralized ID systems concentrate sensitive data, including biometrics, credentials, financial information, and behavioral history. The more we do online, and the more our lives — from healthcare to education — are digitized, the larger this trove of data becomes. As the weight of all this information grows, so do the incentives for third parties to illicitly access it.

As the disparate digital services we use become interconnected, we will reach a stage where one digital identity can do everything from signing into social media to booking a doctor’s appointment. This transformation will make our lives more convenient. But it will also make them more precarious. Because when all data flows through a single hub, attackers need only compromise one system to access everything. 

All it takes is a sophisticated hacker or a malevolent government for this information to end up in the wrong hands. The outcome could be deplatforming. It could mean exclusion from core services due to “wrongthink.” Or it could mean your credit card details are being auctioned to the highest bidder on the darknet. But it doesn’t have to be this way.

We have the technology at our disposal to build a future in which our data doesn’t have to be piled high in central silos — because it never left our possession in the first place. This calls for shunning centralization in favor of self-sovereign solutions.

Self-sovereignty as a service

Self-Sovereign Identity, or SSI, reverses the power dynamic by giving control back to the individual. It’s your identity, and you own it. But crucially, this doesn’t entail any additional friction from your perspective: you don’t have to master complex technology or assume responsibility for storing your data on a home computer; it’s all encrypted and saved on a distributed ledger with an access key that only you can use.

Trust is maintained cryptographically, with the individual in control of their own access and permissions, while the compromise of one credential issuer doesn’t compromise the identities of every user. This setup doesn’t just benefit users, either: it also means that governments, universities, and institutions can issue credentials but don’t have to store them. 

SSI works because it combines distributed storage inherent to blockchain, which means no more centralized databases stuffed with sensitive information, combined with cryptographic technology that allows the underlying data to be viewed only by authorized entities. Privacy implementations such as Garbled Circuits, as used by COTI, and zero-knowledge proofs allow the validity of the information to be verified without revealing its contents. You don’t need to broadcast your date of birth or passport scan over the internet, in other words, to prove that you’re old enough to order alcohol.

Decentralized ID enables trust while eliminating single points of failure.

Why not now?

If SSI is so good, you may be wondering why it isn’t implemented everywhere. What’s keeping credential issuers from taking the SSI pill? The primary reason for this is that this requires radical change to the way businesses think about data and user access. And change is hard: it’s why the internet is still stuck with password verification, despite its inherent weaknesses having been widely known for years.

The technology is ready, then, but the awareness of its capabilities — and a willingness to implement them — is still not widespread. This will happen, but it will take time; it took more than a decade, after all, for blockchain technology to become widely understood and trusted. Given that SSI is an additional layer built upon this, it will require acclimatization from users and credential issuers alike.

But make no mistake, decentralized identity is the inevitable future of digital ID. With every new database hack and data-harvesting scandal, the case for implementing it only grows stronger. Users require the absolute assurance of confidential verification in the knowledge that companies requesting personal data are verifying only what is necessary, as opposed to collecting vast, retainable profiles. Businesses, meanwhile, must be relieved of the burden of storing all this data while adhering to standards such as GDPR.

Not everything on the internet has to be decentralized. But the way we connect to the platforms and services we rely on every day must be and will be. It’s the only way to create a secure web that works for everyone.