Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Transitioning to self-sovereign identity

(Alberto Crespo)

The discussion revolved around several core topics regarding ID management and trust issues between individuals, organizations and the government. There is a need to define properly what identity means, which factors define how it can be used and profited from, and what the threats relating to it are.

In SSI there is a need to have an app, a device.

Everyone is currently connected to several networks, offering several fractions of their own ID over multiple devices.

We must make it usable for people of different ages: there is the problem of reliance on a smartphone for elderly people, and of recovery mechanisms.

Decentralized infrastructure and local device synchronization: we need backups. Where off-chain data is stored: close to the citizen for efficiency, in the same country due to regulatory issues.

SSI is about devolution of power (from companies, government) towards individuals. Individuals should be in control of their own data: where it is being stored and what it is being used for. Why shouldn’t they profit from it if someone else is gaining from analyzing that same data?

Fundamental question of what an identity is: classically, reliable identity provisioning critically depends on a link to a reliable source, currently birth and civil registers.

Difference between shallow identity and identity based on interactions, and between slow-evolving data and rapidly evolving data. We need to differentiate the identity that emerges from a trail of data from the identity given by e.g. the government. A point can be made that we show fractions of our ID by being linked to different devices. For example, the set of data stored in the morning on the way to work differs from the one stored on the work device, which in turn differs from the one stored on another device used at home in the evening. All these different parts of the same individual may differ in behavior. Where are the boundaries?

Is being online the only thing that is relevant as opposed to authorizing what your online access is being used for?

Ecosystem: Assets, entitlements, liabilities, contracts… all linked to identity.

A key aspect is the linking of identities, or attributes, under the control of the individual.

A token economy to carry the value of data is a possible solution. Individuals can think of selling data the first time, but it’s not really something that can be controlled after that. Once the data has been sold to one potent buyer, what they will do with it is no longer in the individual’s power.

Discussion of the trust issue: Facebook vs Google! Facebook’s reluctance to share what the data is used for, and how, has caused them a great loss of trust among their customers. Google, on the other hand, seems to offer the user at least the surface feeling of being in control of the data they are sharing - signing the GDPR-compliant regulations.

Reputation is key for individuals to assess trust in the receiver of the data.

Decoupling data from views of data. The latest project from Tim Berners-Lee is an interesting approach.

Make it very clear to the normal user that it is a trust connection that they make: certain parties will see data once the connection is made, and this comes with trusting that the relying party will behave properly.

If there is proper utility and incentive (can be monetary, can be security, can be convenience), SSI will be adopted by end-users, but the incentives need to be established.

Discussion: use of trustless approaches vs the need for trusted parties to anchor trust when keys are generated.