A few years ago, Christopher Allen wrote one of the few early foundational articles on Self-sovereign identity. In his article, he laid down ten principles that any SSI(Self-sovereign identity) based identity system must follow. Years later, when SSI is indeed a reality, we go back to these guiding principles, wherefrom the journey started:
Users must have an independent existence.
Be it you, me, or even an IoT device, all of us can use Self-sovereign identity, irrespective of geographical location, race, government, etc. The only condition is to exist in the real world and possess an identity. This identity can be anything that describes us, our name, age, etc. For a non-living entity, it could be the device ID. SSI facilitates the management of the identity already existing in the real world.
Users must control their identities.
Individuals must have ultimate authority over their identities. Users can share, update, or even hide information at their convenience. That being said, organizations or governments can make claims about the user, but they do not form the person's complete and only identity.
For example, the government issues a voter card to your wallet. Neither the government not anyone else can change any data on your voter card. And as with a physical card, you can choose how to use it. Once the credential is in the user's wallet, it belongs solely to the user.
Simply put, you are the owner of your data, and you choose when, where, and how you share your data.
Users must have access to their own data.
Access takes two meanings here, one for you and the other for anyone wanting to use your data. You have access to all data about you.
Hypothetically speaking, even if you were to sell your data, no one could restrict your access to your data (not even the government), irrespective of the consequences.
For example, a food delivery company wants your geographical location and age to show relevant eateries and bars in your area. The only way for the company to access your data is to get explicit permission from you.
Systems and algorithms must be transparent.
Self-sovereign identity is a fairly transparent system based on open protocol standards and available for everyone to review. This doesn't mean that your data is available for everyone to see. On the contrary, it ensures that your data is guarded and the system follows the best practices. This ensures that any updates or changes to the system are updated and publicly available comprehensibly.
Identities must be long-lived.
Although you cannot change claims made by different entities about you, you can choose which claims are helpful for you and form your identity. The point is, claims and identity are disjoint from each other. While identity remains for a long time, claims might change over time.
This does sound a bit confusing. What do I mean by forming your own identity? Let's look at an example.
Say you want to apply for a job. Possibly, your company does not require all your personal identity documents (or attributes such as gender, place of birth, father's name, and so on) but more of your professional documents (certificates, degrees). This forms a part of your overall identity, a mix of personal and professional identity. You can choose not to share any irrelevant data from your general identity.
Years later, you earn another degree. This would change your educational qualifications (or claims about your highest level of education), but your general identity remains.
Information and services about identity must be transportable.
User identity cannot be restricted to a single platform or an identity provider. Even if you were to move from Delhi to London, your identity would remain with you. Your claims remain intact. Irrespective of geographical location or government, you hold and control your identity.
Identities should be as widely usable as possible.
SSI is not just limited to issuing and sharing ID cards. SSI can support multiple use cases and allow organizations to use and build on the system as per their needs.
Some scenarios might be:
If you need to apply for an insurance claim, a credential shared by the hospital to your digital wallet would be acceptable. Not only would it be easier for the insurance company to verify your claim, but it would also be much more convenient for you and the hospital.
Similarly, a degree issued by your college to your wallet can be shared with a company during a job application.
SSI ensures efficient communication both inside and outside the organization.
Users must agree to the use of their identity.
The process of expressing consent must be deliberate and well-understood by the user.
Organizations require your explicit consent to use your data, which can only be used as requested. If this data were to be used for any other purpose, they would require your consent again.
Let's look at the previously discussed food delivery example. If this company were to use your data for any other purpose, say, to share your age with the restaurants, they would require your permission again. Moreover, they cannot have any hidden clauses; the process must be transparent.
Disclosure of claims must be minimized.
A minimal amount of personal data must be disclosed to accomplish the task. If only your name is required, you don't need to share your age. Credentials are no longer rigid; you can choose what to include and what not to include before sharing it with anyone.
The rights of users must be protected.
No matter what the situation, a Self-sovereign identity is committed to putting your privacy before anything else. It is designed to prevent any tampering or monitoring.
Trential believes in this philosophy.