The Decentralists

Decentralization Education Episode 6: Self-Sovereign Identity

September 09, 2021 Mike Cholod, Henry Karpus & Geoff Glave

This episode is all about Self-Sovereign Identity (SSI), a topic that is near and dear to our hearts. Dr. Geoffrey Goodell, associate professor at UCL and research lead at The Peer Social Foundation, joins us to break down a difficult concept into something we can all understand.

What is Self-Sovereign Identity and how is it different from traditional identity documents?

Henry : Hey everyone, it's Henry, Mike, and Chris of Decentralization Education. Decentralization Education is our short 10 to 15 minute segment where we explain technology terms and topics that we often reference during our regular podcast, The Decentralists. In this episode, we are going to talk about Self-Sovereign Identity. I've heard that term an awful lot, and we've already discussed what identity is, but self-sovereign is a different take on it. I've heard that it may have fantastic promise, but I'd love to learn more. We've got Dr. Geoffrey Goodell with us today again, and we're thrilled to have him. Geoffrey is a senior research associate in the financial computing and analytics group of the Department of Computer Science at the University College of London. He is the convener of the ISO working group on foundations of blockchain and distributed ledger technologies and an academic advisor to the Belgium-based International Association of Trusted Blockchain Applications and the Blockchain for Europe Association. Furthermore, Dr. Goodell is the lead researcher at the Peer Social Foundation, our nonprofit partner focused on education, research, and open-source initiatives, aiming to decentralize digital identity and access for people, business, and government. Thank you for being here, Geoffrey. Could you please tell us a little bit about Self-Sovereign Identity?
 
 Dr. Geoffrey Goodell: Thank you, Henry. Self-Sovereign Identity is really a concept of creating decentralized identifiers for individual persons, users of the system. In a self-sovereign identity system, the users are responsible for generating their own decentralized identifiers and they essentially bind those decentralized identifiers to credentials that they decide. Potentially this can be achieved by thinking of the decentralized identifier as an empty template. Generally, it consists of a randomly generated public key or public/private key pair of which the public key becomes the identity, maybe a similar approach can be used. But ultimately this can be thought of as an empty template that can be used to bind a set of different attributes to each other.
Then when I want to reveal information about myself I can just use the decentralized identifier to reveal what's been bound to it. A benefit of this is that because I am potentially controlling what credentials get bound to that identifier, I might not necessarily need to reveal something that is linked to other aspects of my identity. So it's a tool for potentially creating unlinked identities. It's unlinked because I'm creating this empty template and then I bind credentials to it ex-post.

Henry : It seems like it's completely the opposite of the identity that we currently are so familiar with. I guess the identity that the particular websites and apps that we visit create for us, am I thinking about that in the correct fashion?
 
 Dr. Geoffrey Goodell: It's different in the sense that the identifiers that are generally used to bootstrap an identity in these systems are usually not generated by the individual person, first of all. They are generally bound to some sort of root identity or perhaps a breeder document or something similar like a passport or a mobile phone number. That can be used to anchor this identity to some other credential that's already been established for that person. With the decentralized identity, it's a brand new identifier that the person uses and the person can take measures to ensure that the identifier itself does not reveal any information about the person and that becomes a vehicle for keeping it unlinked potentially. 

 
 Mike :  What you're saying here, Geoffrey, is if identity… because we talked about this in another session...identity is a set of attributes about me, for example. I have a passport, I have a driver's license, I have all these things. If I imagine how my identity exists right now, because I'm a Canadian, there's some Canadian government database somewhere that has all of the federal attributes that relate to me; my address, my tax number, my social insurance, my passport, those things. Then there's a provincial government database that has a bunch of information about me; my fishing license, my driver's license, my health card. What you're saying is what self-sovereign identity would give or promise in an ideal world is that I would have, say a digital identity wallet or something, where I carry my digital identity or my identity. I would be able to have a digital identity that works like a real identity. I could just show them my passport. I would not have to show them something that had a passport, birth certificate, blood type, and all these different things. So self-sovereign is this idea that I could have individual identity attributes when combined that make up who I am, but in the self-sovereign scenario, I could choose to show just one piece to somebody. Like I get pulled over by the police or I go to the store and I want to say, buy a bottle of beer. I have to prove I'm of legal age. I show them a driver's license and I could show them that they could even validate that in some way, but all they would be validating is a driver's license and the age date that's on it. They wouldn't have anything theoretically that would say here's his passport number and here’s his health card and here's all this other stuff. Is that a fair way to describe self-sovereign?

Dr. Geoffrey Goodell: I think that that's what people are using to sell the idea of self-sovereign identity. I think that that in principle that could be achieved, as you've described it. But in practice, I think that there are some challenges with that. In particular, there are challenges around how the system is used. We can imagine that if someone asks you for your passport and you have a decentralized identifier that contains nothing but your passport bound to it, then you could reveal that. If someone asks you for your age and you have a decentralized identifier with a credential indicating your date of birth on it and you could reveal that. It could work that way. But we could also very easily imagine a world in which people generate their own decentralized identifiers. But the questions that people ask for them to prove to create early binding nonetheless. Let me give you an example, suppose that you have a license to go fishing in a particular river, and that license exists in such a way that you can presumably present this license and the authorities will be able to interpret from that license whether it's valid and so on. But let's suppose that the authorities ask a simple question when they ask you to prove, reveal the fishing license and they ask you to prove that a particular passport had been used with the same decentralized identity, had been bound to the same decentralized identity as the fishing license had been. If they ask that question, then even if they're not asking you what the passport is, they might be implicitly asking you to reveal that this decentralized identifier that you've used is the only one that you've got or the official one, or I'm showing you the same face that I'm presenting to everyone else. You can ask these kinds of questions about decentralized identifiers, just as you could ask them about centralized ones. 
When you've done this you’ve effectively encouraged someone to have the same identifier for all of these different contexts.


Mike : Right.


Dr. Geoffrey Goodell: Because you've asked them to prove that link. So even if it's self-sovereign, if you are encouraged to early bind all of your credentials to that same DID then I might argue that the fact that it's decentralized offers you very little.

Mike : The idea is, I’m fishing, if the fisheries and oceans guy, that’s what they call them in Canada, come over and say, show me your license. I show them my fishing license. Then they say, well, now I need you to show some identity to prove that you actually are this person on this fishing license, right? Because a fishing license I fill it in myself. You go on a website, you fill in when you want to fish and what you want to fish for and you buy the right tag. There's no picture. You don't have to put anything on there in terms of a link to who I am or whatever.


Henry : There's no picture. 


Mike : It is me and I've got this license and in the FAO purposes that's enough to fish, right? As far as I know, they don't have the right, necessarily, to ask you for your identity, because you have a fishing license. The way they work it is they walk up onto a boat, if there are three people on the boat and there are three rods in the water, three people better have a fishing license and a valid one. But they don't necessarily get the right to say and prove to me that you're legally in Canada using this thing. What you're saying is you could envision self-sovereignty being an excellent solution for people, because they would be able to actually have a distinct identifier that was a passport, driver's license, fishing license. But because you end up in these scenarios where you could be asked or there could be a requirement that I need to provide not only my passport number but my driver's license. Then basically now, once I've been asked to provide two pieces of information to identify me, I've now broken this self-sovereign chain because I have to link those two attributes together.
 
 Dr. Geoffrey Goodell: To be clear, it's not just revealing your passport number or your driver's license number, but simply revealing that there is a passport or a specific driver's license that is bound to this decentralized identity. It means that you've basically forced the person to have only one official DID. Once you've done that you've basically collapsed all of the possibilities that that person could have potentially different DIDs in different contexts down to always forcing all of these attributes to be bound in one particular way. And the problem with this is that if there is ever some credential that I want not to reveal when I reveal my DID it becomes hard for me to do so because you are going to be requiring that I use the same DID that I use in all contexts. 


You mentioned something else that was interesting, which was this notion of non-transferability, this idea that you could be anyone. I might go as far as to suggest that the challenge with digital identities, in general, is that if you have a digital identity that is read and interpreted by computers, then it must not be of this non-transferrable sort. If you are to remain private and the reason for this is that the information that is used to make the identity non-transferrable is ultimately going to be used to link the credentials to each other. I think that Henry mentioned biometrics or the picture on the passport as a tool for verifying identity. In the human context, the picture on the passport is really simple. I can reveal to you a fishing license that contains my name but doesn't have a picture and I can reveal a passport that has my name and a picture. The human operator can look at both and say ‘Okay well, you have this name and this fishing license has this name and both are valid. So I think it's great.’ That works in a human context because we have a human operator who has certain properties that computers don't. A human operator can forget things, computers don't forget things. Everything that gets read by a computer, I can't verify that it hasn't been stored and saved and potentially used against my interests, whereas humans generally don't do that. Humans also can exercise moral judgment. They know if they're being asked to search for information or reveal information about the persons that they are interacting with. They can choose morally, if we're being moral realists here, we can choose not to report individual persons if doing so would constitute some kind of invasion of privacy and so on. Moreover, humans also have the ability to act upon being given instructions that might be contrary to their moral beliefs. If someone orders a human to correlate data and break people's privacy, the human will say ‘Hey, this is a problem. 
I know that all of these 30 people have been given the same instruction. So I'm going to leak it to WikiLeaks, and I'm going to say that it could have been any of us and then I'm off scot-free’, whereas computers don't have that level of agency.


We have a challenge here with this requirement of non-transferability. Fortunately, most credentials don't actually need to be non-transferrable in order to be useful. Take, for example, money. Money is certainly transferable; it's certainly useful. I can't get that cup of coffee from your shop unless I present you with this money. But some credentials, unfortunately, it turns out that people often want them not to be transferable, such as, for example, border crossings and so on. I would argue that there is a limited set of true cases for which we want credentials to not be transferable. And for those cases, we ultimately want there to be humans in the loop, in general. If we do really need that kind of assurance like a border crossing and we decide as a society that we want to keep records of these sorts of things, then we can do so. But in the case of someone asking me for a ticket to a sporting event and asking for that not to be transferable in the technical, physical sense, rather than simply in the legal sense, we start creating these kinds of problems. This can be used to build profiles of persons, of individual persons' behaviours.
 
 Henry : Interesting. So it seems like we have indeed determined that self-sovereign identity is an improvement, but it's not perfect.

Mike : There’s work to do clearly, Henry. That's a good thing because it keeps people like us in business.

Henry : Absolutely. 


Dr. Geoffrey Goodell: I would say that it's not so much that it's not perfect as that it's not a complete solution. It's a building block. It's a necessary building block because ultimately I need to know that the identifier that's used for my identity is not revealing certain information about me. The only way to know for sure is for me to generate it myself, which is to say, to have a self-sovereign identity. That's not to say that others might not be able to provide an identifier for me that doesn't reveal any information that they could. I just can't prove it. But what really matters is how it's used. We must be sure that we don't attempt to use mechanisms to build non-transferability into systems for which non-transferability can be achieved by policy instead. I think that we're allowing the perfect to be the enemy of the good in situations where higher assurance actually hurts people more than it helps.
 
 Henry : Wow, that's a good way of putting it. Thank you very much, Dr. Goodell, Mike. Another really interesting episode of Decentralization Education. 


Mike : Definitely. 


Mike : Thank goodness we've got SSI as the foundation for Manyone. So I think we're on a good foot. 


Mike : We're starting in the right place. 


Henry : Absolutely. Thank you very much, guys.

Dr. Geoffrey Goodell: Thank you, Henry. 


Mike : Thank you, Henry.