On sovereignty and identity

Self-Sovereign Identity is a hot mix of politics and technology.

SSI embodies a false intuition about ownership of data. It’s perfectly fine as a self-help slogan to suggest people “own” their digital identity, like they should “own their health” or “own their career”. Of course we should take more interest in these things and strive to participate in them. But this metaphorical Nietzschean ownership cannot be taken literally.

The late great Kim Cameron — the author of the Laws of Identity and one of the most respected leaders in our field — once said that self-sovereignty reminded him of “hillbillies on a survivalist kick” (ID2020 Summit New York City, September 2018).

There are positives. The SSI movement is associated with some powerful building blocks, all based on public key cryptography. Some are new and some are very old. but have been given an energetic new spin.

It’s great to be focusing again on private key media, pluralities of key pairs managed in data wallets, and verifiable credentials aka digital certificates. This is an important prelude to the internet of things, where autonomous agents will be using embedded keys in networked devices.

But SSI romanticises identifiers.

It conflates externally issued identifiers with personally expressed identity.

We’ve been using public key cryptography for over 25 years to manage identifiers, to bind the provenance of credentials to people and their digital actions. The technology is sublime in closed but nevertheless globally scalable systems like the GSM mobile phone system and EMV chip and PIN payment smartcards.

There has been a yearning at the same time to give people a digital presence that mirrors, or even might eventually supersede, their real-world social standing.

SSI is political. About 10 years ago we were in the middle of some enormous public-private federations, such as the US National Strategy for Trusted Identities in Cyberspace (NSTIC) and GOV.UK Verify, with grand plans to reuse our identity across healthcare and education and banking and government. The grand free-market federations all failed.

And then, just as awareness and anger was mounting around surveillance capitalism, Bitcoin blockchain came along.

It dawned on us that it’s possible to take control of money, and get more done without government or business, so naturally there was also a sense that we might control our own identities — and with that, control our data.

This sentiment sadly overcooks just how much control anyone can have over data in open systems.

Most data about us is created behind our backs. There’s nothing you can do directly to stop others referring to you, indexing you, identifying you, tracking you. The only way to stop that is to regulate it.

Self-sovereignty is a rallying call. It centres digital identity on the individual. Of course, analogue “real world” personal identity is, well, personal, but digital identity is different. Your many and varied digital identities are mostly about what other parties assert about you (so that in practice they can deal with you unambiguously). This is so different from traditional identity that I frankly find the compound term digital identity to be misleading; people see the “identity” part and can’t help but relate it to the singular personal identity they are intimately familiar with.

The Self-sovereign identity movement seeks to regain our agency in the face of terrible exploitation by digital superpowers. SSI and cryptocurrency are cut from the same cloth. (I have another blog coming soon about the shared political and technological roots of Bitcoin, decentralised identifiers, DIDs, and non-fungible tokens, NFTs).

Yet digital identity takes shape out of relationships. It is never about one person in isolation. Indeed, in some philosophical traditions such as Ubuntu, personal identity too is thought to be formed entirely from the community.

The parties who rely on data about identity — businesses, service providers and governments — have sovereignty too. We’ve known for many years in digital identity that the most successful programs have these so-called “relying parties” at the table alongside end users, because in practice it’s the relying party that carries most of the risk when identification goes wrong.

Historically, in most cases, relying parties or their representatives literally wrote the rules for identification. Commercially sustainable digital credentialing will need a two-sided market, where the separate economic interests of the end-user credential holders and those that rely on those credentials are aligned, and everyone is levied an appropriate fee at the appropriate time.

Most big digital identity federations have failed because they tried to make relying parties change how they do identification, and therefore change how they manage risk. This change would have imposed enormous and unaccounted switching costs.

Self-sovereign identity makes exactly the same mistake. There is little incentive and negative cost-benefit for most businesses to adopt someone else’s idea of who a customer is.

Now, much of the SSI movement has evolved to understand this. I don’t know anyone who advocates for purely self-asserted identity anymore. The agenda has shifted from who to what. We have the technical tools to convey provenance, and to preserve context and relationships when we digitise credentials.

Most work in verifiable credentials now accommodates third-party sources of truth — at least institutional third-party issuers. As the SSI leader Phil Windley says, “there’s no artifact called an ‘identity'” in the SSI ecosystem.

And yet for some reason the movement and the whole industry hangs on to “identity”, knowing deep down, it’s a misnomer.