Identity Solutions for the Internet: Part 2

Felix Hildebrandt
Published in KEEZdao · 12 min read · Feb 14, 2022

This article is the second part of Development of Identity Solutions for the Internet. If you want to read how the internet has evolved in managing identities and which problems arose, you may go back to the first half.

New Approaches on Digital Identities

Web3 can be seen as the next evolution of the internet and defines a more decentralized way of handling data. The transformation incorporates fair and equal relationships between users and services. One part of the evolution is using blockchain networks as the underlying infrastructure. A blockchain, in this context, can be described as a public network of computers connected and run by individuals around the globe. A blockchain operates without the need for servers controlled by a centralized entity. This technology is both secure and immutable through complex cryptography, making it nearly impossible to falsify the information being written or change the stored data. It is the digital equivalent of etching in stone, enabling users to truly own information and allowing that information to represent something of value.

Unlike the transition from Web1 to Web2, where software engineers made improvements to enable interaction, the new Web3 era tackles the fundamental backend technology. The current internet consists of copies of data for everything we do and transfer. We leave long traces of data originating from various devices and submitted to multiple service providers that store the information on servers they control. That data isn’t verifiable or in our possession. It doesn’t have a fingerprint or a signature, and we don’t carry it with us. The great advantage of blockchain is that it enables users to sign, transmit, and verify data between individuals and organizations without giving them ownership. Actions on the blockchain refer to an actual address of an account that you own, not just a device connected to a service provider. Through blockchain accounts, multiple parties can request and verify the same data about a person without actually needing to be entrusted with that data. The goal of decentralized networks is to give the power of data back to the people.

The advanced security provided by cryptography allows us to abandon the inadequate protection offered by centralized servers, allowing for a safer, user-centric technology. Instead of username and password, public and private keys are used within a digital wallet. Everything a user does on the network is transferred back to their wallet address. Public keys represent a human fingerprint. It identifies you, and you leave traces of it where you go. A private key represents your handwritten signature. You decide when it’s used, and it verifies who you are.

Individuals in the physical world share relationships. They do not belong to anyone. They exist in the collective consciousness of those sharing the connection. In the Web2 digital world, there is no technology to emulate that independent consciousness that enables sovereignty. Companies and services connect the data and facilitate the relationship between individuals. At most, users can only gain more rights to access certain data functionalities that represent them. Complying with regulations and checking up on the integrity of personal data is a lot of work for both the user and the service. With blockchain, users can verify other participants’ data independently simply by providing their verifiable credentials via decentralized identifiers. With the help of cryptographic procedures like zero-knowledge proofs, we could even prove offline user data without revealing it directly.

Peer-to-peer blockchains also introduce a more resilient and secure network. Instead of a company running a server, individuals simultaneously run the software and verify the information. Such networks can lower companies’ system administration and IT security costs because users hold their identity data independently.

When running decentralized applications on top of blockchains, there is a huge trend to make source code public so everyone can adopt and build with it. Transparency raises the trust participants have in the software. Open source is especially important for public blockchain networks because their governance depends entirely on the accepted protocol consensus, and everyone should have the right to verify the code.

Like ownership in the real world, blockchain brings more responsibility to the user. Therefore, more user-friendly concepts need to develop over time for a seamless transition into blockchain tech. As Alex Preukschat and Drummond Reed describe, the idea of Self-Sovereign Identity (SSI) is “the best overall analogy. It’s how we prove our identity in the real world: by getting our wallets out and showing the credentials we have obtained from other trusted parties. The difference with decentralized digital identities is, we are doing that with digital wallets, digital certificates, and digital connections.”

Figure: Web3 Identity

There are three prominent roles within the network: an issuer, a verifier, and the actual user. As in the real world, the user owns the wallet and requests a credential from the issuer. After the request is fulfilled, the issuer signs the certificate on the blockchain that refers to the user’s wallet address, providing proof that the new identity-related data is authentic. The holder can now use services that need those credentials. For instance, they could use a passport before a trade. The verifier, in this case, the exchange provider, will request the newly acquired credential and verify the issuer’s signature before the deal is transacted.
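The issue-and-verify flow described above, sketched as a Solidity contract. This is an added example, not code from the article or from any identity standard; `CredentialRegistry`, its functions, and the revocation and expiry handling are assumptions that go beyond the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration (hypothetical contract): the issuer's own transaction
/// acts as the signature over the credential.
contract CredentialRegistry {
    struct Record {
        uint64 issuedAt;  // 0 means "never issued"
        uint64 expiresAt; // 0 means "no expiry"
        bool revoked;
    }

    // issuer => holder wallet => credential hash => record
    mapping(address => mapping(address => mapping(bytes32 => Record))) private records;

    event Issued(address indexed issuer, address indexed holder, bytes32 indexed credentialHash);
    event Revoked(address indexed issuer, address indexed holder, bytes32 indexed credentialHash);

    /// Called by the issuer. msg.sender is authenticated by the issuer's
    /// transaction signature, so nobody can issue in another issuer's name.
    /// credentialHash is assumed to be a salted hash of the off-chain
    /// credential, so the chain holds no personal data.
    function issue(address holder, bytes32 credentialHash, uint64 expiresAt) external {
        require(holder != address(0), "holder required");
        require(expiresAt == 0 || expiresAt > block.timestamp, "already expired");
        Record storage r = records[msg.sender][holder][credentialHash];
        require(r.issuedAt == 0, "already issued");
        r.issuedAt = uint64(block.timestamp);
        r.expiresAt = expiresAt;
        emit Issued(msg.sender, holder, credentialHash);
    }

    /// Only the original issuer can revoke, because the lookup key is msg.sender.
    function revoke(address holder, bytes32 credentialHash) external {
        Record storage r = records[msg.sender][holder][credentialHash];
        require(r.issuedAt != 0 && !r.revoked, "nothing to revoke");
        r.revoked = true;
        emit Revoked(msg.sender, holder, credentialHash);
    }

    /// Called by the verifier, which passes the issuer it already trusts
    /// (for example a passport authority) and the holder's wallet address.
    function isValid(address trustedIssuer, address holder, bytes32 credentialHash)
        external view returns (bool)
    {
        Record storage r = records[trustedIssuer][holder][credentialHash];
        if (r.issuedAt == 0 || r.revoked) return false;
        return r.expiresAt == 0 || block.timestamp < r.expiresAt;
    }
}
```

A verifier additionally has to confirm that the party presenting the credential controls `holder`, for example by having that wallet sign a fresh challenge; the registry only answers whether the issuer vouched for that address.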

As already mentioned, blockchain technology enables the exchange of digital values by using signatures from one wallet to another, but it also allows programs to be integrated on top of the blockchain network. Values exchanged can be anything, from fungible cryptocurrency to non-fungible credentials, artworks, documents, and so on. Some example use cases that further illustrate the potential are:

  • For e-commerce, user registration and payment could be made directly through the SSI, avoiding passwords and accounts. All receipts could be handed out as credentials and written into the blockchain.
  • In the finance sector, citizens could use any bank service on the fly, eliminating bureaucracy and submission of the same forms. If both parties support SSI interfaces, they can exchange their required credentials and even use multi-signature for essential documents and high-value transactions.
  • Health documents could also be shared instantaneously, providing consent for medical procedures. There could also be lifetime histories of medical records on the blockchain, verifiable and ready to share with other providers.
  • While traveling, individuals can document boarding passes and checkpoints to verify places visited in the past. Even tickets for airlines, hotels, trains, or music could be automatically connected to someone’s wallet, as well as any reward programs or digital content associated with those tickets.
  • As the last example, different interpretations of SSI could be used to fully digitalize grade certificates, transcripts, or student IDs across schools and universities.

Downsides

Like in the real world, both sides will always show their verifiable credentials to ensure instances are the ones they claim to be. As expected, users could manage every example directly from the smartphone, fully self-sovereign, but only if all participants accept one ledger system. The adoption of decentralized solutions is always tied to network effects. Getting most services to use one SSI standard could be an obstacle. Another obstacle is the availability of internet access. Data cannot be verified offline, especially for passports. New approaches to internet availability, like satellite meshes, could solve this and make the internet accessible to every corner of the world. Such a solution is currently in an early release from Starlink.

Another problem is scalability. Fully decentralized blockchains suffer from limited throughput and very high utilization, resulting in increased operating costs. Eventually, we could solve this with complex cross-chain technologies or split different branches into separate networks. The final problem is managing keys for wallets, which are the single point of failure but are needed to operate the SSI software. A new software approach that addresses this problem is described in the next section.

Contract-Based Accounting

In the future, users could freely manage a lot of digital information about themselves. Still, there are several issues with the current system of using private keys to secure that information. Only one private key can belong to one account. If a private key is missing, assets held within the account can only be recovered by one specific backup phrase. The dilemma puts extreme importance on attaching an address to a person or device during the blockchain onboarding process. No one should ever base their whole identity on one password, nor should they do it with their assets. Also, regular blockchain accounts cannot store data on their key’s address, meaning no one knows about the persona behind it until they reveal themselves. There needs to be proper accounting to organize all verifiable identity credentials, which is why traditional key-based accounts on the blockchain are transitioning to more advanced implementations.

We talked before about running applications on top of the blockchain. The functionality of these applications, combined with wallet keys on the user side, can enable user profiles that make identity solutions much easier to maintain. Users could store additional information and connect multiple keys and devices to the same account. Having exchangeable keys is valuable to users because they can now have backups to access their digital identities.

Blockchains based on the Ethereum Virtual Machine have programmable instances called Smart Contracts, which users can execute by sending a transaction from a wallet. Through these smart contracts, fully manageable identity ecosystems could develop. All devices or wallets connected to one account can speak as one combined identity. With the addition of a key manager, individuals can even give permissions to control identity data to multiple devices, individuals, or services.
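A simplified contract account with a key manager, showing how several keys with different permissions can control one identity and how a lost key is revoked. This is an added example, not the ERC725 or LUKSO implementation; the contract name, permission constants and functions are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/// Added illustration: hypothetical and simplified, not the ERC725 or LUKSO code.
contract KeyManagedAccount {
    uint8 public constant PERM_MANAGE_KEYS = 1; // add, rotate or revoke keys
    uint8 public constant PERM_SET_DATA = 2;    // edit profile data
    uint8 public constant PERM_EXECUTE = 4;     // move assets, call contracts

    mapping(address => uint8) public permissions; // controller key => bitmask
    mapping(bytes32 => bytes) public data;        // information stored on the account
    uint256 public managerCount;                  // keys holding PERM_MANAGE_KEYS

    event PermissionsChanged(address indexed controller, uint8 mask);

    constructor() {
        permissions[msg.sender] = PERM_MANAGE_KEYS | PERM_SET_DATA | PERM_EXECUTE;
        managerCount = 1;
    }

    modifier onlyWith(uint8 perm) {
        require((permissions[msg.sender] & perm) != 0, "missing permission");
        _;
    }

    /// Connect a new device or service, change its rights, or revoke it (mask = 0).
    function setPermissions(address controller, uint8 mask) external onlyWith(PERM_MANAGE_KEYS) {
        require(controller != address(0), "controller required");
        bool wasManager = (permissions[controller] & PERM_MANAGE_KEYS) != 0;
        bool willManage = (mask & PERM_MANAGE_KEYS) != 0;
        if (wasManager && !willManage) {
            // Refuse to drop the last managing key; the account would be unrecoverable.
            require(managerCount > 1, "last key manager");
            managerCount -= 1;
        } else if (!wasManager && willManage) {
            managerCount += 1;
        }
        permissions[controller] = mask;
        emit PermissionsChanged(controller, mask);
    }

    function setData(bytes32 key, bytes calldata value) external onlyWith(PERM_SET_DATA) {
        data[key] = value;
    }

    /// The account itself acts on-chain, whichever authorised key signed the transaction.
    function execute(address to, uint256 value, bytes calldata payload)
        external onlyWith(PERM_EXECUTE) returns (bytes memory)
    {
        (bool ok, bytes memory result) = to.call{value: value}(payload);
        require(ok, "call failed");
        return result;
    }
    receive() external payable {}
}
```

If a device is lost, any remaining key with `PERM_MANAGE_KEYS` calls `setPermissions(lostKey, 0)`, and the account, its data and its assets stay intact.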

Figure: Contract-Based Accounting

This single contract account can then manage digital assets like regular key-based addresses. Blockchain pioneers discussed the initial idea of contract-based accounting within the early days of the Ethereum blockchain in 2014. However, they dropped it because of the early smart contract functionality’s complexity and black swan potential.

In 2017, identity was first standardized as ERC725 on the Ethereum blockchain and further developed by Fabian Vogelsteller. Because of the utilization of the Ethereum blockchain, it would be too expensive to realize contract-based accounting nowadays. As the energy consumed by our computers costs money, operators running the blockchain want to be compensated for the computation power. Complex contracts generate a lot of transactions, which increases demand on the blockchain and results in costly fees. Not even grand scaling schemes like sharding can provide the throughput needed for managing every human being or device’s identity on one blockchain.

With those problems in mind, the LUKSO project was founded in 2018. The project’s primary goal is to create a new smart contract standards ecosystem that makes public user accounts possible for the creative economy persona. LUKSO is adopting profile structures known from social media into the blockchain world, while offering ease of use on top of the blockchain. It differs from personal identities often included in SSI and creates public accounts with easy onboarding and extended asset management functionalities. Users can freely add personal information to their profile, gain reputation, add credentials, assets, and many other types of information. With the profile’s functionality, even external applications could be attached to store data in their connected vaults. The structure could be perceived as a light identity management system and a new era of self-sovereign platforms. Such standards bring decentralized login mechanisms and usability to the crypto space and open the doors for a variety of attached software solutions, like social media, marketplaces, and the metaverse.

Unlike centralized Web2 systems, services can even eliminate data loss or downtime with blockchain networks if their nodes are adequately decentralized. Personal identities could, at some point, be linked to universal public profiles as hybrid SSI solutions while only gaining access to personal off-chain data via on-chain logins. With the ERC1056 standard, the Ethereum ecosystem already has its solution for personal off-chain SSI data, linking public keys from users to utilize identity references.

Guidelines for Decentralized Development

The pressing question is this: how do we define the ethics and principles by which we can assess software services operating with user data and identity information? The GI, an IT representative in Germany, offers prefabricated guidelines by which standard software should be developed and evaluated. The GI is the largest German non-profit professional society that has promoted computer technology. It has 20,000 members and counts as a member of the Council of the European Societies for computer science. The guidelines have been designed so that professional ethics or moral conflicts are objects of joint reflection. The instructions are intended to guide designing, creating, operating, or using IT systems. Because of the user data-related topic, the guidelines are linked to the SSI context.

The programmed software should be designed and legally verified by people who possess current and comprehensive expertise. Within the blockchain space, programmers should have deep knowledge about the network and governance they build on, as well as their smart contracts. At the same time, constructive criticism is needed, which is amplified through the high transparency within Web3. For the exchange of information, quality communication skills are necessary to evaluate solutions, communicate them to others, and simplify them to an abstract level. Continuous training should be required on this topic, especially for new decentralized identifiers and verifiable credentials. Developers also need legal competence when working with tokens or user data within the blockchain space.

Developers have to adhere to the ethical principles of data protection. Ideally, they should build their applications not just within but on those principles. Ethics also covers how the software is instantiated and brought to the user base. As already mentioned in the last chapter, total transparency, such as open-source code, is mandatory when identifying solutions that claim to be self-sovereign. Users must have the right to prove and modify their digital identity software. Use case possibilities for the identity owner increase as this right is given. We can draw an analogy to the real world of social behavior. Within a modern democratic government, citizens, as individual human beings, can rely on or demand their rights and human dignity. Anyone can express themselves freely, and the political opinions of the majority become the primary focus when developing future governmental plans. To relish everyone’s rights and eliminate upcoming problems, citizens must work as a union to provide and establish futures that reflect brightly. This approach also reduces the risk of exploitation from corporations so that individuals can move on in life with fewer boundaries. Projects should build our digital systems to reflect what we seek in the natural world: empowered individuals who form strong relationships while remaining fully independent.

Current State of SSI and Outlook

The significant advantage of Web3, with its user-centered approach, is its representation of human-like interaction between digital software services. When connected to blockchain networks, SSI can unfold its true potential. These networks are more fail-safe and decentralized, and they act as a store of values.

That being said, user-centered identity management comes at the cost of not being as fast, cheap, and scalable as centralized services. Creating complex systems on SSI-based components requires a lot of transactions and network effects for adoption. Identity standards have not found significant adoption yet. Nick Poulden first released a fully functional prototype of the ERC 725 identity standard on Ethereum in 2018. Seeing the technical concepts brought to life was a huge success, and multiple blockchains are trying to integrate such login functionality into production.

SSI is understood as the new hype in different areas for the development industry: strictly personal identifiers, public profiling, or hybrid variants. Many research facilities are working on various concepts and protocols for citizenships, student organization, financing, travel, new social media, and much more.

The key will be interoperability, which is difficult to determine because standardization must come first. Organizations like W3C are trying to standardize identities with all possible functions across industries. While this will be the final goal, the process will likely take a long time for large tech companies to develop and agree upon one finalized solution and backend technology. Projects like LUKSO take a more lightweight approach by bringing public profiles directly to market and building an ecosystem of contract standards. Various businesses outside the creative economy could adapt, expand or dock onto their standards to make mainstream decentralized services a reality for the younger generation.

Mass adoption will most likely be gradual because existing solutions are convenient and currently functional to use. A downside is that the full-fledged SSI technology needs to be brought to the issuers across all industries, mainly governmental and older establishments.

It will require great new products and ease of use to change the industry. Overall, we are just facing the start of a new era of how digital relationships are managed. Let’s buckle up and watch along.

Felix Hildebrandt
KEEZdao

Web3 Software Engineer at LUKSO, focusing on dApps, nodes, and community.