Naming things is hard. Names that mean one thing when first conceived have the alarming habit of acquiring different connotations as time passes, mostly unexpected and unwanted.
I should know. Twenty years ago, I started my first company in the identity field. It was called Edentity. Back in those happy days, it was easy to acquire the necessary domain names and trademarks. But then we slowly realized that the word ‘identity’ meant different things to different people, and discussions about definitions took forever. Twice shy, we chose a clunky working title for Edentity’s successor, expecting that it would be changed before any public launch. But Personal Information Brokerage Development Ltd is still with us, now known (mercifully) by its initials, PIB-d.
Which brings me to the main point of this post: the term “Self-Sovereign Identity”, or SSI. It’s a lovely image: the individual standing tall in cyber space, controlling how she is known to all comers. But it too is prone to misinterpretation.
First it’s not really about identity. It’s about trustworthy personal data. Start with the idea of a secure and anonymous relationship over a network, a little like – in real life – an individual approaching an organization who knows nothing about them. Then, depending on the context, the individual might be asked to share any number of types of personal data: a ticket to board a train; a qualification when applying for a job; proof-of-age when purchasing alcohol; a Covid immune certificate when seeking access to a building; a passport when opening a new bank account; or just a gift voucher when subscribing to a music streaming service.
Proof of legal identity – such as a passport, or an ID card – is not needed in many of the use cases. Indeed, were an organization to ask for such proof, it might well be breaking the data protection principle of data minimization. To repeat, it’s about many different kinds of data: legal identity is only one of them, and – if the system is well designed – little different in kind to the others.
The second key point is that identity works at two different levels. There’s identity in real life, often formalized by a passport or identity card. And then there are network identifiers, i.e. the means by which one party recognizes another over networks, say an email address over the internet; a phone number when making calls; an account number and sort code if making a payment; or even a social network identifier.
If the individual uses the same network identifier time and time again, when interacting with different organizations, then it can be used by those organizations to link their records without the individual’s control, or even consent. The result is potential for the abuse of privacy, as practised by some large social networks and by spam merchants.
No one would normally call an email address, or a bank account number, part of someone’s identity. Yet they are certainly personal data. It would be good to build digital infrastructure without the need for such multi-party identifiers, making it more difficult for bad actors to link records without consent and so abuse privacy. This too is a feature of the SSI thinking.
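The linkage problem described in the last three paragraphs, and the pairwise-identifier answer to it, is easy to show in code. The example below is added here for illustration and is not code from the post or from PIB-d. It assumes two organizations (a train operator and a streaming service, both constructed names) each holding a record about the same person, and it derives a per-relationship identifier with HMAC-SHA256 over the organization's name, keyed with a secret only the individual holds; that derivation is one simple way of realizing pairwise identifiers, chosen here for clarity, not the only one. Joining the two record sets on the identifier column succeeds when the person reused one email address everywhere and fails when each organization was given its own derived identifier, while each organization can still recognize the same person coming back.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: what each organization holds about the same person.
# Only the "id" column is what would let the two records be joined.
TRAIN_OPERATOR = {"org": "train-operator", "ticket": "LDN-EDI 08:30"}
STREAMING_SERVICE = {"org": "streaming-service", "voucher": "GV-0001"}


def pairwise_identifier(master_secret: bytes, relying_party: str) -> str:
    """Derive a distinct identifier for one relationship (hypothetical scheme).

    HMAC-SHA256 keyed with the individual's secret, over the organization's
    name. The same organization always receives the same value, so it can
    recognize a returning user, but two organizations receive unrelated values
    and cannot compute one from the other without the secret.
    """
    mac = hmac.new(master_secret, relying_party.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def link_records(records_a, records_b):
    """Join two organizations' record sets on the identifier column.

    This is the linkage the post warns about: whoever holds both data sets
    (a data broker, a merged company, two breached databases) matches people
    up purely on a shared identifier, with no consent involved.
    """
    by_id = {r["id"]: r for r in records_b}
    return [(a, by_id[a["id"]]) for a in records_a if a["id"] in by_id]


def linkage_with_shared_identifier() -> int:
    """The individual hands out the same email address to everyone."""
    email = "alice@example.com"  # constructed sample value
    a = [dict(TRAIN_OPERATOR, id=email)]
    b = [dict(STREAMING_SERVICE, id=email)]
    return len(link_records(a, b))  # 1: the records are linked


def linkage_with_pairwise_identifiers(master_secret: bytes) -> int:
    """The individual presents a different derived identifier to each party."""
    a = [dict(TRAIN_OPERATOR, id=pairwise_identifier(master_secret, "train-operator"))]
    b = [dict(STREAMING_SERVICE, id=pairwise_identifier(master_secret, "streaming-service"))]
    return len(link_records(a, b))  # 0: nothing to join on


if __name__ == "__main__":
    # The secret lives only with the individual (for instance in a wallet app).
    secret = secrets.token_bytes(32)
    print("records linked with a shared email:   ", linkage_with_shared_identifier())
    print("records linked with pairwise identifiers:", linkage_with_pairwise_identifiers(secret))
```

The point of the derivation is that stability and unlinkability are not in tension: the train operator sees the same identifier on every visit, yet nothing it stores helps the streaming service, or anyone who buys both databases, work out that the two records describe one person.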
So Self Sovereign Identity (SSI) or User Control of trustworthy personal Data (UCD)? It doesn’t matter very much. We could call the approach a banana, as long as we are all talking about the same thing. But I know which I think creates understanding more quickly.