How to Convince Dad* of the Importance of Self-Sovereign Identity
* and your sister and your daughter and your best friend and your nephew
a white paper from Rebooting the Web of Trust VII, Dec 2018
by Shannon Appelcline, Kenneth Bok, Lucas Parker, Peter Scott, and Matthew Wong
One of the major problems with bootstrapping self-sovereign identity is that it requires adoption by a large number of people. Pushing self-sovereign identity from the top down is most likely to result in a technology that’s not actually used; encouraging the average person to demand self-sovereign identity from the bottom up will instead result in the organic development of a vibrant, well-utilized decentralized web-of-trust ecosystem.
This paper addresses that need by offering arguments to a variety of people who might be reluctant to use self-sovereign identity, uninterested in its possibilities, or oblivious to the dangers of centralization. By focusing on the needs of real people, we hope to also encourage developers, engineers, and software business owners to create the apps that will address their reluctance and fulfil their needs, making self-sovereign identity a reality.
“Cogito ergo sum — I think, therefore I am.” —René Descartes
“Identity is a uniquely human concept; however modern society views this concept of identity as state-issued credentials such as driver’s licenses and social security cards, which suggests a person can lose his very identity if a state revokes his credentials or even if he just crosses state borders. I think, but I am not.”
The possibility of losing your identity is a serious problem in the digital world. Vloggers could lose their identities if YouTube closes their accounts, while common internet citizens like you and me could lose a big part of our life if Facebook revokes our credentials. As digital accounts become a major part of our identities, we need a paradigm that allows us to bring identity back under our control.
Self-sovereign identity seeks to be that new model, creating a paradigm shift in an increasingly data-governed world. It puts the individual in control of her identity and prioritizes her privacy. It does so by acting as the root anchor for an individual’s data stream, permitting an individual to manage, store, and control her own data and life. It could become a ubiquitous technology that affects the lives of billions on a daily basis.
This runs counter to the traditional model for online identity, designed from the perspective of the corporation and government, with the needs of the individual being secondary. In the age of "Surveillance Capitalism", personal data is typically abused by large corporations in the never-ending quest for profit, disregarding user privacy and inadequately safeguarding user data. The Equifax hack in late 2017 and the Cambridge Analytica scandal highlight the risks of large, centralized databases of personal information (i.e. honeypots of data), which present high-value targets for hackers.
But how do we convince the average person to move from the old, centralized model to the new, self-sovereign model? We think that this requires proactively fulfilling their needs. To highlight these needs, we’ve created case studies for five people who could be served by self-sovereign identity, if they were only aware of its possibilities. They are:
• Your dad, who is preparing for retirement;
• Your sister, who is a world traveller;
• Your daughter, who is a reckless social media user;
• Your best friend, who is a content creator; and
• Your nephew, who runs a convenience store.
These five people represent a spectrum of use-cases and applications, meant to portray some of the monumental possibilities of self-sovereign identity in the not-so-distant future. They are concentrated in the developed world, because we believe that is where adoption of self-sovereign identity will begin. Some of these use cases are possible now, while others will require a more fully fleshed-out web-of-trust ecosystem.
YOUR DAD IS PREPARING FOR RETIREMENT
Dad is getting ready to retire, which has him thinking more about his financial security. So much is online now! He has to use his laptop computer to pay some of his bills from his bank account, and he looks at his retirement accounts through his browser too. He has a few different logins and passwords, because the different institutions have different requirements. He keeps them written down on a yellow post-it that he hides in his desk drawer.
Recently, Dad has become paranoid about having his money stolen because his best friend got phished by someone claiming that their Microsoft Windows installation needed updating, which let the hackers install a keylogger on their computer and steal some money.
Though Dad finally traded in his flip phone for a smartphone last year, he doesn’t use it for anything but reading news stories and text messages.
“I hate having to log into so many financial accounts.”
The Problem. Dad gets annoyed at all these confusing accounts and logins and passwords. He’d like to have a single account that accesses all of his financial services and he’d prefer not to need a login and password for it at all.
The Solution. Using his self-sovereign identity, Dad can federate logins to various financial services. He accesses it using biometrics: he just looks at his smartphone’s camera, it scans his face, and then the smartphone verifies his identity to his laptop. This gives him access to all of his federated financial accounts without needing to type logins or passwords. An app on his laptop consolidates all of the information from the accounts and allows him to view his finances, write checks, and free up retirement money.
“I’m afraid someone will steal my money through some sort of fake login.”
The Problem. Dad is especially vulnerable to phishing attacks, in which someone obtains access to his financial account by pretending to represent the financial institution. He lives in constant fear of losing his nest egg: he is concerned that it is impossible to tell the difference between a legitimate representative and a scammer.
The Solution. Because Dad logs in using his smartphone and face recognition, there is no way for him to accidentally log in to a fake portal. The application will take him to the correct site.
“If I get my identity stolen, I’m screwed.”
The Problem. Dad has heard a lot about the ravages of identity theft: attackers stole names, phone numbers, and addresses from Home Depot and stole reams of identity information from Equifax. Dad is afraid that the thieves could use this information to steal his money at his financial institutions or to take out credit or loans in his name.
The Solution. This sort of breach would be less likely in a world of self-sovereign identity because users can safeguard their information under their self-sovereign identity, preventing it from entering large honeypots of personally identifiable information (PII). But, even if a breach were to expose Dad’s information, it wouldn’t affect his access to financial institutions: the PII wouldn’t give access to his accounts without validation from his smartphone; if someone tried to take out a new loan using his PII, the bank or credit bureau would reach out to Dad for verification. Thus, in the world of self-sovereign identity, PII is less valuable and its use is more tightly under Dad’s control.
YOUR SISTER IS A WORLD TRAVELLER
Sis works with Médecins Sans Frontières offering humanitarian assistance. This brings her to dozens of countries, some of which have non-western values. Sometimes she’s been targeted by the authorities, which has put her in jeopardy. She also has occasionally needed to seek treatment in these countries due to the problems that a varying diet causes for her diabetes.
“I’m afraid of losing my passport.”
The Problem. Sis was once forced to leave her passport behind when she had to flee a city: she was afraid to return to her lodgings due to the local authority’s disagreement with MSF. This terrified her, because a passport is expected to be in a traveler’s possession when they are traveling in a foreign country. This left her unable to easily leave the country, which she now felt was hostile to her presence. Replacing her passport was both time consuming and logistically challenging. She is horrified by the idea of repeating this experience.
The Solution. Sis has a digital passport stored on a hardware device that acts as a data store. She keeps it attached to her keychain. She can unlock and transmit her passport data using her thumbprint. If she loses her physical passport, she has this backup. Authorities in some countries may accept it themselves, but otherwise, she can use it anywhere to establish her identity to the local embassy by logging into her government’s online platform.
“I don’t want the police looking at my passport if they stop me.”
The Problem. Due to her country of origin, Sis experienced harassment from the police when they were reviewing her passport. She also endured extensive interviews because of the countries she has visited.
The Solution. When Sis enters a country, the border agents issue digital documents (a verifiable credential) approving her legal status in the country for a certain span of time. She adds this to her self-sovereign identity’s data store. When she is stopped by the police, she uses her hardware device to selectively disclose only her name and the credential issued by the border agents. The police now know who she is and what her status is; they don’t need to know about her country of origin or past travels. The border agents have already verified that information, so she doesn’t need to give it to the municipal authorities.
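One way the selective disclosure described above can work, shown as an added example that is not from the paper's authors: the issuer signs salted digests of each claim, so the holder can reveal some claims and withhold the rest. The salted-hash scheme, the HMAC used as a stand-in for the issuer's asymmetric signature, and all names and sample values are assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. A real issuer signs with an asymmetric key so that
# verifiers hold only the public half; HMAC is a standard-library stand-in.
ISSUER_KEY = b"constructed-border-agency-demo-key"

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(),
                    hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to each claim with its own salt, then sign the digests."""
    salts = {name: secrets.token_hex(16) for name in claims}
    # Sorting hides the order in which the claims were listed.
    digests = sorted(_digest(salts[n], n, v) for n, v in claims.items())
    credential = {"digests": digests, "signature": _sign(digests)}
    return credential, salts  # the salts stay in the holder's data store

def present(credential, claims, salts, reveal):
    """Holder: disclose only the chosen claims, each with its salt."""
    disclosed = [[salts[n], n, claims[n]] for n in reveal]
    return {"credential": credential, "disclosed": disclosed}

def verify(presentation):
    """Verifier: check the issuer signature, then every disclosed claim."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["digests"]), cred["signature"]):
        return None  # credential was not issued by this issuer
    verified = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # claim altered or not covered by the credential
        verified[name] = value
    return verified

# Constructed sample claims for the border-crossing scenario.
CLAIMS = {"name": "Sis Example", "entry_status": "admitted until 2019-03-01",
          "country_of_origin": "Examplestan", "countries_visited": ["A", "B"]}

if __name__ == "__main__":
    cred, salts = issue(CLAIMS)
    shown = present(cred, CLAIMS, salts, ["name", "entry_status"])
    print(verify(shown))
```

The per-claim random salt is what keeps a verifier from guessing withheld values by hashing candidates against the undisclosed digests.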
“I worry that I don’t have all of my health records with me.”
The Problem. Sis has type 1 diabetes and has to ensure her sugar levels remain stable. If she were to have a medical emergency while traveling, she needs the doctors to know the details of her condition, including her current medications and allergies, without having to carry a sheaf of documents.
The Solution. Sis keeps her medical records on her hardware device. Using her self-sovereign identity, she can protect the information or share it when necessary. In addition, the encoded, digital nature of her medical records makes it easy to translate into different languages.
YOUR DAUGHTER IS A RECKLESS SOCIAL MEDIA USER
Daughter has spent her life publishing pictures, tweeting, and posting on social media services such as Facebook and Snapchat. Now that she is going for job interviews, she realizes that all of her photos of holidays and parties and all of her tweets are a bit more public than she would like.
“I don’t want to show my employer everything.”
The Problem. Daughter is going for a job interview soon and has heard rumors of employers making hiring decisions based on social media profiles. She is concerned over which of her images and tweets will turn up if they access her social media profiles.
The Solution. With self-sovereign identity, Daughter has granular control over who sees what in her social media feeds. When she gives access to potential employers, she gives access to feeds that selectively disclose specific tags.
“I’ve put something online that I can’t take back.”
The Problem. Daughter’s photo blog features a picture of her in front of a popular storefront very near her home. This photo went viral over the weekend, which brought a huge amount of attention to her online presence. Shortly afterward, she got a creepy email from someone mentioning the store she was at and the city it’s in; she’s afraid she accidentally revealed too much about herself.
The Solution. Daughter’s self-sovereign identity is on her mobile phone, and it signs every picture she takes and stores that signature as part of the image f