I cannot make a year-end summary without touching on one of the major identity buzzword acronyms: Self-Sovereign Identity (SSI). The core idea behind SSI is to remove the central authorities which currently issue your electronic identity credentials. People are worried about centralization, both because of surveillance and because the authority has the power to revoke the identity. And of course, the unregulated tech companies such as the “GAFAs” (Google, Apple, Facebook, Amazon) and others are thriving on our personal data. And unfortunately, there is a tendency for governments to advocate for collecting personal data. With SSI, the pendulum is swinging to the complete opposite side, where there is no central authority. The premise of SSI is that I create my own key pair and connect all my information to it. In addition, I can use the magic of Zero-Knowledge Proofs (ZKP; look it up, it is really fascinating) to remain 100% anonymous.
My main concern with these initiatives is that they are too technology-focused and forget the humans in the equation. Back in the 90s, PGP (Pretty Good Privacy) was introduced. I created my own key pairs, which I could use to sign and encrypt documents. And then the PGP WOT (Web of Trust) appeared. The idea behind this was that if Bob trusts Alice, and Alice trusts John, then Bob should be able to trust John. The problem was that this put too much responsibility on the user.
I am not the only one who has lost access to encrypted data because I lost my PGP private key. And I should’ve known better. People are used to having somebody to call when they run into problems (everybody uses the “I forgot my password” function on a regular basis), but with today’s encryption algorithms, there are no back doors. There is nobody to call if you lose access. And no, it is not sufficient to say that you can set up guardians for your keys. Most people do not take backups, even though it is possible.
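The two technical mechanisms mentioned so far, the self-generated key pair that SSI builds on and the “guardians for your keys” that SSI advocates offer as the answer to key loss, are easier to judge once you see what a guardian scheme actually does. The following is an added example, not code from the original post or from Signicat: it splits a private key among guardians with Shamir’s secret sharing, so that any threshold-sized subset of guardians can rebuild the key while a smaller subset learns nothing. The function names, the 5-of-3 parameters and the `guardian_recovery` model of “which guardians actually answer” are assumptions made for illustration.

```python
# Added example (not code from the original post or from Signicat): a key holder
# splits their private key among guardians with Shamir's secret sharing. All names,
# parameters and the sample key are illustrative.
import secrets

# 2^521 - 1 is a Mersenne prime, comfortably larger than any 32-byte key value.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(secret_key: bytes, guardians: int, threshold: int, randbelow=secrets.randbelow):
    """Return one (index, share) pair per guardian.

    The key is the constant term of a random polynomial of degree threshold-1:
    any `threshold` shares determine it, any fewer are uniformly random noise.
    `randbelow` is injectable so a test can make the shares deterministic.
    """
    if not 1 <= threshold <= guardians:
        raise ValueError("threshold must be between 1 and the number of guardians")
    secret = int.from_bytes(secret_key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [randbelow(PRIME) for _ in range(threshold - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, guardians + 1)]


def recover_key(shares, key_len: int = 32):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With at least `threshold` distinct shares this returns the original key bytes.
    With fewer, the interpolated value is essentially random; it almost never fits
    in `key_len` bytes, in which case None is returned. The scheme itself cannot
    tell that too few shares were supplied: the owner must remember the threshold.
    """
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total >= 1 << (8 * key_len):
        return None
    return total.to_bytes(key_len, "big")


def guardian_recovery(shares, responding, threshold, key_len=32):
    """Model the human side: `responding` is the set of guardian indices that actually
    answer the recovery request. Returns the key if enough respond, else None."""
    available = [s for s in shares if s[0] in responding]
    if len(available) < threshold:
        return None
    return recover_key(available[:threshold], key_len)


if __name__ == "__main__":
    # Constructed sample key standing in for the user's real private key.
    my_key = secrets.token_bytes(32)
    shares = split_key(my_key, guardians=5, threshold=3)
    print("3 of 5 guardians respond:", guardian_recovery(shares, {1, 3, 5}, 3) == my_key)
    print("2 of 5 guardians respond:", guardian_recovery(shares, {2, 4}, 3))
```

The point of `guardian_recovery` is the one the post makes: the mathematics is sound, but recovery still depends on the owner having chosen guardians, having distributed the shares out of band, and three of those people still being reachable and cooperative years later. None of that is enforced by the code, which is exactly why “you can set up guardians” is not the same as “people will have a working backup”.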
Another issue is anonymity. If you ask most people, they would agree that what you do should not be tracked, including in cyberspace. However, most people would also agree that if you are a criminal, it should be allowed to track you, which is what we do with wiretapping, based on a court order. True anonymity for you also means true anonymity for the bad guys. In general, if you do not follow the rules or regulations, it must be possible to hold you accountable.
I am a strong believer that we need trusted entities to help us manage our digital lives, as we also do in physical life. (I like to believe that even anarchists have somebody they trust.) I like to call these trusted entities ICs (Identity Custodians). Personally, I would be happy to have my bank as my IC. Others would choose the government. It could be a notary, your insurance company, or even private companies that specialize in this area. Each person should be able to choose. And switch, just as you can switch bank accounts.
In summary, we are becoming more digital. Service providers are looking at the complete digital identity journey in order to offer new and better services for existing and prospective customers. In the Nordics, we access private and public services digitally more than physically, yet this does not replace the ability to get physical support when needed.
Anyone who has ever known a human being for any length of time knows this. People forget passwords and credentials and do not create backups. New technology that relies on fallible people to keep credentials safe, as SSI does, comes with undeniable risks.
John Erik Setsaas
VP of Identity and Innovation at Signicat
January 01 2020