Online identity in 2040 — Scenario building with self-sovereign identity
This blog-post focuses on four different online identity scenarios while highlighting the importance of the adoption of self-sovereign identity solutions. It also provides the reader with an overview of the status-quo before diving deeper into the topic.
The history of online identity. Where do we come from?
In the early 2000’s companies increasingly offered their products and services online and therefore created the need for organizing access for consumers to their internal systems. IAM — Identity access management became part of every online business.
Def: IAM is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Uncontrolled growth in IAM solutions adapted to the specific needs of a legal entity. These were not scalable and had no integrations for similar systems. First, we had siloed identity, then federated identity, now user-centric identity. Growth in cyber-attacks and regulatory requirement has considerably augmented the adoption of consumer IAM solutions among organizations. However, solutions will further increase in complexity due to IoT, cloud computing, increased global internet usage and a multitude of regulatory approaches like the GDPR and CCPA.
What’s the status quo of online identity?
Currently, a log-in with WEB2 works like this:
Access = Email + password (+ 2FA)
A person’s online identity is split among a multitude of companies and organizations, which store their personal data on centralized databases. These honeypots are very attractive and lucrative targets for hackers, which expose this sensitive data in the darknet.
While some countries have excellent access to e-government services like Estonia or Denmark, which tops the e-government development index from the UN, that’s not the case for all developed countries. The limited interoperability between gov. service infrastructures again leads to siloed identity solutions within a supra-national environment like the EU as we currently observe with different eIDAS implementations by different member states.
Identity standardization is missing on all fronts — you can’t simply share a KYC (know your costumer) verification, which you and the banks need to do all over again. On top of that surveillance capitalists offer convenient log-in while violating so many of our rights. To conclude we can say that the current form of IAM costs companies billions while the lack of an identity infrastructure costs our society trillions and something even more valuable: Our privacy, democratic values, and our human dignity.
As an average internet user in a western society you have six options for your authentication management:
- Same password — extremely risky
- Different passwords without PW-manager — confusing AF
- Single sign-on via surveillance capitalists — please don’t
- Use a password manager — best option, still cumbersome
- Bio-metrics like fingerprint — convenient, but not always possible
- Special hardware devices for increased security — inconvenient
Missing verifiability leads to lack of trust in the online world:
Besides the login problem from a user perspective, we also search for a good solution to verify information on the internet. Once we can easily verify that a piece of information comes from source XYZ we can decide on an individual level if we want to allocate trust to this source.
Examples of missing verifiability:
Products without FDA approval get sold as “FDA compliant” (Food and drug administration, USA)
Opportunity of impersonation leads to a rise in identity fraud
Credential fraud like fake diplomas are an ongoing issue.
Lack of standardized proof of identity (KYC) hinders business relations.
Face News and Deep fakes increasingly manipulate public opinions.
Scenario Building with online identity
Now that we laid out the basic backgrounds and issues of online identity in 2020 we can go a step further and do a scenario building for identity in 2040.
We create four different scenarios, identify necessary technology developments, risks and chances and evaluate if the given scenario is realistic. We also use a spider chart to illustrate the five most important aspects of an identity management system for all cases.
The primary source for the scenario building is the German whitepaper of the scenario building done by the esatus AG, a German IAM specialized company and pioneer in the SSI community. Please note that this is not a 1–1 translation. I simplified certain aspects and also added aspects, which aren’t mentioned in the document provided by the esatus AG.
Scenario building: An informed guess by analyzing future events by considering alternative possible outcomes.
Here we take four different scenarios of identity management into consideration:
1. Mega-corporations (MCs)
2. Total government surveillance
3. Identity-chaos
4. Self-sovereign identity
1. Mega-corporations (MCs):
A few powerful companies manage all identities and their access to online services. Whether you want to move to a new flat, get a new job, purchase products online, or enter into a business building — All of it is controlled by a small amount of mega-corporations.
How did we get there?
With increasing reliance on AI-based decision making, surveillance companies with massive amounts of personal data were able to push smaller players out of the market via a commercial integration of vertical and horizontal activities. As a one-stop-service, they satisfy all the needs of the market and provide a super convenient solution to the masses. Over time they took more and more activities normally covered by the government, which has lost control over these powerful mega-corporations.
What technology is behind it?
With increasing staff and user numbers, MCs were forced to automate IAM processes like authorization management. Over time the market increasingly used the services provided by the MCs for the handling of private, public and business-related activities, further establishing their dominant position. Due to technical interoperability and trust between MCs one account is enough to gain access to all services. The storage and transfer of user data is based on cloud infrastructure, which is run by the MCs.
What risks and chances exist?
Due to the centralization of identity sources the creation of new user accounts isn’t required anymore. The solution offered by MCs is well received by individuals and businesses alike. However, the “one-stop service” handling all interactions also represents a single point of failure, stifles innovation and forces society to further adapt their solutions. In this scenario, the state would fate into oblivion and wouldn’t be able to confront the MCs on a meaningful level. For the individual, a refusal to use the services provided by the MCs would lead to social isolation.
How realistic is the scenario today?
Surveillance capitalists already offer user sign-in integrations for other services (single sign-on). The cloud service of Amazon (AWS) is already observing overwhelming growth numbers and is generating substantial profits for the company. Hence, several companies already try to establish a single user-account with increasing access to private, business and public services.
Total government surveillance:
Every individual and technical device is recorded in a government database including metadata, real-life connections, and constant location tracking. Manuel authentication isn’t required anymore due to the omnipresent and connected surveillance system.
When entering a public building or your employer’s office your face is captured granting or denying you access to the facilities. Passwords and access cards a thing of the past, just like queuing up on a point of sale. Cameras are always there to follow your movements and automatically billing your account once you take a product from the shelve.
How did we get there?
Increasing terror attacks and polarisation of political views lead to constant riots, protests, and violence. “Privacy is a necessary sacrifice for protection and security.” was a common government mantra, which people eventually shared instead of prioritizing data protection and privacy.
Which technical developments are behind the scenario?
Machine learning algorithms in combination with bulk surveillance and facial recognition systems. In private areas, biometric identification means are used to access digital services. Every citizen has a unique ID, which is used to allocate a score the individual as obeying or political dissident. Any efforts to circumvent or fool the system are fruitless since the systems will always have the upper hand. Since business surveillance is coupled with the government system an authentication on your workplace isn’t necessary anymore. The system can reliably determine the identity of a person.
What risks and chances illustrates the scenario?
With reliable identification via automated systems, a state can effectively incentivize certain behavior and punish unwanted activities. This leads to fewer riots and violence for the price of privacy and free speech. Furthermore, this solution is very convenient for individuals since the authentication is automated and doesn’t require any additional input like login-credentials or ID cards from the person in the public sector. However, power blackouts and security vulnerability can have far-reaching consequences.
How realistic is this scenario today?
Unfortunately, it’s almost reality. China’s “social-credit scoring” is the most powerful surveillance apparatus in existence enabling multiple aspects of the above-mentioned scenario. But China isn’t alone in this endeavor. London has one surveillance camera for every 14 people, meaning there were 627,707 cameras in London alone in 2019 according to CCTV.cu.uk. While not yet able to relate the footage to a person within a register the capabilities would be there. The NSA also has plenty of data available via surveillance capitalists in the USA. While adoption of the Califonia consumer privacy Act — CCPA offers more protection from businesses spying on people the government agencies would be able to setup a working system given the political will. With amazon’s go stores shopping with automatic facial recognition-based payment is also reality with in western society.
Identity-chaos:
The government and citizens lost control of their digital and real identities. Anonymity and throw-away-identities are the norm.
Day in and out a user randomly generates new a new user name — just to throw it away on the next day. But why the drive of anonymization? Too high is the risk to be a victim to identity-fraud by exposing your real identity to the online world. Everybody knows somebody who already experienced the unpleasant feeling of losing control of one’s own identity. Social media posts in your name, random product orders and ransom attacks, which steal and encrypt your data and demanding cryptocurrencies to get access again. All consequences of exposing your real identity to the internet. What’s even worse? The government can’t do anything about it. This identity chaos is transferred into the real world and freelancers replaced employees.
How did we get there?
With increasing digitalization, the real and digital world melted. The problem is that we failed to establish frameworks for online identity while attackers increasingly infiltrated security systems. The main targets were centralized databases of businesses and governments alike, which contained a trove of personal data — honeypots, lucrative targets for hackers. Users distrusted these practices but also were overwhelmed by the management of their login credentials effectively creating a toxic mixture leading to chaos.
Which technical developments are behind that?
Regardless of the size of a business entity — everybody wanted you to sign-up for their service before actually being able to use it. However, the security of this data was neglected leading to countless accounts being exposed to the darknet. Criminal organizations increasingly turned into data brokers squeezing out as much money from illegal data collection as possible. Government agencies were unable to cope with the issue, since once exposed to the internet it’s impossible to get your data back. Anonymity was the only option left.
Which risks and chances are associated with the scenario?
This scenario would lead to a total collapse of economies and states, while the power vacuums would further increase criminal activities. However, anonymity still has its rightful place for journalists, vulnerable minorities, political dissidents and the average porn-viewer.
How realistic is the scenario today?
The average user already owns 7,6 social media channels with countless more logins for other online services. The password management is a curse and blessing alike. While governments try to enforce a reliable IAM, companies struggle to keep up with the fast pace of technology. The problems are omnipresent and only technology giants and especially surveillance capitalist understand this problem and capitalize on this trend.
But who are you now with no physical identity record and online presence? Probably a refugee from one or multiple of the other scenarios.
Self-sovereign identity 2.0:
With the help of the established blockchain technology and a self-custody wallet for identity usage, people were able to get back their data sovereignty. Authentication works via small devices that you carry around like a ring, your smartphone or an implant. The wallet contains several identity proofs, which can be shown to verifiers like employers, doctors or public services. Every user manages one’s own personal data and can decide on an individual level, which data should be shared with another entity. Furthermore, a user can always monitor and manage 3rd-party-access to their data and revoke these access rights at any time.
How did we get there?
With increasing cyber-attacks and data breaches of personal data, public awareness of the problem increased over time. People demanded more secure solutions to manage their own identity and protect their freedom, privacy, and free speech. Governments actively supported the development of identity frameworks and provided their citizens with fitting legal frameworks. Businesses embraced the new technology standard since it offered new business opportunities and reduced operational costs. Huge efforts were made to educate the public about the importance of the topic.
What technical developments are behind SSI?
While being around for decades SSI really caught traction with the proliferation of blockchain technology. These decentralized data-sets enabled a shared single truth among all participants to register decentralized identifiers (DIDs) for legal entities. For users DIDs preserved privacy rights by being unique for every connection and only pointing to further information on encrypted decentralized storage. The blockchain networks are either run by business- or government consortia with a permissioned “proof of authority” approach or by the public with a more permissionless adapted proof of stake consensus. Due to the standardization of DIDs, verified credentials (VCs) and other components a user can easily switch from one network to another. Additional privacy implementations like Zero-knowledge-proofs (ZKPs) enable the proof of certain information without revealing the actual information, further increasing the level of privacy. Self-custody wallets are the central point for identity management including finance, certifications, educational degrees, proof of citizenship, membership status, etc. Due to open source collaborations and a multitude of wallet providers users can trust these applications, which mitigate manipulation and fraud while preserving civil rights and individuality.
Which risks and chances exist?
Due to the decentralization of critical infrastructure attackers are not able to shut down the system, while simultaneously offering protection from manipulation and identity-fraud. Businesses and government agencies can choose fitting platforms and implementations for their needs while further automating service processes. The average citizen is happy because SSI not only gave back much-needed rights but also facilitates trusted relationships in the online world. However, data autonomy for individuals also comes with a lot of responsibilities, which requires massive educational commitment. Furthermore, a hundred percent secure system can’t be achieved, leaving room for constant attacks by criminals.
How realistic is the scenario today?
While already being tested by pioneers like the citizens of Zug, the Sovrin Foundation and many Startups, the technology isn’t ready for prime time. Too many factors need further work to represent a holistic framework. However, standardization via the World wide web consortium (W3C) and active participation of government agencies like the European Commission within the European self-sovereign framework (eSSIF) illustrate the increasing momentum of SSI.
SSI in a nutshell:
“In simple terms, verifiable credentials (VCs) are data about us that have been digitally ‘watermarked,’ so that (a) anyone can verify the data, and (b) the data can never be forged or tampered with. This means that people can now present any type of digital information, and it can be instantly checked as genuine.” Evernym
Hence, I can present a verified proof of my university degree (the VC) to a potential employer. He can see, which university signed the document and decide if he trusts the issuer. The employer can’t easily copy this credential since he is missing information to represent the presentation of the VC as his own, effectively preventing people from simply copying VCs.
Self-sovereign identity is currently the only identity option, which simultaneously makes business sense, is user-centric and respects privacy rights and human dignity as a whole by implementing security and privacy by design principles.
My personal take? I hope we will see a flourishing market for self-custody identity wallet providers with finance and community integrations to the WEB3 blockchain world as well as multiple government services via plattforms like eSSIF. BTW: Both of which are currently using Ethereum. Dapps are live on the ethereum mainnet and government initiatives use permissioned ethereum enterprise implementations as well as hyperledger as stated on the eSSIF stakeholder meeting. Obviously it’s not done yet. So we are all early birds!
Join the SSI community and together we build a better future!
If you are new to SSI you can start with my 9 min video about it :)
