A few years ago, Christopher Allen wrote one of the few early foundational articles on Self sovereign identity. In his article, he laid down 10 principles that any SSI(Self-sovereign identity) based identity system must follow. Years later, when SSI is indeed a reality, we go back to these guiding principles, wherefrom the journey started:
Users must have an independent existence.
Be it you, me or even an IoT device, all of us can use Self-sovereign identity, irrespective of geographical location, race, government etc. The only condition is to exist in the real world and possess an identity. For us, this identity can be anything that describes us, our name, age, etc. For a non-living entity, it could be the device ID. SSI simply facilitates management of the identity which already exists in the real world.
Users must control their identities.
Individuals must have ultimate authority over their identities. The user can share, update or even hide information at their convenience. That being said, organizations or governments can definitely make claims about the user, but they do not form the complete and the only identity the person has.
Say, for example, the government issues a voter card to your wallet. Neither the government, not anyone else can change any data on your voter card. And as with a physical card, you can choose how to use it. Once the credential is in the user's wallet, it belongs solely to the user.
Simply put, you are the owner of your data, and you choose when, where and how you share your data.
Users must have access to their own data.
Access takes two meanings here, one for you and the other for any person wanting to use your data. You have access to all data about you.
Hypothetically speaking, even if you were to sell your data, no one could restrict your access to your data (not even the government), irrespective of the consequences.
Now say, for example, a food delivery company wants your geographical location and age to show relevant eateries and bars in your area. The only way for the company to access your data is to get explicit permission from you.
Systems and algorithms must be transparent.
Self-sovereign identity is a fairly transparent system based on open protocol standards and available for everyone to review. This doesn't mean that your data is available for everyone to see. On the contrary, it ensures that your data is guarded and the system follows the best practices. This ensures that any updates or changes to the system are updated and publicly available in a comprehensible manner.
Identities must be long-lived.
Although you cannot change claims made by different entities about you, you can choose which claims are helpful for you and form your identity. Point being, claims and identity are disjoint from each other. While identity remains for a long time, claims might change over time.
This does sound a bit confusing. What do I mean by forming your own identity? Let's look at an example.
Say you want to apply for a job. Possibly, your company does not require all your personal identity documents (or attributes such as gender, place of birth, father's name and so on), but more of your professional documents (certificates, degrees). This forms a part of your overall identity, a mix of both personal and professional identity. You can choose to not share any irrelevant data from your general identity.
Years later, you earn another degree. This would change your educational qualifications (or claims about your highest level of education), but your general identity remains.
Information and services about identity must be transportable.
User identity cannot be restricted to a single platform or an identity provider. Even if you were to move from Delhi to London, your identity remains with you. Your claims remain intact. Irrespective of geographical location or government, you hold and control your identity.
Identities should be as widely usable as possible.
SSI is not just limited to issuing and sharing ID cards. SSI can support multiple use cases and allow organizations to use and build on the system as per their needs.
Some scenarios might be:
If you need to apply for an insurance claim, a credential shared by the hospital to your digital wallet would very well be acceptable. Not only would it be easier for the insurance company to verify your claim, but it would also be much more convenient for you and the hospital.
Similarly, a degree issued by your college to your wallet can be shared with a company during a job application.
SSI ensures efficient communication both inside and outside the organization.
Users must agree to the use of their identity.
The process of expressing consent must be deliberate and well-understood by the user.
Organizations require your explicit consent to use your data, which can further only be used as requested. If this data were to be used for any other purpose, they would require your consent again.
Let's look at the previously discussed food delivery example. If this company were to use your data for any other purpose, say, to share your age with the restaurants, they would require your permission again. Moreover, they cannot have any hidden clauses; the process must be transparent.
Disclosure of claims must be minimized.
Minimal amount of personal data must be disclosed to accomplish the task at hand. If only your name is required, there is no need for you to share your age. Credentials are no longer rigid; you can choose what to include and what not to include before sharing it with anyone
The rights of users must be protected.
No matter what the situation, a Self-sovereign identity is committed to putting your privacy before anything else. It is designed so as to prevent any tampering or monitoring.