What is a strong online identity?
A strong online identity can be defined as a combination of identification and authentication technologies, along with personal identity data store capabilities, which enables a strong and resilient correlation of digital identities to a physical person, entity or organisation, thus enabling trusted interaction and communication between individuals and organisations. Strong online identities with full user identity sovereignty can be considered as providing a subset of the functionality that a fully-fledged Life Management Platform would provide.
While this definition immediately brings social networks and social authentication to mind, such as Google, Facebook and LinkedIn, to name the most popular, the concept of data sovereignty further strengthens the concept of strong online identities and eliminates these popular services as potential contenders. The principle of data sovereignty can be summed up by the foundational belief that individuals and organisations should be the ultimate owners and have total control of their personal information.
As with any definition of sovereignty today, sovereignty and custodianship are often treated separately. For example, a patient might have legally defined sovereignty over their body insofar as their freedom to choose which medical treatments to undergo is concerned, yet once under treatment, the custodianship of their body to a large degree falls under the responsibility of the medical professionals performing the medical treatment.
How does the above example apply to strong online identities? Let’s take the revised EU General Data Protection Regulation (GDPR2) as an example. The GDPR2 provides the legal principle of personal information sovereignty, and then proceeds to define the custodianship responsibilities of all organisations which store and/or process this personal data.
While the social networking giants will assure users that they remain in control (sovereign) of their personal information, and that they will not misuse this personal information (custodianship), users must simply trust that these statements are true. The upcoming GDPR2 provides further legal protection with regard to personal information, but again this comes down to how effective the EU and its member states will be at enforcing this regulation.
So how can a sovereign, strong online identity solution or vendor provide proof of trustworthiness rather than simple assurances of trust? The goal of many blockchain-based identity solutions is to give an individual or organisation better control over the custodianship of their digital identity, by using consensus algorithms to provide mathematical proof of custodianship, as well as to eliminate – as much as possible – centralised, trusted third parties.
Ultimately these projects aim to eliminate the distinction between sovereignty and custodianship. These are ambitious goals, arguably better considered as ideals or design standards than as non-negotiable requirements. This is due to the difficulty of entirely doing away with trust in third parties in favour of fully decentralised systems based on consensus algorithms.
How can the individual become sovereign over her/his identity and why is that of growing importance?
The concerns that have driven the upcoming GDPR2 have been noted for some time now by technologists and customers. These are largely due to the recognition that most personal online identity information is not actually owned by the users themselves. The internet giants today own and control most of this information, and this is a cause for privacy and security concerns. One’s personal identity information is only as safe as its third-party custodian is.
Which forms exist today?
An interesting initiative is ID3 (ID cubed), a non-profit which aims to establish new trust frameworks and digital ecosystems in order to enable the use of sovereign online identities. Evernym is a project which uses its own permissioned blockchain to create an open source sovereign identity platform. Microsoft Azure’s blockchain initiatives are also focusing on using blockchains to provide sovereign identity, along with humanitarian ambitions to help address the problem of under-identification in the developing world.
While these are all great initiatives, there are still a number of challenges which tend to plague all emerging technologies and mostly come down to standardisation and adoption. Also, given how complex and multi-faceted the digital identity dilemma is, so far there is no single solution that can meet all the requirements of a strong digital identity store whilst also remaining fully user-sovereign.
What does the future look like?
It is highly unlikely we will ever see a single identity solution, even if it is completely user-controlled. This is simply down to the complexity of human identity and contexts, as well as the conflict between national legislation and the international nature of the online world. For example, many national governments today have online digital identity services for access to government services, and it is highly unlikely that in the near future we will see these national schemes integrate with, say, blockchain-based solutions which primarily focus on decentralised social login replacements and secure digital communication between individuals.
Yet it remains highly likely that we will see a proliferation of competing standards and approaches to strong online identification and authentication/authorisation. The determining success factor will be usability and adoption by mainstream online services. Usability has been the key success factor of the internet giants, and we have signed away our privacy to many of these organisations simply due to how easy it is to use their services. Unless sovereign alternatives to online identity can provide similar ease of use as well as convince popular services to integrate with them, their use will remain limited to technology-savvy power users, not the public at large.