The decentralized identity paradigm disrupts traditional identity and access management ecosystems and requires a more democratic collaboration and competition among several identity and credential issuers. Dr. Michele Nati from IOTA Foundation will elaborate on this challenge in his Combined Session Making SSI accessible: IOTA technology, solutions and projects on Thursday, May 12, at the European Identity and Cloud Conference 2022.
To give you a sneak preview of what to expect, we asked Michele some questions about his presentation.
First of all, just a very quick intro to SSI, SSI is Self-Sovereign Identity. So this means that people are the owner of their own identity, so they can create their identity, which is basically an identifier. And they can control where these identities share. So but identity in itself is not enough, identity is meaning when to our identity, we attach attributes and these attributes come from so-called credential issuance. And so those that can issue this attribute in form of verified information, information that can be verified. Again, is this done in a self-sovereign way means that the user, that the subject can control who gets access to this account with these credentials. Especially in healthcare, this is very important because healthcare is now a collection of information spread everywhere, to my doctor, my GP, my dentist, the emergency room, when I have to go to the hospital, and so on and so forth. All of this is very, very difficult to recombine together. So they need a unique identity that represents me that can be the aggregator of all of this information. All of these pieces of information are basically different attributes, a different credential that belongs to my identity. So with the SSI, we really have now the power to make a much more coherent story. This story is about the health of a person, about different kinds of pieces of information about a person and access to them. Access that is controlled by the individual. And this is not only in my country because if I move and I go to another country, and the identity comes with me, it's self-sovereign. I don't need to register again with another health system in another country. That country, with my self-sovereign identity, can find this information about my GP, my dentist, and so on and so forth. So there are two advantages, much more and better-controlled flow of information that I always oversee as a patient, but as a user of health systems in different ways and forms, and of course saving of cost and better care for me because when it's possible to give you the right service for the right information about my health, all of it would be beneficial for me and also saving for whoever I have to provide this is health service that doesn't need to have the step of every time to go and finding the information to provide you the better service. So all of this will change very much and bring a lot of new, let's say, ways of delivering health care in different countries and across countries.
Well, that's a very good point. So yeah, there are two dimensions. One, it's again, like you said, my information, information about me with the subject health information. And that's very well controlled and defined with self-sovereign identity. But it's true that most of the information comes also from the device that I'm wearing, either for medical prescription or for pleasure. So if I wear a smart garment that can collect additional information about my health, lifestyle, how healthy and how much physical activity I do, this can be also information that will be useful to link as additional, maybe nonqualified credential. But still, credentials come from a trusted source like the provider of the service, of the monitoring device that can be solved by this device with an identity that then this linked in a unique way to me and to my identity and all the information again that's linked as a part of my profile, that would be beneficial. But there are also other devices like I am prescribed by the doctor to wear some insulin pump or so on and so forth for my condition and all of these devices need to be traced in that supply chain. So I need to be sure that I get the right device. I get the device that it's not creating a threat for me because these devices now are all connected, devices that can be also the target of some threat, some attack. So every device that all along the supply chain, has one identity, and this identity is used to collect information about how good is this device, how much this firmware is updated, how much that manufacturer gives me assurance that what I'm wearing, it's certified and a safety device so this doesn't endanger my health but improve and give me more information and give me a safe way to manage my health so all of this will be needed. So that's one of the reasons to stop all this sort of criticism that we see that is told about an IoT device. So an IoT device that is well-identified along the supply chain with a self-sovereign identity that the user at some point when they register to get the device, can control it, can collect all the information that the device carries with it, and then share and then verify. That's also the value in the health ecosystem for self-sovereign identity.
GDPR compliance is very important. The major topic to consider when you talk about self-sovereign identity. On the one side, self-sovereign identity, it's probably the best expression of GDPR and data protection where the user is empowered to control and protect his own data. But GDPR and SSI have also a few other things that have to align because as SSI if you want to go back very quickly to the technology behind SSI, it's only possible thanks to blockchain so the concept emerged in the blockchain. So and the idea of having a blockchain where people or manufacturers for the use of a health care device in this context that they produce, store a unique identity on the ledger. This allowed to basically when presented information that this identity collects in terms of verifiable credential attributes either for me or my device for a third party or line party. This information can be verified immediately. So there is no need to complex integration that requires a centralized setup there where information is stored about the device, about the patient, and so on and so forth, which can also bring at least an attack from a GDPR point of view this information can be accessed. It can be stolen and can create a single point of failure denial of service attack. So when we remove all of this with blockchain, it is possible then to verify this information immediately because the identity is written in the ledger, and by verifying the identity, basically by issuing that credential from the ledger, I can verify the authenticity of this convention, this attribute about me or my device. But we need to be careful that the only information is on the ledger is an identity. So because otherwise, with the GDPR we'll face issues about personal data being on the ledger, being stored on a blockchain, and this will conflict with, let's say, GDPR, let's say, rights like that could be forgotten. Need to guarantee that user that his data can be updated, erased, and so on and so forth. We'll conflict with that. This system can be the sign-in that GDPR compliant way where credentials sit off-chain, sits in that user wallet, a wallet the user control maybe as running on his mobile phone, stored on his mobile phone with his credentials that can automatically be presented when a party requests and verified using the blockchain. So this is the way we have to implement GDPR compliance in SSI systems, putting a lot of emphasis on where the information would actually store beyond the identity identifier and create a secure, and from a user experience point of view as well, easy to use wallet for storing credentials.
Probably coming back quickly to the previous question. We are doing this actually, all of this, thinking and all of these designing GDPR compliant SSI solutions for people, identities and attributes, and their device in the medical sector, is part of our product. We are currently involved as part of the work we do with the IOTA foundation at the European level, which is called Second. And we are actually targeting working with the health institutions, research and medical device companies, and so on and so forth. Part of this large project that started this year, will run for the next three years with a pilot in a different domain for, let's say, safe assistance of people in case of emergency. So ambulance will know information about you immediately by accessing information from your digital wallet without delay, or any further assistance to you. So these are a few of the projects we are discussing and will work on with European partners. But we are not the only one on that, this is specific to the target innovation that the European Commission is funding and supporting. But of course, the European Commission is going further, establishing guidelines and requirements on how this crucial element of SSI and managing of identity, GDPR compliant, need to be developed, which is the European Digital Identity Wallet. So that's at the European level, we are also looking at, we are also trying to create a digital wallet that every user will have, will be issued by the Member States or an appointed issuer of the digital identity wallet by the Member States, and they will have to comply to different requirements. The original requirement in terms of security of the credentials stored on their mobile phone device, so that every person has its own identity and attributes within every time, everywhere it goes can present to [...] services how these can be securely stored. How can these securely be presented to a third party that can be first authenticated before we share information? All of this, it's part of what we follow very closely and for which we are also working with the IOTA foundation and other academic partners and experts in security that are helping us to design a wallet that will be new compliant thoughts in that domain. So are these are the two things that we are doing in different public projects.