We Already Know Who You Are: The Need for Self-Sovereign Identity

// June 18, 2024

Name. Date of Birth. Address. Telephone Number. Email Address. Comment down below so we can see them. What’s wrong? Don’t want to write these on a public forum? Would you not tell them to a stranger on the street?  Yet this is the info any given app or online service you use daily holds about you. And that’s just the start of it.

What about where you are at any given time? Who would you give that to? A select few maybe - and not even your loved ones all the time. Many of the apps you use on your phone know this about you, as well as your phone itself. Your medical records? They’re there, on a server - maybe even currently being put out to tender to a data broker, depending on where you live. Social Security? National Insurance? Tax records? You may be more than happy for the government to have them on file. But how do they keep them, who has oversight, and what is it being used for?

The Creeping Commodification of You

We have accepted this Faustian bargain over the last few decades because the majority recognise how the online services we use make life easier. What we never accepted was our own commodification. At first, we gave our data willingly, naive about the grand social tech utopia we were creating through our sidekick devices.

Now, we see it wrenched from us at every turn, a demanded toll, one that legislation like GDPR doesn’t restrict, but rather makes more bureaucratically enabled and sweepingly enforced. Do you really know what you’re accepting on all of these websites? Yes, yes to all. Yes, we’d like a cookie. We’re just scared of what poison might be in it.

Our online identity is thus torn across a thousand services, a thousand points of attack. By this point, if someone really wanted to find out, through a digital fingerprint, your name, date of birth, address, telephone number and email address, they could. The data is there, traded among a thousand merchants, protected by ineffective safeguards. They could either buy it or steal it, with servers now breached regularly. If they wanted to dig deeper, find out where you are right now, most of the things you’ve ever done online, the services you used, when you used them, your messages - they could with a bit of know-how and enough resources. Someone like the government, or a determined individual.

Authoritarian Paradise

The point is clear. Your identity online is by now basically compromised. The more that your online identity fuses with your daily life and activity, the more your privacy has effectively been lost. Add AI and its data indexing abilities into the mix, and you have a real problem on your hands. Microsoft AI already effectively wants to record your machine and all its activity. Not just your search terms, but what you typed to get to those search terms. Your personal diary maybe. Perhaps in the future a police car could read your licence plate and ask its Cop-GPT partner what it knows about you - have it fish with the digital fingerprints it has. Oh, you said you’re angry in an email, you’ve had a couple of recent speeding tickets, and three years ago you asked a search box about alcohol addiction? Get ready to be pulled over, guns blazing.

They can find out anything they want, while the reverse is strangely not true. Sometimes, you can’t even prove it's you to them. How can they know you’re not a scammer? After all, your identity isn’t very safeguarded, right - anyone could be using it.

Why Self-Sovereign Identity Matters

This is where self-sovereign identity comes in. Self-sovereign identity uses cryptographic tools to let you confirm who you are and your right (or lack of it) to access a given online service without having to sacrifice your personal identity, your privacy or your data in the exchange. It is like the rudimentary way Cicada 3301 couldn’t be imitated because no one could produce the same cryptographic hash they provided with their messages. Through this, you could be notified every time part of the data packets that pertain to you are exchanged by third parties, with a record of that transaction and where the data is, and you could even take a cut of the proceeds, or at least have an awareness of it happening.

Blockchain is arcane to most, but its transparency makes it perfect for this type of accounting. Once appropriate interfaces are developed, it’ll be easy to see a shorthand overview of all the data commodification that’s happening to you, and the tokens or value you are due as a result of their use. At no cost except gas for using the given network, and considerable profit if you allow your data to be used freely. 

Getting paid for your data is only the least important tip of this iceberg. Most importantly, you have control, and the ability to revoke access easily to any given harvester. You can prevent an AI or third party copying it to their servers by anonymizing your identity at source - or should we say Source. Without revealing who you are, you can prove that you are eligible for any given service, with your identity and privacy remaining safe. You can prove you’ve paid tax when applying for a mortgage without having to show your tax returns. You could prove you were over 18 without giving away your age. You could prove you’re a legal resident of a country without having to give your address. You could prove you went to Yale. And so on and so forth. One cryptographic proof could, in theory and with enough support infrastructure, contain all this information. You take back self-custody of your identity, like you took back self-custody of your money with Bitcoin all those years ago.

How Self-Sovereign Identity Works

Key mechanisms to achieve self-sovereign identity include DIDs (decentralized identifiers), such as those used by Source Network’s Secrets Management Engine to ensure appropriate secrets management. Organizations can use self-sovereign identifiers to grant freelancers, contractors and new hires access to the specific parts of the data they need to get their job done, without expensive or difficult oversight. These verifiable credentials can be managed on-chain using zk-proofs, which can be suitable for rote identification but are computationally costly at scale, and impractical for ever-changing databases. In future, DefraDB will let developers use zk-analytics on all their off-chain data and query the database to their heart’s content on large datasets, before then producing cryptographic proof on the source and sanctity of the data with minimal protocol interaction.

Fully homomorphic encryption lets computations be performed on encrypted data without decrypting it, but for on-chain data it’s slow. A privacy wallet seeking to store KYC data along with private keys locally, for example, could not even put KYC information effectively on-chain at reasonable cost and speed, especially because the data can change over time. Yet by building databases from scratch using cryptographic primitives, DefraDB allows for the secure processing and sharing of identity-related data off-chain.  Alongside infrastructure for withdrawable consent and control interfaces that are currently being built, you have the structures necessary to heal much of the damage done to our online Edens.

They Don’t Need to Know Who You Are

Self-sovereign identity is key for giving data back to the people, and not just so we can profit from it. As we take flight in our evolution into techno-sapien, and meld ever closer with the digital demesnes and virtual vineyards of online life, we need a way to better protect our identity, our privacy, and ultimately our freedom. We are only a short hop, skip and jump away from total authoritarian oversight of our lives - and it may be to a corporation, not a government. Egalitarian control of data and identity means an egalitarian society, where everyone has a right to access digital realms without it costing everything they have, and everything they are.
