Heather Dahl is the CEO of Sovrin, one of the leading self-sovereign identity solutions. In this podcast we discuss how identity has evolved from the offline world, to the limitations of it being online in the internet and finally to the opportunities it brings in a blockchain world.
What is blockchain?
Heather Dahl looks at blockchain as one of the technologies tools that we have today. From her perspective we should ask ourselves – are you seeking a solution that provides a decentralised network, meaning that you’re running a large number of diverse validators or nodes around the world that are run by different organisations that are censorship resistant, that helped build redundancy? Is that something you want that provides governance where no one organisation or company or government runs that network? If that’s something you want, blockchain technology brings that decentralised, diverse set of nodes to run a blockchain solution.
From an identity standpoint is do you need interoperability with your identity? If you only need an identity for your sole company’s purposes then you don’t need a blockchain. However, if you’re building an identity, that needs to be interoperable with other systems then you need a blockchain based identity system like Sovrin. This allows issuers to write schemas and credential definitions and revocation on publicly available decentralised global network that everyone can access.
Heather likes to think of blockchain as an immutable ledger where her customers, users or clients are in control of their data and information.
What is Sovrin?
Heather Dahl is the CEO and Executive Director of the Sovrin Foundation. ‘Sovrin’ most commonly refers to the Sovrin Network, a public service utility enabling self-sovereign identity on the Internet. The Sovrin Network is decentralized, meaning individuals can collect, hold, and choose which identity credentials —such as a driver’s license or employment credential—without relying on individual siloed databases that manage the access to those credentials.
Sovrin is an open source project that offers the tools and libraries to create private and secure data management solutions that then run on Sovrin’s identity network.
Sovrin is now a global network for decentralised identity in six continents. In the past year they have launched the Sovrin Alliance to provide education and training programme for their community and those interested in decentralised identity. In partnership with Hard Yaka, Sovrin has launched a self sovereign identity incubator out of San Francisco. Sovrin also recently won the award for “Greatest Social Impact” by One World Identity.
The internet has failed in providing an identify solution
The web is abound with news regarding breaches of privacy, personal data being sold, cybercrimes and much more. The common factor around all these issues is identity. Heather believes that we don’t have a data management problem, we have an identity problem as all pieces of data are connected to some form of identity. These issues stem from when the internet was created as a network of machines. The identity protocols weren’t designed for people they were designed to identify machines. Heather gives the example of how email addresses are structured, where you’re at a workplace (firstname.lastname@example.org) or at a university or at a technology provider (eg. email@example.com) which provides you with a free email so that they can take your information.
Identify was thus created in a very fractured manner that isn’t fully interoperable. As the internet grew websites and services who provided us with identities didn’t do in a manner with the users’ best interest but in a manner where they could profit, exploit and share. It is this internet lack of identity infrastructure that’s resulted in a fractured experience that’s insecure, fails to protect its users privacy and prone to criminals hacking into it.
This lack of identity structure leads to people being deprived of their rights that they enjoy in the physical world. It has failed because identity doesn’t scale in a cost effective way. It has failed, because the identity solutions out there created privacy problems with serious correlation issues. And lastly, a lot of these identities don’t provide consent, we’re just given the identity and we have just have to accept it, because we need an identity to operate in the digital world. Or once we get it, we don’t have the ability to consent to further agreements as we use that identity along the way.
Offline identify vs internet identity
Heather explains the differences between offline identity vs internet identity in confirming ones right to access a service. She gives the example of when an individual goes to a bar to buy an alcoholic beverage. The bar will not contact the State of Maryland to confirm the individual whether or not they are over 21. Nor will they call the State of Maryland every time the individual goes to buy a beer at the bar. It’s because there’s trust that when the individual pulls out their driver’s license the bar doesn’t have to confirm whether or not the state did issue that driver’s license to the individual.
With the internet you have what’s called the “phone home problem”. When we try to share identities on the internet they don’t trust it and thus there is an online verification with the providers of that identity to confirm its authenticity. That phone home problem leaves a trail. Whilst in the offline world the state of Maryland has no clue how often one goes into a bar to order drinks, there’s a sense of privacy that allows the user to prove themselves for a trustworthy interaction without having someone or an organisation following every single step of their day. That’s what self-sovereign identity offers people in their digital lives is a way to replicate that offline identity that we use every day.
Difference between self-sovereign ID and blockchain based identity?
A blockchain based identity is an identity that is written in a private ledger that is decentralised for your organisation and where that identity is only used going to be used within that private ecosystem. Self-sovereign identity is when you want to use that identity outside of that walled garden. It allows organisations who are issuing an identity, it allows them to connect that identity to a public lookup credential. This allows the holder of that identity to be able to present that identity elsewhere without the phone home problem.
This allows other organisations to verify that the credential that has been issued is both accurate and it hasn’t been revoked on a ledger. That means they don’t have to go back to the database that issued the identity as it is on the public ledger which they can look up the schema, the credential definition and whether it’s on a revocation registration and that’s all done in a privacy preserving way.
Self-sovereignty, allows organisations to issue credentials that can be used elsewhere in a privacy preserving way. It allows a holder of that credential to present their identity for services, or other relationships that they want to engage in, in the digital world without having to disclose it to the organisation who issued the identity. It also allows verifiers, those who are accepting the identity, to be able to ensure that the identities valid based on whether they trust organisations, they can verify it all in a privacy preserving way and not to have to connect back to the original issuer. It allows a completely interoperable global system where any organisation person or thing can use that credential to gather services, to engage in digital relationships with organisations, entities or other things, and do that in a privacy preserving way.
Zero knowledge proof and self-sovereign ID
Zero knowledge proof (ZKP) are a cryptographic technique that allows users to share information without relinquishing their security and/or privacy. So, what they do is they use cryptography to provide a proof statement from the holder to the verify without revealing any additional information that’s not required. Heather gives the example that if she wants to buy an adult beverage from a bar, they don’t need to know where she lives. They don’t need to know her height or weight or her eye colour. They don’t even know need to know her exact age. All they need to know is that she is 21 years or older. ZKP is a technology that allows Heather to share that she is 21 years old or older without revealing anything else of her identity.
For ZKPs to be usable the verifier has to believe the statements are true and that the results of the proof is accurate. The verifier has to know that the holder hasn’t altered the information. Because sometimes in the real world, for example, college kids may alter their driver’s licence in order to buy adult beverages. What Sovrin removes is the ability to make that alteration because it is on the blockchain, on the immutable ledger. If allow organisations to accept credentials to verify information knowing that they are absolutely accurate because of the blockchain ledger.
Different types of identities
When we talk about identity we are not talking just about individuals. Identity can be applied to organisations, machines, IoT devices and data sets can have identities. Files, jpegs, stocks, anything can have identities. A chair can have an identity and the components of a chair can have an identity. Everything in the digital world has an identity at some point in it.
Each of those identities, whether it is the leg of that chair or a piece of data can be self-sovereign. And where it becomes important is that a laptop has an identity and within it, it can have an identity of what it contains. And why is that important? A company goes to recycle that laptop, they can scan the identity of it, and they know exactly what it contains and how to recycle the particular pieces.
Self-sovereign ID’s impact on enterprises ability to store and mine data
Enterprises collect and hoard personal data. In a self-sovereign world those organisations ability to hold on to the data will be determined by the user. What does this mean to organisation’s ability to build their business models if their ability to interrogate data sets is potentially hampered?
Heather’s response to that question is do enterprises and organisations really need to store old data that may not be accurate. They need to assess the data that they need and what shelf life it has.
Self-sovereign identity provides enterprises with accurate information at the time of the transaction. Self-sovereign identity and ZKPs allows enterprises to uses blockchain to make sure that the data they collect is accurate at the time of a transaction or when it is need. Any extra information not relevant to that transaction that isn’t necessary doesn’t need to be hoarded as it can create a security issue for that company.
And that’s where something like sovereigns, you are knowledge proofs. Self sovereign identity allows you to use the blockchain to make sure it is accurate at the time that you need it in any extra information. You don’t need to afford it, because that just creates a security issue for you.
How can enterprises engage with self-sovereign identities?
Some of the earliest adopters of Sovrin are from the financial industry. CULedger is a credit union service organisation that focuses on delivering innovative applications to credit unions through its DLT platform.
Their flagship product, MyCUID is a DLT built platform that enables credit unions to detect and prevent call centre fraud, enables self-sovereign identity for members, and will run on the Sovrin Network.
You can download a wallet with your MYCUID. What it does is it allows the user to prove who they are, their address that they have an accountant, a credit union, and the credit union has gone through that KYC. Where this becomes important is within an ecosystem. If that user was to move to another location and open up an account with another credit union, it saves the whole KYC to be done all over again simply by sharing their MYCUID with the new credit union. So for KYC, as long as there’s trust between the financial institutions, it is a very cost effective way of reducing KYC costs.
GDPR & self-sovereign IDs
The challenge is that when GDPR was initially conceived, blockchain and self-sovereign IDs where still pie in the sky kind of ideas without any real traction. However, Heather believes that what Sovrin has created is what the original authors of GDPR had in mind.
Her goal, along with the entire blockchain community is working with the European Union, the European Commission, the parliament, the regulatory bodies, in figuring out how GDPR applies to blockchain technology. Heather doesn’t think that anyone has the exact answer on how GDPR applies to blockchain. But she thinks that many in the blockchain community are highly new motivated to work with those regulators and figuring out how to apply the intention of GDPR, to the blockchain technology that exists today.
Self-sovereign IDs, AIs and Web 3.0
Self-sovereign IDs exist in agents and agents are applications, software managers, and digital wallets. We can set the controls, so that we can decide, every time something happens, then you can share my identity, or every time I go to purchase something on this website you can share my shipping address. There is going to be ways where we will engage our digital lives, and we’ve preset how we want our information to be shared. And we never have to look back because it just happens. And that is the web 3.0 world today. So, if I tell my refrigerator, every time I run out of milk, order it and have it shipped here, it just doesn’t. And I no longer have to be involved in that transaction chain anymore.
Importance of diversity for innovation at Sovrin
At a recent conference, Heather talked about the important of diversity for innovation at Sovrin. When Heather talks about diversity, she talks about including people who don’t have the backgrounds, skill set, experiences, views that you have. Diversity means bringing in ideas that you never expected. And ideas and perspectives you never expected never come in perfect packages the way you want them. Heather advises everyone to take a look at who’s on the outside, who is not in your inner circle, who was not included? What experiences do you lack, take a chance on someone who doesn’t come from the traditional world of technology, and bring those people in because they’re going to bring ideas that are representative of the populations of the people that you want to include to have use of your technology.