All the talk of self-sovereign identity can come off sounding anti-company. The truth is that companies and other organizations stand to gain as much from a self-sovereign identity system as individuals. This post explains how self-sovereign identity systems solve problems for companies, using healthcare as example.
While the Internet seems to have made most everything else in our lives easier, faster, and more convenient, certain industries like healthcare and finance remain stubbornly in the 20th century.
Consider the problem of a person using their medical data. Most of us have multiple healthcare providers ranging from huge conglomerates that run hospitals and clinics to small businesses operated by doctors to retail pharmacies large and small. None of us get healthcare under a single administrative umbrella. Consequently, we leave a trail of medical data spread about the various healthcare provider's incompatible systems.
In this setup, patients can’t easily identify themselves across different administrative domains. Consequently, linking patient data is made more complicated than it otherwise would be. Interoperability of systems is nearly impossible. The result is, at best, increased costs, inefficiency, and inconvenience. At worst, people die.
The seemingly obvious solution is to create a single national patient identifier. But can you hear the howls and screams? This solution has never gained traction because of privacy concerns and fear of corporate and government control and overreach.
What if there were an end-run around a national patient ID? There is.
Self-sovereign identity is based on the premise that the best point for integrating data about a person is the person. At first the idea seems fanciful, but we've arrived at a point where self-sovereign identity is feasible.
You’d have to be living in a cave to have not heard something about Bitcoin in the past few years. But if you’re not a Bitcoin geek, you might not realize that a critical underlying piece of technology that Bitcoin introduced—and popularized—is the blockchain.
A blockchain is a revolutionary way of building a distributed ledger, and distributed ledgers have exciting possibilities for solving sticky identity problems.
Using a distributed ledger, we can create an identity system that:
- is not owned and controlled by anyone—in the same manner that the Internet is a set of protocols and some loose governance1, distributed ledgers allow us to create identity systems that are usable by everyone equally, without any single entity being able to control it.
- provides people-controlled identifiers—this is the essence of the term self-sovereign. The identity is under the control of the person using it.
- is persistent—since the identifier is under the sovereign control of the patient, it is irrevocable and long-lived, potentially for life.
- is multipurpose—the identifier used at one healthcare provider can be used at another, not to mention your financial institution, your school, and anywhere else.
- is privacy enhancing—only the parties to any given transaction can see any of the details of the transaction, including who’s involved. People choose what to reveal and to whom in exchange for the services they need. People can have multiple identifiers that correspond to a different persona.
- is trustable—the distributed ledger and its governance process, both human and algorithmic, provide a means whereby systems using the identity can instantly verify claims against third-parties when self-assertion (of the patient) is insufficient.
Healthcare providers, financial institutions, educational institutions and even governments can be part of this identity system without any of them being in charge of it. Sound impossible? It’s not, that’s how the Internet works today. Not only is it possible, it’s technically feasible right now.
The benefits of using self-sovereign identity go well beyond interoperability and include secure messaging, auditable transaction logs, and natural ways to manage consent.
How Does Self-Sovereign Identity Work?
Think about your online identities. Chances are you don’t control any of them. Someone else controls them and could, without recourse, take them away. While most people can see the problems with that scenario, they can’t imagine another way. They think, “if I want to use an online service, I need an identity from it, right?” We don’t.
There are lots of examples online right now. Have you ever used Google or Facebook to log into some other system (called a “relying party”)? Most of us have. When you log into another system with Facebook, you are using your Facebook identity to establish an account on the other system. Identities and accounts are not the same thing.
Plenty of places already see the value in reducing friction by allowing people to use an online identity from a popular identity provider (e.g. Google or Facebook).
Now imagine that the identity you used to log into a relying party didn’t come from a big company, but instead was something you created yourself on a distributed-ledger-based identity system. And further, imagine that relying parties could trust this identity because of its design. This is the core idea behind self-sovereign identity.
Any online service could use a self-sovereign identity. In fact, because of the strong guarantees around verified claims that a distributed-ledger-based identity system can provide, a self-sovereign identity is significantly more secure and trustworthy than an identity from Facebook, Google, and other social-network-based identity providers, making it usable in healthcare, finance, and other high-security applications.
Companies Need Self-Sovereign Identity
The bottom line is that companies need self-sovereign identity as much as people. Self-sovereign identity based on a distributed-ledger is good for people because it puts them in control of their data and protects their privacy.
But it's also good for companies. This is a classic win-win scenario because the same technology gives companies, governments, and other institutions an identity system they can trust, that enhances their operational capabilities, and is not their responsibility to administer. Organizations can get out of the business of being identity providers, an enticing proposition for numerous reasons. Here's a few examples:
- As companies face more and more security threats, they are coming to see personally identifying information as a liability. A self-sovereign identity system provides a means for companies to get the data they need to complete transactions without having to keep it in large collections.
- Claims that have been verified for one purpose can be reused in other contexts. For example, if my financial institution has verified my address as part of their know your customer process, that verified address could be used by my pharmacy.
The Internet got almost everyone except the telecom companies out of the long-haul networking business: throw your packets on the Internet and pick them up at their destination. Think of the efficiencies this has provided. A distributed-ledger-based identity system can do the same thing for identity.
Let’s create one, shall we?
- The Internet is governed (mostly) by protocol: the rules that describe how machines on the Internet talk to each other. These rules, determined by "rough consensus and running code," are encoded in software. There are other decisions that need to be made by humans. For example: who gets blocks of IP addresses, how they're handed out, and what top-level domains are acceptable in the domain name system. These decisions are handled by a body called ICANN. This system, while far from perfect, manages to make decisions about the interoperation of a decentralized infrastructure that allows anyone can join and participate.