Contract For The Web: SSI’s Role in “Fixing the Internet”

Today, World Wide Web inventor Tim Berners-Lee published the “Contract For The Web” – a set of guiding principles for governments, companies, and citizens designed to ‘fix the Internet.’

It states: 

“The Contract for the Web was created by representatives from over 80 organizations, representing governments, companies and civil society, and sets out commitments to guide digital policy agendas. To achieve the Contract’s goals, governments, companies, civil society and individuals must commit to sustained policy development, advocacy, and implementation of the Contract text.”

The contract combines three broad components – business, legal, and technical. It is essentially a high-level governance framework that underlines good behaviors and recommends a number of principles that describe how those behaviors should be implemented.

It sets policy goals for governments (e.g., access to broadband should be available for 90% of citizens by 2030) and recommends frameworks to achieve these goals (e.g., shared infrastructure and open access rules). It also includes specific support for groups that are “systematically excluded” from effective Internet access, and calls for keeping all of the Internet available all the time. The contract also states that “illegal content” should be removed in ways that are consistent with human rights law, which is likely to be problematic due to different countries’ interpretations of such laws.

While the whole proposal is worth a read, there are a few sections that provide a not-so-subtle nod to self-sovereign identity (SSI) and the core principles that we and others in the SSI movement have aligned around:

On data portability and privacy

Of key interest to the SSI movement is Principle 3, which is a call to “respect and protect people’s fundamental online privacy and data rights” so that everyone can “use the internet freely, safely, and without fear.”

This section primarily focuses on the effective implementation of data protection regulations. Much of the content is familiar to anyone who has read the European GDPR, such as the rights of access, rectification, and erasure. 

Significantly, the right to data portability is repeated throughout the Contract For The Web, which brings self-sovereign identity’s notion of an open digital credentials standard to the fore. Enabling an open, standardized way for organizations and governments to give people their data allows individuals to use their data more effectively, securely, and privately, while maintaining greater control over what they share and who they share it with.

The implementation of the principles described will require technology that permits consented data provision, minimal disclosure of only the data required to execute transactions, and the ability to keep a record of data shared so consent can be retracted or deletion requested. This capability is built into the open standard technology that Evernym and others are building to provide self-sovereign identity for everyone.

On data security

Principle 3 regarding government respect for people’s privacy requires that “government demand for access to private communications … do not require service providers or data processors to weaken or undermine the security of their products and services.” Clear and simple laws are needed, and the implication is that such laws would provide government access but under rigorous controls.

In the SSI world, direct and secure peer-to-peer communications are the default, as enabled by the new Decentralized Identifier (DID) standard. Such peer-to-peer communications have no back-door, and there are no intermediaries between the two peers that can be “plugged into.” This means that it is not possible to vacuum up all digital interactions in an entire country. Therefore, implementation of “back-doors” is not really possible. No nation-scale monitoring of all communications will be feasible. 

This is great for privacy, but introduces concerns about how to catch bad actors. Based on the principles in the Contract, governments will have to rely on legal means implemented at the peer level (e.g., if they want to see what I am talking to my bank about, they will have to get legal access to my communications from either me or my bank, just like they have to with a search warrant in the physical world). The legal protections implied by this approach are consistent with the principles of the Contract.

On user control

Principle 5, which addresses the role of companies, includes the need to give consumers control over their privacy and data rights. This includes both data portability and providing “control panels where users can manage their data and privacy options in a quick and easily accessible place.” We’ve already seen some of the implications of the GDPR in the incessant cookie pop-ups that accompany websites, with options that allow you to select processing and handling of your data.

With self-sovereign identity, you will have a record of every exchange with each of your connections/relationships that is available all the time via your own digital wallet. This capability could be extended so the many “consent dashboards” envisaged in the Contract are instead consolidated and reside with you in your digital wallet, under your control, rather than being differently implemented at every website you visit.

It should be perfectly possible for you to say to an organization “On 25th November 2019, I shared my name and address with you. Here’s cryptographic proof I did that. I’d like you to delete that now please.” Should the organization not then delete that information, you have proof that a) you sent the information in the first place and b) you requested its deletion. This puts significant power into the hands of people to register and record their preferences, independently of the organizations they are dealing with. This is particularly powerful as it means that companies cannot get away with denying that they received your information or your instructions.

The Contract is fairly light on enabling people to confirm that they are dealing with legitimate companies and not fake organizations. SSI enables companies to have verifiable identities, just like people can. Being able to trace back data, statements, accounts, certifications, and so on, to valid organizations will go a long way in encouraging the behaviors that the Contract seeks to promote. Being able to confirm that a news article was written by a legitimate and qualified journalist working at a legitimate news organization could go a long way towards establishing accountability for fake news, for example.

On interoperability

By contrast, the Contract is very clear on the promotion of interoperable open-source technologies. Section 3 of Principle 6 (again directly addressing the role of companies) confirms the strong advocacy of such open values, which are also enshrined in the way that SSI has been designed. The two main protocols of SSI—Decentralized Identifiers and Verifiable Credentials—are fully royalty-free, interoperable open standards being developed at the World Wide Web Consortium (W3C) to the benefit of everyone. Similarly, the code that underpins much of the sophisticated cryptography and data exchange mechanisms that make SSI work has been open-sourced, with Evernym as a leading contributor.

On participation

Addressing the role of citizens, Principles 7, 8 and 9 of the Contract encourage everyone to participate as “active citizens of the Web.” The call to oppose the “weaponization” of the web by nation-states or other entities is a strong but effective warning of what will happen if we sit back and allow the current direction to continue.

People have lacked the tools to enable them to be effective in this regard. This is particularly the case with digital identity, where our digital representations are not owned or managed by us, but by organizations and governments that may not have our best interests at heart. Our digital selves can be turned off or deleted without our consent at any time.

The basic principle of self-sovereign identity is to reverse this, and give us all the ability to manage and control our digital identities. Only when we are able to do so will we be able to take advantage of the full benefits of the Contract For The Web.