Unless it really is.
There’s a brilliant series of promotional videos called “Will it blend?” set in a 70s-style game show, where the host takes various items and asks “Will it blend?” before sticking them into a blender. Ipads, snow skis, golf clubs, even super glue and silly putty have been blended into oblivion, with often surprising results that viewers get to see repeated in slow motion (and which I find highly entertaining).
After seeing a raft of identity startups over the last couple of years, I’m now tempted to start a similar series called “Is it self-sovereign?” Haven’t figured out the blender part though…
I’ve lost track of new identity startups, there are simply too many. Blockchain is the driving force behind the surge, of course, and ICOs. Take a piece of identity information, hash it, stick it on a blockchain (which is actually a bad idea, and non-GDPR-compliant) and… voila! Identity is solved, along with a fast new means of funding the venture. Big problem, straightforward solution, white-hot new field of technology, quick fundraising.
I get it. And I actually don’t mind the competition; the more companies in the space, the more attention it brings to the exciting new possibilities of solving the current problems of identity. And I’m flattered to see, on a good number of occasions, that these new startups are adopting the concepts, terminology, code, and in some cases even the exact diagrams that we have pioneered with Sovrin. I just heard about two other projects which also use the phrase “global public utility” for identity, which our very own Drummond Reed originated.
One concept and term we did not pioneer, however, but have fully embraced, and that I feel particularly strongly about, is “self-sovereign identity” (SSI for short). It is one that should be used more carefully than it has been, because I believe SSI can (and will) change just about every online interaction for the better, and even improve offline verifications. Misuse of the label will only confuse folks, weaken its perception, and consequently slow the adoption of this awesome new technology.
Since there is no authority to appeal to for the proper use of the term SSI, it’s logical to stick with the literal meaning of the words. The words “self” and “identity” have baggage enough, but for the purpose of this piece let’s use their most common meanings — “self” is a person and “identity” is how you identify them — which leaves us to defining “sovereign.”
“Sovereign” means the king of the hill, the top of the heap, the final arbiter. A country is sovereign when it doesn’t have to answer to another country. Kings are often called sovereigns because they have full and final authority.
So what does it mean for a person to be the “sovereign” ruler, owner, and final arbiter over their identity?
We’ve come up with a number of tests of true self-sovereignty, which are still accurate, but if I had to choose only one test it would be this:
Does the identity service depend on a single, proprietary provider, or can you fire them and move your credentials and relationships to a different provider?
Digital identity requires the use of technology, so if you don’t have the means or interest to become your own provider of that technology — and most of us do not — you’ll need to engage the services of a provider. If you cannot fire that service provider and move to another one, while keeping all your credentials and relationships, then your digital identity is not self-sovereign, even if it uses some form of blockchain technology.
If you leave Facebook, you lose your friends. Leave Twitter, you lose your followers. Leave XYZ identity service, you lose your credentials or your ability to express them. If those services were truly self-sovereign, your friends, followers, and credentials would be yours, fully portable between service providers.
In, Sovrin we call these service providers “agencies,” and what makes Sovrin truly self-sovereign is that these agencies must support portability. Which means they must compete for your loyalty.
This test alone renders probably 98% of identity services as not being self-sovereign. And if government can step in and limit or take your service away (unlikely in some places, more likely in others), one could argue that it technically isn’t self-sovereign even if you have portability between service providers, which leads to the interesting topic of which aspects of a self-sovereign identity can be truly self-sovereign and which cannot — the subject of a future post.
For now, I invite readers to recognize in the marketplace when vendors are incorrectly using the term self-sovereign to imply benefits that really do not exist.
True self-sovereignty is hard. It is hard not only technically but also from a business standpoint, as the service provider must be willing to become vulnerable to being fired by their customers and left behind if they do not perform. Providing tools to help someone manage a truly self-sovereign identity must be a meritocracy, where loyalty is earned, not forced. Otherwise, it wouldn’t be self-sovereign, would it?
Let the meritocracy begin.