Staying True to SSI Principles: Our Concerns about GADI

Last Thursday evening, during an internal summit meeting, a group of Evernym employees gathered to discuss why they work here—to articulate precisely what makes us so passionate about building a global self-sovereign identity (SSI) ecosystem.

It was a highly memorable meeting because the more we talked about our “why,” the more the passion surfaced. Empowering individuals and organizations to connect, share credentials, and build trust using completely decentralized and privacy-respecting infrastructure—where literally everyone can be the center of their own web of trust—is incredibly motivating. And incredibly impactful for the future of the Internet.

It also highlighted some of our deepest-seated convictions as a company—for example that:

  • We must build in not only decentralized infrastructure but decentralized governance from the start
  • We must architect core Privacy-by-Design features, such as selective disclosure and zero-knowledge proof credentials, as the default
  • It must be based on open standards so that an individual’s self-sovereign identity data is never locked in—it must always be portable across digital wallets, devices, operating systems, etc.

For us, this is the very meaning of the term “self-sovereign identity.” It’s also why we’ve been such a strong contributor to open standards and open source code for SSI, as well as to the Sovrin Foundation and the Sovrin Governance Framework, where several of these requirements are enshrined in the Core Principles.

When we finished our Thursday night meeting, we had no idea that less than 12 hours later, we’d see a clear challenge to these principles with the announcement of GADI, the Global Association for Digital Identity from the DID Alliance.

While appearing to march under the banner of self-sovereign or “decentralized identity,” several aspects of the press release and the DID Alliance website are strikingly opposed to the very essence of what decentralized identity is all about. We want to call out these concerns, not as a criticism of GADI or the DID Alliance, but as a way to encourage dialog on how the industry can move forward with a framework for identity that’s truly decentralized and accessible for all.

1. Decentralized identity cannot be delivered with a centralized authority

Our first concern is that the very role of GADI steps beyond governance (which we need for decentralized identity) and into that of a central authority or registry (which cannot co-exist with a truly decentralized identity system).

We can start with this quote from the GADI press release:

“Think of GADI as the ICANN of personal identity,” says GADI visionary and DID Alliance co-founder Ramesh Kesanupalli.

ICANN is regarded by most in the SSI world as the diametric opposite of decentralization. It is a highly centralized organization that controls a highly useful, but also highly centralized addressing system for the Internet.

Next is this quote, also from Mr. Kesanupalli:

“ICANN enables a global internet where every address is unique and authentic. Similarly, GADI will assure verifiable, authorized identity for every individual on the globe, whether online or in physical world applications.”

Can you spot the problem? GADI, which is supposed to be about decentralized identity, will ensure that an identity is authorized for every individual on the globe.

Just as ICANN is in charge of distributing domain names, so too would GADI be in charge of distributing identities on a global scale. It would essentially mean that someone has to give permission: “You can have this identity” or “No, you cannot have this identity.”

That is not decentralized, self-sovereign identity. In fact it is directly contradictory to the first principle of self-sovereign identity. To quote from the Core Principles of the Sovrin Governance Framework (emphasis added):

2.1 Self-Sovereignty

Individuals are endowed with and possess an inalienable right to be Identity Owners with the ability to permanently control one or more Self-Sovereign Identities without reliance on any external administrative authority.

It is clear from the DID Alliance website that Mr. Kesanupalli did not misspeak. GADI is, in fact, a business alliance operated by a set of authorized “Digital Address Providers.” Following is a snapshot of text from the “What We Do” page of the DID Alliance website:

"In this model, data is not collected or duplicated, but rather associated with a digital address that is issued by an authorized entity and managed by Digital Address Providers (DAP)."

This paragraph is the very definition of a federated identity system. It appears to miss the point of a Decentralized Identifier (and a Verifiable Credential). To quote from the first two sentences of the W3C Decentralized Identifier 1.0 specification (emphasis added):

Decentralized identifiers (DIDs) are a new type of identifier for verifiable, decentralized digital identity. These new identifiers are designed to enable the controller of a DID to prove control over it and to be implemented independently of any centralized registry, identity provider, or certificate authority.

2. The individual is not in control of their data

Our next concern has to do with the notion of control. We believe the individual (the “identity holder”) should be sovereign over their identity data: the data lives with them, and they (and they alone) control how and with whom it is shared.

Looking at the same “What We Do” page, we see a different story:

"A standardized API will allow issuers anywhere in the world to create a unique digital address for users, if they do not have one, or publish the data connectivity to a digital address that has already been created."

In other words, individuals are relegated to a passive role. Instead of sitting at the center of their own data (the vision of SSI), the GADI model lets an organization create a digital address for a person, and attach identity data to it, without that person’s participation or consent.

We also run into the issue of data ‘ownership’ and regulatory compliance. With true SSI, data is held by its owner in a secure digital wallet. In the GADI model, data is federated across service providers rather than decentralized with individuals. Data that was previously held in several disparate silos is replaced with one big silo. The core privacy and security problems of a centralized database remain, and they become more significant: breaching a single server, or the set of federated servers, is enough to expose all of our personal information.

3. Privacy is at risk

But most disturbing is this concluding text from the “What We Do” page:

"GADI will ensure that users cannot create multiple digital addresses."

In other words, individuals are permitted only one “identity” under the GADI model.

Contrast this with the following quote from the Introduction to the W3C Decentralized Identifiers 1.0 specification, which encourages multiple digital addresses (DIDs):

Following the dictums of Privacy by Design, any entity may have as many DIDs as necessary (and corresponding DID documents and service endpoints), to respect the entity’s desired separation of identities, personas, and contexts (in the everyday sense of these words).

There’s a clear difference on policy, but why does it matter if we have one identity or multiple identities?

The answer comes down, once again, to privacy and security.

While having one digital address might be very convenient, it makes the game all-or-nothing. If you use the same address for all of your interactions, every party you deal with records the same identifier, and anyone who can pool those records (a data broker, an aggregator, or an attacker who breaches several of them) can join them on that identifier and back into your legal identity. No cryptanalysis is needed; a simple join does the work. The address will be usable, but privacy is put at risk.

With multiple addresses or DIDs, you can put your eggs in different baskets. Instead of leaving behind one long trail of breadcrumbs, you’ll have hundreds of trails, each containing a fraction of the data used for pattern recognition and correlation.
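The correlation attack described above, as an added example that is not part of the original post or of any GADI or Evernym code. It constructs three relying parties, each keeping a record keyed by whatever identifier the holder presented, and then runs the join an aggregator would run over the pooled records. The `did:example:` identifiers, the relying-party names and their stored attributes are all made up for the illustration, and random bytes stand in for the per-relationship key pair a real DID method would derive the identifier from.

```python
"""Correlation risk of one reusable identifier versus pairwise-unique DIDs.

Constructed example: three relying parties each store what they learned
about a holder, keyed by the identifier the holder presented. An aggregator
(a data broker, or someone who breached all three) then joins the records.
"""
import secrets
from collections import defaultdict

# Constructed sample data: what each relying party stores about the holder.
# Only the pharmacy knows the legal name; the others know "breadcrumbs".
RELYING_PARTIES = {
    "pharmacy": {"legal_name": "A. Holder", "prescription": "insulin"},
    "gym":      {"visits_per_week": 4, "membership": "premium"},
    "newssite": {"reads": ["politics", "health"], "paywall": True},
}


def global_address(holder_seed: bytes) -> str:
    """One 'digital address' reused everywhere (single-identifier model).
    Hypothetical did:example method: derived once from the holder's seed."""
    return "did:example:" + holder_seed.hex()


def pairwise_did() -> str:
    """A fresh identifier for one relationship. A real DID method would
    derive this from a newly generated key pair; random bytes stand in."""
    return "did:example:" + secrets.token_bytes(16).hex()


def present_single_address(holder_seed: bytes) -> list[dict]:
    """Records left behind when the same address is shown to every party."""
    addr = global_address(holder_seed)
    return [{"rp": rp, "id": addr, **data} for rp, data in RELYING_PARTIES.items()]


def present_pairwise_dids() -> list[dict]:
    """Records left behind when each party sees its own pairwise DID."""
    return [{"rp": rp, "id": pairwise_did(), **data}
            for rp, data in RELYING_PARTIES.items()]


def correlate(records: list[dict]) -> dict[str, dict]:
    """The aggregator's move: join pooled records on the identifier.
    Returns identifier -> {"rps": set of parties, "attrs": merged attributes}."""
    profiles = defaultdict(lambda: {"rps": set(), "attrs": {}})
    for rec in records:
        profile = profiles[rec["id"]]
        profile["rps"].add(rec["rp"])
        profile["attrs"].update(
            {k: v for k, v in rec.items() if k not in ("rp", "id")})
    return dict(profiles)


def linked_to_legal_name(records: list[dict]) -> set[str]:
    """Which relying parties' data ends up attached to the holder's legal name."""
    linked: set[str] = set()
    for profile in correlate(records).values():
        if "legal_name" in profile["attrs"]:
            linked |= profile["rps"]
    return linked


if __name__ == "__main__":
    seed = secrets.token_bytes(16)          # constructed holder seed
    single = present_single_address(seed)
    pairwise = present_pairwise_dids()
    print("single address  -> profiles:", len(correlate(single)),
          "| linked to legal name:", sorted(linked_to_legal_name(single)))
    print("pairwise DIDs   -> profiles:", len(correlate(pairwise)),
          "| linked to legal name:", sorted(linked_to_legal_name(pairwise)))
```

With one global address the join collapses all three records into a single profile, so the prescription, gym habits and reading history all hang off the legal name the pharmacy holds. With pairwise DIDs the same join yields three unlinkable one-record profiles, and only the pharmacy's own data is ever attached to the legal name. The join needs no special computing power; it is the identifier reuse that does the damage.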

In other words, regardless of how it is positioned, what GADI is proposing is actually antithetical to “user privacy.”

Evernym believes strongly in accountability. But accountability does not need to be the enemy of privacy. Rather, it means the hard problem of accountability needs to be solved in SSI architecture by the privacy-respecting, peer-to-peer exchange of verifiable credentials—and without the need for any of the centralized identity service providers that GADI is proposing.


In Conclusion

In order to reach its true potential as a vehicle for Internet-scale security, privacy and trust, decentralized identity needs to be… decentralized. And self-sovereign identity needs to be… self-sovereign. Together they define a set of principles and an architecture that, like the Internet itself, must be designed, standardized, implemented, and protected for the good of all of us.

This is what Evernym is all about, and we intend to stay true to that mission no matter what.

With that said, we agree with the ultimate goal of organizations like the DID Alliance to solve the hard problems of digital trust infrastructure, and we believe this type of cross-sector collaboration will propel SSI forward. So we encourage dialog on what decentralized identity really means and how we can best establish the technical infrastructure, open standards, and governance needed to provide it in a way that works for everyone, everywhere.