Privacy gets too little emphasis from some participants in the decentralized identity movement. They claim to value confidential interactions, yet advocate that individuals create public decentralized identifiers (DIDs) on the blockchain (ignoring legal warnings about DIDs being PII). They are okay with “phone home” verifications of credentials, revocation, and capabilities. They think that selective disclosure is a minor feature, correlation is inevitable, zero-knowledge proofs are for corner cases, and accountability requires strong identification. They imagine that privacy can be added eventually, once adoption is strong. This, they say, is pragmatic.
Is it pragmatic for a surgeon to wash her hands after the operation because she was in a hurry before?
Sometimes delay invites disaster. Hygiene — in medicine and security and privacy — is an example. You don’t add it after the fact when you get around to it.
So I nodded my head when I recently read some security- and privacy-oriented criticism of the DID + verifiable credential ecosystem. The critics are not wrong to be concerned. However, they may not realize how deeply Evernym has pondered these issues, and how far along we are in addressing them. See our detailed response here.
The Electronic Frontier Foundation is known worldwide as a torchbearer on issues of personal privacy and freedom. They have articulated five ideals that they’d like to see pervading all tech:
- Free Expression
- Access to Knowledge
Evernym believes in these ideals. We always have. And we want to be on the record about it.
That’s why we recently made a public pledge to these ideals and proudly support the Electronic Frontier Alliance.
But we’ve done more than just sign a pledge. Evernym has put its money where its mouth is. We’ve been investing in serious security- and privacy-respecting hygiene for years. Some concrete examples include:
- Contributing to the privacy language in the VC spec.
- Donating the world’s first ZKP-oriented verifiable credential implementation to open source.
- Figuring out how to do revocation without phoning home to an issuer.
- Writing the first and only verifiable credentials threat model.
- Contributing the design and much of the early implementation to the BBS+ signature approach that represents the next evolution of that ZKP tech.
- Publishing two techniques for achieving one-person-one-vote semantics without sacrificing privacy.
- Publicly exploring how to combine biometrics with privacy in a way that preserves the benefits of both.
- Describing how escrow and verifiable encryption can be used to provide provisional anonymity.
- Exploring how to resolve the seemingly impossible tension between government-enforced accountability and personal privacy (see our post on “opt-in accountability”).
- Socializing the concept of active discovery, so people can be discovered on their own terms instead of being indexed by crawlers.
- Discovering a way to issue credentials in the cloud, without the cloud knowing the data it’s signing.
We invite you to ponder what matters to your organization — today’s pressing needs but also the long-term health of relationships with customers, employees, and stakeholders. Then compare your answers to those of SSI providers you encounter. If you probe beneath the surface, you might be surprised at the surgeons who propose to wash their hands later…
For smart organizations, security and privacy can be a competitive advantage. Yes, at Evernym we are pragmatic. We ship, document, support, and scale products that enable production use cases in multiple verticals, all around the world. We offer products and services to help our customers roll out solutions quickly and with minimum expense. But we’re also a safe pair of hands who won’t soften our stance on core principles. Isn’t that the kind of surgeon you want on your team?
We invite you to join us in our pledge to build SSI solutions rooted in security and privacy.