Three models of digital identity implemented by states in recent decades.
By Lucas Jolías, Ana Castro y Jesús Cepeda
We are talking about Centralized Identity when a single organism or administrative authority issues and manages the digital identity of its citizens. It is a top-down model with well-defined hierarchies where a single organization has the authority to grant digital identities. Unfortunately, handing over control of digital identity to a centralized authority suffers from the same problems caused by state authorities in the physical world: users are locked into a single authority that can deny their identity or even confirm a false identity. Centralization inherently gives power to centralized entities, not citizens. Users rely solely on this authority to validate their identity, and the information associated with that ID depends entirely on the central authority. Additionally, the citizen has no control over what type of data is shared and with whom (how do I know when an organization shares my information with another?). This type of model is problematic in federal countries with multiple levels of government, which are equally legitimate (nation, provinces or states, and municipalities). As digital services grow, it is natural for power to accumulate between different hierarchies and for identities to multiply even more. This forces users to manage dozens of identities in dozens of different organizations, without control over any of them. Let's think about citizens who have different identities to operate with local governments, provinces, decentralized organizations, or the national administration. The clearest example of a centralized ID model worldwide is India.
The following model is a digital identity managed by various organizations in a federated manner: a many-to-many identity management scheme. Each entity provides a service that verifies a citizen's identity based on different parameters or input data. This results in the digital information of citizens being distributed across multiple identity providers, rather than centralized in a single provider. These authentication providers are scattered and disconnected, and require a particular request and handling for their use and disposition. There are different systems in both the public and private sectors that perform different authentication processes. Each defines and generates independent authentication procedures. In this model, organizations usually group together and, by establishing agreements, share a unique identifier for each user. This type of identity simplifies the relationship between the citizen and the state, but their identity and associated information ultimately depend on each state authority and the coordination and interoperability of the parties. This makes it difficult to integrate services that are not provided by the state or any of those federated organizations. Additionally, the user has no control over what, how, and with whom their information is shared.
The shift from centralized identity to federated identity was marked by improvements in user experience, but ultimately, identity control remains in the hands of state organizations, although in some cases, a certain level of user consent is respected regarding how and with whom to share an identity. It was an important step towards true user identity control. However, to take the next step, citizen autonomy is required. This is the guiding principle of Decentralized Identity, a term naturally associated with distributed technologies such as blockchain. Not only is a user-centered design sought, but it requires users to be the rulers of their own identity. In recent years, Decentralized Identity has gained international relevance, largely due to the refugee crisis that has plagued Europe. This humanitarian crisis has resulted in many people lacking a recognized identity due to their forced migration, and Decentralized Identity has the potential to solve these authentication and verification problems without the need to rely on the identity issuer, even removing any censorship power from the issuer over the individual. If Decentralized Identity was becoming relevant a few years ago, in light of the COVID-19 crises, its importance has skyrocketed.
That the citizen is sovereign over their identity implies that they have total control
over the management and presentation of their person (composed of data and attributes) to third parties. That is, once the identity issuers provide the person with an identification credential, it becomes the property of the citizen, and they have the power to share and use it to identify themselves and demonstrate their attributes. This is why " (...) Self-Sovereign Identity allows people to interact in the digital world with the same freedom and trust capacity as in the physical world," according to Sovrin. In this model, no identity or service provider can manage a citizen's credentials. Likewise, those who need to verify the validity of the credentials and attributes presented by the owner do so in a decentralized way, without the need to rely on the issuer's databases for that credential. Let's say, a secure peer-to-peer digital channel is established between the ID issuer, the owner, and the verifier. When credentials are exchanged, not even the provider of the sovereign identity system knows what is being exchanged. The issuance of credentials becomes simpler and faster. Additionally, the identification owner chooses which attributes of their identity they want to show and always has control over the relationship with identification verifiers (knowing what data is shared). By deciding which attributes to show discretely, the individual regains their ability to protect other data that is not necessary or required by the verifier. An example of this is when we need to demonstrate that we are of legal age to enter a place, but we also show our full name, date of birth, and even our home address. With a Decentralized Digital Identity, this would no longer happen.
There are two fundamental elements to implement Decentralized Identity:
Decentralized information records: each identity or service provider, when issuing a credential to a person, leaves all necessary cryptographic proofs to verify that digital credential on a public decentralized network. This way, any entity that needs to verify the identifiers or attributes presented by the data owner can do so against the decentralized record, without interacting with the issuer of the digital credential.
Wallets: are portable personal repositories in which a person can carry and manage all their digital identifiers, data, tokens, and credentials that have been granted to them. Through these digital wallets, all personal information is under the control of the owner, who can also decide selectively what information to share and with whom.
The public decentralized registry provides traceability and transparency to the transactions that are recorded on it, since it has the particularity of being immutable. Modifications or updates to the previously recorded information (such as a change in the status of a digital credential, for example, from active to revoked) are electronically signed by the entity that modifies it and also recorded in the decentralized registry, so there will always be a record of its alteration. This allows anyone with whom the person shares their verifiable credentials to track and verify the credential in the public registry in real time. On the other hand, the digital credentials or assets belonging to each person are available both in their digital wallet and on the decentralized network, always under their control as electronic signature is required to manage them.