Self Sovereign Digital Identity

Before we explain what self-sovereign digital identity is, let us first define identity and then elaborate on digital identity, which leads to the final form of digital identity management, where each user controls their own digital identity.

  • Identity is a uniquely human concept. It is that ineffable “I” of self-consciousness.
  • We all have a Social identity – the qualities, beliefs, personality, looks and/or expressions that make us a person

But how do we prove our identity when interacting with others? Let's look at an example:

You interact with a person who claims to be John Smith and wants to do some transactions with you. John gives you his passport (or, in some countries, his driver’s license) as proof of his identity claim. You attest John’s claim by looking at the passport, determining whether it is authentic and then comparing the attributes captured in the passport with the person in front of you.

This process includes the following concepts:

  • claim – a claim that an actor would like to consider true
  • proof(s) – evidence that something is true, often based on a trusted certificate
  • attestation – verification by an independent party that a claim is true

You may now create a record in your system with a customer identifier, a copy of the passport and additional attributes such as address and date of birth, further verified through utility bills or other formalized evidence. This record is a digital identity; it represents relevant aspects of the social identity and is now the basis for your business interactions with John.

This may all sound simple and rather straightforward, but:

  • Attestation is typically a manual process where unstructured data is captured and verified against the available proofs which must be collected and stored
  • Only a subset of the captured information is constant. The captured attributes may get out of sync with reality
  • The presented proofs may be faked, and the quality of the attestation depends on your skills to identify such issues
  • Wherever John wants to have additional interactions, a similar process is required leading to the creation and attestation of another digital identity
  • Whenever information changes, John must provide updates to all relevant parties
  • John has no control over what happens with his data and who is accessing it

Juridical persons and things can also have a digital identity – however in this post, we will continue to only focus on natural persons and look at ways such digital identities can be managed.

Identities

Digital identity management started with centrally managed approaches. In such an approach, the authority that manages the digital identity data becomes the guardian and qualifies the digital identities. As networks evolved, federated approaches were adopted, where multiple authorities jointly manage digital identities. User-centric identity is expanding; here a user has more control over his digital identity and decides whether to share an identity from one service to another. Such sharing capability is based on standards like OpenID (2005), OpenID 2.0 (2006), OpenID Connect (2014), OAuth (2010), and FIDO (2013). It’s important to note that all these approaches are centralised, but the user has more influence over how the information is shared.

The concept behind self-sovereign digital identity is to give the user full control over his/her digital identity. It is a distributed identity management approach where a person creates a unique identifier for their digital identity, places claims and asks others in the network to perform attestation. Claims and attestations can be secured using cryptography with the public and private keys of the involved parties.

  • An actor can encrypt (that is, digitally sign) a claim with his private key
  • The actor can use the public key of the attestation authority to keep the attestation request private
  • The attestation authority can decrypt the message with its private key and the user's public key
  • The attestation authority can verify the presented proof and sign it using its own private key
  • The attestation is then sent securely back to the user

The user now has an attribute with a digitally secured attestation and with proof of a verified authority claim(s). Over time a network of users builds up, where identities are maintained and trusted through attestation of proofs given by others in the network. Attestation authorities can be official authorities, organizations and other users. The quality of an identity in such a system depends on the quality of the involved authorities. Ideally this approach will introduce a single user-managed digital identity which can be used in the network when required and becomes the core of the genuine digital self (please see Be your digital self).
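The exchange in the list above, written out as an added example (not code from the original post). It assumes Ed25519 signatures for the steps described as encrypting with a private key, RSA-OAEP wrapping a one-time AES-256-GCM key for confidentiality towards the authority, an identifier derived from the user's public key, and a hypothetical `checkProof` callback standing in for the authority's inspection of the presented proof; all names and sample values are constructed.

```javascript
const crypto = require('node:crypto');

// Ed25519 keys sign; an RSA key pair lets the authority receive encrypted requests.
const newSigner = () => crypto.generateKeyPairSync('ed25519');
const newDecryptor = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = (key) => ({ key, oaepHash: 'sha256', padding: crypto.constants.RSA_PKCS1_OAEP_PADDING });
const sha256hex = (data) => crypto.createHash('sha256').update(data).digest('hex');

// User side: sign the claim, then encrypt claim + signature for the authority only.
function buildRequest(claim, userPrivateKey, authorityEncPublicKey) {
  const payload = Buffer.from(JSON.stringify(claim));
  const signature = crypto.sign(null, payload, userPrivateKey);
  const body = Buffer.from(JSON.stringify({
    payload: payload.toString('base64'), signature: signature.toString('base64') }));
  const aesKey = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  return { wrappedKey: crypto.publicEncrypt(oaep(authorityEncPublicKey), aesKey),
           iv, ciphertext, tag: cipher.getAuthTag() };
}

// Authority side: decrypt with its private key, verify the claim with the user's
// public key, check the proof, then sign a statement bound to the exact claim bytes.
function attest(request, authority, userPublicKey, checkProof) {
  const aesKey = crypto.privateDecrypt(oaep(authority.enc.privateKey), request.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, request.iv);
  decipher.setAuthTag(request.tag); // final() throws if the ciphertext was modified
  const body = JSON.parse(Buffer.concat([decipher.update(request.ciphertext), decipher.final()]));
  const payload = Buffer.from(body.payload, 'base64');
  if (!crypto.verify(null, payload, userPublicKey, Buffer.from(body.signature, 'base64')))
    throw new Error('claim signature invalid');
  const claim = JSON.parse(payload);
  if (!checkProof(claim)) throw new Error('proof rejected');
  const statement = Buffer.from(JSON.stringify({
    claimHash: sha256hex(payload), subject: claim.subject, attestedBy: authority.name }));
  return { statement: statement.toString('base64'),
           signature: crypto.sign(null, statement, authority.sig.privateKey).toString('base64') };
}

// Any relying party with the authority's public key can check that the attestation
// is genuine and that it covers this exact claim.
function verifyAttestation(attestation, claim, authoritySigPublicKey) {
  const statement = Buffer.from(attestation.statement, 'base64');
  if (!crypto.verify(null, statement, authoritySigPublicKey,
                     Buffer.from(attestation.signature, 'base64'))) return false;
  return JSON.parse(statement).claimHash === sha256hex(JSON.stringify(claim));
}

// Constructed sample run: one user, one authority, one attribute claim.
function demo() {
  const user = newSigner();
  const authority = { name: 'example-authority', sig: newSigner(), enc: newDecryptor() };
  // Assumption: the self-created identifier is the hash of the user's public key.
  const subject = sha256hex(user.publicKey.export({ type: 'spki', format: 'der' }));
  const claim = { subject, attribute: 'dateOfBirth', value: '1980-01-01' };
  const request = buildRequest(claim, user.privateKey, authority.enc.publicKey);
  const attestation = attest(request, authority, user.publicKey,
                             (c) => c.attribute === 'dateOfBirth');
  const tampered = { ...claim, value: '1990-01-01' };
  return { genuine: verifyAttestation(attestation, claim, authority.sig.publicKey),
           tampered: verifyAttestation(attestation, tampered, authority.sig.publicKey) };
}
```

Because the attestation carries a hash of the signed claim bytes, changing any attribute value after attestation makes verification fail.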

Christopher Allen has defined ten principles to ensure the user control that’s at the heart of self-sovereign identity:

  1. Existence – users must have an independent existence
  2. Control – users must control their identities
  3. Access – Users must have access to their own data
  4. Transparency – Systems and algorithms must be transparent
  5. Persistence – Identities must be long-lived, ideally last forever
  6. Portability – Information and services about identity must be transportable
  7. Interoperability – Identities should be as widely usable as possible
  8. Consent – Users must agree to the use of their identity
  9. Minimalization – Disclosure of claims must be minimized
  10. Protection – the rights of users must be protected

It is important that the private keys are well protected, as they grant full control of the digital identity.

So far, this post has discussed the creation of a digital identity. In a future post we will look at how we bridge between the real and the digital world. How can a system verify the user is who they claim to be?

Conclusion

As the world becomes hyperconnected (please see “No ‘OFF’ Switch”), digital identity and security will continuously gain importance. As there will be, in the foreseeable future, no worldwide authority to manage digital identities, the world will converge towards a self-sovereign identity system where users own their data and various actors perform attestation in a mutual way. The system, by its nature, follows paradigms of earlier times where trust was the result of a social network. The introduction of Digital changes the proximity requirements, allowing such a system to be applied on a global scale.

References:

No “OFF” switch

Hyperconnectivity is “the sharp increase in the interconnectedness of people, organisations and objects that has resulted from three consecutive waves of technology innovation: the internet, mobile technology, and internet of things (IOT).” By 2020, according to the World Economic Forum, there will be 50 billion networked devices. This level of connectivity will have profound social, political, and economic consequences, and increasingly form part of our everyday lives, from the transportation that we drive to the food that we consume, to our jobs and the governance system we live in.
The challenge in hyperconnectivity is that by definition it transcends geographic borders. Data sovereignty and different rules on data privacy and taxation are becoming more prevalent. Will we be able to truly switch off/disconnect, or maintain distinct credential(s) in both online and offline worlds?
With the further extension of hyperconnectivity, people will find it harder to disconnect themselves, switch off or reveal distinct aspects of their credential(s) in different situations. We are heading towards an increasingly networked state where boundaries between online and offline, work and social are blurred with the merging of different spheres of contextually identifying credentials. This is becoming increasingly important due to the transformative consequences of social and technological changes.
Social digital ecosystem(s) differ from traditional communications technologies, allowing users to create, share, consume and collaborate in instantaneous mediums. Governance of online credential(s) will become increasingly important and will bring out issues of ownership and privacy.
The rules governing the dominion of digital information are dramatically different from those of offline possession. For example, an image posted online could be retained or used by others in ways that are not allowed or intended by the original author.
Hyperconnectivity is often synonymous with the loss of anonymity and a threat to privacy. The willingness of individuals to disclose information in exchange for access to services, combined with the financial value to be gained from exploiting customer data, means that individuals cede control over what happens to their data. Even individuals with limited or no online presence may be identified online, e.g. through tagging in uploaded photos or movies. Therefore individuals may no longer be the primary creators of their own online credential(s).
Identifying credential(s) will change significantly as online credential(s) are becoming part of the many overlapping attributes held by individuals. Context is crucial in understanding an individual. An individual may have multiple effigy(s) simultaneously. At times, in some places, one digital self or another would be utilised depending upon context. An individual’s sense of self is affected to a greater extent by their ecosystem, such as events, community, family, and friends, than by big events or global trends. Understanding the context and which effigy is most relevant is crucial to predicting behaviour.
Hyperconnectivity represents a step change. The world is now a highly connected environment where its citizens are globally networked individuals. Events taking place anywhere in the world lead to real and immediate impact(s) elsewhere. Hyperconnected individuals have been provided an efficient and powerful means of communication, but equally miscommunication can take place.
In the increasingly hyperconnected ecosystem(s), identifying attributes are resources that can have personal, psychological, social, and commercial value. Trust is fundamental to relationships between citizens, between people and commercial organisations, and between citizens and the state. Ethical issues will become more complex and relevant as varying credential(s) come into conflict. The need to maintain a balance between privacy, freedom and protection will become a key priority as we progress into the hyperconnected future.

Digital Engagement

Current digital offerings provide generic experiences, and where there are forms of personalized content, they often suggest content or offers that are inappropriate or simply uninteresting. This is because brands attempted to provide personalisation without considering clients’ social identity, personality, underlying motivations and contextual relations. Digital makes this tangible for personalisation. What makes it even more challenging is the scale and velocity of the digital ecosystem(s), which make it hard for businesses to understand what the value-driven service offerings are and whom they are serving. Although a few may begin to create rich online experiences building on emotional value-based connection with targeted personas, many are still leveraging outmoded approaches of segmentation and category targeting.
Understanding of the target client must be at the core of every great brand. In order to nurture, service, and retain client loyalty, the understanding of the clients must permeate the whole organisation.
Decades of research have produced models to understand and predict human behavior. One leading model, known as “Big5” or “OCEAN”, represents openness, conscientiousness, extraversion, agreeableness, and neuroticism. The intent is to assign a percentage score for each of these attributes to any individual, thereby being able to develop the persona and the analytic insights.
It is vital to note that personalisation capabilities are about aligning the right product or service to the right client at the right time and situation. Businesses must take into account the different personalities of their clients in order to ensure a personified experience. Context is king.
Failing to understand what makes people engrossed and comfortable with a particular brand or message tends to leave businesses competing on price, which is ultimately a race to the bottom. Without this level of understanding, businesses continuously give up margins as they try other means of attracting clients (e.g. fee discounts).
It is evident that the missing link in the clients’ digital journey has been developing client understanding. Discerning the personality traits of clients and the motivation behind their digital behavior (“He is online even if he is offline”) is the key to a more personalized and relevant client journey promoting the overall brand experience. Investing in personalisation to encompass the entire client journey ensures greater client loyalty and integration into the digital ecosystem of people who genuinely like the product(s), service(s) and/or brand.
The challenge is to understand the journey to achieve such personalisation, especially in the digital ecosystem where clients are unknown or anonymous, or inaccurate digital persona(s) are associated with an individual interacting via various digital mediums. Achieving personalisation requires trust to be established, or else you will never uncover and understand the true client (see “Be your digital self …”). Personalisation must consider context with the appropriate timing.
Adoption of new technology and mediums, along with new data sets, is required in real time and at massive scale in order for businesses to attain insightful information on the personalities and behavior of clients. This enables genuine personalisation in every aspect, from service to product offerings.

Be your digital self …

We all have at least one digital self, something representing us to engage in the technological world. Initially this may just be information about us and related data. But at some point in time, this digital footprint will learn and adopt our behaviors and become active.
We may have multiple digital selves – genuine and facades. The genuine self is the one which learns directly from our behaviors and mirrors our social identity. The facades are tailored for specific situations or may try to protect the genuine self.
The genuine digital self will become a mirror of you – most likely knowing more about you than you do yourself.
Is the genuine digital self a legal subject or just acting on our behalf? Our genuine digital self will be able to act much faster, considering more information than we can, if allowed. We must consider the level of responsibility and accountability on our physical self for what it does. Should this begin with a form of parent-child relation and evolve into a legal subject over time? This evolved relationship enables the digital citizen to grow and learn over time, to become of full legal age at some point.
Ethical standards for digital selves will become increasingly important – humans have basic ethical patterns which are inherited and part of the DNA. Before digital selves become widely adopted and increasingly active, digital selves will require such standards.
We will, as part of the evolution, need to revisit our standards of privacy. Are we able to pause our digital self and what would be the impact and disruption to our digital ecosystem?  Digital self-editing may sound funny but may soon become a serious issue when others detect discrepancies and lead to distrust. Observed digital selves – you observed by others – can be used to validate information or complement it. So, you need to become more yourself – which for most people is not a big issue.
We need to evolve our perspective of what we treat and define as sensitive information during this journey. Fundamental attributes such as name, birth date or social security number will be increasingly hard to protect. So, we will need to change the way we see personal information during this journey. Many legacy constructs like credit card numbers are not suitable for the digital age and must be replaced – this is the essence of the ‘digital transformation’.
Obviously, the digital self needs to be well secured and protected. This includes integrity, availability and confidentiality. Initially you will be responsible to keep your true digital self secure. But at some point, this will change and your digital self starts to protect you – two evolutionary states of digital self defense.

November on FINthinkers

November 2017 was the first month for the FINthinkers blog. Below is a short summary of what we have covered so far.
Change
Our blog started with Change is inevitable, looking at diverse types of change ranging from evolution to revolution. We also touched on Conway’s Law, which states that organizations designing systems are constrained to produce designs which are copies of the communication structures of these organizations. Following Conway’s law, companies need to change the organization to create the systems required to stay relevant in the new normal. In Next stop – FinTechGiants ? we look at the available dimensions to outperform others and at the relevant structures which each company has. Many companies seem to apply a Tur Tur strategy to change, looking giant from far away but very small when one gets close.
Client Experience and Brand
Noisy Channel(s) to Channel-less highlights the need to think from the client’s perspective. No client talks about channels, but we all like to have a seamless and ubiquitous experience to reach the desired outcomes. So a brand’s digital behaviour becomes vital when services are transparent in a digitally augmented world.
Security
Homomorphic Encryption started a series of posts on security and related topics.
We hope that the posts inspired you to think about the topics. The next posts will follow soon … thanks for reading.

Digital Tur Tur

Be aware of signs of Mr. Tur Tur

Let me begin with a German children’s novel written by Michael Ende. Lummerland is the home to Jim Button and Luke the engine driver. On one of their adventures Luke and Jim gain a new friend, the giant Mr. Tur Tur. He is an apparent giant and only appears giant in size from far away but is normal when being close.

The apparent giant is of course an allegory – one that often comes to my mind when having discussions or reading about digital transformation. Many of the declared digitization strategies seem like Mr. Tur Tur in nature. The way things are presented and promoted as part of digital transformation initiatives seem impressive from a distance – labs established, digital officers nominated, technology declared to be multi speed, problems to be solved via agile and innovation formalized. But upon looking closer, not so much has really changed.

Digitization is about rethinking value propositions from the core based on digital paradigms with the clients in focus. The generated revenues reflect the result of excellent value propositions. These value propositions must fit not just into any but into the client’s networked world. Digitisation necessitates the redefinition of the core value propositions and transformation of the business model. A high degree of automation and digital assets are qualities of such a model, but a high automation of processes or the replacement of paper with web forms do not imply successful digitisation.

Many value propositions will become ubiquitous as they happen behind the scenes, transparently integrated to create the outcomes desired by the client. This will happen through the integration of interfaces to services into user journeys, or of skills into clients’ personal smart assistants. Highly scalable and continuously available interfaces, also known as APIs, are key building blocks for enabling these impending capabilities.

To brace for the digitisation journey, a company must encompass all dimensions of skills, organization and technology (see Next stop – FinTechGiants ?). To date only a few incumbent companies have approached the challenge and adopted its fundamental way. A rule of thumb indicates that incomes erode by 50% while a dominating player emerges during the digital transformation of an industry. The question for digital laggards becomes how long they can sustain themselves against the trend in the market – trying to catch up does not work. Agility and scalability are imperative and key to surviving in the digital world – qualities that must be regained or even re-learned by many organizations.

Look out and be aware of signs of Mr. Tur Tur in your environment. Digitisation requires fundamental changes and cannot be achieved incrementally – underestimating them or creating a perception through marketing campaigns will impede and be detrimental to your business.

Importance of a brand’s digital behaviour


As the digital landscape and its mediums expand, the ways people experience a brand and their expectations of its digital behaviour have grown significantly higher and become more complex.
Brand is the holistic sum of customers’ experiences, composed of visual, tonal and behavioral brand components, many of which are shaped through interactive mediums. The complexity of the digital landscape introduces the challenges of overcoming digital distrust and must be preserved by fostering digital engagement, showing empathy, and working with transparency and authenticity.
The emotional impact of a brand is its strongest and most reliable asset. A brand must radiate its core emotions on every digital platform at any touchpoint.
Constantly reassessing brand value to stay relevant requires keeping your digital behaviour up to date. This means assessing customer behavior, moving fast and being smart about every decision, whether minor or big.
Digital behaviours differ between generations (Millennials, Gen Xers and Boomers), and a brand needs to clearly understand its customers (or intended customers) and its value proposition. For example, millennials have the highest social networking penetration of any generation and they account for most of the consumption of digital content through various mediums (e.g. digital video).
“Change is the new constant” is also relevant to the digital behaviours of customers. The dynamic rate of change will significantly increase, and the need to monitor and understand the differences becomes very important in a time-dependent manner.
This introduces the shift from persona profiling to behavioural segmentation. Persona behavioural segmentation focuses less on who the individual is and more on his/her distinct actions with regard to the product or service. The need to correlate the emotional aspects becomes significantly important. Does a particular product or service become more relevant due to a strong emotional impact? Or are consumers posting emotional responses that show their receptiveness to a certain brand offering? Does it relate to certain moment(s)?
Persona profiling based on simplistic and static demographic data points is no longer sufficient and is a poor predictor of actual persona behavior. The goal should be to get rid of generalised segmentation and replace it with data enabling hyper-personalised product and service offerings in order to maintain the relevance of a brand’s digital behaviour.