In an article published on July 5, 2018, Gartner describes two avenues that it believes will meet the challenges of the GDPR: personification and self-sovereign identity.
It defines personification as “the delivery and optimization of relevant digital experiences based on an individual’s assumed membership in a customer segment and their immediate circumstances rather than their personal identity.” Personification therefore aims to know an individual as closely as possible without having to identify them personally.
The concept of self-sovereign identity (SSI) is, for its part, more complicated to define. This new form of digital identity, based on Blockchain technology, gives individuals better control over their personal data, while facilitating their interactions with organizations. It is necessary to explain this concept in order to understand the impact and possibilities of self-sovereign identity.
The evolution of digital identity
In order to clarify the concept of self-sovereign identity, let’s start by reviewing the history of digital identity.
The first form of digital identity is represented by the “silo model”. Each organization grants individuals access to its own services. The individual must create an account with each organization, which multiplies their identities, makes them difficult to keep track of, and complicates the user experience.
A second form of digital identity then appeared, represented by the “federated model”. In this model, a trusted third party, an identity authenticator, allows identification with other affiliated organizations. The main example is Microsoft Passport, which allows users, through a single sign-on, to access the services of all websites affiliated with Microsoft.
The third form of digital identity is represented by the “user-centric model”. In this model, the trusted third party makes it possible to identify oneself with other organizations, without the latter being affiliated. This model appears through the “Connect with Facebook” or “Connect with Google” invitations. These trusted third parties centralize digital identities, and are their guarantors.
Self-sovereign identity is the latest model of digital identity. It was born from the desire to offer individuals the possibility of controlling and protecting their digital identity. Gartner explains that it consists of “using the distributed ledger architecture of the Blockchain to allow consumers to administer their own identity and their preferences in terms of consent in a portable manner across all the platforms they are interested in.”
Securing the “identity wallet” thanks to the Blockchain
The concept of self-sovereign identity is based on the creation of a personal digital “identity wallet”. Individuals can define different statements about their identity, have them validated, and share them as they wish.
Let’s look at a concrete example of the use of self-sovereign identity. Mr. Martin creates his secure digital “identity wallet” on a Blockchain. He adds to his wallet a set of statements concerning him, for example, the information on his identity card: name, first name, date of birth, etc. He also includes a scan of his identity card, which will serve as proof.
Mr. Martin then transmits his statements and their evidence to a competent authority. The latter validates the statements of Mr. Martin, owner of the “identity wallet”, and sends him the signed certifications corresponding to all the information on his identity card. In the future, when Mr. Martin wants to prove a piece of information that his identity card attests, he will only have to authorize access to the corresponding certification.
If, for example, Mr. Martin wants to buy alcohol, he will have to prove that he is over 18 years old. The classic solution would be to show his identity card to the seller. However, this method would reveal information that is not necessary: his name, address, or date of birth. By using his “identity wallet”, he could authorize access only to the “I am over 18” certification validated by the appropriate authority.
The “Identity Wallet” in practice
Self-sovereign identity at the service of the GDPR
The concept of self-sovereign identity has many advantages for data controllers.
1. First, it makes it possible to certify individuals’ consent to the use of their personal data, since the authorizations granted are traced in the blockchain. Requests for authorization to access personal data may be accompanied by all the information necessary to obtain the agreement. In addition, it provides access to truthful and up-to-date data. Indeed, the bearer of the “identity wallet” gives access to a certification which is, by the properties of the Blockchain, tamper-proof. If a certified statement becomes false, the responsible authority can issue a public message on the Blockchain invalidating the certification concerned.
2. The principle of self-sovereign identity also presents a workaround to issues related to the data lifecycle. In this digital identity model, the user gives organizations a permanent right of consultation. Following this authorization, the latter can then access the useful data whenever necessary without having to store them, as long as the user does not revoke the right of consultation.
3. From the point of view of individuals, self-sovereign identity facilitates the application of and respect for fundamental rights. Take the example of the rights of access and rectification. As individuals own their “identity wallet”, they know exactly what information it contains and who has access to it. They can update these statements at any time. For the rights of information, erasure or opposition, SSI lets individuals accept or refuse access to their personal data. Once access has been granted, they can revoke this authorization at any time. All these decisions are tracked on the Blockchain, and fraudulent use of personal data can therefore be easily proven.
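Mr. Martin's over-18 purchase and the authority's invalidation message from point 1 can be traced in code; the following Go sketch is an added example, not code from the article or from any SSI product. It assumes Ed25519 signatures, an in-memory map standing in for the Blockchain's invalidation records, and a seller who has already authenticated which wallet is presenting; all names and values in it are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Certification is one statement the authority signed for one wallet.
type Certification struct {
	ID, Wallet, Claim string
	Sig               []byte // authority's signature over the three fields
}

func payload(c Certification) []byte { // %q quoting keeps field boundaries fixed
	return []byte(fmt.Sprintf("%q %q %q", c.ID, c.Wallet, c.Claim))
}

// Issue is the authority's step, done after it has checked the evidence.
func Issue(key ed25519.PrivateKey, id, wallet, claim string) Certification {
	c := Certification{ID: id, Wallet: wallet, Claim: claim}
	c.Sig = ed25519.Sign(key, payload(c))
	return c
}

// Verify is the seller's step; revoked stands in for invalidations on the ledger.
func Verify(pub ed25519.PublicKey, revoked map[string]bool, c Certification, wallet, want string) string {
	switch {
	case c.Wallet != wallet || c.Claim != want:
		return "wrong wallet or claim"
	case !ed25519.Verify(pub, payload(c), c.Sig):
		return "bad signature"
	case revoked[c.ID]:
		return "invalidated"
	}
	return "accepted"
}

// Scenario replays the over-18 purchase with constructed sample values.
func Scenario() (ok, edited, afterInvalidation string) {
	pub, key, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	revoked := map[string]bool{}
	over18 := Issue(key, "c2", "wallet-martin", "over_18=true") // only item the seller sees
	ok = Verify(pub, revoked, over18, "wallet-martin", "over_18=true")
	minor := Issue(key, "c3", "wallet-other", "over_18=false")
	minor.Claim = "over_18=true" // claim altered after issuance
	edited = Verify(pub, revoked, minor, "wallet-other", "over_18=true")
	revoked["c2"] = true // authority invalidates the certification
	return ok, edited, Verify(pub, revoked, over18, "wallet-martin", "over_18=true")
}
func main() { fmt.Println(Scenario()) }
```

The seller never receives the name or birth-date certifications, and a certification whose claim was altered after issuance, or one the authority has invalidated, is rejected.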
In short, the advantages of self-sovereign identity are numerous, both for organizations wanting to use personal data without risking being sanctioned under the GDPR, and for individuals, who benefit from simple control over their data.
Several models of self-sovereign identities are currently growing in parallel. At a time when the use of personal data represents both an obvious opportunity and a certain risk, the emergence of a decentralized identity management network will make it possible, as Gartner announces, to meet, or even exceed, the challenges of GDPR.