
Toward Self-Sovereign Identity

Author: Cristian Lepore

 

1. Introduction

As many people work from home, daily activities move from the physical world to the digital one, raising concerns about the management of personally identifiable information (PII). This post aims to clarify the importance of designing a proper identity management system that gives people control over their own data.

The modern identity system can be traced back to Napoleon, with the first version of the Digital Identity card emerging to track the workforce. Fast forward to the 1960s, when a magnetic stripe with data storage capabilities was embedded into a plastic card, shaping the notion of digital identity as we know it today. We later entered the digital (Internet) era, in which digital identity substituted for appearing in person with paper documents.

 

2. Digital Identity

There has been significant effort in defining the term “identity” from legal, political, and social perspectives. For example, [1] defines identity as a map to a unique set of characteristics, or as “unchanging physical traits of the person that reflect someone else perceptions”. In 2016, [2] provided a relational definition of identity as an instrument to collect data directly tied to a person from official credentials. This information can prove who you are.

Finally, a digital identity collects all information directly tied to PII from official credentials in a single spot. This (digital) identity may evolve through interactions with people, and its attributes get modified to suit these interactions.

Maintaining a digital identity does not mean being in control of our information. For example, imagine that you go into a bar for a beer. The bartender might ask whether you are over 21 by checking your ID card. Unfortunately, that card also includes other information that represents you. In the wrong hands, this information could jeopardize your identity. With this in mind, part of the solution is called Self-Sovereign Identity (SSI), which means giving people control of their private information. Back to our example, the idea is to provide the bartender with only the minimum amount of data needed to prove your age.

 

3. Identity models

Christopher Allen depicted the evolutionary path of identity models in his blog post [3], encompassing four models, as highlighted in [4]. We quickly pass through all of them.

Centralized
The centralized model, introduced in [5] to deliver service-specific resources, consists of a service provider that allocates identities and credentials to users and distributes them separately to everyone, as described in [6]. Every person needs to register an account for each available service. In this scenario, there are two parties involved, namely 1) the service provider (SP), which provides the credentials (username and password), and 2) the users, who wish to benefit from the service. The model is also referred to as Siloed [7] because credentials are never shared between organizations. The downside of this model is that the actual owner of the digital identity is the organization or institution that stores data in a central repository. If a credential gets somehow compromised, the security of the authentication mechanism is compromised as well, resulting in identity theft.

Federated
A federated model combines several siloed domains into one federation by binding the identity provider with the service providers from different silos.
Typically, each individual is entitled to a different set of credentials for each service she registers with. Authentication and identification take place inside the federation.
Like the previous model, the authentication process requires trust among entities (users, identity provider and service provider) and is a two-step procedure: first, the user authenticates herself to the identity provider. Then, an indirect access path that does not require any new authentication redirects the user to the service provider to consume the service [6].
Federation is mostly adopted in large businesses, where single sign-on mechanisms allow a user to access multiple internal services, providing a degree of portability to a centralized identity. An example of this model is a university network, where we usually see one identity provider and many service providers, such as email, library, printing, and so on. The identity provider keeps track of students’ usernames and passwords, and by logging into one service (for example, the email), students gain access to all the others.
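The two-step federated flow above, as an added example that is not part of the original post: the identity provider checks the user's password once and hands back a signed assertion; each service provider accepts that assertion instead of asking for credentials again. The assertion is bound to one audience and an expiry, so an assertion minted for the email service cannot be replayed against the library. The federation key, the user directory and the HMAC "signature" are constructed stand-ins for a real federation's public-key signatures (SAML or OpenID Connect); they exist only to make the example run offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared key between the identity provider and the service providers.
# A real federation signs assertions with the IdP's private key; the HMAC here
# stands in for that signature so the example runs with the standard library only.
FEDERATION_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed user directory held by the single identity provider of the
# university example (password hashes only, never plaintext).
IDP_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_authenticate(username, password, audience, now=None, ttl=300):
    """Step 1: the user authenticates to the identity provider, which issues a
    signed assertion bound to one service provider (audience) with an expiry.
    Returns the assertion string, or None when the password is wrong."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Constant-time comparison so a wrong guess leaks no timing information.
    if not hmac.compare_digest(IDP_USERS.get(username, ""), digest):
        return None
    payload = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def sp_accept(assertion, expected_audience, now=None):
    """Step 2: the service provider verifies the assertion instead of asking
    for credentials again. Returns the subject, or None when rejected."""
    now = time.time() if now is None else now
    try:
        body, tag = assertion.split(".")
    except ValueError:
        return None
    # Verify the signature before trusting anything inside the body.
    expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None
    payload = json.loads(_unb64(body))
    # Audience check: an assertion for the email service must not open the library.
    if payload.get("aud") != expected_audience:
        return None
    # Expiry check: stale assertions are rejected even if correctly signed.
    if now >= payload.get("exp", 0):
        return None
    return payload["sub"]


if __name__ == "__main__":
    t = 1_700_000_000.0
    assertion = idp_authenticate("alice", "correct horse", "mail", now=t)
    print("mail accepts:", sp_accept(assertion, "mail", now=t + 10))
    print("library accepts:", sp_accept(assertion, "library", now=t + 10))
```

The audience and expiry checks are the part practitioners most often drop when wiring up SSO; without them, one service's assertion is a bearer token for every service in the federation.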

User-centric
The term user-centric refers to technology that ensures users control their digital identity [8]. This paradigm shifts the focus from the service provider’s to the user’s perspective. The model is similar to the previous one, but with a subtle difference: there is no need to define trust among entities because the concept of trust is intrinsically decentralized. Therefore, a service provider does not need to bind itself into a federation, hence the name open-trusted model. Whenever an individual tries to access a service provider, her request is forwarded to the identity provider, which is in charge of authenticating the user and, in turn, releases a profile for the user to the service provider, where an authorization decision is taken based on her grants.

Self-Sovereign Identity
Most of the effort to define SSI, conducted in [9], describes Self-Sovereign Identity (SSI) as a set of rules and principles whose idea is to put individuals at the center of the digital ecosystem. Most importantly, the user has control over what is disclosed, to whom, and how it is used. Two important principles come along with that: 1) the right to be forgotten (deleted), and 2) the right to move information to another service. SSI is part of the inevitable paradigm shift towards the decentralization of trust and the enhancement of privacy in computer systems and beyond.
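The bartender example from section 2 and the "control over what is disclosed to whom" principle above, as an added example that is not part of the original post: an issuer commits to each attribute of a credential separately with a salted hash and signs only the list of commitments; the holder later reveals just the attributes she chooses (here a single over-21 claim), and the verifier checks the signature and the revealed attribute against the commitments without ever seeing the name, birthdate or address. This is the selective-disclosure pattern used by SD-JWT style credentials, simplified. The issuer key and the HMAC in place of a digital signature are constructed assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer key. In a real SSI credential the issuer signs with a
# private key and anyone verifies with the public key; the HMAC here is a
# stand-in so the example runs with the standard library only.
ISSUER_KEY = b"constructed-issuer-key-not-for-real-use"


def _commit(name, value, salt):
    """Salted hash commitment: hides the value, binds it to the credential."""
    material = f"{salt}|{name}|{json.dumps(value, sort_keys=True)}"
    return hashlib.sha256(material.encode()).hexdigest()


def issue_credential(attributes):
    """Issuer side: one commitment per attribute, signature over the sorted
    list of commitments only. The holder keeps the values and salts."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    commitments = sorted(_commit(n, v, salts[n]) for n, v in attributes.items())
    signed = json.dumps(commitments)
    signature = hmac.new(ISSUER_KEY, signed.encode(), hashlib.sha256).hexdigest()
    return {"commitments": commitments, "signature": signature,
            "attributes": attributes, "salts": salts}


def present(credential, disclose):
    """Holder side: build a presentation that reveals only the named
    attributes (value plus salt); everything else stays with the holder."""
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {name: {"value": credential["attributes"][name],
                             "salt": credential["salts"][name]}
                      for name in disclose},
    }


def verify_presentation(presentation):
    """Verifier side (the bartender): check the issuer signature over the
    commitments, then check each disclosed attribute opens one of them.
    Returns the verified attributes, or None on any failure."""
    signed = json.dumps(presentation["commitments"])
    expected = hmac.new(ISSUER_KEY, signed.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    verified = {}
    for name, opening in presentation["disclosed"].items():
        if _commit(name, opening["value"], opening["salt"]) not in presentation["commitments"]:
            return None  # value or salt was altered after issuance
        verified[name] = opening["value"]
    return verified


if __name__ == "__main__":
    # Constructed sample credential; the issuer attests the over-21 predicate
    # so the holder never has to reveal the birthdate itself.
    cred = issue_credential({"name": "Alice Example", "birthdate": "1990-01-01",
                             "over_21": True, "address": "1 Example Street"})
    bar_presentation = present(cred, ["over_21"])
    print(verify_presentation(bar_presentation))   # only the age predicate
```

Note that the issuer, not the holder, computes the over-21 predicate at issuance time; the holder can choose what to reveal but cannot change a value, because the salted commitment is bound by the signature.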

 

References:

1. Abelson, H., Lessig, L., Covell, P., Gordon, S., Hochberger, A., Kovacs, J., et al.: Digital identity in cyberspace. White Paper Submitted for 6.805/Law of Cyberspace: Social Protocols (1998)
2. Andrieu, J.: A technology-free definition of self-sovereign identity. Rebooting the Web of Trust III (October), 2–5 (2016)
3. Allen, C.: The path to self-sovereign identity. [online] Life with Alacrity blog (2016)
4. Ferdous, M.S., Chowdhury, F., Alassafi, M.O.: In search of self-sovereign identity leveraging blockchain technology. IEEE Access 7, 103059–103079 (2019)
5. Jøsang, A., Fabre, J., Hay, B., Dalziel, J., Pope, S.: Trust requirements in identity management. In: Proceedings of the 2005 Australasian workshop on Grid computing and e-research, Volume 44. pp. 99–108. Citeseer (2005)
6. Gruner, A., Muhle, A., Gayvoronskaya, T., Meinel, C.: A comparative analysis of trust requirements in decentralized identity management. In: International Conference on Advanced Information Networking and Applications. pp. 200–213. Springer (2019)
7. Suriadi, S., Foo, E., Jøsang, A.: A user-centric federated single sign-on system. Journal of Network and Computer Applications 32(2), 388–401 (2009)
8. El Maliki, T., Seigneur, J.M.: User-centric mobile identity management services. In: SECURWARE International Conference. Citeseer (2007)
9. Cameron, K.: The laws of identity. Microsoft Corp 12, 8–11 (2005)

Solving the conflicts between data owners and data exploiters through a spectrum of quasi-property models

The European Union keeps moving forward with its plans for a regulatory framework to guide the development of the data economy and foster data-driven innovations for further economic and societal growth.[1] The use of and access to data play a key role in this context, and different actors can have different priorities. In particular, individuals and companies both have an interest in enjoying a degree of control over the information used to fuel these data-driven innovations: individuals because the use of data related to them might affect them, and companies – and other controllers – because they might wish to generate economic and societal development by processing data.

 

This reopens and further develops a question to which no single uniform answer has been found yet: what exactly is data, to whom does it belong, and what legal relationship is there between the subject and the data? The answers to these questions are extremely relevant, in particular where the data economy has gone as far as using personal data as consideration for digital services.[2] Seeking answers from a legal perspective can be troublesome, as there are different regulations, even in the European context, that provide different and, in some cases, contradictory solutions.

 

The question is particularly timely, as a proposal for a Data Act should be published soon by the European Commission. While the exact content of the Data Act is still unknown, since the proposal from the European Commission hasn’t been published, this piece of legislation is intended to address a considerable number of issues surrounding the data economy and the possibility of data ownership.

 

Currently, from a legal point of view, there are different notions of what data means exactly. Often, we tend to defer to the General Data Protection Regulation (GDPR) and the realm of data protection regulations to answer this, where data associated with an individual is known as ‘personal data’.[3] We can also find ‘non-personal’ data, where it is not related to a natural person, as in the case of the Free Flow Regulation.[4] However, it doesn’t stop there: in upcoming legislation, such as the Data Governance Act, we can also find more general notions of data.[5] As such, in different situations, we might be confronted by a particular regulatory framework that deals with a set of situations. Consequently, a comprehensive and systematic view is necessary to tackle this first question in a holistic manner.

 

On the questions of to whom it belongs – if it belongs as such to anybody – and what legal bond there is between them and the data, the literature has discussed different approaches and has tried for quite some time to find a balance between the interests of the involved stakeholders. When it comes to companies, the database sui generis right, trade secrets, or copyright were seen as the potential solutions.[6] On the other hand, the legal literature dealing with ‘ownership’ of data by individuals, while a tempting solution,[7] is beset by the fact that personal data is also safeguarded as a fundamental right.[8] In this sense, it was pointed out that people would not own personal data but rather control access to it via the notice and consent scheme and/or the general data protection framework, including the exercise of associated data rights, even on a collective basis.[9]

 

This latter scenario, a more active approach to the exercise of data rights, is finding an echo in recent technological developments, such as decentralized identity management systems.[10] Until now, companies acted as data controllers and oversaw every single activity related to the data processing, from the collection of the personal data through its usage and possible sharing until its destruction. Decentralized identity management systems, such as self-sovereign identities or personal data stores, allow for further control by data subjects themselves, rather than having to file a request before a data controller and wait for an answer.[11] In this sense, data controllers do not select which data they are going to collect but rather have to accommodate the data that individuals create and make available for use.

 

This difference in the existing approaches for answering our initial question shows that there might be tensions between the involved stakeholders, as their rights on the same object are different and, in some cases, express contradictory concerns. It is unclear how the transfer of rights between the involved parties should operate. To achieve a balance between the different positions, the adoption of a quasi-property model has been suggested, with a different grounding on a particular right depending on the scholar analyzed.[12] Through it, it would be possible to adopt a practical and hands-on solution to the issue of data ownership and, consequently, bridge the different positions mentioned above. Exploring whether this approach is compatible with the GDPR shall be one of the main challenges for the LeADS project.

 

As mentioned, the European regulatory framework is currently in flux and attempting to tackle future economic developments sustainably in the long run. There are currently different proposals under discussion at different levels that deal in a unified manner with the uneasy question of what exactly (personal) data is from a legal point of view, and try to answer the question ‘what is data ownership?’, which forms one of the main research crossroads for the LeADS project, together with the other research questions that form its core.

 

Authors: Prof. dr. Paul de Hert, Prof. dr. Gloria González Fuster, Andrés Chomczyk Penedo

 

[1] ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data’ (European Commission 2020) COM(2020) 66 final.

[2] Carrie Gates and Peter Matthews, ‘Data Is the New Currency’, Proceedings of the 2014 New Security Paradigms Workshop(Association for Computing Machinery 2014) <https://doi.org/10.1145/2683467.2683477> accessed 1 April 2021.

[3] Art. 4(1) GDPR: ‘(…) any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (…)’.

[4] Art. 3(1) Free Flow Regulation: ‘(…) means data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679; (…)’.

[5] Art. 2(1) DGA: ‘(…) means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording; (…)’.

[6] Gianclaudio Malgieri, ‘“Ownership” of Customer (Big) Data in the European Union: Quasi-Property as Comparative Solution?’ (Social Science Research Network 2016) SSRN Scholarly Paper ID 2916079 <https://papers.ssrn.com/abstract=2916079> accessed 15 July 2021.

[7] Ignacio Cofone, ‘Beyond Data Ownership’ (Social Science Research Network 2020) SSRN Scholarly Paper ID 3564480 <https://papers.ssrn.com/abstract=3564480> accessed 1 April 2021; Václav Janeček, ‘Ownership of Personal Data in the Internet of Things’ (2018) 34 Computer Law & Security Review 1039; Patrik Hummel, Matthias Braun and Peter Dabrock, ‘Own Data? Ethical Reflections on Data Ownership’ [2020] Philosophy & Technology <http://link.springer.com/10.1007/s13347-020-00404-9> accessed 1 April 2021.

[8] Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer Science & Business 2014).

[9] Nestor Duch-Brown, Bertin Martens and Frank Mueller-Langer, ‘The Economics of Ownership, Access and Trade in Digital Data’ (European Commission, Joint Research Centre 2017) JRC Digital Economy Working Paper 2017–01 <https://www.ssrn.com/abstract=2914144> accessed 1 April 2021; Tommaso Fia, ‘An Alternative to Data Ownership: Managing Access to Non-Personal Data through the Commons’ [2020] Global Jurist <https://www.degruyter.com/document/doi/10.1515/gj-2020-0034/html> accessed 1 April 2021.

[10] Christopher Allen, ‘The Path to Self-Sovereign Identity’ (Life With Alacrity, 25 April 2016) <http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html> accessed 27 June 2019.

[11] Andrés Chomczyk Penedo, ‘Self-Sovereign Identity Systems and European Data Protection Regulations: An Analysis of Roles and Responsibilities’ (Gesellschaft für Informatik 2021) <https://dl.gi.de/bitstream/handle/20.500.12116/36505/proceedings-08.pdf?sequence=1&isAllowed=y>.

[12] Malgieri (n 6).