Self Sovereign Identity for Dummies - GraceRachmany/VOH GitHub Wiki

The problem

Once upon a time, we didn't think about "owning" our identity. It's me, in this body, and I carry myself around with me. Generally, religious authorities would keep a record of birth, death and marriage, but that was it. You were you because people knew you were you. If enough people said "This is Grace," I was Grace. If I wanted, for example, to change my name to Grace, I didn't have to fill out 20 forms, go to court and get permission. If I wanted to get married, I had a big public wedding and maybe wore a different hat, or a dot on my forehead, so people would have that data about me.

Over time, nation-states developed, and they liked having power, so now you are a person only if a nation-state says you are a person. Your digital identity, however, is issued by Google and Facebook. Google knows things like how fast you swipe your phone and whether your hand is trembling. I recently had the experience of having a couple of drinks and then trying to get voice-to-text to work for me. Voice-to-text was entertaining, but after a few incidents like that, Google will be able to tell how much I've had to drink. Google could let my insurer know how often I have a drink. Google could inform "City Bike" so I can't rent a bike after a few drinks. If Google were smart, they would tell Enterprise not to rent me a car in a left-side-of-the-road driving country again. (Those would be "good" things, but I'm not sure I want Google or my government deciding that I should never drive in a storm after dark in Wales again.... although I definitely shouldn't.) Google, or someone who steals or buys that data, could create a fake digital me that has all of my behaviors, bank accounts, what have you.

All of this data about me: who does it belong to? Who gets to see it? We don't know, and we don't even have the right to know who is using this data or what they are using it for, but the uses are endless.

It gets a bit deeper than that, because to some degree, maybe this isn't really data. Maybe it's part of my brain. If I am using my phone to remind me when to take my insulin shot, or if I have dementia and using my phone in a particular way helps me maintain self-sufficiency at home, maybe this data isn't even something I "own". Maybe it's actually an extension of my body or brain. If it were taken away, I wouldn't be the person I am without it. Maybe erasing or tampering with my data is assault, rather than theft. We don't have legal definitions for this, and even in places where you have some privacy rights (GDPR in Europe), the implementation is so bad it's useless. You just click "OK" without reading the warning, and give rights to some unknown someone to sell the data to other unknown someones, who are all being listened to by the NSA.

How did it get to be this way?

When you meet a human, you use your voice to introduce yourself. On the internet, there are different ways to introduce and identify yourself. When Web 2 (the internet we're using now) was developed, a lot of people got together and argued about the data structure for doing that. Meanwhile, the people with money and power (Google and Facebook) said: don't worry, we'll solve this problem for everyone.

Now, wherever you go, you log in with Google or log in with Facebook. It's easy, so everybody does it, and even if you know it's dangerous, what option do you have?

What is Self-Sovereign Identity?

The idea of self-sovereign identity is that I could have a kind of "identity wallet" where I keep all this information about myself. If I want to donate blood, the blood bank would send a request listing the information it would like to get from me, and I could release that information to them for a limited time, for example an hour. At the end of the donation, they would give me another piece of data saying that I gave blood on that day in that place, that my hemoglobin count was such-and-such, and so on.

All that data would be held by me, not by Google or my government, but each piece would be "verified", meaning cryptographically signed, by whoever issued it. So when the blood bank looks at the credentials I sent, it can make an assessment such as "this test was performed by a source we don't consider reliable, so we don't believe that data". Because each credential is signed by a specific issuer, anyone asking for the data can see who vouched for it and decide for themselves whether they think it is good or bad data.

In any case, I would (ideally) always know what is happening with my data. In the ideal world, if the blood bank wanted to send my blood type to the national census for statistical purposes, I would know they were doing that, and if the government sent that data on to the World Health Organization for statistical purposes, I would know that too, and perhaps I would even be given some ability to decline, or to get a bit of compensation for allowing those organizations to use my data. Heck, I could sell my health data to an insurance agent if I wanted to.... if it were my data and not Google's. Guess what? Today, Google is selling that information to insurance agents. That's their business model.

Holy Sh*t

I know, aren't you sorry you asked about identity?

OK, so NOW what the heck is digital identity?

Basically (and this is slightly inaccurate because it's for dummies/normal humans), digital identity contains two things:

  • A unique identifier (a Decentralized Identifier, or DID) for each relationship.
  • Credentials (Verifiable Credentials, or VCs).

The DID is a string, formatted a bit like a URL (for example did:example:123456789abcdefghi), that is used specifically for the interaction between you and another entity. It might seem weird, because you might say that you always have the same identifier, like "I'm Grace", but that's not the reality. The reality is that every person you know has a unique set of information about you. Some people know your birthday and some know your favorite color. Some people you've lied to, and some people you haven't lied to. So this unique DID is specific to the relationship, which also means two parties can't line up their records and discover they are talking about the same person. If you had an SSI app, it would create a new identifier every time you entered into a new relationship, and when you interacted with that party again, the app would present that same identifier, like a greeting: "Hey, it's me again! Remember, I met you at the so-and-so event."

The VC is the data about you. It's a Verifiable Credential because the data came from somewhere, and the credential carries that source's signature. This heartbeat data came from a Fitbit or from an ECG. The source of the data is important, of course. If the bank tells you this person has a good credit rating, it's different than if I tell you they are cool about money. A VC could be self-attested, and it could be a fact attested by multiple sources, just like in the real world.

A "digital identity" would be the decentralized identifier (DID) plus the set of credentials (VCs). So your identity in general, or vis-à-vis some other entity, consists of an identifier and the credentials that go along with it.
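To make the two parts concrete, here is a small added example in Go. It is not code from this page or from any real SSI wallet; the did:example method name, the seed-based key derivation, the claim names and the "blood-bank" / "clinic" relationship labels are all this example's own assumptions. It shows a wallet handing out a different DID per relationship (the "Hey, it's me again" behaviour above), a blood bank issuing a signed credential to one of those DIDs, and a relying party doing the assessment described earlier: check that the presenter actually controls the DID the credential names, check the issuer's signature, and only then decide whether it believes that issuer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Wallet derives a separate Ed25519 key, hence a separate DID, per peer from one secret seed: a peer
// always sees the same DID, and two peers cannot correlate. (The derivation is this example's own.)
type Wallet struct{ seed []byte }

func NewWallet() *Wallet {
	w := &Wallet{seed: make([]byte, 32)}
	rand.Read(w.seed) // crypto/rand; an error here would mean the platform RNG is broken
	return w
}

func (w *Wallet) KeyFor(peer string) ed25519.PrivateKey {
	h := sha256.Sum256(append(append([]byte{}, w.seed...), peer...))
	return ed25519.NewKeyFromSeed(h[:])
}

func (w *Wallet) DIDFor(peer string) string { return DIDFromKey(w.KeyFor(peer).Public().(ed25519.PublicKey)) }
// Prove signs a verifier's fresh nonce with the pairwise key: evidence that the presenter
// controls the DID a credential names, without touching any other relationship's key.
func (w *Wallet) Prove(peer string, nonce []byte) string {
	return base64.RawURLEncoding.EncodeToString(ed25519.Sign(w.KeyFor(peer), nonce))
}

// did:example is the spec's placeholder method; embedding the key in the DID lets it "resolve" offline.
const didPrefix = "did:example:"
func DIDFromKey(pub ed25519.PublicKey) string { return didPrefix + base64.RawURLEncoding.EncodeToString(pub) }
func KeyFromDID(did string) (ed25519.PublicKey, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(did, didPrefix))
	if !strings.HasPrefix(did, didPrefix) || err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("cannot resolve %q", did)
	}
	return raw, nil
}

// A credential is a set of claims about a subject DID plus the issuer's signature over their
// JSON encoding. The shape only loosely follows the W3C Verifiable Credentials data model.
type Claims struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	Data    map[string]string `json:"data"`
}
type Credential struct {
	Claims Claims `json:"claims"`
	Proof  string `json:"proof"` // base64url Ed25519 signature over json.Marshal(Claims)
}

func Issue(issuer ed25519.PrivateKey, subject string, data map[string]string) Credential {
	claims := Claims{Issuer: DIDFromKey(issuer.Public().(ed25519.PublicKey)), Subject: subject, Data: data}
	b, _ := json.Marshal(claims) // struct fields and map keys are emitted in a fixed order
	return Credential{Claims: claims, Proof: base64.RawURLEncoding.EncodeToString(ed25519.Sign(issuer, b))}
}

func verifySig(did string, msg []byte, proof string) error {
	pub, err := KeyFromDID(did)
	sig, decErr := base64.RawURLEncoding.DecodeString(proof)
	if err != nil || decErr != nil || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify for " + did)
	}
	return nil
}

// Check is the relying party's decision; trusted is its own allow-list of issuer DIDs. The verdict says why.
func Check(c Credential, nonce []byte, holderProof string, trusted map[string]bool) (string, error) {
	if err := verifySig(c.Claims.Subject, nonce, holderProof); err != nil {
		return "rejected", errors.New("presenter does not control the subject DID")
	}
	b, _ := json.Marshal(c.Claims)
	if err := verifySig(c.Claims.Issuer, b, c.Proof); err != nil {
		return "rejected", err // tampered claims or a forged issuer
	}
	if c.Claims.Issuer == c.Claims.Subject {
		return "self-attested", nil // the holder vouching for itself; weigh accordingly
	}
	if !trusted[c.Claims.Issuer] {
		return "untrusted-issuer", nil // valid signature, but this verifier does not believe the source
	}
	return "accepted", nil
}

func main() {
	grace, bankKey := NewWallet(), NewWallet().KeyFor("issuing") // the bank signs with one public key
	cred := Issue(bankKey, grace.DIDFor("blood-bank"), map[string]string{"donated": "2023-04-01", "hemoglobin_g_dl": "13.9"})
	nonce := make([]byte, 16)
	rand.Read(nonce)
	fmt.Println(Check(cred, nonce, grace.Prove("blood-bank", nonce), map[string]bool{cred.Claims.Issuer: true})) // accepted <nil>
}
```

The cases worth trying yourself: answer the nonce with the key from a different relationship, reuse an old answer for a new nonce, edit a claim after it was signed, or have a lab the verifier has never heard of sign the same claims. Each should come back rejected or untrusted-issuer, never accepted. One simplification to keep in mind: because the credential names the DID used with the blood bank, it can only be presented back to the blood bank. Presenting it to someone else under a different pairwise DID needs a holder-binding mechanism (for example the link secret in Hyperledger AnonCreds), which is beyond this page.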

What is a standard?

A standard would allow any application to understand an identity from another application. The DID would have to follow an agreed syntax, and everyone would agree to that standard. I wish it were that simple, but really it looks like this: https://www.w3.org/TR/did-core/
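What "an agreed syntax" means in practice is spelled out in that document as a grammar. The following is an added example, not code from this page or from the W3C: a small Go parser for the did-core syntax. It checks that the method name is lowercase letters and digits, that the method-specific part uses only the allowed characters with a non-empty last segment, and it splits off the path, query and fragment of a DID URL. The sample strings in main are made up for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// DIDURL is a parsed DID URL. The grammar is the ABNF from W3C DID Core 1.0 (section 3):
//
//	did                = "did:" method-name ":" method-specific-id
//	method-name        = 1*( %x61-7A / DIGIT )          ; lowercase letters and digits only
//	method-specific-id = *( *idchar ":" ) 1*idchar      ; ":"-separated, last part non-empty
//	idchar             = ALPHA / DIGIT / "." / "-" / "_" / "%" HEXDIG HEXDIG
//	did-url            = did path-abempty [ "?" query ] [ "#" fragment ]
type DIDURL struct {
	DID, Method, ID, Path, Query, Fragment string
}

func isMethodChar(c byte) bool { return c >= 'a' && c <= 'z' || c >= '0' && c <= '9' }

func isHex(c byte) bool {
	return c >= '0' && c <= '9' || c >= 'a' && c <= 'f' || c >= 'A' && c <= 'F'
}

// validID checks a method-specific-id: every character must be an idchar, a "%" must be
// followed by two hex digits, and the part after the last ":" must not be empty.
func validID(id string) bool {
	if id == "" || strings.HasSuffix(id, ":") {
		return false
	}
	for i := 0; i < len(id); i++ {
		switch c := id[i]; {
		case c == '%':
			if i+2 >= len(id) || !isHex(id[i+1]) || !isHex(id[i+2]) {
				return false
			}
			i += 2
		case c == ':', c == '.', c == '-', c == '_', isMethodChar(c), c >= 'A' && c <= 'Z':
		default:
			return false
		}
	}
	return true
}

// ParseDIDURL splits and validates a DID URL. The DID proper ends at the first "/", "?" or "#",
// none of which is an idchar; path, query and fragment are separated but not further validated.
func ParseDIDURL(s string) (DIDURL, error) {
	end := strings.IndexAny(s, "/?#")
	if end < 0 {
		end = len(s)
	}
	did, rest := s[:end], s[end:]
	parts := strings.SplitN(did, ":", 3)
	if len(parts) != 3 || parts[0] != "did" || parts[1] == "" {
		return DIDURL{}, fmt.Errorf("%q: want did:<method-name>:<method-specific-id>", s)
	}
	for i := 0; i < len(parts[1]); i++ {
		if !isMethodChar(parts[1][i]) {
			return DIDURL{}, fmt.Errorf("%q: method name must be lowercase letters or digits", s)
		}
	}
	if !validID(parts[2]) {
		return DIDURL{}, fmt.Errorf("%q: malformed method-specific-id", s)
	}
	u := DIDURL{DID: did, Method: parts[1], ID: parts[2]}
	if i := strings.IndexByte(rest, '#'); i >= 0 {
		u.Fragment, rest = rest[i+1:], rest[:i]
	}
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		u.Query, rest = rest[i+1:], rest[:i]
	}
	u.Path = rest
	return u, nil
}

func main() {
	// Constructed sample inputs: three valid DID URLs followed by three malformed ones.
	for _, s := range []string{
		"did:example:123456789abcdefghi", "did:web:example.com:alice", "did:example:123?service=agent#key-1",
		"did:EXAMPLE:123", "did:example:", "did:example:a%2",
	} {
		u, err := ParseDIDURL(s)
		fmt.Printf("%-38s method=%q id=%q path=%q query=%q fragment=%q err=%v\n", s, u.Method, u.ID, u.Path, u.Query, u.Fragment, err)
	}
}
```

Two things a reader should take from this: the standard fixes a character set and a structure, not a length, and the part after the second colon is entirely up to the method, which is why two apps also need to agree on the method (how that identifier is resolved to keys) before a DID string alone means anything to them.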

That's just for the DID. There are all kinds of other parts, like how a Verifiable Credential should look (https://www.w3.org/TR/vc-data-model/) and a bunch of "protocols" for exchanging credentials that need to be decided upon before this is really useful for the industry. All of these things need to be decided so that one app can talk to another app, just as when I send you my IBAN or SWIFT code, your bank knows what that is.

Blockchain architecture is giving tech people an opportunity to create a solution for identity that would not be owned by Google and Facebook. So far, it looks a lot like before: a bunch of techies bickering about stuff nobody understands. If they stop bickering and work together, we have a chance to own our data. It's unlikely we can take back everything that's already out there, but we have to start where we are and hope for the best.

Addendum: Is data personal?

Data is seldom created as purely individual data. A group photograph is presumably the collective personal data of all the people in it, so if one person shares it, they are sharing everyone's data. If you get a DNA test, you are also exposing information about your relatives' DNA. For an excellent discussion of this issue, check out RadicalXchange's Data Freedom Act.