Identity Security with Data Silos


#1

Hi everyone,

I had a question regarding Sovrin (and SSI in general) that I was hoping the community could help me answer:

Sovrin describes SSI as moving away from businesses maintaining identity data silos and solving security issues from the centralization of PII. The issue I am having with this sentiment is that PII will still be shared with businesses off-chain. Sure, you can specify the PII that the company receives, and its authenticity can be verified on-chain, but won’t they still maintain a centralized database with your PII?

Thanks in advance for your help!


#2

Well, yes and no.

It is true that organizations will always need to know certain things about their customers/users. Credentials and zero knowledge proofs don’t change that. However, the availability of agents that can represent their identity owners digitally changes the equation in interesting ways.

Take, for example, the shipping address that is probably associated with our names in the account info we have with an online retailer. If you know how to contact the bona fide owner of a self-sovereign identity at any time (by looking up their DID and finding the endpoint of their agent), you have the option of asking the identity owner for their address on demand, instead of storing it in your central database. Such an interaction can be automated on both sides: Amazon can ask your agent for your shipping address just before checkout, and your agent can provide an answer without you lifting a finger. What’s interesting about this is that Amazon no longer has to worry about whether your address is accurate, and you no longer have to update your profile with your new shipping address whenever it changes. The information is fetched just in time, and is always guaranteed to be accurate. And Amazon isn’t maintaining it. This means the data isn’t part of a trove that can be hacked if a nefarious actor penetrates the defenses around their big database in the sky, and that an insider threat at Amazon can’t steal it, either.

The same principle applies to storing your name. Instead of notifying 100 organizations that you have a new last name because of a marriage or divorce, they can just ask for your last name whenever they have a legitimate need for it. And the same goes for your phone number, those silly “security question” answers like your mother’s maiden name, your PIN, etc.

In addition, today organizations ask for too much information, just because they don’t know any better or because they are lazy. They may ask for a zip code on a loan application, when all they legitimately need to know is whether you live in a particular state. As Sovrin-style proving becomes well known, these mistakes will become more and more obvious, and there won’t be any excuse for them.

One of the things that can be done with verifiable credentials (or the zkp proof presentations that derive from them) is to associate terms of service: “I’m giving you, eBay, this info so I can buy a gadget on eBay, but you are legally required to delete it as soon as this interaction is complete. And your digital signature on the proof request is proof that you consented to these terms.”

I’m not claiming that the mere possibility of this new approach will cause everybody to change old habits right away, and I’m not claiming that storing PII will ever vanish. But I do think regulatory pressures (e.g., GDPR, HIPAA, etc.) and the technical possibilities I’ve described above will force a gradual shift, such that good-citizen orgs store far less PII than they do today, and such that patterns of data usage of PII will come with far greater accountability.
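The just-in-time attribute fetch and the terms-of-use binding described in the reply above, as an added example that is not part of the original post and is not Sovrin or Aries code. Everything in it is constructed: the DIDs, the agent endpoints, the attribute names, the in-memory DID registry that stands in for the ledger, and the in-memory transport. An HMAC over a canonical JSON encoding stands in for the digital signature (a real agent would verify against the public key published in the requester's DID document); the owner's agent keeps each signed request it answered as its record of the terms the requester accepted, and refuses requests that carry no terms or ask for attributes the owner has not marked shareable. The retailer side keeps nothing after checkout, so a changed address shows up at the next purchase without any profile update.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the ledger: DID -> DID document. Real DID documents
# publish public keys; here each "key" is a shared HMAC secret, an assumption
# that keeps the example runnable on the standard library alone.
DID_REGISTRY = {
    "did:example:alice": {"endpoint": "agent://alice", "key": b"alice-secret"},
    "did:example:retailer": {"endpoint": "agent://retailer", "key": b"retailer-secret"},
}

# Terms a proof request must carry before the owner's agent will answer it.
REQUIRED_TERMS = {"purpose", "retention"}

ENDPOINTS = {}  # constructed transport: endpoint string -> agent object


def canonical(msg: dict) -> bytes:
    """Deterministic encoding so both sides sign/verify the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, msg: dict) -> str:
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


def verify(did: str, msg: dict, tag: str) -> bool:
    """Look the signer up in the registry and check the tag in constant time."""
    doc = DID_REGISTRY.get(did)
    return doc is not None and hmac.compare_digest(sign(doc["key"], msg), tag)


class OwnerAgent:
    """The identity owner's agent: holds attributes and answers proof requests."""

    def __init__(self, did, attributes, shareable):
        self.did = did
        self.attributes = dict(attributes)
        self.shareable = set(shareable)
        self.consent_log = []  # signed requests: evidence of the terms the requester accepted

    def handle(self, request: dict, signature: str) -> dict:
        if not verify(request.get("requester", ""), request, signature):
            return {"error": "bad signature"}
        if not REQUIRED_TERMS <= set(request.get("terms", {})):
            return {"error": "terms of use missing"}
        wanted = set(request.get("attributes", []))
        if not wanted <= self.shareable:
            return {"error": "refused: " + ",".join(sorted(wanted - self.shareable))}
        self.consent_log.append((request, signature))
        response = {"responder": self.did, "nonce": request.get("nonce"),
                    "attributes": {a: self.attributes[a] for a in sorted(wanted)}}
        return {"response": response,
                "signature": sign(DID_REGISTRY[self.did]["key"], response)}


def checkout(retailer_did, customer_did, order_id, attributes=("shipping_address",), terms=None):
    """Retailer side: resolve the customer's agent, ask for exactly what this
    order needs, verify the answer, and return it without persisting it."""
    request = {"requester": retailer_did, "attributes": sorted(attributes),
               "nonce": f"order-{order_id}"}
    if terms is not None:
        request["terms"] = terms
    signature = sign(DID_REGISTRY[retailer_did]["key"], request)
    agent = ENDPOINTS[DID_REGISTRY[customer_did]["endpoint"]]
    reply = agent.handle(request, signature)
    if "error" in reply:
        return None, reply["error"]
    resp = reply["response"]
    if resp.get("nonce") != request["nonce"] or not verify(customer_did, resp, reply["signature"]):
        return None, "bad response"
    return resp["attributes"], None


def demo() -> dict:
    alice = OwnerAgent("did:example:alice",
                       {"shipping_address": "1 Old St", "mothers_maiden_name": "Smith"},
                       shareable={"shipping_address"})
    ENDPOINTS[DID_REGISTRY[alice.did]["endpoint"]] = alice
    terms = {"purpose": "ship order", "retention": "delete after delivery"}
    retailer, customer = "did:example:retailer", "did:example:alice"
    first, _ = checkout(retailer, customer, 1, terms=terms)
    alice.attributes["shipping_address"] = "2 New Ave"  # owner moves; retailer is never notified
    second, _ = checkout(retailer, customer, 2, terms=terms)
    _, no_terms_error = checkout(retailer, customer, 3)  # no terms of use attached
    _, refused_error = checkout(retailer, customer, 4,
                                attributes=("shipping_address", "mothers_maiden_name"), terms=terms)
    return {"first": first, "second": second, "no_terms_error": no_terms_error,
            "refused_error": refused_error, "consents": len(alice.consent_log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The consent log is the interesting artefact: the retailer signed a request that names its purpose and retention promise, and the owner's agent keeps that signed request, so a later dispute over what the retailer agreed to can be settled from the owner's side rather than from the retailer's database.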