What is 'decentralised ID/data'?
In the identity world, new services are appearing that enable individuals to have
a) better visibility of where their personal data is, who they have shared it with, and
b) control over the data, with tools that help them effect their GDPR data rights to data portability, accuracy, deletion, consent/revocation etc.
Some countries already have these services, and these features are not reliant on one delivery model, but can be features provided by centralised, federated and 'decentralised' ID models.
I've been trying to delve beyond the hype for 'decentralised ID/data', and find some of the marketing buzz words in the new world of ID to be not particularly helpful for getting users and corporates to understand it.
Blockchain suffered from marketing hype; it was meant to save the world, and didn't. AI is also going through this phase in the hype cycle. It would be good to avoid the inflicting the same perception problems on decentralised ID, of promise vs reality, by better explaining the benefits that decentralised ID can bring, and some of the new risks.
Promise:
1) Own and control your data
2) Remove the data silos
3) Better privacy
领英推è
4) Better security
Reality:
1) Data ownership - data is shared and created in any relationship, and both parties have rights and obligations over the data. 'Ownership' isn't a great concept for data, which is usually duplicated rather than transferred.
Control is a good thing, but isn't specific to SSI data models - service providers should be giving better control to data subjects to meet their GDPR obligations, regardless of tech used. 'Visibility and control' is perhaps a better term than 'own and control'.
2) Data silos - these will remain in place; organisations that have personal data today will still have it tomorrow.
New ID models mean that organisations need to collect less data, and should be doing that anyway to meet data minimisation principles (but don't). This will take a long time to change. The 'silo' nature of data (lack of interoperability) will also change with open data schemes, but again this will take a long time. Digital wallets for storing personal data are becoming widely available. This needs to avoid creating a new data silo around the individual, by enabling open data standards so that the individual can move data to/from where they want it to go.
3) Better privacy - personal data shouldn't be stored on a blockchain (if used for SSI), but some ID services do this - making data less private, and permanently available. On 'selective disclosure'; the ability to choose what attributes to share enables data minimisation, and should be enabled regardless of underlying data model.
4) Better security - if personal data is stored off-chain (as it should be), then security is the same as a centralised or federated model; with the same challenges of encryption and securing the perimeter. For the user, if data is only stored on device, the security model needs to consider protecting digital wallets that could have someone's life data stored; what happens if the device is stolen whilst unlocked? A better model is to store consent to get the data, and assemble data in real-time from trusted sources, at point of need, with strong authentication. A wallet is then something that stores consent rather than all of the data, and therefore lessens the impact of compromise. Recent moves from Revolut and Apple to better protect apps and data if the phone is stolen should be more widely adopted. Having more of your data on your phone is great for making life more convenient, but this shouldn't be at the expense of compromising on security. And account/data recovery from the cloud also needs to be secure; how is this designed so that it isn't a new data silo?
Centralisation/decentralisation is just a matter of perspective; is the data focus on the organisation, or the data subject?
Decentralised ID makes ID services more customer-centric, which is a good thing - but the risks need to be better understood & mitigated to make sure that new ID services are safe, and deliver on the promises made.
Principal Consultant - Digital Identity: Strategy, Product Development, and Implementation
9 个月Good article Adrian. I completely agree that "ownership" of data is misleading - decentralisation can provide greater agency for the data subject; with greater transparency on them to know the what, why, who and when. Control and choice are subjective - you don't get much of either when filing your taxes. Blockchain when it comes to identity is more useful for Venture Capital than Verifiable Credentials - though at least the idea of storing personal data on chain is largely in the past. As for data storage - we don't stuff all our paperwork in our wallet when we go out. Digital wallets should store the data we need, and link to that which we currently don't - whether that's pointers to other systems or personal data stores is down to implementation based on needs; security and recovery are a must however done.
Chief Product Officer OneID?
9 个月Excellent piece Adrian. Knowledge about me, whether my name, where I live, my likes (or dislikes), my achievements or my business relationships are stored in many places. It is impossible to receive a delivery of goods without the supplier, their logistics partner and delivery company knowing my name, where I live and what I have purchased. In regulated businesses it is a legal requirement to know much more about me. When I consent to enter into a relationship with them I share my data and they are then required to store it and in fact add more information to it. A payment card has my name on but is owned by the issuer and my details are linked to the account they create. If I achieve a qualification, the record of it is linked to me, but not owned by me but the examination board. SSI models are great from an ideological point of view but that’s not how the world works. Wallets are good for carrying things with you that you may need but as you say can easily be lost. Consent in every aspect is the key.
Strategic Advisor & Founder | Innovation and Transformation | Digital, Data, Tech, AI and Talent Leader | Organisational Growth | Data Trust, Ethics GRC Expertise | Data IQ 100 | AI Co-Author |
9 个月Great insights thank you Adrian Field