Who do you think you are?
How the convergence of SSI and AI can give people back control over their identity
Fujitsu / April 20, 2022
Many people, and even companies, are worried about who has access to their digital ID or could even have control over it. Recent and highly-publicized data breaches in private sector companies and government organizations make them nervous. And with good reason. According to Risk Based Security's data breach report published in 2021, "The total number of records compromised in 2020 exceeded 37 billion, a 141% increase compared to 2019".
For organizations trying to manage this data, things are not straightforward. The risks of holding data can even be seen as a liability. Even when data and information are encrypted or anonymized, it may still be possible for third parties to identify users unless well-developed cybersecurity processes are part of the integrated data management systems.
With concerns on both sides, although for different reasons, a new approach to identity management is necessary. Self-Sovereign Identity (SSI) is gaining a lot of traction in this context. It means that the data subject controls who has access and how their data is being used.
Conventional ID often relies on judgment
For comparison, think about how a conventional ID works.
Imagine that you are attending a conference abroad, holding a paper certificate issued by a regional hospital in your home country, proving your immunity to a virus during a pandemic. You show the certificate to gain entry. The guard has to verify the validity of that paper certificate by analyzing its physical properties: It must look and feel genuine and valid, and then the guard can choose to accept it or not based on her judgment.
Two prominent issues pop up here. The first is that the system relies on a judgment or a ruling. How can a security desk operative be expected to know what a valid certificate looks like from any hospital in any country? The same issue would also apply to other document types — a driver's license, for example. The second issue is that the process exposes much more information about you than is needed. When we show a conventional ID to prove our age, we also divulge irrelevant details, such as our address or phone number that we would probably prefer not to share with a random individual on security duty. It directly impacts our sense of trust.
Many digital environments are still not much further ahead here, regardless of certain claims. Scanned paper-based IDs still form the basis of most digital onboarding processes.
Advantages of Distributed Ledger Technology
DLT-based (Distributed Ledger Technology) systems create a transparent record of transactions that can be validated by anyone participating in the network. While there are different approaches for Distributed Identity (DID) solutions — SSI being one — the technology can strengthen the way citizens, governments, and businesses interact by enhancing privacy and trust, reducing risk, and improving the efficiency of operations. It is something that is being implemented, tested, and trialed today.
When you give citizens and entities control of their own "digital wallet" for ID purposes, transaction accounts, financial history, medical records, consent tracking, and academic records, it means people can prove who they are, the assets they own, and their levels of education, for example.
DLT serves mostly as a communication layer between identity issuers and identity verifiers, to enable the exchange of information with security and transparency. Moreover, the decentralized nature of DLT can support horizontal scalability far beyond the limits of competing traditional technologies and architectures. This can enable large interoperable ecosystems to be formed around use-cases involving digital identities: Across businesses, across business-sectors, across communities and countries.
Back at the conference, with a DLT digital certificate, you could provide proof of an immunity certificate. The entry guard could validate it based on its digital properties and cryptographic attributes in a secure and verifiable way, as easy as scanning a QR code with a mobile app. However, the underpinning data itself is not stored on the ledger itself, only the "fingerprint" or "pointer" of the data in many cases.
This approach is not about how the certificate looks and feels or how the observer verifies it. It is about what truly is and claims to be, based on mathematically verifiable evidence. Even though the conference's systems do not directly integrate with the relevant hospital, the guard can securely verify the certificate's validity and allow entry.
How SSI fits in this picture
SSI solutions change things completely. Organizations can grant credentials with specific attributes to a holder. The holder can choose to disclose specific attributes based on the actual context. Any person or organization asking for credentials can cryptographically verify their validity to preserve the holder's privacy (by using ZKP — Zero Knowledge Proof). ZKP is a method that exposes only the relevant data given a particular context, while hiding any other data that has to be kept private or is irrelevant.
SSI is not the only model for managing digital identities but seems to be an excellent option for use in digital services, as individuals or businesses have sole ownership over the ability to control their data. Other identity management solutions require an intermediator to ensure the user is who they say they are. With SSI, identifiers do not need an intermediary.
Due to intrinsic suspicions, human nature, and lack of trust, many people resist handing over complete control over their digital identity to centralized authorities, even health services. Take the case of someone who has had a life-changing accident. Claiming disability allowance in the UK, for example, can take up to three months and involve form filling and visits to government offices at a time when mobility is likely to be severely reduced. It can also result in social stigmatization of people in vulnerable situations. Why should an individual have to go through this? Suppose the claimant felt empowered to allow access to the relevant parts of their data. In that case, their doctor, who has already processed all their health information, can ensure the relevant claim automatically filters from the medical databases into a system that provides them with their benefit allowance.
Enhanced privacy and security with SSI lead to an increase in trust ("trust in an untrusted world") from individuals and a decrease in the risk and liabilities faced by organizations. It is a leap to a more digital world, making SSI an accelerator for digital transformation.
Towards intelligent SSI
The example demonstrates that decentralized systems need to be intelligent enough to know what data exists, what elements support a better decision, and how they can be leveraged to smooth processes to the ID owner’s advantage. It is here where technology convergence and AI come in.
AI tools can enhance user, entity, and stakeholder security. They can take advantage of blockchain and distributed ledger technology to open new avenues for accessing and learning from data without taking ownership or control of that data. It reduces the risk for the organizations involved and the stakeholders who provide the data by controlling governance rules and processes with built-in privacy-related AI functionality.
The validation, security, timestamping, and append-only nature of ledgers mean that stakeholders can expect the data to be much cleaner, more accurate, and traceable. The ethical quality of data will also be higher, and model developers and users can have increased confidence that they are following regulations. However, there can still be bias in the source data itself.
And because multi-dimensional user and entity permissions can be granted and documented—and in some cases, enforced through smart contracts—stakeholders can use this data with less risk of privacy breaches. In addition, because user data can be collected using ZKP, complex analyses requiring specific user data can be performed. The necessary information can be captured and used without accessing or possessing Personally Identifiable Information (PII).
The use of blockchain data and artifacts can also result in higher-quality analyses and outcomes. When data is clean and associated with precise metadata, the validity of the data is increased. Because each item in a data set is more trusted, errors and friction points can be reduced, leading to insights through smaller and aggregated data sets. When clean(er) data is used to train AI models, those models will be more accurate, and the predictions and decisions made by those models will also be improved. Clean-training data can also be useful in validating non-blockchain data for use in AI models.
Back to the data subject's perspective: When you know your privacy is protected beyond any reasonable doubt, you are more open to providing data for a good cause that you would hesitate about in other circumstances. With the proper protection in place, how many more people would allow medical researchers access to their medical records to hunt for cures to diseases?
Pie in the sky?
If you are one of the skeptics, the picture we are painting here is not just "high in the sky."
At Ricex, a DLT-based platform for global commodities trading, Fujitsu has combined blockchain ID control with AI analytics to create an environment where all parties can trust the participants are who and what they claim to be; that the price, quality, and availability of the commodities offered are all as claimed; and that any transaction recorded in the ledger has not been subsequently tampered with to create a false impression. Going forward, the AI component of the platform allows traders to interrogate the ledger to ask, for example, "where is the current best trade for basmati?".
So, the convergence of SSI and AI is real and happening today. Secure and privacy-preserving identities enable people to make data available for AI, that would otherwise be considered too sensitive to share. SSI identities are digital, that means programmable. They also scale well. Based on that, we can envision autonomous devices with their own identities managed by AI: Self-driving cars, for example, with their own identity, passing tolls based on subscriptions, using parking slots, and paying for charging and refueling operations for e-mobility.
As for the near future, Fujitsu envisions enhancing the distributed identity, data privacy, and consent management platform, which would open up all of the benefits described in this article on an as-a-Service basis to any player.
It is timely and necessary, as the very concept of identity is becoming ever more complex. In the context of the metaverse and new entities such as DAOs (Decentralized Autonomous Organizations) with virtual CFOs, what exactly is an ID entity?
To learn more about how Fujitsu’s Distributed Ledger Technology implementations have helped customers develop trusted business ecosystems, check out our Blockchain / DLT webpage.
He started working with DLT and Blockchain technologies in 2016, while at a start-up, with Ethereum and Hyperledger technologies. Shortly after, he was hired as Tech Lead for the “Blockchain Solution Center” of T-Systems (Deutsche Telekom Group). He was responsible for technical & operational aspects of a team that was delivering various projects, for customers in both private and public sector. In December 2019, he joined Fujitsu as Technical Lead for DLT/Blockchain in the “Digital Incubation” unit of the CTO office in Fujitsu CEE.