Feature News Technology

How Sovrin will prevent identity leakages like Equifax

self sovereign identity

The Sovrin Network is the distributed ledger technology (DLT) platform that enables users to keep control over their data. If the self-sovereign identity (SSI) project fulfills its promise when it comes to protecting personal data, it really could change the world. The code that drives Sovrin is open sourced as Hyperledger Indy, which is part of the Linux Foundation.

The hack of consumer credit reporting agency Equifax more than five years ago compromised the personal information of 148 million people. In 10 to 15 years, that sort of breach is unlikely because the honeypot databases held by credit rating agencies should no longer exist. Unless credit rating agencies adapt, SSI is a serious threat to their business. While the hack had no lasting effect on Equifax’s stock price, it’s a matter of time before investors realize the impact of SSI and why it offers consumers better protection going forward.

A credit reference, the SSI way

Currently, Equifax collects data from companies with whom you have a financial relationship. In future, your bank or mortgage company will retain that information only if they have to.

Imagine you’re applying for a car loan, and the loan company wants to know that you pay your mortgage regularly. The three parties involved are the loan company that wants to see the information, the mortgage company that has the information about your payment history and you.

The mortgage company packages the data with Zero-Knowledge encryption which allows only parts of the information to be revealed to selected parties. And you electronically sign it.

The raw data is not handed over to the loan company. Instead, they get a “proof” of the information they want to know. In this case, it might be proof that you’ve not missed a mortgage payment by more than seven days in the last five years. The loan company gets a yes / no answer to that question. They don’t know how much your mortgage is (unless you permitted that), or what the payments were.

Plus, the loan company could connect to the Sovrin network to verify that the data came from the mortgage company. It verifies the mortgage company’s public decentralized identifier (DID). All three parties will have DIDs. The company ones will be public so people can verify them. Your identity will be private. And instead of having just one identity you will have a separate one for each relationship — one for the mortgage company, one for the car loan company, one for your bank, your passport and so on.

If you had just one identity, it might be possible for different companies that hold information to collude and share information about you. So you’ll have a wallet that looks somewhat like a contacts list.

Nathan George, CTO of the Sovrin Foundation, explained to Ledger Insights that the Sovrin Network deals with personal DIDs differently to other SSI solutions. Even though you have separate DIDs for each relationship, if you expose those DIDs to other parties – like the loan company seeing your DID – that’s a problem. “Instead of just having a trust relationship they can now collude and talk about all the information. And that collapses the value of the decentralization of the system,” George explained.

So the question is if you don’t disclose your DID, how can the loan company be sure that it’s you and not someone else’s mortgage that you’re using to prove your credit rating? Much like how the loan company only received proof that you pay your mortgage regularly, the loan company will get proof that it’s you, without access to the DID itself.

All these proofs are cryptographic Zero-Knowledge Proofs.

George is quite passionate about using Zero-Knowledge Proofs for storing data both in databases and on blockchains because if the information is stolen, it isn’t that useful for a hacker. “We have a lot of data that’s cryptographically signed but doesn’t have Zero-Knowledge capability. It basically means that those databases or those blockchains become big honeypots of information that when stolen retains all of its cryptographic verification.”

A look at the network

The Sovrin network went live in September 2017.

So far, the only data stored on the network are the organization DIDs, formats for different kinds of data like a passport or a credit reference, and a link between the organizations and the formats they support. There are also revocation registries which might be used, for example, if you lost your passport and needed a replacement.

That’s not a massive amount of information given that personal identities aren’t on the blockchain. This means scalability, one of the significant public blockchain challenges, is less likely to be an issue.

Sovrin is a public permissioned blockchain, which means the network is publicly available but the hosting of nodes is permissioned. Trusted parties or “stewards” run validator nodes that allow parties to write data to the network. There are numerous big-name stewards including IBM and CISCO; several credit unions including CULedger; two U.S. law firms Perkins Coie and BakerHostetler; telecoms Swisscom and T-Labs, part of Deutsche Telekom; and airline industry IT provider SITA.

Many Sovrin projects are in the works. CULedger, the blockchain consortium for U.S. credit unions went live nine months ago with its digital identity verification system. Evernym is the company which donated the original source code for the Sovrin Network to the Sovrin Foundation. They’re working with Sovrin, IBM, Workday and ATB Financial on Job-Creds, a research project exploring using SSI for employee credentials. Canada’s British Columbia Government is working on the Verifiable Organizations Network (VON) to issue and store data about organizations, which can then be used for registrations, permits and licenses.

Does winner take all?

With all that activity, is an ICO on the cards? The Sovrin Foundation, the non-profit organization tasked with administering the network, has considered issuing a token, but there has been no official announcement. The Sovrin Network positions itself as a “global public utility”.

Who or what might challenge the Sovrin Network? One competitor is the Consensys uPort project on Ethereum.

But a bigger question is will there be one or two networks for everything? For example, Spring Labs is in the early stage of development on a similar credit-referencing project. One could also envision a network for health, passports, KYC, and qualifications. Or these could all exist on Sovrin.

Because the Sovrin Network’s underlying code is part of Hyperledger Indy, it makes it easier for sector-specific identity platforms to use the open source code and create specialist networks. Whether or not that’s desirable is debatable. One network may be more efficient. But regarding getting traction, in business, the advice is usually to focus on one sector. Only time will tell if Sovrin will be THE identity network.

Sovrin Foundation’s CTO Nathan George will give a talk entitled “Public, Permissioned and Still Decentralized” at the Hyperledger Global Forum which takes place in Basel, Switzerland on 12-15 December. Ledger Insights is a media partner, and this code will provide a 20% discount: HGF18LEDGER