Research into Self Sovereign Identity together with Fontys
In March 2020, Novum completed an investigation into the application of Blockchain technology in the context of the SVB. During this research, we were already on the trail of Self Sovereign Identity technology (SSI) as a potentially relevant technology for further research.
Also in the IV strategy of the SVB In the chapter on innovation, attention is paid to SSI. In this respect, SSI could offer an opportunity to give citizens more control over their own data.
In summary, the assignment was to conduct an exploratory study into SSI technology and its applicability within the context of the SVB. Within that research we were specifically looking for answers to the following questions:
- What is Self Sovereign Identity (SSI)?
- Within which processes of the SVB can SSI be applied?
- Is SSI technically usable and stable enough within the context of the SVB?
The Approach and Results
The assignment for conducting the research was assigned to 3 students of the ICT & Business degree program at Fontys University of Applied Sciences. They carried out their assignment by conducting a literature study and interviews with experts in the field of SSI and digital identity.
What is Self Sovereign Identity (SSI)?
Self Sovereign Identity (hereinafter referred to as: SSI) is a collective name for standards and facilities that make it possible for individuals to determine for themselves who receives which (personal) data. The recipient of that data can have certainty about the correctness of the data. SSI is not a single technology but rather a system made up of 7 building blocks:
- Verifiable Credentials (VC): The digital equivalent of a physical piece of information (such as your date of birth) in your passport.
- Digital Wallets: The digital equivalent of the physical wallet for storing a VC on any modern device: smartphone, laptop, etc.
- Issuers, holders & verifiers: The three roles of the 'trust triangle'
- the issuer organization or person issuing the data,
- the holder organization or person who stores data in the digital wallet
- the verifier organization or person verifying data when the data is shown by the holder.
- Digital Agents: Apps and software modules that enable the holder to use the digital wallet to acquire and present VCs, manage connections and securely communicate and exchange VCs with other digital agents.
- Decentralized Identifiers (DID): A new type of digital address used for messaging between digital agents. This message traffic is decentralized, so there is no central authority.
- Blockchain: Blockchain is a distributed, cryptographically protected database that can serve as a source for DIDs and public keys.
- Governance Framework: Business, legal and technical rules for using SSI infrastructure.
Within which processes of the SVB is SSI applicable and of added value?
When the SVB is going to deploy SSI, it must be considered from which role the SVB does that. Issuers, holders or verifiers. Depending on which role the SVB assumes, something can be said about the added value.
SVB as issuer
If the SVB takes on the role of issuer, this means that it issues verifiable credentials to a citizen (holder) so that they can prove a certain claim with the verifiable credential with another party (verifier). Examples of processes within the SVB to which this applies are the TPW-A1 statement. This allows an employee of a company abroad to prove that the employer pays social security contributions in the Netherlands. Now this is done by means of a statement on paper that can be replaced by a digital proof by using SSI.
The advantage of SSI technology compared to a paper document is that the SVB as issuer can make the verifiable credential, in this case the A1 statement, unilaterally invalid/unusable after it has been issued. With paper documents, this is a lot more difficult.
SSI enables new forms of service
During the research it emerged that SSI can make new forms of service possible for citizens that are currently not seen as a core task of the SVB, but could provide added value for citizens. An example of this could be, for example, that the SVB issues a verifiable credential with which a citizen can prove that this AOW is entitled. This claim could be used to get discounts on a museum or public transport within the municipality where someone lives. For example, think of the city pass in Amsterdam. The big advantage is that the municipality and the party that gives the discount have a high degree of certainty that someone is really entitled to AOW without us as the SVB having to open up our AOW administration or share it with these parties.
SVB as holder
The study did not find a situation in which it would be logical for the SVB to assume the role of holder. In almost all cases, the citizen is the holder of a verifiable credential.
SVB as verifier
In almost all schemes that the SVB implements, it can assume the role of verifier (checker of data). This does not mean that SSI is of added value in all schemes. Take the AOW, for example. If you were to base this arrangement on SSI technology, this means that the citizen himself would first have to collect a verifiable credential from the municipality, which can then be used to prove to the SVB that the citizen has reached the state pension age. From a user's perspective, this is many times more cumbersome than the current system, in which the SVB itself checks this data directly at the source (BRP).
Where SSI and the role of verifier is of added value for the SVB, is in regulations where the citizen has to demonstrate/prove something to the SVB without the SVB having or would like to have direct access to the original source systems. Consider, for example, the CSE and asbestos regulations in which a citizen must be able to demonstrate a certain indication for a disease to the SVB. This could possibly also be of added value for the PGB.
Is SSI already usable and stable enough within the context of the SVB?
The short answer to this question is no. The current state of SSI technology is not yet developed enough to be directly usable in the context of the SVB. As indicated in the introduction, SSI consists of 7 different components. Some of these are already quite well developed and standardized such as decentralized identifiers that have a W3c standard. But there are other components that still need to be developed further before the SVB can adopt SSI on a large scale. In particular, the following points should be considered.
- No governance framework, or not yet developed far enough.
What is characteristic of SSI is the trust relationship between three parties: issuer, holder and verifier. These three parties must all use an equal standard of SSI in order to work together. To achieve this, a governance framework is needed in which this standard is developed and managed. In other words, if the SVB is going to issue a verifiable credential that proves that the citizen is entitled to AOW, then it must be compatible with the citizen's wallet in order to be able to store it. And the wallet must again be compatible with the verification system of the verifier (museum, municipality). And all parties must have confidence in the whole.
- Not a widely accepted / commonly used wallet
Another major challenge is that if the SVB wants to issue credentials in the role of issuer or verify as a verifier, the citizen must have an SSI wallet containing these verifiable credentials. At the moment it is not yet the case that many citizens have such a wallet. It is true that the European Commission has indicated that this should come for every European.
One solution to getting started with SSI earlier, before the above challenges are solved, is to take ownership of the entire chain. What is meant by this is that, for example, the SVB develops the system for issuing the verifiable credential (issuer), the wallet (holder) and the system for checking the credential (verifier).
The problem with this is that on a more principled level this goes against the concept of 'self-management', because in this way a system would be developed again in which one party can determine everything. The challenge is therefore to create ownership with different parties about a service for the citizen that can be performed on the basis of SSI, whereby some of these parties will only have the costs and not the benefits.
The research shows that the SVB should not start in the short term with the large-scale deployment and support of SSI technology. It has been shown that SSI technology can in theory be of added value for the SVB and the customers of the SVB in some places.
The advice is therefore to further investigate this technology in the coming period by means of proof of concepts and pilots. The focus should be on actually validating the added value for the customer, governance frameworks, adoption of wallets and organizing ownership overall, together with other parties.
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?