Self-sovereign identity is not enough

https://blockworks.co/news/identity-eu-citizens-privacy-surveillance

A Trojan horse lurks outside the gates of European cyberspace. The recently signed updates to eIDAS — the EU regulation that governs online identification in the EU — threaten the online privacy of everyday citizens and make it possible to conduct state surveillance. 

Web3 identity infrastructures, blockchain and zero-knowledge technology are necessary to fight off this Trojan horse and safeguard people’s privacy.

The horse: Self-sovereign identities 

For privacy advocates wary of the expanding dominance of technology megaliths, eIDAS initially seemed an attractive solution. The legislation promotes Self-Sovereign Identities (SSI), a decentralized technology that gives individuals greater control over their digital identities. Under the SSI model, entities like banks, governments or social media platforms issue digital credentials, such as academic degrees, driving licenses or account log-ins.

Users maintain full control and ownership over these credentials by storing them in private, off-chain wallets. This grants them the agency to elect if and when they share these credentials with various apps and services. Not only are privacy and user control enhanced, but so too are the security and ease of online verification.

SSI represents a striking alternative to the current online identity paradigm, where users do not own their online credentials, log-ins and digital identities. Instead, users must rely on a small pool of centralized providers, such as Meta or Google, to act as intermediaries and enable access to internet services in exchange for their private activity data. 

The absence of user-owned data structures has led to information abuse scandals like that of Cambridge Analytica, and facilitated a culture of corporate surveillance. Targeted ads, which monitor and record our desires and interests, have, for instance, become a defining aspect of the online experience.

eIDAS and the roll-out of SSI will redirect the ownership of certain datasets away from corporations. However, that doesn’t instantly place data back in the hands of users. On the contrary, Article 45 in the eIDAS legislation makes it possible for the EU to monitor the online activities of SSI wallet owners within its jurisdiction.

If enacted, this provision would mean that both the state and Silicon Valley could monitor and analyze the online activities of users.

The hidden Greek army: Article 45

Article 45 and its consequences are difficult to intuit without cyber security expertise.

It mandates that all web browsers distributed in Europe trust the certificate authorities and cryptographic keys selected by EU governments. This is dangerous because a browser accepts any website certificate issued by an authority it trusts, so whoever controls these certificates is able to intercept and monitor internet traffic, making it possible for the EU to track the activity of every SSI wallet on every EU-authorized site.

It is highly unlikely that the ownership of these wallets will remain anonymous, because the EU itself will be distributing credentials such as digital national ID cards. These will likely have traceable numerical codes (DIDs) that can be mapped to wallets and their owners.

As Mozilla, the maker of the Firefox web browser, elegantly puts it:

“[eIDAS] enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.”

Over 500 leading cyber security experts, researchers and NGOs have signed an open letter calling on the EU to amend the article. However, time has run perilously short. As it stands, there is now only one vote standing in the way of eIDAS. Widely considered a formality, this vote will take place in early 2024 during the bill’s formal ratification at the European Parliament.

How to protect Troy: Web3 identity infrastructure  

So, with the horse and its attendant army waiting at the gates, what can we do to protect users from digital state surveillance?

First, we need to scale Web3 identity infrastructures. This encompasses a range of decentralized technologies. Blockchain is needed to bring transparency and security to public-facing identity credentials. Off-chain SSI is needed for the storage of confidential credentials that users may not want to publish on the blockchain.


And, in both on-chain and off-chain environments, zero-knowledge cryptography is critical for privacy. It allows users to prove certain statements are true without revealing any additional information. For instance, you could confirm that you are older than 18 without disclosing your exact date of birth. 

Together, these technologies usher in a new era of privacy and user ownership. They grant users the right to access, manage and delete information about their online activities and preferences as needed. This user-based ownership also marks a fundamental shift in the power dynamic between users and online platforms. If users no longer need to depend on platforms to use or access their identities, it is much harder for those platforms to censor users, or misuse their data. 

The impending rollout of eIDAS and Article 45 proves that decentralization cannot be delivered in a piecemeal fashion. Doing so would leave critical gaps in privacy and security, exposing users to potential surveillance and data misuse. Instead, we need a holistic implementation that encompasses not only the technological framework, but transparent regulation and an unerring emphasis on user empowerment.

SSI alone is not enough to safeguard users. It is effective only when it exists within a robust and fully decentralized ecosystem. Thankfully, advances in decentralized and Web3 identity services are developing in leaps and bounds. While there’s much to be hopeful for, legislative actions such as eIDAS remind us that vigilance and proactive measures remain essential. 

There is no room for complacency in our efforts to safeguard privacy and freedom in the digital world.


