Staying in control with self-sovereign identities
Self-sovereign identities (SSI) are digital identities that are managed in a decentralized manner. This technology allows users to self-manage their digital identities without depending on third-party providers to store and centrally manage the data. Bosch Research is part of the IDunion consortium initiated by the German Federal Ministry of Economics. Policymakers and industry are working together to establish an open digital ecosystem for decentralized identity management so that people, companies and machines can interact safely and reliably in the Internet of Things based on artificial intelligence (AIoT). Already today, companies can use SSI for their corporate identity and master data management.
Challenges for digital identities
In the analog world, anyone who wants to prove or confirm their identity usually pulls out their ID card. When going to the authorities, visiting the bank or checking into a hotel, we can confirm our identity this way. After presentation, the ID card usually goes back into the wallet, which means we retain control over our data. Anyone who moves around on the Internet, whether shopping online, consulting with a bank or in contact with the administration, identifies themselves digitally. This takes place via different procedures such as Postident, video identification or entering our data in online forms. When placing an order online, replying to an e-mail or using social media accounts, users leave behind data that the provider stores and manages. “What sounds convenient, however, can be a security risk, because we are not only presenting our data, but it is being stored,” says Nik Scharmann, Project Director “Economy of Things” at Bosch.
The user does not keep this digital identity in his wallet. In most cases, users have no control over what happens to the data and who can view it. Even those who log into websites or apps with their social media accounts are revealing more about themselves than they might like. With every login, information is stored on what it was used for and when. What applies to private individuals also applies to companies: Data exchange between business partners usually takes place via third-party providers who store the information. A trustworthy and reliable system is needed so that individuals, companies and machines can interact and network digitally and securely. The future solution: Self-sovereign identities.
Maintaining data sovereignty in AIoT with SSI
The aim of the network IDunion is the user-friendly, secure, economical and data-protection-compliant use of identity data. For this purpose, a digital infrastructure is being created that enables the transmission of data and is compatible with other global networks. The infrastructure is characterized by its decentralized structure. The participants of the system can use several providers. “We need to create a digital identity system that does not require centralized databases and is operated in a distributed manner by many participants,” says Nik Scharmann. The Economy of Things team is developing software based on SSI technology as part of the network.
Nik explains the principle of the system in a simplified way: “At the heart of the software is a digital wallet. It’s stored on mobile devices, so the data is always at your fingertips.” Every participant in the ecosystem – human, company, machine – has such an e-wallet in which they can collect their proofs of identity, certificates or other verifiable information about their person, function or service. They thus control the most current identity data at all times. But where does the digital evidence come from? It is issued by authorities, institutions, companies or even individuals – trustworthy issuers of proofs of identity. The third role in this digital ecosystem is played by the verifier, the person who needs or wants to verify the digital identity when interacting with the holder. The bottom line: The holder chooses whether to allow the verifier to access the evidence in his e-wallet each time it is requested. For inspection purposes, because he keeps all the information with him in his digital wallet.
One of the fascinating aspects of SSI technology, says Nik Scharmann, is that it can grow organically, creating interactions that are currently not even being envisioned. Because basically, anyone could issue an identity, access authorization or even a certificate to anyone. For example, “I might give my neighbor a permit to access my garage or certify that he can use my car,” Nik says. The neighbor would then store this evidence in his e-wallet. As long as the garage door or the car are equipped with software and are part of the digital ecosystem, they could act as verifiers in this case, to which the neighbor as holder would allow the retrieval of the digital identities.
Issuer, holder, verifier: The function of digital wallets
Security of SSI through blockchain
A server that is controlled by a third party, as is the case with logins or passport proofs by means of video identification, does not exist with SSI technology. With SSI, all public identifiers of an identity can be stored on a blockchain, which is operated in a decentralized manner by many independent servers, which better protects against tampering by individuals. Identities can be created in any quantity – encrypted and pseudonymized. SSI technology connects people, businesses and machines and breaks down barriers in digital interaction. Instead of having to re-identify themselves for every action – buying a train ticket, driving a rental car, checking into a hotel – users pull out their digital wallet, allow access and master all the stages of their journey without unnecessarily handing over data. SSI allows selective disclosure of identity attributes, i.e. data owners can choose which data they are willing to share under specific circumstances. By leveraging cryptography it can be still be proven, that the selective representation is truly pointing to the right identity.
“The system is able to cross quite a lot of domain boundaries, which the current systems can’t even map,” says Nik Scharmann. The SSI technology also reduces the release of information to a necessary minimum. For example, when renting a vehicle, the insurance policy is usually dependent on the driver being over 26 years of age. Through SSI, renters could prove that they are of the required age by, for example, having the ID office confirm this statement. The actual age, however, would not be known to the car rental company as a verifier. Similarly, a holder could stipulate that the rental company will be told the billing address, but personal information about title, gender, and phone number will not be provided. Thus, SSI also provides protection against discrimination in digital transactions.
Optimal master data management thanks to SSI
SSI is just picking up speed in Germany, driven by the emergence of European data spaces, for example in Gaia-X. Digital identities also figure prominently on the German government’s agenda. The IDunion network started its second project phase on 1 April 2021, which is scheduled for three years. During this period, more than 40 pilot applications of SSI technology will be implemented. Bosch is participating with its Economy of Things team. Industry expert Werner Folkendt and his team are developing an internationally deployable SSI application that is already having a practical benefit for companies: in corporate identity and master data management. Until now, companies have maintained information on products, services, customers or suppliers in their own IT systems and managed the master data of all suppliers (more than 100,000 at Bosch) themselves.
Their own master data must also be maintained in customer portals. In order to achieve a high level of data quality, a great deal of effort is required for data maintenance – which in turn generates high costs. In addition to the master data, there are certificates or other company identity features that companies must present to customers, for example. “With an SSI solution, the master data is based directly on electronic evidence (e.g. excerpt from the commercial register, or bank cards) from accredited issuers and each legal entity can decide which data is automatically accessible to whom and is thus sovereign of its data at all times,” says Werner Folkendt.
Secure and confident: Company identity and master data management with SSI
Company data and certificates are not stored centrally, but are exchanged or retrieved between business partners as needed.
Efficiency in data exchange
Manual verification of data such as supplier certificates is no longer necessary. SSI technology creates a digital infrastructure for automated updating.
Companies can always see who is requesting the data and who has access to it.
Global standards such as W3C as well as open source releases of standard components enable the interaction of different IT systems as well as the participation of every actor.
Master data management with SSI ensures data quality and data sovereignty
Werner and his team are working to develop a corporate agent software equivalent to a digital certificate wallet that represents each legal entity to the outside world. Each legal entity has a DID, a decentralized, self-managed ID number. Behind this are the company identity documents. “A corporate identity card is similar to a digital ID card for companies and is used as a digital business card,” says Werner. If required, it can be presented to business partners together with other electronic IDs such as bank cards or tax numbers.
This is done digitally: The company agent software of the own company sends the data to the agent software of the partner companies. The SSI technology offers secure connection channels for the exchange of data, as they are transmitted encrypted and cryptographically secured. It uses a blockchain for collaboration among participants. Saving the data at third-party providers is no longer necessary. The company agent software also doesn’t store the data of the business partners. But it remembers the exchanged DID, allowing data to be updated and communicated and queried at the touch of a button. As a result, the master data is always up to date. There is no need for regular manual maintenance or inspection. This saves costs and makes it less prone to errors.
Economic benefits equivalent to GDP in 2030 that digital identities could unlock per country in mature economies. Source: MGI study “Digital identification - A key to inclusive growth”; IHS Markit
The effort required by companies for master data management with SSI is low, because they do not necessarily need their own agent software to manage or exchange data and certificates in a decentralized manner. For Bosch’s many legal entities and, where applicable, smaller companies, the Bosch team is developing solutions in which a service provider takes over the operation of the corporate agent software. The principle remains the same: The company still has data sovereignty, only the transfer takes place externally via the secure provider. “What excites me about SSI is the innovation part and the possibility to then develop a business from the innovation,” says Werner Folkendt. In the IDunion network, he appreciates the community of partners and the non-profit nature. In the course of this year, a European cooperative will be established out of the publicly funded IDunion project. “The cooperative will run the data network but will be open to all participants, so it won't form a cartel or exclude anyone,” Werner said.
This is important in order to build up confidence in the project and the technology among industry and politics in order to make the network larger and more efficient through the participation of many companies and also states. The members of IDunion are already developing and testing applications of SSI technology in the fields of education, e-commerce, mobility, e-government, e-health, finance, identity & access management and industry/IoT. An overarching pilot project started in April 2021: contactless hotel check-in. “In the short term, SSI is about cost savings,” says Werner Folkendt. In the longer term, however, the technology offers opportunities for new product business. This requires trust and vision. “But if you start small, set up the necessary infrastructure and have a lot of participants, it will go quickly,” Werner says.
Using digital identity securely: This is where SSI could be used
The electronic proof of identity is currently being tested in a pilot project of the German Federal Government. For this, the check-in process at the hotel for business travelers is represented with the wallet. Bosch is one of four companies to provide the digital employee ID card, which employees can use to identify themselves as business travelers, including the associated billing addresses. Participating hotels serve as verifiers who verify identity at check-in.