28.02.2021

Self Sovereign Identity: the Regulatory Environment

A chat with: Giuseppe Mariani, Chief Operating Officer at Intesa

In this increasingly interconnected world, digital services are bound to increase exponentially over the next few years, along with the companies offering them, and the people using them. The speed and frequency with which we share our personal data with entities in the private and public sector, often without a second thought, is growing as well. We are, consequently, losing control over who has access to information on us. A very topical and sensitive issue. Those in the field of digital innovation and security are now rightfully focusing on it.

The “Self Sovereign Identity” (SSI) digital-identity model may provide a lasting solution to the often spurtive and indiscriminate sharing of our personal information. How might this innovation become incorporated into Italian and European regulations?

We asked Giuseppe Mariani, Chief Operating Officer with Intesa (IBM Group).

What is the current state of the art of Self Sovereign Identity in Italy and in the world?

The innovative potential offered by a widespread use of these options becomes clear when we consider the characteristics of Distributed Ledger Technology as applied to digital identities, and when we look at specific applications of this digital-identity model.
Keep in mind that in today’s high-tech world, people are completely interconnected. They share their personal information at unprecedented speeds. This will likely continue as 5G, IOT, open banking, and other innovations continue to be implemented.
The Self Sovereign Identity model represents an extraordinary opportunity to design innovative modalities for managing our information. This in turn represents savings in terms of time and expense, along with other advantages associated with decentralising and automating certain operational phases.
By the same token, in order for this scenario to take shape in the real world, the environment itself needs to mature in terms of governance, interoperability, scalability, and regulation, thereby creating an organic and stable framework in which to promote DLT and digital identity.

How might SSI be integrated into the Italian and European regulatory framework?

An important starting point that bears mentioning in this context is Regulation no. 910/2014 of the European Parliament and Council regarding electronic identification and fiduciary services for electronic transactions in the internal market (known as “eIDAS”), which dates back to 23 July 2014. That regulation introduced the fundamental principle of electronic identification: it must be available, secure, and reliable throughout the internal market and in the member states. The regulation identifies electronic identification as “the process through which one uses personal identifiers in an electronic format”, with its purpose being to provide a legal framework predicated on “technological neutrality”, whilst at the same time ensuring a standard level of reliability across the European Union.
This has opened the door to some important opportunities to use Self Sovereign Identity models, such as current options to use eIDAS nodes to issue an assertion based on verifiable credentials, and the option to use notified (in Italy, SPID and CID) eIDAS electronic identifiers and qualified certificates (or seals) to issue verifiable credentials.

What is the EU doing to streamline the adoption of SSI?

The EU is basically working on two fronts:
The first is the EU EBSI (European Blockchain Services Infrastructure) working group, which identified four scenarios in which it can be used, one of which is European Self Sovereign Identity. The launch of the European Self Sovereign Identity framework (eSSIF) dates back to 2019, and is set to be implemented between 2021-2022, with the goal of:
– Facilitating cross-border interactions through the use of SSI models;
– Making SSI initiatives developed on a national level inter-operable;
– Constructing an identity layer on EBSI;
– Safeguarding European democratic principles whilst implementing the SSI models.
The second is the eIDAS amended directive. Beginning in July of 2020, the Commission launched a public-comment period on the updated regulations on electronic identification, and fiduciary services for electronic transactions in the internal market (the eIDAS Regulation). The updates aim to improve efficacy, whilst extending the benefits into the private sector, and promoting reliable digital identifies for all Europeans. The ultimate goal is to create a secure and interoperable European digital identity.
Taken together, these initiatives will pave the way for this identity-management model to be implemented.

Is the SSI model GDPR-compliant? Are there any issues?

Since GDPR is focused on the protection of data-subject personal data, those rights definitely align with the Self Sovereign Identity model because it likewise vests individuals/users with total control over their information.
Additionally, both GDPR and SSI aim to ensure the free circulation of personal data within the single market, establishing (“by design”) a specific level of trust and independence for its transactions.
Finally, some of the GDPR’s founding principles, including access control, data portability, and minimisation, are completely in line with the key elements of SSI, further bolstering the positive user-centric viewpoint typical to this identity model.

What are the main advantages of this digital-identity model, and how does it interact with the SPID identity?

SSI is predicated on certain key principles, including control (individuals must be able to control their data, and have the option to update them, or hide them), access (individuals must have access to all data relating to their identity), transparency (systems and algorithms used to administer and manage digital identities must be open and transparent), data portability (information and services on an identity must be transportable and shall not be kept by one third party alone), consent (individuals must consent to the use of their identity), minimisation (information disclosure must be strictly tailored to the need).
The SSI model should not be viewed as an alternative to SPID. The relationship between this identity model compared to the federated ones (as SPID could be in Italy) may lead to interesting synergies that allow for SPID-type fiduciary services to be used to optimise the development of an SSI ecosystem.

What is the timeframe for seeing the first tangible implementations of an SSI model? Are any applications already available?

There are a number of variables to take into account when you are talking about identity management. Both in Italy and in the rest of Europe, regulators have without a doubt homed in on this issue. There are major investments by the national and supra-national authorities planned in the digital sphere. According to the latest report out of the Milan Polytechnic’s Digital Identity Observatory, there are, in fact, a host of SSI and Decentralized ID projects under development in both the public and private sector. In the period running from January 2016 to May 2020 alone, there were about 60 active projects (of which 59 were blockchain-based and one which was not). Of these 60, 37% are focussed on issues of general identity, and 33% on authentication issues. Finance and the public administration are two of the segments we would cite where these projects are being applied.
In terms of the type of design most frequently cited, and which might be deemed at this point to be at an advanced pilot stage, we can name two key areas: disclosing one’s identity to access public services, and disclosing one’s identity and information which is financial in nature (for example, one’s risk profile) with a financial institution.
It is within this second category that CeTIF’s O-KYC project is taking shape, which sees Intesa playing a part as project coordinator and developer.

You might be interested