Abstract
This paper analyses the claim that Self-Sovereign Identity technology (SSI) gives users greater control over their data and identity than established digital identity systems, and studies empirically how users view this claim and its impact on adoption decisions. We argue that the claim is objectively false. SSI does not offer users greater control over their data, though in combination with laws like the GDPR, certain add-on features to SSI might have mildly privacy-/control-enhancing effects. Absent GDPR-like laws, however, SSI threatens to turn into a “disclosure machine” where users are forced to give up more data than they would likely have given up (or been able to give up) with extant identity solutions. SSI attempts to solve political-institutional problems through technology/architecture, but cannot eliminate the power imbalances at the heart of users’ lack of control. Presented with an SSI system, we find that most users do not seem to intuitively conclude that it gives them “control” over their data. A minority does, however, reach this conclusion, and for these people it seems to be an important factor driving adoption decisions.
