Sovrin highlights the risks of commingling data in digital identity guardianship
Sovrin has outlined some of the risks involved at the intersection of Self Sovereign Identity (SSI) and guardianship, highlighting potential areas where issues could arise such as in the commingling of data.
The organization is well known in the digital ID community for its popular MainNet Hyperledger Indy identity ledger.
Guardianship, for the purposes of this whitepaper, is where one party has responsibility for another, for example, a baby or young child in the care of its mother, or a severely disabled person with a carer, incapable of making their own decisions
Though the paper argues that guardianship is “essential for SSI to be inclusive,” as dependents are inherently vulnerable, it argues certain steps may need to be taken to prevent some risks, saying things can “easily get messy” when it comes to guardianship.
It explored how issues around guardianship might manifest in fields as diverse as social work, humanitarian aid, finance, healthcare, law, government, and the Internet of Things (IoT).
Impersonation and commingling of identity data is a key risk outlined.
For example, a guardian may pretend to be the dependent without the dependent’s knowledge to qualify for a discount when making online purchases or when taking out a loan, or for other purposes related to their own benefit.
Potential mitigations suggested for this include having a “clear distinction” in the original Guardianship Arrangement outlining the scope of the guardian’s rights and duties and clearly outlining the limitations.
Other potential mitigations included using a trusted third party for authorization or making it a requirement that it always made clear which party is acting.
Another One of the risks outlined is “recentralization,” where power moves back to a guardian, which contrasts with how SSI is meant to “be inherently decentralized and moves power to the edge to eliminate single points of failure” according to Sovrin.
The paper suggested migrating this risk by outlawing “bulk load” processes, in which entire populations are pushed into guardianship without their consent.
Sovrin argues that there is a possibility that organizations or governments could “try to act as their customers’ or citizens’ guardians instead of as their peers and delegates.”
Another more technical set of challenges outlined by the report are risks at the moment of transition, for example when a change of caregiver is needed, which the paper argued would leave some “digitally stranded.”
Mitigations suggested by the report included the use of “biometrics, QR codes, embedded or supporting technologies, and low technology / no technology solutions to support the SSI user experience” as well as implementing an “SSI architecture with an end-to-end process framework that includes online and offline processes.”
Sovrin regularly publishes on the risks and opportunities within the digital identity space, in January 2022 was pointed out in an ENISA report looking at how different national ID systems have been implemented around the world, and looked at their applicability within the EU.
This post was updated at 9:06am Eastern on June 13, 2023 to clarify that ENISA, not Sovrin, published the report on national ID systems.
Article Topics
data protection | digital identity | guardianship | self-sovereign identity | Sovrin Foundation
Comments