What Just Happened
On June 3, 2021 a significant thing happened for SSI (self-sovereign identity): The European Union announced a plan for an EU-wide digital wallet that would support drivers licenses, tax filings, opening bank accounts, prescriptions, academic achievements, seamless travel experiences and proving one’s age to enter a nightclub, among many other possibilities.*
This is easily the biggest thing to ever happen to SSI, and arguably the biggest thing to ever happen to identity, digital or otherwise.
If you’ve been watching the SSI space during the last five years, the list of use cases that came with the announcement should sound familiar to you. The announcement doesn’t name SSI or VCs (verifiable credentials) specifically, but our industry’s fingerprints were all over it. Some telltale signs:
- Use of the term “wallet” in a platform-agnostic manner: It was clear that the wallet will be user-controlled and vendor-agnostic; it won’t be locked to Apple, Google, Facebook or other tech giants. To accomplish this requires “protocols, not platforms.” Controlling one’s digital ‘stuff’ is the essence of SSI, its starting point; it’s why it’s called ‘self-sovereign’ in the first place.
- The list of use cases: The same ones we’ve been touting SSI is capable of for years. That’s not a coincidence. Certainly, they’ve been watching the space and coveting this list of SSI-unique capabilities amidst all the problems endemic to current digital identity infrastructure.
- Selective disclosure: The unique, privacy-enhancing ability in SSI for a Holder to dynamically reveal only what they want to, and nothing more.
- Online or offline: Another capability SSI and VCs provide uniquely well.
- The timing: This comes right as SSI/VC pilots are proliferating, in industry after industry all over the globe. It was only a matter of time before the government jumped on board in a more serious way.
The most important aspect of this announcement, in my view, was that it is decidedly issue-hold-verify. W3C VCs aren’t mentioned. Neither is SSI. However… Regardless of the technology this wallet ultimately begins with (still TBD), its purpose is to enable EU citizens to carry around digital things that are broadly useful in healthcare, finance, gov’t, academia, travel and even in the nightclub scene. That, my friends, is issue-hold-verify. That is the essence of SSI.
And the specific use cases mentioned are anything but trivial, they are high-trust. It’d be one thing if the EU were adopting issue-hold-verify for lottery tickets. This is not that. This is serious, and it will affect most European citizens just about every day of their lives.
Why This Is So Big For SSI
So why is this particular announcement the biggest ever for SSI? Broad government adoption for important, high-trust use cases.
Everyone in identity knows that the king of the hill in credentials has always been government, from passports to driver’s licenses to birth certificates; no others come close to their importance or impact. So when governments announce that they’ll be adopting the issue-hold-verify model of SSI, it is an adoption victory of the grandest magnitude. The only thing bigger would be adoption by more governments than these 27, and if the global effects of the EU’s GDPR are any indicator, that is inevitable.
A Protocol, Not a Platform
More subtle but just as profound, was the implication of a move away from platforms and toward protocols. There will not be some unique new EU identity; instead, each of the 27 member states must recognize each other’s digital attestations. That’s a protocol, not a platform.
The proposed approach consists of a “Toolbox” of highly interoperable standards and protocols, and notably missing are any references to blockchain or distributed ledgers. This is important because until recently SSI was thought to require blockchain (it doesn’t), but any given blockchain is just another type of platform, fighting for adoption against all the others. The EU Toolbox must be interoperable across all trust domains within the 27 member states, and platforms of any kind inhibit that goal.
The Need for Interop Will Drive Standards
The whole reason the emerging W3C standard for verifiable credentials exists is interoperability. Without the need for interop, everyone could just do their own thing like they do today (one reason we have so many usernames and passwords). The SSI community has for years been working on interop standards, you can’t have SSI without it, and that progress can now benefit this EU effort.
Even if the starting point for the EU wallet is something other than the W3C VC specification that the SSI community now favors, I predict that the increasing need for wallet and credential interoperability will ultimately take things where they need to go: broad, global alignment around standardized protocols, one way or another, like HTTP for identity.
Turning the Tables on Facebook and Google
Included in the article was a direct reference to using the EU wallet for SSO (single sign-on), without mentioning it by name:
“Vestager said people would be able to use their EU digital wallets to access Google or Facebook instead of their ‘platform-specific’ accounts.”
And from their Q&A:
“certain private services” will “be obliged to recognize the European Digital Identity.”
Put those two points together, and it appears that the EU would require Google and Facebook to accept ID presented from this new wallet in place of their own means of authentication. I believe this is stunning if it doesn’t get walked back… the idea that the likes of Google and Facebook being forced by regulators to authenticate users with credentials not issued by Google or Facebook, is precisely the opposite of the SSO business they’ve been trying to build; Google and Facebook want you to use their credentials to log into other places, not the other way around. Talk about turning the tables!
And that is precisely the right approach to be taking. Bravo!
SSI Is Coming, Now Sooner Rather Than Later
After nearly a decade of working on SSI, I’ve concluded that the lynchpin capability underlying the whole concept is one thing: the ability to instantly authenticate data in an ecosystem other than where it was issued. How fitting that SSI will find its first serious foothold in the EU, an ecosystem of ecosystems, each needing to authenticate data from the other.
As those of us in the space have hoped, expected, and predicted, SSI is coming on a broad scale, and now we know where its ascendance will truly begin… in the EU.