O’Neill’s Weapons of Math destruction, Zuboff’s Surveillance Capitalism, and Véliz’ recent Privacy is Power: these may have made it onto your summer reading list. And for good reason: wherever there is new technology, there is also concern for the respect of our European values. Find out how EBSI is leveraging blockchain technology in a privacy-preserving way by working together with those who can benefit and are affected the most, and why we believe that innovation should give people more control over their data – not less.

Our lessons on innovation – the EBSI experience

In the last years, the EBSI project has been applying Self-Sovereign technologies based on W3C’s popular and industry-accepted open standards. We have done so following a use-case/value-oriented approach, and with concern for the protection of people’s privacy.

Our experience has shown that the first risk faced by digital transformation projects is to ignore legitimate concerns of their stakeholders. The increasing concerns for privacy and ethics in the digital realm require the EBSI project to invest time and resources in the careful and detailed understanding of the risks these technologies (may) create to our privacy. The objective of minimizing the risks to our privacy led EBSI to adopt an inclusive and collaborative design approach, based on listening to the voices of as many stakeholders as possible.  In other words, EBSI’s experience confirms that not cutting corners and listening to stakeholders’ concerns early in the process is the best way to maximise the value of Self-Sovereign technologies and ensure that they contribute to a better and more privacy-preserving digital society.

Self-Sovereign Information Sharing: a new mainstream social practice

EBSI aims to facilitate verification of information while keeping us in control of our data and safeguarding our privacy. The EBSI team strongly believes that Self-Sovereign Information Sharing, where citizens stay in control of their information by choosing what and when to disclose it, has the potential to become a new mainstream everyday social practice. Soon, Digital Wallets will not only be very convenient applications for European citizens to easily store our useful documents (e.g. diploma, proof of address, etc) - they also simplify, accelerate, and improve verification processes, either online or in person. For this to be possible, EBSI is designing a privacy-preserving digital ecosystem based on Self-Sovereign principles and technologies:

• Documents need to be expressed and formatted according to standards such as W3C’s Verifiable Credentials so that data not only becomes shareable but also easy to verify.
• Another important element is the use of identifiers which are also under individuals’ control and do not lead to track and tracing risks for people. Unlike classical identifiers issued by government authorities or other identity providers, W3C Decentralised Identifiers (or DIDs) are self-issued and Citizens can create and manage as many DIDs as needed via their Digital Wallets.
• Furthermore, Blockchain is a powerful technology to facilitate secure and distributed access to information about the Issuers of these documents (Universities, Central or Local Authorities, etc.), thus avoiding the creation of new centralised registers which are essentially an intermediary of transactions.

Privacy is a fundamental objective of Self-Sovereign technologies

At EBSI we combine the best of top-down and bottom-up approaches: we work with leading experts from the SSI field and from the public sector from across Europe (top-down) and, to avoid the echo chamber effect/ confirmation bias, we also involve civil society when testing and piloting our work (bottom-up ). Like this, we ensure that EBSI’s specifications will contribute to Europe’s digital society and respect people’s privacy when navigating and sharing information online. The objective of Self-Sovereign technologies is to avoid oversharing and the creation of more “cookies” that monitor us in the background. EBSI’s goal is therefore to promote the creation of a secure and privacy-preserving ecosystem of Self-Sovereign applications and services in Europe that benefit citizens when in their Member State or abroad as well as the public and private sectors. This means that EBSI promotes cross-border information sharing and verification that eliminate digital barriers to the mobility of European citizens when studying, working or moving abroad in a self-sovereign and privacy-preserving way. This will not be the only way that information will be shared online but an additional way.

Avoiding lock-in and providing choice to Citizens is a safeguard to their privacy

As part of our ethos of giving people both choice and control, we at EBSI do not want to undercut or replace the open market. This is why EBSI believes that an open and market-friendly approach to third-party applications is the best way to grow and diversify the self-sovereign ecosystem, instead of developing applications ourselves. By letting users choose on the open market, citizens avoid vendor lock-in. 

EBSI is working with providers of Digital Wallets from different European countries to ensure that Europe’s tech sector can contribute to and benefit from the future SSI ecosystem respecting GDPR. EBSI has put in place a conformance testing service to verify that Digital Wallets follow EBSI specifications and recommendations. A market approach also means that wallets will have a clear incentive to be respectful of privacy guidelines, as citizens will have choice instead of being locked-in into a single Digital Wallet.

Privacy by design is not enough: we must learn by piloting in the real world with real users

The real-life pilots carried out by EBSI in the education domain by more than 18 universities from 15 countries is another example of how we are looking to privacy from an analytical and practical perspective:

• First, EBSI’s specifications were drafted according to GDPR’s privacy-by design principle;
• Second, EBSI carried out a detailed data protection assessment of the Diploma Use-Case;
• Finally, EBSI’s specifications were subject to real-life testing by Universities issuing Diplomas as verifiable education credentials to wallets held by students. These documents were then shared by the students with verifiers from the European education ecosystem and from the private sector.

As a result of these pilots:

• EBSI further improved its profile of W3C’s Decentralised Identifiers (DIDs) to safeguard our privacy. DIDs are created by citizens and the associated crypto keys are only stored on the citizen’s wallet. This approach avoids the creation of EU-wide persistent identifiers which could be used, like website cookies, as tools for track and tracing;
• W3C’s Verifiable Credentials are becoming widely accepted and as their user base grows in Europe and beyond, investing in this standard and  sharing best practices on privacy across initiatives is the more future-proof approach to create a privacy-preserving ecosystem;
• Blockchain technology can be used in a privacy-respecting way. In EBSI, Blockchain is used to ensure that Issuers of Verifiable Credentials can be trusted. On one hand, this means that Digital Wallets hold our data/documents –as opposed to storing them on the blockchain-, but it also means that information about the Issuers can be stored in a fully distributed way without centralisation of information (single point of failure). This also provides auditability benefits.

EBSI learned that more work is required when it comes to revocation of information. For example, verifiers should not be given indiscriminate access to the status (valid, revoked, etc) of our documents. This is the subject of a study EBSI are conducting, the conclusions of which we will share in a future blog post. Protecting Privacy is a matter of strong collaboration

Our experience shows that privacy is a collaborative effort that requires a lot of attention and investment. It is not only about looking into specifications and their alignment with GDPR, but also about the journey of the User. Citizens want privacy, but not at the expense of usability. Privacy must be practical and convenient, even if several iterations may be required to ensure a fully working solution for the citizen.

EBSI enables design for privacy

Want to know more? Here is some further reading: 

• Our blog post on Self Sovereign Information Sharing
• EBSI Explained, our series on Verifiable Credentials as leveraged by EBSI to create a self-sovereign information ecosystem
• Our EBSI Verifiable Credentials Playbook, where you can discover our specifications
• EBSI’s Demo Day, where we piloted with real users to understand the challenges of implementing a verifiable credentials exchange ecosystem