As the world has become more globalized and digitized, the concept of identity has become ever more complex. In its most rudimentary form, identity starts with a name. As societies developed, they added more attributes as a means of establishing trust. Registers of births, deaths, and marriages and official lists of companies formed the earliest official identity databases.  

Now, our identities have gathered other attributes - social security and tax identification numbers, or company registration. Identities also used to provide us with the means of living our day-to-day lives - to cross international borders using a passport, or obtain a driver's license to operate a vehicle. 

The development of these identities and other types of databases also introduced an additional facet. To access a database, someone needs to authenticate that they're allowed to access it. From this requirement, the concept of the access control list (ACL) developed. It assigns individuals or entities with a set of permissions attached to any given file or data. 

As technology has evolved, the ACL model has sustained. Our everyday lives translate into the usernames and passwords that we use to identify ourselves on millions of websites and online services. 

How Online Identity Became the Preserve of Big Tech

One of the most important developments of recent decades has been the discovery and application of public-key cryptography, which provides a means of securing public networks. 

However, for public keys infrastructure (PKI) systems to offer any meaningful security, they have to be linked to an identity. Therefore, trusted third parties known as certificate authorities were established to generate public keys mapped to a user. As PKI became applied to the worldwide web, it enabled an explosion in e-commerce, which prevails to this day. 

This dependence on centralized trusted third parties has continued as tech giants, namely Facebook and Google, have enabled single-sign-on services based on their user's credentials. While this makes for an easier user experience, negating the need to maintain dozens or even hundreds of passwords, it's created a perilous situation for user privacy. Companies have an unprecedented degree of control over our digital identities. We now live with the knowledge that our data is commoditized and sold to the highest bidder. 

Enter the Cypherpunks

The cypherpunk movement evolved out of growing concern over internet centralization and the sacrifice of data privacy. Bitcoin, pioneered by the legendary yet anonymous Satoshi Nakamoto, introduced blockchain to the world. For the first time, it provided a way for individuals to exchange value, trustlessly, and without intermediaries. 

Once the power of blockchain became evident, the idea of self-sovereign identity was born. By putting digital identity held on a blockchain, public key cryptography enables an individual to choose with whom they share their data. Furthermore, it's not owned or controlled by any centralized entity. 

However, while the potential of blockchain is vast, the idea of entities being able to transact with total anonymity, choosing never to disclose their identity under any circumstances, is anathema to the way that modern business systems operate. With a few notable exceptions, governments are united in their commitment to combat financial crime and money laundering. 

Therefore, if blockchain is ever to realize its true potential, there needs to be a self-sovereign identity solution that reclaims user privacy, but not anonymity at any price. 

Solving the Tradeoff 

Early in 2021, a new platform called Concordium will launch its mainnet. It's aimed at enterprise adoption, offering features such as high throughput low transaction fees, designed to be attractive to businesses. However, Concordium's unique selling point is that it claims to solve the impasse between privacy and anonymity. Within its technology stack is an identity layer that allows users to transact without identifying themselves each time while offering an assurance of regulatory compliance. 

To use Concordium, an individual or entity must undergo a standard identity check with an external provider. The provider stores the identity data itself off-chain but uploads a zero-knowledge proof. Once the user creates their account, these proofs demonstrate that the individual has had their identity verified. 

If a legal authority issues an order to identify the individual at any time, then another third party called an anonymity revoker can instruct the identity provider to hand over the relevant ID documentation to the authority. Neither of these third parties can act in isolation to identify any user, offering businesses and individuals an assurance of privacy in their everyday transactions when using the Concordium platform. 

Practical Applications

Although Concordium has yet to launch on mainnet, there are several use cases where this kind of privacy-preserving identity solution would be valuable. For example, envisage a peer-to-peer car sharing marketplace where individuals could rent vehicles from one another. 

The person renting the car could verify via Concordium that the individual holds a legally valid driving license but without the driver having to hand over a copy of their license. However, if it turns out that the driver incurred a speeding ticket or jumped a red light while driving the car, the police could issue an instruction to identify the driver. 

Users can also generate zero-knowledge proofs of particular attributes such as location, age, or even creditworthiness. Currently, individuals and entities have to disclose a vast amount of sensitive financial data if they want to apply for a loan or other lines of credit. Their Concordium ID could contain this kind of data, assuring lenders that a borrower can repay their loan without considering the credit history. 

Similarly, merchants could sell goods and services knowing that they aren't breaking the law, verifying buyer attributes without needing an ID check. 

Nobody ever set out to break the digital identity model. However, the current state of affairs, where anonymity and privacy are pitched as mutually exclusive to the principles of regulatory compliance and legitimacy, simply isn't sustainable. A self-sovereign digital identity solution that finds the middle ground is sorely needed.