The Myth Of Control in Self-Sovereign Identity; January 2022
Before we can understand what `controlling one's identity` could mean, we need to establish what such an `identity` could be that would then be controlled. Within the context of SSI, people have different ideas.
The ineffable `I`. Allen starts by saying that "Identity is a uniquely human concept. It is that ineffable `I` of self-consciousness, something that is understood worldwide by every person living in every culture". Similar understandings are common in legal, humanitarian and other contexts. A related view is taken by eSSIF-Lab, saying that your identity consists of what everyone (including yourself) knows about you; they use the term `partial identity` to refer to all knowledge that a specific party (e.g., you) has about you.
Bitstrings (keys, usernames). In technologically oriented contexts `identity` may refer to single digital bit strings. For example, OpenID 1.0 had URLs as one's identity, and in various blockchain-related contexts public keys are considered identities. Also, usernames (or email addresses) are often referred to as one's identity (which one may use to log into systems, such as webservers).
Passports, credentials and the like. In government or business contexts, `identity` is often understood to be things like passports, driving licenses, social security cards, banking cards and other physical objects that contain attributes of individuals. We can perhaps extend this to digital artifacts that contain attribute sets, as in verifiable credentials, X.509 attribute certificates and the like. I've heard people say that showing or proving one's identity means: presenting such a (digital) document.
Data (attributes). The case can be made that the artifact that bears or envelopes data about a person is not part of that person's identity, but that the identity consists of the data itself (the `payload` within the `envelope`). This is in line with the formal definition by Pfitzmann and Hansen, who define identity as a subset of attribute values of an individual person which sufficiently identifies that person within any set of persons. They define `complete identity` as the union of all identities, and `partial identity` as a subset of a complete identity that represents a person in a specific context or role.
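An added illustration (not from the original article, nor from Pfitzmann and Hansen) of the attribute-based definition above: an attribute subset counts as an identity here when the set of people sharing those values is just that one person. The population, names and attribute values are constructed, and checking against one fixed population is weaker than the definition's "any set of persons".

```python
from itertools import combinations

# Constructed sample population; every name and value here is made up.
POPULATION = {
    "alice": {"birth_year": 1980, "zip": "1011", "gender": "F", "employer": "Acme"},
    "bob":   {"birth_year": 1980, "zip": "1011", "gender": "M", "employer": "Acme"},
    "carol": {"birth_year": 1980, "zip": "1012", "gender": "F", "employer": "Acme"},
    "dave":  {"birth_year": 1975, "zip": "1011", "gender": "M", "employer": "Initech"},
}


def anonymity_set(person, attrs, population):
    """Everyone whose values for `attrs` equal those of `person`."""
    ref = population[person]
    return {name for name, rec in population.items()
            if all(rec[a] == ref[a] for a in attrs)}


def is_identity(person, attrs, population):
    """True if the attribute subset singles `person` out in this population."""
    return anonymity_set(person, attrs, population) == {person}


def minimal_identities(person, population):
    """Identifying attribute subsets that contain no smaller identifying subset."""
    names = sorted(population[person])
    found = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            subset = frozenset(combo)
            # Skip supersets of an identity already found at a smaller size.
            if any(smaller < subset for smaller in found):
                continue
            if is_identity(person, combo, population):
                found.append(subset)
    return found


if __name__ == "__main__":
    for person in POPULATION:
        print(person, [sorted(s) for s in minimal_identities(person, POPULATION)])
```

Whether a subset identifies someone depends on who else is in the set: adding one more person with the same gender and zip code as alice turns her only minimal identity in this sample into a non-identifying partial identity.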
Who controls an identity obviously depends on what you take identity to be. Allen's "ineffable `I`", that `deep self` notion, is hardly something you can actually control. Looking at myself I think that my `I` is more the product of the events I have lived through and survived, than anything I have created myself. Also, I do not see convincing evidence that - in general - it is any different for anyone else.
Controlling a passport (or similar) is limited to using it (storing/showing it), guarding it (against loss or theft), destroying it, or handing it over to someone else who can then control it. The same is true for usernames and cryptographic keys, except that you can also generate/choose them, the equivalent of which you cannot do for passports. Using a username typically requires you to use a server (usually called an Identity Provider) that is not under your control, which is not the case with cryptographic keys or passports.
Controlling (identity) data typically means what e.g. the Good Health Pass Blueprint says: "Individuals SHOULD control their own data: what they share, with whom, when and for what purpose".
What's the big deal?
When I hear people say "I want/need to control my identity" (sometimes even: "my SSI") or something similar, this often seems to imply they think that they get to decide what attributes about them must appear in a credential (passport, certificate), that others (the issuers) will sign that, that they can subsequently use it all over the place, and that verifiers will only use the data if they have consent, and automatically refrain from using that data for any other purpose, or sharing it with others. If all that were the case, they would certainly be `in control`.
To me, that is wishful thinking. It seems to me that gathering information, processing it and expressing one's opinions are capabilities that people naturally have that others cannot control - at best they may influence the use of these capabilities. True, most people are quite susceptible to such influences, and there's lots of knowledge about how to effectively influence others. Nevertheless, recent protests in Myanmar and Hong Kong have shown (and many more similar historical examples exist) that people are also capable of withstanding such `influencers`, even if it means they get imprisoned (or executed). Such examples also show that presenting these capabilities as `rights`, e.g. as in articles 9-10 of the European Convention of Human Rights, is more to remind governments (and others) of the futility of any efforts to control these capabilities than anything else.
How to proceed from here?
I think it is a good idea to realize and recognize that our universe is filled with entities that have these capabilities of ingesting information, processing it, storing it, perhaps also forgetting it, losing it or destroying it, and expressing (communicating) it. Following the eSSIF-Lab terminology, I will call such entities `parties`, typical examples of which are people and organizations.
I also think it is a good idea to consistently realize that every party is autonomous (sovereign over itself) in wielding these capabilities, using its knowledge to make sense of its (sensory and inferential) experiences, to learn (change), and to act - decide and behave - in its own particular, subjective, autonomous, `self-sovereign` and sometimes also peculiar way.
Finally, I think it is helpful to continually and consistently distinguish between these self-sovereign `parties` (and the information- or knowledge-realms associated with each of them), and entities that use this knowledge as they actually do things (`actors`), as explained further in a mental model on Parties, Actors and Actions.
In my view, SSI is all about recognizing the autonomy of parties and their capabilities for acquiring, processing, storing and emitting data, regardless of the form that takes. To me, that's what decentralization is about. It implies that there are limits to what a party can and cannot control, and by inference, what Allen's second principle can and cannot mean.