key: cord-0068126-uxwjdex7
authors: Sedlmeir, Johannes; Smethurst, Reilly; Rieger, Alexander; Fridgen, Gilbert
title: Digital Identities and Verifiable Credentials
date: 2021-10-04
journal: Bus Inf Syst Eng
DOI: 10.1007/s12599-021-00722-y
sha: 8b402105f80497a8999e3d7376e116ad488b5614
doc_id: 68126
cord_uid: uxwjdex7

nan

Public institutions and companies typically employ physical credentials (such as passports, social security cards, and employee badges) to identify individuals. Individuals can choose where to store their physical credentials, and sometimes, they can decide to whom their credentials are disclosed. These familiar privileges inspired a new type of digital credential called a verifiable credential (VC). Similar to physical credentials, individuals can store their verifiable credentials in a so-called digital wallet on their mobile phone, on another edge device, or in the cloud, and they can use verifiable credentials for identification, authentication, and authorization (Sporny et al. 2019) .

Verifiable credentials and digital wallets offer a convenient, secure, and privacy-oriented alternative to current physical and digital identity management systems. A recent example -COVID-19 vaccination certificates -highlights this. The verification of paper-based vaccination certificates is often error-prone and time-consuming, especially when many certificates have to be verified in a short period of time, e.g., at a football match or when boarding a plane. Moreover, to establish a sufficient level of authenticity, paper-based vaccination certificates are typically disclosed with additional personal information and identity documents, such as a physical ID card. This requirement to disclose a considerable amount of personal information raises privacy concerns, it is inconvenient, and it increases the total verification time.

The storage of vaccination-related digital information in a centralized database enables faster and more convenient verification, yet it also raises ethical, security, and privacy concerns. Such databases can facilitate unintended profiling, they are appealing targets for hackers, and they typically limit individuals' control over the processing of their personal data (Rieger et al. 2021) . The European Union thus permits Member States' governments to directly issue EU Digital COVID Certificates to wallets that are controlled by citizens (European Commission 2021b) . Although this development is notable, EU Digital COVID Certificates cannot yet be stored in a standardized wallet alongside a broad array of documents, certificates, and credentials that can be used to prove a subject's identity (Rieger et al. 2021) . Further work remains to be done.

This is precisely what motivates the development of verifiable credentials and standardized digital wallets. In this catchword, we introduce this decentralized, interoperable approach to digital identity management. In particular, we discuss the challenges of today's centralized identity management and investigate current developments regarding verifiable credentials and digital wallets. Finally, we offer suggestions about promising areas of research into decentralized digital identities.

2 Review of the Status Quo

To create a common basis for discussion, it is important to first define the terms digital identity and subject. A digital identity is often defined as a digital reference to a person (Alamillo-Domingo 2020). It is thus something that a subject has and uses in response to requests for digital identification, authentication, or proofs of authorization. A digital identity consists of attributes that can be revoked, deleted, transferred, or exchanged, such as citizenship, institutional affiliations, and proofs of ownership (Lyons et al. 2019; Preukschat and Reed 2021) . Identity attributes are typically connected to a subject via a unique identifier within a system or domain, such as an index in a database or a social security number (Bosworth et al. 2005) .

The subject of a digital identity is often a human, but the subject can also be a legal entity, an animal, or a device, among other things. Hence discussions of digital identities should not place an exclusive emphasis on human subjects (Dietz and Pernul 2020; Fedrecheski et al. 2020; Zwitter et al. 2020) . Subjects can prove their identity attributes using credentials (Clauß and Köhntopp 2001) . A credential can be a password that demonstrates ownership of a particular identifier like an email address, or else a credential can be a verifiable document issued by a third party that specifies identity attributes like a government-issued ID card (Bosworth et al. 2005 ).

In today's web, digital identities are predominantly managed via service-specific user accounts that involve username-password combinations. Everyday complaints concerning the relationship between users and passwordbased authentication methods are numerous. Users struggle, for example, to manage the growing number of passwords (Novakouski 2013) , and they can fall victim to password theft schemes such as phishing, key-logging, viruses, and malware (Herley 2009 ). Furthermore, users cannot seamlessly transfer identity-related information from one of their accounts to another. Users are thus required to repeat tedious registration processes, in which they disclose ID cards, a driver's license, bank account information, and more. Federated identity management aims to mitigate some of these issues via Single Sign-On platforms that transfer identity-related information between services that are connected to the platform (Maler and Reed 2008) .

Corporate digital identity platforms are consequently built upon large centralized silos that store identity data. These silos are a predominant cause of concerns due to security weaknesses, dubious data-sharing and surveillance ethics, and compromised privacy rights (Chaum 1985; Nofer et al. 2017; van der Aalst et al. 2019; Zuboff 2019; Nayar 2012) . In August 2013, a successful hack compromised every one of Yahoo's three billion user accounts (Oath 2017) . Hacks of this nature are not just embarrassing; they are also costly (Cowley 2019; Preukschat and Reed 2021) . In June 2014, Aleksandr Kogan, a researcher from Cambridge University's Psychometrics Centre developed a personality quiz app for Facebook. Approximately 270,000 Facebook users installed the app and -unwittingly, in most cases -granted the app access to their identity data as well as their friends' identity data. The app generated a private database that contained information about 50 million Facebook users. Aleksandr Kogan sold the database to a firm named Cambridge Analytica, who then used the database to construct 30 million psychological profiles about voters (Meyer 2018) . Since the incident did not involve a hack, it is primarily an ethical problem (Aiello 2018 Government-managed digital identity platforms are affected by many of the same ethical and security problems as corporate digital identity platforms (Khera 2018; Ganesh 2018; Nayar 2012; Pahwa 2017). India's national government, for example, created a digital identity platform named Aadhaar, which uses biometric data to reduce fraud and leakage. If biometric data is stolen or compromised, it is difficult to reverse the damage (Pandya 2019). One cannot ask a third party to reset one's fingerprints, for instance, the way that one can request a password reset. Aadhaar's centralized trust model notably failed to prevent an Aadhaar enrolment center's supervisor from issuing an illegal ID for his dog (Jain 2015; Ganesh 2018). Problems also arise when Aadhaar shares citizens' data with various service providers. In 2017, for example, the Kerala State government's pension department copied information from the Aadhaar database and shared 3.5 million citizens' data without the citizens' consent. The citizens' names, addresses, telephone numbers, bank account details, Aadhaar identifier-numbers, and photographs were published to the pension service's website, which is visible to all (Tarafdar and Bose 2019) . A year later, a security expert discovered a similar flaw: a State-owned service provider named Indane copied Aadhaar data and allowed potentially anyone to access information about citizens' names, Aadhaar identifier-numbers, and bank account details (Christopher 2018; Graglia et al. 2018) .

Government-managed digital identity systems nonetheless offer some notable benefits in comparison with physical identity management systems (World Bank 2015; Clark et al. 2019 ). Estonia's and Slovenia's national governments, for example, used digitization to reduce ID-related administration costs. Estonia's national electronic identification document (eID) and X-Road data exchange layer saves an estimated two percent of Gross Domestic Product per year by reducing paper-based, ID-related transaction costs. Slovenia's Ministry of Social Affairs generates savings via a digital platform that can verify identity information across more than 50 databases. Despite its flaws, the Aadhaar system eliminates many fake and duplicate beneficiaries of government programs, which results in significant savings (World Bank 2018b). Private companies in India also benefit from the Aadhaar system. Aadhaar reduced an Indian firm's typical customer onboarding cost from 1500 rupees to 10 rupees (World Bank 2018a).

Concerns about centralized digital identity platformsmanaged either by companies or governments -are not new. In 2005, Microsoft's Chief Identity Architect, Kim Cameron fretted, ''If we do nothing, we will face rapidly proliferating episodes of theft and deception that will cumulatively erode public trust in the Internet''. Researchers began to focus on attribute-based access control systems that enable the authentication of natural persons based on a public key infrastructure (PKI) (Backes et al. 2005; Lioy et al. 2006) . In spite of their technical advantages, these solutions failed to achieve mainstream adoption (Kubach et al. 2020; Novakouski 2013) .

In 2013, Timothy Ruff and Jason Law founded Evernym in response to this ''growing digital identity crisis'' (Andrade-Walz 2019). Evernym's staff later created the international, non-profit Sovrin Foundation and donated code to Linux's Hyperledger Aries and Indy projects. Over the last few years, many similar projects have emerged in response to concerns about centralized platforms. Table 1 summarizes the broad array of identified problems and proposed, decentralized solutions.

Decentralized digital identity projects typically employ verifiable credentials and digital wallets. Their popularization can be traced to a 2017 proposal by Andrew Tobin and Drummond Reed from Evernym and Sovrin. According to the proposal, users of verifiable credentials and digital wallets do not have to purchase and carry specialized security hardware such as NFC smart-cards, encrypted USB wallets, or a Google Titan Security Key. Tobin and Reed's proposal also does away with the need for identity data silos and password-based authentication, and it increases subjects' control over the disclosure and exchange of their data. The scope of Tobin and Reed's proposal is intentionally broader than the FIDO2 Project that focuses on password-free authentication; and since interoperability is crucial to Tobin and Reed's proposal, it is also distinct from domain-specific login apps (Ehrlich et al. 2021; Tobin and Reed 2017) .

In 2019, the World Wide Web Consortium (W3C) issued a formal Recommendation of verifiable credentials. The W3C defined verifiable credentials as digital documents issued with digital signatures. Asymmetric (public/ private key) cryptography protects the digital signatures from corruption. For enhanced privacy, zero-knowledge proofs can additionally be used to reveal only the minimum of information required in an interaction. This feature is called selective disclosure or minimal disclosure (Sporny et al. 2019 ). Some information required by verifiable credentials is meant to be public, such as credential schemas or the revocation status of particular credentials (Tobin 2018) . This public information can be stored on a blockchain like Hyperledger Indy or by a X.509 certificate authority (Chadwick 2020) .

The storage of verifiable credentials in digital wallets is fundamentally different from the storage of individuals' identity information in large, government-managed databases (like India's Aadhaar) or in monetized data silos owned by Big Tech companies (like Alphabet, Amazon, Apple, Facebook, and Microsoft). Many decentralized identity projects also make use of decentralized identifiers (DIDs). DIDs are references to information about a subject's public keys and associated metadata. DIDs enable end-to-end encrypted communication without the need for a third party. DIDs can be permanent and public, which is useful for public institutions. Alternatively, they can be temporary and private, which helps individuals resist third parties' attempts to track their online interactions and correlate their identity information .

Cryptographic key pairs are also stored in digital wallets, together with verifiable credentials. Information derived from verifiable credentials can be released from a digital wallet in response to requests from various service providers, even if an Internet connection is not available (e.g., via Bluetooth or NFC). This requires secure and standardized, bi-lateral communication. The W3C is currently developing a new protocol, named DIDComm, for this purpose ).

Support for verifiable credentials and digital wallets is growing, especially in Europe and North America. There are a few notable examples. Canadian public authorities created the Verifiable Organizations Network (VON); the European Union established the European Self-Sovereign Identity Framework (ESSIF), which utilizes the European Blockchain Service Infrastructure (EBSI); Germany's Federal Chancellery initiated a decentralized digital identity project; and the Linux Foundation established the Trust over IP Stacks.

Canada's Verifiable Organizations Network uses verifiable credentials to issue digital licenses, permits, and registrations to legal entities (Bouma and Robert 2021) . The network's credentials can be stored in wallets that are compatible with Hyperledger Aries. The network is currently supported by the provincial governments of British Columbia and Ontario as well as the federal government of Canada (Jordan 2018) . The European Blockchain Services Infrastructure uses verifiable credentials to issue official documents from public institutions, such as digital diplomas and social security passes (European Commission 2020). Germany's Federal Chancellery initiated a decentralized digital identity project in 2021 that is based on verifiable credentials and Aries-compatible wallets. The Chancellery's project uses verifiable credentials to issue a digital version of Germany's physical eID card plus company travel documents, so that hotels in Germany can implement fast and secure, digital check-in processes without requiring a hardware eID card reader (Federal German Government 2021).

The Trust over IP Foundation seeks to align various decentralized digital identity projects. It issues global compatibility guidelines for Hyperledger Aries and Indy, verifiable credentials, and closely related technologies. Trust over IP was established in May 2020 by the Linux Foundation, following initial efforts from the provincial government of British Columbia, esatus, Evernym, IBM, Kiva, and Mastercard (Dizme et al. 2020) . Trust over IP aims to compose ''the digital trust layer that was missing in the original design of the Internet'' -trust that is required for global, digital identification (Linux Foundation 2020).

As a counterpoint to the support for verifiable credentials and digital wallets, there is resistance from incumbents. A notable case is the W3C Verifiable Claims Task Force, which began work in November 2015. The following year, the Task Force proposed the formation of a W3C Verifiable Claims Working Group, which is able to issue an official Recommendation. (A Task Force is not.) Approval for the formation of a Working Group requires a vote of the W3C's full membership. Many W3C members voted against the Verifiable Claims Working Group, so the proposal almost failed (Reed 2018) . A public email, written by Michael Champion from Microsoft, highlighted the political nature of the dispute. Champion asserted that the W3C's role is to observe industry developments, not to lead. According to him, the proposed Verifiable Claims Working Group could not ''decree a solution that will succeed by force of W3C's authority''. Champion acknowledged the similar arguments raised in public by Chris Wilson from Google and Tantek Ç elik from the Mozilla Corporation (Champion 2016) .

Mozilla reiterated its opposition in August 2020 when it argued that California's Assembly Bill Number 2004, ''Medical test results: verification credentials'', should be rejected, for it ''dictates one particular technical approach'' -the use of W3C verifiable credentials to communicate COVID-19 test results (Riley 2020). The Electronic Frontier Foundation and the American Civil Liberties Union also issued criticism of the bill. California's Governor, Gavin Newsom, vetoed the bill on 25 September 2020. As for Microsoft, they later contributed to industry developments and launched version 1.0 of their Identity Overlay Network (ION) in March 2021. ION uses verifiable credentials and a blockchain-agnostic ''sidetree'' protocol as a PKI.

Self-Sovereign Identity (SSI) is a contested name that is often used to promote various decentralized digital identity projects (Preukschat and Reed 2021; Chadwick 2020; Cheesman 2020; Halpin 2020; Kubach et al. 2020 ). The Sovrin Foundation recently defined SSI as a set of community-sourced ethical principles that pertain to digital identities, privacy rights, and personal information (Sovrin Foundation 2020). SSI's ethical principles typically assert that individuals should not cede a disproportionate amount of control to centralized digital identity providers like Big Tech companies or governments (Allen 2016; Spiekermann and Korunovska 2017) .

Companies like esatus, Evernym, and Trinsic use the name SSI to market decentralized digital identity solutions that involve verifiable credentials, Aries-compatible wallets, and a blockchain-based PKI; but other companies use the same name to market solutions that do not necessarily involve any of these things (Gasteiger 2021; Kubach et al. 2020; Kuperberg 2020) . Table 2 briefly illustrates SSI's ambiguity and lack of commonality.

The European Blockchain Partnership, the European IDunion consortium, the Spanish Alastria Network, and Germany's Federal Chancellery use the name SSI to promote citizens' control over their identity data. Informal, web-based commentaries likewise associate SSI with individuals' data property rights and privacy ethics (Reed and Sabadello 2019; Windley 2020; Preukschat and Reed 2021; Sabadello 2021) . It is worth noting that, within formal contexts, sovereignty is typically discussed in relation to governance and State powers, not individuals' identities or individuals' property rights (Reijers et al. 2018; Foucault 1978) .

SSI is sometimes associated with controversial politics and hyperbole (Graglia et al. 2018 Giannopoulou and Wang 2021; Cheesman 2020) . In the United States, for instance, the political concept of selfsovereignty is embraced by ''sovereign citizens'' -individuals that refuse to acknowledge any government authority whatsoever (MacNab 2012; Ruff 2018; Haas 2016) . Hence the following statement issued by Kim Cameron from Microsoft: ''Self-Sovereign Identity makes me think of hillbillies on a survivalist kick'' (Cameron 2018) . The online Sovereign Individual movement also has an affinity with SSI. The movement significantly contributes to demand for decentralized digital identity solutions (Preukschat and Reed 2021) . To understand what motivates the Sovereign Individual movement, Alex Preukschat and Drummond Reed from Evernym recommended a book called The Sovereign Individual: How to Survive and Thrive During the Collapse of the Welfare State. Preukschat and Reed (2021) describe the book's authors as ''prescient about the [online] decentralization movement'', even though the type of decentralization promoted by The Sovereign Individual is avowedly antidemocratic and ''apocalyptic'' (Davidson and Rees-Mogg 1997; O'Connell 2018) . It is yet to be determined if SSI's association with controversial politics and hyperbole will affect its adoption (Welling 2018; Bouma and Doerk 2020) .

Decentralized digital identity -based on verifiable credentials and standardized digital wallets -is a rapidly evolving topic. Its implications are especially relevant to incumbent services that rely on the collection of personal information and usage data. Decentralized digital identity Table 3 lists potential avenues and exemplary research questions. A first avenue for research is the assessment of worthwhile applications for verifiable credentials and digital wallets. In general, verifiable credentials and digital wallets are appropriate if: (a) the fast, machine-verifiable exchange of identity-related information is desired without the direct interaction of issuers and verifiers, (b) centralized identity management systems present privacy and security concerns, and (c) centralized identity management systems fail to achieve adoption among a diverse array of stakeholders due to a lack of trust or a fear of concentrated market power. The latter topic is strikingly similar to established research about the adoption of blockchain technology (Pedersen et al. 2019) . The application of digital identities should be considered beyond natural persons to also include organizations and smart devices (Fedrecheski et al. 2020) .

Since decentralized digital identity management has the potential to affect business models that collect identity information and usage data, research can assess and investigate the consequences. How will companies that collect usage data adjust to the prospective adoption of decentralized digital identities? Can regulation prevent service providers from requesting more information from users than they require? How will decentralized digital identities affect data-driven platform strategies (De Reuver et al. 2018 ) and personalized advertisements (De Keyzer et al. 2015) ?

Innovation in digital identity management is also important to consider when designing and managing business processes (Klarl et al. 2009; Mendling et al. 2020) . Verifiable credentials and digital wallets can potentially disrupt e-commerce registration and on-boarding processes. An order on an e-commerce website could be completed, for example, by a user who has not previously registered with the website but who does have a digital wallet. The user could scan a single QR code to confirm the disclosure of identity information stored in verifiable credentials, such as their address, their age, or their credit card details. The European IDunion consortium explores these opportunities, with the aim to reduce customer lock-in effects that benefit large platforms like Amazon, Uber, and Airbnb.

A third promising avenue for research is the nexus of verifiable credentials, digital wallets, and blockchain technology. As noted, many decentralized digital identity How can worthwhile applications for decentralized digital identities be classified?

Implications of decentralized digital identities How will decentralized digital identities affect strategies and business models that are driven by user profiles?

How will decentralized digital identities affect the management of business processes?

Decentralized digital identities and blockchain How does the use of blockchain affect decentralized digital identity projects?

How do decentralized digital identity projects influence the development of blockchain technologies?

Regulation of decentralized digital identities How can decentralized digital identity systems balance privacy and transparency requirements?

How will decentralized digital identities affect eGovernment services?

Governance of decentralized digital identity systems How does the governance of decentralized digital identity systems differ from centralized systems? How can governance become aligned across different decentralized digital identity systems?

How can governance frameworks accommodate machine-to-machine interactions?

Design choices for decentralized digital identity systems

How do different design choices affect the capabilities of decentralized digital identity systems?

How do competing design choices affect the adoption of decentralized digital identities?

How does the association with SSI principles affect decentralized digital identity projects?

How do legal frameworks and cultural values affect the adoption of decentralized digital identity systems?

How do decentralized digital identities affect organizational practices? projects use Hyperledger Indy or Ethereum-based blockchains like Hyperledger Besu to register information that needs to be publicly available. While a close association with blockchain may have helped the incubation of decentralized digital identity projects (Mühle et al. 2018) , the long-term effects of this association are less clear. Hence we believe there are opportunities for research regarding the relationship between decentralized digital identity projects and blockchain development communities.

If blockchain is used with care and diligence, decentralized digital identity systems can ensure a high level of privacy. This is especially true if sensitive personal data is exchanged bi-laterally and selectively. A high level of privacy, however, introduces its own set of challenges, especially if privacy complicates the work of law enforcement authorities (Federal Office for Migration and Refugees 2021). Decentralized digital identity systems must therefore balance privacy and transparency requirements, which creates further opportunities for research, especially in the area of eGovernment services . Decentralized digital identity systems might allow citizens to better control the collection and exchange of their personal data by public authorities; but since public authorities in Europe and North America are typically bound by strict laws that regulate their data-processing activities, adding citizen consent as a mandatory second lawful basis may complicate cooperation and communication between authorities in certain cases (Federal Office for Migration and Refugees 2021).

Research to date has addressed the governance of blockchains more than the governance of decentralized digital identity systems. It remains to be seen how the governance of decentralized identity systems differs from today's centralized alternatives, and how governance can be aligned between different systems and across national borders. We expect many similarities but also a few key differences when the governance of decentralized digital identity systems is compared to the governance of blockchain-based systems. Moreover, governance frameworks should incorporate digital identities for machines, since verifiable credentials can be used to identify and authenticate devices that belong to an individual or a business (Fedrecheski et al. 2020) . Verifiable credentials can also be issued to sensors that feed data to smart contracts in order to authenticate the data and prove that the sensors were made by a trusted manufacturer. This may help address the ''oracle problem'' that is familiar to blockchain researchers (Swan 2015) .

The consequences of different design options for decentralized digital identity systems are yet to be properly assessed. Such assessments should not only take into account the perspectives of participating organizations but also those of regulators and users. It is yet to be determined if the adoption incentives are sufficient for wallets that are designed to store only identity-related information. If not, then wallets might need to additionally store central bank digital currencies and/or crypto-assets. Other designspecific examples include different privacy options for verifiable credentials (Hardman 2019) as well as different resolution methods for decentralized identifiers (in combination with their corresponding PKI options) . Interesting research questions emerge from the competing design choices made by different projects. It remains to be seen, for example, if the German Federal Chancellery's use of the Hyperledger Aries/Indy stack can be reconciled with the use of Hyperledger Besu by the European Blockchain Services Infrastructure and the Spanish Alastria Network.

Finally, there are multiple opportunities for socio-technical research into decentralized digital identity systems (Pinch and Bijker 1984; Sahay and Robey 1996; Bryant 2006) . Socio-technical researchers can study, in particular, the effects of legal frameworks, cultural values, and privacy debates on the adoption and use of decentralized digital identity systems (Leidner and Kayworth 2006;  O'Hara 2018; Fry and Renieris 2020); they can examine the different problem diagnoses that decentralized digital identity solutions are expected to address (Williams and Hummelbrunner 2010; Checkland and Poulter 2020) ; and they can explore the crucial relations between the various governance structures and technical designs (Zwitter et al. 2020) . It is also worth examining if a proximity to SSIrelated controversies affects decentralized digital identity projects (Ghent University 2020).

Verifiable credentials and standardized digital wallets offer a convenient, secure, and privacy-oriented alternative to both physical means of identification and centralized digital identity platforms. Governmental support for verifiable credentials and digital wallets is particularly strong in Canada and Germany, yet the future outlook is difficult to predict. To be successful, decentralized digital identity projects need to gain more traction and establish interoperability via a common governance framework (Wagner et al. 2020; Lundy 2019) . What is required is ''guidance within a legal architecture'' (Fry and Renieris 2020) . More specifically, verifiable credentials and blockchain-based PKI must be recognized as compliant with identity-related regulation, such as the European Union's Electronic Identification, Authentication and Trust Services Regulation (Alamillo-Domingo 2020; The Council of the European Union 2014). The legally binding ID_Alastria model (developed in Spain), the German government's support of several Hyperledger Aries/Indy-based projects, and the European Self-Sovereign Identity Framework are significant early steps. The next major steps will perhaps follow the European Commission's recent announcement about European Digital Identity wallets (European Commission 2021a).

Decentralized digital identity management can expect to face continued resistance from incumbents. Some experts expect ''wallet wars'' not just for payments but also for digital identities, similar to the competition between browsers or mobile operating systems (Reed 2020 ). Apple, for example, recently announced their aim to integrate a wallet app that can store a digital driver's license in the next version of their mobile operating system, iOS 15 (Business Insider 2021).

Research can play an important role in the prospective shift towards decentralized digital identities. Research is required to investigate the actual impact of decentralized digital identities on enterprises, individuals, and societies; it can help design suitable solutions; and it can determine if the adoption incentives for recent, decentralized digital identity solutions are superior to those of past, attributebased PKI solutions.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons. org/licenses/by/4.0/.

What data scandal? Facebook's stock notches an all time high, shrugging off user privacy woes

SSI eIDAS legal report: how eIDAS can legally support digital identity and trustworthy DLT-based transactions in the digital single market

The path to self-sovereign identity

Anonymous yet accountable access control

Entities, identities, identifiers and credentials -what does it all mean?

Self-sovereign identity

Thinking informatically: a new understanding of information, communication, and technology. Edwin Mellen, Lewiston Business Insider (2021) Apple is finding more ways to keep you glued to the iPhone with iOS 15

The laws of identity

Let's find a more accurate term than selfsovereign identity

Why I do NOT need DIDs or a DLT for VCs and SSI

Re: Support for verifiable claims

Security without identification: transaction systems to make big brother obsolete

Soft systems methodology

Self-sovereignty for refugees? The contested horizons of digital identity

Security experts say need to secure Aadhaar ecosystem, warn about third party leaks

Identity management and its support of multilateral security

Equifax to pay at least \$650 million in largest-ever data breach settlement

The sovereign individual: how to survive and thrive during the collapse of the welfare state

Is this for me? How consumers respond to personalized advertising on social network sites

The digital platform: a research agenda

Digital twin: empowering enterprises towards a system-of-systems approach

Position statement toward EBSI

Self-sovereign Identity als Grundlage für universell einsetzbare digitale Identitäten

European blockchain service infrastructure

European Commission (2021a) Commission proposes a trusted and secure digital identity for all Europeans

European Commission (2021b) COVID-19: Digital green certificates

New pilot project launched

Federal Office for Migration and Refugees (2021) Digitization of certification processes in the asylum procedure by means of digital identities

Self-sovereign identity for IoT environments: a perspective

Part five: right of death and power over life, the history of sexuality

Challenges and opportunities of blockchain-based platformization of digital identities in the public sector

SSI? what we really need is full data portability

Data and discrimination: Fintech, biometrics and identity in India

Gasteiger D (2021) Building a digital society that inspires! Procivis AG

EBSI social assessment report

Self-sovereign identity

The nail finds a hammer: self-sovereign identity, design principles, and property rights in the developing world

Ryan bundy declares himself an 'idiot' not subject to US courts

Vision: a critique of immunity passports and W3C decentralized identifiers

Categorizing verifiable credentials

So long, and no thanks for the externalities: the rational rejection of security advice by users

Sovereignty, privacy, and ethics in blockchainbased identity management systems

Digital trust: How the OrgBook enables the digital economy

Dissent on Aadhaar: Big data meets big brother

Identity management in business process modelling: a model-driven approach

Selfsovereign and decentralized identity as the future of identity management? In: Open identity summit 2020

Blockchain-based identity management: a survey from the enterprise and ecosystem perspective

A review of culture in information systems research: toward a theory of information technology culture conflict

Linux Foundation (2020) Cross-industry coalition advances digital trust standards

PKI past, present and future

No such thing as decentralised governance

Blockchain and digital identity

The venn of identity: options and issues in federated identity management

FTC probing facebook over data use by Cambridge Analytica

Building a complementary agenda for business process management and digital innovation

The Cambridge Analytica scandal

A survey on essential components of a self-sovereign identity

2012) i sing the body biometric: surveillance and biological citizenship

User-centric identity management: a future vision for IdM

Yahoo provides notice to additional users affected by previously disclosed 2013 data theft

Why Silicon Valley billionaires are prepping for the apocalypse in New Zealand

Privacy: essentially contested, a family resemblance concept

You can't make citizens safer by making them more vulnerable: aadhaar does exactly that

Nuances of Aadhaar: India's digital identity, identification system and ID

A ten-step decision path to determine when to use blockchain technologies

The social construction of facts and artefacts: or how the sociology of science and the sociology of technology might benefit each other

Why the internet is missing an identity layer -and why SSI can finally provide one

Self-sovereign identity: Who will own the wallet of the future?

The DID report 1: The first official W3C DID working group meeting (Japan)

Decentralized identifiers (dids) v1.0: Core architecture, data model, and representations

The privacy challenge in the race for digital vaccination certificates. Med Riley C (2020) By embracing blockchain, a California bill takes the wrong step forward

Seven myths of self-sovereign identity

Organizational context, social interpretation, and the implementation and consequences of geographic information systems

Decentralization: an incomplete ambition

Sovrin Foundation (2020) The principles of SSI

Self-sovereign identity: proving power over legal entities

Towards a value theory for personal data

Verifiable credentials data model 1.0: Expressing verifiable information on the web

Blockchain: Blueprint for a new Economy

Systems theoretic process analysis of information security: the case of Aadhaar

Regulation (EU) no 910/2014 of the European Parliament and of the Council of 23 july 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

Sovrin: What goes on the ledger?

The inevitable rise of self-sovereign identity: a white paper from the Sovrin foundation

Big digital platforms: growth, impact, and challenges

Decentralised identity: What's at stake?

Digital identity: a misunderstood building block of our society

Soft systems methodology

Identification for development: cross-practice initiative

Private-Sector-Economic-Impacts-from-Identification-Systems.pdf

Public-Sector-Savings-and-Revenue-from-Identification-Systems-Opportunities-and-Constraints.pdf

E (2020) Digital identity and the blockchain: Universal identity management and the concept of the self-sovereign individual

Acknowledgements We thank Jasmin Huber for compiling an identity management bibliography; we thank Alexandre Amard, Tamara Roth, and our anonymous reviewer for their valuable feedback; and we gratefully acknowledge the Luxembourg National Research Fund (FNR) and PayPal for their support of the PEARL project ''P17/IS/13342933/PayPal-FNR/Chair in DFS/Gilbert Fridgen''.