Skip to content Skip to footer

Bootstrapping Self-Sovereign Identity

I firmly believe that Self-Sovereign Identity is the future – that is to say: if and only if we can get it off the ground, by pulling at our boots.1The picture comes from the fairytale of the Baron Münchausen – even if Wikipedia tells me that in the original story by  Rudolf Erich Raspe the Baron pulls himself (and his horse) out of a swamp by his hair (specifically, his pigtail), not by his bootstraps. And that is a big challenge!


Self-Sovereign Identity is a utopian alternative to the current way to deal with personal data making up digital identities, first proposed and coined by Christopher Allen.2Christopher Allen,The Path to Self-Sovereign Identity. Life With Alacrity, 25 April 2016,   Allen introduces ten principles, that can be read as requirements for this utopian alternative. The good news is that we now (seem to) have the technologies available to implement self-sovereign identity, involving things like zero-knowledge proofs, peer-to-peer exchange of information, apps, cloud applications, asymmetric cryptography, attestations, and a verifiable data registry. The technology is very complicated to understand, even at a functional level. Moreover, it is not fully developed yet, there is not yet a common standard, a common understanding, and some crucial issues are not yet solved in a final way. Among those is the important question of governance, that can be seen as the top level of the so-called SSI stack.3Alex Preukschat & Drummond Reed, Self-Sovereign Identity, Decentralized Digital identity and Verifiable Credentials, Manning Publications 2020, p. 95.

However, technology is not all there is. Peter Olsthoorn in his recent PhD-thesis points out that if we want to change the way personal data is used and exchanged, in addition to technology, we need to look at markets and law.4Peter Olsthoorn, Baas over eigen data: Zelfbeschikking in bescherming van persoonsgegevens, PhD thesis, Vrije Universiteit Amsterdam, 23 september 2021 It is the interplay between these three fields that determines if, in the future, we can give individuals (like: data-subjects, citizens, consumers, employees, you and me) true control over their personal data – as described by the traditional ideal of informational privacy.5Alan Westin, Privacy and Freedom. New York, Atheneum, 1967.


Now, business models are built around the exchange of personal data. Many services on the internet are “free”, where we “pay” with our personal data, namely the data of how we use these services.6Thibault Schrepel, Why you are not paying with your data, Concurrentialiste, Journal of Antitrust Law, 10 december 2019, These data are auctioned off in Real Time Bidding mechanisms, that determine which adds we see. Search algorithms, social media and recommendation systems decide the information we have access to, thereby to some extent possibly undermining our autonomy and free will. Changing the mechanisms of supply and demand of personal data means that new business models need to be invented. And of course, the big tech that profits from the currents business models will resist any change that challenges their current positions of power.

Apart from that, there is the chicken egg story, the network effect: you already need many participants to convince new participants. So how do you get these first participants? How do you get your plan off the ground? In the past there have been a number of project and initiatives, that suffered from and failed because of this problem.7Peter Olsthoorn, Baas over eigen data: Zelfbeschikking in bescherming van persoonsgegevens, PhD thesis, Vrije Universiteit Amsterdam, 23 september 2021, pp. 197-267.


Obviously there is regulation in place governing the use of personal data, the well-known General Data Protection Regulation. Even if many of the current business models involving the exchange of personal data can be argued to violate the GDPR, so far not much has happened to change them.8Information Commissioner’s Office, Update Report Into Adtech And Real Time Bidding (2019), at   Compliance with and enforcement of the GDPR are notoriously difficult. Even if data subjects have a number of explicit rights, there are high barriers for them to really enforce these rights and challenge the current harmful practices.9The Privacy Collective, Oracle and Salesforce taken to court in the Netherlands over GDPR infringement

Even if SSI can be seen as implementing the very ideals of data protection regulation, it is not yet clear how the rules of the GDPR would apply to SSI. One of the challenging questions is who would qualify as the controller.10Andrés Chomczyk Penedo, “Self-sovereign identity systems and European data protection regulations: an analysis of roles and responsibilities.” Open Identity Summit 2021. Online available at Another unsolved issue is whether or not an anonymous public key (serving as an address) qualifies as personal data.

Maybe law can solve the problem of the network effect: if there is regulation in place mandating SSI in some contexts, and if government agencies themselves use and support SSI in their dealings with citizens’ personal data, that may change the game.

Let’s do this

So things are happening, work is being done, experiments are carried out. At a European level, there is the eSSIF-Lab,11 and the proposal of a framework for a European Digital Identity which will be available to all EU citizens, residents, and businesses in the EU.12Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (SEC(2021) 228 final) – (SWD(2021) 124 final) – (SWD(2021) 125 final). See also Here in the Netherlands, work is being done on the development of a shared vision on Self-Sovereign Identity,13Tim Speelman, Visiedocument Dutch Self-Sovereignty Identity Framework, that may be used as a basis for technical solutions, ideas for business-models and regulatory initiatives.

We need to work on this, and we need to work on this together, with all the different disciplines (tech, economy and law, possibly more?) involved. We need lawyers who understand the technology, and who see why the current way of exchange of personal data needs to be changed. ALTI takes up this challenge, both in research and in teaching. Let’s do this!

Leave a comment

Subscribe to our newsletter

Amsterdam Law & Technology Institute
VU Faculty of Law
De Boelelaan 1077 Amsterdam