A Systematic Review and Layered Framework for Privacy-by-Design in Self-Sovereign Identity Systems

TL;DR

This paper reviews Self-Sovereign Identity systems, proposing a four-layer privacy framework and a design dashboard to help navigate complex privacy design choices in SSI architectures.

Contribution

It introduces a novel four-layer privacy framework for SSI systems and a Design Assistance Dashboard to aid privacy-aware design decisions.

Findings

Mapped SSI components to privacy layers and requirements

Developed a privacy class for SSI components

Provided a tool to visualize component interdependencies

Abstract

The use of Self-Sovereign Identity (SSI) systems for digital identity management is gaining traction and interest. Countries such as Bhutan have already implemented an SSI infrastructure to manage the identity of their citizens. The EU, thanks to the revised eIDAS regulation, is opening the door for SSI vendors to develop SSI systems for the planned EU digital identity wallet. These developments, which fall within the sovereign domain, raise questions about individual privacy. The design of SSI systems is complex, often characterized by a large number of components and architectural choices because the current SSI communities differ on how to create identifiers, how to build and present credentials, and even how to design a user wallet. SSI stacks developed by different organizations provide different privacy features for different privacy needs. This paper performs a systematic mapping and review of SSI components and technologies into a novel four-layer privacy framework to address the design complexity of SSI systems. Based on this review, we provide an accompanying Design Assistance Dashboard (DAD). The DAD shows the interdependencies between SSI components in different layers, and maps these components to different privacy requirements and considerations, even providing a simple privacy class for each component.