Trusted Trips, Privacy, Zero Trust, and the ITN
How Can You Have a Private Yet Trusted Location under Zero Trust?
In our last couple of blogs (here and here), we utilized the example of a surveillance camera to demonstrate how the use of a Self-Sovereign Digital Twin™ (SSDT™) — a device’s globally unique, verifiable digital wallet — can solve many trust issues in the Internet of Things (IoT) ecosystem. But sometimes these IoT devices can be mobile, and either the instantaneous location or the historical trajectory using the time series of locations can be important for certain use cases. However, as the reader might imagine, the time-stamped record of a thing or person’s location may be considered private for whatever legal, business, or personal reason.
Below we will describe how the Integrated Trust Network (ITN), with its SSDT™ and DID (Decentralized Identifier) constructs, enables the decentralized management of a blockchain-backed identity, and how it can preserve privacy for immutable trusted locations and trusted trip trajectories. But first, let us establish our foundation:
What Do We Mean By Privacy?
In the United States, California’s CPRA (Consumer Privacy Rights Act), the update to CCPA (California Consumer Privacy Act), is currently the most stringent data privacy regulation and defines the data covered as, “any information that identifies, relates to, or could reasonably be linked with you or your household.” One could interpret this as any data specific to an individual and considered personal information, such as the date and time a person is at a specific location. Such data could have significant personal and/or business impacts if shared with the wrong entity.
The General Data Protection Regulation (GDPR) uses the same definition and establishes the same legal data protection framework for the member states of the European Union as CPRA does for California. The ITN is basing its definition of private data, and the handling of such data, on these two legal frameworks.
What Is a Zero-Trust Framework?
A zero-trust framework is a structure that requires all users of a network to be authenticated, authorized, and continuously validated for identity attributes and appropriate privileges before being granted access, and at any time during the access session while conducting transactions.
In the US, the Biden administration issued an Executive Order mandating federal agencies to incorporate zero trust principles and adhere to NIST (National Institute of Standards and Technology) 800-207 compliance for implementation. Since zero trust implies continuous verification, techniques that allow frictionless identity protection prove to be quite valuable.
What Is a “Trusted Trip” and How Might It Be Beneficial?
Some mobility trips involve usage-based transactions (toll roads, usage-based insurance, multimodal journeys) that need to include validated and trusted location data to determine the behavior of riders accessing those types of services.
MOBI, one of the founders of ITN, defines a “trusted trip” as one “whose attributes are certified by ecosystem stakeholders in a federated network.” That means that position and time fixes are trusted by multiple parties who use such data to charge and pay for usage of a particular road, vehicle, or mode of fee-based transportation (e.g., bus, train, or rental bicycle). A trusted location can default to be just one of the many time/position fixes established during a trusted trip.
How Does ITN Achieve Privacy in Such a Zero-Trust Framework?
ITN enables decentralized identity through W3C-compliant DIDs (a specific, universal form of a digital identifier). DIDs are unique identifiers that are linked to public cryptographic keys which are used to prove control over a DID. When these keys are stored on a blockchain, we end up with a distributed ledger of keys. This means there is no single point of failure in managing these keys or ensuring their authenticity, as there could be when using a centralized Certificate Authority (like ordinary PKI).
This is one thing that enables the use of a self-sovereign digital identity, or what MOBI calls an SSDT™. This is essentially a digital wallet that, like the leather one in your purse or pocket, carries different verifiable credentials, enabling you as the holder to access assorted services relative to those separate credentials. The SSDT™ holder and/or owner secures its private key and has the power to decide which other party gets access to the credentials relevant to the requested service. In short, SSDTs™ on the ITN give users unprecedented control over their own privacy.
Recall that in a zero-trust framework, not only do you need verification of identity and credentials for access to a system, but it also needs to happen continuously, not just at the start of the session. The ITN, with its distributed ledger of public keys, significantly lowers the probability that keys will become compromised, and its low-friction access to that immutable ledger of keys is a compelling solution to the demands of zero-trust frameworks.
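To make the per-request verification described above concrete, here is an added example (not ITN or MOBI code) in which a verifier challenges a DID holder on every request and checks the signature against the public key registered for that DID. The in-memory `Registry` standing in for the ledger, the choice of Ed25519, the `did:example` identifier, and the location payload are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is a constructed in-memory stand-in for the ledger: DID -> public key.
type Registry map[string]ed25519.PublicKey
// Verifier (hypothetical) remembers which single-use nonce it issued to which DID.
type Verifier struct {
	reg     Registry
	pending map[string]string
}

// NewHolder generates the key pair a device wallet would keep private.
func NewHolder() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Challenge issues a fresh nonce for one request, not one per session.
func (v *Verifier) Challenge(did string) string {
	b := make([]byte, 16)
	rand.Read(b)
	v.pending[fmt.Sprintf("%x", b)] = did
	return fmt.Sprintf("%x", b)
}

// Sign is the holder side: the signature binds the nonce to the data presented.
func Sign(priv ed25519.PrivateKey, nonce, data string) []byte {
	return ed25519.Sign(priv, []byte(nonce+"|"+data))
}

// Verify accepts only an unused nonce issued to this DID, signed by its registered key.
func (v *Verifier) Verify(did, nonce, data string, sig []byte) bool {
	issuedTo, ok := v.pending[nonce]
	delete(v.pending, nonce) // single use: a replayed proof fails
	pub := v.reg[did]        // nil when the DID is not registered
	return ok && issuedTo == did && pub != nil && ed25519.Verify(pub, []byte(nonce+"|"+data), sig)
}

func main() {
	pub, priv := NewHolder()
	did, fix := "did:example:vehicle-123", `{"lat":34.05,"lon":-118.24}` // constructed values
	v := &Verifier{reg: Registry{did: pub}, pending: map[string]string{}}
	n := v.Challenge(did)
	fmt.Println(v.Verify(did, n, fix, Sign(priv, n, fix)))
}
```

Because each nonce is consumed on first use, a captured proof cannot be replayed later in the session, which is what separates continuous verification from a one-time login.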
What Impacts Might Come From Using ITN in Such a Use Case?
Self-sovereign identity has always been important in society to sustain individual privacy. As more social interaction and financial transactions take place through digital means, the widespread adoption of standardized SSDTs™ will enable private transactions across many different value chains worldwide. This matters because it allows personally identifiable information to remain private, under the credential holder’s control, and ensures that future-proof digital transaction networks can be designed to comply with emerging privacy regulations across regions. Potential use case categories include battery passport, supply chain tracking, road usage charges, vehicle parking, traffic congestion management, carbon tracing, and usage-based insurance.
How Can I Learn More About ITN?
ITN is currently coordinated through the membership of three industry consortia: MOBI (mobility), MEF (telecom), and AAIS (property & casualty insurance). Together we have created a community of like-minded companies that set out to pioneer a cross-industry Web3 infrastructure for trusted, self-sovereign identity using W3C-compliant DIDs and a federated certificate authority as a global trust anchor for eCommerce and business automation. Please follow us on social media to learn more and consider joining us in creating the self-sovereign digital identity future!