Within digital identification circles, self-sovereign identity has become a trend. This new paradigm puts the user first and gives them more control over their personal information.
Identity data and third-party credentials can now be stored, shared, and authenticated in a secure and privacy-preserving manner thanks to tech innovations. Unfortunately, some identification models split users' identities throughout the Internet, resulting in inefficient data silos and a cluttered user experience.
That’s why the Cybernews team invited Jose San Juan, the CSO of GATACA, a self-sovereign identity technology company, to discuss how the technology has connected, educated, and empowered users to take control of their data, the future of blockchain, and the issues that come along with it.
How did GATACA originate? What has the journey been like?
GATACA was born at MIT in 2017 as an academic research project with the aim of reducing the risk of doing business online. The fundamental hypothesis of the research led by Irene Hernández, CEO of GATACA, pointed to Internet authentication architectures as a root cause of security cyber attacks aimed at identity fraud.
Once it was realized that decentralized architectures could solve this challenge, the research project was transformed into a self-sovereign identity (SSI) technology startup venture. Before I joined GATACA, the concept of SSI was completely foreign and seemed quite impossible. Yet, as soon as I joined the team and began designing the foundation of a decentralized identity system and how it could benefit every party in the ecosystem, I realized the immense potential this technology had to disrupt the world, for the better. This is when the real work started, as our team faced a non-existent market with no standards or regulations. We have come a long way in this challenging yet promising journey to become one of the most advanced SSI providers globally. Our technology has been able to build a complete SSI technology stack: users are powered with a digital ID wallet (GATACA Wallet) so they can have password-less, hyper-secure, and privacy-preserving access to digital services, while issuers and service providers leverage credential issuance and single-sign-on authentication tools. Today we face an emerging market made up of regulators, standardization bodies, and competitors all working towards the solidification of this technology.
Can you tell us a little bit about what you do? What is self-sovereign identity?
Self-sovereign identity is a new authentication paradigm that promises to give users back control over their data. It consists of enabling the end-user to be the holder of all the attributes that make up his digital identity: email, phone, date of birth, address, etc. These take the form of verifiable credentials, which are digitized, cryptographically signed versions of a user’s original identity documents. In centralized models, users give up their data every time they sign up for a service. In decentralized sovereign models, users choose which data to share, and who to share it with, and hold the power to revoke access to it at any time. This causes a radical inversion from a world in which a user has a siloed and dispersed digital identity in each of the services he uses to one in which he holds one single, globally recognized identity enabling access to all services worldwide. I am convinced that this is the simplest and the correct way for the world to work, and we should see this in the next 10 years. SSI applications weren’t possible in the past until two major technological breakthroughs: powerful mobile devices, with secure storage and biometric capabilities for the secure storing of the credentials, and blockchain technologies to enable the decentralization of trust for different entities. As CSO, I’m responsible for defining security requirements and designing our products to ensure that all users and clients are safe while using our platform. Our principles of privacy, security and user experience are always top-of-mind.
Since digital identity is a relatively new technology, people still tend to have some misconceptions and myths regarding it. Which ones do you notice most often?
I guess people have built their conceptions of digital identity from their past experiences. That causes different perceptions: most people don’t understand the difference, and, more importantly, the link between the digital and the real persona. As a result, they don’t understand why they need to be identified on some digital services, and why they need to have a profile. Other people instead approach this by hiding behind multiple anonymous, usually fake, profiles. I think the only common ground is that all of them get the feeling that they are being profiled, not knowing exactly how it is being done, and have no control over their privacy.
How do you think the recent global events affected your field of work? Were there any new features added to your platform?
I think any company working even remotely in anything linked to cybersecurity must double the caution in the current geopolitical context. Cyber attacks and threats are multiplying, as are the technical and security requirements from any company that might be interested in GATACA’s products. Our team is constantly adapting and working to support new standards and cryptographic suites to be up-to-date with the state of the art. For example, in the European Union, the new eIDAS regulation for digital identity is expected to be released this year and we are already working to ensure compatibility. Additionally, from the customer’s side, we’ve experienced an increase in requests for a SaaS version of our tech stack. This is why GATACA is currently in the process of launching a SaaS product with increased functionality and flexibility while maintaining our government-grade security and privacy principles. Our goal is to provide a secured environment to reduce the efforts for protection on the client-side.
In your opinion, what security issues can arise in the near future as digital identity becomes a significant part of our lives?
In a world where more and more services will be digitally accessible, I think that identity fraud will become an even greater threat than it is now because users will have more aspects of their lives digitally exposed. Since companies deal with these issues daily, they tend to be more aware of the identity fraud threat than the regular user. As a result, the user becomes the weakest link in the system, which triggers massive social engineering attacks targeting the end-users. These are attacks that, even with a very small success rate and fooling only the least experienced users, could cause enough damage. From my point of view, any technology that helps reduce identity fraud will be highly requested soon, and all of us who are building products around it must keep it a major priority.
What actions can average individuals take to protect their identity online?
My best recommendation would be to learn and understand how identity works. I find there are lots of security recommendations that, if perceived incorrectly, actually make the situation worse. For instance, password rotation policies tend to cause users to make a more predictable password pattern or to store the password somewhere insecure. But thinking of processes like banking authentication factors (passwords, PINs, SMS or in-app OTPs, biometry, coordinate cards), when the user doesn’t understand why (or when) he needs to perform an authentication step, he tends just to blindly provide the information requested of him, trusting the application (while probably wishing to himself: “please, work”). This is exploited by social engineering attacks. The user doesn’t make the distinction and may provide his authentication credentials easily.
What predictions do you have for the future of blockchain technology?
I have always been quite skeptical of blockchain technology, maybe a bit too much for someone building a solution over it. I must admit that blockchain technology has become more than a future dream for decentralization enthusiasts, it’s the present and protagonist of the world we live in, and I don’t see its fame shrinking anytime soon. But while it has been too often used to create hype or speculation in the past, now is when its true utility will be witnessed as new use cases emerge. The most useful and disruptive blockchain use cases, such as SSI and decentralized finance, give users autonomy, flexibility, and access to new opportunities in the social and financial realm, and provide tangible solutions that couldn’t be implemented in the same conditions without a blockchain. I see governments.
What other aspects of our daily lives do you hope to see enhanced by innovations in technology in the next few years?
The presence of technology in our daily lives has grown incredibly in the last few years. In the past, most advances focused on unlocking the immense possibilities of the entertainment sector. Since the pandemic, the utility of technology and its capacity to unlock value in other sectors has risen. Teleworking has been tested as a suitable reality in lots of sectors, e-government services have been made more widely available, and remote education has improved. While the digitalization of these activities still has a long way to go, the reality of where they currently stand was unthinkable two years ago. I think that all the flaws of the current system, as well as the technological needs of the common citizen, have been exposed in the past years. And I am sure those needs will be fulfilled soon.
I hope that the innovations will transparently blend into our daily lives; the digital world and the real one are more connected than ever.
Would you like to share what’s next for GATACA?
For the past 4 years, GATACA has focused the majority of its efforts on building an interoperable, secure, and user-friendly product for the European region. We plan not only to continue to focus on the needs of our clients and on regulatory and standardization demands from the market, but also to take our SSI tech to the next level.
In addition to launching our SaaS version, our roadmap includes building a cloud-based Identity Hub to maximize user privacy and security by completely removing the storage of credentials in smartphones, among other functionalities, further reducing the chances of cyberattacks aimed at identity fraud. GATACA’s SSI technology is already being implemented in key public and private institutions across Europe, and we hope to continue delivering value to our clients and impact new sectors as our company continues to grow.