A Tapestry Credential System for Land Administration: Making it Work Through Self-Sovereign Identity

So what are the characteristics of an identity system for land administration, one that would make it as easy as possible to create tapestry credentials to establish property claims, interact with the land registry, and access land-related financial services?

  • It must be easy to establish unique, trustworthy identities for people and things.
  • It must allow people to remotely assert facts about themselves and their property.
  • It must be designed to maximise user privacy and control.
  • It must allow maximum flexibility to create, share, and verify credentials.

We propose that an emerging type of digital identity system, called self-sovereign identity, can operationalize these four requirements.

In the following subsections, we explain:

  • Why a solution emerging from the identity space is appropriate for land administration;
  • What self-sovereign identity is, and how it differs from the form of digital identity most of us are familiar with; and
  • How a self-sovereign identity-based system could allow people to use tapestry credentials in order to document their property rights.

Why a Digital Identity Solution is Appropriate for Land Administration

How do we create a system that satisfies the four criteria above? The answer may come from the digital identity community, which has long been grappling with the problem of allowing large numbers of people to assert information about themselves in a trustworthy and inclusive way.

Perhaps it is unsurprising that a concept developed for identity can offer a solution for property rights. That’s because, at its most basic, property rights documentation is the documentation of identity: the identity of the property holder (the “who”); the identity of the property itself (the “where”); and the relational identity between the property and its holder (the “what”).

Answering the first question—who?—depends almost exclusively on having an appropriate identity system. While every person, by virtue of their existence, has a unique personal identity, whether that person has identity documentation—and whether that documentation is trusted—is a different story.

The second question—“where is the property?”—can also be understood in terms of identity. Land and buildings are quite similar to people in that they have a unique identity that is represented in a system by means of attributes. The main difference is in the type of attributes. Real, or immovable, property is identifiable by its location in addition to other distinguishing characteristics.

The final question is the what. What sort of right does a specific person have in a specific property? This question can be thought of in terms of the relational identity between the person and the property.

What is Self-Sovereign Identity?

More than a single technology, self-sovereign identity is a new paradigm for designing digital identity systems. SSI abides by a set of core principles introduced by Christopher Allen, who coined the term in his seminal essay, “The Path to Self-Sovereign Identity.”[1]

The Ten Principles of Self-Sovereign Identity

1) Existence. Users must have an independent existence.

2) Control. Users must control their identities.

3) Access. Users must have access to their own data.

4) Transparency. Systems and algorithms must be transparent.

5) Persistence. Identities must be long-lived.

6) Portability. Information and services about identity must be transportable.

7) Interoperability. Identities should be as widely usable as possible.

8) Consent. Users must agree to the use of their identity.

9) Minimalization. Disclosure of claims must be minimized.

10) Protection. The rights of users must be protected.

SSI is designed to make identity in the digital world function more like identity in the physical world, in which every person has a unique and persistent identity which is represented to others by means of both their physical attributes and a collection of credentials attested to by various external sources of authority. These credentials are stored and controlled by the identity holder—typically in a digital wallet—and presented to different people for different reasons at the identity holder’s discretion. The person to whom the credential is presented verifies it without checking with the issuer of the credential. Crucially, the identity holder controls what information to present based on the environment, trust level, and type of interaction. Moreover, their fundamental identity persists even though the credentials by which it is represented may change over time. While credentials can expire or be revoked by their issuers, there is no central authority with the power to revoke a user’s identity. The leading SSI solutions leverage blockchain to provide users with a persistent and secure digital identity that cannot be revoked, altered, or accessed without their explicit permission.

A key component of SSI is the verifiable credential standard.[2] A verifiable credential is a tamper-resistant, privacy-preserving, and digitally signed credential with clear authorship and provided by a known and trusted entity. The identity holder can use their verifiable credentials to access many different systems and services without a third party tracking the services the identity holder uses.

For example: Bob wants to open a bank account, and the bank asks for Bob’s proof of address as part of its due diligence process. Bob does not have a formal address; however, he does have a mobile phone. Bob asks his telecom company to issue him a location history as a verifiable credential that he can present to the bank (and to whoever else may need it in the future). Bob stores this location history credential in his digital wallet, along with various other credentials, and the bank can request access to this credential to verify Bob’s address.

In this example, the verifiable credential is provided by a known and trusted entity (the telecom), digitally signed by the telecom, and stored by Bob in a tamper-resistant location—his digital wallet.

Furthermore, because the location credential is cryptographically signed by the issuer, the bank doesn’t need to contact the telecom to verify the information; checking the credential against the telecom’s public key is proof enough. The public key is a string of bits that is mathematically linked to a corresponding string of bits called a private key. Data that is encrypted with one key can only be decrypted with the other. As the names suggest, private keys are kept secret while public keys are accessible to everyone. The verifier can use the telecom’s public key to mathematically prove that the credential was signed by the private key known only to the telecom. Similarly, the verifier can check that the credential was issued to Bob and is being presented by Bob.

Cryptographic techniques called “zero-knowledge proofs” (ZKPs) can be used to prove possession of a credential without actually revealing the credential itself, which helps to preserve the privacy of sensitive information. For example, Bob can present a proof of address derived from his location data without sharing the location data itself.

Although the concepts behind SSI have existed for decades, actual implementation was technically infeasible until recently. The arrival of blockchain and the advancement of biometrics have brought SSI from concept to reality. Blockchain enables decentralization of the public key infrastructure. This allows anyone with access to a smartphone to create a digital identity that cannot be revoked by a centralized authority, and to issue and verify credentials. Biometry can be used to establish a unique core identity and to guarantee that, when data is accessed or shared, the real identity holder is the one doing so.

How is Self-Sovereign Identity an Improvement on Existing Forms of Digital ID?

SSI has several advantages over existing forms of digital ID. Most digital identities today take the form of accounts that can only be used to access specific services from a specific provider. Other forms of identity, like Facebook and Google accounts, can be used for a wider, but still very limited range of purposes. Moreover, these accounts are entirely controlled by the service provider and can be revoked.

National identity schemes often create the opposite problem, and are adopted for an incredibly wide range of purposes for which they were not originally designed, which creates serious surveillance and privacy risks for their users. India’s Aadhaar is the greatest example of this, though social security numbers in the United States also fit this pattern.[3]

SSI, by contrast, provides a single digital identity that is controlled by the user and can be used to access multiple different services. However, SSI is also built to maximize user privacy and control over personal information, giving users a digital identity that is anonymous where appropriate and allowing them to assert their legal identities when necessary.

How Can SSI Help Solve the Property Documentation Problem?

At the beginning of section three, we introduced four requirements for an identity system to support the use of tapestry credentials. Now, having introduced SSI, we can explore in greater detail how its features align with those requirements.

Establishing Unique, Trustworthy Identities for People and Things

In a world where smartphone penetration is increasing rapidly,[4] SSI is becoming an accessible way for people to obtain unique digital identities. The administrative form of a government-issued personal ID is often a number that serves as a unique identifier and a combination of characteristics, such as name, address, age, etc. Each of these characteristics requires some form of evidence in order to be recorded for identification purposes, and there are necessarily a limited number of trusted supporting credentials that the identity issuer can accept. In the total absence of supporting credentials, identity can be established through a social process in which members of a community identify one another in a relational way before an identity is issued.

SSI reverses this process, allowing people to establish a digital identity and build a relational ID around it. People are able to create their own unique identities on enrollment and build credentials from multiple sources around that identity over time. If a person has a valid state-issued identity document, the appropriate government agency can reissue that document digitally as a verifiable credential. That verifiable credential is a very useful thing to have, as it provides a robust digital identity for future interactions. In the absence of a state-issued identity document, SSI provides a way to build a progressively more trustworthy identity. The identities are trustworthy because their attributes and interactions are cryptographically verifiable.

SSIs can also be generated for objects, including properties and sensors that need to share the data they collect in a secure format. For a land administration system to make use of an ever-increasing amount of sensor-derived data, we have to know and trust the identities of the sensors themselves. The vast majority of entities sharing information on computer networks will be “Internet of Things” devices—sensors connected to the internet that collect and share data. All of these devices will need digital identities to keep track of these data flows. For our purposes, an internet-connected sensor needs a public/private key pair that it can use to authenticate to other devices with which it interacts and to sign data that it generates.[5] In the short term, SSI can enable verifiable location proofs from peer-to-peer communication between devices.

In the more distant future, more data will also be generated by devices attached to properties in the form of things like thermostats, smart locks, and utility meters. In that case, the property itself would have an identity to gather and manage this data.

Allowing People to Remotely Assert Facts About Themselves and Their Property in a Way that is Trusted by Administrative Agencies

A government agency trying to verify information must answer two questions: What is the identity of the person making the claim, and what is the origin of the evidence supporting the claim? In other words, the verifier must be able to tie all of the credential data to a single, legal person, and believe that the data is legitimate.

SSI helps the government answer the first question with the help of biometrics, which allow intrinsic characteristics of the individual to be extended into the digital world. When we go in person to renew a driver’s license or to have a document notarized, we are undergoing a series of implicit identity checks that may not be obvious. The first and most important of these is biometric. Human beings are exceptionally sophisticated “sensors” when it comes to recognizing other living humans and their physical features. This check is accompanied by the submission of documents and, taken together, these checks furnish proof of identity. An SSI-based system must be able to replicate this in-person biometric check. Luckily, as smartphones incorporate increasingly sophisticated biometric sensors, like fingerprint readers and facial recognition software, this is becoming an increasingly easy problem to solve.

Biometrics can be used in a variety of ways, and this is reflected in the diverse approaches taken by current SSI platforms. Biometric profiles can be used to generate a person’s identifier in the system, which allows them to recover their account if they lose access to it. In some platforms, such profiles can also be used to prevent a single user from creating multiple accounts. Most commonly, biometrics are used to access and control the digital wallet on a person’s phone.

In answer to the second question, once there is a biometric tie between the SSI wallet and the wallet holder, there is a need to tie the credentials in the wallet to the wallet holder’s core identity. SSI platforms allow credentials to be linked cryptographically to the wallet holder’s core identity so that they cannot be used by anyone else.

Maximizing User Privacy and Control

A drawback of the tapestry credential model is that it relies on a large trove of personal data, which in aggregate is much more revealing than a small number of monument credentials. As citizens begin to collect and deploy tapestry credentials, they would therefore want assurances that they alone control who sees which pieces of data and when.

One important way in which SSI can help to ensure user privacy is by allowing different identifiers to be used for different relationships to prevent observers from being able to piece together information about the user. For example, an identity holder would use one identifier with the bank, a different one with their phone provider, and a third with the land agency. However, all credentials gathered through these interactions are linked to the user’s core identity in such a way that they can be verified when used in new relationships.

This is in stark contrast to other popular forms of digital identity, which are often designed to collect as much information about the user as can be extracted from that person’s activities. In fact, it can be difficult for the identity holder to prevent it from happening. A Facebook profile, for example, can fairly be defined as a digital identity consisting of all of the data Facebook has attached to that user profile, much of it without the user’s knowledge or consent. SSI is a way to collect many data points from multiple sources around a single identity while still under the data subject’s control.

Verifiers can request whatever credentials they need from a user, but they cannot see them unless that person consents to share them. In addition, a user can share only the relevant part of a credential to minimize the exposure of personal information. When a physical ID card is presented, it allows the verifier to see the subject’s name, address, date of birth, etc. With SSI, it is possible to mask sensitive information that is not necessary for the transaction taking place, such as the gender of the claimant.
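
Partial disclosure of this kind can be built in several ways. The following added example (not from this report or from any SSI platform) uses one common technique, salted hash commitments under an Ed25519 issuer signature; the attribute names, values and keys are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

var issuerPub, issuerPriv, _ = ed25519.GenerateKey(nil) // constructed demo issuer keys; nil selects crypto/rand
// Disclosure reveals one attribute plus the random salt that was hashed with it.
type Disclosure struct{ Name, Value, Salt string }

// Credential: the holder's copy carries every disclosure, a presentation a subset.
type Credential struct {
	Digests []string // sorted hex SHA-256 digests, one per attribute
	Sig     []byte   // issuer signature over the digest list
	Shown   map[string]Disclosure
}

func digest(d Disclosure) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q %q %q", d.Salt, d.Name, d.Value)))) }

// Issue salts and hashes each attribute, then signs only the digests.
func Issue(attrs map[string]string, issuer ed25519.PrivateKey) Credential {
	c := Credential{Shown: map[string]Disclosure{}}
	for name, value := range attrs {
		salt := make([]byte, 16) // a fresh salt blocks guessing of short values
		rand.Read(salt)
		c.Shown[name] = Disclosure{name, value, fmt.Sprintf("%x", salt)}
		c.Digests = append(c.Digests, digest(c.Shown[name]))
	}
	sort.Strings(c.Digests) // sorted digests do not leak attribute order
	c.Sig = ed25519.Sign(issuer, []byte(fmt.Sprintf("%q", c.Digests)))
	return c
}

// Present copies the signed digests but only the named disclosures.
func (c Credential) Present(names ...string) Credential {
	p := Credential{c.Digests, c.Sig, map[string]Disclosure{}}
	for _, n := range names {
		p.Shown[n] = c.Shown[n]
	}
	return p
}

// Verify checks the issuer signature and that each disclosure matches a signed digest.
func Verify(p Credential, pub ed25519.PublicKey) bool {
	ok := ed25519.Verify(pub, []byte(fmt.Sprintf("%q", p.Digests)), p.Sig)
	for _, d := range p.Shown {
		i := sort.SearchStrings(p.Digests, digest(d))
		ok = ok && i < len(p.Digests) && p.Digests[i] == digest(d)
	}
	return ok
}

func main() {
	id := Issue(map[string]string{"name": "Bob Example", "gender": "male", "address": "Plot 12"}, issuerPriv)
	fmt.Println(Verify(id.Present("name", "address"), issuerPub)) // gender stays hidden
}
```

The verifier still sees how many attributes the credential contains, because all digests are signed together; only the undisclosed values stay hidden.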

A user’s identity data is stored securely on their smartphone and/or in the cloud. In addition, self-sovereign identities can’t be revoked by any external authority and are designed to persist as long as the holders want to retain them.

Maximizing Flexibility to Create, Share, and Verify Credentials

A tapestry credential system hinges on the ability to gather pieces of evidence from the greatest possible number of sources, while at the same time trusting this evidence to be legitimate. Because every participant in an SSI network can issue and verify credentials, there is tremendous flexibility to build an identity based on social validation. In other words, trust can be derived from a wide network of interactions rather than the authority of a single entity like a government.

In order for this data to function as a credential, it must be trustworthy in two respects. First, the data must have integrity, meaning that it can be proven that it has not been altered in any way. Second, the data must have a verifiable origin, or provenance. This is accomplished through the use of digital signatures, which can be checked to verify that the data was issued by the right authority to the person presenting it as a credential. Digital signatures create a chain of custody for information. In order to turn phone location data into a credential, for example, a mobile service provider must have an ID with which it can sign a location claim, and the phone user to whom it is issued must countersign it. Verifiable credentials will usually come from trusted sources, but everyone with an SSI has a key pair that they can use to sign credentials, and their public key can be looked up to verify the signature. In many cases, this will not be useful because the individuals won’t be trusted to vouch for certain kinds of valuable information in the way that a bank or telecom company can. However, with respect to land claims, the ability for ordinary people to make assertions in such a secure and auditable format can certainly be useful. Neighbors with verified addresses could sign off on a property claim.
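
An added example, not code from this report, of the chain of custody described here and of the earlier point that the bank can check Bob’s credential against the telecom’s public key alone: the issuer signs, the holder countersigns, and the verifier checks both signatures offline. Ed25519, the in-memory registry and the did:example identifiers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is a constructed, simplified type, not the W3C data model.
type Credential struct {
	Issuer, Subject, Claim string
	IssuerSig, HolderSig   []byte
}

type Registry map[string]ed25519.PublicKey // stand-in for public-key lookup by identifier
var ErrIssuer = errors.New("issuer unknown, or claim altered after signing")
var ErrHolder = errors.New("subject unknown, or countersignature invalid")

// NewKey registers id with a repeatable demo key; real keys need crypto/rand.
func (r Registry) NewKey(id string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(id))
	r[id] = ed25519.NewKeyFromSeed(seed[:]).Public().(ed25519.PublicKey)
	return ed25519.NewKeyFromSeed(seed[:])
}

// payload is the signed byte string; %q keeps field boundaries unambiguous.
func payload(c Credential) []byte { return []byte(fmt.Sprintf("%q %q %q", c.Issuer, c.Subject, c.Claim)) }

// Issue signs the claim with the issuer's private key.
func Issue(c Credential, issuer ed25519.PrivateKey) Credential {
	c.IssuerSig = ed25519.Sign(issuer, payload(c))
	return c
}

// Countersign has the holder sign the claim plus the issuer's signature.
func Countersign(c Credential, holder ed25519.PrivateKey) Credential {
	c.HolderSig = ed25519.Sign(holder, append(payload(c), c.IssuerSig...))
	return c
}

// Verify uses only looked-up public keys; the issuer is never contacted.
func Verify(c Credential, reg Registry) error {
	msg := payload(c)
	if k := reg[c.Issuer]; k == nil || !ed25519.Verify(k, msg, c.IssuerSig) {
		return ErrIssuer
	}
	if k := reg[c.Subject]; k == nil || !ed25519.Verify(k, append(msg, c.IssuerSig...), c.HolderSig) {
		return ErrHolder
	}
	return nil
}

func main() {
	reg := Registry{}
	telecom, bob := reg.NewKey("did:example:telecom"), reg.NewKey("did:example:bob")
	c := Credential{Issuer: "did:example:telecom", Subject: "did:example:bob", Claim: "location history: plot 12"}
	fmt.Println("verify:", Verify(Countersign(Issue(c, telecom), bob), reg))
}
```

A countersignature made at issuance does not by itself show who is presenting the credential later; that would additionally require the holder to sign a fresh value chosen by the verifier.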

From the perspective of a government agency that needs to verify property claims, such a system provides access to many new forms of trustworthy evidence. The agency’s role is to decide what combination of credentials is sufficient to establish a claim, request them, and verify them. Once a property right has been recognized, it can itself be issued to the property holder as a verifiable credential, which in turn can be used to apply for a loan, hook up to utilities, or provide a proof of address—just like in a traditional property documentation system.

Citations
  1. Christopher Allen, “The Path to Self-Sovereign Identity,” Life With Alacrity (blog), April 25, 2016, source
  2. Verifiable Credentials Data Model 1.0. Manu Sporny; Grant Noble; Daniel C. Burnett; Dave Longley. Verifiable Claims Working Group. W3C Candidate Recommendation 28 March 2019. URL: source
  3. Siddharthya Roy, “Aadhaar: India's Flawed Biometric Database,” Diplomat, March 06, 2018, source
  4. Pew Research Center, February 2019, “Smartphone Ownership Is Growing Rapidly Around the World, but Not Always Equally,” source
  5. “What is IoT PKI?,” Thales Security, accessed May 8, 2019, source