This paper aims to address the research gap in ethical design frameworks for self-sovereign identity (SSI) solutions. We present a case study of value sensitive design (VSD) conceptual investigation applied in the context of SSI-based solutions for the sharing of medical credentials uNLock. We evaluate the applicability and quality of VSD application on the basis of 5 criteria. We validate these findings by comparing the results of the original report with the studies presenting empirically informed insights from the deployment of SSI solutions for the presentation of medical credentials. We identify a problem of “value branching” particular to SSI solutions that can lead to the overinflation of the set of relevant values. We outline the affordances and limitations of the conceptual VSD investigation in our case study. We further reflect on the limits of general SSI principles and argue that the ethical design of SSI solutions always requires context-specific evaluative frameworks.
The problem of ethical issues in identity management solutions is an underdeveloped topic, and yet, one of the most critical concerns in our increasingly digitalised societies. [Footnote 1] Identity management solutions are embedded in a variety of social contexts and serve as crucial components for a wide range of systems and infrastructures. Most studies on moral issues in these specific contexts, however, narrowly focus on private data management. It can be argued, though, that while moral issues of private data management are at the heart of identity management solutions, they do not cover the whole spectrum of relevant concerns.
The events that followed the COVID-19 pandemic, the deployment of contact tracing apps and vaccination passports, have brought to the forefront such problems as individual autonomy, fairness, and power imbalances in the context of identity management solutions. Some of the more disturbing developments have highlighted how easily such systems could be re-purposed into the tools of social control. [Footnote 2] It became obvious that the integration of identity management solutions with access control systems easily results in uncontrollable function creep, moral hazards, and erosion of fundamental human rights (Dennis et al., 2022).
The same events, however, have also demonstrated the problem of moral overload faced by engineers, developers, and researchers working on identity management solutions. Different stages of the pandemic have created contexts where individuals and institutions had compelling moral reasons to consider all tools at their disposal without a clear understanding of the potential consequences. While we can hope that there will be no repetition of a crisis on a similar scale, it is also clear that the implementation of identity management solutions is rife with moral hazards that require systematic understanding and comprehensive theoretical frameworks. Identity management solutions are critical infrastructures in our highly digitalised society, and the design and implementation of these systems have far-reaching societal and ethical consequences.
Self-sovereign identity (SSI) presents particular interest here as an approach to the design of technological architectures for identity management informed by social and ethical considerations. At the same time, SSI is still an open set of engineering standards, rather than a comprehensive socio-technical theoretical framework. The technological affordances of the SSI approach regarding trust, security, and privacy guarantees are relatively well understood. In contrast, socio-ethical aspects of SSI design and implementations, at the moment, are formulated as high-level considerations at best. A particular research gap here is the lack of comprehensive ethical design frameworks that could guide the development of SSI solutions.
This paper aims to address this research gap by providing insights into the application of value sensitive design (VSD) methods for SSI application development. VSD is a robust, well-developed methodology for the elucidation of values, identification of moral concerns, and resolution of moral issues associated with technological solutions. It has been suggested before that the VSD methodological framework can be a particularly promising approach in the context of identity management solutions for privacy (Friedman et al., 2013; van den Hoven, 2013) and SSI-based solutions in particular (Dennis et al., 2022; Toth et al., 2020).
To the best of our knowledge, the findings of the original report presented in this paper provide a first study on the application of the VSD framework for the design of an SSI solution. This report has emerged from the work of an industry/academia consortium collaboration in the Netherlands working on the development of a privacy-preserving system for the sharing of medical data, based on self-sovereign identity (SSI) design (Ishmaev et al., 2020).
The uNLock consortium was an initiative of the Dutch Blockchain Coalition (DBC), Universiteit Leiden, Rabobank, TNO, Deloitte, Ledger Leopard, CMS, and Stichting RINIS established in April 2020. The uNLock solution was an SSI-based application that has been built during the COVID-19 pandemic to provide a tool for Dutch healthcare facilities to determine if a person is compliant with the entry requirements of the facility on the basis of a negative COVID-19 test. The healthcare application context was partially considered in hope that such an application embedded in existing professional norms for healthcare employees would introduce fewer novel ethical risks.
The report (referred to as “uNLock report” in the text) was delivered by an independent ethics work group, comprised of the authors of this paper. [Footnote 3] The goal of this report was to develop an ethical assessment for the design and use of such a system in the specific context of credentials for personnel in healthcare facilities using the tools and methodology of VSD.
This paper analyzes the findings of the original uNLock report to provide insights on the application of the VSD methodology in the context of the design and development of an SSI solution. The scope of this research paper is limited to the evaluation of the VSD methodology application, and it does not aim to provide a moral-philosophical assessment of the SSI technological approach as such. Nor does this paper aim to provide an ethical analysis of “COVID-19 passports” or “vaccine certificates.” We strongly agree though, that the VSD application should not be divorced from the moral-philosophical grounding and that the VSD process should make explicit use of an ethical theory (Jacobs & Huldtgren, 2021). VSD methodology is often used to identify factors facilitating or hampering social acceptance of technology rather than for the evaluation of ethical acceptability (Van de Kaa et al., 2020). Naive or uncritical application of VSD tools as a vehicle for social acceptance risks contributing to the performativity theatre exacerbating moral risks rather than alleviating them (Dennis et al., 2022; Milan et al., 2021). [Footnote 4]
This paper presents the findings of the original uNLock report in order to demonstrate the applicability of the VSD methodology in the context of an SSI solution. We aim to answer the following key research question: Can VSD conceptual investigation provide a basis for the robust ethical design framework for SSI solutions? In order to answer this question, we evaluate the quality of the VSD application in this use case on the basis of 5 criteria suggested by Winkler and Spiekermann (2021). We validate these findings by comparing the results of the original report with studies that were carried out at later stages of the pandemic presenting empirical insights from the deployment of SSI solutions for the presentation of medical credentials.
The paper is structured as follows.
Section 2 “Research Background” provides a comprehensive analysis of the research background relevant to the problem of ethical issue identification in the context of SSI solutions. While there is an abundance of existing literature on ethical issues of solutions for medical credentials, these studies do not explicitly consider the design of SSI architectures (Brown et al., 2021; Voo et al., 2022; Kofler & Baylis, 2020; Milan et al., 2021). The available research on SSI-specific solutions, at the moment, is mostly focused on high-level technological tradeoffs, with a focus on privacy and security guarantees (Halpin, 2020; Karopoulos et al., 2021).
Section 3 “Applying VSD to an SSI-based credentials app” provides an overview of the findings and methodology of the original report. We present a case description of the original uNLock report and present key findings on the application of VSD conceptual investigation in the context of SSI. We provide a rationale for the choice of VSD and present key findings on the identification of stakeholders, values, and translation of SSI in the context-specific use case.
Section 4 “Evaluation of VSD methods” looks into the findings of the original report and translates these results into the context of generic SSI architecture. Using the 5 criteria suggested by Winkler and Spiekermann (2021), we evaluate the results of the VSD methodology application. These criteria are (1) identification of direct and indirect stakeholders, (2) identification and conceptualization of values, (3) understanding of value harms and benefits, (4) development of mitigation strategies for value tensions, and (5) presentation of technical measures to address values. Corresponding subsections discuss findings presented in the previous section in relation to criteria 1–4.
Section 5 “Validation and Discussion” validates the findings of the original report, specifically the identified values, harms, and benefits, against the empirically informed studies analyzed in Section 2. We suggest that the comparison of the original report findings, based on a priori conceptual analysis, against empirically informed studies, provides a valuable assessment of the efficacy of the VSD conceptual analysis. We also discuss the capacities and limitations of the SSI approach to mitigate value harms in these application contexts.
We conclude with the main findings and reflections on the limits of the conceptual VSD investigation.
2 Research Background
At the time of the proposal of the uNLock solution and commissioning of the “Ethics Work Group” report in the winter and spring of 2020, there were no ready implementations of similar systems and no empirically informed studies on the design of such solutions. During 2020, as the COVID-19 pandemic continued, interest in digital medical credentials, such as the results of a COVID-19 test, increased dramatically due to the search for a public safety strategy.
By the spring of 2020, multiple governments had signalled interest in the development of solutions for the presentation of digital COVID-19 certificates that could be used to curb the spread of the pandemic and provide an alternative to blanket lockdowns. The earliest publication addressing these aspects is Kofler and Baylis (2020), published in May 2020. The authors lay out ten arguments against the implementation of COVID-19 immunity passports for society-wide access control to work, travel, and social events. Together with practical concerns regarding the lack of scientific evidence on the immunity against COVID-19, Kofler and Baylis outline distinctive moral concerns regarding privacy, fairness, discrimination, social division, and health.
Brown et al. (2021) provide a response to critical arguments against such solutions. They argue that such solutions provide the only viable alternative to blanket lockdowns restricting freedom of movement and other civil liberties. Furthermore, they speculate that ethical issues presented by immunity passports are less problematic than those presented by lockdowns.
The topic of ethical issues associated with COVID-19 immunity passports was addressed by the WHO Ethics and COVID-19 Working Group (Voo et al., 2022). This publication examines the ethical concerns of immunity passports that are related to equity, stigma, and unintended harm. Voo et al. state that the benefits and harms of immunity passports must be assessed to determine whether the implementation of immunity passport policies may be considered ethical.
At the moment of publication of this paper, a substantive body of knowledge on ethical issues associated with COVID-19 immunity passports is available (de Figuerido, 2021; Milan et al., 2021; Gstrein, 2021; Sharma et al., 2022; Dennis et al., 2022). We observe, however, that in contrast to general research on the ethics of immunity passports, there is a noticeable deficit of studies focusing on ethically relevant issues specific to SSI-based solutions. This observation relates to a more general deficit of research regarding ethical issues associated with the implementation of SSI solutions, even though many developments in this field are ethically motivated (Preukschat & Reed, 2021).
From the perspective of VSD research, there is also a noticeable absence of studies on the application of VSD methods in the context of identity management solutions in general. We only identified one study employing a method of stakeholder value identification similar to VSD. Briggs and Thomas (2015) provide the results of a workshop aimed at the identification of common values between minority groups in the context of UK proposals on identity management. To the best of our knowledge, there are also no studies on the application of VSD methods in the context of SSI solutions.
Nevertheless, we identify several relevant studies providing insights into the identification of ethical issues and value frameworks that present interest in the context of this paper. Two of these studies (Abramson et al., 2020; Lacity & Carmel, 2022) look into the deployment of SSI solutions in a very similar use context: presentation and sharing of credentials for the employees of healthcare facilities.
Abramson et al. (2020) present the findings of a workshop on the exploration of SSI solutions for sharing and presentation of professional credentials for employees of healthcare organizations. They created a set of SSI design principles by inviting a group of stakeholders to identify benefits and harms in a workshop setting. In addition to this exercise, Abramson et al. created a list of design principles that they distilled from a literature investigation and input provided by stakeholders. To create a value hierarchy, stakeholders were asked to rank eight design principles from the most valued principle to the lowest valued principle for technologies that enable clinical passports. The ethical investigation conducted by Abramson et al. is similar to the conceptual investigation proposed by the VSD methodology. However, Abramson et al. do not mention the usage of VSD or explicitly follow the process proposed by VSD.
Lacity and Carmel (2022) present a white paper on the implementation and management of an SSI project based on a case study at the UK National Health Service (NHS). The case study of the report is a digital staff passport to verify health professionals’ qualifications and credentials, based on the Sovrin network. While the report does not address any ethical concerns specifically, it contains a number of insights on relevant stakeholder values. Based on insights from the use of the solution by NHS, Lacity and Carmel identify a number of benefits to the healthcare facilities and employees. They provide a cautious but optimistic assessment regarding the maturity of SSI standards and related technological solutions on the basis of the analyzed use case.
Wilford et al. (2021) provide a broad overview of ethical issues associated with blockchain-based solutions for digital vaccine passports. While this study does not explicitly consider an SSI approach, it is relevant, given that the highlighted systems involve similar technological components. The authors critically review several such solutions including the COVID-19 Credentials Initiative (CCI), International Air Transport Association’s (IATA) Travel Pass Initiative, IBM’s Digital Health Pass, and EU Digital COVID Certificate. Wilford et al. outline a number of ethical concerns specific to this technological context, with a primary focus on privacy. They argue that the complexity of the resulting solutions cannot be addressed satisfactorily by the proposed regulatory frameworks, creating risks of opaque surveillance structures.
Halpin (2020) provides a more detailed low-level analysis regarding the use of SSI standards such as decentralized identifiers (DID) and verifiable credentials (VC) for COVID-19 immunity passport solutions. He highlights various limitations of such standards in the context of privacy and security guarantees for the users, with a focus on attacks that can undermine cryptographic components, data unlinkability, and integrity of credentials. Halpin also argues against the suggestions that ensuring security and privacy in such solutions can make them ethically acceptable. He points out that risks of the erosion of fundamental human rights presented by ubiquitous identity checks can make such solutions morally problematic regardless of underlying technological architectures.
Karopoulos et al. (2021) provide a comprehensive survey on various solutions for digital COVID-19 certificates, analyzing relevant academic work, national proposals and initiatives, and available smartphone apps. They highlight several key initiatives including The WHO smart vaccination certificate (SVC), The International Air Transport Association (IATA) Travel Pass Initiative, COVID-19 Credentials Initiative (CCI), EU Digital COVID Certificate (EUDCC), CommonPass, AOKpass, and several others. Karopoulos et al. highlight that nine of the identified schemes leverage blockchain technology or a similar PKI solution. They give an overview of key functional characteristics with a more detailed focus on the privacy and security guarantees of the proposed solutions.
Our literature analysis supports the significance and novelty of the main research question of this paper. The survey of relevant studies makes it clear that the development and implementation of solutions for the presentation of medical credentials are rife with ethical issues. The related body of studies on technological architectures for such solutions also highlights a significant interest in SSI standards and solutions. However, there is also a noticeable research gap in research methods for the identification and mitigation of ethical issues in this specific technological context.
3 Applying VSD in the Case of SSI-Based Credential App
3.1 Case Study of the Original uNLock Report
uNLock is an application that was proposed in 2020 during the COVID-19 pandemic to provide a tool for Dutch healthcare facilities to determine if a person is compliant with the entry requirements of the facility. uNLock is premised on a situation in which COVID-19 tests for the healthcare sector are widely available. The schematic high-level architecture of the uNLock app is given in Fig. 1.
Once a person has been tested, she or he receives a unique credential of that test result that can be saved in the uNLock application on a smartphone. As soon as this person wants to enter a healthcare institution, the desk clerk requests the person to scan a unique barcode provided by the institution. The visitor can then read the access policy on her/his smartphone and receive a notification whether her/his COVID-19 test results are in compliance with the access policy of this particular healthcare institution. After that, the visitor can decide to show the cryptographically signed proof of compliance with the access policy to the desk clerk, whereby the digital proof’s authenticity and validity are checked.
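The presentation flow described above, sketched as an added example; it is not code from the uNLock project or from this paper. It assumes Ed25519 signatures, a nonce carried in the facility's barcode, and a credential bound to a holder key; all type, function and identifier names are hypothetical and the data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential: issuer-signed test result. All names in this example are assumptions.
type Credential struct {
	Issuer    string
	HolderKey ed25519.PublicKey // binds the credential to the holder's wallet key
	Result    string
	TestedAt  time.Time
	IssuerSig []byte `json:"-"` // not part of the signed bytes
}

// Policy is what the facility's barcode carries: its rule plus a fresh nonce.
type Policy struct {
	Facility, Nonce string
	MaxAge          time.Duration
}

var (
	ErrIssuer       = errors.New("credential not signed by a trusted issuer")
	ErrNotBound     = errors.New("proof not bound to this barcode scan")
	ErrNotCompliant = errors.New("test result does not satisfy access policy")
)

func signedBytes(c Credential) []byte {
	b, _ := json.Marshal(c) // struct field order is fixed, so bytes are stable
	return b
}

// bindBytes ties a proof to one facility and one barcode scan.
func bindBytes(c Credential, p Policy) []byte {
	return append([]byte(p.Facility+"|"+p.Nonce+"|"), c.IssuerSig...)
}

// Issue is run by the testing provider.
func Issue(name string, key ed25519.PrivateKey, holder ed25519.PublicKey, result string, at time.Time) Credential {
	c := Credential{Issuer: name, HolderKey: holder, Result: result, TestedAt: at}
	c.IssuerSig = ed25519.Sign(key, signedBytes(c))
	return c
}

// Complies runs on the holder's phone before disclosure, and again at the desk.
func Complies(c Credential, p Policy, now time.Time) bool {
	age := now.Sub(c.TestedAt)
	return c.Result == "negative" && age >= 0 && age <= p.MaxAge
}

// Present returns the holder's signed proof only if the local check passes.
func Present(c Credential, key ed25519.PrivateKey, p Policy, now time.Time) ([]byte, error) {
	if !Complies(c, p, now) {
		return nil, ErrNotCompliant
	}
	return ed25519.Sign(key, bindBytes(c, p)), nil
}

// Verify is the desk-side check of authenticity and validity.
func Verify(c Credential, proof []byte, p Policy, trusted map[string]ed25519.PublicKey, now time.Time) error {
	issuerKey, ok := trusted[c.Issuer]
	if !ok || !ed25519.Verify(issuerKey, signedBytes(c), c.IssuerSig) {
		return ErrIssuer
	}
	if len(c.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(c.HolderKey, bindBytes(c, p), proof) {
		return ErrNotBound
	}
	if !Complies(c, p, now) {
		return ErrNotCompliant
	}
	return nil
}

// Scenario runs the flow on constructed data and returns each outcome.
func Scenario() (fresh, replayed, tampered, stale error) {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil)
	holderPub, holderKey, _ := ed25519.GenerateKey(nil)
	trusted := map[string]ed25519.PublicKey{"lab-example": issuerPub}
	tested := time.Date(2020, 6, 1, 8, 0, 0, 0, time.UTC)
	now := tested.Add(24 * time.Hour)
	cred := Issue("lab-example", issuerKey, holderPub, "negative", tested)
	visit := Policy{Facility: "clinic-example", Nonce: "scan-1", MaxAge: 48 * time.Hour}
	proof, _ := Present(cred, holderKey, visit, now)
	fresh = Verify(cred, proof, visit, trusted, now)
	later := Policy{Facility: visit.Facility, Nonce: "scan-2", MaxAge: visit.MaxAge}
	replayed = Verify(cred, proof, later, trusted, now) // old proof, new barcode
	forged := cred
	forged.TestedAt = now // test time edited after issuance
	tampered = Verify(forged, proof, visit, trusted, now)
	_, stale = Present(cred, holderKey, visit, tested.Add(72*time.Hour))
	return
}

func main() { fmt.Println(Scenario()) }
```

In this sketch the verifier sees the credential itself; a design that reveals only the compliance result would need a selective-disclosure or zero-knowledge scheme, which is not shown here.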
3.2 Methodology of the Original Report
The approach used in the study is based on the value sensitive design approach (Friedman et al., 2017). Value sensitive design (VSD) is “a theoretically grounded approach to the design of technology that accounts for human values in a principled and comprehensive manner throughout the design process” (Friedman et al., 2013, p.56). VSD supports a design of technological innovations that not only takes into account the instrumental aspects such as functionality, reliability, and ease of use but also the moral values of individuals and societies.
VSD has been applied in many cases over the past 25 years. Winkler and Spiekermann (2021) identified 113 papers discussing VSD projects in the period from 1996 to 2016 (only 17 of which applied all three perspectives). It has been argued that the VSD methodological framework can be a fruitful approach in the context of identity management solutions for privacy (Friedman et al., 2013; van den Hoven, 2013). Both the maturity of general VSD methods and their demonstrable applicability in the design of solutions for the management of private data have informed our choice of methodology in the original report.
The comprehensive VSD approach places much emphasis on the fact that not only the values of direct stakeholders must be considered, i.e., the users of technological innovation, but also the values of indirect stakeholders who may be impacted by the innovation—even though they do not interact with it themselves. At the conceptual level, the relevant stakeholders and values are identified and defined, based on existing literature and knowledge. At the empirical level, the actual perception of these values by the various types of stakeholders is studied by employing methods such as interviews, focus groups, or experiments, leading to further elaboration of the values into norms. At the technical level, the values and norms are translated into technical design. The three perspectives are iteratively employed. They are meant to inform each other rather than be engaged in as separate, strictly sequential activities.
In line with the value sensitive design approach (Friedman & Hendry, 2019), we started with a conceptual investigation. We took a broad inclusive interpretation of values as suggested by Friedman et al. (2013) referring to what persons or groups consider important in life, circumscribed by the set of specific values with ethical import to system design. As the separation of the investigations is a conceptual tool, meant to appreciate interactional aspects of design, different investigations should not result in separate tracks within the project.
Thus, a resulting conceptual framework is a tool that not only is meant to inform the design of the system but that should be updated and refined in an iterative manner throughout the later stages of empirical and technical investigations, including broader engagement with stakeholders and a feedback cycle of the uNLock system technological development. In order to ensure that all ethical and social issues will be addressed in the value sensitive design, detailed insights and information regarding the uNLock application and the stakeholders are required in the conceptual investigation.
We have performed the conceptual investigation in the following three steps:
Step 1: defining and mapping the stakeholders of the uNLock solution, their interests, benefits, and harms.
Step 2: translating interests, benefits, and harms into values and norms.
Step 3: harmonizing the uNLock value set with existing research on values and norms of SSI.
3.3 Findings of the Original Report
3.3.1 Defining and Mapping the Stakeholders of the uNLock Solution, Their Interests, Benefits, and Harms
Based on the information on the application that we gathered from the partners of the uNLock consortium (internal reports and online meetings with the partner responsible for market analysis, use-case analysis, and app development), we performed a stakeholder analysis to identify the main stakeholders of the uNLock solution. We first analyzed the main goal of the uNLock application, which was defined by the consortium as “to provide verified proof of COVID-19 test results.” The direct stakeholders—the direct users of the uNLock application—were identified. At the next step, the indirect stakeholders—the group or persons and institutions that are affected by the use of the uNLock application without using it—were identified.
Based on this distinction, we composed an overview of stakeholders. Next, based on the known roles of stakeholders in this use case, we described the interests of the stakeholders in the solution and identified the benefits and harms that the stakeholders could expect from the uNLock solution. Table 2 (Appendix) shows the elaboration of the stakeholder roles in the context of the application. Identification of the stakeholders was done by distinguishing not only direct and indirect stakeholders but also explicitly acknowledging the values of the consortium partners (values’ source analysis).
3.3.2 Translating Interests, Benefits, and Harms into Values and Norms
We translated the benefits and harms from step 1 into underlying values. Values and their definitions can be broad and too abstract for instrumentalization in a specific context, such as needed for the formulation of design requirements. Furthermore, an overly abstract definition of values risks ignoring or obscuring relevant social, economic, and cultural differences. Thus, the second step of our conceptual investigation was to provide conceptualizations of identified values in the context of the uNLock solution. Identification of values was performed through philosophical analysis (van de Poel, 2013) and value source analysis (Friedman et al., 2017), based on uNLock app project proposal provided by the members of uNLock consortium (high-level system design).
We identified 29 values and sub-values. The list of identified values with corresponding conceptualisations is presented in Table 3 (Appendix). Identified values were conceptualised for clarity and translated into norms specific to the application context. [Footnote 5] We took care not only to look at the uNLock solution in a narrow technological sense but to also take the social context into account, as well as the interaction between the two (co-evolve technology and social structure).
3.3.3 Harmonizing the uNLock Value Set with Existing Research on Values and Norms of SSI
In order to identify ethically salient features of the SSI approach in this context, we have analyzed the 10 principles of self-sovereign identity proposed by Allen (2017). These principles were mapped to the list of identified values (Table 1).
4 Evaluation of the VSD Methods
The findings of the uNLock report are interesting in the context of the VSD methodology as the only available study at the moment that aimed at the explicit application of VSD methods for the design of an SSI-based solution. To evaluate the results of this report, we adopted the five criteria suggested by Winkler and Spiekermann (2021), for the assessment of VSD application outcomes. These criteria are (1) identification of direct and indirect stakeholders, (2) identification and conceptualization of values, (3) understanding of value harms and benefits, (4) development of mitigation strategies for value tensions, and (5) presentation of technical measures to address values. We argue that by using conceptual methods of VSD in the context of generic SSI architecture, we can address 4 out of 5 criteria. The following four subsections present findings of the original report in corresponding four categories.
4.1 Stakeholder Analysis
Identification of stakeholders is usually considered to be an initial stage of the VSD method aiming at systematic analysis of individuals and groups that are expected to be affected by the investigated technology. The traditional distinction involves direct stakeholders who do interact or will interact with technology directly and indirect stakeholders who will not directly interact with the technology but can nonetheless be affected by the deployment. As Friedman et al. (2017) argue, effective identification of all affected stakeholders necessarily requires broad inclusion of not only individuals, but also groups, institutions, and societies. At the same time, Winkler and Spiekermann (2021) point out that the identification of stakeholders can be particularly challenging as a broad definition of stakeholder groups can undermine value sensitivity.
In the context of SSI solutions, the set of direct stakeholders to a certain degree is defined by the architecture and the data flow of the SSI method for sharing and the presentation of the credentials (Fig. 1). Typical direct stakeholders in a generic SSI data flow include a credential holder, an issuer of the credentials (issuer), and verifier of the credentials (verifier). However, particular roles of the direct stakeholders can vary between specific contexts of applications and define role-specific values, benefits, and harms.
The specific context of the original uNLock report has identified specific roles of direct stakeholders in the analysis (Table 2 in the Appendix). These roles include employees of healthcare facilities as credential holders, managing organizations of healthcare facilities as verifiers, COVID-19 testing providers as issuers, members of uNLock consortium as infrastructure providers, and patients of the healthcare facilities. [Footnote 6]
Identification of indirect stakeholders in the scope of the uNLock report was based on a conceptual analysis informed by considerations on the integration of the proposed solution in the broader social and regulatory frameworks. We have identified non-users (individuals/organizations), professional unions, government agencies (excluding direct supervisory authorities), regulators, and wider society as indirect stakeholders most likely to be affected by the deployment of the uNLock solution.
4.2 Identification of Values
As presented in Section 3.2, a broad definition of values, as suggested by Friedman and Hendry (2019), was taken as an operational definition in the uNLock report. Friedman et al. (2017) suggest that it is also important to distinguish between different sources of values in order to identify divergence and alignment between different stakeholders. The three suggested sources of values are (1) explicitly supported project values, referring to an agreed-upon set of values that guide the design process of system development; (2) designer values, referring to the personal and professional values brought in by the designer of technology; and (3) stakeholder values, referring to the values of different stakeholder groups.
All these sources were included in the analysis of the uNLock report. The core set of values was primarily identified through the process of analysis of stakeholders’ interests. This set was extended by the explicitly supported project values that were defined by the core 10 principles of the SSI approach translated into corresponding values. The professional values of the uNLock consortium members in this context overlap with the values of infrastructure providers as a stakeholder group. Values of the report authors in that case also overlap with stakeholder values but also served as critical reflexive points and anchors for the moral-theoretical grounding of the investigation.
We observed that many of the identified values present a hierarchical taxonomy, where certain values such as trust, privacy, well-being, and autonomy branch into different conceptualisations, with distinctively different semantics. One reason for such branching is that conceptualisation of values is contingent on attribution to different stakeholders. For example, the conceptualisation of autonomy differs between the autonomy of the credential holder to use the solution in a particular way and the autonomy of the verifier to establish verification policies consistent with organizational norms. The second reason is the inherently broad meaning of label terms, such as privacy and trust, branching into different conceptualisations if considered in technical, legal, and ethical meanings. Furthermore, label values attributed to the same stakeholder can branch into specific interpretations such as autonomy of identity as a more general ethical principle and employee autonomy as a context/role-specific value.
Such value branching requires careful attention in the context of SSI architectures, given that there is no uniform interdisciplinary conceptual framework. Current work on the standardization of SSI terminology largely focuses on the level of data models and as such is limited to technical terminology.Footnote 7 Work on the integration of this terminology in regulatory frameworks is still in the early stages.Footnote 8 However, the lack of attention to this conceptual branching can lead not only to the failure to identify relevant values but also to the failure to identify harms and benefits. For example, as we show in the following sections, the autonomy of a credential holder can come into conflict with the organizational autonomy of a verifier.
The uNLock report aimed to address this shortcoming through the adoption of a broad set of working definitions for value conceptualisations (Friedman et al., 2017). It is clear, however, that the application of the VSD methodology in the SSI context could greatly benefit from such a hierarchical taxonomy of values, supporting VSD practitioners to accurately navigate between general label terms of values and conceptualisations varying between stakeholder-specific and field-specific interpretations.Footnote 9
Value hierarchy has been previously proposed in the context of VSD as a tool for the translation of general value conceptualisations into application-specific norms and technical specifications (van de Poel, 2013; Umbrello & van de Poel, 2021). Our observation on the branching of values is different from these studies in one important aspect. van de Poel (2013) distinguishes specification of values from conceptualisation, arguing that the latter often does not require detailed knowledge of the domain in which the value is applied. And in the case of competing conceptualisations, we can choose conceptualisations that are more adequate on the basis of general philosophical analysis.
In our experience, the problem of value hierarchy occurs already at the stage of value conceptualisation, where there are no clear criteria available on why some conceptualisations are more adequate than others. For one, choosing certain value conceptualisations over others carries a risk of replacing stakeholder values with designer values. Secondly, it carries a risk of ignoring certain value conflicts and tensions that can be revealed at the level of context-specific conceptualisations.
We argue that the observed issue is a particular case of a broader problem in applied ethics of technology. Namely, the need to articulate and formulate specific adequate conceptions of general notions (and to articulate criteria of adequacy) becomes problematic when these notions are applied in new contexts (Van den Hoven, 2010). Van den Hoven suggests that the semantic expansion of general concepts in specific contexts can be grasped by the Rawlsian distinction between general concepts and their specific instantiations as conceptions. Here, we consider label values as general operational definitions of general concepts, and sub-values, which can be derived from label values through stakeholder attribution and discipline-specific definitions, as conceptions.Footnote 10
4.3 Value Harms and Benefits
In VSD approaches, identification of harms and benefits to stakeholders can be performed both on the basis of empirical investigation and on the basis of conceptual investigations drawing on analytic investigation and philosophical arguments. The uNLock report, limited to conceptual investigation, focused on the identification of harms and benefits of technology through the means of applied ethical analysis. We established a list of all potential benefits, including arguments from the initial consortium proposal on the development of the uNLock application, and considered the implementation of an SSI-based solution in the proposed specific use context.
We found that the identification of stakeholders’ harms and benefits and the identification of values are most fruitful when these tools are seen as a series of iterative feedback loops. Initial identification of benefits that could be derived from the technological architecture and use context provided new insights into values attributable to different stakeholders. These insights in turn helped to locate relevant ethical considerations grounded in moral theoretical analysis, which helped to identify corresponding harms. Such an analysis, performed in a series of iterative updates, was used to inform the final list of values (Table 3) as well as corresponding harms and benefits.
4.4 Mitigation Strategies for Value Tensions
The original report, being limited to the conceptual stage of VSD investigation, did not produce a comprehensive set of mitigation strategies for value tensions. In a multi-stage VSD process, the development of such strategies is relegated to later stages of an investigation, when empirical insights can be translated into technological solutions addressing identified value tensions. However, in the context of the uNLock report, the known constraints and affordances of the SSI approach have made it possible to outline potential design directions capable of facilitating, protecting, or upholding certain values. Interestingly enough, some of the SSI principles were identified as adverse to certain values.
We achieved these insights through the translation of the 10 key SSI principles into use-case-specific norms and consequent mapping to identified stakeholder values. This helped to distinguish which values could potentially be facilitated (protected) by SSI principles and which values must be addressed outside the scope of the SSI approach (Section 3.3.3; Table 2).Footnote 11 Here, we elaborate on the interpretation of these principles in the context of the original report and highlight the potential capacity of these principles to address specific value tensions.
We have found that mapping the SSI principles to the list of identified values in this specific use case can provide a number of insights. For one, this exercise helps to reveal that the general SSI framework aims to address a significant number of stakeholder values, namely, broad label values of autonomy, control, agency, transparency, trust, privacy, and security. Secondly, the translation of these general principles into application-specific norms highlights an extended number of relevant values that can be considered within the SSI design framework: dignity, fairness, and inclusion. And interestingly enough, one of the key principles of SSI was found to be in adverse relation to privacy and dignity when translated in the context of the specific use case.
At the same time, this analysis also reveals the limits of the SSI approach, as many of the identified values are left outside the scope of the ten key principles. Values such as solidarity, well-being, welfare, freedom of movement, stakeholder power, individual and organizational reputation, accessibility, organizational responsibility, and efficiency do not reveal an immediate connection to general or application-specific SSI principles. This does not necessarily suggest that these values cannot be addressed within the limits of socio-technical SSI principles. However, it shows that the scope of the original SSI principles is mostly the sharing and presentation of private data.
These findings are also not surprising given that SSI principles are aimed at the mitigation of value conflicts pertaining to identity management, data sovereignty, and private data flows, but not at the value conflicts associated with access control solutions. The literature analysis provided in Section 2, however, demonstrates that identity management solutions are often conflated with access control solutions. Such conflation is problematic, leading to the obfuscation of relevant values and value conflicts. We argue that the clear distinction between project values, designer values, and stakeholder values is a necessary minimum requirement for the prevention of such obfuscation at the early stages of design.
Such identification is necessary but not sufficient to make accurate judgments about whether the SSI approach can satisfactorily facilitate or protect all or most key values in the specific use case. This question cannot be answered without empirical investigation providing accurate semantics to values in different contexts (stakeholder-specific, field-specific, application-specific). Furthermore, the technological stage of investigation is necessary to consider what tools at the disposal of designers can satisfactorily address arising value tensions.
5 Validation and Discussion
These findings present an example case study of VSD method application at the early stages of the design of an SSI solution. A comprehensive VSD approach aims to refine and validate conceptual findings through the empirical investigation and analysis of technical solutions. In the ideal case, this validation should be performed on the basis of the same solution or application at the later stages of design and deployment (Friedman et al., 2017). In the case of the uNLock application, such validation is not available given that this particular solution was not deployed in production.
However, validation of the conceptual findings can also be performed on the basis of the research of relevant technological solutions (Friedman et al., 2002).Footnote 12 In the context of this paper, we take advantage of the fact that several studies on similar solutions based on the SSI approach became available after the study of the original report. This has allowed us to analyze different use cases and compare findings on values provided by the conceptual investigation with the findings on values informed by empirical research and experiences from implemented solutions. We choose to focus on the value findings of the original report (Table 3) for two reasons. Findings on similar lists of stakeholders alone would be trivial. Identification of stakeholder-specific harms and benefits, on the other hand, is not feasible, given the variation between high-level and low-level analysis in relevant studies.
We have chosen five relevant studies from the literature analysis provided in Section 2 for validation of our findings. The choice of these studies was based both on the scope of the studies, SSI solutions for medical credentials, and on the presentation of value-identifying results in some form (Abramson et al., 2020; Halpin, 2020; Wilford et al., 2021; Karopoulos et al., 2021; Lacity & Carmel, 2022). The study of Mithani et al. (2022) was omitted from the validation analysis, given the very brief and high-level character of the presented findings.
We performed a manual analysis of these five studies to identify mentions and discussions corresponding to the label values of the original uNLock report presented in Table 4 (Appendix). We have considered values as consistent with our findings in two cases: first, straightforward correspondence between general concepts (marked “x” in the table), e.g., “privacy” and “privacy”; second, if identified conceptions of values could be mapped to the conceptualisations of values (Table 3) in a relatively direct manner, e.g., “voluntary use” and “individual agency.” Such mapping can be open to interpretation, but we argue that narrow technological and application contexts here allow for more or less reliable identification of consistency (or inconsistency).
We identified 8 label values to be consistent with the findings of relevant studies: accessibility, autonomy (credential holder), dignity, fairness, efficiency, privacy, security, and trust. Each of these values is explicitly mentioned and discussed in at least 4 out of 5 studies. We found a further 5 label values to be somewhat consistent with the findings in relevant studies: autonomy of identity, freedom of movement, health, individual agency, and transparency. Each of these values was highlighted in at least 3 out of 5 studies.Footnote 13
Of particular interest are also values highlighted in several studies but not identified in the uNLock report. Most notable here are values such as decentralization, scalability, ease of use, and standardization. We attribute some of these omissions to the focus of the report on the identification of explicitly morally salient values in the specific use case.Footnote 14 Other omissions, however, indicate limitations of conceptual investigation, as the identification of certain project values and stakeholder values is premised on the identification of specific engineering parameters. This is particularly evident in the context of privacy requirements, which can only be meaningfully conceptualised in a very specific context.
A number of values presented in the original report were not identified or only briefly mentioned in the relevant studies. Some of these omissions can be explained through the contextual variations between label values and sub-values, e.g., variation of “trust” conceptions. Some of the omissions, however, cannot be explained by these variations, notably, values such as dignity, inclusion, solidarity, and institutional responsibility.
These results of course remain open to interpretation, given the limited number of relevant studies. However, four of these studies present a meta-analysis of multiple solutions, thus extending the scope of the comparison. We suggest that while these findings do not present validation of the used VSD methods in a strong sense, they highlight certain convergence between the results of the conceptual findings and empirically informed studies in similar use cases.
These results are also consistent with the approach to the validation of conceptual findings suggested by Friedman et al. (2002). The main difference is the longitudinal measurement in the study of Friedman et al. (2002), performed over the course of 5 years. However, given the observation of the shortened R&D cycles in the context of the COVID-19 pandemic (Dennis et al., 2022), we do not consider the shorter period of observation to be a factor that could undermine these results.
We have presented a case study of VSD conceptual investigation applied in the context of SSI-based solutions for the sharing of medical credentials. In order to evaluate the adequacy of these methods as components of an ethical design framework, we analyzed the findings of the original uNLock report. We adopted the five criteria framework for the assessment of the VSD application proposed by Winkler and Spiekermann (2021). We evaluated the findings of the uNLock report on the basis of these criteria and demonstrated that the conceptual stage of investigation of the VSD approach can provide a robust tool for the identification of stakeholders, relevant values, and value harms/benefits and outline some strategies for the mitigation of value tensions.
To validate these findings and assess the adequacy of the VSD application, we performed a comprehensive analysis of relevant studies on the implementation of SSI solutions for sharing of medical credentials. We have chosen five studies that (1) are relevant in the technological and application contexts, (2) present some explicit findings on the identification and explication of associated values, and (3) are empirically informed. We found that the findings of a conceptual VSD analysis regarding the identification of values are consistent with the findings from studies based on the analysis of technological design and stakeholder workshops.
We also presented some findings on the methodology of VSD application in the context of SSI solutions. The complex socio-technical nature of identity management systems in general, and SSI solutions in particular, necessitates the adoption of a broad interdisciplinary conceptual framework. This can create difficulties for VSD practitioners in the process of value identification, where it complicates a choice between competing value conceptualisations. We identified this problem as “value branching” and argue that the adoption of a hierarchical semantic structure for value conceptualisations can be helpful to address this issue.
Finally, with the help of the results of the conceptual VSD analysis, we identified some potential affordances and limitations of general SSI principles as a means of addressing value tensions. In order to do so, we translated the 10 key principles of SSI into application-specific norms and mapped these norms to the list of identified values. We found that while value harms related to personal data control can be sufficiently grasped within this framework, certain values are left out of scope. Most notably, value harms and moral risks pertaining to the access/control functionality of the proposed solution are largely left out of the scope of SSI principles. Furthermore, some of these principles applied in the context of credentials sharing for access control can undermine ethical and stakeholder values.
Our study shows that conceptual VSD investigation can be used as a robust tool for ethical SSI design. Through the identification of stakeholders, relevant values, and value harms/benefits, conceptual investigation can inform further stages of the design process, helping to establish the feasibility and moral desirability of particular design choices at early stages. Our observations also demonstrate that the conceptual investigation cannot be considered sufficient without empirical and technological investigations. First, the articulation of criteria of adequacy and relevance of different value conceptions in SSI cannot be done without empirical and technological stages of VSD investigation. Second, the results of the validation of conceptual findings demonstrate that the identification of certain project values and stakeholder values is premised on the identification of specific engineering parameters.
Furthermore, we suggest that these findings warrant reflections on the limitations of general SSI principles. A critical observation here is that identity management systems should never be conflated with access control solutions. Moral risks and value harms inherent to access control solutions cannot be addressed by the mere application of the SSI framework. Attempts to do so are not only disingenuous in relation to affected stakeholders but can present a problematic cooptation of SSI terminology for the obfuscation of critical value tensions. These observations highlight again that the design and implementation of SSI solutions should be supported by an ethical framework that is context-specific and robust.
In general, identity management systems can deal with all kinds of entities: addresses in communication networks, physical devices, artificial agents, etc. Here, by “identity management” systems, we refer to a specific class of technological solutions that deal with the identification of real persons.
“China bank protest stopped by health codes turning red, depositors say.” June 16, 2022. Reuters (https://www.reuters.com/world/china/china-bank-protest-stopped-by-health-codes-turning-red-depositors-say-2022-06-14/).
The task force was divided into an ethics work group and an ethics committee. The focus of the ethics work group was the development of a conceptual framework for the anticipatory identification of values and ethical issues both for the specific technical uNLock solution and for the ecosystem in general, using methods of value sensitive design. Here and further in the text, “we” refers to the same set of authors of the original reports (ethics work group) as the authors of this paper.
The original report (which was finalized before the worldwide deployment of such applications) found that the idea of an “immunity passport” for everyday social activities was highly morally problematic. The main reason for the negative assessment was the lack of scientific knowledge on immune response and the superficial appreciation of perverse socio-economic incentives in proposals on COVID-19 passports. The report concluded that any emergency measure for society-wide access control based on medical data risks becoming a permanent fixture of systematic discrimination and bio-surveillance. At the moment of the writing of this paper (October 2022), these arguments hold. Given that the breakthrough re-infections for vaccinated people are well established, moral arguments framing such applications as tools for communal protection are undermined, making these solutions even more morally debatable. We agree with the assessment that many of these programs were reduced to “technofixes” with questionable justification (Dennis et al., 2022).
This list with corresponding norms can be found in Annex 2 of the original report (Ishmaev et al., 2020).
Even though in certain cases of SSI application supervisory authorities can be included in the list of direct stakeholders, in the context of uNLock they were considered outside of the scope.
By value hierarchy, here, we do not mean normative hierarchy, e.g., prioritisation of one value over another. Rather, we consider the problem of semantic hierarchy where some conceptualizations of values are broader in meaning than others.
We argue that the articulation of criteria of adequacy for conceptions cannot be done without empirical and technological stages of VSD investigation. Thus, it might be prudent to consider an inclusive and pluralistic set of value conceptions at the conceptual VSD stage and make choices in favour of particular conceptions at later stages of the investigation.
It can also be argued that certain key principles of SSI more directly translate to technological system requirements, while some of these principles, namely portability, interoperability, minimisation, and protection, should rather be addressed within the scope of broader socio-technical arrangements (Stokkink & Pouwelse, 2018). This distinction makes it possible to highlight value tensions addressable by technological means within the scope of the SSI approach. Such investigation, however, requires attention to application-specific technological architecture and thus lies outside the scope of this paper.
Friedman et al. (2002) consider the “validation” of findings not in a strong scientific sense but in a weak sense, as an assessment of consistency with later VSD findings. Validation here does not aim to establish facts but to identify the adequacy of the chosen design direction. We consider validation in this sense as well.
We consider efficiency in a broad sense, given that cost assessment is a critical part of a feasibility assessment for any project at the early stages of the design.
The proposed application was not intended to be fully decentralized, but rather a federated solution. Scalability and standardization requirements were left out of the scope.
Abramson, W., van Deursen, N. E., & Buchanan, W. J. (2020). Trust-by-design: Evaluating issues and perceptions within clinical passporting. https://doi.org/10.48550/ARXIV.2006.14864
Allen, C. (2017). The path to self-sovereign identity. https://github.com/WebOfTrustInfo/self-sovereign-identity/blob/master/ThePathToSelf-SovereignIdentity.md
Briggs, P., & Thomas, L. (2015). An inclusive, value sensitive design perspective on future identity technologies. ACM Transactions on Computer-Human Interaction, 22(5), 1–28. https://doi.org/10.1145/2778972
Brown, R. C. H., Kelly, D., Wilkinson, D., & Savulescu, J. (2021). The scientific and ethical feasibility of immunity passports. The Lancet Infectious Diseases, 21(3), e58–e63. https://doi.org/10.1016/S1473-3099(20)30766-0
de Figueiredo, A., Larson, H. J., & Reicher, S. D. (2021). The potential impact of vaccine passports on inclination to accept COVID-19 vaccinations in the United Kingdom: Evidence from a large cross-sectional survey and modeling study. EClinicalMedicine, 40, 101109. https://doi.org/10.1016/j.eclinm.2021.101109
Dennis, M. J., Ishmaev, G., Umbrello, S., & van den Hoven, J. (2022). Values for a post-pandemic future. In M. J. Dennis, G. Ishmaev, S. Umbrello, & J. van den Hoven (Eds.), Values for a Post-Pandemic Future (Vol. 40, pp. 1–19). Springer International Publishing. https://doi.org/10.1007/978-3-031-08424-9_1
Friedman, B., & Hendry, D. G. (2019). Value sensitive design: Shaping technology with moral imagination. MIT Press.
Friedman, B., Hendry, D. G., & Borning, A. (2017). A survey of value sensitive design methods. Foundations and Trends® in Human–Computer Interaction, 11(2), 63–125.
Friedman, B., Kahn, P., & Borning, A. (2002). Value sensitive design: Theory and methods. University of Washington Technical Report, 2, 12.
Friedman, B., Kahn, P. H., Borning, A., & Huldtgren, A. (2013). Value sensitive design and information systems. In Early engagement and new technologies: Opening up the laboratory (pp. 55–95). Springer.
Gstrein, O. J. (2021). The EU digital COVID certificate: A preliminary data protection impact assessment. European Journal of Risk Regulation, 12(2), 370–381.
Halpin, H. (2020). Vision: A critique of immunity passports and W3C decentralized identifiers. In T. van der Merwe, C. Mitchell, & M. Mehrnezhad (Eds.), Security Standardisation Research (Vol. 12529, pp. 148–168). Springer International Publishing. https://doi.org/10.1007/978-3-030-64357-7_7
Ishmaev, G., Noordhoek, R., van Steenbergen, M., & Vermaes, N. (2020). Sense and sensibility in COVID-19 medical credentials: A value sensitive design perspective on the use of self sovereign identity enabled access to healthcare facilities (p. 24). https://dutchblockchaincoalition.org/assets/images/default/uNLock-Ethics-White-Paper_Sense-and-Sensibility-in-COVID-19-medical-credentials_1.0.pdf
Jacobs, N., & Huldtgren, A. (2021). Why value sensitive design needs ethical commitments. Ethics and Information Technology, 23(1), 23–26. https://doi.org/10.1007/s10676-018-9467-3
Karopoulos, G., Hernandez-Ramos, J. L., Kouliaridis, V., & Kambourakis, G. (2021). A survey on digital certificates approaches for the COVID-19 pandemic. IEEE Access, 9, 138003–138025. https://doi.org/10.1109/ACCESS.2021.3117781
Kofler, N., & Baylis, F. (2020). Ten reasons why immunity passports are a bad idea. Nature, 581(7809), 379–381. https://doi.org/10.1038/d41586-020-01451-0
Lacity, M., & Carmel, E. (2022). Implementing self-sovereign identity (SSI) for a digital staff passport at UK NHS.
Milan, S., Veale, M., Taylor, L., & Gürses, S. (2021). Promises made to be broken: Performance and performativity in digital vaccine and immunity certification. European Journal of Risk Regulation, 12(2), 382–392.
Mithani, S. S., Bota, A. B., Zhu, D. T., & Wilson, K. (2022). A scoping review of global vaccine certificate solutions for COVID-19. Human Vaccines & Immunotherapeutics, 18(1), 1–12. https://doi.org/10.1080/21645515.2021.1969849
Preukschat, A., & Reed, D. (2021). Self-sovereign identity: Decentralized digital identity and verifiable credentials. Manning.
Sharma, A., Hewege, C., & Perera, C. (2022). Exploration of privacy, ethical and regulatory concerns related to COVID-19 vaccine passport implementation. In A. Moallem (Ed.), HCI for Cybersecurity, Privacy and Trust (Vol. 13333, pp. 480–491). Springer International Publishing. https://doi.org/10.1007/978-3-031-05563-8_30
Stokkink, Q., & Pouwelse, J. (2018). Deployment of a blockchain-based self-sovereign identity. 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Halifax, NS, Canada, 2018, 1336–01342. https://doi.org/10.1109/Cybermatics_2018.2018.00230
Toth, K. C., Cavoukian, A., & Anderson-Priddy, A. (2020). Privacy by design architecture composed of identity agents decentralizing control over digital identity. Open Identity Summit, 2020.
Umbrello, S., & van de Poel, I. (2021). Mapping value sensitive design onto AI for social good principles. AI and Ethics, 1(3), 283–296. https://doi.org/10.1007/s43681-021-00038-3
van de Kaa, G., Rezaei, J., Taebi, B., van de Poel, I., & Kizhakenath, A. (2020). How to weigh values in value sensitive design: A best worst method approach for the case of smart metering. Science and Engineering Ethics, 26(1), 475–494. https://doi.org/10.1007/s11948-019-00105-3
van de Poel, I. (2013). Translating values into design requirements. In D. P. Michelfelder, N. McCarthy, & D. E. Goldberg (Eds.), Philosophy and Engineering: Reflections on Practice, Principles and Process (Vol. 15, pp. 253–266). Springer Netherlands. https://doi.org/10.1007/978-94-007-7762-0_20
Van den Hoven, J. (2010). The use of normative theories in computer ethics. The Cambridge Handbook of Information and Computer Ethics, 59–76.
Van den Hoven, J. (2013). Value sensitive design and responsible innovation (pp. 75–83). Managing the Responsible Emergence of Science and Innovation in Society.
Voo, T. C., Smith, M. J., Mastroleo, I., Dawson, A., & WHO Ethics & COVID-19 Working Group. (2022). COVID-19 vaccination certificates and lifting public health and social measures: Ethical considerations. Eastern Mediterranean Health Journal, 28(6), 454–458. https://doi.org/10.26719/emhj.22.023
Wilford, S. H., Mcbride, N., Brooks, L., Eke, D. O., Akintoye, S., Owoseni, A., Leach, T., Flick, C., Fisk, M., & Stacey, M. (2021). The digital network of networks: Regulatory risk and policy challenges of vaccine passports. European Journal of Risk Regulation, 12(2), 393–403. https://doi.org/10.1017/err.2021.35
Winkler, T., & Spiekermann, S. (2021). Twenty years of value sensitive design: A review of methodological practices in VSD projects. Ethics and Information Technology, 23(1), 17–21.
Consent for Publication
All authors have consented to the submission of the manuscript to the Digital Society journal.
The authors declare no competing interests.
Cite this article
Ishmaev, G., Noordhoek, R., van Steenbergen, M. et al. Value Sensitive Design for Self-Sovereign Identity Solutions: Conceptual Investigation of uNLock Use Case. DISO 2, 24 (2023). https://doi.org/10.1007/s44206-023-00046-2