Value Sensitive Design for Self-Sovereign Identity Solutions: Conceptual Investigation of uNLock Use Case

This paper aims to address the research gap in ethical design frameworks for self-sovereign identity (SSI) solutions. We present a case study of value sensitive design (VSD) conceptual investigation applied in the context of SSI-based solutions for the sharing of medical credentials uNLock. We evaluate the applicability and quality of VSD application on the basis of 5 criteria. We validate these findings by comparing the results of the original report with the studies presenting empirically informed insights from the deployment of SSI solutions for the presentation of medical credentials. We identify a problem of “value branching” particular to SSI solutions that can lead to the overinflation of the set of relevant values. We outline the affordances and limitations of the conceptual VSD investigation in our case study. We further reflect on the limits of general SSI principles and argue that the ethical design of SSI solutions always requires context-specific evaluative frameworks.


Introduction
The problem of ethical issues in identity management solutions is an underdeveloped topic, and yet, one of the most critical concerns in our increasingly digitalised societie. 1 Identity management solutions are embedded in a variety of social contexts and serve as crucial components for a wide range of systems and infrastructures. Most studies on moral issues in these specific contexts, however, narrowly focus on private data management. It can be argued, though, that while moral issues of private data management are at the heart of identity management solutions, they do not cover the whole spectrum of relevant concerns.
The events that followed the COVID-19 pandemic, the deployment of contact tracing apps and vaccination passports, have brought to the forefront such problems as individual autonomy, fairness, and power imbalances in the context of identity management solutions. Some of the more disturbing developments have highlighted how easily such systems could be re-purposed into the tools of social control. 2 It became obvious that the integration of identity management solutions with access control systems easily results in uncontrollable function creep, moral hazards, and erosion of fundamental human rights (Dennis et al., 2022).
The same events, however, have also demonstrated the problem of moral overload faced by engineers, developers, and researchers working on identity management solutions. Different stages of the pandemic have created contexts where individuals and institutions had compelling moral reasons to consider all tools at their disposal without a clear understanding of the potential consequences. While we can hope that there will be no repetition of a crisis on a similar scale, it is also clear that the implementation of identity management solutions is rife with moral hazards that require systematic understanding and comprehensive theoretical frameworks. Identity management solutions are critical infrastructures in our highly digitalised society, and the design and implementation of these systems have far-reaching societal and ethical consequences.
Self-sovereign identity (SSI) presents particular interest here as an approach to the design of technological architectures for identity management informed by social and ethical considerations. At the same time, SSI is still an open set of engineering standards, rather than a comprehensive socio-technical theoretical framework. The technological affordances of the SSI approach regarding trust, security, and privacy guarantees are relatively well understood. In contrast, socio-ethical aspects of SSI design and implementations, at the moment, are formulated as high-level considerations at best. A particular research gap here is the lack of comprehensive ethical design frameworks that could guide the development of SSI solutions. This paper aims to address this research gap by providing insights into the application of value sensitive design (VSD) methods for SSI application development. VSD is a robust, well-developed methodology for the elucidation of values, identification of moral concerns, and resolution of moral issues associated with technological solutions. It has been suggested before that the VSD methodological framework can be a particularly promising approach in the context of identity management solutions for privacy (Friedman et al., 2013, van den Hoven, 2013 and SSI-based solutions in particular (Dennis et al., 2022;Toth et al., 2020).
To the best of our knowledge, the findings of the original report presented in this paper provide a first study on the application of the VSD framework for the design of an SSI solution. This report has emerged from the work of an industry/academia consortium collaboration in the Netherlands working on the development of a privacy-preserving system for the sharing of medical data, based on self-sovereign identity (SSI) design (Ishmaev et al., 2020).
The uNLock consortium was an initiative of the Dutch Blockchain Coalition (DBC), Universiteit Leiden, Rabobank, TNO, Deloitte, Ledger Leopard, CMS, and Stichting RINIS established in April 2020. The uNLock solution was an SSI-based application that has been built during the COVID-19 pandemic to provide a tool for Dutch healthcare facilities to determine if a person is compliant with the entry requirements of the facility on the basis of a negative COVID-19 test. The healthcare application context was partially considered in hope that such an application embedded in existing professional norms for healthcare employees would introduce fewer novel ethical risks.
The report (referred to as "uNLock report" in the text) was delivered by an independent ethics work group, comprised of the authors of this paper. 3 The goal of this report was to develop an ethical assessment for the design and use of such a system in the specific context of credentials for personnel in healthcare facilities using the tools and methodology of VSD. This paper analyzes the findings of the original uNLock report to provide insights on the application of the VSD methodology in the context of the design and development of an SSI solution. The scope of this research paper is limited to the evaluation of the VSD methodology application, and it does not aim to provide a moral-philosophical assessment of the SSI technological approach as such. Nor does this paper aim to provide an ethical analysis of "COVID-19 passports" or "vaccine certificates." We strongly agree though, that the VSD application should not be divorced from the moral-philosophical grounding and that the VSD process should make explicit use of an ethical theory (Jacobs & Huldtgren, 2021). VSD methodology is often used to identify factors facilitating or hampering social acceptance of technology rather than for the evaluation of ethical acceptability (Van de Kaa et al., 2020). Naive or uncritical application of VSD tools as a vehicle for social acceptance risks contributing to the performativity theatre exacerbating moral risks rather than alleviating them (Dennis et al., 2022;Milan et al., 2021). 4 This paper presents the findings of the original uNLock report in order to demonstrate the applicability of the VSD methodology in the context of an SSI solution.
We aim to answer the following key research question: Can VSD conceptual investigation provide a basis for the robust ethical design framework for SSI solutions? In order to answer this question, we evaluate the quality of the VSD application in this use case on the basis of 5 criteria suggested by Winkler and Spiekermann (2021). We validate these findings by comparing the results of the original report with studies that were carried out at later stages of the pandemic presenting empirical insights from the deployment of SSI solutions for the presentation of medical credentials.
The paper is structured as follows. Section 2 "Research Background" provides a comprehensive analysis of the research background relevant to the problem of ethical issue identification in the context of SSI solutions. While there is an abundance of existing literature on ethical issues of solutions for medical credentials, these studies do not explicitly consider the design of SSI architectures (Brown et al., 2021;Voo et al., 2022;Kofler & Baylis, 2020;Milan et al., 2021). The available research on SSI-specific solutions, at the moment, is mostly focused on high-level technological tradeoffs, with a focus on privacy and security guarantees (Halpin, 2020;Karopoulos et al., 2021).
Section 3 "Applying VSD to an SSI-based credentials app" provides an overview of the findings and methodology of the original report. We present a case description of the original uNlock report and present key findings on the application of VSD conceptual investigation in the context of SSI. We provide a rationale for the choice of VSD and present key findings on the identification of stakeholders, values, and translation of SSI in the context-specific use case.
Section 4 "Evaluation of VSD methods" looks into the findings of the original report and translates these results into the context of generic SSI architecture. Using the 5 criteria suggested by Winkler and Spiekermann (2021), we evaluate the results of the VSD methodology application. These criteria are (1) identification of direct and indirect stakeholders, (2) identification and conceptualization of values, (3) understanding of value harms and benefits, (4) development of mitigation strategies for value tensions, and (5) presentation of technical measures to address values. 4 The findings of the original report (which was finalized before the worldwide deployment of such applications) have found that the idea of an "immunity passport" for everyday social activities was highly morally problematic. The main reason for the negative assessment was the lack of scientific knowledge on immune response and the superficial appreciation of perverse socio-economic incentives in proposals on COVID-19 passports. The report concluded that any emergency measure for society-wide access control based on medical data risks becoming a permanent fixture of systematic discrimination and biosurveillance. At the moment of the writing of this paper (October 2022), these arguments hold. Given that the breakthrough re-infections for vaccinated people are well established, moral arguments framing such applications as tools for communal protection are undermined making these solutions even more morally debatable. We agree with the assessment that many of these programs were reduced to "technofixes" with questionable justification (Dennis et al., 2022).
Corresponding subsections discuss findings presented in the previous section in relation to criteria 1-4.
Section 5 "Validation and Discussion" validates the findings of the original report, specifically the identified values, harms, and benefits, against the empirically informed studies analyzed in Section 2. We suggest that the comparison of the original report findings, based on a priori conceptual analysis, against empirically informed studies, provides a valuable assessment of the efficacy of the VSD conceptual analysis. We also discuss the capacities and limitations of the SSI approach to mitigate value harms in these application contexts.
We conclude with the main findings and reflections on the limits of the conceptual VSD investigation.

Research Background
At the time of the proposal of the uNLock solution and commissioning of the "Ethics Work Group" report in the winter and spring of 2020, there were no ready implementations of similar systems and no empirically informed studies on the design of such solutions. During the year 2020 of the running COVID-19 pandemic, an interest in digital medical credentials, such as results of a COVID-19 test, dramatically increased due to search for a public safety strategy.
By the spring of 2020, multiple governments have signalled interest in the development of solutions for the presentation of digital COVID-19 certificates that could be used to curb the spread of the pandemic and provide an alternative to blanket lockdowns. The earliest publication addressing these aspects is Kofler and Baylis (2020), published in May 2020. The authors lay out ten arguments against the implementation of COVID-19 immunity passports for social-wide access control to work, travel, and social events. Together with practical concerns regarding the lack of scientific evidence on the immunity against COVID-19, Kofler and Baylis outline distinctive moral concerns regarding privacy, fairness, discrimination, social division, and health. Brown et al. (2021) provide a response to critical arguments against such solutions. They argue that such solutions provide the only viable alternative to blanket lockdowns restricting freedom of movement and other civil liberties. Furthermore, they speculate that ethical issues presented by immunity passports are less problematic than those presented by lockdowns.
The topic of ethical issues associated with COVID-19 immunity passport was addressed by WHO Ethics and COVID-19 Working Group (Voo et al., 2022). This publication examines the ethical concerns of immunity passports that are related to equity, stigma, and unintended harm. Voo et al. state that the benefits and harms of immunity passports must be assessed to determine whether the implementation of immunity passport policies may be considered ethical.
At the moment of publication of this paper, a substantive body of knowledge on ethical issues associated with COVID-19 immunity passports is available (de Figuerido, 2021;Milan et al., 2021;Gstrein, 2021;Sharma et al., 2022;Dennis et al., 2022). We observe, however, that in contrast to general research on the ethics of immunity passports, there is a noticeable deficit of studies focusing on ethically relevant issues specific to SSI-based solutions. This observation relates to a more general deficit of research regarding ethical issues associated with the implementation of SSI solutions, even though many developments in this field are ethically motivated (Prekuschat & Reed, 2021).
From the perspective of VSD research, there is also a noticeable absence of studies on the application of VSD methods in the context of identity management solutions in general. We only identified one study employing a method of stakeholder value identification similar to VSD. Briggs and Thomas (2015) provide the results of a workshop aimed at the identification of common values between minority groups in the context of UK proposals on identity management. To the best of our knowledge, there are no studies either on the application of VSD methods in the context of SSI solutions.
Nevertheless, we identify several relevant studies providing insights into the identification of ethical issues and value frameworks that present interest in the context of this paper. Two of these studies (Abramson et al., 2020;Lacity & Carmel, 2022) look into the deployment of SSI solutions in a very similar use context: presentation and sharing of credentials for the employees of healthcare facilities. Abramson et al. (2020) present the findings of a workshop on the exploration of SSI solutions for sharing and presentation of professional credentials for employees of healthcare organizations. They created a set of SSI design principles by inviting a group of stakeholders to identify benefits and harms in a workshop setting. In addition to this exercise, Abramson et al. created a list of design principles that they distilled from a literature investigation and input provided by stakeholders. To create a value hierarchy, stakeholders were asked to rank eight design principles from the most valued principle to the lowest valued principle for technologies that enable clinical passports. The ethical investigation conducted by Abramson et al. is similar to the conceptual investigation proposed by the VSD methodology. However, Abramson et al. do not mention the usage of VSD or explicitly follow the process proposed by VSD.
Lacity and Carmel (2022) present a white paper on the implementation and management of an SSI project based on a case study at the UK National Health Service (NHS). The case study of the report is a digital staff passport to verify health professionals' qualifications and credentials, based on the Sovrin network. While the report does not address any ethical concerns specifically, it contains a number of insights on relevant stakeholder values. Based on insights from the use of the solution by NHS, Lacity and Carmel identify a number of benefits to the healthcare facilities and employees. They provide a cautious but optimistic assessment regarding the maturity of SSI standards and related technological solutions on the basis of the analyzed use case. Wilford et al. (2021) provide a broad overview of ethical issues associated with blockchain-based solutions for digital vaccine passports. While this study does not explicitly consider an SSI approach, it is relevant, given that the highlighted systems involve similar technological components. The authors critically review several such solutions including the COVID-19 Credentials Initiative (CCI), International Air Transport Association's (IATA) Travel Pass Initiative, IBM's Digital Health Pass, and EU Digital COVID Certificate. Wilford et al. outline a number of ethical concerns specific to this technological context, with a primary focus on privacy. They argue that the complexity of the resulting solutions cannot be addressed satisfactorily by the proposed regulatory frameworks, creating risks of opaque surveillance structures.
Halpin (2020) provides a more detailed low-level analysis regarding the use of SSI standards such as decentralized identifiers (DID) and verifiable credentials (VC) for COVID-19 immunity passport solutions. He highlights various limitations of such standards in the context of privacy and security guarantees for the users, with a focus on attacks that can undermine cryptographic components, data unlinkability, and integrity of credentials. Halpin also argues against the suggestions that ensuring security and privacy in such solutions can make them ethically acceptable. He points out that risks of the erosion of fundamental human rights presented by ubiquitous identity checks can make such solutions morally problematic regardless of underlying technological architectures. Karopoulos et al. (2021) provide a comprehensive survey on various solutions for digital COVID-19 certificates, analyzing relevant academic work, national proposals and initiatives, and available smartphone apps. They highlight several key initiatives including The WHO smart vaccination certificate (SVC), The International Air Transport Association (IATA) Travel Pass Initiative, COVID-19 Credentials Initiative (CCI), EU Digital COVID Certificate (EUDCC), CommonPass, AOKpass, and several others. Karopoulos et al. highlight that nine of the identified schemes leverage blockchain technology or a similar PKI solution. They give an overview of key functional characteristics with a more detailed focus on the privacy and security guarantees of the proposed solutions.
Our literature analysis supports the significance and novelty of the main research question of this paper. The survey of relevant studies makes it clear that the development and implementation of solutions for the presentation of medical credentials are rife with ethical issues. The related body of studies on technological architectures for such solutions also highlights a significant interest in SSI standards and solutions. However, there is also a noticeable research gap in research methods for the identification and mitigation of ethical issues in this specific technological context.

Case Study of the Original uNlock Report
uNLock is an application that has been proposed in 2020 during the COVID-19 pandemic to provide a tool for Dutch healthcare facilities to determine if a person is compliant with the entry requirements of the facility. uNLock is premised on a situation in which COVID-19 tests for the healthcare sector are widely available. The schematic high-level architecture of the uNLock app is given in Fig. 1.
Once a person has been tested, she or he receives a unique credential of that test result that can be saved in the uNLock application on a smartphone. As soon as this person wants to enter a healthcare institution, the desk clerk requests the person to scan a unique barcode provided by the institution. The visitor can then read the access policy on her/his smartphone and receive a notification whether her/his COVID-19 test results are in compliance with the access policy of this particular healthcare institution. After that, the visitor can decide to show the cryptographically signed proof of compliance with the access policy to the desk clerk, whereby the digital proof's authenticity and validity are checked.

Methodology of the Original Report
The approach used in the study is based on the value sensitive design approach (Friedman et al., 2017). Value sensitive design (VSD) is "a theoretically grounded approach to the design of technology that accounts for human values in a principled and comprehensive manner throughout the design process" (Friedman et al., 2013, p.56). VSD supports a design of technological innovations that not only takes into account the instrumental aspects such as functionality, reliability, and ease of use but also the moral values of individuals and societies.
VSD has been applied in many cases over the past 25 years. Winkler and Spiekermann (2021) identified 113 papers discussing VSD projects in the period from 1996 to 2016 (only 17 of which applied all three perspectives). It has been argued that VSD methodological framework can be a fruitful approach in the context of identity management solutions for privacy (Friedman et al., 2013, van den Hoven, 2013. Both maturity of general VSD methods and demonstrable applicability in the design of solutions for the management of private data has informed our choice of methodology in the original report.
The comprehensive VSD approach places much emphasis on the fact that not only the values of direct stakeholders must be considered, i.e., the users of technological innovation, but also the values of indirect stakeholders who may be impacted by the innovation-even though they do not interact with it themselves. At the conceptual level, the relevant stakeholders and values are identified and defined, based on existing literature and knowledge. At the empirical level, the actual perception of these values by the various types of stakeholders is studied by employing methods such as interviews, focus groups, or experiments, leading to further elaboration of the values into norms. At the technical level, the values and norms are translated into technical design. The three perspectives are iteratively employed. They are meant to inform each other rather than be engaged in as separate, strictly sequential activities.
In line with the value sensitive design approach (Friedman & Hendry, 2019), we started with a conceptual investigation. We took a broad inclusive interpretation of values as suggested by Friedman et al. (2013) referring to what persons or groups consider important in life, circumscribed by the set of specific values with ethical import to system design. As the separation of the investigations is a conceptual tool, meant to appreciate interactional aspects of design, different investigations should not result in separate tracks within the project.
Thus, a resulting conceptual framework is a tool that not only is meant to inform the design of the system but that should be updated and refined in an iterative manner throughout the later stages of empirical and technical investigations, including broader engagement with stakeholders and a feedback cycle of the uNLock system technological development. In order to ensure that all ethical and social issues will be addressed in the value sensitive design, detailed insights and information regarding the uNLock application and the stakeholders are required in the conceptual investigation.
We have performed the conceptual investigation in the following three steps: Step 1: defining and mapping the stakeholders of the uNLock solution, their interests, benefits, and harms.
Step 2: translating interests, benefits, and harms into values and norms Step 3: harmonizing the uNLock value set with existing research on values and norms of SSI

Defining and Mapping the Stakeholders of the uNLock Solution, Their Interests, Benefits, and Harms
Based on the information on the application that we gathered from the partners of the uNLock consortium (internal reports and online meetings with the partner responsible for market analysis, use-case analysis, and app development), we performed a stakeholder analysis to identify the main stakeholders of the uNLock solution. We first analyzed the main goal of the uNLock application, which was defined by the consortium as "to provide verified proof of COVID-19 test results." The direct stakeholders-the direct users of the uNLock application-were identified. At the next step, the indirect stakeholders-the group or persons and institutions that are affected by the use of the uNLock application without using it-were identified. Based on this distinction, we composed an overview of stakeholders. Next, based on the known roles of stakeholders in this use case, we described the interests of the stakeholders in the solution and identified the benefits and harms that the stakeholders could expect from the uNLock solution. Table 2 (Appendix) shows the elaboration of the stakeholder roles in the context of the application. Identification of the stakeholders was done by distinguishing not only direct and indirect stakeholders but also explicitly acknowledging the values of the consortium partners (values' source analysis).

Translating Interests, Benefits, and Harms into Values and Norms
We translated the benefits and harms from step 1 into underlying values. Values and their definitions can be broad and too abstract for instrumentalization in a specific context, such as needed for the formulation of design requirements. Furthermore, an overly abstract definition of values risks ignoring or obscuring relevant social, economic, and cultural differences. Thus, the second step of our conceptual investigation was to provide conceptualizations of identified values in the context of the uNLock solution. Identification of values was performed through philosophical analysis (van de Poel, 2013) and value source analysis (Friedman et al., 2017), based on uNLock app project proposal provided by the members of uNLock consortium (high-level system design).
We identified 29 values and sub-values. The list of identified values with corresponding conceptualisations is presented in Table 3 (Appendix). Identified values were conceptualised for clarity and translated into norms specific to the application context. 5 We took care not only to look at the uNLock solution in a narrow technological sense but to also take the social context into account, as well as the interaction between the two (co-evolve technology and social structure).

Harmonizing the uNLock Value Set with Existing Research on Values and Norms of SSI
In order to identify ethically salient features of the SSI approach in this context, we have analyzed the 10 principles of self-sovereign identity (Allen, 2017) by Allen. These principles were mapped to the list of identified values (Table 1).

Evaluation of the VSD Methods
The findings of the uNLock report are interesting in the context of the VSD methodology as the only available study at the moment that aimed at the explicit application of VSD methods for the design of an SSI-based solution. To evaluate the results of this report, we adopted the five criteria suggested by Winkler and Spiekermann (2021), for the assessment of VSD application outcomes. These criteria are (1) identification of direct and indirect stakeholders, (2) identification and conceptualization of values, (3) understanding of value harms and benefits, (4) development of mitigation strategies for value tensions, and (5) presentation of technical measures to address values. We argue that by using conceptual methods of VSD in the context Table 1 Mapping of SSI principles to values Ten SSI principles (Allen, 2017) and interpretation in the use context uNLock VSD value (1) Existence. While this principle is open to interpretations, in a general sense, it states that the credential holder is not fully described by or fully dependent on digital representation. In the context of uNlock scenario, this principle was translated into the autonomy of choice to use the provided ID scheme or alternative method (e.g., a paper credential).
This principle is thus instrumental to the value of autonomy of identity and control. To a certain degree, this principle facilitates values of employee autonomy and inclusion.
In the specific use case context, this principle translates into the requirement that information represented by the uNlock credentials can be accessed only with the consent of a credentials holder.
Given the inherently sensitive nature of medical information, adherence to this principle is necessary to ensure the protection of dignity.
(3) Access. Users must have access to their own data. In the use context, this principle requires that users must be able to access their data and any associated claims without the interference of gatekeepers or intermediaries.
This principle is relevant to the values of individual agency and more broad set of autonomy values.
(4) Transparency. Systems and algorithms must be transparent. The context-specific translation of this principle requires adherence to several norms: The system design is open-source; The system must operate in an intelligible and easily accessible format, using 'clear and plain language'; The implications of the use of the system must be explained to the user.
Adherence to these principles is crucial for the values of Transparency and Trust.
(5) Persistence. Identities must be long-lived, or at least as long-lived as desirable by the identity holder.
Non-permanent identities are necessary for users' privacy.
(6) Portability. Information and services about identity must be transportable. In the use case context, it was considered that the transferability of this ID solution scheme in other contexts has limited desirability, given the risks of function and scope creep.
The principle of data portability was considered to be adverse to the values of privacy and dignity. Sharing of sensitive medical data outside of the specific application context is ethically problematic, as justification for such sharing does not translate directly into new contexts.
(7) Interoperability. Identities should be as widely usable as possible. In the use context study, this principle was translated into the requirement to provide interoperability between different verifiers, as healthcare employees may need to present their credentials at different healthcare facilities even across borders of different EU countries.
This principle was considered to be instrumental for values of non-discrimination/fairness, as healthcare employees might be unfairly required to perform additional tests or use a different solution for the sharing of credentials.
(8) Consent. User must agree to the use of their identity. In the context of the application case, this principle means that each data transaction must be authorized (and only executed) with the user's consent.
Non-consensual sharing of sensitive data undermines trust in the solution and takes away users' agency. Thus, this principle is necessary to protect the value of trust and individual agency, as well as the broader set of individual autonomy values.
of generic SSI architecture, we can address 4 out of 5 criteria. The following four subsections present findings of the original report in corresponding four categories.

Stakeholder Analysis
Identification of stakeholders is usually considered to be an initial stage of the VSD method aiming at systematical analysis of individuals and groups that are expected to be affected by the investigated technology. The traditional distinction involves direct stakeholders who do interact or will interact with technology directly and indirect stakeholders who will not directly interact with the technology but can nonetheless be affected by the deployment. As Friedman et al. (2017) argues, effective identification of all affected stakeholders necessarily requires broad inclusion of not only individuals, but also groups, institutions, and societies. At the same time, Winkler and Spiekermann (2021) point out that the identification of stakeholders can be particularly challenging as a broad definition of stakeholder groups can undermine value sensitivity.
In the context of SSI solutions, the set of direct stakeholders to a certain degree is defined by the architecture and the data flow of the SSI method for sharing and the presentation of the credentials (Fig. 1). Typical direct stakeholders in a generic SSI data flow include a credential holder, an issuer of the credentials (issuer), and verifier of the credentials (verifier). However, particular roles of the direct stakeholders can vary between specific contexts of applications and define role-specific values, benefits, and harms.
The specific context of the original uNlock report has identified specific roles of direct stakeholders in the analysis ( Table 2 in the Appendix). These roles include employees of healthcare facilities as credential holders, managing organizations of healthcare facilities as verifiers, COVID-19 testing providers as Ten SSI principles (Allen, 2017) and interpretation in the use context uNLock VSD value (9) Minimization. Disclosure of claims must be minimized. In the context of the report, this principle translates into the requirement that data shared in the credentials should be as minimal as possible, as well as the requirement that developers and system administrators should consider and implement best practices in data minimization techniques.
This principle is necessary for the protection of privacy and security.
(10) Protection. The rights of users must be protected. In the context of application, this means that users' data and any associated claims must be as protected as possible, and data may not be shared with third parties or re-used in other contexts.
This principle was found to be instrumental for the values of security.
issuers, members of uNlock consortium as infrastructure providers, and patients of the healthcare facilities. 6 Identification of indirect stakeholders in the scope of the uNLock report was based on a conceptual analysis informed by considerations on the integration of the proposed solution in the broader social and regulatory frameworks. We have identified non-users (individuals/organizations), professional unions, government agencies (excluding direct supervisory authorities), regulators, and wider society as indirect stakeholders most likely to be affected by the deployment of the uNlock solution.

Identification of Values
As presented in Section 3.2., broad definition of values, as suggested by Friedman and Hendry (2019), was taken as an operational definition in the uNlock report. Friedman et al. (2017) suggests that it is also important to distinguish between different sources of values in order to identify divergence and alignment between different stakeholders. Three suggested sources of values include (1) explicitly supported project values referring to an agreed-upon set of values that guide the design process of system development. All these sources were included in the analysis of the uNlock report. The core set of values was primarily identified through the process of analysis of stakeholders' interests. This set was extended by the explicitly supported project values that were defined by the core 10 principles of the SSI approach translated into corresponding values. The professional values of the uNlock consortium members in this context overlap with the values of infrastructure providers as a stakeholder group. Values of the report authors in that case also overlap with stakeholder values but also served as critical reflexive points and anchors for the moral-theoretical grounding of the investigation.
We observed that many of the identified values present a hierarchical taxonomy, where there are certain values such as trust, privacy, well-being, and autonomy branch into different conceptualisations, with distinctively different semantics. One reason for such branching is that conceptualisation of values is contingent on attribution to different stakeholders. E.g., conceptualisation of autonomy is different from the autonomy of the credential holder to use the solution in a particular way and the autonomy of the verifier to establish verification policies consistent with organizational norms. The second reason is the inherently broad meaning of label terms, such as privacy and trust, branching into different conceptualisations if considered in technical, legal, and ethical meanings. Furthermore, label values attributed to the same stakeholder can branch into specific interpretations such as autonomy of identity as a more general ethical principle and employee autonomy as a context/ role-specific value.
Such value branching requires careful attention in the context of SSI architectures, given that there is no uniform interdisciplinary conceptual framework. Current work on the standardization of SSI terminology largely focuses on the level of data models and as such is limited to technical terminology. 7 Work on the integration of this terminology in regulatory frameworks is still in the early stages. 8 However, the lack of attention to this conceptual branching can lead not only to the failure to identify relevant values but also to the failure to identify harms and benefits. For example, as we show in the following sections, the autonomy of a credential holder can come into conflict with the organizational autonomy of a verifier.
The uNLock report aimed to address this shortcoming through the adoption of a broad set of working definitions for value conceptualisations (Friedman et al., 2017). It is clear, however, that the application of the VSD methodology in the SSI context could greatly benefit from such a hierarchical taxonomy of values, supporting VSD practitioners to accurately navigate between general label terms of values and conceptualisations varying between stakeholder-specific and field-specific interpretations. 9 Value hierarchy has been previously proposed in the context of VSD as a tool for the translation of general value conceptualisations into application-specific norms and technical specifications (van de Poel, 2013;Umbrello & van de Poel, 2021). Our observation on the branching of values is different from these studies in one important aspect. van de Poel (2013) distinguishes specification of values from conceptualisation arguing that the latter often does not require detailed knowledge of the domain in which the value is applied. And in the case of competing conceptualisations, we can choose conceptualisations that are more adequate on the basis of general philosophical analysis.
In our experience, the problem of value hierarchy occurs already at the stage of value conceptualisation, where there are no clear criteria available on why some conceptualisations are more adequate than others. For one, choosing certain value conceptualisations over others carries a risk of replacing stakeholder values with designer values. Secondly, it carries a risk of ignoring certain value conflicts and tensions that can be revealed at the level of context-specific conceptualisations.
We argue that the observed issue is a particular case of a broader problem in applied ethics of technology. Namely, the need for the articulation and formulation of specific adequate conceptions of general notions (and articulating criteria of adequacy) become problematic in their application in new contexts (Van den Hoven, 2010). van den Hoven suggests that the semantic expansion of general concepts in specific contexts can be grasped by the Rawlsian distinction between general concepts and their specific instantiations as conceptions. Here, we consider label values as general operational definitions of general concepts and sub values that can be derived from label values through stakeholder attribution and discipline-specific definitions as conceptions. 10

Value Harms and Benefits
In VSD approaches, identification of harms and benefits to stakeholders can be performed both on the basis of empirical investigation and conceptual investigations drawing on analytic investigation and philosophical arguments. The uNLock report, limited to conceptual investigation, has focused on the identification of harms and benefits of technology through the means of applied ethical analysis. We have established a list of all potential benefits including arguments from the initial consortium proposal on the development of the uNlock application and considered the implementation of an SSI-based solution in the proposed specific use context.
We found out that the identification of stakeholders' harms and benefits and the identification of values are most fruitful when these tools are seen as a series of iterative feedback loops. Initial identification of benefits that could be derived from the technological architecture and use context has provided new insights into values attributable to different stakeholders. These insights in turn have helped to locate relevant ethical considerations grounded in moral theoretical analysis that have helped to identify corresponding harms. Such an analysis performed in a series of iterative updates was used to inform the final list of values (Table 3) as well as corresponding harms and benefits.

Mitigation Strategies for Value Tensions
The original report being limited to the conceptual stage of VSD investigation did not produce a comprehensive set of mitigation strategies for value tensions. In a multi-stage VSD process, the development of such strategies is relegated to later stages of an investigation when empirical insights can be translated into technological solutions addressing identified value tensions. However, in the context of the uNlock report, the known constraints and affordances of the SSI approach have made it possible to outline potential design directions capable of facilitating, protecting, or upholding certain values. Interestingly enough, some of the SSI principles were identified as adverse to certain values.
We achieved these insights through the translation of the 10 key SSI principles into use-case-specific norms and consequent mapping to identified stakeholder values. This helped to distinguish which values potentially could be facilitated (protected) by SSI principles and values that must be addressed outside the scope of the SSI approach (Section 3.3.3.; Table 2). 11 Here, we elaborate on the interpretation of these principles in the context of the original report and highlight the potential capacity of these principles to address specific value tensions.
We have found that mapping the SSI principles to the list of identified values in this specific use case can provide a number of insights. For one, this exercise helps to reveal that the general SSI framework aims to address a significant number of stakeholder values, namely, broad label values of autonomy, control, agency, transparency, trust, privacy, and security. Secondly, the translation of these general principles into application-specific norms highlights an extended number of relevant values that can be considered within the SSI design framework: dignity, fairness, and inclusion. And interestingly enough, one of the key principles of SSI was found to be in adverse relation to privacy and dignity when translated in the context of the specific use case.
At the same time, this analysis also reveals the limits of the SSI approach as many of the identified values are left outside the scope of the ten key principles. Values such as solidarity, well-being, welfare, freedom of movement, stakeholder power, individual and organizational reputation, accessibility, organizational responsibility, and efficiency do not reveal an immediate connection to general or application-specific SSI principles. This does not necessarily suggest that these values cannot be addressed within the limits of socio-technical SSI principles. However, it shows that the scope of the original SSI principles is mostly sharing and presentation of private data.
These findings are also not surprising given that SSI principles are aimed at the mitigation of value conflicts pertaining to identity management, data sovereignty, and private data flows, but not at the value conflicts associated with access control solutions. The literature analysis provided in Section 2, however, demonstrates that identity management solutions are often conflated with access control solutions. Such conflation is problematic, leading to the obfuscation of relevant values and value conflicts. We argue that the clear distinction between project values, designer values, and stakeholder values is a necessary minimum requirement for the prevention of such obfuscation at the early stages of design.
Such identification is necessary but not sufficient to make accurate judgments about whether the SSI approach can satisfactorily facilitate or protect all or most key values in the specific use case. This question can not be answered without empirical investigation providing accurate semantics to values in different contexts (stakeholder-specific, field-specific, application-specific). Furthermore, the technological stage of investigation is necessary to consider what tools at the disposal of designers can satisfactorily address arising value tensions.

Validation and Discussion
These findings present an example case study of VSD method application at the early stages of the design for SSI solution. A comprehensive VSD approach aims to refine and validate conceptual findings through the empirical investigation and analysis of technical solutions. In the ideal case, this validation should be performed on the basis of the same solution or application at the later stages of design and deployment (Friedman et al., 2017). In the case of the uNlock application, such validation is not available given that this particular solution was not deployed in production.
However, validation of the conceptual findings can also be performed on the basis of the research of relevant technological solutions (Friedman et al., 2002). 12 In the context of this paper, we take advantage of the fact that several studies on similar solutions based on the SSI approach became available after the study of the original report. This has allowed us to analyze different use cases and compare findings on values provided by the conceptual investigation, with the findings on values informed by empirical research and experiences from implemented solutions. We choose to focus on the value findings of the original report (Table 3) for two reasons. Findings on similar lists of stakeholders only would be trivial. Identification of stakeholder-specific harms and benefits, on the other hand, is not feasible, given the variation between high-level and low-level analysis in relevant studies.
We have chosen five relevant studies from the literature analysis provided in Section 2 for validation of our findings. The choice of these studies was based both on the scope of the studies, SSI solutions for medical credentials, and presentation of value-identifying results in some form (Abramson et al., 2020;Halpin, 2020;Wilford et al., 2021, Karopulos et al., 2021Lacity & Carmel, 2022). The study of Mithani et al. (2022) was omitted from the validation analysis, given the very brief and high-level character of the presented findings.
We performed a manual analysis of these five studies to identify mentions and discussions corresponding to the label values of the original uNLock report presented in Table 4 (Appendix). We have considered values as consistent with our findings, in two cases: first, straightforward correspondence between general concepts (marked "x" in the table), e.g., "privacy" and "privacy"; second, if identified conceptions of values could be mapped to the conceptualisations of values (Table 3) in a relatively direct manner, e.g., "voluntary use" and "individual agency." Such mapping can be open to interpretation, but we argue that narrow technological and application contexts here allow for more or less reliable identification of consistency (or inconsistency).
We identified 8 label values to be consistent with the findings of relevant studies: accessibility, autonomy (credential holder), dignity, fairness, efficiency, privacy, security, and trust. Each of these values is explicitly mentioned and discussed in at least 4 out of 5 studies. We found further 5 label values to be somewhat consistent with the findings in relevant studies: autonomy of identity, freedom of movement, health, individual agency, and transparency. Each of these values was highlighted in at least 3 out of 5 studies. 13 Particular interest present also presents values highlighted in several studies but not identified in the uNLock report. Most notable here are values such as decentralization, scalability, ease of use, and standardization. We attribute some of these omissions to the focus of the report on the identification of explicitly morally salient values in the specific use case. 14 Other omissions, however, indicate limitations of conceptual investigation, as the identification of certain project values and stakeholder values is premised on the identification of specific engineering parameters. This is particularly evident in the context of privacy requirements, which can only be meaningfully conceptualised in a very specific context.
A number of values presented in the original report were not identified or only briefly mentioned in the relevant studies. Some of these omissions can be explained through the contextual variations between label values and sub-values, e.g., variation of "trust" conceptions. Some of the omissions, however, can not be explained by these variations, notably, values such as dignity, inclusion, solidarity, and institutional responsibility.
These results of course remain open to interpretation, given the limited number of relevant studies. However, four of these studies present a meta-analysis of multiple solutions, thus extending the scope of the comparison. We suggest that while these findings do not present validation of the used VSD methods in a strong sense, they highlight certain convergence between the results of the conceptual findings and empirically informed studies in similar use cases.
These results are also consistent with the approach to the validation of conceptual findings suggested by Friedman et al. (2002). The main difference is a longitudinal measurement in the study of Friedman et al. (2002), performed over the course of 5 years. However, given the observation of the shortened R&D cycles in the context of the COVID-19 pandemic (Dennis et al., 2022), we do not consider the shorter period of observation of a factor that could undermine these results.

Conclusion
We have presented a case study of VSD conceptual investigation applied in the context of SSI-based solutions for the sharing of medical credentials. In order to evaluate the adequacy of these methods as components of an ethical design framework, we analyzed the findings of the original uNLock report. We adopted the five criteria framework for the assessment of the VSD application proposed by Winkler and Spiekermann (2021).
We evaluated the findings of the uNLock report on the basis of these criteria and demonstrated that the conceptual stage of investigation of the VSD approach can provide a robust tool for the identification of stakeholders, relevant values, and value harms/benefits and outline some strategies for the mitigation of value tensions.
To validate these findings and assess the adequacy of the VSD application, we performed a comprehensive analysis of relevant studies on the implementation of SSI solutions for sharing of medical credentials. We have chosen five studies that are (1) relevant in the technological and application contexts, (2) present in some explicit findings on the identification and explication of associated values, and (3) are empirically informed. We found that the findings of a conceptual VSD analysis regarding the identification of values are consistent with the findings from studies based on the analysis of technological design and stakeholder workshops.
We also presented some findings on the methodology of VSD application in the context of SSI solutions. The complex socio-technical nature of identity management systems in general and SSI solutions, in particular, necessitates the adoption of a broad interdisciplinary conceptual framework. This can create difficulties for VSD practitioners in the process of value identification, where it complicates a choice between competing value conceptualisations. We identified this problem as "value branching" and argue that the adoption of a hierarchical semantic structure for value conceptualisations can be helpful to address this issue.
Finally, with the help of the results of the conceptual VSD analysis, we identified some potential affordances and limitations of general SSI principles as a means of addressing value tensions. In order to do so, we translated the 10 key principles of SSI into application-specific norms and mapped these norms to the list of identified values. We found that while value harms related to personal data control can be sufficiently grasped within this framework, certain values are left out of scope. Most notably, value harms and moral risks pertaining to the access/control functionality of the proposed solution are largely left out of the scope of SSI principles. Furthermore, some of these principles applied in the context of credentials sharing for access control can undermine ethical and stakeholder values.
Our study shows that conceptual VSD investigation can be used as a robust tool for ethical SSI design. Through the identification of stakeholders, relevant values, and value harms/benefits, conceptual investigation can inform further stages of the design process, helping to establish the feasibility and moral desirability of particular design choices at early stages. Our observations also demonstrate that the conceptual investigation cannot be considered sufficient without empirical and technological investigations. First, the articulation of criteria of adequacy and relevance of different value conceptions in SSI cannot be done without empirical and technological stages of VSD investigation. Second, the results of the validation of conceptual findings demonstrate that the identification of certain project values and stakeholder values is premised on the identification of specific engineering parameters.
Furthermore, we suggest that these findings warrant reflections on the limitations of general SSI principles. A critical observation here is that identity management systems should never be conflated with access control solutions. Moral risks and value harm inherent to access control solutions cannot be addressed by the mere application of the SSI framework. Attempts to do so are not only disingenuous in relation to affected stakeholders but can present a problematic cooptation of SSI terminology for the obfuscation of critical value tensions. These observations highlight again that the design and implementation of SSI solutions should be supported by an ethical framework that is context-specific and robust.

Appendix
Author Contribution All authors have contributed equally. All authors reviewed the final manuscript.

Holder of identity (user of the uNLock application) Benefits
The holder of identity would be able to access work by using the uNLock application to provide irrefutable proof of health status tests. This would benefit the holder of identity by reducing the administrative burden of providing documented proof for each updated health test, and the application could minimize the personal data shared by the holder of identity.
Access to work (or people they care for); less administrative stress; irrefutable proof of health status; possibility to minimize data sharing.

Harms
Identity theft; unintentionally making detrimental decisions concerning own identity; losing identity proof, thus not being able to use it; identity being revoked; app does not work for whatever reason; access wrongly denied; need to own a smart phone; extra burden on administrative tasks; obligation to be tested; not being able to be tested; false idea of certainty and safety (i.e., due to quality of test or infection after test).

Harms
Increased security risks (i.e., through introducing more complexity to the IT system); only persons who have the app can get tested (depending on scope); more fraud (because of power of solution).

Verifiers (hospitals, care homes, etc.) Benefits
The verifiers are the institutions that could use the uNLock application to control the access management of their facilities. Originally, the uNLock application was intended for providing controlled access to the verifiers' facility for employees. The uNLock application is to be used in an employee and employer relationship.
Give controlled access to visitors (employees/volunteers/medical researchers); safety of personnel and hospital; reduced stress caused by uncertainty; increased speed of test results; effective implementation of protocol leading to less risk.

Harms
Unfair distribution of access privilege; false idea of certainty and safety (i.e., due to quality of test or infection after test); extra burden on the administration of verifier; increased security risks.

uNLock consortium Benefits
The uNLock consortium would be able to contribute to society by providing an application that could benefit the healthcare sector in enforcing its Covid-19 policy with regard to the entrance to the healthcare facility. Therewith, would the uNLock application benefit the creation of a self-sovereign identity digital infrastructure in the Netherlands?  Table 3 Values and conceptualisations

Value: autonomy of identity
Appreciation and respect for the capacity to reflectively endorse (or not be alienated from) aspects of oneself.

Value: honour of the individual
Value of recognition and approval that links reputation with conduct and helps sustain existing patterns of social ties. It is intrinsically tied to respect and the worthiness to be respected. Value: dignity Recognition of treating humans as self-governing persons and respect for the inherent capacity for upholding one's principles.

Value: individual agency
Individual agency is the ability of an individual to act in accordance with a goal; the agent has adopted on the basis of an overall practical assessment of her options and opportunities.

Value: transparency
Availability and integrity of information are the conditions of its accessibility including considerations on how this information may pragmatically or epistemically support the user's decision-making process.

Value: privacy
The right of an individual to determine what information about himself or herself can be communicated to others.

Value: non-discrimination
Guarantee that human rights are exercised without discrimination of any arbitrary kind.

Value: organizational responsibility
The possibility of a moral hazard. A person is able to make decisions and/or take actions on behalf of another person or entity, where the person is motivated to act in their own best interest, which is contrary to those of the person or entity they are working on behalf of. Embracing distributed responsibility and anticipatory approach towards risks and harms.

Value: security
Ensure the presence of peace, safety, and the protection of human rights or the absence of crisis or threat to human dignity.

Value: freedom of movement
Freedom of movement of individuals throughout the world in public spaces and spaces where they are entitled to.

Value: well-being
The state of being comfortable, healthy, and happy. The well-being of society, medical professionals, clients/patients, and non-holders should be sustained and protected.

Value: welfare (sub-value of well-being)
The state of physical and material well-being. People being able to do their job and make a living.

Value: health (connected to well-being)
Six main dimensions of health are distinguished: bodily functions, mental functions and perception, spiritual/existential dimension, quality of life, social and societal participation, and daily functioning. The ability to adapt and self-manage.

Value: solidarity
Willingness to give psychological and/or material support when another person is in a difficult position or needs affection. Unity or agreement of feeling or action, especially among individuals with a common interest; mutual support within a group. Desire to unburden medical professionals.

Value: stakeholder power (relevance)
The capacity or ability to directly influence the behaviour of others regarding one's own rights and legitimate interests. Knowledge about other people can provide power over them or others.

Value: inclusion
Ensure that the needs of disadvantaged (social) groups, such as those without access to mobile internet, illiterate, and disabled people, are considered so that no one is left behind.

Value: distributive justice (fairness)
To treat all individuals with equal characteristics in the context of data that is processed and interaction with the system equally. And with the same respect in terms of use.

Value: autonomy of employee
Everyone has the right to work, to free choice of employment, and to just and favourable conditions of work. Within the relationship between employer/employee, the employee is only bound by law and contracts, and the latter can only be signed by informed consent and without any form of pressure inflicting on the autonomy of the individual.

Value: trust
The justified belief and comfort of an individual or entity in the reliability of the system and/or all related entities and competence and benevolence of individuals that have a direct impact on the system. A psychological state compromising the intention to accept vulnerability based on positive expectations of the intentions and behaviours of another.

Value: psychological attitude of trust (sub-value trust)
A justified belief that entity (individual, organization) trusted to act on your behalf will reliably and completely act in your best interests.

Value: acting on trust (sub-value trust)
Delegation of power to another party to act in our best interests at the expense of increased vulnerability from that party.

Value: value of justified trust (sub-value trust)
Capacity to delegate complex or costly actions on your behalf to another party without excessive risks.

Value: trust capital (sub-value trust)
Sustained justified belief in a given society that the benefits of cooperation based on trust overweight possible risks and vulnerabilities.

Value: institutional reputation
The generalized beliefs and/or opinions of the public in the system or the entities that have a direct impact on the system, which can be found on any public source/forum and is translated by, i.e., journalist.

Value: individual's reputation
Value of recognition and approval that links reputation with conduct and helps sustain existing patterns of social ties. It is intrinsically tied to respect and the worthiness to be respected.

Value: accessibility
Having the opportunity and capacity to access the system for authorized parties.

Value: efficiency
Sustainable and optimized use of resources and time.

Value: autonomy of policy
Every organization has the right to draft and effectuate policy that requires adherence by stakeholders that have a contractual relationship with the organization, provided that these policies do not contradict established ethical and legal standards.

Value: right to complain
Practically feasible opportunity for all individuals that are direct or indirect stakeholders to object, to make suggestions, to be heard, and taken seriously.

Declarations
Consent for Publication All authors have consented to the submission of the manuscript to the Digital Society journal.

Competing Interests
The authors declare no competing interests.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/ licenses/by/4.0/.