Who really owns your data?

I have been chatting with friends lately about the outrageous way data brokers scoop up our information and sell it on to whoever will pay. That “data exhaust” then becomes fuel for bad actors and spammers, who use it to track, target, and harass us in ways most people never agreed to and barely understand.

Cyber, privacy and data sovereignty

Over the past few years, “cyber”, “privacy”, and “data sovereignty” have been treated as separate workstreams, with separate teams, frameworks, and regulators. In practice, they are now the same problem seen from three different angles: who controls data, who can see it, and who can compel it.

Self sovereign identity sits squarely inside that overlap. It offers a possible path towards more user control and data minimisation, while also exposing how dependent most current digital systems remain on centralised intermediaries, offshore platforms, and legal jurisdictions that users do not control.

From security and privacy to sovereignty

Most organisations grew up with a familiar split. Cyber security teams focused on keeping systems and networks resilient against attack. Privacy and legal teams focused on how personal information was collected, used, and disclosed under data protection law. Data sovereignty, if it appeared at all, was often reduced to a procurement question about where cloud data centres sat and which jurisdiction’s laws applied. But now that separation no longer works well enough.

In a cloud first and AI saturated environment, every meaningful privacy decision has a cyber dimension, and every cyber decision has a sovereignty dimension. Where logs and telemetry are stored determines which government can subpoena them. Where training data lives shapes which regulator can govern its use. Where identity and access management resides determines who can reach into the control plane.

Data sovereignty is often described in simple terms: data is subject to the laws and governance of the country where it is stored and processed. That sounds technical, but it goes to the heart of power and control. If critical data and security telemetry sit offshore, then part of the risk posture has effectively been outsourced to a foreign legal system.

Why jurisdiction is now a security control

The old model treated “where the data lives” as a compliance line item. Tick the box for local hosting, note a security certification, and move on. That approach is no longer sufficient.

Jurisdiction has become a first order security control because it determines which agencies can lawfully demand access, shapes what happens in a breach, influences which threat actors see infrastructure as strategically important, and conditions how easily sovereign monitoring and response can be established.

Australian organisations are increasingly paying attention to this. There are stronger expectations that cyber services, security operations, and data centre capabilities should be sovereign by default, with data, monitoring, and incident response retained within Australian borders and governed by Australian law.

Yet sovereignty without privacy becomes surveillance, and privacy without sovereignty is fragile. Both are needed.

Privacy as user level sovereignty

Privacy law has always been, at least on paper, about individual rights such as consent, access, correction, and purpose limitation. In practice, many identity and data architectures still treat users as objects to be administered by large platforms. Accounts are provisioned, identities are federated, tokens are issued, and people have limited control over the resulting data exhaust.

Self sovereign identity, or SSI, is one response to that imbalance. At its core, SSI is a digital identity model where individuals control their identity credentials rather than relying entirely on centralised identity providers. Users hold verifiable credentials in digital wallets and decide what information to share, with whom, and at what level of detail. A service can verify that a credential is valid without needing to ingest every piece of underlying personal data.

There is, however, an important debate about how far the “self sovereign” label actually takes us. An old friend, Steve Wilson, a Australian based identity and privacy researcher, has been influential in keeping these discussions grounded in data protection, assurance, and institutional realities rather than hype.

His work is especially useful because it reminds practitioners that identity is fundamentally about proving things about people in context, not simply “owning” a digital object. That emphasis matters when organisations are tempted to treat SSI as a branding exercise rather than a deeper redesign of how data is collected, verified, and shared

Instead of logging in through a central identity provider that sees and mediates every transaction, SSI allows the user to present cryptographically signed proofs directly to relying parties. In practical terms, that means proving enough for the transaction, such as being over 18 or holding a professional qualification, without disclosing the entire identity record.

Self sovereign identity as a privacy preserving layer

Modern SSI designs make use of decentralised identifiers, verifiable credentials, and increasingly privacy preserving cryptography such as zero knowledge proofs. These approaches allow a person to prove that a statement about them is true without revealing the underlying raw data. A person can prove they meet an age threshold without disclosing their full date of birth, or prove membership status without exposing unrelated profile attributes.

Several important consequences follow:

• Minimisation becomes easier because only the attributes required for a transaction need to be disclosed.
• Data aggregation is reduced because there is no single identity provider observing every interaction.
• User agency is strengthened because consent can become more granular and technically enforceable.
• Privacy by design is more achievable because the architecture itself limits unnecessary collection and retention.

From a cyber perspective, SSI can also reduce the honey pot value of large centralised identity stores. If fewer institutions need to retain full identity records for routine transactions, some categories of breach impact can be reduced, even though new risks are introduced around wallet security, key management, and implementation quality.

Wilson’s long standing scepticism about simplistic “identity on the blockchain” narratives is useful here. Commentary associated with his research and public appearances stresses that things like public blockchains do not magically solve assurance, privacy, or trust, because real world identity still depends on issuers, governance arrangements, and institutions that stand behind credentials.

Where data sovereignty and SSI meet

The most interesting part of this concept is where macro level data sovereignty and micro level identity sovereignty begin to overlap. At the macro level, data sovereignty is about the legal and political control exercised over data by states and institutions. At the micro level, SSI is about giving individuals more practical control over how identity data is disclosed and reused. Both are responses to unaccountable concentration of power.

For Australian organisations, this intersection has practical consequences.

• If core identity platforms remain subject to foreign legal regimes, local data sovereignty ambitions will always be constrained.
• If SSI and related privacy preserving architectures are ignored, organisations may continue embedding over collection into systems that should be moving towards minimisation.
• If AI and analytics pipelines are designed without considering where identity proofs and attributes live, meaningful user control will be difficult to provide.
• If digital identity is treated only as a convenience layer, its role in resilience, trust, and strategic agency will be underestimated.

In that sense, digital identity architecture is no longer a neutral technical choice. It is a direct expression of an organisation’s stance on privacy, control, and dependency.

What a more aligned approach could look like

A more coherent approach starts by treating cyber, privacy, and data sovereignty as one design problem rather than three governance silos. That means building environments where critical data and telemetry are stored and processed within jurisdictions that organisations are prepared to live under, and where oversight is meaningful rather than symbolic.

It also means designing identity and access systems around minimisation and selective disclosure, borrowing from SSI principles even where a full SSI stack is not adopted. Privacy impact assessments should examine cloud control planes, cross border data flows, and third country legal powers over vendors in the stack. AI and analytics pipelines should be governed not only by privacy law but also by explicit decisions about infrastructure dependency and jurisdictional exposure.

There is room for bounded experimentation in domains where SSI solves real problems. Government digital identity programs, education credentials, health access, and age assurance are obvious candidates. In these settings, verifiable credentials and selective disclosure can reduce unnecessary sharing while maintaining assurance for relying parties.

At the same time, it is important to stay realistic. SSI is not a magic fix. Sovereign hosting can increase cost and complexity. Stronger privacy controls can limit some forms of analytics. Wallets, credentials, governance, and recovery processes all need serious design. The point is not technical purity. The point is to align architecture with declared values about trust, resilience, and control.

Why this matters now

For countries like Australia, the strategic issue sits just beneath the operational one. If critical data, identity systems, and AI workloads all depend on foreign infrastructure and foreign legal systems, then national room for manoeuvre in periods of stress will be narrower than official rhetoric often assumes.

That is why cyber, privacy, and data sovereignty should no longer be discussed in isolation. They are now core questions of institutional design and strategic agency. Self sovereign identity does not solve the whole problem, but it does offer a useful lens. It forces a more serious conversation about how much data should be collected, who should mediate trust, and what genuine control might look like for both individuals and institutions.