Findings summaries

Model	Summary	Infrastructure Features	Link to Sovereignty Objectives
Centralized Identity Management	State or provider controls all identity records directly.	Central database, username/password access, direct government issuance.	Maximum state control, but vulnerability to breaches; weak user autonomy.
Federated Identity Management	One or a few providers act as hubs for identity verification across many services.	Identity Providers (IdPs), Single Sign-On (SSO) architectures.	Shared control; reduces duplication, but risks foreign tech dependence.
User-Centric Identity	Users control which providers access identity data; providers still involved.	Identity Brokers, Attribute-Based Credentials, Consent Management Platforms.	Strengthens user consent, but still anchored by third-party infrastructure.
Self-Sovereign Identity (SSI)	Users fully own and manage their identity credentials independently.	Blockchain or Distributed Ledger Technology (DLT), Wallets, DIDs, VCs.	Maximizes citizen autonomy and national technological sovereignty; but governance is complex.

5.2 old introduction for centralised

Q2. Legal and operational frameworks

1. Regulation Alone is Insufficient for Ethical and Effective eID Governance

While digital identity systems rapidly expand, particularly in the Global South, existing legal, regulatory, and administrative processes are inadequate for protecting rights or ensuring responsible governance.

Evidence:

“Current approaches to governing eID systems have been unable to fully address the trade-offs between the opportunities and risks associated with these systems.”
“Governments are not just regulators of the ID data but also distribute it for private sector exploitation.” (Hicks, 2020)
“Legacy legal frameworks have limited adaptability to new technological developments and associated risks.” (Brass and Sowell, 2020)
“Laws are only as effective as their implementation… regulations focussed on digital rights are still in their nascency.”
“A focus on data protection laws alone ignores the constant evolution of data mining methods, which can easily reidentify aggregated and anonymized personal data.” (Gandy, 2011)
“Principles of privacy by design... have fallen short of clear specification and enforcement for lack of an internationally approved standard.”
“Regulation alone cannot address the dynamism inherent in the digital space.”

2. Self-Sovereign Identity (SSI) Offers Promise—but with Unresolved Practical and Ethical Challenges