An Accessible Interface Layer for Self-Sovereign Identity

The mechanisms and evolving standards collectively known as self-sovereign identity (SSI) offer the prospect of a decentralized Internet by providing a central pillar for a human-centered data ecosystem (HCDE). Once established this technology promises to afford participants the same agency in the digital realm as individuals experience in the real world. Investigation suggests that the domain is now suf ﬁ ciently mature to realize practically the principles of SSI, but in order to achieve sustainable adoption, signi ﬁ cant design focused work needs to be undertaken at the interface layer. This paper presents recent practice-led research designed to project current SSI prototypes to scale through conceptual modeling, preliminary user interface, and critical analysis. This research introduces the term sovereign boundary mechanism (SBM), a standardized collection of SSI interactions, which can be described as a metaphorical ring of sovereignty between the participant and the wider network. Within this model, participants control identity, relationships, and data streams and access control. This research identi ﬁ es the domains of interaction and the minimum required objects for a full-scale SSI engagement through an SBM. It de ﬁ nes the component parts and functionality of a wider HCDE which require further consideration, and it identi ﬁ es emergent concepts for which a participant may lack mental model and understanding. The research considers human computer interaction (HCI) theory across internalized, external, and distributed cognition, arguing that the current trajectory of SSI requires signi ﬁ cant internalized representations, prior knowledge, and participant responsibility. This research argues that these elements are problematic and pose a signi ﬁ cant barrier to sustainable adoption. In conclusion, this research suggests that the decentralized community needs to recognize the obstacle potentially posed at the interface layer and engage in collective standardization, strategy, and design thinking to increase the probability of sustainable adoption.


INTRODUCTION
The management of digital identities and personal data represents a formidable challenge for the 21st century; issues of privacy, inference profiling, surveillance capitalism, GAFA monopoly, democratic interference, and the lost opportunities of big data are significant.Many envisage a decentralized alternative to the centralized network, one that places the human at the center of data streams, facilitating transparency, agency, and negotiated access to personal data.Self-sovereign identity is a collection of concepts and standards that promises to emancipate the everyday user from the asymmetrical relationships observed across today's Internet.By establishing and controlling persistent digital identities and exchanging digital credentials, relationships and trust networks can be established.The decentralized nature of the technology and the subsequent requirement for the individual to manage and protect what is a complex decentralized key management system pose several interactive design challenges.This paradigm shift introduces unfamiliar concepts and raises issues of missing metaphor and mental model.If SSI is to become accessible and sustainable, we must investigate and understand SSI applications and case studies and interactions and identify the foundation design patterns needed to manage and transact personal data through digital identity.
This paper presents what is part one of a two-part publication of outcomes from doctoral research conducted between 2017 and 2020.The research poses a primary question: can a sustainable technology be established to allow for individual agency within a decentralized Internet?Two additional questions were then derived.The first considered usability at the interface layer and asks: can an interface layer for a decentralized Internet be designed to allow for accessible interaction?And the second considered value proposition and adoption and asks: how might a decentralized Internet provide value, emerge, and be adopted?As this work progressed, it became evident that the trajectory toward a decentralized Internet would require the development of a human-centered data ecosystem (HCDE): a central pillar of which could be provided by the emergent domain of selfsovereign identity (SSI).This paper presents the academic framework, method, findings, and recommendations relating to the investigation of usability and accessibility at the interface layer for SSI.A second paper presenting the findings relating to value proposition and adoption can also be found within this journal.

PRE-ASSUMPTIONS
It is not the intention of this research to advocate privacy concern or lobby for the adoption of sovereign identity decentralized technologies.The aim of this research is to consider and reflect the current proposals for SSI interactions and to extend current prototypes to scale in the context of the defined principles, required mechanisms, and evolving standards.The objective has been to enter the problem space as a designer, extend its current position, and then reflect on the outcome.That said, there are a number of accepted arguments on which this work is constructed.It is accepted that the broad concept of network centralization means giving up control of our personal information and identity (Moglen, 2013;Van Kleek and O'Hara, 2014) that the advent of the centralized model poses a significant threat to our collective and individual privacy (Solove, 2008) and that personal data are now exploited by capital in order to leverage influence over our daily lives (Schneier, 2015;Zuboff, 2015).It is accepted that there is a decentralized alternative to the centralized model which will offer a participant greater agency over elements of their personal data (Haddadi, 2015;Hornung et al., 2015;Mortier, 2014) that identity can be established through the ownership and control of personal data (IIW, 2019) and that an identity layer is integral to a sovereign engagement with the wider network and evolving Internet (Cameron, 2005;Allen, 2016;Tobin and Reed, 2016).There is an awareness of what could be considered to be a moderate bias, and every conscious effort has been made to prevent it from influencing the design of this research, the methods of data gathering, and the analysis and interpretation of results.

THEORETICAL FRAMEWORK
When exploring the interface layer for SSI, this research considers the wider academic context.The domain of human data interaction (HDI) (Mortier, 2014;Haddadi, 2015) recognizes the pervasiveness of computing in our data driven society.The theory argues that human computer interaction (HCI) has traditionally focused on interactions between humans and computers as artifacts.However, with the rapid evolution of human's interacting predominantly with data, a different academic perspective is required.Moritier (2014) defines HDI as "placing the human at the center of the flows of data, providing mechanisms for citizens to interact with these systems and data explicitly" (p. 1).The concepts of HDI illustrate the opaque mechanisms used to process personal data and the hidden inferences and subsequent feedback loops.This theory argues that a user requires legibility to understand the ambient ways in which data are processed and utilized, that agency is required to control, manage, and permit access to personal data, and that users require a means to negotiate the terms under which their data can be used.The concept of SSI provides the mechanisms required fulfilling the principles laid down by HDI and as such HDI can act as a suitable overarching academic domain.
As the interface layer for SSI interactions is investigated, it becomes evident that the paradigms of cognitive theory found within human computer interaction (HCI) are highly relevant (Harrison et al., 2007;Rogers, 2012).The current trajectory within SSI suggests that participants will manage their affairs independently through a digital wallet, engaging what is coined within this research as a sovereign boundary mechanism (SBM).These are the core interactions enabled through SSI, found at the center of a wider human-centered data ecosystem.An SBM represents a standardized set of concepts, tools, and user representations that allows for an interaction with a decentralized Internet, through a HCDE with SSI at its core.
Figure 1 illustrates the component parts of a sovereign boundary mechanism.The inner core consists of identity, access to core functionality, and personal data.The second shell consists of the accessible applications and mechanisms required to manage personal identity, credentials, data, and contracts, together with the management of data storage and access control.The outer ring depicts the sovereign boundary between the participant and the wider network.
The SBM model represents a standardized collection of interactions that the participant independently controls.This is a strict task-based engagement that arguably presents new distinct ideas and original concepts.The notion of sovereignty at the core of this model equates to individualism and given the gravitas of the personal data being transacted, the assumption can be made that a strong internalized understanding of the domain will be required to engage initially and sustain participants.This research recognizes the value of the classical HCI theory of internalized cognition (Craik, 1943;Norman, 1986;Kirsh, 1997;Johnson-Laird, 2001), considering participant mental model, internalized understanding, and processing of information at both the interface layer and within the wider data ecosystem.There are long standing arguments that challenge the validity and value of specifically internalized cognitive psychology in HCI to inform the design of computer systems and interface (Carroll, 1991;Landuer, 1991).This research suggests that internalized HCI cognitive theory is still an important consideration, not in the pursuit of an overarching set of design rules for the development of general interactive experiences, but as a framework to map and design the required internalized understanding and core functionality of a specific and standardized domain.This position is supported by Payne (2003) who argues that internalized cognitive processes and mental model are valid when considered in a specific context.
As an SBM engagement progresses outwards toward transactions with the wider network, the required internalized cognitive understanding and processing of the core concepts migrate into the functional management of identity, relationships, credentials, and data across a spectrum of scenarios.When considering the design of the tools and mechanisms to facilitate this, the theories of externalized cognition are important.The notion of external cognition centers around the argument that "when individuals are solving problems, human beings use both internal representations stored in their brains and external representations, recorded on a paper, on a blackboard, or on some other medium" (Larkin and Simon, 1987, p. 66).Scaife and Rogers (1996) describe computational offloading, the way in which external representations change the amount of cognitive effort needed to carry out a task.They go on to describe graphical constraining, arguing that external representations can be designed in such a way as to limit the possible inferences that can be made in completing a task, reducing the load on internal memory allowing more space to plan the next move.There is the notion of re-representation, a consideration of how different external representations with the same abstract structure make the solving of problems easier or more difficult.They argue for the theory of cognitive tracing that an external representation should be interactive and that a user should be able to mark and annotate to aid understanding and to build external memory (Scaife and Rogers, 1996).O' Malley and Draper (1992) offer interesting arguments through which to consider the interplay between internalized and externalized representations when interacting with systems.They suggest that the internalized representation is not only knowledge of a systems function but also knowledge of where to look and how to find further information through the externalized representations.
It is the interplay between internalized and externalized cognition that needs to be understood and managed in the development of an interface layer for SSI, in what is arguably a significant paradigm shift in network engagement that by its very nature requires a degree of internalization.It is the balancing of these cognitive processes within the context of adoption theory (Rogers, 1962) and the technology life cycle (Moore, 1991) that will determine the probability of achieving accessible, sustainable technologies and tools for SSI within a wider human-centered data ecosystem.
When contemplating the cognitive HCI theory relative to SSI and a sovereign boundary mechanism, it is important to consider the interactions within the wider ecosystem.A human-centered data ecosystem has the potential to comprise a spectrum of participants, both human and machine, in a number of environments both virtual and physical.Users may engage with applications in emergent ways, as individuals or as a collective.This spectrum of activity and interaction involves interpretation and utilization of mechanisms relative to context, so the theories of situated action need to be considered within the equation (Suchman, 1987).As interaction across the wider network will include group and collaborative coordination, the theory of distributed cognition also needs to be considered (Hutchins, 2000).
This research argues that an accessible model of interaction for an SSI driven HCDE will contain internalized, externalized, and distributed cognitive processes and that understanding, mapping, and optimizing the relationships between these elements are critical for a sustainable, functional interface layer.This utilization of a range of cognitive theories across a border interaction utilizes what Harrison et al. (2007) describes as a phenomenological matrix, a collection of HCI theory applied pragmatically where and when it is required.

SELF-SOVEREIGN IDENTITY
The concept of self-sovereign identity solves one of the most challenging problems facing the Internet: the capability to establish, own, and control a persistent verifiable identity.SSI can be defined as the following: "a digital identity that is owned and controlled by an individual, company, or machine that has no reliance on any centralized authority.The identity is persistent and can never be taken from its owner.The identity is part of a wider ecosystem, where relationships can be built, trust can be developed, and identity attributes and data can be exchanged under the complete control of the sovereign identity."The concept of a wider ecosystem is important, as once a user can control an identity, the concepts of SSI then allow the user to establish independent unique relationships and private communication channels with peers across the network.It allows for the requesting, issuing, and distribution of verifiable credentials.The ecosystem allows for the development of trust networks that are judged appropriate, dependent on a given situation.The realization of SSI is considered to be Web 3.0 and to many is inevitable (Tobin and Reed, 2016).The core principles of SSI can be traced back to the work of Kim Cameron in his Laws of Identity (Cameron, 2005).These principles of digital identity were then evolved further in the context of SSI by Christopher Allen (Allen, 2016).Allen defined a number of principles that need to be satisfied in order for a technology to be considered self-sovereign.
• Existence.Users must have an independent existence.• Control.Users must control their identities.
• Access.Users must have access to their own data.
• Transparency.Systems and algorithms must be transparent.
• Persistence.Identities must be long-lived.
• Portability.Information and services about identity must be transportable.• Interoperability.Identities should be as widely usable as possible.• Consent.Users must agree to the use of their identity.
• Minimalization.Disclosure of claims must be minimized.
• Protection.The rights of users must be protected.
The guiding principles defined by Christopher Allan together with those established by the field of human data interaction (HDI) (Mortier 2014;Haddadi, 2015) have been considered alongside the wider objective of the decentralized movement and evolving technologies and standards to define the highlevel functionality and interactions required at the SSI interface layer.
Figure 2 illustrates the component parts of a self-sovereign identity ecosystem, establishing relationships and engagement between two sovereign peers through a pseudonymous pairwise relationship, the exchange and authentication of credentials, the writing and retrieval of digital identifiers, and credential signatures from a dedicated blockchain.When contemplating an interface layer for SSI, it is important to consider it functioning at scale; Figure 2 defines the core mechanics of SSI, but when developing this model within a sovereign boundary mechanism and indeed a wider human-centered data ecosystem, a practical engagement will require additional, peripheral functions and interactions.

THE NEED TO BUILD A CONCEPTUAL MODEL
Insight into usability issues surrounding personal data protection for the everyday participant can be found in previous research.The paper entitled Why Johnny Can't Encrypt (Whitten and Tygar, 2005) investigates email encryption software and argues that despite a well-designed interface, a lack of fundamental mental model and understanding prevents Johnny from successfully encrypting his communications.The research suggests that new methods of testing are required when developing interactions that contain novel concepts and ideas.It could be argued that this work draws striking contemporary resemblance to the design space surrounding SSI.Both involving a complex collection of novel interactions, an unfamiliar digital environment, and the transaction of information with a high personal value.When investigating the current decentralized domain, there is a sense that a technically focused development community is overlooking the inevitable user experience and accessibility issues.There is evidence supporting this assumption.In the research conducted by Dunphy and Petitcolas (2018) entitled A First Look at Identity Management Schemes on the Blockchain, the principles of Kim Cameron's Laws of Identity (Cameron, 2005) are used to evaluate several SSI projects.In conclusion, it is argued that none of the projects currently satisfy Cameron's 6th law, Human Integration, and in summary state that "there is a noticeable lack of contextual understanding relating to the user experience elements of the schemes we encountered" (Dunphy and Petitcolas, 2018).Developers of SSI applications need to consider the fundamental principles of the diffusion of innovation (Rogers, 1962) which recognizes the requirement for a participant to understand a new product offering, its function, and the value found within its concepts; this needs to be considered in the context of the persuasion of a new user when making a decision to adopt or reject a novel innovation.
This research has concluded that the technical components are now in place to build a functional human-centered data ecosystem with a central component of SSI at its core.Developing an accessible interface layer for such an ecosystem is now a design problem, one which needs to balance the cognitive load required for engagement, with the value proposition decentralized tools and services offer.When we consider the cognitive load, we need to understand the model of interaction, its component parts, and the journey users take to achieve their aims and objectives.We can then begin to map the required user understanding and scaffold for a mental model.The evolving structure can then be interrogated to examine the frictions, while iteratively evolving and improving the design.The first stage in this investigation is to establish a conceptual model (Johnson and Henderson, 2002), the details of which are communicated in the following section.

METHODS
The following section describes the methods employed to investigate the interface layer for SSI through practice-led research.This is a component part of a larger mixed methods design (Creswell, 2003) influenced by Design Theory for Mixed Methods in HCI (Turnhout, 2014).Prior to the design of this component, the pertinent literature was considered, and an investigation of historical and contemporary decentralized artifacts was undertaken.Semi-structured interviews with experts from the decentralized field were conducted.Also, interviewed were practitioners from the domain of user experience and user interface design.Figure 3B illustrates how this work sits within a wider research study.

Research Phases
This component of research was undertaken in 4 phases:

Phase One: Defining a Conceptual Model
The current position of SSI comprises of a clear description of principles, defined concepts, developing standards, and preliminary prototypes.The objective of this practice-led component is to extend this current model to a scalable analog interaction and then critically analyze the result.As such, phase one engaged a conceptual modeling method (Johnson and Henderson, 2002) which suggests that practitioners should "begin by designing what to design" (p. 1).The method describes a process which results in a structured text and table-based outcome.The first step is to define the application's purpose and high-level functionality.Once this is established, the process continues with the definition of the major concepts and vocabulary.The next stage considers the conceptual objects visible to the user through what is termed as an objects and operations analysis.This process investigates the objects users manipulate, their attributes and operations, and the relationships between them.The method then progresses to a task-to-tool mapping exercise.This considers how a participant uses an application to carry out tasks engaging the visible objects, attributes, and operations.Within this practice, the development of a preliminary user interface reflects this stage.
An important understanding within the conceptual modeling process is that it is agile and flexible.As the designer progresses to develop a user interface and evaluation methods are employed (Nielsen, 2005), the conceptual model is continually updated and refined.

Phase Two: Developing a Preliminary User Interface
With a defined conceptual model in place, the method progressed to establish a preliminary user interface in a wireframe format.The purpose of the wireframe is to visualize the defined objects and their relationships, while developing the minimal interface touch points to enable the required interactions.The guiding principle in developing the user interface is simplicity.There are no radical design choices and the process utilizes existing tablebased interface design patterns.

Phase Three: Critical Reflection
Once a conceptual model and preliminary user interface had been established, a critical reflection was undertaken by the researcher.This was consciously conducted from the standpoint of the user.A user journey was considered across the full range of functionality at an introductory level.Efforts were made to uncover significant interactive friction, while identifying original concepts, metaphor, and the participant mental model.In addition, the critical reflection identifies elements of a wider human-centered data ecosystem, identifying missing components which may be required for a full spectrum of interaction.

Phase Four: Evaluation Focus Group
Once established the conceptual model and preliminary user interface can be used to communicate the concept of the domain, its components, the required objects, and the scope and scale of the required user interaction.The developed model was subjected to an additional critical analysis, this time through consultation with usability experts and interface designers.The objective of this evaluation was to consider a first cycle of development, investigate the integrity of the fundamental concepts, and provide an unbiased perspective from a practitioner's standpoint.In order to facilitate this evaluation, a workshop was designed incorporating a focus group.Guidance was taken from Finch and Lewis (2003) in its design and planning.Participants were selected locally, in the Manchester United Kingdom vicinity, for their reputation, experience, and expertise.A website was authored together with Supporting Materials which were then distributed to participants in advance of the workshop.The workshop began with a detailed presentation of the research, the concept of the decentralized Internet, and its principles and objectives.An overview was given of existing technologies, concepts, and standards.A detailed explanation was given regarding the practice-led component of research, including the conceptual model and initial UI.Following the presentation and Q and A, a focus group was conducted based on the following topics of discussion:

The Conceptual Model
The following section presents results for each stage of the conceptual modeling process.

Purpose and High-Level Functionality
The following list defines the purpose and the high-level functionality of a standardized sovereign boundary mechanism, considered in the context of a wider humancentered data ecosystem, the principles of human data interaction and self-sovereign identity, and the evolving technologies and standards.

SSI Case Studies and User Scenarios
Table 1 presents an overview of case studies and user scenarios defined as part of the conceptual modeling process.Each has been explored through the development of a user journey and reflects core interactions which might be found in a broader humancentered data ecosystem.

Objects and Operations Analysis
The objects and operations analysis requires the identification of the conceptual objects that a participant can see and manipulate.Once the objects are identified, their attributes are specified and listed alongside their relationships to one another.As the conceptual model develops, outstanding and resolved issues are also listed.Currently, 27 objects have been defined and a brief overview of each is listed in Table 2.

Initial UI Development
With an objects and operations analysis defined, a full initial user interface has been developed.A low-resolution image of which can be seen within Figure 3A.This initial user interface is a wireframe utilizing a simple table-based layout.A panel for each of the identified objects has been created, supplemented by a description of the required attributes and functions.To aid in the reading of the wireframe, a colour key has been provided highlighting the identified spheres of interaction; these relate directly to the objects and operations analysis.A PDF version of the wireframe can be found as Supplemental Material of this paper.INITIAL_SSI_UI_DEV_LOCKWOOD__2020.pdf.

Critical Reflection
The conceptual model suggests that a minimum of 27 objects are required for a functional sovereign boundary mechanism.When observing the resulting UI, it is evident that this is complex, and in terms of a cognitive load, it can be debated that it is significant.The user experience requires a clear interpretation and understanding of the system state, within which the interactions are reliant on complex sequences.There is a number of sub-domains within the system and a general understanding of the majority of objects and their relationships would be necessary in order to enable confident engagement.In subsequent phases of development, efforts can be made to reduce complexity, and many of the system processes might be reordered, automated, or streamlined following usability testing.It remains, however, that a human-centered data ecosystem through self-sovereign identity, offering full agency through a sovereign boundary mechanism, presents a collection of original concepts and interactions, which may prove challenging in the context of initial and sustained adoption, interactive friction, and participant mental model.
This research suggests, based on the evidence derived from the conceptual model and subsequent UI, together with the defined principles of HDI and SSI, coupled with the value of personal data, that a sovereign boundary mechanism requires a considerable amount of internalized understanding before meaningful interaction can be achieved.The introduction of such a system introduces considerable friction and is a backwards step in the context of contemporary user interaction design.The notion of sovereignty and independence places a great weight of responsibility on the participant, which potentially results in what is discussed later in this paper as the paradox of the sovereign boundary mechanism.
It is important to separate what can be argued to be a high friction demanding user interface experience and the internalized knowledge and understanding of system and concepts that will be required in order to engage.Critical reflection suggests that the dominant issue in any future development of an analog selfsovereign identity system is not the physical interface design.Many office management tasks, media editing tools, and social networks require engagement with complex UI structures and interactions.This research concludes that in this context, the dominant issue is that of the understanding of concepts and mechanisms.Within a sovereign boundary model of interaction, there are potentially multiple novel concepts that lack precedent, existing mental model or metaphor to allow a participant to build a sufficient internalized understanding.
Below is a non-exhaustive list of potential original concepts which may prove alien to a new participant: Initial critical analysis of the model also raises some interaction challenges and potential incomplete mechanisms.These issues manifest around the edges of the core interaction and include the following: • Direct messaging: issues concerning machine readable text.
How can messages be interpreted, processed, and responded to at scale? • Claim/credential sending: this would require a repository of standard templates across different categories.• Claim/credential request: there would need to be a means of transmitting the claims that the connected entity provided.• Machine readable T&C: there needs to be a means of providing machine readable T&C and potentially contracts.These need to go beyond the notion of Mary Hodders Customer Commons (Hodder, 2019).• Dynamic data streams: there needs to be a means of understanding the data streams and usage around data binding.• Progressive trust development: how can the initial building of trust through proofs be streamlined?• Semantic layer: who defines the semantic layer to link claim elements to zero knowledge proofs?

Focus Group
The focus group included ten prominent individuals from the user experience and interface domain.Five predefined questions were posed to participants following prior communication of SSI technology and the results of the conceptual model and preliminary user interface through a purpose built website.
There now follows a summary of the discussion and emergent themes.
From a Participant Perspective, How Understandable Are the Concepts Surrounding Self-Sovereign Identity?
Discussion was centered on the idea that the core concept of relationship building and the proving of something with a verifiable credential was solid, but the peripheral mechanisms may prove problematic.Comments were made regarding the paradigm shift from asymmetric relationships to peer to peer engagement.Concerns were raised that the concept of having individual relationships for every transaction might prove difficult to grasp.First-hand experiences of the development of money sending applications were discussed, highlighting the problems encountered engaging users with one single new concept.It was argued that SSI posed an interesting challenge, as the overall system incorporated multiple new concepts and mechanisms.Arguments were made that these concepts need to be placed into context with clearly understandable use cases and value proposition.Concerns were raised with regard to the abstraction of many of the components of interaction and that in its current form, only the most committed privacy advocate or technology enthusiast would have the drive to fathom the conundrum.The consensus was that the system needed simplification, it needed to be placed in context, and that niches of value needed to be found in order to drive interest and engagement.
What Are Your Views on the Complexity of These Interactions?
The consensus to this question, in the context of the system presented, was that the current manifestation is over complex, that many of these issues can be resolved, but that a considerable reduction in friction needs to be achieved through systematic redesign and usability testing.It was argued that a balance between exposed and hidden interactions needs to be considered if a participant is to be able to initially engage with the system.An interesting debate ensued with regard to how much the user needed to see to comprehend the value, to understand the systems functions, to trust the system, and ultimately to develop and engage a mental model.This was considered to be a key set of variables that would need to be crafted within a further design cycle.
How Do We Build Something That Is Accessible?
The debate continued in the vein of the exposure to the under-laying mechanism, complexity of interaction, and motivation to engage.It was recognized that this would require a fine balance considering initial introduction of the technology through common place usage.The issue of exclusion and the prospect of a large proportion of society not being able to access SSI due to its complexity, initial friction, and the weight of responsibility were discussed in detail.The sentiment being "just because I can, does not mean I would want to," a conversation continued to discuss on boarding, with ideas being suggested that existing users of large public or corporate systems might be automatically enrolled into an SSI system, only realizing this once additional products and services were offered.This would be seeded by an existing base set of identity credentials.The debate moved to foundation identity credentials and how they could be established and the need for some kind of solid ground that all parties could trust and build upon.There was some interesting conversations regarding trust in one's own capabilities and the risk this entailed and from a user's perspective having different, sometimes compromising identities linked to one sovereign system.The consensus was that the interactive friction needed to be reduced, automatic migration to such systems might aid in adoption, and people needed to trust and understand the system, while having confidence in their own competence and capabilities.
Could You Share Your Thoughts on Mental Model and Metaphor?
The general consensus was that in its current form, the system would be difficult to comprehend and understand.There are potentially multiple original concepts all of which need to be considered and simplified relative to a holistic user experience.It was argued that a system of this kind needed to be standardized in terms of general concepts, language, and interaction, so the experience was consistent across contexts.There was agreement that the lack of understanding of the system might exclude certain types of individuals and that participants would need assistance from a trusted party to adopt.Comparison was made with crypto currency with it being argued that for many, this is not a technology that can be adopted independently.Comment was made that the next steps should include a systematic testing strategy in order to understand, simplify, and reduce friction and that a scaffold of the required mental model in terms of the concepts, interactions, and wider ecosystem should be mapped.

Can Any of This Be Automated?
The general consensus that emerged is that automation could solve many of the complexities and frictions identified that individuals are becoming accustomed to AI and that AI can work for the individual in a sovereign way.It was suggested that

Objects
System state "notifications/activity/data flow" A central object or dashboard from which other objects will be managed.The area will deal with notifications and warnings and act as a jumping-off point to other areas of interaction.Admin and auth Administration An object from which general administration configuration can be accessed.

Push authentication
An object from which pushed requests for authentication from established relationships can be accessed and actioned.Connection "creation and distribution" DID creation This object allows the creation of a new DID.At this point, metadata can be associated, so it can be recognized and managed by the agent application.

DID distribution
This object allows for the external distribution of a newly created DID.Connection "incoming and pairing" Inputting DID "by string" This object handles the inputting of initial or introductory DIDs.

Review DID doc and create pairing
Once a DID is entered into the inputting DID string object and verified, there is the option to pair with this DID to create a pairwise relationship.Connection "established connections management" Listing of established connections Within this object, all existing connections manifesting as DIDs can be viewed, filtered, and accessed.

History of interactions
Selecting an existing pairwise connection in the established connections object opens the history of interactions object.This displays a log of all interactions with this DID pairing.Messages/request claim/request proof/send claim/data binding.Detailed pairwise DID information Within this object, the details of the paired DIDs can be reviewed in detail.The DID document on both sides.Auth methods/ endpoints/signature.There will be an option to refresh and revoke.

History log detail
If a specific element in a pairing history is selected, a detailed drill down of this interaction can be understood within this object.Connection section "functions" Direct message From here, a direct text-based message can be sent.At this stage, this is very basic and will evolve as the system develops.

Claim request
The predetermined claims available and offered by the pairwise relationship will be listed.The users can then select the claim they require and make a request.

Proof request
The proofs available and offered by the pairwise relationship will be listed.The users can then select the proofs they require and make the request.

Claim send
The claims available will be listed.The users can then select the claim they require, populate, and send.

Proof building
Auto population and confirmation This object is launched from a proof request.Once opened, the details of the proof requests are visible.The zeros are auto populated and can be seen.Within each element, there is the option to select an alternative.
many interactions in the system are mundane and that repetitive actions could be driven by an overarching user policy.Discussion centered around two areas: firstly, the means for an individual to inspect the automated component and gain trust that it was acting in their interests, and secondly that we should not replace one kind of blackbox solution with another.There still needed to be visibility of the underlying processes and functions, so the participant can understand what was happening, in order to comprehend the value propositions and advantage.

DISCUSSION
The following sections cover the pertinent topics emerging from this research relative to the development of an interface layer for SSI, in the context of both a sovereign boundary mechanism and wider human-centered data ecosystem.

The Sovereign Boundary Mechanism
The development of a conceptual model in-line with the principles of the decentralized domain, following the trajectory of technologies and standards, realizes a system that allows participants to manage their data, information, communications and affairs independently through a digital wallet and agent.The concept of sovereignty in this context translates to individualism, and this in turn, given the complexity of the required interaction, poses several issues.Within this research, this independent domain of interaction has been titled a sovereign boundary mechanism.This means there is a clear boundary between the sovereign domain and the wider network.Within this domain participants manage identity, relationships, credentials, personal data, and access control, this is a strict taskbased interaction, one which incorporates new distinct ideas and concepts.Given the gravitas and value of the personal data being transacted, this research suggests that a strong internalized understanding of the domain will initially be required to engage users.This requirement for internalized knowledge relates to the traditional notion of internalized cognition and mental model (Craik, 1943;Norman, 1986;Payne, 2003).Creating a situation where a participant is required to engage in significant internalized cognitive processes is counterintuitive to the evolution of HCI theory and accepted design thinking, where externalized cognition and computational offloading are considered best practice (Scaife and Rogers, 1996;Hutchins, 2000;Payne, 2003).
The required degree of internalized understanding and cognition in the context of adoption and the diffusion of innovation (Rogers, 1962) is arguably a primary consideration for the decentralized community.This research has clearly highlighted the complexity of a sovereign boundary mechanism, and further research and design practice needs to be undertaken to explore how complexity, friction, and internalized cognitive processes can be significantly reduced.

The Paradox of a Sovereign Boundary Mechanism
The objective of decentralization is to emancipate the participant from the centralized Internet.In doing so, the negative consequences are mitigated, and the missed opportunities presented by a decentralized alternative can be realized.However, this research suggests that the current trajectory may inadvertently replace one set of constraints with another.The complex landscape, isolation, internalized cognitive load, responsibility of managing one's own data, and generation of friction not found in centralized counterparts may replace one form of incarceration with another.It can be argued that these issues can be addressed and overcome, but the notion of the proverbial, out of the frying pan and into the fire, needs to be considered as future tools are conceived and developed.
The notion of a genuine decentralized Internet is predicated on the principle that the owner of the data should have control over it.The individual should have command over multiple immutable persistent identifiers, and they should have agency to decide who to share a relationship with and who on the network can observe their activities and transactions.The participant should have the capability to manage and redistribute their credentials or data to whom they see fit under their own terms and conditions (Mortier, 2014;Allen, 2016).This research has demonstrated what has been termed as a sovereign boundary mechanism, representing a participant who sits within a metaphorical boundary, defining identity, controlling relationships, and managing data streams.This is achievable through an analog model that potentially liberates the participant from the centralized Internet.Paradoxically, this model comes with a number of caveats which pose significant problems.This research has raised the issues of complexity, internalized cognition, mental model, friction, risk, responsibility, trust, and exclusion.By recognizing and considering these challenges through design thinking, coupled with an investigation of value proposition, the probability of mainstream SSI adoption can be significantly improved.

Back Peddling on Friction
A topic discussed within expert interviews and exposed through the practice-led component is that of increased interactive friction.This research suggests that the existing SSI analog model extended within this research exhibits a higher level of friction across interactions than that found within centralized counterparts.This relates to the required cognitive engagement, the understanding of original concepts, vague mental model and metaphor, and the shouldering of more personal responsibility.This research does not offer a metric on this assumption, but through developing and analyzing a sovereign boundary mechanism, the array of conceptual components for interaction and the collective required objects, and subsequent multilayered user interface, the friction level would appear to be substantial.If decentralized technologies are to find adoption, friction needs to be reduced not increased.Placing a number on this increased friction, potentially found in differing forms of decentralized interactions, is outside the scope of this research.However, this is a topic that warrants further investigation and should be prioritized within any continued endeavor.

A Missing Mental Model
When considering the underlying assumptions driving this research, the paper, Why Johnny Can't Encrypt, is cited (Whitten and Tygar, 1999).The assumption is stated that the circumstances described within Whitten's work may emerge when considering decentralized endeavors.Within the cited research, it is argued that different methods of user evaluation are required when considering software, where a user lacks the understanding of the underlying concepts and mechanisms.In essence, the user lacks the mental model of the domain.The paper is concerned with sending emails with encryption software and argues that even with a well-designed interface, users struggle to complete what is a relatively simple task.A sovereign boundary mechanism represents a system which is arguably considerably more challenging.This research has demonstrated a user domain that is significantly complex.There are multiple concepts, processes, and interactions, which when taken individually, potentially lack the mental model for meaningful engagement.However, when these elements are combined as a whole, this research suggests that without considerable guidance, the objective of sovereign agency and utilization of personal data through a mechanism of this kind are impractical.It is accepted that the developed user interface within the conceptual model is preliminary and that further cycles of refinement will reduce complexity and potentially improve the mapping of interactions.However, refinement of the UI will not be enough and it has to be recognized that a full sovereign boundary mechanism, in this guize, presents considerable barriers with respect to forming an operational mental model for the participant.

Internalized Cognition
Leading on from the discussion regarding the complexity and potential missing mental models, even with sufficient understanding of the system domain, the degree to which a participant may rely on internalized cognition in order to engage is of concern.
This research identifies that the required internalized understanding for both the interaction and many of the broader concepts is significant.It can be argued that the cognitive load for initial engagement poses an issue for adoption.The very concept of sovereignty, and the metaphor of a secure boundary, suggests a degree of user isolation and internalization.The value and differing types of the personal data, the weight of being solely responsible, and the complex processes through which data must traverse to engage in meaningful transactions amounts to a sizeable load of internalized understanding and knowledge.If a mental model for this domain can be established, it can be argued that engagement will still require a considerable degree of internalized cognition.Within the expert interviews, comparison was made with crypto currencies and the difficulty individuals have in understanding and engaging with an ecosystem when asset value and responsibility fall into the equation.It can be argued that a sovereign boundary mechanism is considerably more complex.Within the product design process, the degree of internalized cognition needs to be accepted and measured.From there, every effort needs to be made to reduce the internalized understanding and decision making required.As discussed in the back pedaling on friction section, the increased friction posed by decentralized systems is a primary issue, and it is the internalized processes that are arguably responsible.

A Spectrum of Human Computer Interaction Theory
This research concludes that a human-centered data ecosystem through a sovereign boundary mechanism requires the consideration of a spectrum of HCI theory and paradigms (Rogers, 2012) and that any further innovation needs to recognize this in its deliberation.The graphic in Figure 4 suggests the applicable theory across a model of a humancentered data ecosystem.
Internalized cognition and domain specific mental model (Payne, 2003) is relevant to the core of a sovereign boundary mechanism.Externalized cognition (Scaife and Rogers, 1996) is relevant between the core and the boundary.The notion of distributed cognition (Hutchins, 2000) (Payne, 2003) and situated action (Suchman, 1987) is applicable as engagement and transaction occur outside of the user boundary across the wider network.In addition, interactions and decision making within the wider ecosystem will be reliant on community-based templates and the development of trust networks, so societal and cooperative theories of HCI are also relevant (Schmidt, 2011).What is clear is that SSI falls into a number of HCI paradigms, and in identifying them, the application of Harrison's phenomenological matrix, where theories are considered and selected were deemed appropriate, would seem to be of relevance (Harrison et al., 2007).
This research suggests that the SSI community needs to recognize the importance of HCI cognitive theory and systematically address both issues of direct usability and the interaction and internalized understanding of concepts.This research argues that Payne's theory (Payne, 2003) of specific mental models for domains should be followed to map the required user understanding in detail.Any direct interaction should consider how the interface layer can push as much cognition as possible into the externalized realm.Finally, interaction and transactions need to be fully understood outside the sovereign boundary mechanism so that distributed cognitive relationships and situated actions can be defined.Above all, the consistency and cooperation across all stake holders are considered critical.
Types of activity recognized through this research, which may be reliant on distributed cognition and the consideration of situated action are as follows: A final notable HCI theory and ethical movement is that of human values, which argues that digital technology should strive to consider human values within its development process and ultimate application (Harper et al., 2008).The theory introduces the notion of empathy into the design process, as a point of reflection to consider the human values within any technology development.

Can AI or Collective Intelligence Reduce the Cognitive Load?
This topic of discussion derives from both consultation with experts and the critical reflection of the conceptual model.More conversation centers around the intelligent agent or personalized artificial intelligence, taking control of much of the mundane decision making and ongoing administration, involved in this type of decentralized system.This might be based on broad sweep criteria defined by a participant or derived through machine learning based on the participant's history.This concept has the potential to drastically reduce the cognitive load required, drawing the participant's attention only to critical and important decisions.The concept of AI supporting decentralized engagement is attractive but can also be seen as a misguided panacea.There are issues of trust, understanding, and value, which need to be considered as trade-offs against automation.If an objective of decentralization is transparency, to hide critical decision making within a blackbox may be contradictory.How can the participant trust the AI? Who defines the AI?And more importantly, how much of the inner workings of the system does the user need to see and understand, in order to both have faith and see value in the engagement?This is a significant topic for further research and debate.
Another solution to cognitive load reduction and decision making may be the establishing of group or tribe, a trust network that collectively makes decisions through shared values, for instance an environmental collective that marshals relationships and transactions through ethical reputations.This is part of the trust framework conversation, related to the theories of distributed cognition (Hutchens, 2000) and the emerging of technology in context (Suchman, 1987).This again offers a rich seem for future research.
An aside to the notion of collective decision making is that of democracy, political representation, and vote casting.An interesting discussion might be found around the concept of decentralized systems acting as a voting mechanism.The logic being if knowledge is power then sharing your data and subsequent inferred collective information may offer a new and dynamic means of democratic process.

Balancing the Cognitive Load Against the Value Proposition
The practice-based component of this research has demonstrated that there is considerable cognitive load, complexity, and participant responsibility that potentially manifests within an active human-centered data ecosystem.This friction might be mitigated through careful design considerations, but it can still be argued that even then the required engagement demands more effort on behalf of the participant than that currently found within existing centralized services.To this end, in line with many of the decentralized arguments around the communication of privacy, control, missed opportunity, and value proposition, any development of an interface layer needs to be balanced against the value that interaction serves to the user.Where this balance lies and how it manifests is a central conundrum in the delivery of a sustainable decentralized Internet and stands as a source of considerable further research.This research has argued for a standardized set of user interactions to facilitate engagement with a user-centered data ecosystem utilizing SSI at its core.The objective of this work has been to develop an initial conceptual model and preliminary user interface.Critical reflection has suggested that there are significant issues regarding internalized cognition, mental model, and metaphor.There are considerable opportunities for further practice-based research as this initial representation evolves through subsequent cycles.The preliminary conceptual model requires further testing, prototyping, and development.The mechanisms of the wider ecosystem need to be explored and metrics need to be drawn against a spectrum of models for a sliding scale of user engagement.There is a need to refine a detailed optimized mapping of this challenging user experience, as this work has taken only the first tentative steps toward that objective.This research has not resolved the challenge of establishing an accessible interface layer for selfsovereign identity, instead it acts as a contribution to knowledge and a jumping-off point for further research and development for what is a very important academic and practical domain.

CONCLUSION
This research concludes that the core technological infrastructure is now in existence to facilitate a genuine sovereign identity layer for the Internet, one which satisfies the principles of both human data interaction and self-sovereign identity.Investigation suggests that a dominant trajectory for a human-centered data ecosystem with the advent of a functional identity layer is progressing toward a sovereign boundary mechanism with self-sovereign identity at its core.By projecting forward the current trends through a conceptual modeling exercise, this research has demonstrated a potential interaction model that is complex and high in friction, requiring significant internalized cognitive processes and knowledge.Though the core technological infrastructure is in place, the development of a preliminary user interface suggests a number of mechanisms and interactions which still need to be developed to facilitate a full human-centered data ecosystem.This research concludes that in the development of an interface layer for SSI, a spectrum of HCI cognitive theory needs to be considered and any next steps should attempt to map the interplay between internalized, externalized, and distributed cognition.This research suggests that the SSI community needs to recognize the obstacle potentially posed at the interface layer and engage in collective standardization, strategy, and design thinking to increase the probability of the sustainable adoption of this revolutionary technology.

FIGURE 1 |
FIGURE 1 | The component parts of a sovereign boundary mechanism.

FIGURE 2 |
FIGURE 2 | The component parts of an SSI interaction.

•
Identity sovereignty • Multiple identifiers • Individual unique relationships with peers • Peer to peer relationships and equality • Establishing individual relationships to engage services • The metaphorical boundary between the participant and the wider network • The understanding of and the managing of static and dynamic data • Data binding • The blockchain as a source of truth • Verifiable credential and the cascade of validity • The issuing of credentials • The concept of proving truths through partial data disclosure • Finding faith in distributed storage • Finding faith in one's self and the responsibility of managing presence • Understanding the relationships between digital and physical manifestations FIGURE 5 | Balancing the cognitive load against the value proposition.

Figure 5
Illustrates the balancing of Cogitative Load again the Value Proposition A Starting Point for a Full Interface Layer Mapping

•
Participant Understanding • Views on the Complexity of the Interactions • Mental Model and Metaphor • Building Accessibility • The Potential for Automation

TABLE 1 |
Simplified table presenting SSI case studies and user scenarios.

TABLE 2 |
Simplified table presenting objects and operations analysis.