|Home - Blog - Publications - CV - Scribblings - Photo Album - Funny|
Note: this is a brief, rough, first-draft sketch of a longer paper paper I intend to flesh out further in the near future.
The problem of identity has become a hot topic, with the idea of self-sovereign identity in particular attracting significant excitement. The essence of the idea, in short, is to put users in charge of how their identities and personal data are used. Self-sovereign identity posits that users should decide how much and what aspects of their identities to disclose in any situation, and should know and have control over what that information is used for.
I have no argument with these basic goals. The approaches to achieving them I’ve seen, however, start to run astray in the very next step. Self-sovereign identity systems typically focus in practice on representing an identity as a set of attributes or verifiable claims that users may “prove” about themselves to a relying party. For example, the standardization effort around decentralized identity currently defines decentralized identifiers as the “base layer”, and immediately atop that the verifiable claims layer defining a rich taxonomy of personal information someone might want to know about someone else.
A central presumption in this model appears to be that the main purpose of a decentralized identity, and its main value, should be to enable such distinctions through verifiable claims. This implies by extension that a decentralized identity without any attributes that a user can (or wishes to) claim is effectively a useless, valueless, “null” identity. But by single-mindedly focusing on attributes as the primary use of an identity, self-sovereign identity projects are pushing the cart before the horse. They forgot even to ask, let alone adequately answer, the question of who or what the user is who is supposed to be put “in control” of their identity, before seeking to facilitate discrimination between such users.
By rushing headlong toward the goal of differentiating people from each other via attributes and verifiable claims, self-sovereign identity projects neglect the even-more-fundamental requirement to differentiating people from non-people. Before we even begin to separate people from each other via attributes, we need a way to separate the human users, who are supposed to be in control of their identities, from the many non-human entities such as devices, websites, businesses, and governments, bots, AIs, and Sybils, which often deliberately work against a user’s control. Dividing people from each other via attributes, before uniting people in distinction from the increasingly-powerful non-people in the ecosystem, will work against and probably defeat the basic eponymous objective of imbuing identity with “self-sovereignty.”
With a focus on attributes, in order for a user to accomplish anything or use any service online, the service will have to demand the user disclose at least enough attributes for the service to be able to exclude trolls and abusers confidently. But that will also typically be enough data to identify the user uniquely, correlate that data with the user’s other actions and data found online, defeat the user’s privacy through correlation attacks, and effectively wrest control away from the user once again. Provable attributes and verifiable claims will remain tools of surveillance capitalism, even if the user supposedly “consents” to revealing them, typically by being coerced to do so as a condition of using the service that claims to need the information.
A focus on attributes and verifiable claims neglects to recognize the numerous uses that digital identity could and should provide people before disclosing a single attribute. Providing a mechanism for proof of personhood – enabling users to prove merely that an identity uniquely represents a real person, and nothing more – could by itself address a vast array of today’s online abuse threats. The online abuse threats that attribute-free proof-of-persionhood could address include Sybil attackers, sock puppets, online ballot stuffing, social reputation hacking through fake accounts, the inconvenience of subjecting users to constant CAPTCHAs, and the energy, re-centralization, and uneven stake distribution problems of proof-of-work, proof-of-stake, and other investment-proportional foundations for decentralized systems, blockchains, or cryptocurrencies. Perhaps most importantly, secure proof-of-personhood would drastically reduce the need for uses to disclose attributes online, and the range of reasons (or excuses) that businesses or online services could reasonably invoke to demand attribute disclosure.
In short, attempting to solve online abuse and related problems by making users disclose identity attributes or personal data is privacy-invasive, often unreliable and easily hacked, and exclusionary because many real people lack documentation or established trust relationships with institutions or other people. If we can succeed in building a proper personhood foundation for identity, then atop that there will be legitimate uses for verifiable claims. But in order to enable users to be truly “self-sovereign”, we need to maximize the value they obtain from the online ecosystem merely by being people while disclosing no other distinguishing attributes.
We need to ensure that all real people have a strong baseline of rights and functionality readily available to them, both to ensure that users often have a realistic and effective choice to disclose nothing other than their personhood, and to ensure that real people with no documentation or trust relationships to prove in verifiable claims – e.g., refugees, homeless, stateless, etc. – can be (and remain) first-class citizens online. The first and most important identity system design question should not be what people can do with attributes, but what they can do without attributes.
(to be continued…)