Too big to fail? Google/Facebook/Twitter case for organic dismantling, part 2

Marcin Ziętek
9 min read · Apr 30, 2019

“ID Triad” or the Facebook/Google kryptonite — the three missing ingredients of the fair, functional and respectful online space.

Following several years of research into the evolving online space and its ongoing deterioration, we’ve narrowed down three missing vital components needed for our digital presence to be independent, functional and offering an accurate representation of ourselves. We believe that their introduction can act as a natural healing balm, capable of bringing the current imbalance of power to an end.

1. Self-Sovereign Identity (SSI)

As suggested in part 1 of this article, there never was an “us” on the internet. While this might have sounded a little cryptic, the reason is that, from a technological standpoint, the online world lacks a layer of user-held digital identity. The internet was not invented to deal with authentication at the base layer, as its origins stem from military systems, where it took place at the secondary layer, on a per-system basis. This remains the case — every application or platform is a silo with a separate set of credentials needed for login, be it email, apps, games etc.

In today’s models, we entrust our data to the admins of the apps, hoping it will not be leaked or misused. Since our security is only as robust as its weakest link, which in this case is every other app admin, our hope is rather delusional. This data model is prone to hacking, leakage and rogue monetisation, with all three happening on a mass scale every day. The incentives for such outcomes are increasing, so we should not expect this to fix itself.

World’s biggest data breaches and hacks of the last 4 years. This chart does not include the recent 500 million Facebook accounts and passwords found on Amazon servers in plain text. Source: Information is beautiful

For now, this is the only model we have come to know. Yet it is quickly becoming apparent just how corruptible its DNA is. Again, it is nobody’s fault — this intermediate phase of the internet has to move past the high-school bully mentality and hopefully grow into a respectful partnership with its users. If left to itself, however, we might end up in a relationship with an abusive, controlling spouse, also known as an Orwellian surveillance nightmare. It is our responsibility to build better data handling models to prevent this.

It is precisely the absence of independent, sovereign, user-held identity that allows for the massive power imbalance and the manhandling of our data.

It is, therefore, a taboo for the big players, and likely to remain under wraps as long as possible. The emergence of a sovereign identity layer sets a foundation for the dismantling of this dysfunctional model, as through it we individuate as independent digital entities able to speak for themselves online. Luckily, with the current state of development of the Self-Sovereign Identity (SSI) frameworks, there is a ray of hope, as the missing technology is in its final stages of development.

An SSI user profile acts as an application-independent representation of ourselves online. It is a storage space for identity and sensitive user data, verifiable by others, but never owned by third parties.

Our SSI credentials, once issued, belong to us in the same way paper documents do. As in real life, they can be granted or voided by the issuers, but not physically taken away. SSI can also be seen as our privately held login to third-party services, and a space on the Internet that operates entirely on our terms, with no snooping, tracking or non-consensual data processing. It brings us into actual existence online, as a sovereign digital representation of our offline selves.

From a business standpoint, SSI should be viewed as a protocol, not a stand-alone product, in a vein similar to email. Businesses build services on top of it, but not directly inside of it. There will likely be many providers of SSI, and hopefully a single standard for the expression of the underlying schemas and credentials.

In our view, SSI is the most needed and game-changing application of blockchain technology, Bitcoin and cryptocurrencies notwithstanding.

Self-Sovereign Identity key features:

  • An SSI profile belongs only to the user and cannot be taken away by anyone, be it an app provider, government or authority. Credentials can expire and be voided by issuers, but the core identity is always ours to keep.
  • It lives on our devices. When lost or stolen, it can be recovered through a network of trusted, appointed peers or encrypted backups.
  • It is not possible to hack it on a mass scale. Hacks can happen one user at a time, which is not profitable for hackers.
  • It is portable and can be attached to mnemonic or biometric keys, allowing for great ease of use, even in difficult situations.
  • No one can forge it, or use it in the owner’s name, even if read by an attacker.
  • It acts as a container for certified documents and credentials issued and signed by trusted third parties, the authenticity of which can be instantly determined without the issuer's knowledge.
  • It is perfect for storing sensitive information and digital reputation and does this in the most secure way known.
  • It can easily work as a login into SSI-accepting apps. Such a login is not owned by a service provider and lets us expose only relevant data from the service’s standpoint and nothing more.
  • It makes use of zero-knowledge proofs, meaning we can prove things about ourselves without revealing the underlying information. Example: cryptographically proving that someone is over 18 years of age without revealing the actual birthdate. Legal compliance is possible without privacy breaches.
  • It is by default GDPR compliant — third parties do not store our sensitive data — we do.
  • It enables the users to monetise their data on their terms, as any disclosure is consensual.
  • We start to exist online. We become a subject. An “us” is born!

Technically, SSI technology relies on permissioned or public blockchains, depending on the particular implementation. The most important building blocks of SSI are Decentralized Identifiers (DIDs) and Verifiable Claims (or Credentials). Decentralized identifiers are the base of all SSI interactions, as they actually represent the actors within the system.

A Decentralized Identifier is:

  • Permanent (persistent) — It never needs to change.
  • Resolvable — You can look it up to get metadata.
  • Cryptographically-verifiable — You can prove ownership using cryptography.
  • Decentralized — No centralized registration authority is required.

Source: Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sovereign Identity (SSI)

For more information, check out this slideshow on the nature of DIDs.
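
The DID properties above, together with the earlier points that a credential can be checked without the issuer's knowledge and cannot be used in the owner's name even if an attacker reads it, can be seen in a small Node.js sketch. This is an added example, not code from the article or from any SSI project; the `did:example` identifiers, the function names and the in-memory registry standing in for DID resolution are assumptions.

```javascript
// Added illustration: did:example, the function names and the Map-based
// registry (a stand-in for DID resolution) are assumptions, not a real SSI API.
const nodeCrypto = require('node:crypto');
const newKeyPair = () => nodeCrypto.generateKeyPairSync('ed25519');
const sign = (key, text) => nodeCrypto.sign(null, Buffer.from(text), key).toString('base64');
const valid = (key, text, sig) => nodeCrypto.verify(null, Buffer.from(text), key, Buffer.from(sig, 'base64'));

// The identifier is derived from the public key, so only the key holder can prove ownership.
function didFromKey(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return 'did:example:' + nodeCrypto.createHash('sha256').update(der).digest('hex').slice(0, 32);
}

// Issuer signs claims bound to the holder's DID. "over18" is a signed predicate, not a ZKP.
function issueCredential(issuer, holderDid, claims) {
  const body = JSON.stringify({ issuer: didFromKey(issuer.publicKey), subject: holderDid, claims });
  return { body, proof: sign(issuer.privateKey, body) };
}

// Holder signs the verifier's fresh nonce together with the credential.
function present(credential, holderPrivateKey, nonce) {
  return { credential, nonce, holderProof: sign(holderPrivateKey, nonce + '.' + credential.body) };
}

// Verifier checks both signatures locally; the issuer is never contacted.
function verifyPresentation(p, registry, expectedNonce) {
  const { issuer, subject } = JSON.parse(p.credential.body);
  const issuerKey = registry.get(issuer), holderKey = registry.get(subject);
  if (!issuerKey || !holderKey) return 'unknown DID';
  if (p.nonce !== expectedNonce) return 'stale nonce';
  if (!valid(issuerKey, p.credential.body, p.credential.proof)) return 'bad issuer signature';
  if (!valid(holderKey, p.nonce + '.' + p.credential.body, p.holderProof)) return 'holder key mismatch';
  return 'ok';
}

function demo() {
  const issuer = newKeyPair(), holder = newKeyPair(), thief = newKeyPair();
  const holderDid = didFromKey(holder.publicKey);
  const registry = new Map([[didFromKey(issuer.publicKey), issuer.publicKey], [holderDid, holder.publicKey]]);
  const cred = issueCredential(issuer, holderDid, { over18: true });
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const forged = { ...cred, body: cred.body.replace('true', 'false') };
  return {
    genuine: verifyPresentation(present(cred, holder.privateKey, nonce), registry, nonce),
    stolen: verifyPresentation(present(cred, thief.privateKey, nonce), registry, nonce),
    tampered: verifyPresentation(present(forged, holder.privateKey, nonce), registry, nonce),
    replayed: verifyPresentation(present(cred, holder.privateKey, nonce), registry, 'a-newer-nonce'),
  };
}
console.log(demo());
```

Only the presentation signed with the holder's key against the verifier's current nonce is accepted; a copied credential, an altered claim and a presentation checked against a different nonce are each rejected at a different step.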

A great example of a consortium consolidating SSI efforts and development is the Sovrin Foundation, an entity conceived by Evernym through open-sourcing a large code library created to deal with identity in a non-federated, independent way. With about 60 stewards, acting as custodians of the identity blockchain, they are building a framework for a web-of-trust, along with players that wish to rely on the new paradigm of identity management. With real use-cases on the ground, it’s worth keeping an eye on these initiatives.

What we are witnessing with today’s data breaches is likely the tip of the iceberg.

The gravitas of the SSI approach is profound: it is likely that the current mess cannot be fixed without it. It is logically flawed to expect online privacy and fairness if we scatter our information around and leave it at the mercy of thousands of external servers, with little or no accountability.

We are strolling around, carrying backpacks with holes and ripped-open zippers. Our precious belongings keep falling out onto the street, only to be picked up by strangers. Yet, we expect to have full control over our possessions. In the real world this mindset would qualify as insanity, whereas online it is still a necessity.

Although the implementation of SSI does not automatically solve any of the aforementioned problems, its absence guarantees their sordid persistence.

2. Machine-readable P2P intention

Like identity, there is no protocol on the internet to express our intentions in a searchable, machine-readable way, resembling our unique, private voice online. Understandably, there cannot be, as devoid of identities, “we” are not in a position to have such a voice. Instead, we use applications that serve as fragmented services to cater for an array of needs. While a lot of them offer genuine added value and specialized functionalities, most of them are generic replicas of one another — find friends, exchange skills, buy/sell stuff, get hired, etc. This adds to the cluttering of our digital experience, making us juggle dozens of accounts and interfaces to get very simple things done. These functionalities can be replaced by a layer of P2P intention, working as a matchmaking engine to bring together parties offering complementary services.

This approach has been researched to some extent under semantic web efforts, schema.org and others, but has not reached a stage of actual user-friendly UI. This task is exponentially harder to implement than the SSI layer itself, as apart from SSI, it requires a standardized syntax for expressing intent, or alternatively, tools for real-time translation of various syntax models.

For a seamless integration of P2P intention, additional services, such as legal, arbitration and insurance in case of disputes, will be necessary. Transition to P2P intentional communication will likely manifest in smaller ecosystems with flexible interfaces, which eventually might start talking to one another. Users will then be able to opt in to middlemen for additional services, based on trust and respectful relationships. Data used in these transactions will reside on the user’s side, being shared only with those directly involved in a given transaction.

In simple words, Machine-readable P2P Intention is our own distinct voice online, used for expressing our needs and offerings to the outside world. It is tied to our self-sovereign identity, which acts as the owner of that voice, accountable for its actions, traceable to it.

3. Verifiable Reputation

To move past the current ocean of fake news, manipulation, impostors, anonymous hate speech and other rampant pathologies, we need a verifiable, online trust layer. We need to see the track record of whoever is on the other side of the communications channel. Without it, we will remain stuck in the current deadlock, in which applications desperately try to moderate our interactions, but the users have little incentive to behave themselves. Trust is badly needed, and not much currently exists to support it.

Verifiable Reputation is a carrier for this trust and is linked to both identity and intention. It stems from transactions (finalized intentions) between two or more self-sovereign identities. From a technical standpoint, reputation lives inside of the SSI container. Its records are also verifiable credentials, signed by transacting identities. To represent us accurately, reputation needs to be contextual, so there is no way a Black Mirror-like scenario can occur, where a one-dimensional reputation score has the power to ruin a person’s life. I can be a good musician and an average tennis player, with two distinct track records for each, stemming from interactions and activities within these contexts.

In simple words, Verifiable Reputation is like an eBay rating, except contextual and attached to our sovereign identity profiles, instead of eBay or any other app. It is sourced from a multitude of transactions, certifying our trustworthiness as a counterparty.

These three components, Self-Sovereign Identity, Machine-Readable P2P Intention and Verifiable Reputation are crucial to our dignified online representation. Like in real life, through these three layers we are able to:

  • Introduce ourselves and verify who we are
  • Express what we want, in our own name
  • Prove we are trustworthy
  • Hang onto what is ours, aka our sensitive data

Once this is in place, our backpacks are again zipped up, and we are no longer dropping things left and right. We have an identity, a voice to express ourselves and a track record to prove we are worthy. None of this information is dependent on a particular third party, although like in real life, third parties may revoke credentials they have issued. A web of trust forms that resembles a non-digital community, with known actors and a common system of values. Our brains get it, and so do we.

The road ahead

It’s bumpy but exciting. The current state of the online space is very much the equivalent of the emergence of financial tycoons at the beginning of the 19th century. They owned almost everything and had a wide influence, yet eventually were broken up into smaller, more fragmented businesses, allowing a lot of their wealth to drip down, forming a middle class and higher standards of living. This happened through regulation and slow empowerment of the individual, able to start their own competitive ventures.

Our endgame is to build networks that promote awareness, growth and empowerment, as opposed to the massive concentration of power in the hands of the very few, at the cost of our wellbeing. This fight more resembles a yogic striving for balance than an actual war, and is certainly not to be confused with class war or an attempt to instate digital communism.

Since our quest here is to tackle these problems head on, and not just theorize, in the next part we talk about concrete models for implementation of the outlined strategies, and how to put it all together.

Stay tuned…

Marcin Ziętek

Social media analyst, technology blogger and entrepreneur. CEO of Joynt.works — an online community platform with tools for permanent community engagement.