Identity 2.0 — a response

This was originally posted as a comment on a LinkedIn post by Dakota Gruener of the same name. In her post, Dakota Gruener questions if blockchain is necessarily the solution for Identity 2.0.

You can view the LinkedIn article here, and the same article on Medium here.

It’s refreshing to hear a voice of reason [Dakota Gruener] speaking at volume in the world of identity.

I’ve held a passion for cryptography for over half of my life and this extended naturally into the world of blockchain. The underlying invention of decentralized consensus is one of the most important technological and political advances of the century — it speaks worlds to me.

But ever since the blockchain crowd started speaking about identity, I’ve had an ever growing feeling that something is wrong. It mostly comes back to my passion for cryptography — many of the “problems” that people are throwing blockchain at are readily solved using established cryptographic primitives. But there are lots of startups out there bending over backwards to use blockchain, and they’re doing weird things like placing a hash of an identity on a blockchain and calling it “immutable” when the hash itself is an immutable and irrevocable representation of the data used to create it.

The one thing that’s difficult to achieve without blockchain is self-sovereignty. Self-sovereignty is the fundamental purpose of cryptocurrency — nobody can prevent me from accepting funds, and nobody can take those funds away.

The 70 million displaced and stateless absolutely need a solution. But is self-sovereignty the answer? Is it even a legitimate design goal in the world of identity?

Nobody is asking the question. Self-sovereign identity is the One True Way™.

But there are huge implications for self-sovereignty in the world of identity that don’t exist in the world of currency. Nobody can stop a person from creating or keeping an identity.

This is bad:

  • Who will stop the army of spam accounts?
  • Who will revoke hacked or fraudulent identities?
  • Who will help me re-establish a trusted identity after I lose mine, and remove the old one?
  • How can I trust any of the identities in such a system?

The burden of trust is shifted, not eliminated, and it’s shifted from the creators of identities to the consumers of identities. You gain self-sovereignty but you lose identity convergence: by design, nobody has the power to weed out duplicate identities (whether they be lost/fake/hacked/spam), and thus nobody is providing any guarantees that a person is who they claim to be.

And when faced with these problems, instead of taking a step back and considering whether or not they’ve landed in a Fable of the Roasted Pigs, entrepreneurs/experts/bloggers start hand-waving about implementing Web Of Trust over the top of their decentralized identity.

But anyone familiar with the decades of research on this topic, rather than just the brochure, will know how flawed and broken it is. Making Web Of Trust resilient against highly motivated and well-funded adversaries is an order of magnitude harder than fixing identity. In undertaking this challenge of exploding complexity we are completely removing ourselves from solving real problems for real people, making this whole thing feel like a religious quest — and in this story, I’m the heretic.

Unfortunately it’s really hard to publicly express an opinion against blockchain identity without losing credibility: there is a very well funded hype machine ready to destroy any and all opposition.