The Phone-Borne Identity — Part 1

Andrea B
Coinmonks
19 min read · Oct 26, 2016

1. Introduction

In the next few years identity management will change as much as reading did after we got tired of copying books by hand. We will have identity technologies so sophisticated, nimble and powerful that they will humble current ones and leave us to wonder how we got by without them. We will tell future teenagers of the time when we could not prove instantly and precisely what we wanted to anyone we wanted. Teenagers will ask how we could possibly trust the people we interacted with, much like today they ask how we could make an appointment with our friends in town without cellphones.

What follows is a series of progressively connected short pieces, each aiming to drive home a single point required to understand the larger picture of the Brave New World of Identity. If you grok them, at the end you will see the clockwork turn. They require no leaps of faith — only a few changes in perspective.

The rarer but original meaning of ‘identity’ (as used in the word ‘identical’) points to the concept of ‘correspondence’ rather than ‘individuality’, and gives us an idea of where the story is going. It all starts with a simple subway ride.

2. Taking the Subway as Proof of Identity

If you ride on the subway in Singapore — or many other cities for that matter — you tap a magnetic card on a turnstile when you enter the station, and again when you exit. The two taps are not the same as saying “hello” and “goodbye” when you get in and out of a shop. You must prove where you entered the subway as you exit, or you will have to pay the top fare. By linking these two events the system can calculate the appropriate fee in a way that satisfies both you and the Singapore Ministry of Transport.

We don’t think about taking the subway as a proof-of-identity transaction, but double-tapping the card is nothing more and nothing less than proving the identity (that is, the correspondence) of who first entered and then exited, as guaranteed by the uniqueness of the subway token.

Maybe riding the subway as a proof of identity sounds too abstract, so let’s move on to a more useful example: logging into Gmail. Website authentication these days is handled at the most superficial level through usernames and passwords. What a password attempts to prove is not who you are, but that you are the same person (or the same dog) who went on the internet and registered an account — much like in the Singapore subway. Passwords should be secret and hard to guess, and if you can type it in you are probably the same person who picked it. Any time you want to change your password you have to enter your old password, and this creates a chain of correspondence that links back to the first interaction between you and Google. If the chain breaks, you don’t have an identity anymore.

Registering a Gmail account does not require submitting a personal ID. It is only a simple handshake deal between you and Google. If no external identification is required to register an account, no external identification can retrieve it. If the handshake is compromised by the loss of the password or by the interference of a third party there is no government office you can petition to have your email address returned to you, as you would a driver’s license.

Passwords are easily cracked or intercepted, and we never discovered a silver bullet to securely identify users. This resulted in the creation of auxiliary, low-reliability systems that combined produce better security than any one of them alone. These days most websites offer new layers of security such as two-factor authentication — which implies possession of a separate device — a backup email address, a number of security questions or a valid phone number (which usually requires a government ID to acquire). The likelihood of all these layers being compromised at the same time is sufficiently low that Google feels confident they are sufficient to recover your identity. This system is more complex than that of the Singapore subway, but it is still made of the same probabilistic links of identity between actions and is becoming part of a broader web. The importance of creating webs of weak-ish identity links to reinforce each other will become clearer later.

This is good enough to prove identity to Gmail, but most of the time identity does not need to be proven back and forth between two parties exclusively. In most circumstances, Alice needs to prove to Bob something that Tom says about Alice. This form of claim can be called an ‘attestation’. In the real world, an example of attestation is a University granting you a degree. Attestations are probably the most important part of identity for daily life. Very little can be accomplished in the real world without the gravitas provided by external validation, whether in the form of a driver’s license, a bar exam certificate or a recommendation letter. Some attestations are univocal (like the above examples) while others require multiple parties co-signing a single attestation (like two parents naming a child). Others yet are reciprocal (like a marriage contract) or even more complex.

3. Misconceptions about identity and personhood

The examples of the subway and Gmail can point us to a misconception about identity: the belief that identity must start from a central core of individual personhood, and then move on to establish relevant properties associated to it such as a birthdate, marital status, citizenship.

Our intuitive idea of identity as intrinsically connected to personhood is created by life-long habits and experience with government IDs: you know that you are yourself, that your driver’s license is linked to you, that if you carry it in the wallet you and only you can drive a car around — and this seems quite enough to know about the topic for daily life. Identity is monolithic and personhood-based in its current pre-packaged forms. An alternative way to look at identity is to build it from its component parts.

At its foundation, ‘identity’ is a provable link between any two (or more) relevant facts that satisfies a given counterpart. Some proofs of identity depend on a single link, as in the subway example, others require a link to a broader network of proofs, as in the case of your Gmail account, and others yet require access to a much broader network.

This does not mean that we can rebuild current identity systems using this framework. It means that they already are based on this framework, and could not be otherwise. If you strip all properties from an identity you don’t end up holding your core, bare self — you end up with nothing. Identities are strings of salient statements and attestations attached to each other, going from your birth to your death certificate.

4. All that is gold does not glitter

Every time you show your driver’s license to a cop, your PADI diploma at a diving centre or your university credentials during a job interview, your identity is never expressed directly, only implied through sufficient attributes. We assay the authenticity of what is around us not through its essence but through a list of properties we can experience. We establish that gold is gold not by reaching for its imagined gold-ness, but through salient aspects of its phenomenology. A fool might be convinced by a conman at a bus station that a necklace really is made of gold by its shine, while a wiser buyer will test its malleability and specific weight — among other factors. Both only discern sufficient attributes of gold-ness, never gold-ness itself.

In the same way, when you pass through customs at the airport the officer will screen you through a list of attributes that provide sufficient confidence that you are who you say you are — a passport with a photo and a serial number to check against a database, deskcam pictures taken when you used that passport to enter or exit the country, and other criteria which I assume customs officers know about. Ideally he will also check you negatively against a list of suspects that could enter the country with a forged passport. If the attributes of authenticity decrease the likelihood of a fake to a satisfying degree, the officer will stamp your passport and wish you a pleasant stay, and the investor will walk home with the gold.

Identity systems do not have to provide 100% confidence to do their job. For specific purposes, their margin of confidence can be both low and useful. The launch of a nuclear strike requires a proof-of-identity protocol that must be at the same time exceedingly secure and extremely fast. You cannot afford to launch your ICBMs by mistake, but you also cannot afford to launch them too late when under attack. Most other identification procedures require a significantly lower level of confidence, since the cost of mis-identification is lower, and can be considered as part of the cost of doing business. The destruction of mankind cannot be part of the cost of doing business, but a fraudulent credit card charge can. AirBnB uses a mixture of Facebook and Credit Card verification to provide ‘good enough’ identity for the transactions it facilitates. This leaves them open to some degree of fraud, which is cheaper than not being in business at all.

5. From Subway to Government

Earlier I argued that you can build an identity profile with Google with the same building blocks that are required for a subway ride: a series of actions connected to the same person with sufficient probability. The same building blocks are also the foundation of your identity with the government. Deep down, there is little difference but more paper.

You probably have a number of official documents, many of them displaying your physical appearance, each of them matched with a corresponding entry in one or more government databases. When one expires, you can have it replaced using the old one, much like you would choose a new password with your old password. If one gets lost, a combination of the others can replace it, much like your Gmail password can be reset using a combination of backup email address, phone number and security questions. No one piece of paper is conclusive, and only enough of them combined establish your gold-ness.

If all are lost, usually a number of witnesses can be summoned to re-authenticate you as yourself: provable identities can be used as sufficient guarantees to reinstate a lost one (fingerprints, hand-written signatures, DNA samples and other distinctive characteristics also help). This will become very important in Part 2 when we talk about Decentralised Blockchain Identities.

The creation of your account with the government works a little differently from a Gmail account. Any number of Gmail accounts can be created, as long as you can prove that “you are not a robot”. Google does not care if a single person registers multiple Gmail accounts, but governments need to make sure that an identity is tied to a single physical person. This is usually done by combining attestations from parents (“I am the mother of this baby”) and from a hospital (“this baby was born to this woman in our hospital”). This is the government equivalent of the “create new account” button. A government-issued identity emerges from combined attestations from people or institutions with existing identities of their own, and “it’s turtles all the way down”.

6. Limitations of current Identity systems

Are standard identity systems dissatisfactory? Besides a few mishaps, they work well enough for most of us, and for most of our needs — but so did typewriters.

Our expectations for the tools we use match only the highest-possible performance of the status quo. Incumbent technologies work well for low-performance tasks, and replacing them would feel like reinventing the spoon. As they are put under stress by high-performance requirements we feel a level of inconvenience that we learn to accept as part of life like back pain, taxes and traffic jams. What lies beyond the performance level of the available is not yet conceived of, and therefore cannot disappoint us. If browsing YouTube required swapping tapes in a VCR we’d think of the system as a bad joke, but YouTube would have never been built with VHS tapes — and back in the ’90s nobody was complaining. What are we missing out on then? Let’s list some of the shortcomings of modern identity systems.

  • Identities and attestations must be guaranteed by central authorities, and are therefore siloed. If you want to change or correct an attestation you must have access to a silo, and often the same goes if you want to prove it: a bouncer might trust your ID if you want to enter a club and look too young, but serious employers must double-check college degrees with the college itself.
  • Silos cannot communicate easily with one another and transfer information — for technical and political reasons — but many attestations require other attestations that are stored elsewhere. Everyone is familiar with the redundant and labour-intensive paperwork required to transfer an attestation from a government agency to a local government office. Even identities managed by private organisations are mutually incompatible: your reputation as an eBay seller cannot be used to rent a flat on AirBnB. PADI centres need to refer to your government ID to award you a diving certificate, and once you go to another centre you need both your government ID and your PADI certificate.
  • If identity information is siloed it is also concentrated. If it has value, concentrating it creates honeypots for thieves. If your pantry burns, come winter you have to ask your neighbours for food. If the wheat silo in your village catches fire, come spring everyone is dead. Storing wheat in a silo is also more convenient than storing it at home, but arsonists have a harder time getting their way with a hundred pantries than a single silo.
  • Wheat is tangible, and if removed from the silo someone will notice it missing. Information is digital, and can be shared without the knowledge of its owner. In an internet economy where monetisation is difficult, business models have evolved where silo owners will let you store parts of your identity and use it for free as long as you let them make a profit by selling it.
  • Only a few organisations can provide attestations because creating them is labour-intensive and requires single-purpose infrastructure. This limits the range of attestations that can be provided to those so important that their utility is greater than the cost of setting up a central entity to create them, store them and guarantee them. In principle, anyone could provide attestations big and small to others as they see fit. Accumulations of such attestations could create important reputation links, but the cost of producing and demonstrating them is prohibitive.
  • Centralised identity management by governments, no matter how efficient, is by definition inferior to decentralised open services, much like AOL’s one-stop-shop for all your internet needs was inferior to what was offered outside. The free market can be applied to identity to produce comparable improvement.

7. The Boring and the Exciting

There are two categories of problems within identity: the boring (but important) and the exciting (and also important).

The boring problems have to do with providing everyone with the same base identity services that most of us already enjoy. Some in the developed world and many more in the developing world are too poor or too underserved by institutions to possess a viable form of ID and its related attestations. Others have IDs, but cannot trust their government to handle them correctly. In such environments identities can be easily forged, stolen, lost or not recognised. Decentralised Blockchain Identities will grant anyone in the world with a smartphone a default level of sovereignty over himself, his past history, his property and his reputation.

The exciting problems require services that are in the “things we cannot yet imagine” category. Until they have been built and are ubiquitous, their feasibility will be doubted and their demand underestimated. These services have something in common with personal computers, the internet, and cryptocurrencies. At their inception, each appeared to laypeople and Intellectuals-Yet-Idiots as over-engineered novelty technologies whose complexity did not justify their limited usefulness. The problems they tried to solve — at first — were already solved sufficiently well by existing technologies, and they came with significant trouble to the end user. Typewriters, the USPS and bank accounts all worked better than the first word editor, the first email client and the first bitcoin wallet.

These technologies were derided by some and ignored by most. But their existence was naturally at odds with the status quo, by nature they pushed against it and progressively they conquered it. Personal computers and the internet eventually proved their pioneers right and silenced their sceptics, while cryptocurrencies are yet to reach a significant inflection point in adoption — and what adoption they have achieved is proportionate to their limited (but increasing) sophistication.

You have probably noticed that each of these technologies enabled the next. Personal computers allowed for the modern commercial internet to flourish and the internet made cryptocurrencies possible. Similarly, cryptocurrencies open up the field for Decentralised Blockchain Identities.

8. The Decentralised Blockchain Identity, aka the “Phone-Borne Identity”

‘Decentralised Blockchain Identity’ (‘DBI’ from now on) is a placeholder name for whichever identity standard will emerge to first augment and ultimately replace the systems we use today. It is ‘decentralised’ because it does not depend on any issuing authority, but relies on tamper-proof consensus algorithms to guarantee identity of authorship between relevant actions. It depends on a “Blockchain” because this identity standard will be deployed on the blockchain of whichever cryptocurrency proves up to the task when the time comes.

If you are reading this you probably know a thing or two about cryptocurrencies. But in case you do not, let’s establish some common knowledge. Cryptocurrencies do their magic by forming consensus on a certain state of a database — called a ‘blockchain’ — rules on how to update it and a series of game theory incentives to guarantee that this consensus cannot be tampered with (yes, they also create currency). Anyone can write on these blockchains for a small fee. There is no authorisation required to use them, and nobody can get locked out. In case this sounds trivial to you, I invite you to do more research on the topic — cryptocurrencies are probably the most consequential engineering feat in IT since the Internet itself. If you think that cryptocurrencies are too flaky or exotic of a tool to depend on for identity, consider the Lindy Effect. The oldest cryptocurrency and its blockchain have been around for almost eight years, and with each passing day of trouble-free uptime its chances of surviving further into the future increase.

If you want to create some form of identity on a blockchain, you need nothing more than access to a private key used on the ledger (see here if you want a human-readable explanation of public/private key cryptography). The identity of Bitcoin’s creator could be proven to some degree if only he signed a message with a private key associated with the first few blocks of the Bitcoin blockchain. The subway tap-in was the generation of the private key eight years ago, and the tap-out would be the signing of a new message. Given the right circumstances, a single key can be enough to prove identity.

A private key alone does not give you a full digital passport, but it allows any number of actions associated to that key to be linked to the same author. It provides some form of security — at least as good as passwords, with the advantage that private keys are a lot more complex than ‘RedSox83’ and cannot be guessed (how to secure digital identities will be discussed later).

On blockchains we can freely and easily make statements and concatenate them — tiny chains of connected actions that can be traced back to the same author. Third parties can use their own private keys to sign attestations onto these identities. There is no limit to how many micro-identities we can create, or how large the network of provably connected statements can become. The size of these identities can fit precisely the purpose for which they are created, or be tied to larger sets of statements.
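The chain of linked statements described above can be sketched in a few lines. This is an added example, not code from this essay or from any DBI project; it assumes Lamport one-time hash signatures (chosen because they need only Python's standard library) in place of the elliptic-curve signatures that blockchains use, and `Author`, `verify_chain` and the sample statements are hypothetical.

```python
import hashlib
import json
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def key_id(pk) -> str:
    """Short public identifier for a public key."""
    return H(b"".join(h for pair in pk for h in pair)).hex()

def _bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveals one secret per digest bit, so each key may sign only once.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify_sig(pk, msg: bytes, sig) -> bool:
    bits = _bits(msg)
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def encode(stmt: dict) -> bytes:
    return json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()

class Author:
    """Holds the current private key; generating it is the 'tap-in'."""

    def __init__(self):
        self._sk, self._pk = keygen()
        self.identity = key_id(self._pk)  # what counterparts remember
        self._prev = None

    def state(self, text: str) -> dict:
        """Sign a statement naming its predecessor and the next key."""
        next_sk, next_pk = keygen()
        stmt = {"text": text, "prev": self._prev, "next_key": key_id(next_pk)}
        link = {"stmt": stmt, "pk": self._pk, "sig": sign(self._sk, encode(stmt))}
        self._prev = H(encode(stmt)).hex()
        self._sk, self._pk = next_sk, next_pk  # rotate: the old key is spent
        return link

def verify_chain(identity: str, links) -> bool:
    """True if each link is signed by the key the previous link committed to."""
    expected_key, prev = identity, None
    for link in links:
        stmt = link["stmt"]
        if key_id(link["pk"]) != expected_key or stmt["prev"] != prev:
            return False
        if not verify_sig(link["pk"], encode(stmt), link["sig"]):
            return False
        expected_key, prev = stmt["next_key"], H(encode(stmt)).hex()
    return True

if __name__ == "__main__":
    # Constructed sample: two statements by one author, one third-party attestation.
    alice, university = Author(), Author()
    alice_id, uni_id = alice.identity, university.identity
    chain = [alice.state("tap in at Orchard Road"), alice.state("tap out")]
    attestation = university.state("degree granted to " + alice_id)
    print(verify_chain(alice_id, chain), verify_chain(uni_id, [attestation]))
```

A third-party attestation is simply a statement in the attester's own chain that names the subject's identifier, so it verifies against the attester's identity and not the subject's.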

Blockchains are sometimes thought of as Panopticons where nothing is private and everything is in the clear (which would make them less than ideal to store identity information), but it is possible to make private statements and receive private attestations and then selectively disclose to chosen parties those you wish. You can prove to the Singapore Ministry of Transport that you tapped in at Orchard Road Station without revealing any details about your diving proficiency. You can even prove to a bouncer at a club that you are old enough to drink without disclosing your exact age — much less all the information displayed on a normal ID card.
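One way to get the selective disclosure described above is for the attester to sign only the root of a salted hash tree over the claims. Added example, not from this essay or any DBI project: `Holder`, `verify` and the constructed claims are hypothetical, the root is assumed to be already signed and published by the attester, and the age check relies on an attested `age_over_18` claim rather than a zero-knowledge proof.

```python
import hashlib
import json
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, value, salt: bytes) -> bytes:
    # 0x00 marks a leaf, 0x01 an interior node (domain separation).
    # The random salt stops a verifier from brute-forcing low-entropy
    # values, such as a birth year, out of the hashes it is shown.
    body = json.dumps([name, value], separators=(",", ":")).encode()
    return _h(b"\x00" + salt + body)

def _node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def _levels(leaves):
    """All tree levels, bottom-up; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(_node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels

class Holder:
    """Kept on the phone: every claim, its salt, and the hash tree."""

    def __init__(self, claims: dict):
        self.names = sorted(claims)
        self.claims = dict(claims)
        self.salts = {n: secrets.token_bytes(16) for n in self.names}
        leaves = [leaf_hash(n, claims[n], self.salts[n]) for n in self.names]
        self.levels = _levels(leaves)
        self.root = self.levels[-1][0]  # the only value the attester signs

    def disclose(self, name: str) -> dict:
        """Reveal one claim plus the sibling hashes needed to reach the root."""
        idx, path = self.names.index(name), []
        for level in self.levels[:-1]:
            sib = idx ^ 1
            if sib < len(level):
                path.append((level[sib].hex(), sib < idx))  # (hash, sibling is left)
            idx //= 2
        return {"name": name, "value": self.claims[name],
                "salt": self.salts[name].hex(), "path": path}

def verify(root: bytes, disclosure: dict) -> bool:
    """Recompute the root from one disclosed claim; other claims stay hidden."""
    acc = leaf_hash(disclosure["name"], disclosure["value"],
                    bytes.fromhex(disclosure["salt"]))
    for sib_hex, sib_is_left in disclosure["path"]:
        sib = bytes.fromhex(sib_hex)
        acc = _node(sib, acc) if sib_is_left else _node(acc, sib)
    return secrets.compare_digest(acc, root)

# Constructed sample claims, for illustration only.
SAMPLE_CLAIMS = {
    "name": "Alice Example",
    "birth_year": 1990,
    "age_over_18": True,  # derived claim attested alongside the birth year
    "padi_level": "Rescue Diver",
    "tap_in": "Orchard Road",
}

if __name__ == "__main__":
    holder = Holder(SAMPLE_CLAIMS)
    shown_to_bouncer = holder.disclose("age_over_18")
    print(shown_to_bouncer["value"], verify(holder.root, shown_to_bouncer))
```

The bouncer receives one claim, one salt and a few hashes; the birth year and every other claim remain on the phone.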

How can DBIs, in principle, replace standard identity systems? DBIs can be deployed as an App on your smartphone. You can start by tapping your phone as you enter the subway, and later connect that initial statement to your login credentials for Gmail, then your birth certificate, your University degree, your diving diploma et cetera.

This is of course dependent on the relevant institutions proving willing to provide attestations in that fashion. Large organisations move slowly and governments slower yet, but there is no reason to believe that institutional endorsements of DBIs will not eventually come. At that point any counterpart could verify who you are and the truth of what you say about yourself without accessing an external silo for verification. During a job interview you could demonstrate beyond the shadow of a doubt that you graduated from a certain University with a certain GPA. You could even prove it to a stranger on the street for that matter. It would happen instantly, without Human Resources having to verify your degree with the University, and using an identity system that is entirely under your control.

9. Handling Loss or Theft

Having the government manage identity relieves the average citizen from the problem of keeping it safe. Thanks to computers, information has become so easy to access and manipulate that it is also exceedingly easy to steal. No matter how incompetent a government is at IT, most of its citizens are even more incompetent. If your identity portfolio can be lost or stolen as easily as your Gmail password, you’d better stick with what you have.

Early in this essay we saw how Google handles security by adding auxiliary layers of security to the password you use — each of them imperfect, and yet together more solid than any of them. We have also mentioned the option to bring in witnesses to reauthenticate a person with the government when everything else has failed. DBIs will expand on these models and create networks of redundancy so complex that eventually they will be almost unhackable and ungameable.

Uport, a Consensys startup, is developing an identity system that relies on so-called ‘delegates’ to protect identity. Delegates are trusted third parties (friends, family members or institutions), each with a DBI of their own, who can restore your identity in case it is compromised. After a number of delegates has been chosen, an arbitrary subset can be sufficient to reassign a DBI to its rightful owner. In a mature DBI environment, you could use as delegates your lawyer, your bank or your government. Some delegates could be more important than others: your bank and lawyer could be enough to overrule your friends if they conspire against you. If you don’t trust your bank and lawyer, your friends could overrule them. If you trust your government, it could be your only delegate (governments will probably require control of the top-most backup key for the identities to which they provide attestations; in Part 2 we will discuss Pyramidal Identities, and why this doesn’t compromise the value of DBIs). Additional recovery keys could be assigned to third party services that identify hard-to-fake traits, such as typing patterns on a keyboard, or video facial recognition. For the extra paranoid, a private key split in two and stored in safety deposit boxes within separate Swiss bunkers could be the One Key to Rule Them All.
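The delegate scheme above comes down to a weighted quorum, and the coalitions able to meet it are worth enumerating before the weights are fixed. Added example, not Uport's code: `RecoverableIdentity`, `minimal_coalitions`, the weights and the key names are hypothetical, and each approval is assumed to arrive already authenticated by the delegate's own key.

```python
from itertools import combinations

class RecoverableIdentity:
    """An identity whose owner key can be reassigned by weighted delegates."""

    def __init__(self, owner_key: str, weights: dict, threshold: int):
        if any(w <= 0 for w in weights.values()):
            raise ValueError("delegate weights must be positive")
        if not 0 < threshold <= sum(weights.values()):
            raise ValueError("threshold must be reachable by the delegates")
        self.owner_key = owner_key
        self.weights = dict(weights)
        self.threshold = threshold
        self._choice = {}  # delegate -> candidate key it currently backs

    def approve(self, delegate: str, new_key: str) -> bool:
        """Record one approval; return True if ownership was reassigned."""
        if delegate not in self.weights:
            raise PermissionError(f"{delegate} is not a delegate")
        # One live approval per delegate: a new vote replaces the old one,
        # so its weight never counts towards two candidate keys at once.
        self._choice[delegate] = new_key
        support = sum(self.weights[d] for d, k in self._choice.items()
                      if k == new_key)
        if support < self.threshold:
            return False
        self.owner_key = new_key
        self._choice.clear()  # stale approvals must not carry into a later recovery
        return True

def minimal_coalitions(weights: dict, threshold: int):
    """Smallest delegate sets that can reassign the identity on their own."""
    found = []
    for size in range(1, len(weights) + 1):
        for group in combinations(sorted(weights), size):
            if sum(weights[d] for d in group) < threshold:
                continue
            if not any(set(prev) <= set(group) for prev in found):
                found.append(group)
    return found

# Constructed policies for the two cases in the text, both with threshold 6.
THRESHOLD = 6
INSTITUTIONS_FIRST = {"bank": 3, "lawyer": 3,
                      "friend_a": 1, "friend_b": 1, "friend_c": 1}
FRIENDS_FIRST = {"bank": 1, "lawyer": 1,
                 "friend_a": 2, "friend_b": 2, "friend_c": 2}

if __name__ == "__main__":
    for label, policy in (("institutions first", INSTITUTIONS_FIRST),
                          ("friends first", FRIENDS_FIRST)):
        print(label, minimal_coalitions(policy, THRESHOLD))
```

With the first policy the three friends alone cannot move the identity, but the enumeration also shows that one institution plus all three friends can, which is the kind of coalition to check for before trusting a set of weights.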

Any complex and new technology can be successfully attacked from multiple angles, and will be. DBIs are an open-source social technology, and as such they are antifragile: the more they are tested and the more they fail, the safer they become. In the early days this will result in loss of privacy and money for some, but best practices that balance security and ease of use will emerge. The massive losses incurred in the recent hack of ‘the DAO’ have hopefully taught how many eggs it is wise to place in a new basket prototype.

Progressively and inevitably, DBI security will become so dependable that you will trust them as much as government identities — and then even more. If necessity is the mother of invention, massive screw-ups are its deadbeat father.

10. Solutions to boring problems

How can DBIs improve the business of identity as we know it? I will conclude Part 1 of this essay by listing a few examples:

  • Receiving and using a diving diploma from PADI will not require producing and receiving multiple IDs. On your phone you will be able to store your normal government attestations, and your diving centre will sign your diving certificate onto it. That phone will probably also store the time-stamped certificate of good health from your doctor that PADI requested to complete the course. PADI doesn’t even need to know your name.
  • Registering and accessing an account with an internet service will be done using a single DBI, no passwords and no email addresses.
  • Since DBIs can prove or reveal salient facts without disclosing one’s entire identity, databases that contain highly sensitive information can be anonymised. You can provide your medical history to a hospital without revealing who you are, and if their IT system was breached nothing would be revealed that traces back to you.
  • Any form of fraud that depends on the falsification of documents — from passports to student cards and police badges — will become impossible without the cooperation of an insider. Impersonating a police officer today requires only a uniform and a piece of shiny plastic. With DBIs, you will be able to check on the spot whether the person who stopped you works for the police department or is wearing a Halloween costume. Police protocol in the future will probably require officers to provide DBI attestations before interacting with civilians.
  • We will have provably fair elections. Voter registration rolls and electoral results will be transparent but anonymous. It will be impossible to register fake voters or prevent real ones from registering (four million dead Americans are allegedly registered to vote in the upcoming US Presidential election). Nullifying votes by intercepting ballots and voting more than once will also be impossible.
  • Since proving identity will be easy and inexpensive, anything that can be proven will have to be proven — personal statements won’t cut it anymore. Resumes will be worthless without attestations of attendance from Universities and past employment from businesses. Even letters of recommendation will be unfalsifiable — bullshitters won’t have the same edge on honest applicants anymore. Even children (and their parents) won’t be able to falsify sick notes for teachers.

11. Conclusion

In Part 1 I discussed changes to identity-as-we-know-it. I hope I convinced you that current identity systems must evolve, and are well on their way to do so. It was necessary to get to the topics of Part 2, which are what I really wished to write about. What we have seen so far is the state-of-the-art of identity. Part 2 is its science fiction.

Part 2 is coming soon
