When I refer to digitization, what I mean is that our rites live on in data long after they are performed: commutes are captured by a smartphone’s GPS, purchases by banks and credit cards, thoughts in texts and emails (and unsolicited voice recordings.)
This data has two features: it is widely dispersed and narrowly segmented. It’s dispersed in that different parties own different pieces of our identity. A social network (Facebook) may own our relationship architecture, while an e-commerce platform (Amazon) owns our purchase history and preferences. Their economics are built in part off their ownership of our data in the context of their network. It’s segmented in that each of these portions are narrowly relevant to the revenue-generating service provided by that party.
It is counter-intuitive, but the reality is that we don’t really own ourselves (in the digital sense). Though we can edit the profiles we create, third parties ultimately own our data. And it can be painful (or impossible) to wrest back control of that data. Imagine trying to sustain your personal relationships while deleting all your social network accounts, or put a down payment on a home without a credit history.
Why is this important? Well, to begin, as Jaron Lanier writes in Who Owns the Future, “You don’t get to know what correlations have been calculated about you by Google, Facebook, an insurance company, or a financial entity, and that’s the kind of data that influences your life the most in a networked world.” Lanier calls these services siren servers, and notes that we are eerily comfortable giving away personal data in a trade for convenience.
The implications of this paradigm are troubling:
We have no control. Each service has an abstracted model of who you are built into it. This information can be bought and sold, and also easily breached, without your consent. This setup is convenient (e.g. we get better-targeted recommendations), and also dangerous (e.g. we can be profiled and manipulated).
The segmentation is inefficient. What if all these data repositories played nice with each other? For instance — if your passport, driver’s license, bank and email were integrated — you could travel internationally, ensure your credit cards work, receive curated recommendations and alert people of your whereabouts, without any work required on your end. You could prevent identity theft. You could move around without identification.
We do most of the work for none of the benefits. This is Lanier’s primary contention. As has been noted, if services like Google Search are free, that is because we are not the customer, we are the product. In much the same way that Uber drivers occupy a grey area between employees and contractors, we act somewhat like workers for Amazon and Facebook, yet are only compensated with convenience, not payment, for giving up our data.
If you were to look at a complete model of your digital self, it would be a complex relational web. At the most granular level of that web are nodes, each representing actions (a text, a selfie, a purchase…). The connections between those nodes are formulas that infer relationships, record patterns and predict behavior. If you zoom out, you get the sub-web of a given service (Instagram account, Homeland Security profile, medical history…). These sub-webs then join together to form the larger web that is your digital identity.
At the risk of beating a dead horse, we should have ultimate control over our identity access points.
There are two key steps to reclaiming control of your digital identity: 1) establishing ownership of the nodes so you can grant or revoke permission for third-party services to access them, and 2) consolidating all these nodes into one location so your digital identity is no longer fragmented between separate walled gardens.
As Ron Miller writes, “The argument goes that if our identity were on the blockchain, it would give us more control over this information, and with proper applications allow us to present just the minimum amount of information a given party needs to identify us. That could be your date of birth at a bar, your credit score at a bank or a unique identifier to access an online service.”
Does this matter? Why sacrifice convenience for sovereignty?
People only tend to care about identity management when their identity is compromised. It’s fortunate for the sake of this article that, as I was writing it, Equifax suffered the most massive data breach in its history and Yahoo’s estimates of its data breach rose to 3 billion accounts. Enough ink has been spilled on that news, but I want to point to an excellent response by Chris Skinner using these breaches as a rallying cry for self-sovereign identity.
The concept of the sovereign individual is that people should have complete control of their digital selves. You would have to provide access to third parties to obtain benefits: to your passport to cross borders, to your medical records to get a new doctor, to your criminal history to pass background checks… But this data would all be permissioned by you and not by third parties without your consent. As Skinner argues, “only one constituent owns customer data and that is the customer.”
(Many trace this concept back to the 1999 book The Sovereign Individual, which discusses the advent of the internet for liberation from oppressive states. For what it’s worth, the book is full of unsubstantiated claims and is worth skipping.)
The Equifax breach encapsulates perfectly why sovereignty is so important: In a system where we are forced to relinquish our credit histories to a third party, it can use (and lose) that data in a manner that massively exposes us. These cases range from the trivial to the life-altering:
You forget a password and have to reset it (trivial);
Hackers impersonate you on social media (irritating);
Someone steals your SSN and defaults on a credit card in your name (serious);
An oppressive state spies on, tracks and arrests potential dissidents (life-altering).
There are many ways to approach this problem. Password managers (e.g. LastPass) try to consolidate digital access points to limit exposure risk. These services reinforce the existing paradigm, though: They may use APIs to access data, but the access is still controlled by third parties. e-Passports (like those rolled out by the DHS) use biometric identifiers. But as Skinner points out, biometric ID is as hackable as data, and can introduce more complexity and failure points. Today, many financial services offer two-factor authentication, but, as has been shownrepeatedly, this also is vulnerable
None of these solutions fully protect us. So what kind of solution would?
Panacea of the year: The blockchain silver bullet
Blockchain in 2017 is a crystal ball: everyone from scrappy entrepreneurs to large incumbents to central banks looks into it and sees their future business model. Opinions on blockchain’s revolutionary capability run the gamut; some compare it to the internet in the early ’90s, others to catch-phrases like “big data” — oft used but poorly understood.
In an age where: 1) we are increasingly reliant on our digital identities to open up access and participate in the modern economy, and 2) we are increasingly vulnerable to sophisticated data theft and impersonation, what would an ideal solution look like?
No reliance on third parties. At the risk of beating a dead horse, we should have ultimate control over our identity access points. The decentralized structure of blockchain ledgers is a good first step in this direction, and requires personal verification methods as a second step. This could take many forms: biometrics, trusted backup connections (friends and family) or cross-referencing personal identity knowledge.
Homomorphic encryption. One of the breakthrough features of blockchain is its usage of zero knowledge proofs to manage data. This allows users to disclose their ownership of certain certifications and grant access without revealing the information contained within. The dream of this type of encryption is that end-services can verify identity while the data is hashed. For example, imagine a bank running a credit check on you, while only handling your credit history data in encrypted form, so that even if that data were stolen it would be useless.
Consolidation to one record of truth. All of your identity information should live in one place. This is well encapsulated in the seminal Blockchain Revolution: “What if ‘the virtual you’ was in fact owned by you — your personal avatar — and ‘lived’ in the black box of your identity so that you could… reveal only what you needed to, when asserting a particular right.” To approximate to the real world, your entire digital identity could be stored in a wallet. (Credit to Skinner for the carve-out.)
We are still early in the first act with regards to blockchain and digital identity. Many of the promises of this technology are as of yet untested; there will likely be some painful learning curves in developing a good identity management solution, including hacks and loss. But we are increasingly tied to our digital signatures, and the promise of a solution that can consolidate and protect those signatures from third parties is too important to ignore.
Revolution: global protocols and one universal identity
The world of individual sovereignty would look remarkably different from today’s.
Seven years ago as an undergraduate, I wrote about the shifting paradigm toward a “consolidated wallet for everything.” An informal talk from Christian Catalini, professor of digitization and entrepreneurship at MIT’s Sloan School, two years ago blew me away with a broader vision of blockchain as the central access point for all personal data. Today, the beginnings of that vision are being realized.
The World Bank and UN, among others, recently announced the ID4D initiative to help the estimated 1.1 billion people around the world who can’t access basic services because they lack ways to prove their identity. I wrote last year on the transformative efforts of parties such as the Indian government, which rolled out a biometric system of national IDs to bring people onto the “services grid.”