Identity and Personhood
In the swiftly moving line, a sense of hope melded with palpable anxiety. The big screen above reiterated the criticality of the evacuation credentials. Mulu, a well-respected figure in her crumbling community, was on the cusp of a pivotal moment. Climate change had left her homeland in tatters, and she aspired to find solace and clear skies for her daughters in a new land.
As Mulu stepped forward, her past, rich and vibrant, flashed before her. She feared an uncertain future, mainly for her daughters, who faced potential stagnation. The government official, welcoming and friendly, asked her to scan the code for the Common European Asylum System procedure.
Her nearly defunct phone loaded a page with a few straightforward questions.
"Do you grant the common asylum system the consent to request a yes/no answer of..."
- ... your eligibility for our support program?
- ... whether you pose any potential threats to our community?
- ... whether your previous experiences could contribute to a productive role within our society?
She swiftly affixed her signature on the screen. Her phone then began displaying pertinent information to assist her in responding to the questions accurately.
- In a conflict-torn village, you built makeshift schools, bringing smiles to children's faces. This beacon of hope is echoed by 76 trustworthy sources, their praises etched on a digital ledger, endorsed by agencies recognized by the EU.
- At a press conference, your firm stance against affiliations with harmful individuals to your community echoed powerfully, backed by 41 affirming testimonials on a secure blockchain, showcasing an unyielding protector of society.
- Your efforts in bridging dialogue between communities and 34 government agencies have crafted a shield of trust and safety around you, each acknowledgment a mark of your dedication, immortalized in a digital shield of recognition.
- Your innovation fueled life-changing projects, celebrated by 78% of your peers through vibrant digital narratives, weaving a dynamic tapestry of your significant contributions to the engineering sector.
- Your support for...
The list goes on. She recalled the lively scenes of children frolicking in the schoolyard, the mentors who inspired her to grace the stage with confidence, and the countless late nights spent collaborating with her dedicated colleagues.
The official's desk illuminated with green lights, approving her application based on the collected affirmations and her proven history.
The same acceptance embraced her daughters, welcoming them to a new beginning. With heartfelt warmth, the official welcomed them into a promising world that seemed ready to know and appreciate them truly, offering a fresh start for Mulu and her daughters to thrive once again.
Just as the most fundamental rights are those to life, personhood and citizenship, the most fundamental protocols for a network society are those that establish and protect participant identities. It is impossible to secure any right or provide any service without a definition of who or what is entitled to these. Without a reasonably secure identity foundation, any voting system, for example, will be captured by whoever can produce the most false credentials, degenerating into a plutocracy. There is a famous New Yorker cartoon from 1993, "On the Internet, nobody knows you're a dog", so famous it has its own Wikipedia page; to the extent this is true, we should expect attempts at online democracy to, quite literally, go to the dogs. This is dramatized in many "Web3" communities that have relied heavily on pseudonymity or even anonymity and have thus often been captured by the interests of those with access to physical and financial resources.
Thus, identity systems are central to digital life and gate access to most online activities: social media accounts, electronic commerce, government services, employment and subscriptions. What each of these systems can offer depends intimately on how richly it can establish user identity. Systems that can only determine that a user is a person will not, for example, be able to offer free benefits without ensuring that person has not already signed up for this offer. Systems that can determine a user is unique but nothing else can only offer services that can legally and practically be made available to every person on the planet. Given the ease of attacks online, only what can be established about a person can securely exist online.
At the same time, many of the simplest ways to establish identity undermine it, especially online. A password is often used to establish an identity, but unless such authentication is conducted with great care it can reveal the password, making it useless for authentication in the future, as attackers will be able to impersonate the user. "Privacy" is often dismissed as "nice to have" and especially useful for those who "have something to hide". But in identity systems, the protection of private information is the very core of utility. Any useful identity system has to be judged on its ability to simultaneously establish and protect identities.
To see how this challenge plays out, it is important to keep in mind the several interlocking elements of identity systems:
- Creation: Enrolling in an identity system involves establishing an account and getting assigned an identifier. Different types of systems have different requirements for enrollment, related to how confident the system owner is in the identifying information presented by an individual (called Levels of Assurance). ICAO has developed a Guide to Evidence of Identity.
- Access: To access the account on an on-going basis, the participant uses a simpler process, such as presenting a password, a key or a multi-factor authentication.
- Linkage: As the participant engages with the systems that their account gives them access to, many of their interactions are recorded by the system and form part of the record of who the system understands them to be, information that can later be used for other account functions.
- Graph: Among these data that accumulate about a user, many are interactive with other accounts. For example, two users may harness the system to exchange messages or participate together in events. These create data that belong to multiple accounts and thus a "social graph" of connections.
- Recovery: Passwords and keys get lost and two-factor authentication systems break down. Most identity systems have a way to recover lost or stolen credentials, using secret information, access to external identity tokens or social relationships.
- Federation: Just as participants creating an account draw on (often verified) information about themselves that came from external sources, so too do most accounts allow the information contained in them to be at least partially used to create accounts in other systems.
In this chapter, we discuss the operation of existing digital identity systems and the limits to how they navigate the dual imperatives of establishment and protection. We then discuss a number of important, but limited, on-going initiatives around the world to address these problems. Next we illustrate how to build on and extend this important work more ambitiously to empower a more plural future. Finally, we highlight how, because of the fundamental role of identity, it connects to and entangles with other fundamental protocols and rights, especially rights of association that we focus on in the next chapter.
Digital identity today
When most people think of their formal "identity", they are usually referring to government issued documents. While these vary across countries, common examples include
- Birth certificates;
- Certificates of enrollment in public programs, often with an associated identification number (such as Social Security for pensions and taxes in the United States or the Taiwanese National Health Insurance program);
- Licenses for use of potentially hazardous tools, such as automobiles or firearms;
- Unified national identification cards/numbers/databases in some countries;
- Passports for international travel, which constitute perhaps the widest system of identification given its implicit international federation.
While these systems vary across countries, they generally share several notable features:
1. They are canonical and highly trusted in a range of settings, to the point where they are often referred to as "legal" or even "true" identities, with all other forms of identity being either "pseudonyms" or deriving their legitimacy from reference to them.
2. Partly because of 1), they are used for enrollment into other systems in a variety of contexts (e.g. checking age at a bar, registering for a bank account, paying taxes) even when they were/are intended to be purpose or program-specific. A notorious example is the United States Social Security Number (SSN), which was created originally in the 1930s to help manage a new pension system. By the 1960s it was regularly being requested by many different government and private sector entities. This widespread use meant people's activities across many different contexts could be profiled. In the late 1960s and early 1970s concerns were raised about these practices, and a series of laws came into place limiting the ability of agencies within the federal government to share data between agencies and also limiting the usage of the SSN in the private sector. Since then the federal government has been working to reduce SSN usage and is actively working on finding replacements.
3. They are typically issued based on extremely narrow and limited signals of identity. They usually trace back to other government-issued documents, usually at root a birth certificate that is itself dependent only on the signature of a single doctor. Occasionally these are supplemented by infrequent in-person appearance. However, they are often back-stopped by arduous legal procedures if there are persistent disputes over an identity.
These features together create a volatile mix. On the one hand, government-issued identities are foundational to modern life and often intended to avoid invasions of privacy. On the other hand, they do a poor job protecting identity because they are used across so many contexts that they cannot be kept secret and are founded on thin signals. Furthermore, as we discuss below, these problems are currently being exacerbated by the advance of technologies, like generative foundation models (GFMs), which can easily imitate and modify content and draw sophisticated inferences from public signals. Additionally, the process of creating digital versions of these IDs has been slow and inconsistent across jurisdictions. For all these reasons, existing physical (paper or plastic substrate) government-issued IDs are in an increasingly precarious position and offer quite an unattractive trade-off between establishment and protection.
A second group of widely used identity systems is account management for the various leading technology platforms such as Meta, Amazon, Microsoft (LinkedIn, GitHub), Alphabet, Apple and others. These platforms have leveraged open standards like OAuth and OpenID Connect to allow users to use their account on the platform to log into other systems, sometimes called "single sign-on" (SSO). These services are the foundation of the "sign in with ..." buttons that often appear on authentication interfaces online. Through this single sign-on process, the issuer of the identifier (the "identity provider", that is, the large platform) "sees" everywhere that an individual who has an account with them uses it.
Just as there are a range of government-issued identities that nonetheless share common traits, so too SSO systems are diverse but have important features in common:
1. They are mostly administered by private, for-profit corporations. The convenience they offer and the data they rely on (more on this soon) are used as features to maximize customer retention and value.
2. They harness a wide range of signals and properties of users to maintain the integrity of and harness the value of user identities. While the specifics of the type of data (e.g. purchase histories, social network connections, email correspondence, GPS locations) vary by case, in all cases the maintainer has extensive, detailed, extended and sometimes intimate awareness of a full profile of behavior by the subject, often across multiple domains (see Zuboff).
3. Because of 2), these network endpoint identifiers are widely federated and are accepted for a range of authentication services online, including by services with a limited relationship with the SSO provider.
There are two other important classes of entities that collect a lot of identity information or attributes about people. They share many of these characteristics, but are not digital platform SSO systems and do not have a direct relationship with the people about whom they collect information: advertising, data brokers, credit-scoring and national security agencies (who develop dossiers on people for two purposes: 1) broader surveillance and 2) their own screening of employees who agree to be screened to get clearances to do their work).
They similarly rely on rich signals, with high integrity and fairly broad use, but without the public legitimacy of more standard government identities. These data collection systems thus stand on the opposite end of the trade-off spectrum from government identities. They are far better at providing a rich profile about people, however they operate largely in the shadows because their "all-seeing" nature is socially illegitimate and vests a great deal of power in a few hands.
At a neat half-way point between these extremes in most countries sit accounts for crucial/foundational services such as bank accounts and mobile telephones. Banking is regulated by the government and requires government-issued ID before you can enroll with the bank and get an account. Telecommunications providers often ask for government-issued ID to support effective account management (where do we send the bill) and recovery (I lost my phone, yes it is me), and in some countries they are required to know who their customers are before those customers can get a phone number. Both banks and telephone companies are privately administered and linked to rich user data that can be harnessed for security, and thus often become a crucial input to other identity systems (like SSO systems), but are typically far more regulated than SSO systems and thus typically have greater legitimacy and portability across private providers. In many contexts these systems are thus viewed as a useful combination of security and legitimacy, anchoring ultimate security for many services through multifactor authentication. However, they at the same time suffer many of the flaws of both corporate surveillance and insecurity, as both can be relatively easily stolen, are hard to recover if stolen and lack the strong legal grounding of government-issued IDs.
In a different direction entirely from this spectrum are smaller, more diverse, and more local identity systems, in both digital-native and more traditional contexts.
Traditional Contexts: A helpful framework for understanding identity contexts is Kaliya Young's book Domains of Identity; we have put the domains related to particular contexts in brackets.
- Educational affiliations and credentials (civil society enrollment and transaction)
- Work-related credentials and affiliations (employment enrollment and transaction)
- Memberships in trade unions, professional associations and other non-employer-driven work-related activities (civil society enrollment and transactions)
- Membership in political parties, charitable groups and other collective action organizations (civil society enrollment and transactions)
- Participation in community, religious, recreational and other civil society organizations (civil society enrollment and transactions)
- Loyalty relationships with businesses of various sizes (Commercial enrollment and transactions)
- Medical and insurance relationships (civil society [healthcare] & commercial enrollment [insurance]- with a connection to employment enrollment and transactions OR government enrollment and transactions for those on public insurance)
Digitally Native Contexts:
- Pseudonymous identities used in a variety of online social and political interactions from "dark web" fora (e.g. 4chan or Reddit) to video game and virtual world interactions (e.g. Steam)
- Accounts used in "Web3" for financial transactions, Distributed Autonomous Organizations (DAOs, more on these below) and associated discussions
- Personal digital and real-life connections that record, in machine or biological (viz. mental) substrates, shared personal and relational histories, communications exchanged, etc.
These identities are the most diverse of all we have discussed and have the least common characteristics. They share a few features precisely related to their fragmentation and heterogeneity:
- These systems are highly fragmented, currently have limited interoperability, are rarely federated or connected and thus tend to have very limited scope of application. Emerging standards such as Verifiable Credentials are seeking to address this challenge.
- At the same time, these sources of identity are often experienced as the most natural, appropriate and non-invasive. They seem to arise from the natural course of human interactions, rather than from top-down mandates or power structures. They are viewed as highly legitimate, and yet not as a definitive or external source of "legal" identity, often being seen as pseudonymous or otherwise private.
- They tend to record rich and detailed personal information, but in a narrow context or slice of life, clearly separated from other contexts. As a result, they have strong potential recovery methods based on personal relationships.
- They tend to have a poor digital user experience; either they are not digitized at all, or the process of managing the digital interface is unfriendly to non-technical users.
While these examples are perhaps most marginal to digital identity, they are also perhaps most representative of its systemic state. Digital identity systems are heterogeneous, generally quite insecure, only weakly inter-operable, have limited functionality while allowing entities with concentrated power to engage in extensive surveillance and breaking norms of privacy that in many cases they were established to protect. This problem is increasingly widely recognized, leading to focus in many technology projects on overcoming it.
Public and decentralized identity
In sharp contrast to most prominent trends in technology, the most influential developments in identity tools have been in, and/or have targeted as a market, the developing world, often under the banner of "Digital Public Infrastructure". This partly arises from the fact that identity systems are particularly underdeveloped in these countries, creating a strong need for such systems. Perhaps partly as a result, however, these systems have opted to follow a highly unitary and centralizing structure, based on biometrics, that, while providing an impressive demonstration of what a digital-native identity infrastructure can accomplish, also falls short of helping richly establish and strongly protect identity.
The most prominent example is the Aadhaar identity system led by the Indian government as part of the India Stack program, about which more below.
Aadhaar enrollment required residents to present some existing type of identification from any of a number of potential entities, such as existing state-level governments or ration cards (the list was extensive). They were asked for only four pieces of demographic information: name, birthdate, sex and physical mailing address (phone numbers and e-mail addresses were also requested but not required). Each enrollee had a photo taken, each iris scanned and all ten fingerprints recorded. These were collected by enrollment agents, who sent the new enrollee information in batches to the central databases managed by the Unique Identification Authority of India (UIDAI). The information associated with new enrollees' identities was checked against the database to see if they had already been enrolled, meaning whether the biometrics they shared matched another record in the system. If they did, the enrollee was rejected. If they were unique, the enrollee was issued an Aadhaar number, which was sent to them in the mail on a card. Through special entities that have the capability to authenticate against the database, the UIDAI provides authentication services: people who are interacting with government services assert an Aadhaar number and present a fingerprint, this is sent into the system, and a yes/no answer is given back indicating whether the person with that number has a fingerprint that matches the template sent from the device.
After a lengthy hearing, the Indian Supreme Court has significantly limited the extent to which the system can be used by the private sector. Aadhaar got wide enrollment because it adopted a model in which enrollment agents were paid per enrollment, which incentivised entrepreneurs to proactively go to all corners of the country, including very remote villages, to enroll people; it has achieved 99% coverage of the population. The government has also made Aadhaar a key part of social service provisioning, including the monthly ration that ___hundred million people receive, and has pushed to link Tax ID numbers (called PANs) to it. Aadhaar has been astonishingly effective in inducing 99% of citizens to adopt it.
Partly inspired by this success, a group of technologists including OpenAI Co-Founder Sam Altman launched Worldcoin in 2019 with the aim of becoming the first universal biometric identity. Using a proprietary "orb", they have scanned the irises of several million people, almost exclusively in developing countries, to date. Harnessing cryptography, they "hash" these scans so that they cannot be viewed or recovered, but any future scan can be checked against them to ensure uniqueness. They use this to initialize an account that they deposit units of a cryptocurrency into. Their mission is to ensure that, as generative foundation models become increasingly capable of imitating humans, there remains a secure foundation for identity that could be used, for example, to distribute an equal "universal basic income" to every person on the planet or to allow participation in voting and other universal rights.
It is believed that Aadhaar achieved some of the most impressive mixes of scale, inclusion of marginalized communities and security of any identity scheme in the world. The Aadhaar model has inspired the development of the Modular Open-Source Identity Platform (MOSIP) and its adoption in Asia (e.g. Philippines, Sri Lanka) and Africa (e.g. Uganda, Morocco, Ethiopia). To date they have enrolled 100 million people. The MOSIP platform has created a decentralized identity module that gives those who deploy it the ability to issue verifiable credentials into the wallets of residents/citizens enrolled in a given national system [^MOSIP].
At the same time, these systems have important limits on their ability to establish and protect identities. Linking such a wide variety of interactions to a single identifier associated with a set of biometrics from a single individual, collected at enrollment (or registration), forces a stark trade-off. On the one hand, if (as in Aadhaar) the administrators of the program are constantly using biometrics for authentication and, as a side effect of this frequent authentication, are able to see and link the activities of the person to whom the identifier points, they gain an unprecedented capacity to surveil citizen activities across a wide range of domains and, potentially, to undermine or target the identities of vulnerable populations. Activists have repeatedly raised concerns over this issue in relation to the status of the Muslim minority in India.
On the other hand, if privacy is protected, as in Worldcoin, by using biometrics only to initialize an account, the system becomes vulnerable to stealing or selling of accounts. Because most services people seek to access require more than proving they are a unique human (e.g. that they have a particular name, an ID number of some type issued to them by a recognized government, that they are a citizen of some country, and maybe some other attributes like educational or employment credentials at a company), this extreme preservation of privacy undermines most of the utility of the system. Furthermore, such systems place a great burden on the technical performance of biometric systems. If eyeballs can, sometime in the future, be spoofed by artificial intelligence systems combined with advanced printing technology, such a system may be subject to an extreme "single point of failure". In short, despite their important capacity for inclusion and simplicity, biometric systems are too reductive to establish and protect identities with the richness and security required to support Plurality.
Starting from a very different place, another set of work on identity has reached a similar challenging set of trade-offs. Work on "decentralized identity" (DID) grew from many of the concerns about digital identity we have highlighted above: fragmentation, lack of natural digital infrastructure, issues with privacy, surveillance and corporate control. A key founding document was Microsoft identity architect Kim Cameron's "Laws of Identity", which emphasized the importance of user control/consent, minimal disclosure to appropriate parties, multiple use cases, pluralism of participation, integration with human users and consistency of experience across contexts. Kim Cameron worked on developing the CardSpace [^CS] system while at Microsoft, and this became the InformationCard [^icard] standards. These did not get market adoption, in part because they were too early: smartphones were not yet widely adopted, nor was the idea that this device could hold a wallet for people.
With the emergence of cryptocurrencies and distributed append-only ledgers that can store information indefinitely in a public way, the community focused on user-centric identity considered how this could be used to achieve the vision of people really being the pivot point or locus of control of their own digital representations, rather than being subject to a central authority (corporate SSO or an Aadhaar-like system) that assigns them an identifier that they have to authenticate against but ultimately do not control. They developed the Decentralized Identifiers (DID) standard [^DID] at the W3C, which defines a way to have decentralized, globally resolvable endpoints with associated public keys. This creates a way to grant individuals "ownership" over identities, rooted in "public" data repositories such as blockchains, and to create standardized formats for a variety of entities to issue digital credentials referencing these identifiers.
The systems have the flexibility to allow individuals to have multiple accounts/pseudonyms. They also share a common practical challenge, namely that for an individual to truly "own" their identity, they must either control some ultimate key that gives them access to it and/or be able to reliably recover that key without resort to some higher, controlling authority. Other than possibly biometrics (the problems with which we discussed above), there is no widely agreed method to allow recovery without a trusted authority and no example of keys that individuals have been reliably able to self-manage in large, diverse societies.
The architectural design for digital credentials, with an issuer of credentials, a holder (often the subject) of the credentials and a relying party who receives and verifies (checks the cryptography of) the credentials, has achieved significant adoption. The European Union is deploying it to all citizens within the next several years. It is developing an open source code base[^wallet] that member states can use to give every citizen a digital wallet. At the time of writing they have begun 4 large-scale pilots [^pilots] that will test the system with tens of millions of citizens. The country of Bhutan has built its whole digital identity system with this design architecture[^bhutan]. A citizen is enrolled in a national register with biometrics and is then given a digital wallet with credentials derived from the enrollment. To interact with government and private sector services they present the credentials from the wallet; there is no phone-home architecture like that of corporate SSO systems or India's Aadhaar system.
Despite these common challenges, the details of these schemes vary dramatically. On one extreme, advocates of "verifiable credentials" (VCs) prioritize privacy and the ability of users to control which of the claims about them are presented at any time. On the other extreme, advocates of "soulbound tokens" (SBTs) or other blockchain-centric identity systems emphasize the importance of credentials that are public commitments to e.g. repay a loan or not produce further replicas of a work of art and thus require that the claims be publicly tied to an identity. Here, again, in both the challenges around recovery and the DID/VC-SBT debate we see the unattractive trade-off between establishing and protecting identities.
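To make the issuer, holder and relying-party roles concrete, the following added sketch (not code from this chapter or from any of the projects it names) shows a credential whose claims are committed to as salted hashes, so the holder can reveal only chosen claims and the relying party can verify them offline without contacting the issuer. It assumes a simplified data format rather than the W3C data model, uses a Lamport one-time signature as a standard-library stand-in for the issuer's signature scheme, and all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: a stdlib-only stand-in for the issuer's real
# signature scheme (assumption). One key pair must sign only one payload.
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[_h(a), _h(b)] for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(_h(s), pk[i][b])
               for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def _claim_digest(salt, name, value) -> str:
    # The random salt stops a verifier from guessing undisclosed values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(sk, subject: str, claims: dict) -> dict:
    """Issuer: sign digests of the claims, never the claim values themselves."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    payload = {"sub": subject,
               "digests": sorted(_claim_digest(*d) for d in disclosures.values())}
    signed = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": lamport_sign(sk, signed),
            "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder: pass on the signed payload plus only the chosen disclosures."""
    return {"payload": credential["payload"], "sig": credential["sig"],
            "disclosed": [credential["disclosures"][n] for n in reveal]}


def verify(pk, presentation: dict):
    """Relying party: offline check against the issuer's public key only."""
    signed = json.dumps(presentation["payload"], sort_keys=True).encode()
    if not lamport_verify(pk, signed, presentation["sig"]):
        return None
    digests = set(presentation["payload"]["digests"])
    verified = {}
    for salt, name, value in presentation["disclosed"]:
        if _claim_digest(salt, name, value) not in digests:
            return None  # disclosed value was not what the issuer signed
        verified[name] = value
    return verified


if __name__ == "__main__":
    issuer_sk, issuer_pk = lamport_keygen()
    # Constructed sample subject and claims.
    cred = issue(issuer_sk, "did:example:holder",
                 {"name": "Constructed Name", "citizen": True, "over_18": True})
    shown = present(cred, ["over_18"])
    print(verify(issuer_pk, shown))  # only the disclosed claim is learned
```

The sketch omits holder binding (proof that the presenter is the credential's subject) and revocation, both of which a deployed system needs.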
Identity as an intersection
Is there a way past this seemingly irreconcilable conflict, ensuring secure establishment and strong protection of identity without centralized surveillance? The natural answer draws on the tradition of Plurality we described in "The Lost Dao": appreciating the plural, intersectional nature of identity and the potential of network architectures. Just as packet switching reconciled and actually connected decentralization and performance and hypertext reconciled speed with a diversity of pathways through text, it seems increasingly plausible that, with the right mix of experimentation and standards building, an intersectional approach to identity could reconcile the goals of establishing and protecting identities.
The basic idea can be understood perhaps most easily by contrast to biometrics. Biometrics (e.g. iris scans, fingerprints, genetic information) are a detailed set of physical information that uniquely identifies a person and that in principle anyone with access to that person and appropriate technology may ascertain. Yet people are not just biological but sociological beings. Far richer than their biometric profile is the set of shared histories and interactions they have with other people and social groups. These may include biometrics; after all, anytime we meet someone in person we at least partly perceive their biometrics and they may leave traces of others behind. But they are far from limited to them. Instead they encompass all behaviors and traits that are naturally jointly observed in the course of social interactions, including
- Location, as the very act of being together in a place implies joint knowledge of others' locations (which is the basis of alibis in forensics) and most people spend most of their time in the detectable vicinity of others
- Communication, as it always has at least two participants
- Actions, whether at work, play or workshop, are usually performed for or in the presence of some audience
- Personality traits, which usually manifest in interactions with other people.
In fact, the way we think of others' identities is usually primarily in terms of such "sociometrics": things we did with the person, places we went together, things they did and ways they acted, rather than primarily their appearance or biology.
Such social identities have an astonishing range of useful properties:
- Comprehensiveness and redundancy: Jointly, these data cover almost everything meaningful there is to know about a person: the great majority of what we are is determined by various interactions and experiences shared with others. For almost anything we might want to prove to a stranger, there is some combination of people and institutions (typically many) who can "vouch" for this information without any dedicated strategy of surveillance. For example, a person wanting to prove that they are above a particular age could call on friends who have known them for a long time, the school they attended, doctors who verified their age at various times as well as, of course, governments who verified their age. Such plural attribute verification systems are actually fairly common: when applying for some forms of government identification, many jurisdictions allow a variety of attribute proofing methods for addresses, including bank statements, utility bills, leases etc.
- Privacy: Perhaps even more interestingly, all of these "issuers" of attributes know this information from interactions that most of us feel are consistent with "privacy": we don't get concerned about the co-knowledge of these social facts in the way we would about surveillance by a corporation or government.
- Progressive authentication: While standard verification by a single factor allows the user to gain confidence in the attested fact/attribute equal to their confidence in the verifying party/system, such plural systems allow a wide range of confidence to be achieved by drawing on more and more trusted issuers of attributes. This allows adaptation to a variety of use cases based on the security they require.
- Security: Pluralism also avoids many of the problems of a "single point of failure". The corruption of even several individuals and institutions only affects those who rely on them, which may be a very small part of the society, and even for them the redundancy described above implies they may only suffer a partial reduction in the verification they can achieve. This is particularly important given the potential risks (as mentioned above) to e.g. biometric systems from advances in AI and printing technology. Given that the bases of the other verification methods above are much more diverse (a range of communicative acts, physical encounters etc.), the chance that these all fail because of a particular technological advance is far lower.
- Recovery: This approach also offers a natural solution to one of the most challenging problems above: the recovery of lost credentials. As noted there, recovery typically relies on interactions with a single, powerful entity that can investigate the validity of a claim to an account; alternatives based on giving individuals full "ownership" are usually highly vulnerable to hacking or other attacks. Yet a natural alternative would be for individuals to rely on a group of relationships allowing, for example, 3 of 5 friends or institutions to recover their key. Such "social recovery" has become the gold standard in many Web3 communities and is increasingly being adopted even by major platforms such as Apple. As we will explore in a later chapter, more sophisticated approaches to voting could make such an approach even more secure by ensuring that distinct parts of an individual's network who are unlikely to cooperate against her interest would together be able to recover her credentials, something we call "community recovery".
The above benefits are remarkable when compared to the trade-offs described above. But essentially they are fairly simple extensions of the benefits we discussed in "The Lost Dao" that plural, networked structures generally have over more centralized ones, the benefits that motivated the move to packet switching architectures for communications networks in the first place. This is why some of the leading organizations seeking to achieve a future like this, such as the Trust over IP Foundation, draw tight analogies to the history of the creation of the internet protocols themselves. There are of course many technical and social challenges in making such an "intersectional" system work:
- Inter-operation: Making such a system work would obviously require a very wide range of present identity and information systems to inter-operate, while maintaining their independence and integrity. Achieving this would obviously be a herculean task of coordination, but it is fundamentally a similar one to that underlying the internet itself.
- Complexity: Managing and processing trust and verification relationships with such a diversity of individuals and institutions is beyond the capacity of most people or even institutions. Yet there are several natural approaches to addressing this complexity. One is to harness the growing capacity of GFMs, trained to adapt to the relationships and context of the individual or institution using the model, to extract meaning from such diverse signals; we discuss this possibility extensively in a later chapter. Another approach is to limit the number of relationships any individual or institution has to manage and rely on either institutions of medium size (e.g. medium businesses, churches, etc.) that play intermediary roles (which Jaron Lanier and one of us have called "mediators of individual data" or MIDs) or on "friends of friends" relationships (which we call "transitive trust") which are known to connect, within a small number of links (roughly six), almost any two people on earth. We will discuss the appeal, trade-offs and compatibility between these two approaches below.
- Trust at a distance: Another closely related problem is that many of the natural verifiers for strangers we meet may be people who we do not know ourselves. Here again, some combination of using transitive trust and MIDs as we discuss shortly is natural. Currency, as we will discuss in a later chapter of this part of the book, may also play a role here.
- Privacy: Finally, while most people would feel comfortable with the recording of information from the natural flow of social events above, the sharing of it for verification could pose important privacy issues. Such information is meant to stay in the natural flow of social life and a great deal of care is required to ensure any use of it for identity verification does not violate these norms of "contextual integrity". Addressing this challenge is the focus of the next chapter, as we discuss at the end of this one.
How can we manage the complexity and social distance involved in plural identity systems? We will return in a future chapter to the potential role of GFMs. Focusing instead on firmly network-based approaches, the two natural strategies correspond to the two types of networks that in "The Lost Dao" we recounted internet pioneer Paul Baran imagining: "decentralization" (also called "polycentrism", which we will use), where there are many verifiers of significant size but not so many as to create overwhelming complexity, or "distribution", where there are few larger-scale verifiers and we instead use transitive trust to span social distances. A basic heuristic that is useful to keep in mind in considering all these possibilities is the "Dunbar number". This is the number (usually around 150) of people that an anthropologist, Robin Dunbar, argued people could maintain stable relationships with absent significant information technology. Whatever the precise number is, it seems clear most people cannot manage more than a few hundred relationships, evaluation of reputation, etc. without significant technological assistance.
The polycentric approach tries to manage this problem by limiting the number of players. While this obviously limits pluralism somewhat, it is not a major problem as long as participants maintain a reasonable diversity of affiliations. Suppose, for example, that we have a population of 10 billion and each person maintains 100 relationships with potentially verifying institutions (e.g. governments, churches, employers etc.). Suppose that to have a reasonable chance for verification to work, any two people meeting must share at least 5 overlapping memberships. If memberships are randomly distributed, 300 verifiers could co-exist and still allow the chance that verification fails for any random pair of individuals to be one in several million. Of course, individuals who meet are rarely random, nor do they form their affiliations randomly, nor are 5 overlapping memberships likely to be absolutely necessary for most interactions, especially among people meeting randomly. All of these suggest many more verifiers could thrive in such an environment of plural memberships.
Yet this number would clearly be far smaller than the population size, perhaps around 100,000, the number with the property that it goes into 10 billion 100,000 times. This would be vastly more pluralistic than our current identity landscape, allowing a far better trade-off between autonomy/control and functionality/security. But is even more possible?
One of the most important discoveries in quantitative sociology is that, despite Dunbar-like limits, by traversing a few degrees of separation most humans are connected to each other. To see how this is possible, suppose that each of us can only maintain 100 relationships. This would imply that we might have 100^2=10,000 second degree relationships, 100^3=1,000,000 third degree relationships, 100^4=100,000,000 fourth degree relationships and 100^5=10,000,000,000 fifth degree relationships, greater than the global population. Thus it is entirely possible that each of us could be within 5 degrees of separation from every other person on the planet. Given that some of these relationships will, at any level, overlap, the number of degrees of separation should be somewhat larger: most sociological studies have found roughly 6 degrees of separation between any two randomly chosen people. Furthermore, at least if one goes to chains of 7, there are usually many mostly independent chains of social connection between any two people.
Furthermore, the idea of establishing relationships, information and validity through transitive chains is ancient and common. It lies behind the concept of an introduction, the game "telephone" (which emphasizes some of its limitations) and the popular professional social network LinkedIn. Finding and managing the many possible chains of introductions between socially distant people clearly requires some technical support, but nothing much greater than has already been shown possible by computer science researchers. The problem is actually quite similar to that underlying the packet switching that powers the internet.
Furthermore, the decentralized and distributed strategies can be combined to greatly amplify each other. To take a simple example, consider our suggestion above that there might be 100,000 issuers of attributes. In a world of 10 billion, each would have to be managing relationships with 100,000 participants, on average. If they were also able to manage a similar number of relationships with other issuers, every issuer would have a direct relationship with every other issuer. Two degrees of separation could do far more, allowing millions of issuing organizations to thrive under the same logic that can leverage the attributes from other issuers to do verification. Thus a mixture of transitive trust and polycentrism can quite easily allow, even without any of the magic of GFMs we discuss below, a highly plural and diverse, and thus both functional and private, identity landscape.
Identity and association
The key question that then remains is whether the process of such plural and social verification would end up undermining the protection of identities. After all, a core part of why we have such a dysfunctional identity landscape is that liberal democratic polities have resisted the creation of identity systems precisely out of this fear. If we are to build better alternatives, we need to ensure they are better most of all along this dimension. Yet to do so requires us to dig deeper into what precisely "privacy" and "control" mean from a plural perspective.
As we noted above, almost everything relevant about us is known by others and is typically just as much about them as us. None of us feels this bare fact as an infringement on privacy. In fact, erasing the memory of our first kiss from the mind of the partner to that kiss would be just as much a violation of privacy as would one of us sharing that information inappropriately. What we are after, therefore, is not well-described by the term "privacy". It is about information remaining in the social setting for which it was intended, what scholar Helen Nissenbaum calls "contextual integrity". In fact, it requires a certain kind of publicity: if information is not shared and understood by those for whom it is intended, this can be as damaging as if information is overshared. Given that these are inherently social settings, furthermore, they are not primarily about individual choice or protection, but rather the protection of groups of people against violations of their collective norms about information. In short, the central problems are about another fundamental right: the freedom of association. In essence, systems supporting and implementing the right of personhood must simultaneously bolster the freedom of association, and the dual challenges of establishing and protecting associations parallel those in the identity context.