Identity and Personhood

By E. Glen Weyl, Audrey Tang and ⿻ Community

In the swiftly moving line, a sense of hope melded with palpable anxiety. The big screen above reiterated the criticality of the evacuation credentials. Mulu, a well-respected figure in her crumbling community, was on the cusp of a pivotal moment. Climate change had left her homeland in tatters, and she aspired to find solace and clear skies for her daughters in a new land.

As Mulu stepped forward, her past—rich and vibrant—flashed before her. She feared an uncertain future, mainly for her daughters, who faced potential stagnation. The government official, welcoming and friendly, asked her to scan the code for the Common European Asylum System procedure.

Her nearly defunct phone loaded a page with a few straightforward questions.

"Do you grant the common asylum system the consent to request a yes/no answer of..."

  1. ... your eligibility for our support program?
  2. ... whether you pose any potential threats to our community?
  3. ... whether your previous experiences could contribute to a productive role within our society?

She swiftly affixed her signature on the screen. Her phone then began displaying pertinent information to assist her in responding to the questions accurately.

  • In a conflict-torn village, you built makeshift schools, bringing smiles to children's faces. This beacon of hope is echoed by 76 trustworthy sources, their praises contained in multiple digital credentials, endorsed by agencies recognized by the EU.
  • At a press conference, your firm stance against affiliations with harmful individuals to your community echoed powerfully, backed by 41 affirming digitally signed testimonials, showcasing an unyielding protector of society.
  • Your efforts in bridging dialogue between communities and 34 government agencies have crafted a shield of trust and safety around you, each acknowledgment a mark of your dedication, immortalized in a digital shield of recognition.
  • Your innovation fueled life-changing projects, celebrated by 78% of your peers through vibrant digital narratives, weaving a dynamic tapestry of your significant contributions to the engineering sector.
  • Your support for...

The list goes on. She recalled the lively scenes of children frolicking in the schoolyard, the mentors who inspired her to grace the stage with confidence, and the countless late nights spent collaborating with her dedicated colleagues.

The official's desk illuminated with green lights, approving her application based on the collected affirmations and her proven history.

The same acceptance embraced her daughters, welcoming them to a new beginning. With heartfelt warmth, the official welcomed them into a promising world that seemed ready to know and appreciate them truly, offering a fresh start for Mulu and her daughters to thrive once again.

Just as the most fundamental human rights are those to life, personhood and citizenship, the most fundamental protocols for a ⿻ society are those that establish and protect participant identities. It is impossible to secure any right or provide any service without a definition of who or what is entitled to these. Without a reasonably secure identity foundation, any voting system, for example, will be captured by whoever can produce the most false credentials, degenerating into a plutocracy. There is a famous New Yorker cartoon from 1993 "On the Internet, nobody knows you're a dog", so famous it has its own Wikipedia page; to the extent this is true, we should expect attempts at online democracy to, quite literally, go to the dogs.[1] This is dramatized in many "Web3" communities that have relied heavily on pseudonymity or even anonymity and have thus often been captured by the interests of those with access to physical and financial resources.[2]

Thus, identity systems are central to digital life and gate access to most online activities: social media accounts, electronic commerce, government services, employment and subscriptions. What each of these systems can offer depends intimately on how richly it can establish user identity. Systems that can only determine that a user is a person will not, for example, be able to offer free benefits without ensuring that person has not already signed up for this offer. Systems that can determine a user is unique but nothing else can only offer services that can legally and practically be made available to every person on the planet.[3] Given the ease of attacks online, only what can be established about a person can securely exist there.

At the same time, many of the simplest ways to establish identity paradoxically undermine it, especially online. A password is often used to establish an identity, but unless such authentication is conducted with great care it can reveal the password more broadly, making it useless for future authentication because attackers will be able to impersonate its owner. "Privacy" is often dismissed as "nice to have" and especially useful for those who "have something to hide". But in identity systems, the protection of private information is the very core of utility. Any useful identity system has to be judged on its ability to simultaneously establish and protect identities.

To see how this challenge plays out, it is important to keep in mind the several interlocking elements of identity systems:

  • Creation: Enrolling in an identity system involves establishing an account and getting assigned an identifier. Different types of systems have different requirements for enrollment related to how confident the system owner is in the identifying information presented by an individual (called Levels of Assurance)[4].
  • Access: To access the account on an ongoing basis, the participant uses a simpler process, such as presenting a password, a key or a multi-factor authentication.
  • Linkage: As the participant engages with the systems that their account gives them access to, many of their interactions are recorded and form part of the record that constitutes the system's understanding of them, information that can later be used for other account functions.
  • Graph: Among these data that accumulate about a user, many are interactive with other accounts. For example, two users may harness the system to exchange messages or participate together in events. These create data that belong to multiple accounts and thus a "social graph" of connections.
  • Recovery: Passwords and keys get lost or stolen and multi-factor authentication systems break down. Most identity systems have a way to recover lost or stolen credentials, using secret information, access to external identity tokens or social relationships.
  • Federation: Just as participants creating an account draw on (often verified) information about them from external sources, so too do most accounts—allowing the information contained in them to be at least partially used to create accounts in other systems.[5]

In this chapter, we discuss the operation of existing digital identity systems and the limits to how they navigate the dual imperatives of establishment and protection. We then discuss a number of important, but limited, ongoing initiatives around the world to address these problems. Next, we illustrate how to build on and extend this important work more ambitiously to empower a more ⿻ future. Finally, we highlight how, because of the fundamental role of identity, it connects to and entangles with other fundamental protocols and rights, especially rights of association that we focus on in the next chapter.

Digital identity today

When most people think of their formal "identity", they are usually referring to government-issued documents. While these vary across countries, common examples include

  • Birth certificates.
  • Certificates of enrollment in public programs, often with an associated identification number (such as Social Security for pensions and taxes in the US or the Taiwanese National Health Insurance program).
  • Licenses for the use of potentially hazardous tools, such as automobiles or firearms.
  • Unified national identification cards/numbers/databases in some countries.
  • Passports for international travel, which constitute perhaps the widest system of identification given its implicit international federation.

While these systems vary across countries, they generally share several notable features:

  1. They are canonical and highly trusted in a range of settings, to the point where they are often referred to as "legal" or even "true" identities, with all other forms of identity being either "pseudonyms" or deriving their legitimacy from reference to them.
  2. Partly because of 1), they are used for enrollment into other systems in a variety of contexts (e.g. checking age at a bar, registering for a bank account, paying taxes) even when they were/are intended to be purpose or program specific. A notorious example is the United States Social Security Number (SSN), which was originally created in the 1930s to help manage a new pension system.[6] By the 1960s it was regularly being requested by many different government and private sector entities. This widespread use meant people's activities across many different contexts could be profiled. In the late 1960s and early 1970s concerns were raised about these practices[7] and a series of laws were passed limiting the ability of agencies within the federal government to share data with one another and limiting the usage of the SSN in the private sector.[8] Since then the federal government has been working to reduce SSN usage and is actively considering alternatives.[9]
  3. They are typically issued based on narrow signals of identity, tracing back to other government-issued documents, usually at root a birth certificate that is itself dependent only on the signature of a single doctor. Occasionally these are supplemented by infrequent in-person appearance. However, they are often backstopped by arduous legal procedures if there are persistent disputes over an identity.

These features together create a volatile mix. On the one hand, government-issued identities are foundational to modern life and often intended to avoid invasions of privacy. On the other hand, they do a poor job protecting identity because they are used across so many contexts that they cannot be kept secret and are founded on thin signals. Furthermore, as we discuss below, these problems are currently being exacerbated by the advance of technologies, like generative foundation models (GFMs), which can easily imitate and modify content and draw sophisticated inferences from public signals. Additionally, the process of creating digital versions of these IDs has been slow and inconsistent across jurisdictions. For all these reasons, existing physical (paper or plastic) government-issued IDs are in an increasingly precarious position and offer quite an unattractive trade-off between establishment and protection.

A second group of widely used identity systems is account management for the leading technology platforms such as Meta, Amazon, Microsoft (Microsoft Accounts, LinkedIn, GitHub), Alphabet, Apple and others. These platforms have leveraged open standards like OAuth[10] and OpenID Connect[11] to allow users to use their platform account to log into other systems, sometimes called "single sign-on" (SSO). These services are the foundation of the "sign in with ..." buttons that often appear on authentication interfaces online. Via this single sign-on process, the issuer of the identifier (a.k.a. "the identity provider", here the large platform) "sees" everywhere that an individual with an account goes when they use that account elsewhere.

Just as there are a range of government-issued identities that nonetheless share common traits, so too SSO systems are diverse but have important features in common:

  1. They are mostly administered by private, for-profit corporations. The convenience they offer and the data they rely on (more on this soon) are used as features to maximize customer retention and value.
  2. They harness a wide range of signals and properties of users to maintain the integrity of and harness the value of user identities. While the specifics of the type of data (e.g. purchase histories, social network connections, email correspondence, GPS locations) vary by case, in all cases the maintainer has extensive, detailed, extended and sometimes intimate awareness of a full profile of behavior by the subject, often across multiple domains.[12]
  3. Because of 2), these network endpoint identifiers are widely federated and are accepted for a range of authentication services online, including by services with a limited relationship with the SSO provider.

There are two other important classes of entities that collect a lot of identity information or attributes about people. They share many of these characteristics but are not digital platform SSO systems and they do not have a direct relationship with the people about whom they collect information: advertising, data brokers, credit-scoring and national security agencies (who develop dossiers on people for both general surveillance and their own screening purposes for employees who agree to be screened to get clearances to do their work).

They similarly rely on rich signals, with high integrity and fairly broad use, but without the public legitimacy of more standard government identities. These data collection systems thus stand on the opposite end of the trade-off spectrum from government identities. They are far better at providing a rich profile about people, however they operate largely in the shadows because their "all-seeing" nature is socially illegitimate and vests a great deal of power in a few hands.

At a neat halfway point between these extremes in most countries sit accounts for crucial/foundational services such as bank accounts and mobile telephones. Banking is typically regulated by the government and requires government-issued ID before you can enroll (a process known as "know your customer" or KYC). Telecommunications providers often ask for government-issued ID to support effective account management (where do we send the bill) and recovery (I lost my phone. Yes it is me.) and in some countries they are required to know who their customers are before they can get a phone number. Both banks and telephone companies are privately administered and linked to rich user data that can be harnessed for security, and thus often become a crucial input to other identity systems (like SSO systems), but are typically far more regulated than SSO systems and thus typically have greater legitimacy and portability across private providers. In many contexts these systems are thus viewed as a useful combination of security and legitimacy, anchoring ultimate security for many services through multi-factor authentication. However, they at the same time suffer many of the flaws of both corporate surveillance and insecurity, as both can be relatively easily stolen, are hard to recover if stolen and lack the strong legal grounding of government-issued IDs.

In a different direction entirely from this spectrum are smaller, more diverse, and more local identity systems, in both more traditional contexts and digitally native contexts. Examples of these are explored by Kaliya Young in her book Domains of Identity:[13]

  • Civil society enrollment and transaction, such as educational credentials, membership in professional associations and trade unions, political parties and religious organizations.
  • Employment enrollment and transactions, such as work-related credentials and access.
  • Commercial enrollment and transactions, such as loyalty cards and membership in private insurance.
  • Pseudonymous identities used in a variety of online social and political interactions from "dark web" fora (e.g. 4chan or Reddit) to video game and virtual world interactions (e.g. Steam).
  • Accounts used in "Web3" for financial transactions, Distributed Autonomous Organizations (DAOs, more on these below) and associated discussions often on servers such as Discord.
  • Personal digital and real-life connections that record, in machine or biological (viz. mental) substrates, shared personal and relational histories, communications exchanged, etc.

These identities are the most ⿻ of all we have discussed and have the least common characteristics. They share a few features precisely related to their fragmentation and heterogeneity:

  1. These systems are highly fragmented, currently have limited interoperability, are rarely federated or connected and thus tend to have a very limited scope of application. Emerging standards such as Verifiable Credentials [14] are seeking to address this challenge.
  2. At the same time, these sources of identification are often experienced as the most natural, appropriate and non-invasive. They seem to arise from the natural course of human interactions, rather than from top-down mandates or power structures. They are viewed as highly legitimate, and yet not as a definitive or external source of "legal" identity, often being seen as pseudonymous or otherwise private.
  3. They tend to record rich and detailed, personal information, but in a narrow context or slice of life, clearly separated from other contexts. As a result, they have strong potential recovery methods based on personal relationships.
  4. They tend to have a poor digital user experience; either they are not digitized at all, or the process of managing the digital interface is unfriendly to non-technical users.

While these examples are perhaps most marginal to digital identity, they are also perhaps most representative of its systemic state. Digital identity systems are heterogeneous, generally quite insecure, only weakly interoperable and have limited functionality while allowing entities with concentrated power to engage in extensive surveillance and breaking norms of privacy that in many cases they were established to protect. This problem is increasingly widely recognized, leading to focus in many technology projects on overcoming it.

Public and decentralized digital identity

In sharp contrast to most prominent trends in technology, the most influential developments in identity tools have been in, and/or have targeted as a market, the developing world, often under the banner of "Digital Public Infrastructure". This partly arises from the fact that identity systems are particularly underdeveloped in these countries, creating a strong need for such systems. Perhaps partly as a result, however, these systems have opted to follow a highly unitary and centralizing structure, usually based on biometrics, that, while providing an impressive demonstration of what a digital-native identity infrastructure can accomplish, also falls short of helping richly establish and strongly protect identity.

The most prominent example is the Aadhaar identity system supported by the Indian government as part of the India Stack program. Aadhaar enrollment originally required residents to present some existing type of identification from any number of potential entities, such as existing state-level governments or ration cards (the list was extensive).[15] Each enrollee had a photo taken, each iris scanned and shared all ten fingerprints. The new enrollees had the information associated with their identities checked against the database to see if they had already been enrolled. If unique, they were issued an Aadhaar number which was sent to them in the mail on a card. India's Unique Identification Authority (UIDAI)[16] provides authentication services through special entities that have the capability to authenticate against the database: people who were interacting with government services were able to assert an Aadhaar number and then present a fingerprint that was sent into the system, and a yes/no answer was returned on authentication.

Subsequently, the Indian Supreme Court limited the extent to which the system can be used by the private sector.[17] Nonetheless, Aadhaar has enrolled more than 99% of the Indian population because enrollment agents were paid to maximize enrollment across the country. The government has also made Aadhaar a key part of social service provisioning, including a monthly ration that over 800 million people receive, and has also pushed to link Tax ID numbers (called PANs). It is believed that Aadhaar achieved some of the most impressive mixes of scale, inclusion of marginalized communities and security of any identity scheme in the world. The Aadhaar model has inspired the development of the Modular Open-Source Identity Platform (MOSIP)[18] and its adoption in Asia (e.g. Philippines, Sri Lanka) and Africa (e.g. Uganda, Morocco, Ethiopia). To date, they have enrolled 100 million people. The MOSIP platform has created a decentralized identity module, Inji[19], that gives those who deploy it the ability to issue verifiable credentials into the wallets of residents/citizens enrolled in a given national system.

Partly inspired by this success, a group of technologists including OpenAI Co-Founder Sam Altman and collaborators launched Worldcoin in 2019 with the aim of becoming the first globally universal biometric identity.[20] Using a proprietary "orb", they have scanned the irises of several million people, almost exclusively in developing countries, to date. Harnessing cryptography, they "hash" these scans so that they cannot be viewed or recovered, but any future scan can be checked against them to ensure uniqueness. They use this to initialize an account that they deposit units of a cryptocurrency into. Their mission is to ensure that, as GFMs become increasingly capable of imitating humans, there remains a secure foundation for identity that could be used, for example, to distribute an equal "universal basic income" to every person on the planet or to allow participation in voting and other universal rights.

Despite this strong interest in these broad biometric systems, they have important limits on their ability to establish and protect identities. Linking such a wide variety of interactions to a single identifier associated with a set of biometrics from a single individual collected at enrollment (or registration) forces a stark trade-off. On the one hand, if (as in Aadhaar) the administrators of the program are constantly using biometrics for authentication, they become able to link or see the activities done by the person to whom the identifier points, gaining an unprecedented capacity to surveil citizen activities across a wide range of domains and, potentially, to undermine or target the identities of vulnerable populations.[21] Activists have repeatedly raised concerns over this issue in relation to the status of the Muslim minority in India.

On the other hand, if privacy is protected, as in Worldcoin, by using biometrics only to initialize an account, the system becomes vulnerable to stealing or selling of accounts, a problem that has decimated the operation of related services.[22] Because most services people seek to access require more than proving they are a unique human (e.g. that they have a particular name, an ID number of some type issued to them by a recognized government, that they are a citizen of some country, and maybe some other attributes like educational or employment credentials at a company, etc.) this extreme preservation of privacy undermines most of the utility of the system. Furthermore, such systems place a great burden on the technical performance of biometric systems. If eyeballs can, sometime in the future, be spoofed by artificial intelligence systems combined with advanced printing technology, such a system may be subject to an extreme "single point of failure".[23] In short, despite their important capacity for inclusion and simplicity, biometric systems are too reductive to establish and protect identities with the richness and security required to support ⿻.

Starting from a very different place, another set of work on identity has reached a similarly challenging set of trade-offs. Work on "decentralized identity" grew from many of the concerns about digital identity we have highlighted above: fragmentation, lack of natural digital infrastructure, issues with privacy, surveillance and corporate control. A key founding document was Microsoft identity architect Kim Cameron's "Laws of Identity"[24], which emphasized the importance of user control/consent, minimal disclosure to appropriate parties, multiple use cases, pluralism of participation, integration with human users and consistency of experience across context. Kim Cameron worked on developing the CardSpace[25] system while at Microsoft and this became the InformationCard[26] standards. These did not get market adoption in part because they were too early: smartphones were not widely adopted yet, nor was the idea that such a device could hold a wallet for people.

The emergence of blockchain-distributed ledgers renewed interest in the decentralized identity community in achieving individual control over identifiers rather than being excessively tied to a single issuer. This spurred the creation of the Decentralized Identifiers (DID) standard at the W3C that defines a way to have decentralized globally resolvable endpoints with associated public keys.[27] This creates a way to grant individuals "ownership" over identities, rooted in "public" data repositories such as blockchains, and to create standardized formats for a variety of entities to issue digital credentials referencing these identifiers.

The systems have the flexibility to allow individuals to have multiple accounts/pseudonyms. They also share a common practical challenge, namely that for an individual to truly "own" their identity, they must either control some ultimate key that gives them access to it and/or be able to reliably recover that key without resorting to some higher, controlling authority. Other than possibly biometrics (the problems with which we discussed above), there is no widely agreed method to allow recovery without a trusted authority and no example of keys that individuals have been reliably able to self-manage in large, diverse societies.

Despite these common challenges, the details of these schemes vary dramatically. On one extreme, advocates of "verifiable credentials" (VCs) prioritize privacy and the ability of users to control which of the claims about them are presented at any time. On the other extreme, advocates of "soulbound tokens" (SBTs) or other blockchain-centric identity systems emphasize the importance of credentials that are public commitments to e.g. repay a loan or not produce further replicas of a work of art and thus require that the claims be publicly tied to an identity. Here, again, in both the challenges around recovery and the DID/VC-SBT debate we see the unattractive trade-off between establishing and protecting identities.

Identity as an intersection

Is there a way past this seemingly irreconcilable conflict, ensuring the secure establishment and strong protection of identity without centralized surveillance? The natural answer draws on the tradition of ⿻ we described in Connected Society and The Lost Dao: harnessing the ⿻ nature of identity and the potential of network architectures. Just as packet switching reconciled and actually connected decentralization and performance and hypertext reconciled speed with a diversity of pathways through text, it seems increasingly plausible that, with the right mix of experimentation and standards building, a ⿻ approach to identity could reconcile the goals of establishing and protecting identities.

The basic idea can be understood perhaps most easily by contrast to biometrics. Biometrics (e.g. iris scans, fingerprints, genetic information) is a detailed set of physical information that uniquely identifies a person and that in principle anyone with access to that person and appropriate technology may ascertain. Yet people are not just biological but sociological beings. Far richer than their biometric profile is the set of shared histories and interactions they have with other people and social groups. These may include biometrics; after all, anytime we meet someone in person we at least partly perceive their biometrics, and they may leave traces of others behind. But they are far from limited to them. Instead, they encompass all behaviors and traits that are naturally jointly observed in the course of social interactions, including

  • Location, as the very act of being together in a place implies joint knowledge of others' locations (which is the basis of alibis in forensics) and most people spend most of their time in the detectable vicinity of others.
  • Communication, as it always has at least two participants.
  • Actions, which, whether at work, play or workshop, are usually performed for or in the presence of some audience. As we quoted in our chapter What is ⿻?, this is how Hannah Arendt defines "action".
  • Personality traits, which usually manifest in interactions with other people. In fact, the way we think of others' identities is usually primarily in terms of such "sociometrics": things we did with the person, places we went together, things they did and ways they acted, rather than primarily their appearance or biology.

This social, ⿻ approach to online identity was pioneered by danah boyd in her astonishingly farsighted master's thesis on "faceted identity" more than 20 years ago.[28] While she focused primarily on the benefits of such a system for feelings of personal agency (in the spirit of Simmel), the potential benefits for the balance between identity establishment and protection are even more astonishing:

  • Comprehensiveness and redundancy: Jointly, these data cover almost everything meaningful there is to know about a person; the great majority of what we are is determined by various interactions and experiences shared with others. For almost anything we might want to prove to a stranger, there is some combination of people and institutions (typically many) who can "vouch" for this information without any dedicated strategy of surveillance. For example, a person wanting to prove that they are above a particular age could call on friends who have known them for a long time, the school they attended, doctors who verified their age at various times as well as, of course, on governments who verified their age. Such ⿻ attribute verification systems are fairly common: when applying for some forms of government identification, many jurisdictions allow a variety of attribute-proving methods for addresses including bank statements, utility bills, leases, etc.
  • Privacy: Perhaps even more interestingly, all of these "issuers" of attributes know this information from interactions that most of us feel are consistent with "privacy": we do not get concerned about the co-knowledge of these social facts in the way we would about surveillance by a corporation or government. However, we will be more precise in the next chapter about the sense in which these approaches (should/could) allay privacy concerns.
  • Progressive authentication: While standard verification by a single factor allows the user to gain confidence in the attested fact/attribute equal to their confidence in the verifying party/system, such ⿻ systems allow a wide range of confidence to be achieved by drawing on more and more trusted issuers of attributes. This allows adaptation to a variety of use cases based on the security they require.
  • Security: ⿻ also avoids many of the problems of a "single point of failure". The corruption of even several individuals and institutions only affects those who rely on them, which may be a very small part of society, and even for them, the redundancy described above implies they may only suffer a partial reduction in the verification they can achieve. This is particularly important given the potential risks (as mentioned above) to e.g. biometric systems from advances in AI and printing technology. Given the basis of other verification methods above are much more diverse (a range of communicative acts, physical encounters, etc.) the chances of these all failing based on a particular technological advance are far less likely.
  • Recovery: This approach also offers a natural solution to one of the most challenging problems above: the recovery of lost credentials. As noted there, recovery typically relies on interactions with a single, powerful entity that can investigate the validity of a claim to an account; alternatives based on giving individuals full "ownership" are usually highly susceptible to hacking or other attacks. Yet a natural alternative would be for individuals to rely on a group of relationships allowing, for example, 3 of 5 friends or institutions to recover their key. Such "social recovery" has become the gold standard in many Web3 communities and is increasingly being adopted even by major platforms such as Apple.[29] As we will explore in a later chapter, more sophisticated approaches to voting could make such an approach even more secure by ensuring that distinct parts of an individual's network who are unlikely to cooperate against her interest would together be able to recover her credentials, something we call "community recovery".[30]

The above benefits are remarkable when compared to the trade-offs described above. But essentially they are fairly simple extensions of the benefits we discussed in The Lost Dao that ⿻ structures generally have over more centralized ones, the benefits that motivated the move to packet switching architectures for communications networks in the first place. This is why some of the leading organizations seeking to achieve a future like this, such as the Trust over IP Foundation, draw tight analogies to the history of the creation of the internet protocols themselves. There are of course many technical and social challenges in making such a ⿻ system work:

  • Inter-operation: Making such a system work would obviously require a very wide range of present identity and information systems to interoperate while maintaining their independence and integrity. Achieving this would obviously be a herculean task of coordination, but it is fundamentally a similar one to that underlying the internet itself.
  • Complexity: Managing and processing trust and verification relationships with such a diversity of individuals and institutions is beyond the capacity of most people or even institutions. Yet there are several natural approaches to addressing this complexity. One is to harness the growing capacity of GFMs, trained to adapt to the relationships and context of the individual or institution using the model, to extract meaning from such diverse signals; we discuss this possibility extensively in a later chapter on Adaptive Administration. Another approach is to limit the number of relationships any individual or institution has to manage and rely on either institutions of medium size (e.g. medium businesses, churches, etc.) that play intermediary roles (which Jaron Lanier and one of us have called "mediators of individual data" or MIDs) or on "friends of friends" relationships (which we call "transitive trust") which are known to connect, within a small number of links (roughly six), almost any two people on earth.[31] We will discuss the appeal, trade-offs and compatibility between these two approaches below.
  • Trust at a distance: Another closely related problem is that many of the natural verifiers for strangers we meet may be people who we do not know ourselves. Here again, some combination of using transitive trust and MIDs as we discuss shortly is natural. Currency, as we will discuss in a later chapter of this part of the book, may also play a role here.
  • Privacy: Finally, while most people would feel comfortable with the recording of information from the natural flow of social events above, the sharing of it for verification could pose important privacy issues. Such information is meant to stay in the natural flow of social life and a great deal of care is required to ensure any use of it for identity verification does not violate these norms of "contextual integrity". Addressing this challenge is the focus of the next chapter, as we discuss at the end of this one.

⿻ identity

How can we manage the complexity and social distance involved in ⿻ identity systems? We will return in a future chapter to the potential role of GFMs. Focusing instead on firmly network-based approaches, the two natural strategies correspond to the two types of networks that in The Lost Dao we recounted internet pioneer Paul Baran imagining: "decentralization" (also called "polycentrism", which we will use), where there are many verifiers of significant size but not so many as to create overwhelming complexity, or "distribution", where there are few larger-scale verifiers and we instead use transitive trust to span social distances.[32] A basic heuristic that is useful to keep in mind in considering all these possibilities is the "Dunbar number". This is the number (usually around 150) of people that an anthropologist, Robin Dunbar, argued people could maintain stable relationships with absent significant information technology.[33] Whatever the precise number is, it seems clear most people cannot manage more than a few hundred relationships, evaluation of reputation, etc. without significant technological assistance.

The polycentric approach tries to manage this problem by limiting the number of players. While this obviously limits ⿻ some, it is not a major problem as long as participants maintain a reasonable diversity of affiliations. Suppose, for example, that we have a population of 10 billion, and each person maintains 100 relationships with potentially verifying institutions (e.g. governments, churches, employers etc.). Suppose that to have a reasonable chance for verification to work, any two-person meeting must share at least 5 overlapping memberships. If memberships are randomly distributed, 300 verifiers could co-exist and still allow the chance that verification fails for any random pair of individuals to be one in several million. Of course, individuals who meet are rarely random nor do they form their affiliations randomly, nor are 5 overlapping memberships likely to be absolutely necessary for most interactions, especially among people meeting randomly. All of these suggest many more verifiers could thrive in such an environment of ⿻ memberships.

Yet this number would clearly be far smaller than the population size, perhaps around 100,000, the number that goes into 10 billion exactly 100,000 times (that is, its square root). This would be vastly more ⿻ than our current identity landscape, allowing a far better trade-off between autonomy/control and functionality/security. But is even more possible?

One of the most important discoveries in quantitative sociology is that, despite Dunbar-like limits, by traversing a few degrees of separation most humans are connected to each other. To see how this is possible, suppose that each of us can only maintain 100 relationships. This would imply that we might have 100^2=10,000 second-degree relationships, 100^3=1,000,000 third-degree relationships, 100^4=100,000,000 fourth-degree relationships and 100^5=10,000,000,000 fifth-degree relationships, greater than the global population. Thus it is entirely possible that each of us could be within 5 degrees of separation from every other person on the planet. Given that some of these relationships will, at any level, overlap, the number of degrees of separation should be somewhat larger: most sociological studies have found roughly 6 degrees of separation between any two randomly chosen people.[34] Furthermore, at least if one goes to chains of 7, there are usually many mostly independent chains of social connection between any two people.

Furthermore, the idea of establishing relationships, information and validity through transitive chains is ancient and common. It lies behind the concept of an introduction, the game "telephone" (which emphasizes some of its limitations) and the popular professional social network LinkedIn. Finding and managing the many possible chains of introductions between socially distant people clearly requires some technical support, but nothing much greater than has already been shown possible by computer science research where it is known as the classical "maximum flow" problem. The problem is actually quite similar to that underlying the packet switching that powers the internet.
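
The maximum-flow formulation mentioned above, as an added example that is not from the book: counting the mutually independent chains of introduction between two people, which by Menger's theorem is also the smallest number of intermediaries whose corruption would sever every chain. The graph, the names in it and the function name are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: who has a direct relationship with whom.
TRUST_EDGES = [
    ("mulu", "school"), ("mulu", "clinic"), ("mulu", "neighbor"),
    ("school", "ngo"), ("clinic", "ngo"), ("neighbor", "ngo"),
    ("school", "agency"), ("ngo", "official"), ("agency", "official"),
]

def independent_chains(edges, source, target):
    """Count chains from source to target that share no intermediary (max flow)."""
    cap = defaultdict(int)      # residual capacity per directed arc
    adj = defaultdict(set)      # neighbours in the residual graph

    def add_arc(u, v, c):
        cap[(u, v)] += c
        adj[u].add(v)
        adj[v].add(u)           # reverse arc so flow can be rerouted

    people = {p for edge in edges for p in edge}
    for p in people:
        # Split each person into in/out halves: an intermediary may sit on one chain only.
        limit = len(people) if p in (source, target) else 1
        add_arc((p, "in"), (p, "out"), limit)
    for a, b in edges:          # a relationship can carry an introduction either way
        add_arc((a, "out"), (b, "in"), 1)
        add_arc((b, "out"), (a, "in"), 1)

    s, t = (source, "out"), (target, "in")
    flow = 0
    while True:
        # Breadth-first search for an augmenting path (Edmonds-Karp).
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow         # no further chain exists
        v = t
        while parent[v] is not None:    # push one unit of flow along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

if __name__ == "__main__":
    print(independent_chains(TRUST_EDGES, "mulu", "official"))
```

In the sample graph three relationships lead out from "mulu", yet only two chains are independent because two of the routes converge on "ngo"; a verifier weighing transitive trust should count the independent chains, not the apparent ones.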

Furthermore, the decentralized and distributed strategies can be combined to greatly amplify each other. To take a simple example, consider our suggestion above that there might be 100,000 issuers of attributes. In a world of 10 billion, each would have to be managing relationships with 100,000 participants, on average. If they were also able to manage a similar number of relationships with other issuers, every issuer would have a direct relationship with every other issuer. Two degrees of separation could do far more, allowing millions of issuing organizations to thrive under the same logic that can leverage the attributes from other issuers to do verification. Thus a mixture of transitive trust and polycentrism can quite easily allow, even without any of the magic of GFMs we discuss below, a highly ⿻, and thus both functional and private, identity landscape.

Identity and association

The key question that then remains is whether the process of such ⿻ social verification would end up undermining the protection of identities. After all, precisely this fear is a core part of why liberal democratic polities have resisted the creation of identity systems, and thus of why we have such a dysfunctional identity landscape. If we are to build better alternatives, we need to ensure they are better most of all along this dimension. Yet, to do so requires us to dig deeper into what precisely "privacy" and "control" mean from a ⿻ perspective.

As we noted above, almost everything relevant about us is known by others and is typically just as much about them as us. None of us feels this bare fact as an infringement on privacy. In fact, erasing the memory of our first kiss from the mind of the partner to that kiss would be just as much a violation of privacy as would one of us sharing that information inappropriately. What we are after, therefore, is not well-described by the term "privacy". It is about information remaining in the social setting for which it was intended, what leading privacy scholar Helen Nissenbaum calls "contextual integrity".[35] In fact, it requires a certain kind of publicity: if information is not shared and understood by those for whom it is intended, this can be as damaging as if information is over-shared. Given that these are inherently social settings, furthermore, they are not primarily about individual choice or protection, but rather the protection of groups of people against violations of their collective norms about information. In short, the central problems are about another fundamental right: the freedom of association. In essence, systems supporting and implementing the right of personhood must simultaneously bolster the freedom of association, and the dual challenges of establishing and protecting associations parallel those in the identity context.

  1. Peter Steiner, "On the Internet, nobody knows you're a dog" The New Yorker July 5, 1993. ↩︎

  2. Vitalik Buterin, "On Nathan Schneider on the Limits of Cryptoeconomics", September 26, 2021 at ↩︎

  3. Puja Ohlhaver, Mikhail Nikulin and Paula Berman, "Compressed to 0: The Silent Strings of Proof of Personhood", 2024 available at ↩︎

  4. For example, the International Civil Aeronautics Organization that oversees international commercial air travel developed a Guide to [Evidence of Identity], available at ↩︎

  5. A leading open standard that allows this is OAuth (Open Authorization), an Internet Engineering Task Force open standard published originally as RFC 5849 in 2010 and then updated to OAuth 2.0 as RFC 6749 in 2012. ↩︎

  6. See Carolyn Puckett, “The Story of the Social Security Number,” Social Security Administration, July 2009. See also Kenneth Meiser, “Opening Pandora’s Box: The Social Security Number from 1937-2018,” UT Electronic Theses and Dissertations, June 19, 2018, ↩︎

  7. Willis Hare, “Records, Computers and the Rights of Citizens,” Rand Corporation, August 1973. ↩︎

  8. See “Social Security Numbers: Private Sector Entities Routinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information.” United States General Accounting Office, 2004. (GAO Report to the Chairman, Subcommittee on Social Security, Committee on Ways and Means, House of Representatives). See also Barbara Bovbjerg, “Social Security Numbers: Federal and State Laws Restrict Use of SSNs, yet Gaps Remain,” United States General Accounting Office, 2005, (GAO Testimony Before the Committee on Consumer Affairs and Protection and Committee on Governmental Operations, New York State Assembly.) ↩︎

  9. “News Release: DHS Awards for an Alternative Identifier to the Social Security Number,” US Department of Homeland Security, October 9, 2020, ↩︎

  10. OAuth 2.0 is the industry-standard protocol for authorization and provides specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. IETF Working Group ↩︎

  11. OpenID Connect enables application and website developers to launch sign-in flows and receive verifiable assertions about users across Web-based, mobile, and JavaScript clients. ↩︎

  12. ↩︎

  13. Kaliya "Identity Woman" Young, Domains of Identity: A Framework for Understanding Identity Systems in Contemporary Society (London: Anthem Press, 2020). ↩︎

  14. Verifiable Credentials Data Model v1.1 W3C Recommendation 03 March 2022 ↩︎

  15. They were asked for only 4 pieces of demographic information, name, birthdate, sex and physical mailing address (although phone numbers and e-mail addresses were also requested but not required). These are collected by enrollment agents who send the new enrollee information into the central databases managed by the Unique Identification Authority of India in batches. ↩︎

  16. The official UIDAI site ↩︎

  17. Read: Full Text of the Supreme Court's Verdict in the Aadhaar Case. Of the five judge-bench that delivered the verdict, three justices delivered separate opinions. ↩︎

  18. “Overview,” MOSIP, 2021, ↩︎

  19. Inji is a user-centric digital credential stack in MOSIP for all types of credentials and identification solutions. ↩︎

  20. Elizabeth Howcroft and Martin Coulter, “Worldcoin Aims to Set up Global ID Network Akin to India’s Aadhaar,” Reuters, November 2, 2023, ↩︎

  21. It is worth noting, however, that if such systems are augmented with cryptography such as Zero-Knowledge Proofs (ZKPs), they can partially protect the user's privacy. Projects such as Anon-Aadhaar allow an Aadhaar user to selectively reveal only a subset of information to some entity in a provable way. “Advancing Anon Aadhaar: What’s New in V1.0.0,” Mirror, February 14, 2024, ↩︎

  22. Ohlhaver et al., op. cit. ↩︎

  23. Vitalik Buterin, "What Do I Think about Biometric Proof of Personhood?" July 24, 2023 at ↩︎

  24. Kim Cameron, “7 Laws of Identity,” Kim Cameron’s Identity Weblog, August 20, 2009, ↩︎

  25. Wikipedia, “Windows CardSpace,” December 14, 2023, ↩︎

  26. Wikipedia, “Information Card,” January 25, 2024, ↩︎

  27. “Decentralized Identifiers (DIDs) V1.0,” W3C, July 19, 2022, ↩︎

  28. danah boyd, Faceted Id/entity: Managing Representation in a digital world 2002, Masters Thesis for Program in Media Arts and Sciences at the Massachusetts Institute of Technology, available at ↩︎

  29. Vitalik Buterin, "Why We Need Broad Adoption of Social Recovery Wallets", January 11, 2021 at ↩︎

  30. Puja Ohlhaver, E. Glen Weyl and Vitalik Buterin, "Decentralized Society: Finding Web3's Soul", 2022 at ↩︎

  31. Jaron Lanier and E. Glen Weyl, "A Blueprint for a Better Digital Society" Harvard Business Review: Big Idea Series (Tracked) September 28, 2018: Article 5 available at Duncan J. Watts and Steven H. Strogatz, "The Collective Dynamics of 'Small World' Networks" Nature 393 (1998): 440-442. ↩︎

  32. Cameron, op. cit. ↩︎

  33. R.I.M. Dunbar, "Neocortex Size as a Constraint on Group Size in Primates", Journal of Human Evolution 22, no. 6 (1992): 469-493. ↩︎

  34. Watts and Strogatz, op. cit. ↩︎

  35. Helen Nissenbaum, "Privacy as Contextual Integrity", Washington Law Review 119 (2004): 101-139. ↩︎