Kirk Klasson

Identity and Sovereignty

A couple weeks back, both VentureBeat and Techcrunch published pieces on a new entity called Hu-manity.co; the word entity seems apt as Hu-manity.co appears to be an amalgam of philosophies, concepts, technologies, foundations and flat-out, for profit dot.com opportunism.

The press mentions were coincident with the announcement of Hu-manity.co’s new application #My31. Built on top of the open sourced version of IBM’s Hyperledger blockchain technology, #My31 is Hu-manity.co’s take on how digital identity is supposed to work. Philosophically, the name, #My31, is meant to reflect the notion that personal identity is one of the 30 or so rights outlined by the United Nations charter on human rights and that the ownership of that identity is sovereign to each individual, a goal the UN would like to achieve no later than 2030. Few, if any, sovereign nations fully subscribe to the UN Charter on human rights and none explicitly endorse the notion of digital identity as being exclusively sovereign to each individual. But, as Eleanor Roosevelt pointed out, you got to start somewhere.

Conceptually, Hu-manity.co is a node or a cog in a much larger decentralized, digital blueprint that is part of the Sovrin Foundation’s Provisional Trust Framework. Sovrin, a self-described non-profit, international public utility, whose charter is the promotion and governance of self-sovereign identity, emerged a couple of years ago based on work conceived and codified by Evernym, a platform for decentralized identity using Distributed Ledger Technology (DLT) that was subsequently donated to the Sovrin Foundation and the open source community. But Sovrin is by no means the only foundation/platform/project/standard out there that is seeking to attract the attention and ultimately the consolidation of parties interested in the success of a completely independent, self-sovereign, distributed identity (DID) facility. Projects or companies that share this interest and in some cases common architectural, structural and governance elements include uPort, Civic, Blockstack, Veres One and a gaggle of other related initiatives.

Leaving aside the technical minutiae, the basic idea behind self-sovereign identity is that the authenticity of any unique identity can be established based on the trusted verification of a personal digital identity and attestation of a preponderance of transaction-generated verifiable claims (“the Ledger”) rather than an established, credentialed, centralized authority (think DNS or Google or Facebook, whose recent breach adds serious weight to this concept). The theory behind all this maintains that by removing the centralized authority, the sovereignty of any identity remains with the entity that created it. But nothing is ever quite that simple. Each of the players contesting for leadership in this arena is adamant about ditching centralized, commercial identity authorities for individual ownership so long as those individual owners, and the agents that act to verify their identities and claims, all subscribe to a common consensus distributed ledger platform. Currently, although all these contenders promote interoperability as a goal, if there is a fork (as in the path or codebase) in the future of these initiatives it will turn on the subscription to a particular DLT or favorite flavor of blockchain (“the Ledger”). So to achieve independence from centralized, commercial identity authorities you are going to have to pick a new, centralized DLT or blockchain technology and centralized governance structure to go along with it. Go figure.

Altruism, what’s in it for me?

So far, so good. But you still need a trusted authority to create an entity’s claim to a specific digital identity. And that’s where #My31 comes in. In Sovrin Foundation parlance, Hu-manity.co is a Trust Anchor, one of many roles outlined in Sovrin’s “web-of-trust” framework. In fact, if you read the Sovrin Foundation’s charter what you discover is that it is really long on governance and really short on just about everything else; Big Hat but not a lot of Trust Anchors to hang it on. And that is a non-trivial impediment to Sovrin’s overall success as well as the success and adoption of all the other players in this particular space. The other important aspect of a Trust Anchor is that it allows the entity owner to specify what and how additional information about the owner can be shared and what rules must be followed to provide such consent. This is a key feature for things like coarse and fine-grained consent in aiding compliance under GDPR rules of engagement. This alone is going to take some time to sort out; however, if vanity plates are your idea of self-actualization, and you’re interested in monetizing your health care data, then by all means rush on over to Hu-manity.co and claim your digital identity now.

Source: Sovrin’s Provisional Trust Framework ontological schema for digital identities

 

If you subscribe to the notion that an entity’s identity can be authenticated by a preponderance of distributed verifiable claims then you need a boatload of verifiable claims to create a meaningful preponderance. Sovrin, Veres One and Civic all outline and require a well defined eco-system of specific partners or services in order to complete their functionality at specified levels of performance. The Sovrin Framework articulates and codifies a significant number of specific concepts and roles that need to be adhered to and provisioned in order to achieve any meaningful critical mass. For instance, it enumerates the role of a Sovrin Service Provider which could be a Steward, an Agency or a Developer, and each of these could, in turn, fulfill all or just one of these roles. To date Sovrin has declared that it has recruited 21 Stewards to help build out its blueprint. By its own admission, it will need thousands if not hundreds of thousands of these players to achieve any kind of critical mass, the well-oiled preponderance that can make verifiable attestation and this concept a viable reality.

Source: Sovrin’s “web-of-trust” ecosystem enumerating projected roles and number of players.

 

One small but important factor in provisioning of Sovrin’s global web-of-trust is the motivation of the players to actually participate. Fortunately, Sovrin has given this a good deal of thought and like many trust brokers (see Anonymity – Ain’t What It Used to Be – August 2017) has come up with a “Sovrin token” whereby issuers and verifiers of authenticity can be compensated along with the individuals and entities that actually own specific digital identities or services. It appears that Sovrin, as most of its rivals, will maintain control over “the ledger” and through that control generate fees from other users and service providers. Further, while short on details, Sovrin proposes that services such as claims validation will be facilitated by a “trust market” of their own making where the value of such exchanges of information could be established as a function of supply and demand. Sovrin’s funding to date appears to be a combination of VC backing and debt. There may be some private, sponsorship funding as well. Other self-sovereign schemes incorporate ICO funding as part of their initial pre-revenue build-out.

Source: Veres One allocation of ICO funds pre-revenue suggesting which segments of a self-sovereign identity eco-system will consume what degree of funding in order to achieve critical mass

 

One of the major challenges for all of these contenders is how to price, monetize and incentivize global trust services in a pre-volume and sustaining critical mass environment. If services are forward priced to attract individual, identity consumers there may not be much incentive on the part of service providers to join any particular initiative. If service providers are financially incentivized by “ledger owners” in advance of sustainable volumes, the entire scheme might be subject to intolerable financial risk and a single missed quarter could cause the roof to fall in. And if, as Sovrin has proposed, the only way to make this work is to become an international public utility or non-profit consortium the freedom to price services and independently achieve a successful economic model will ultimately rest with sovereign governments and their agents. What could possibly go wrong with that?

The common architectural components in each of these initiatives suggest that they could all provide various levels or degrees of trust, some rudimentary levels that could be teased out of the underlying technology platform while deeper levels of trust could be provided by fee-based entities and relationships. If we assume that the underlying technology, “the Ledger” that maintains the custody and veracity of the transactions, is a primary source of authenticity, one might argue that it should be an open, queryable, no-cost facility, such that any interested party could posit “does such and such identity exist?” and have “the Ledger” and Trust Anchors resolve and provide an accurate and verifiable response. Interested parties might also ask “does such and such identity exist and if so how would you prove it?” without actually divulging any of the pertinent transactions or verifiable claims (zero-knowledge proofs or zk-SNARKs). If we took this one step further and posed the query “does such and such identity exist and could they afford to purchase an Aston Martin Vanquish?” (see Who’s Zoomin’ Who? – October 2015), we would get kicked into a market for verifiable credit claims where we could negotiate and secure an answer for a fee.

As we pointed out back in “Privacy, Blockchain and Balkanization” this would make “the Ledger” along with associated Trust Anchors the attestable custodians of Personally Identifiable Information (PII) for privacy as well as GDPR purposes. As a trusted custodian, the ledger could then be used to audit attested claims as well as user consent. For instance, let’s say that Unilever Global wants to launch a new line of cosmetics and it believes that Facebook user data might be a prime part of the targeted demo. It could compare the Facebook data to the trust anchor and ledger data to determine if consent for such purposes had indeed been secured from individual users prior to launching the campaign. Similar “data audits” could be conducted on other identity authorities such as Google or Axiom or Equifax to establish whether or not user consent had been obtained prior to disclosing any PII for specific commercial initiatives.

Whose identity is it anyway?

Just to be clear, sovereign, individual, digital identity and self-sovereign identity are by no means the same thing. Not even close. The latter is a potentially useful technological construct and the former is an inalienable endowment of personhood. Under self-sovereign identity, not just people but things, organizations, entities and aliases could all be assigned a unique, digital identity. There’s some speculation that with the arrival of 50 billion network attached devices, the Identity of Things will become far more important than the Internet of Things in the not too distant future. However, when it comes to the inalienable endowment of personhood, rooted no less than in the very DNA of every individual, there is probably only one way to obtain sovereign, individual, digital identity. It must be conferred. And the entity that confers it must also be sovereign with the will and capability to protect that endowment and all that it entails.

This will no doubt be another case of careful what you wish for.

China’s a pretty big and very sovereign entity. China recently announced that your “identity” will, in part, be made up of a composite score of your social behavior. Jaywalk one too many times in Beijing and you won’t be taking the high-speed rail to Guangzhou anytime soon to visit grandma. The United Nations, another self-proclaimed sovereign entity, hasn’t the ability to enforce its existing human rights charter, with or without the addition of #31. And here, in the land of the free and the home of the brave, where Congress struggles to define the contours of digital privacy, there isn’t a single business or technology entity willing to divulge what personally identifiable information they may have of yours up to and including the United States government, who just so happens to have issued your original credentials.

Google, who knows more about you than your own mother and whose tag line has morphed from “don’t be evil” to “don’t get caught”, in an effort to demonstrate good faith, recently published its very own “Framework for Responsible Data Protection Regulation”. This is their way of getting in front of what is becoming a global initiative to kick the likes of Google and Facebook out of the data curation, personal information and global repository for the “record of everything” business. Apart from a general lack of specifics and accountability there are a couple of suggestions that will likely attract the attention of regulators everywhere. For instance, there is this gem. “Organizations must provide appropriate mechanisms for individual control…(however) this does not require specific consent…for every use of data.” Or how about this one. “geographic restrictions on data storage undermine security, service reliability and business efficiency,… privacy regulation should support cross-border data transfer and … not national boundaries”. Or this one. “Regulators should encourage organizations to actively inform individuals about data use…”. Encourage is a really long way from insist and even a whole lot further from mandate. What this framework makes clear is that the only sovereignty that Google is willing to provide to an individual’s identity is the one that it and it alone will confer.

Every journey…

Given where we are, self-sovereign identity seems like a promising next step. But what is also clear is that its success will only be achieved if social, regulatory and economic incentives are aligned under existing sovereign self-interests. Coalescence of rival technology initiatives could be accelerated through governmental certification of technology standards. Economic incentives could be achieved through sovereign investment and tax relief for participating entities. Global regulation of privacy frameworks could be harmonized and enforced. Public privacy utilities could be commissioned and deployed where harmonized privacy frameworks exist. Corporate possession of PII could be tightly controlled, strictly licensed and in most instances only allowed under explicit user consent.

The road to sovereign, individual, digital identity by no later than 2030 is clearly achievable so long as well-intentioned sovereign entities have the will to see it through to completion. While by no means a modest goal or insignificant effort, as Eleanor Roosevelt once pointed out, you got to start somewhere.

 

Cover graphic, fragment, courtesy of royalty free, stock photos, all other images, statistics, citations, etc. derived and included under fair use/royalty free provisions.

 

 
