Some ruminations on decentralization of identifications

It’s tax season, which has me thinking about one of decentralized technology’s holy grails: self-sovereign identities. It’s a stirring vision, of a world in which control over our driver’s licenses, passports, birth certificates, social security numbers — the table stakes to participate in the modern economy — rests in our hands, rather than those of the governments that issue them and the companies that demand them. A world in which the tools of identity are as accessible to a stateless refugee as they are to an investment banker.

The concept was most eloquently explained by Christopher Allen in his essay “The Path To Self-Sovereign Identity” a few years ago. That piece recapitulates the history of online identity: the hierarchically dictated identities of the Domain Name System and certificate authorities, still in use today; the idealistic, impractical “Web of Trust” of PGP; and OpenID and OAuth. It then argues that the next phase of identity is self-sovereign identity, and itemizes its ten core principles: independent existence, user control, user access, transparent systems, long lives, transportable services, wide usability, user consent, minimized disclosure, and protected rights.

“Sounds great,” I hear you saying, “but what exactly does that all mean?” When you boil that stirring set of concepts and principles down to “what actually happens at the DMV after it switches to self-sovereign identities,” it probably — though there are conflicting visions — looks like this. Warning: blockchain ahead.

  1. Your unique, global, personally controlled “identity” is an account on a global shared datastore not beholden to any government or organization. (I told you a blockchain was coming.) You access this account via the knowledge of a secret series of words, which can be transformed into a cryptographic private key.
  2. You bring your phone — on which you’ve already unlocked your identity — to the DMV, and have it convey to their systems the identification they need. Today, I would need my physical green card, with my photo, and two physical proofs of address — say, one each from PG&E and Chase Bank. In a self-sovereign world, I wouldn’t need any documents at all. I wouldn’t even need my own phone; any trusted piece of hardware with access to that decentralized system would do. That “identity account” would already include attestations from the US government, PG&E, and Chase, stating e.g. “Chase Bank confirms that Jon is known to receive physical mail at this address,” signed with Chase’s own unforgeable private key.
  3. I would approve the sharing of those attestations — and only those relevant for this particular mission; the DMV needs my address, but doesn’t need my bank account balance or my credit rating. My green-card attestation would include the photo of me taken during that process. The DMV would then take their own photo of me, and…
  4. send to me their own attestation, “Jon is licensed to drive cars and motorcycles for noncommercial purposes in California until 1 April 2024, and this is a picture of him as of 1 April 2019,” signed by their own private key. My phone would then verify this attestation (presumably transferred to me as something like a QR code) and attach it to my own global identity account.
  5. When carded at a bar, I would then provide that photo and the attestation of my age. If pulled over by the police, I’d provide all the legally required information regarding my identity and registration … and no more.
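To make steps 1 through 5 concrete, here is an added example of my own (not code from the post, nor from Sovrin, uPort, Keybase or any other project) in Go, using only the standard library's Ed25519. Two hypothetical issuers, labelled "USCIS" and "Chase", sign each claim separately with their own private keys; the holder presents only the claims the DMV asked for; and the DMV verifies those against a registry of issuer public keys, rejecting tampered, expired or wrong-subject claims. The issuer names, the sample address and the photo-hash placeholder are constructed values, and the example leaves out the shared datastore itself and the holder's proof that they control the subject key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Claim is one statement an issuer makes about a holder. Issuers sign every
// claim separately, so the holder can later present any subset of them.
type Claim struct {
	Issuer  string `json:"issuer"`  // name the verifier looks up in its registry
	Subject string `json:"subject"` // hex of the holder's identity public key
	Key     string `json:"key"`     // e.g. "address"
	Value   string `json:"value"`
	Expires string `json:"expires"` // YYYY-MM-DD, so string comparison orders dates
	Sig     []byte `json:"-"`       // issuer's Ed25519 signature; excluded from the signed bytes
}

// canonical is the exact byte string that is signed and verified; encoding/json
// emits the fields in declaration order, so it is deterministic for a claim.
func canonical(c Claim) []byte {
	b, _ := json.Marshal(c) // cannot fail for a struct of plain strings
	return b
}

// Issue signs each claim with the issuer's private key (runs on the issuer's side).
func Issue(priv ed25519.PrivateKey, claims []Claim) []Claim {
	for i := range claims {
		claims[i].Sig = ed25519.Sign(priv, canonical(claims[i]))
	}
	return claims
}

// Present keeps only the claims the relying party asked for; everything else in
// the wallet (e.g. a bank balance) never leaves the holder's device.
func Present(wallet []Claim, wanted []string) []Claim {
	var out []Claim
	for _, c := range wallet {
		for _, k := range wanted {
			if c.Key == k {
				out = append(out, c)
			}
		}
	}
	return out
}

// Verify runs on the relying party's side: every presented claim must be about
// the expected subject, signed by a registered issuer and unexpired, and every
// required key must be present. It returns the accepted key->value map.
func Verify(registry map[string]ed25519.PublicKey, subject, today string,
	presented []Claim, required []string) (map[string]string, error) {
	got := map[string]string{}
	for _, c := range presented {
		pub, ok := registry[c.Issuer]
		switch {
		case !ok:
			return nil, fmt.Errorf("unknown issuer %q", c.Issuer)
		case c.Subject != subject:
			return nil, fmt.Errorf("claim %q is about a different subject", c.Key)
		case c.Expires < today:
			return nil, fmt.Errorf("claim %q has expired", c.Key)
		case !ed25519.Verify(pub, canonical(c), c.Sig):
			return nil, fmt.Errorf("bad signature on claim %q", c.Key)
		}
		got[c.Key] = c.Value
	}
	for _, k := range required {
		if _, ok := got[k]; !ok {
			return nil, fmt.Errorf("missing required claim %q", k)
		}
	}
	return got, nil
}

// DMVScenario plays out the visit from the text with freshly generated keys and
// constructed sample values (hypothetical issuer names, not real institutions' keys).
func DMVScenario() (map[string]string, error) {
	holderPub, _, _ := ed25519.GenerateKey(rand.Reader)
	uscisPub, uscisPriv, _ := ed25519.GenerateKey(rand.Reader)
	chasePub, chasePriv, _ := ed25519.GenerateKey(rand.Reader)
	jon := hex.EncodeToString(holderPub)
	wallet := append(Issue(uscisPriv, []Claim{
		{Issuer: "USCIS", Subject: jon, Key: "photo", Value: "sha256:<photo-hash-placeholder>", Expires: "2029-12-31"},
	}), Issue(chasePriv, []Claim{
		{Issuer: "Chase", Subject: jon, Key: "address", Value: "1 Example St, Oakland CA", Expires: "2020-12-31"},
		{Issuer: "Chase", Subject: jon, Key: "balance", Value: "12345.00", Expires: "2020-12-31"}, // never requested
	})...)
	registry := map[string]ed25519.PublicKey{"USCIS": uscisPub, "Chase": chasePub}
	required := []string{"photo", "address"}
	return Verify(registry, jon, "2019-04-01", Present(wallet, required), required)
}

func main() { fmt.Println(DMVScenario()) }
```

The design point worth noticing is that because each attestation carries its own signature, selective disclosure costs nothing: the balance claim simply stays in the wallet, and the DMV has no way to tell it exists. The price is that the verifier must trust a registry of issuer keys, which is exactly the buy-in from existing institutions discussed next.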

You’ll notice that this “decentralized” solution requires buy-in from the State of California, PG&E, and JP Morgan Chase … i.e. the current centralized providers of identity information. Let’s suppose, for the sake of argument, that they’re willing to participate in this system, sign and use digital attestations, etc. Certainly enterprises are at least interested in the notion.

The advantages are significant. Identity theft would become vastly more difficult; knowing my social security number and address would do no good if the thief couldn’t sign them as me. The estimated billion people on Earth with no formal documents could begin chains of attestations, starting with local establishments who know them personally, or the UN High Commission on Refugees, which could in time accumulate into something solid enough to build credit and formally own property. Best of all, as long as you remembered your mnemonic phrase, you would literally carry all of your ID in your head, and would only ever need a cheap burner phone to use them. It would be a world devoid of any fear of losing your passport / green card / driver’s license / credit cards.

(You’ll note that Apple Card is a half-step towards such a world…)

Online, persistent passwords could be replaced by one-time-use ones — something as simple as signing a salted timestamp with a private key (well, in practice probably a revocable intermediate key) and having the site in question check that signature against your identity account’s public key. Phishing would become a thing of the past, because no password would or even could ever be used twice.
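Here is an added Go example, my own and not from the post, of that one-time login: the site issues a random salt, the wallet signs the salt together with the current timestamp using the identity's private key, and the site checks the signature against the registered public key, enforces a freshness window, and retires the salt so the same login can never be accepted a second time. The account name, the two-minute skew window and the injectable clock are my assumptions, and it signs with the identity key directly rather than the revocable intermediate key the paragraph mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Login is the client's one-time credential: the account, the server-issued
// salt, the time of signing, and a signature over salt||timestamp. It contains
// no reusable secret, so capturing one (phishing, logs, shoulder-surfing) buys nothing.
type Login struct {
	UserID    string
	Salt      []byte
	Timestamp int64 // Unix seconds
	Sig       []byte
}

// signedBytes fixes the exact encoding both sides sign and verify.
func signedBytes(salt []byte, ts int64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(ts))
	return append(append([]byte{}, salt...), buf[:]...)
}

// Server stores each account's public key and the salts it has issued but not
// yet redeemed; a salt disappears the moment a login using it is accepted.
type Server struct {
	keys   map[string]ed25519.PublicKey
	issued map[string]bool
	window time.Duration    // allowed clock skew between client and server
	now    func() time.Time // injectable clock so the flow can be tested deterministically
}

func NewServer(now func() time.Time) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, issued: map[string]bool{}, window: 2 * time.Minute, now: now}
}

// Register records the public key from the user's identity account.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge hands the client a fresh random salt. Each salt can be redeemed once.
func (s *Server) Challenge() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.issued[hex.EncodeToString(salt)] = true
	return salt
}

// ClientSign runs in the wallet: it signs the salt and the current time with
// the identity's private key. The key itself never leaves the device.
func ClientSign(user string, priv ed25519.PrivateKey, salt []byte, now time.Time) Login {
	ts := now.Unix()
	return Login{UserID: user, Salt: salt, Timestamp: ts, Sig: ed25519.Sign(priv, signedBytes(salt, ts))}
}

// Authenticate accepts a Login only if its salt is outstanding, its timestamp is
// fresh and its signature verifies under the account's public key. Accepting it
// consumes the salt, so the same Login can never be accepted twice.
func (s *Server) Authenticate(l Login) error {
	id := hex.EncodeToString(l.Salt)
	if !s.issued[id] {
		return errors.New("salt unknown or already used (replay?)")
	}
	pub, ok := s.keys[l.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	if skew := s.now().Sub(time.Unix(l.Timestamp, 0)); skew > s.window || skew < -s.window {
		return errors.New("timestamp outside freshness window")
	}
	if !ed25519.Verify(pub, signedBytes(l.Salt, l.Timestamp), l.Sig) {
		return errors.New("bad signature")
	}
	delete(s.issued, id)
	return nil
}

func main() {
	// Constructed demo: one account, one successful login, then the same Login replayed.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(time.Now)
	srv.Register("jon", pub)
	login := ClientSign("jon", priv, srv.Challenge(), time.Now())
	fmt.Println("first attempt: ", srv.Authenticate(login))
	fmt.Println("replay attempt:", srv.Authenticate(login))
}
```

The server-issued salt is what makes the credential one-time: the timestamp alone would leave a window of a few minutes in which a captured login could be replayed, whereas retiring the salt closes it on the first use. What this scheme does not do is bind the login to the site's own identity, so a wallet that would sign any challenge presented to it could still be tricked into signing one relayed from elsewhere; in practice the signed bytes should also name the site.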

The complexities and disadvantages are also, to understate, nontrivial. In the case of losing or being forced to surrender your identity key, you could have a “social recovery” procedure in which, say, a majority of 5 out of 7 people, chosen by you, presumably very close and trusted, would have the power to recover or rotate your identity key, rendering your old one useless… but this is obviously much more difficult and fault-prone than going to a centralized power who can fix you up with the stroke of a single key.
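As an added Go example of the social recovery the paragraph sketches (my own illustration, not from the post or any project): seven guardian keys, a 5-of-7 threshold, and a key rotation that goes through only when five distinct guardians have signed the same rotation message. It models recovery as guardians approving a replacement key rather than as splitting the old key into shares, which is one of several ways to build this; the epoch counter, the message format and the index-based guardian list are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Identity is the record a shared datastore would hold: the key currently in
// control, the guardians who may replace it, and how many must agree. Epoch
// increases on every rotation so approvals for an old rotation cannot be replayed.
type Identity struct {
	Current   ed25519.PublicKey
	Guardians []ed25519.PublicKey
	Threshold int
	Epoch     uint64
}

// Approval is one guardian's vote: which guardian (index into Guardians) and
// their signature over the rotation message.
type Approval struct {
	Guardian int
	Sig      []byte
}

// rotationMessage is what every guardian signs. It binds the epoch, the key
// being replaced and the replacement, so a signature is good for exactly one
// specific rotation of one specific identity.
func rotationMessage(id *Identity, newKey ed25519.PublicKey) []byte {
	var epoch [8]byte
	binary.BigEndian.PutUint64(epoch[:], id.Epoch)
	msg := append([]byte("rotate:"), epoch[:]...)
	msg = append(msg, id.Current...)
	return append(msg, newKey...)
}

// GuardianApprove runs on a guardian's own device with their own private key.
func GuardianApprove(id *Identity, guardian int, priv ed25519.PrivateKey, newKey ed25519.PublicKey) Approval {
	return Approval{Guardian: guardian, Sig: ed25519.Sign(priv, rotationMessage(id, newKey))}
}

// Rotate replaces the identity key when at least Threshold distinct guardians
// have validly approved this exact rotation; anything else leaves it unchanged.
// The old key is never consulted, which is the point: it may be lost or in
// someone else's hands.
func Rotate(id *Identity, newKey ed25519.PublicKey, approvals []Approval) error {
	msg := rotationMessage(id, newKey)
	seen := map[int]bool{}
	for _, a := range approvals {
		if a.Guardian < 0 || a.Guardian >= len(id.Guardians) || seen[a.Guardian] {
			continue // out of range, or the same guardian voting twice
		}
		if ed25519.Verify(id.Guardians[a.Guardian], msg, a.Sig) {
			seen[a.Guardian] = true
		}
	}
	if len(seen) < id.Threshold {
		return fmt.Errorf("only %d valid approvals, need %d", len(seen), id.Threshold)
	}
	id.Current = newKey
	id.Epoch++
	return nil
}

// NewIdentity builds an identity with n freshly generated guardians and a
// k-of-n recovery rule, returning the guardians' private keys for the demo.
func NewIdentity(n, k int) (*Identity, []ed25519.PrivateKey) {
	owner, _, _ := ed25519.GenerateKey(rand.Reader)
	id := &Identity{Current: owner, Threshold: k}
	var privs []ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		id.Guardians = append(id.Guardians, pub)
		privs = append(privs, priv)
	}
	return id, privs
}

func main() {
	// Constructed demo: 7 guardians, 5 must agree, as in the text.
	id, privs := NewIdentity(7, 5)
	newKey, _, _ := ed25519.GenerateKey(rand.Reader)
	var votes []Approval
	for i := 0; i < 4; i++ {
		votes = append(votes, GuardianApprove(id, i, privs[i], newKey))
	}
	fmt.Println("4 of 7:", Rotate(id, newKey, votes))
	votes = append(votes, GuardianApprove(id, 4, privs[4], newKey))
	fmt.Println("5 of 7:", Rotate(id, newKey, votes))
}
```

The fault-proneness the paragraph mentions shows up directly in the code: the threshold protects against a few guardians being compromised or coerced, but it also means that losing contact with three of seven friends, or a guardian's own key being lost, locks you out of recovery entirely, and the guardian list itself can only be changed by the current key or by the same quorum.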

What’s more, the sheer accumulation of all those attestations in one place could turn that into a single point of failure, and make them more vulnerable to misuse. Right now, immigration officers don’t usually ask for your credit rating, because it isn’t realistic to expect everyone to carry or have access to that information. But in a world where the same technology which tells them “this person is a citizen of Nation X” has the power to inform them, at the same time, of their credit rating … that expectation may change.

It’s possible that unifying identities and attestations in a single place is actually quite undesirable: individuals may theoretically have control over what they share, but in practice they can be put under duress where they have little choice but to surrender it all. It’s not hard to envision a world in which states put you through the equivalent of an IRS audit, and airlines demand all your banking and credit information, which they then use to relentlessly upsell, every time you travel between countries … purely because they can, because doing so has become technically easy, and all your attestations are known to the attesters too, so you must constantly “volunteer” all your data to get anything done.

(You’ll note that people from poor countries applying for visas to rich countries must already go through this kind of invasive in-depth investigation of their personal and financial history. In this future technology would be a great equalizer! …by treating everyone in the same dystopian way.)

In short: decentralized self-sovereign identities are not a panacea, and if not carefully structured, they could even be an accidental boon to authoritarian governments. But their potential is great enough that I’m glad to see more and more companies working on them (particularly Sovrin and uPort; Keybase is doing good work in this area too). Watch this space: I expect a lot of interesting developments in this field over the next few years.