After Facebook, we need a blockchain identity information system
(Author's Profile: Kaliya Young is the founder of the Internet Identity Information Symposium and HumanFirst.Tech. She is also an independent expert in the field of blockchain and identity information systems and has long advised government departments and startups.)
After the data analysis company Cambridge Analytics election scandal was exposed, a "Uninstall Facebook" campaign was launched. Then the question came: "Do we have other options?"
The answer here is not "other social platforms" but another people-oriented, new-generation Internet infrastructure based on open source standards that can carry new ecosystems.
Self-Sovereign Identity allows everyone to regain the benefits of their digital identity information in their own hands. In other words, our level of control over our digital identity rights should be as high as our own control of our own bodies. This is due to the fact that as a human being, no matter what the place of birth, no matter what qualities we have, we have natural dignity.
With the autonomy of identity information, any individual does not rely on third parties, such as Facebook, to issue an identity for them. People can create, own, and control their own identity, and control under what circumstances and with whom.
Under current conditions, we do not own and control our own identity. We are subject to the terms of the other party, be it a company (Google, Facebook, LinkedIn, Twitter, etc.) or a government. The components of these societies can play their part in the ecology of the identity information system, but emerging identity information tools with autonomy will change the state of power imbalances. Large companies or organizations should serve the people rather than the people serving them.
Individuals can collect, store, manage and disclose their own identity information and personal data through the equipment or services they control. This is the direction and ultimate goal of my entire career. I will explain some of the key technical breakthroughs that will jointly promote the realization of autonomy for identity information. These were unthinkable five years ago.
Hierarchical namespace
So far, if you want to create your own identity on the Internet, you can only implement it in a hierarchical namespace.
Specifically, in the current private namespace, you are under the company's terms of service. The company can terminate your digital identity at any time without any reason. You do not have any legal recourse. Whether it is Google's email address, or Twitter, Facebook, LinkedIn, Instagram accounts, almost all sites, as long as you create a user name and password, your identity is controlled under the other's namespace.
Above this level, there is also a global namespace. There are also a lot of namespaces at this level. The two most common are: the IP address system managed by the Internet Assigned Numbers Authority (IANA), and the domain name system managed by ICANN. Together these systems form the name space of the Internet today.
You can buy a domain name from companies like Godaddy, pay $10 to $15 a year, and you have a "namespace" in the global domain name system. It's a bit like you rent a number in a global phone number system through a telephone company.
In the above example, the company is actually renting a namespace. If the company’s payment is overdue for 30 days, or if the domain name is not updated in the next year, this domain name may be leased by others. Finally, individuals establish their own identity in a company-created namespace.
Corresponding to this, another path is to establish a global namespace specifically for identifying real people.
This path is very reasonable. It appeared more than a decade ago but it has not yet been achieved. A company formerly known as OneName, later renamed Cordance, tried to cooperate with Neustar in 2006 to launch the iNames system. In 2013 they renamed the system CloudNames. However, until now, has there been a good soil for the growth of true autonomy in identity information?
Decentralized identity
The first challenge to achieve this goal is to make the identity unique, recognizable, and resolvable across the entire network.
The Distributed Identity (DID) specification developed under the auspices of the Internet Standardization Alliance (W3C) is the basis for all solutions. It lays out the format of the DID and the format of the DID Descriptor (DDO), which contains all the metadata needed to verify ownership of the identity. There are many different types and approaches to distributed identities, but their descriptions follow the same basic framework.
The following introduction is more partial, please forgive me. DDO includes:
Distributed Identification (DID)
Public key list
List of controls for distributed identification (for restoring keys)
Service endpoint list (for interactions). This is the key to creating new tools and services around individuals and placing personally identifiable information under their own control.
Timestamp (for auditing historical data)
Digital signature with private key (ensure fairness)
Distributed ledger
We now have methods for creating unique identities across the entire network. Where can they be stored? How do people access it?
Distributed ledger (also known as 区块链) is a great innovation to achieve this. Computers on the network are kept in sync with one another, maintaining a copy of the mirrored books and databases on numerous machines. Entries in the database are encrypted ("every one to ten minutes, depending on the circumstances") and "archived" so that they are almost impossible to tamper with. Therefore, when you create a distributed identity and store it on the blockchain, no third party can delete it, only you or your agent can update it.
Now that we have a globally-resolved distributed namespace, we need to use cryptographic keys to increase its security.
Public and private keys
How to prove that you have a distributed identity (DID)? The answer is the old-school public key facility (PKI).
For outsiders: Public and private keys are mathematically related two sets of codes. The public key can be made public, and the private key should be kept secret. Only the owner can use it. If I want to send you a message that only you can see, I have to use your public key, my public key, and my private key. These three elements must be present to encrypt this message and send it out. Then, you must have your public and private keys and my public key. These three elements can decrypt this information. This is the infrastructure for all encrypted information channels.
Now we have learned how to establish unique digital control with control and safeguards across the entire network. Next, can we establish a unique identity for each of our relationships with different entities?
Guided identity
In today's poor identity information system, you use the same identity in multiple places, so someone can link all your activities together.
Government-issued uniform IDs are used everywhere, such as the U.S. social security number or India’s Aadhaar number, where there are serious privacy issues that also create significant weaknesses for the system. As long as you understand someone's personal information, you can act as that person. Collecting these personal information is easy, the name and date of birth are public, and the social security number is also widely shared, either through legal means or through black market auctions of hacking trophies.
However, nowadays, with a distributed identity identification (DID) infrastructure, individuals can create unique network-wide identity identities. Through a public key mechanism (PKI), it is possible to make secure information channels between individuals and organizations possible.
If you say that the database of the bank you use has been compromised and your private key is exposed, only this account will be affected. This private key is useless elsewhere - unlike today's social security numbers. The bank can also re-establish new public and private keys and secure connections with you. This technique does not prevent data leakage, but it reduces the impact of data leakage, because each different relationship has its own unique identity, rather than using the same identity in multiple places.
Above I have introduced the underlying infrastructure that is not accessible to users at ordinary times. Next, we talk about how to apply.
Mobile Apps and Cloud Services
In our new system, everyone has hundreds of unique identities for connecting with different people, applications, and service providers. Remembering so many different logos sounds like a nightmare, but luckily, software helps us manage these keys. There will be many companies offering such applications and cloud services, and individuals can choose between different vendors. In addition, people can still delegate data management authority to trusted agents—maybe parents of teenagers, grown children of older people, or someone’s lawyers or accountants. The ultimate control is always in the hands of individuals (or agents). You can change your service provider, just as we get our money from a bank and deposit it in another bank. In this environment setting, we give people the ability to manage many applications in a very safe way.
Verification of information
In the past, verification of any information needed to be verified by the verifier and the source of information in order to verify the authenticity of the information.
For example: If you want to go to the bar for a drink, the bartender will usually look at your driver's license and the date of birth on your driver’s license. But what if it is a digital driver's license? The bartender needs to contact the relevant department that issued the certificate to determine whether the information on the certificate is true. This is precisely what you do not want to see, because in this way, the information source will know all your whereabouts and actions. In other words, there are countless days of the eye watching you.
In another situation, if the proof of the information source is stored in a distributed public ledger, the verifier can confirm the authenticity of the information without contacting the information source.
This is not the most powerful, and the next technology allows us to make information invisible when we verify the information.
Zero knowledge proof
How to prove the authenticity of information without revealing information? Returning to the example above, how can you prove that you are over 21 years of age without revealing your birthday (and other information on your documents, such as name, address, etc.)? Powerful cryptography and math tools can help you.
When you send out a Zero Knowledge Proof (ZKP) message, the verifier can verify the authenticity of the information by verifying the encoding of the information encryption. Then, you can use this certificate to disclose the information you want to disclose to the other party. In this case, the verifier verifies the authenticity of the information, but your information is not completely disclosed and your privacy is protected.
to sum up
When all of these technologies come together, a self-sovereign identity becomes possible. Please note that this term is relatively new. When we started this path 15 years ago, we used to call it a "user-centric identity system."
This kind of open standard facility platform has laid the foundation for a new generation of Internet. A platform like Facebook will become the past. On this new generation of Internet infrastructure, people will have control over their own identity information and connect to application tools and service providers according to their own conditions. The alternative to the next generation of Facebook must be based on an infrastructure with autonomy for identity information.
After the data analysis company Cambridge Analytics election scandal was exposed, a "Uninstall Facebook" campaign was launched. Then the question came: "Do we have other options?"
The answer here is not "other social platforms" but another people-oriented, new-generation Internet infrastructure based on open source standards that can carry new ecosystems.
Self-Sovereign Identity allows everyone to regain the benefits of their digital identity information in their own hands. In other words, our level of control over our digital identity rights should be as high as our own control of our own bodies. This is due to the fact that as a human being, no matter what the place of birth, no matter what qualities we have, we have natural dignity.
With the autonomy of identity information, any individual does not rely on third parties, such as Facebook, to issue an identity for them. People can create, own, and control their own identity, and control under what circumstances and with whom.
Under current conditions, we do not own and control our own identity. We are subject to the terms of the other party, be it a company (Google, Facebook, LinkedIn, Twitter, etc.) or a government. The components of these societies can play their part in the ecology of the identity information system, but emerging identity information tools with autonomy will change the state of power imbalances. Large companies or organizations should serve the people rather than the people serving them.
Individuals can collect, store, manage and disclose their own identity information and personal data through the equipment or services they control. This is the direction and ultimate goal of my entire career. I will explain some of the key technical breakthroughs that will jointly promote the realization of autonomy for identity information. These were unthinkable five years ago.
Hierarchical namespace
So far, if you want to create your own identity on the Internet, you can only implement it in a hierarchical namespace.
Specifically, in the current private namespace, you are under the company's terms of service. The company can terminate your digital identity at any time without any reason. You do not have any legal recourse. Whether it is Google's email address, or Twitter, Facebook, LinkedIn, Instagram accounts, almost all sites, as long as you create a user name and password, your identity is controlled under the other's namespace.
Above this level, there is also a global namespace. There are also a lot of namespaces at this level. The two most common are: the IP address system managed by the Internet Assigned Numbers Authority (IANA), and the domain name system managed by ICANN. Together these systems form the name space of the Internet today.
You can buy a domain name from companies like Godaddy, pay $10 to $15 a year, and you have a "namespace" in the global domain name system. It's a bit like you rent a number in a global phone number system through a telephone company.
In the above example, the company is actually renting a namespace. If the company’s payment is overdue for 30 days, or if the domain name is not updated in the next year, this domain name may be leased by others. Finally, individuals establish their own identity in a company-created namespace.
Corresponding to this, another path is to establish a global namespace specifically for identifying real people.
This path is very reasonable. It appeared more than a decade ago but it has not yet been achieved. A company formerly known as OneName, later renamed Cordance, tried to cooperate with Neustar in 2006 to launch the iNames system. In 2013 they renamed the system CloudNames. However, until now, has there been a good soil for the growth of true autonomy in identity information?
Decentralized identity
The first challenge to achieve this goal is to make the identity unique, recognizable, and resolvable across the entire network.
The Distributed Identity (DID) specification developed under the auspices of the Internet Standardization Alliance (W3C) is the basis for all solutions. It lays out the format of the DID and the format of the DID Descriptor (DDO), which contains all the metadata needed to verify ownership of the identity. There are many different types and approaches to distributed identities, but their descriptions follow the same basic framework.
The following introduction is more partial, please forgive me. DDO includes:
Distributed Identification (DID)
Public key list
List of controls for distributed identification (for restoring keys)
Service endpoint list (for interactions). This is the key to creating new tools and services around individuals and placing personally identifiable information under their own control.
Timestamp (for auditing historical data)
Digital signature with private key (ensure fairness)
Distributed ledger
We now have methods for creating unique identities across the entire network. Where can they be stored? How do people access it?
Distributed ledger (also known as 区块链) is a great innovation to achieve this. Computers on the network are kept in sync with one another, maintaining a copy of the mirrored books and databases on numerous machines. Entries in the database are encrypted ("every one to ten minutes, depending on the circumstances") and "archived" so that they are almost impossible to tamper with. Therefore, when you create a distributed identity and store it on the blockchain, no third party can delete it, only you or your agent can update it.
Now that we have a globally-resolved distributed namespace, we need to use cryptographic keys to increase its security.
Public and private keys
How to prove that you have a distributed identity (DID)? The answer is the old-school public key facility (PKI).
For outsiders: Public and private keys are mathematically related two sets of codes. The public key can be made public, and the private key should be kept secret. Only the owner can use it. If I want to send you a message that only you can see, I have to use your public key, my public key, and my private key. These three elements must be present to encrypt this message and send it out. Then, you must have your public and private keys and my public key. These three elements can decrypt this information. This is the infrastructure for all encrypted information channels.
Now we have learned how to establish unique digital control with control and safeguards across the entire network. Next, can we establish a unique identity for each of our relationships with different entities?
Guided identity
In today's poor identity information system, you use the same identity in multiple places, so someone can link all your activities together.
Government-issued uniform IDs are used everywhere, such as the U.S. social security number or India’s Aadhaar number, where there are serious privacy issues that also create significant weaknesses for the system. As long as you understand someone's personal information, you can act as that person. Collecting these personal information is easy, the name and date of birth are public, and the social security number is also widely shared, either through legal means or through black market auctions of hacking trophies.
However, nowadays, with a distributed identity identification (DID) infrastructure, individuals can create unique network-wide identity identities. Through a public key mechanism (PKI), it is possible to make secure information channels between individuals and organizations possible.
If you say that the database of the bank you use has been compromised and your private key is exposed, only this account will be affected. This private key is useless elsewhere - unlike today's social security numbers. The bank can also re-establish new public and private keys and secure connections with you. This technique does not prevent data leakage, but it reduces the impact of data leakage, because each different relationship has its own unique identity, rather than using the same identity in multiple places.
Above I have introduced the underlying infrastructure that is not accessible to users at ordinary times. Next, we talk about how to apply.
Mobile Apps and Cloud Services
In our new system, everyone has hundreds of unique identities for connecting with different people, applications, and service providers. Remembering so many different logos sounds like a nightmare, but luckily, software helps us manage these keys. There will be many companies offering such applications and cloud services, and individuals can choose between different vendors. In addition, people can still delegate data management authority to trusted agents—maybe parents of teenagers, grown children of older people, or someone’s lawyers or accountants. The ultimate control is always in the hands of individuals (or agents). You can change your service provider, just as we get our money from a bank and deposit it in another bank. In this environment setting, we give people the ability to manage many applications in a very safe way.
Verification of information
In the past, verification of any information needed to be verified by the verifier and the source of information in order to verify the authenticity of the information.
For example: If you want to go to the bar for a drink, the bartender will usually look at your driver's license and the date of birth on your driver’s license. But what if it is a digital driver's license? The bartender needs to contact the relevant department that issued the certificate to determine whether the information on the certificate is true. This is precisely what you do not want to see, because in this way, the information source will know all your whereabouts and actions. In other words, there are countless days of the eye watching you.
In another situation, if the proof of the information source is stored in a distributed public ledger, the verifier can confirm the authenticity of the information without contacting the information source.
This is not the most powerful, and the next technology allows us to make information invisible when we verify the information.
Zero knowledge proof
How to prove the authenticity of information without revealing information? Returning to the example above, how can you prove that you are over 21 years of age without revealing your birthday (and other information on your documents, such as name, address, etc.)? Powerful cryptography and math tools can help you.
When you send out a Zero Knowledge Proof (ZKP) message, the verifier can verify the authenticity of the information by verifying the encoding of the information encryption. Then, you can use this certificate to disclose the information you want to disclose to the other party. In this case, the verifier verifies the authenticity of the information, but your information is not completely disclosed and your privacy is protected.
to sum up
When all of these technologies come together, a self-sovereign identity becomes possible. Please note that this term is relatively new. When we started this path 15 years ago, we used to call it a "user-centric identity system."
This kind of open standard facility platform has laid the foundation for a new generation of Internet. A platform like Facebook will become the past. On this new generation of Internet infrastructure, people will have control over their own identity information and connect to application tools and service providers according to their own conditions. The alternative to the next generation of Facebook must be based on an infrastructure with autonomy for identity information.
