FPR at the Internet Identity Workshop

The Future of Property Rights Program recently attended the 27th Internet Identity Workshop (IIW) in Mountain View, California. The biannual gathering, organized by Phil Windley, Doc Searls, and Kaliya Young, is described as “the largest concentration on the planet of talent dedicated to designing and building identity systems that empower individuals.”

The workshop is an “unconference”: participants create an agenda each morning and then engage in free-flowing discussions. One regular attendee compared IIW to a trading post in the nineteenth-century American West. A multitude of influential thinkers and prominent firms within the digital identity space meet to openly compare notes, examine current trends, and collaborate for change.

Our goal was to connect with these experts and to learn more about digital identity, especially following the release of our report, The Nail Finds a Hammer, on self-sovereign identity (SSI), registries, and property rights. FPR believes that SSI --or a persistent digital identity that is administered by the individual rather than by a central authority-- will have a positive impact on land administration around the world.

FPR will continue to track progress within the digital identity space and plans to write about the ideas explored at IIW well into the future. Below are five insights from the myriad sessions, discussions, and working meals:

FPR is inherently forward-looking and believes that self-sovereign identity will be widely adopted in the future. Within our recent report, we even speculated on the extensive functionality of an SSI solution and its many potential use cases.

While it is certainly exciting to theorize, various participants at IIW emphasized that we are still in the early stages of technological development. The creation of blockchain and advancements in biometrics have only recently brought SSI from concept to reality. Many questions at the workshop centered on the immediate implementation and/or utility of solutions; vendors often responded with an appeal for patience. As one speaker stated: “don’t punish a freshman for not having graduated yet.”

The novelty of SSI also prompted companies, such as Evernym and uPort, to address various myths surrounding the technology. In relation, representatives from another digital identity firm, Civic, emphasized that their behavior model is “proposed” and may evolve as lessons are learned.

Self-sovereign identity and surrounding concepts are complex and nuanced. It is clear from IIW that public education, patience, and design flexibility are all necessary as we move forward.

Given the many issues and controversies related to centralized control of user data, such as the recent Facebook hack, it may be tempting to call for rapid implementation of SSI solutions. However, many ideas circulated at IIW can better be described as incremental steps to self-sovereign identity.

FPR has previously written about the Verifiable Organizations Network in British Columbia. This functional solution was on display at IIW and demonstrates how developers can work towards creation and adoption of an SSI platform. Through use of the provincial corporate registry, the Government of British Columbia created digital identities for businesses and supplemented this ID with “verifiable credentials” --registrations, licenses, and permits. The solution stores this information in a public-facing repository known as “TheOrgBook”; does not require a company to own a digital wallet; and increases efficiency through consolidation and exhibition of trusted information.

In Saskatchewan, the provincial government partnered with the firm Vivvo to create CitizenOne, a digital service delivery platform. Also exhibited at the workshop, this solution “allows individuals the ability to manage their information and the government services they use with one simple profile.” Citizens no longer need to manage multiple accounts to access various e-services, such as social services, health care, and the provincial licensing system. Importantly, the province manages users’ digital wallets.

It could be argued that neither of these examples embody “pure” SSI. Indeed, each government controls and/or stores user data to a certain extent. Yet we believe that these solutions, at the very least, represent progress towards true self-sovereignty.

As a final point, Doc Searls discussed the concept of user-generated privacy policies. Instead of mindlessly agreeing to a website’s “terms and conditions,” individuals could set the boundaries for data collection and internet tracking. Searls and his colleagues at Customer Commons are working to create this set of user terms. Such an idea notably aligns with the SSI design principles of “Consent” and “Transparency” as outlined by Christopher Allen, and serves as another example of the incremental development of self-sovereign identity.

An absorbing component of IIW was the “Demo Hour.” Many concepts within the space are abstract, and the technology is sometimes explained through jargon. It was therefore useful to view and interact with live solutions.

The British Columbian project was a prominent exhibit, demonstrating that the Canadians are important movers in the community. TheOrgBook already contains hundreds of thousands of registered entities, along with credentials, all displayed on a simple platform. A range of companies, from multinational firms to locally-owned businesses, are included.

Another demo, by Markus Sabadello, founder of Danube Tech, displayed a true sense of community, as well as the importance of interoperability. Markus demonstrated a “Universal Resolver,” which enables communication between decentralized identifiers --or DIDs-- situated within different solutions.

A DID is “a scheme with several attributes that uniquely identifies a person, object, or organization.” Each is persistent, secure, and fully owned and controlled by the “DID subject.” Through use of a “Universal Resolver,” anyone can retrieve information about a particular DID, allowing for more widespread formation of user relationships, transactions, data sharing, and messaging across different platforms. Additionally, users will not be vulnerable to vendor lock-in and related exploitation if interoperability is embraced.

FPR also joined an interactive demo conducted by the Sovrin Foundation and Evernym. The session involved downloading the Connect.Me application and collecting digital credentials from the various credential issuers. Once the user received a sufficient amount of these credentials, they were able to approach a credential verifier and digitally prove that they were attending IIW. (For an explanation of credentials, issuers, and verifiers, see our report.)

We previously researched and wrote about all three demos mentioned above. After months of desk research, it was rewarding to speak with the developers and to view the technology at work. The success of the demos strengthened our belief that it is a question of “when,” and not “if,” regarding adoption of SSI.

During previous research, a Caribou Digital report highlighted the dynamic and idiosyncratic identity-related practices in poor Indian communities. Its findings helped us realize that any SSI solution must be flexible and account for a number of different scenarios. Multiple sessions at IIW reinforced this thinking:

• Guardianship: The concept of “guardianship,” or the ability of a trusted party to manage the identity of a vulnerable person, is a prescient design feature. There will always be defenseless individuals, such as sex-trafficked children, the elderly, infants, refugees, or people who are ill. A conversation at IIW led by Bryan Pon produced new questions and nuances regarding the idea. For example, should “guardianship” be designed on a gradient, with an adolescent gaining more responsibility over their digital identity as they age? Or how would a guardian technically and legally transfer a digital identity to an individual? What can a solution do to mitigate against bad actors in a guardian role?
• Roles and Privileges: In most communities, there is turnover in politics, in business, and in civil society. People move jobs, or retire, or force an incumbent out. But what if certain privileges associated with a position of power are digitally connected to a self-sovereign identity? How do you ensure that a retired bank teller cannot continue to access a financial institutions’ intranet? Or that an ex-mayor cannot digitally sign legislation? Somewhat differently, how do you revoke the digital driver’s license of a drunk driver? Timothy Ruff and Rouven Heck provided a thought-provoking answer: a solution could allow credential issuers to automatically “re-issue” particular credentials --perhaps access to an office building-- every day. When an individual is no longer entitled to a privilege, the credential issuer could simply stop “re-issuing” the credential.
• Alternative Worldviews: Many IIW participants hailed from the individualistic West. As a result, Heather Vescent led a discussion on the potential bias of worldview within solution design. The session raised interesting questions regarding the ways in which other cultures might view digital identity. How would a person influenced by Ubuntu --“I am; because of you”-- perceive a highly individualistic SSI platform? Or how would a persistent solution best account for changes in worldview over time? Discussants could not resolve these complex issues in an hour, but all agreed that different worldviews should be taken into consideration while designing a platform.

Companies outside of the digital identity space are increasingly curious about the utility of self-sovereign identity. A conversation at IIW with representatives from a foreign telecommunications firm illustrates how these stakeholders can drive adoption of SSI solutions.

The company is based in an advanced island country with a sparse population; density is 15 people per square kilometer. The domestic telecommunications industry has recently become interested in 5G mobile communications. The speed of 5G is unprecedented and the technology could be widely disruptive. But it is also extremely expensive. No single company can afford to install the hardware for a countrywide network.

The representatives shared that competing firms are considering collaboration to install the 5G network. A major point of contention, however, is ownership of the customer data that will be produced by a functioning system. Each competitor rightly views such a database as an invaluable resource.

Flying thousands of miles to the workshop, these representatives hypothesized that a self-sovereign identity solution could allow consumer data to be stored in a decentralized manner. No telecommunications firm would manage a database. The companies would instead issue a credential allowing access to the shared 5G network that is managed by the user and stored in their digital wallet. Implementation of related microservices is also being considered.

We believe that this instance exhibits how the dynamics of the private sector spur innovation, and it is also a strong example of advanced technology enabling the development and implementation of other advanced technology.

FPR will continue to engage with experts and other stakeholders within the digital identity space, and will report on developments.

Please stay tuned, and if you have thoughts on where we are heading, please let us know at FPR@NewAmerica.org.

bit.ly/FPRatIIWtr