28 Sept 2020 / Tom Demeyer

Identity Management

Introduction

Considering Digital Identity in the context of the public stack, we see the subject represented in all layers, and firmly rooted in the foundation. Identity and its related concepts of ownership, authenticity, anonymity and privacy are an integral part of the foundation on which systems and processes are designed. Some of the most important core values we consider in the digital domain, related for instance to the UDHR, revolve around concepts related to, or requiring a notion of, identity. The very topical questions around self-sovereign identity and data vaults, and current efforts to formalise online IDs from an administrative perspective, are testament to the very active governance discussions around digital identity.

We design for entities that we need to be able to talk about and address and that need to be able to interact amongst themselves. We design for privacy or for access for somebody who has to be defined and addressable in some way. And in our design we consider how much identity we require for the systems under consideration, where a scope from fully anonymous to fully identified is available for every aspect of our design.

In the implementation of technology and services we again see the need for a flexible and nuanced notion of identity, from the hardware layer -- in cryptographic systems you are represented by keys or functions, implemented in a USB dongle or a TPM, for instance, or more fancifully in PUFs -- all the way to the services and application layer where identity is not only a very profitable business case for social media platforms, but also a means of artistic expression for some. Here we’ve arrived at the top of the stack where we, as citizens, currently have only the thinnest thread of control. Designing (for) the public stack aims to correct that and make a truly public online space a possibility.

Identity and authenticity

The process starts in the foundation; this is where we decide what we see as the core values underlying the concept of the public space, how we govern it, sustain it and for whom. Much can and should be said about these topics; in this section we will focus on one specific value and try to follow its implications going up the stack: authenticity.

We engage in the public space; we consume and we produce. We express, communicate, learn, teach, influence or let ourselves simply be entertained. Whether we consume or produce, in essence we engage in a relation. This could be one-on-one or one-to-many, it could be a conscious relation or an implicit one, and it could be real-time or take place across years or decades.

There are occasions where we do not care about the other parties in the relationship, we simply interact. At the same time we may not care for the other(s) to know us, we might want to be anonymous, or maybe our whole purpose is exactly not to be anonymous. Or maybe we have a carefully crafted alternate identity for a specific context. 

It is vital to realise that for all parties involved this is a continuous scale, from fully anonymous to fully identified, and that all positions on this scale fulfil proper and important needs, sometimes needs that have life or death consequences (think of critical journalists in some countries).

Authentication and protocols

If we take a leap of faith and suggest that an online public space can be defined through a set of values, governance rules, design principles and protocols (going up the public stack), we see that in the protocol sphere we can (and should) facilitate this continuum of identification. Through verifiable credentials we can disclose attributes of ourselves which can be tuned to the circumstance with arbitrarily fine granularity. See IRMA for a mature implementation of this approach to authentication.

Currently, these approaches are mostly used or imagined in the context of authentication; i.e. in cases where access to a resource or platform needs to be limited to a specific set of users. A social security number for access to my tax statement form, a verifiable statement of residence for a municipal questionnaire. This approach works well in conjunction with the GDPR data-minimisation requirements, and is an important step in assuring that our digital public space does not become a free-for-all personal data collection opportunity. 

An equally important opportunity the previously mentioned protocols offer is their application to authenticity, both of media and of participants. We live in an era of spam, bots, conspiracy theories, deep fakes and fake news. The social media platforms delete billions of fake accounts as a matter of course, but miss billions more. Spam and phishing mails cost hundreds of millions each year. Clearly, a naive concept of a public space anonymously open to all will face some serious challenges.

Authenticity and reputation

Let's look at the authenticity of participants in practice. As an example of a platform in the online public space, take a health platform that is concerned with some particular ailment. The forum is open to everyone, but participants are potentially labelled as medical professionals, sufferers of the particular affliction or a family member of such. These labels are verifiable, meaning that there is an "authority" that underwrites that particular claim. For doctors this is the health board, for sufferers it may be the hospital or medical specialist, and for family members it would be the patient. This is all arranged at the protocol level and highly automated. The result is that discussions and experiences can be relatively anonymous, but participants can see at a glance (with a visual indication for instance) how to judge and interpret contributions. We do not need real names to participate authentically. Without such a label participants can still join the discussions, but if one of them starts to praise the incredible effects of a particular medicine but is not labelled as a patient or specialist, people will be able to better judge the validity of these claims and maybe suspect commercial motives.

The implications of the use of these technologies need to be considered carefully, however. Naïve (technical, but, more importantly, social) implementations could lead to very undesirable effects. As an example, let's take a look at a non-platform-specific quality in dire need of authenticity: reputation.

We might be familiar with the troublesome ratings mechanisms of hotels, restaurants or online retail platforms' product reviews. These are highly manipulable and can cause businesses severe headaches or worse, apart from potentially misleading customers or clients. 

But, more relevant to the current subject, people also carry a reputation as part of their identity. Operationalised reputation is very important, for instance, for a worker in the 'gig' economy where it has a direct impact on the availability of work and income (Temper, Uber), but also in a more general sense, as a car-sharing user, an Airbnb guest or host, or as an expert on a technical forum such as stackoverflow.com.

There is no question that it would be very useful if reputation (both of businesses and people) could be trusted to be authentic, and personal reputation could be made portable across platforms. A trustworthy and careful Airbnb guest may be relied upon to also take good care of the car you share with them. News items written by a peer-rated anonymous journalist might be taken more seriously than any old posting online.

Even though these ideas are about people substantiating claims they make about themselves (as opposed to the Chinese social credit system where claims about you are made by others - the state), the social effects could be similarly undesirable when generalised high reputation scores become a requirement for social participation. Careful research, discussion and design need to lead to both social and technical (protocol-level) implementations and schemas that will make it robust against these sorts of effects and abuse.

Verifiability 

Lastly, a public space is not only populated by people, businesses and systems, but also with data and media. Somewhat related to the previous topic of reputation, media is produced or data collected by someone, and with a purpose. Then it is shared, adapted, changed or manipulated (or not), by someone else and again with a purpose. 

Until the advent of 'social' media and the internet in general, the medium carried (and still does) the reputation, and provided a certain context. An item in a tabloid would be read in a different frame of mind than an article in a 'quality' newspaper or an item on BBC news. As the source of messages (and data) becomes more diffuse, the context in which they are to be consumed is lost as well. This confusion has traditionally been exploited, of course, by the advertising industry, where a message is presented with a particular frame of reference (e.g. scientific, or 'young happy people') instead of the objective one of the business that needs to sell a product.

Digitally signing a message has been possible for a long time. This would let anybody know from whom the message originates. That is less relevant in the context of commercials, as we know the message comes from the manufacturer of the toothpaste, but more so in the current era of politically motivated (dis)information and deep fakes. What we lack is an infrastructure to do so, and to do so with the needed granularity and the needed safeguards for privacy.

We do not need a full-disclosure identity for all media at all times; when we can sign our messages with certain attributes this can already go a long way towards interpreting them in the right frame of reference. When we know (verifiably) that the item comes from a peer-accredited critical journalist-blogger, we do not need to know the name, especially not when she is working in a dangerous environment. The verifiable tag 'Dutch national' helps fight fake accounts on social media, as does the tag 'medical professional' in qualifying contributions on an online forum. The approach is the same as the one needed for the earlier mentioned verifiable credentials; the infrastructure and user-level design challenges are huge, but first steps have been taken.
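The sketch below is an added example, not code from the article or from IRMA: it shows one way a message can carry a verifiable tag such as 'medical professional' without revealing the author's name. It assumes Ed25519 signatures and salted-hash commitments as a simple stand-in for a real attribute-based credential scheme, and all function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Assumptions: hypothetical names; salted hashes stand in for a real credential scheme.
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
const commit = (name, value, salt) => sha256(JSON.stringify([salt, name, value]));
const sign = (data, key) => nodeCrypto.sign(null, Buffer.from(data), key).toString('base64');
const valid = (data, key, sig) =>
  nodeCrypto.verify(null, Buffer.from(data), key, Buffer.from(sig, 'base64'));

// Issuer (e.g. a health board) signs salted digests of the attributes plus the
// holder's public key; the attribute values themselves are not in the credential.
function issueCredential(issuerKey, holderPub, attributes) {
  const secrets = {}, digests = [];
  for (const [name, value] of Object.entries(attributes)) {
    const salt = nodeCrypto.randomBytes(16).toString('hex');
    secrets[name] = { name, value, salt };
    digests.push(commit(name, value, salt));
  }
  const holder = holderPub.export({ type: 'spki', format: 'pem' });
  const body = JSON.stringify({ holder, digests: digests.sort() });
  return { credential: { body, issuerSig: sign(body, issuerKey) }, secrets };
}

// Holder signs a message and reveals only the attributes named in `reveal`.
function signMessage(holderKey, issued, message, reveal) {
  const disclosed = reveal.map((name) => issued.secrets[name]);
  const payload = JSON.stringify({ message, disclosed });
  return { payload, holderSig: sign(payload, holderKey), credential: issued.credential };
}

// Verifier returns the verified tags, or null if any check fails.
function verifyMessage(issuerPub, signed) {
  const { body, issuerSig } = signed.credential;
  if (!valid(body, issuerPub, issuerSig)) return null;          // credential forged?
  const { holder, digests } = JSON.parse(body);
  if (!valid(signed.payload, nodeCrypto.createPublicKey(holder), signed.holderSig)) return null;
  const tags = {};
  for (const { name, value, salt } of JSON.parse(signed.payload).disclosed) {
    if (!digests.includes(commit(name, value, salt))) return null; // tag not issued
    tags[name] = value;
  }
  return tags;
}

// Constructed sample: keys are generated on the spot, names and text are made up.
const issuer = nodeCrypto.generateKeyPairSync('ed25519');
const holder = nodeCrypto.generateKeyPairSync('ed25519');
const issued = issueCredential(issuer.privateKey, holder.publicKey, { profession: 'medical professional', name: 'A. Example' });
const post = signMessage(holder.privateKey, issued, 'This treatment worked for my patients.', ['profession']);
console.log(verifyMessage(issuer.publicKey, post));
```

Unlike the attribute-based credentials the article refers to, this stand-in reuses the same digests and issuer signature in every message, so two posts by the same holder can be linked to each other.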

We cannot expect or require all media to be tagged or signed, but we do know that untagged messages are just that, and can then read or watch them as such.

Although we cannot be too optimistic in the knowledge of state-level meddling, we can hope that verifiable 'tags' on media are a start towards more confidence as regards the provenance of media and data and the frame in which to interpret them.
