Identity Review | Global Tech Think Tank
Keep up with the digital identity landscape.
Web3 critically examines various ownership models and decentralization of content, data, and personal information systems. Operating in a permissionless ecosystem while empowering users requires a fundamental rethink of digital identity. In a world where privacy concerns have dramatically increased, many are turning to web3 for digital identity solutions.
Identity companies and solution-buyers and decision makers should take into consideration the functionality of the digital identity system as well as the long-term effects on privacy. This requires a nuanced view of digital identity solutions for web3 especially as they relate to privacy.
Digital identity solutions have to support regulated, compliant services. User’s digital identity must work equally well in both environments, web2 and web3, because regulatory obligations are not about to change soon. For example, regulatory obligations within the financial services industry include basic data sharing (KYC), data retention, and data verification. If these sound like web2 requirements, it is because they are and they will continue to be relevant for future platforms that are eager to make the bridge into web3.
Digital identity must serve the needs of users first and foremost and support their rights to privacy by enabling the reduction of data sharing. This also implies the requirement for full transparency of how and where personal data is stored, used, and reshared.
The biggest obstacle to adoption of identity solutions is utility and usability. A high-friction process will discourage even the most loyal of customers. In today’s world, permission to identify, verify, and authenticate is requested by centralized identity custodians – web3 must be able to disintermediate this all while adding equal if not more value. What will definitely have no chances of long term adoption is a web3 solution that fails to earn user’s trust for privacy preservation.
A government approach to protecting user’s privacy is a flurry of personal data protection regulations around the world. 60+ privacy laws in the United States alone are either already signed or are making their way through the legislative process as of the writing of this article. Needless to say, compliance with these laws will be obligatory and rather burdensome. Originally intended to increase capital efficiency of economic processes, these laws will have the unintended consequences of numerous litigations that are sure to spring up.
Regulatory obligations and credentialed access to services require that identity information is available on demand so that user’s involvement is not required. One example is submission of a suspicious activity report (SAR) in traditional finance where the user’s KYC information is used. Access to user’s data must be agreed upon a priori so as not to depend on user’s additional permissions to share required data. In fact, submissions of the SAR must be made in strict confidence without alerting the user. Similarly, service access conditioned on proof of certain claims about a user’s identity must be able to attest these claims without asking for the user’s permission. After all, some services should be able to function seamlessly 24/7, making it impractical to request user’s permission each time.
One may be excused for quickly jumping to self-sovereign identity (SSI) as the answer for web3. Certainly, the tenets of web3 align very well with the manifesto of SSI: control, consent, interoperability, transparency, minimization of data sharing, privacy preservation, etc.
If the user is the sole owner of their data, compliance with data privacy laws will be made simple. Imagine a smiling CISO claiming their service does not store any of the user’s data.
Yet to date, the pure SSI user experience leaves much to be desired. In part, there is too much responsibility for managing your own information due to such a high cost of identity loss. There are too many actions to connect, approve, and present proofs, all while requiring a healthy amount of technical acumen.
SSI solutions are impractical, in their purest form, for applications to regulated ecosystems. User’s data must be retained and shared with law enforcement to prevent fraud and abuse. Going even further, law enforcement officials are ready to dismiss pure SSI platforms without giving them much thought. Regulated entities still must collect KYC information and store it due to their data retention obligation. Even distributed financial applications will most likely be subject to such requirements in the future. We shall see if this prediction holds.
Still, SSI is a great starting point.
Another potentially dangerous (for privacy) type of digital identity is a purely distributed one where identity claims are assured on a blockchain.
The most obvious argument against keeping encrypted personal data on a public immutable ledger is the threat of future advanced decryption methods. The second argument is the technical inability of such platforms to comply with user’s right to be forgotten.
Moving to less obvious implications, consider the use of distributed ledgers to store immutable, provable assurances that the data belongs to a certain user. Not the data itself but its ownership may be attributed to a specific, even if anonymizing, identity wallet. In this case, privacy preservation is only as strong as the weakest link securing the association of the identity wallet with a specific permissioned service. Coupled with the revealing nature of some credential schemas, privacy shredding is a real threat.
For example, consider an identity wallet W which holds a medical test result credential. Without central authority to assure standardization of credential schemas, another, more revealing credential may be offered and accepted by a user from a 3d party: “STD test results”. An identity wallet W thus holds “STD test results”. A hack of an NFT auction service leveraging this identity solution may connect one John Doe to the identity wallet W. You get the point.
Not convinced this information is privacy shredding for John? What if the same wallet holds credentials “Sanctions list clearance”, “Enhanced screening clearance”, “Special interest list clearance” but not “Politically exposed person clearance”. Deduction: John is a public political figure. Even without association of John to wallet W, a combination of credentials he has or doesn’t have may be privacy shredding. Without a way to exercise the right to be forgotten, John will regret setting up his distributed digital identity just to buy that one NFT at an auction.
Digital identity solutions can be one or more of the following: distributed, decentralized, self-sovereign, custodial, and or trustless – just to name a few options. Each of these comes with its own set of benefits and pitfalls and not only due to implications of privacy.
The starting point for a web3 digital identity is definitely SSI but with a caveat and, I hope the purists will forgive me, certain improvements.
Imagine a self-sovereign identity platform with more user friendly recovery of a private key compensated by stronger authentication measures to prevent account takeover.
Imagine a self-sovereign identity platform with more oversight over who can issue credentials in order to protect users from accepting potentially privacy shredding credential offers.
Imagine a self sovereign identity platform that does not store proofs on an immutable ledger. Instead it enables selective sharing of credentials through a standalone vault minimizing the necessity to download the data.
Imagine a self sovereign identity platform that lets the holders track all interactions with the verifiers to easily exercise their rights to be forgotten.
But most importantly, imagine a future where we own our own identities, our privacy, our information and who gets to see it. What a novel concept. “You may say I’m a dreamer but I’m not the only one.”
There are various solutions to digital identity for web3. Each presents its own set of challenges with respect to the user’s privacy preservation. A purist approach will not solve for all requirements of web3 identity but a hybrid approach, with emphasis on practical privacy preservation, may just offer hope of the kind of future of the internet that web3 promises.
ABOUT THE AUTHOR
Vadim Slavin is an experienced technology leader, investor, writer, and a published research scientist. Vadim managed R&D teams in machine learning and reasoning (military intelligence analysis), marketplaces and consumer experience (luxury segment), and FinTech (compliance and identity verification) domains. A mentor/advisor to startups in his spare time, Vadim is now a Technical Evangelist at GlobaliD, an identity management company.