033 On Decentralized Identity. Landscape

Part 1: On Decentralized Identity. Prequel.

In web3, we don’t as easily accept this reality. But the truth is, while we embrace the ideology of decentralization, we have not adopted decentralized identity. We have gotten comfortable with the status quo. Why? Because decentralized identity is hard, and a tradeoff not many want to make.

Fractal ID's founder, three weeks after they got hacked and 0.5% of their users were compromised.

Fractal ID is in the business of KYCing people, making sure they are who they say they are. A common practice to prevent fraud and money laundering, but a thorn in the side of crypto people. The status quo in the KYC industry is for a company to centrally store customer information. It's the same practice as for user-centric identities, the system we are all familiar with and use when we sign in with LinkedIn, Twitter, Google etc. Your identity credentials are stored centrally. That means the KYC and sign-in solutions we're used to are not fully decentralized.

The status quo on the user side is giving away data without wondering what happens with it. Quest platforms give you extra points for connecting your socials, DAOs ask you to connect your wallet to your Discord username. You can also connect your ENS name, which of course is tied to a wallet, to your socials. Boom, you created a link between the tokens you hold and your off-chain identity.

Over time, too many people became fed up with the status quo. That's the phase we are in right now.

This piece will stay close to the technical concept of decentralized (or digital) identity. Of course, digital identities are, just like our analogue identities, multi-dimensional. And that might be the key idea to latch on to: you are the only person in control of all of your analogue identities, so why shouldn't it be the same for your digital ones?

DiD's logo pieces

The term decentralized identifier system encompasses three principles:

Principle 1: Identifiers are the core product. An identifier is the label given to a specific entity or object. This label follows a specific encoding process. Just look at your wallet address. That's an identifier following specific rules about its length, combination of letters and numbers etc. Even the name on your passport is an identifier that follows rules of your birth country or ethnicity. Or the whims of your parents. The general format for a DiD is [scheme]:[DiD method]:[DiD method-specific identifier]. Here is an example of Verida's DiDs: did:vda:mainnet:0xAC402a31E48075C2778B228Fe9fE8Cd145434261

Principle 2: The core product (the identifier) is decentralized. Decentralization, crypto's favorite child, in the context of identifiers means that the attestation and verification of an identity is solely in the hands of the entity that controls the identifier and not reliant on a third (central) party.

Principle 3: DiDs follow standards, linking a DiD to a DiD document. The DiD document lists the DiD subject and the authentication mechanisms.

source: Curity.io

Identifiers, decentralization, and standards are high level concepts. Going a level deeper, there's even more.

  1. The DiD subject. That's you: the entity described in the DiD document.

  2. The issuer of an identity. This can be an employer, university, or app. They have personal information about a person, like school or medical records, financial transactions, health records, or reading history.

  3. The verifier. This is an entity, person or company, that needs to verify something about a user.

  4. DiD controller: That's the entity managing the DiD document. They hold the cryptographic keys. This can be the same as the DiD subject, or an entity designated by the DiD subject to manage the DiD.

Here is a super-simple example, courtesy of ChatGPT:

DiD subject: Alice, as she is the entity the DiD represents.

DiD Controller: Alice herself, if she manages her own DiD document, or it could be an identity management service Alice uses.

Identity Issuer: The university that issues Alice a digital diploma.

Identity Verifier: A potential employer verifying Alice's digital diploma during a job application process.

How these parties interact with each other, and most importantly who automatically trusts whom, is what sets a decentralized system apart from a centralized system. In a centralized system there is bi-directional trust between the issuer and the verifier. The issuer (e.g., university) knows and trusts the verifier (e.g., employer), and in the same way, the verifier knows and trusts the issuer.

Most of us, even those big on decentralization, have used some centralized identity system at some point in our lives. Don't feel bad, it's tempting to reduce complexity by using single sign-on services. For my biggest client, I'm pushed to use it. I sign into Zoom using the university-issued identity, and Zoom knows the name of my employer. Everything is tied together and I have no control over who has access to what part of my online identity.

In a decentralized system the verifier (e.g., employer) will trust the issuer of the identity (e.g., university), but the issuer might never know who the verifier is. Also, which parts of your identity you reveal can be more tightly controlled. When you show your passport or ID document to prove your age, you show your full date of birth, your gender, address and so on. Most of it isn't necessary to prove that you are old enough to drink. With DiDs, the user controls which shards of their online identity, provided by issuers, they give verifiers access to. The result is a kaleidoscope of identities.

Imagine this: you are applying for a university degree. You might be pressured by your parents, or not yet ready to be responsible. Or you just love learning. The verifier is the university. The issuer is your high school. What information about you should the verifier, aka the university, have access to? Your grades? Your gender? Your age? Your location? A typical high-school or university degree goes way beyond your grades.

What you can do with your DiD

For those of humanity who don't mind giving away their digital lives, the pertinent question is "What can you do with your decentralized identity?" Keep in mind that most DiD solutions transfer ownership, and with it responsibility, to the user aka owner. Of course, for many people in web3 this is the main selling point, but for others this just sounds like a pain in the neck, making life unnecessarily more complex...

From a user perspective, what you can do with a DiD isn't that much different than with a centralized identity. You can authenticate yourself, prove that you are you and gain access to products and services. When all is well, companies behave ethically, and you can trust your government in all aspects, DiDs don't provide a real benefit.

But you're delusional for believing that all is well and for trusting companies, universities, schools and governments in all aspects. Say or do something and suddenly you find yourself cut off from a service. Losing access to Twitter is trivial compared to being debanked. Both dangers are real with a centralized identity. Of course, you could also just say nothing and do nothing that angers those in power.

Existing DiD providers and their user benefits

DiD solutions are used by entities for the KYC (know your customer) process, a process put in place to guard against money laundering. Open any centralized bank account, and you'll go through KYC. Get a grant from a large ecosystem, and you'll go through KYC. For some this is inexcusable, and they proclaim that the only true web3 way to get tokens is through a DEX or mining. For those, if KYC is involved, it's not web3.

For the rest of us, who (in)voluntarily live with at least one foot in the current system, DiD solutions have two benefits: providing privacy while proving some private and identifiable information to an entity, and proving how much of a human you are. Building on these two DiD benefits is turning your digital twin into a money-making machine.

The point of the following paragraphs is not to provide an exhaustive list of solutions, but to highlight which facet of the digital identity problem they claim to be solving.

Privacy first

When I was a teen, my father proudly proclaimed that having a Facebook account is akin to having an open house, 24/7. He changed his mind years later, realizing that via Facebook he could tap into online communities that didn't exist offline. But his security and privacy mindset remains uncommon. No mobile banking. No accessing private information while on a public wifi.

For those people whose privacy and security mindset is constantly on hyper-alert, digital driver's licenses are zombies rising from the marshlands. But what if it's a DiD? California used SpruceID to create digital driver's licenses, while Daimler used Ontology to create Welcome Home accounts for drivers. In both cases, privacy was important. California's driver's license can be used at airports for identity verification, showing only the information needed (name, gender, date of birth, photo). Users' Welcome Home profiles can be ported to another Daimler car, and users can gain access to third-party applications through verification while remaining anonymous after the service is completed.

Fractal ID, a KYC provider branded as web3's identity provider, uses OAuth2, a widely available protocol for user authentication, authorization and resource retrieval. This might change with Fractal ID's move towards fully decentralized data storage. After a data breach, the team decided to move completely away from centralized storage of user data. Of course they could have used decentralized storage when they started in 2017 (Filecoin was funded in 2014), but centralized storage solutions are the norm in the KYC industry and using known processes helps young companies get started.

SpruceID is another solution prominent in the web3 space. It is used for Tezos DiDs. Tezos also partnered with Mailchain so that users can move away from web2 email providers. SpruceID is not in the KYC business. They offer developers the tools to build a decentralized identity using W3C verified identity standards. They also include support for mobile driver's licenses (mobile identity) and a way to cryptographically verify an identity using Rebase.

Another privacy-first solution is Privado.iD (previously PolygonID). Polygon made a big bet on zero-knowledge (zk) proofs, and an identity solution that includes these types of proofs just makes sense. With a zero-knowledge proof, users are able to prove their identity, or part of it, without showing the verifier (the entity who wants to check if a person is truly who they say they are) the underlying information. For a long time, these proofs were computationally too expensive, aka they took too long. If you are thinking "But I have nothing to hide, I can show them the raw information", then consider yourself privileged to live in a part of the world where you don't have to fear any institution. Or maybe you are too naïve and believe in the goodwill of humanity...

Aaaanyway, Privado.iD is fully compliant with W3C standards and in this way similar to SpruceID. Both offer ways to create and manage a decentralized identity. As Privado.iD has been developed by Polygon, it's onchain-first, whereas SpruceID's main selling point is verifying existing identities in a decentralized way. Onchain-first is shorthand for a set of integrated tools (smart contracts, blockchains, modularity, interoperability) and the belief that "owning things onchain" is worth it.

While SpruceID has been integrated by Tezos, Privado.iD has been integrated into the Verida wallet, a wallet already integrated with the NEAR protocol. Of course Privado.iD isn't the only solution that uses zk proofs. So does Sismo. With Sismo, users can create a data vault consisting of web3 (Ethereum) and web2 (GitHub, Twitter, Telegram) identities.

Interestingly, Galxe also uses zk proofs in its identity protocol. For me, Galxe is a platform that lets you generate low-quality, superficial tasks to create unsustainable, inorganic ecosystem growth. This is based on my early interactions with the platform. But they might have moved on. Their move into being an identity provider with a reputation score makes sense, as they already collected private web2 account information as part of their quest platform.

And then there is IOTA, an open, feeless, scalable distributed ledger. It uses a Proof of Authority (PoA) coordinator consensus mechanism run by six entities since IOTA mainnet (October 2023). Yes, I know what you are thinking. The animation, taken from their documentation, doesn't help form a different picture, but now we will park this thought and focus solely on identity. So scroll up and hide the all-seeing eye.

IOTA PoA

That being said, IOTA holds a strong point of view about centralized DLTs. A DLT is a "database system that enables the peer-to-peer transfer and recording of digital assets. Each transaction within a DLT is recorded in a distributed ledger, which is maintained across all network nodes." Sounds familiar? According to IOTA, a centralized DLT is any blockchain that is controlled through an "oligopoly of block-producing validators" or requires "high-powered and prohibitively expensive hardware" to run a node. You can spot these centralized blockchains by the extent to which "Maximal Extractable Value (MEV) dominates Decentralized Finance (DeFi)" (source).

Where IOTA differs from the other identity providers is that a decentralized wallet can be created for a person, an organization, or things and objects. Like other providers, they follow the W3C standards for DiDs. I was not able to figure out how the DiDs for people, organizations and things differ. It seems to be more of a philosophical stance that non-persons can also have a decentralized identity.

Most identity solutions focus on verifying a customer or person, or in some other way proving the human-ness of an online entity. IOTA makes the point that with the massive number of objects connected to the internet, it is necessary for objects to verify their capabilities. That gives humans the peace of mind that these objects have been built to specification. It reminded me of a display in the Spy Museum in Berlin showcasing how smart products help entities collect information about humans. Tools as spies.

In Europe we might see more of IOTA, as it has been chosen to participate in the European Commission's Blockchain Sandbox.

Finally, as I'm talking about privacy, I should mention Oasis Protocol. It's not a digital identity solution per se. It's a confidential, aka privacy-first, blockchain. In this network, data is processed in a trusted execution environment: sort of a black box within the application that decrypts, processes, and re-encrypts the data. This black-box setup makes it ideal for decentralized AI, improving AI models without compromising privacy. When interacting with AI, you normally add some very specific context, like the prompt itself or context about your problem. Normally, all this will be added to the AI model for future training. With Oasis Protocol, this type of private information will remain private. That means the (decentralized) agents will have "private thoughts".

How human are you?

Scanning the DiD providers, it's hard to disentangle a digital identity from some form of scoring of what that digital identity is worth to others. Humans seem to be inexplicably drawn to leaderboards and rankings of humans. And of course there is the fear of bots, as interacting with a bot is perceived to be a false or inhumane interaction.

Funnily, grading by a bot is perceived to be fair if the student is happy with the grade, but unfair if, you guessed it, the student is not happy with the grade. I saw this research a good ten years ago and our sentiment towards interacting with the robots we create hasn't changed much. Pick up "Do Androids Dream of Electric Sheep?" by Philip K. Dick. A great exploration of the humanity of androids, and what could set humans and androids apart.

Of course, the most well-known web3 product that certifies a person's humanity is Gitcoin Passport. Connect dapps to increase your score. If you like it, reach out to me. Keen to hear another side of the story.

Orange Protocol provides a more interesting approach to scoring humanity. A user can select the data model that will be the basis for their reputation. Now, the user flow could be improved, but that's a recurrent criticism of web3 products. The point is that Orange Protocol prioritizes users' choice in what data to use to create their humanity score. Now, this user agency flies out of the window if a company requires certain data sources to be included in the calculation.

And then there is the Galxe score, a multifaceted reputation score of web3 users. 🤔

Money-making digital twin

You must have heard it before: "if the product is free, you are the product". The notion is that web2 companies like Facebook, Google, Instagram and so on are making money off your data. Your interactions on these platforms are a treasure trove of behavioral data that can be sold to other companies to help them sell better. Because knowing your customer's descriptive information (age, gender and so on) isn't enough. To really sell successfully, companies need to know your deepest desires, those that you hesitate to express out loud. (Un)fortunately, these are revealed unconsciously through our interactions on social platforms: when we log in, with whom we interact, what we like, when we stop scrolling, when we log off.

There's Camp, which lets users create a digital passport aggregating their web2 data. For what purpose isn't clear, but why not sell it to a company. Data is stored using IPFS. Of course, the data is encrypted, and a verification that the data exists is posted on the network. The project is early, and user benefits aren't more explicit than creating on-chain value from off-chain entertainment.

This sounds similar to Itheum, which creates streaming NFTs so that you can rent out your data to companies. Itheum sees itself as a data broker, not as an identity provider. The user is responsible for creating data files and sharing them as a data NFT. As part of the data landscape, they partner with data coalitions for specific use cases (e.g., health, gaming), increasing users' bargaining power to get more bucks for their bytes.

But why

It's a marketplace. We want to own stuff, and show people the stuff we own. Ownership of assets has always been a marker of social status. Over time, the specific items you needed to own to be part of a social group changed, but the principle remained: what you own defines you. It's no surprise that companies and communities want to discover the ins and outs of their members. That's why human scoring methods pop up like mushrooms. Organizations want to interact with real humans, preventing Sybil attacks from bot farms or some poor dude in Thailand. There is a disdain for human-to-bot interaction, and human-to-human contact is put on a pedestal it doesn't always deserve (google "brain rot").

That's one side of the marketplace: organizations really wanting to know their customers, of course in the name of safety. The other side is humans wanting to own stuff.

source

The advantage of owning stuff online is that you can bring it with you. Have you ever moved houses and looked at your book collection? Too heavy to take with you, but too close to your heart to throw away? That's why I moved from paper books to Kindle, even though the experience is subpar. I want to own the books and bring them with me.

To own stuff online and share it with others or show it off you need a digital place to store them. A digital identity, or a multitude of digital identities is the logical consequence of owning stuff online.

Next step is the metaverse
