The past months have been a whirlwind of scandals, Zuckerberg testimony, and Twitter discussion about privacy online and the prospects for competitors to the major internet platforms. Much of the conversation on competition has centered on the prospects for data portability and standardized interoperability, to make it easier for users of one social network to pull up stakes and move to another and bring their data and access to their friends with them. But there’s another important issue that is impacted by Facebook’s domination which is getting less focus: identity.

The modern world bombards people with endless demands to prove some form of identity. The 21st-century bureaucratic state and life online both require it. You have to prove that you’re over 21, that you actually went to college, or that you have an account at mydogclimbstrees.club (or, more likely these days, Facebook or Google). All of these identities overlap, are sometimes interrelated, and are accurate to varying degrees. None of them belong to you. None of them ARE you.

Government-issued identities such as driver’s licenses and passports (and institutional ones such as college IDs) may sit in your wallet or purse, but they belong to the issuer, not to you, and can be revoked; how much protection you have against that depends on where you live and where you’re from. Someone convicted of driving drunk in the United States could have their driver’s license taken away. If you’re a Syrian refugee, the government that issued your credential may no longer exist. Or may want you dead. Or you may simply not have grabbed the right papers in your flight from your home. The fact that the security of a person’s identity, such a fundamental aspect of being a conscious entity, turns on the grace of whatever government ruled the plot of land on which you were born should strike us as Kafkaesque.

Online, we derive our identity from the services where we have held accounts forever. This can take the form of an email address and a password for authentication, but that model leads to reused passwords and serious trouble whenever any one website suffers a data breach. The other common form is logging in to a new website with a Facebook or Google account. This removes the per-site password, but creates new problems of its own. We don’t control these identities any more than the ones created by governments, and a single provider becomes the point of failure for every site that relies on it. In fact, the ways in which our online IDs can be revoked are even more arbitrary than the governmental ones. The web is full of stories of people who have violated some esoteric clause of Facebook’s Terms of Service and had their account shuttered, leaving them unable to log in to a multitude of other websites that all use Facebook for authentication. If we are worried about the control that the large internet platforms have over our data, it might be time to start worrying about our identities too.

What’s the alternative?

Decentralized Identity

Decentralized identity, also sometimes called “self-sovereign” identity, is built on decentralized identifiers (DIDs): identifiers that are created and maintained by the person they represent. A DID says about her what she wishes to say and cannot be revoked by any outside force, though, like anything secured by cryptographic keys, it can be lost along with the keys that control it. Some DIDs may be temporary or anonymous. Others will be permanent, strongly attached to a single person and carried throughout a lifetime. A DID may have attached to it any number of what we call “verifiable claims”: statements about the person the DID represents that anyone can check cryptographically. For example, a university might issue a verifiable claim to its graduates when they earn a degree. A government might issue a verifiable claim about a DID asserting that the subject can drive a car or is over 21 years of age. DIDs are not limited to people either; other entities such as corporations, collectives, and governments are all likely to have uses for a DID.

A DID itself is simply a short string. It acts as an address, just as a web URL does. Here’s one: did:ipid:QmYA7p467t4BGgBL4NmyHtsXMoPrYH9b3kSG6dbgFYskJm. That string is me. I control the document it points to. Let’s take it piece by piece. The did prefix is the URI scheme, just as http is for the web. The next portion, ipid in my example, names a DID method. The method determines where and how the identity document is stored and looked up: it might be the Bitcoin blockchain, the Sovrin identity service, or, in this case, the IPFS distributed file system. The remainder, QmYA7p467t4BGgBL4NmyHtsXMoPrYH9b3kSG6dbgFYskJm, is the method-specific identifier, which the method uses to locate the document.

The DID itself is a pointer, just like a URL. The document it points to is called a DID Document. It can be retrieved from whichever system the DID method refers to, and it describes the entity in more detail. Here’s mine:

{
    "@context": "https://w3id.org/did/v1",
    "id": "did:ipid:QmYA7p467t4BGgBL4NmyHtsXMoPrYH9b3kSG6dbgFYskJm",
    "publicKey": [{
        "id": "did:ipid:QmYA7p467t4BGgBL4NmyHtsXMoPrYH9b3kSG6dbgFYskJm#keys-1",
        "type": "RsaVerificationKey2018",
        "owner": "did:ipid:QmYA7p467t4BGgBL4NmyHtsXMoPrYH9b3kSG6dbgFYskJm",
        "expires": "2019-02-26T00:00:00Z",
        "publicKeyPem": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGSZo4AuXQLsxcwiY1c5x5R+jxANXAVYaZ95zhc93Y+Tpi+7Ji6XZJ5wLBaJ9mJcUXYoTcKNWRvG6NsSvUSmJUmzJfFnBBS2AuDD0NRWb0elMGiPqUmOeG4/aEhkVXwNFja7+YyWhoMykZ6lBn+2j9zYE6XhaSEm+qxbS8ngGMEmRFEhbhTPsOjsrrSlqUdA3XQRBYY395f5DXMdF2VovnyeM+gZmF9W4lSOKqqIIyyWnbVi9y5wwiow9n3R0OEL4xBzSstaQwVqNVtyPxtZvrLq9eDwgFxR4D58KQc3qqnpiJ8fLWSiSgnfuSzGmYxFZWvXFgFdL3pgQR9VmQRMZwIDAQAB-----END PUBLIC KEY-----"
    }],
    "authentication": [{
        "type": "RsaVerification2018",
        "publicKey": "did:ipid:QmYA7p467t4BGgBL4NmyHtsXMoPrYH9b3kSG6dbgFYskJm#keys-1"
    }],
    "service": [{
        "type": "SocialWebInboxService",
        "serviceEndpoint": "https://social.rbs.io/users/ross/inbox"
    }],
    "created": "2018-04-02T00:17:39Z"
}

That’s a lot to take in, but that’s ok. A DID Document isn’t necessarily meant to be read by people (though it can be) but to be meaningful to machines. Folks who work in web development will immediately recognize this as JSON (more precisely JSON-LD, which is what the @context field signals). What does this one say about me?

First, it confirms via the id field that this document belongs to the DID we were talking about above. Anyone resolving a DID should check that the two match; a document whose id differs from the DID that was resolved should not be trusted.

Secondly, it announces my public key by embedding a PEM representation of it in the document. The key’s type, RsaVerificationKey2018, marks it as a key for verifying signatures, and the authentication section tells the world that anyone who wants to authenticate someone claiming to be me can ask that person to sign something and check the signature against this key. The key also carries an expires date; a verifier should refuse a key whose date has passed. This syntax is extensible so that future methods of authentication, such as biometrics, can fit in easily.

This DID Document next lists a service endpoint affiliated with me. In this case, it’s my Mastodon social web inbox, but it could just as easily be a Matrix ID or just an email address. Finally, DID Documents can also carry timestamps showing when they were created and when they were last updated; mine has only the created one so far.

Astute readers will notice that, apart from my social web inbox URL, which happens to (but doesn’t have to) contain my name, the strings Ross and Schulman don’t appear anywhere in that document. That’s by design. Since many DID methods publish the entire DID Document, and a blockchain-backed method does so publicly and permanently, putting personally identifiable information in the DID Document is frowned upon for privacy reasons.

Verifiable Claims

As I go through life, opening new accounts and adapting to whatever the Snapchat of the future brings, I’ll update my DID Document with new keys and service endpoints. It will always, however, be available at that same DID address, providing me with a stable and permanent focus for what is, essentially, me, for as long as I keep control of the keys that let me update it. If I’m the keeper of my own identity, though, what’s to stop me from claiming to be 21 or a world-renowned brain surgeon?

This is where “verifiable claims” (VCs) come in. VCs are cryptographically provable statements made by one entity about another: the issuer signs the statement with its own key, and anyone handed the claim can resolve the issuer’s DID, fetch its public key, and check the signature. That seems abstract, but if the entity making the statement is the Government of the State of New York (where I was born) and the statement is “the person represented by this DID [i.e. Ross Schulman] is over 21 years of age,” then suddenly we have a way for other people to feel fairly confident of my legal ability to purchase alcohol. The bartender still has to decide that New York is an issuer worth believing, and to check that the person presenting the claim actually controls the DID it names.

Which is a good thing.

VCs have potential applications in all sorts of contexts. Government claims, such as “licensed to drive,” “tax ID,” or “citizen of Thailand” are obvious. There are also interesting possibilities for private entities, such as “graduated from the University of Wisconsin,” or “licensed to practice medicine.”

What’s Next

DIDs may someday be revolutionary, but right now they’re more of an idea than a workable solution. A number of companies are working to bridge that gap, however. Next steps in the space include getting actors across the spectrum to try the idea out and making the technology understandable and easy to use. Much of this work is taking place through the resources available on the Decentralized Identity Foundation webpage.

I’m going to be tracking progress on the whole space and looking for ways to use my personal decentralized ID in distributed technologies going forward.