The world of crypto is finding out what the world of fintech found out quite a while ago, which is that it is impossible to really compete in the mainstream of financial services without dealing with the problem of identity. Across both sectors, the need for a population-scale digital identity infrastructure is evident. I saw an article in American Banker titled “Banks should take the lead in developing a trusted digital ID system” (and I agree), but as yet Americans do not have any bank-issued digital identity, so it is interesting to see if the crypto world might move us forward.
The Bitcoin Policy Institute (BPI) has just published a report called “Building a Trustworthy Digital Future: Digital Identity in the Land of the Free” which calls identity the “layer zero for participating in modern life” while simultaneously calling attention to the “fractured” nature of digital identity in America and noting the escalating scale of identity fraud. Indeed, while I was reading it I noticed an all-too-typical report that hackers obtained the personal information of a majority of insurance firm Allianz Life’s 1.4 million customers in North America.
It is an interesting report and I urge you to read it, but for now I will simply highlight that it (correctly) identifies tried-and-tested cryptographic solutions such as digital signatures and verifiable credentials as the way forward. The report favours the use of decentralised identifiers that are “wholly controlled” by individuals – something I am not entirely convinced about, since it is not at all clear to me that individuals (eg, me) have the persistent competence necessary to exercise this control – and the use of selective disclosure to enhance privacy.
The Ethereum world is facing the same problem and Vitalik Buterin, the co-founder of Ethereum and a very smart guy, has just put forward a proposal for an “inclusive” digital identity model, which I read with interest. He suggests that we meet the challenges of identity verification in the digital age by creating a decentralized system that allows individuals to control their own digital identities. This might be a good idea – but what does good look like in the world of population-scale digital identity?
Buterin’s proposal emphasizes the importance of pluralistic identity systems, which enhance privacy and support the capability to maintain several digital identities. This approach is seen as crucial in an era where digital interactions increasingly require reliable and private identifications. The initiative suggests that digital ID systems should avoid a one-per-person model that heightens surveillance and reduces pseudonymity. Existing systems, such as those in the European Union, were referenced to illustrate the need for zero-knowledge proof applications. All of which I think is uncontroversial.
He then goes on to discuss the Sam Altman-backed World ID. This uses iris biometrics to distinguish individuals. Instead of storing the biometric, or the biometric template, they break up the template into encrypted pieces stored in different places. Working in a field known as secure multi-party computation (SMPC), they have applied cryptographic smarts to use the iris templates (known as “iris codes”) to determine an individual’s uniqueness without creating a biometric honeypot for fraudsters. Privacy is enhanced because an application-specific ID is actually a hash that takes in the application ID and a session ID, so that, for example, your bank ID and your airline ID cannot be linked without your permission. This is good practice and you could easily imagine (for example) a government ID application that did the same thing. So whether you’ve scanned your eyeballs to get a World ID or scanned your passport with your phone’s NFC reader to get some sort of ID based on your government identity, Vitalik says that the two have the same properties “barring a few edge cases like multiple citizenship”.
On the Edge
Vitalik’s aside about “edge cases” caught my eye, because of course to digital identity obsessives (eg, me) it is those edge cases that determine the viability of a digital identity system and, certainly in the case of a national digital identity infrastructure, in fact define the core functionality. Let me explain. If someone tells me about a new digital identity scheme, it doesn’t interest me to understand how it works for a normal law-abiding citizen going about some mundane task that should really be handled by an AI. What interests me is precisely how it handles the edge cases. I have three standard edge cases that I use to examine such a scheme. They are generically what I call the “3Ws”: witness protection, whistleblowing and accessing adult services.
Witness Protection
Suppose there is a British Citizen ID that is based on a biometric register, something like World ID. So each citizen can have only one ID, and if someone tries to register for a second ID then the system will block them. Well, how will that infrastructure deal with “state” pseudonyms for purposes such as espionage and witness protection? How does James Bond get two IDs, one as James Bond and one as Dave Birch when he needs to go undercover to break an international spy ring that is operating behind a front of amiable Dungeons & Dragons groups? How will that infrastructure give a new identity to Dave Birch when he enters the witness protection scheme as Tantamount Horseposture? And if I am found lying in the road and the police scan my iris on the way to hospital, how will the infrastructure know whether to return the ID of James Bond or Dave Birch or Tantamount Horseposture?
These are hardly esoteric use cases. A common example that is worth using to explore some of these ideas is the case of (generally) women and abusive ex-partners. I remember the case of a woman who fled from an abusive husband who then destroyed all of her identity documentation so that she no longer had access to money. Soon after, her bank sent a letter to her and her husband, giving away the address of the “safe house” where she was living in fear. Never mind spies and master criminals: how can society help this woman? How can her current identity be erased and replaced with a new identity (that can obtain a new bank account)?
Whistleblowing
The sort of tip-off systems that work for whistleblowers need unconditionally anonymous identities that have unforgeable credentials attached. If I am to tell the authorities “hey, I work at the First Bank of Dave and I think account number 666 is being used by money launderers” then I want to do it through an anonymous web interface by presenting a credential that proves I am an employee of the bank (“Mr. XXX”) but means that it is mathematically infeasible for the authorities or the money launderers to find out which employee. And, of course, I will want the reward sent to Mr. XXX in anonymous cryptocurrency or as a deposit to an anonymous bank account somewhere, if such things still exist.
Think of the example of a nurse reporting a surgeon for misconduct. The hospital will need to see a credential that proves that the whistleblower is Nurse YYY while simultaneously ensuring that Nurse YYY’s identity is protected. However, should investigation determine that a surgeon was drunk on duty, or whatever, then there may be some legal necessity for the nurse to testify in court. In this case, it ought to be possible for the authorities to present someone (leave aside who for the moment) with a legal warrant requiring them to provide the link to the nurse’s mundane identity. The key point here is that neither the hospital nor the surgeon should be able to do this in the absence of a warrant.
We need to move beyond a model where access to services requires us to provide some all-encompassing notion of our identity and move on to one in which we simply prove that we have the specifically required attributes.
Adult Services
I often hear people joking about how adult services are the trailblazers for new technology, but there is some truth in this, and it may be true in digital identity as it was in video recorders or online payments. When 800,000 account holders on the adult site Brazzers had their details breached thanks to a software vulnerability (their email addresses, user names and plain text passwords were exposed), or when SextPanther had 11,000 identity documents belonging to sex workers (including names, home addresses, dates of birth, government IDs and biometrics) exposed, I would have thought that the need for pseudonyms and payment tokens was crystal clear. I assumed at the time that banks would seize this opportunity to establish a modern, sophisticated version of the Nordic “Bank ID” to create a platform that would keep their customers safe and open up a revenue stream that is not based on payments. In essence, I was thinking that when you go to create an “Adult ID” you would get bounced to your bank where you would log in using the mandatory two-factor authentication (2FA) and the bank would then return a cryptographic token confirming that a) you exist, b) the bank knows who you are and c) you are over 18.
The reason for going down this path is that if the adult service is compromised, the attackers get a cryptographic token that contains no personally identifiable information and can only be linked to the customer by their bank. If customers get used to this kind of strong pseudonymity for adult services then maybe they will begin to use it for other services.
Consumers of pornography do not want to go to the trouble of proving their age and identity to view content that is protected under the U.S. Constitution. Some are worried about future government interference and reprisals as well as their biometric data being stolen and sold.
From “Texas law paused. Age verification for porn sites put on hold”, Biometric Update.
I strongly support age verification for adult services, and yet I also firmly agree with all of these statements. First of all, proving your age to view content that is protected under the U.S. Constitution should not be “trouble” (for U.S. citizens, at least). Secondly, the government should not be able to “interfere” in such a transaction (unless you have broken the law, for example). Thirdly, there should be no possibility of the consumers of adult services having their biometric data stolen. So how do we achieve all of these goals?
Well, technologically, the solution is trivial. When you go to an adult site, the adult site should demand verifiable credentials that show you to be over 18 and a U.S. citizen. Note that there is no reason for either of these credentials to contain any personally-identifiable information (PII). Let us imagine that you have a digital wallet on your smartphone that contains any number of credentials, but in particular has a credential issued by your bank that says you are over 18, are a U.S. citizen and have had an account at the bank for more than one year.
The wallet pops up on your phone and says “hey I see you are logging in to XXX site, the site wants to know if you are over 18 and a U.S. citizen, is it OK to tell them?” and you hit “OK”.
The credential goes from your wallet to the adult site. The credential includes the digital signature of the issuer. Let’s say the issuer is Bank of America. The adult site knows Bank of America’s public key (so does everyone else, as it is… well, public) so it can check the digital signature and check that the credential really does come from Bank of America and not from your brother.
At this point the adult site needs to know that you are the subject of the credential and that you didn’t just copy it from your older brother’s phone. Now, the credential contains a public key, so the adult site encrypts something (a fresh random challenge, so that an old response cannot simply be replayed) using that public key and sends it over to your smartphone. The only way to decrypt the message is by using the associated private key, which is in secure tamper-resistant memory in your phone. The phone requires you to authenticate yourself before it will use the private key, so it uses FaceID or FingerID or whatever. With the authentication complete, the message is decrypted and sent back to the adult site.
Now the adult site knows that you are over 18 and a U.S. citizen.
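The flow just described, as an added example (not code from the original post or from any wallet or bank): a Go sketch in which the bank signs a PII-free credential with an Ed25519 key, the adult site checks that signature against the bank’s public key, and then proves the presenter actually holds the private key by encrypting a fresh nonce to the RSA key embedded in the credential. The key types, field names and the `demo` scenario (the genuine wallet versus an older brother who copied the credential file) are my assumptions, and the on-device biometric unlock is assumed to have happened before the wallet decrypts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
)

// Credential is a constructed claim set: only the attributes the site needs plus the
// wallet's public key, and no PII such as a name or account number.
type Credential struct {
	Over18    bool           `json:"over_18"`
	USCitizen bool           `json:"us_citizen"`
	HolderKey *rsa.PublicKey `json:"holder_key"` // used for the proof-of-possession step
}

// issue: the bank signs the JSON encoding of the credential with its Ed25519 key.
func issue(issuerPriv ed25519.PrivateKey, c Credential) (payload, sig []byte) {
	payload, _ = json.Marshal(c)
	return payload, ed25519.Sign(issuerPriv, payload)
}

// admit is the adult site's decision for one presented credential plus challenge round.
func admit(issuerPub ed25519.PublicKey, payload, sig []byte, wallet *rsa.PrivateKey) bool {
	var c Credential // step 1: the bank's signature must verify before any claim is trusted
	if !ed25519.Verify(issuerPub, payload, sig) || json.Unmarshal(payload, &c) != nil {
		return false
	}
	if c.HolderKey == nil || !c.Over18 || !c.USCitizen { // step 2: required attributes
		return false
	}
	nonce := make([]byte, 32) // step 3: fresh challenge, encrypted to the key in the credential
	rand.Read(nonce)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.HolderKey, nonce, nil)
	// step 4: wallet side; on a real phone this key is usable only after FaceID or a fingerprint
	got, derr := rsa.DecryptOAEP(sha256.New(), rand.Reader, wallet, ct, nil)
	return err == nil && derr == nil && string(got) == string(nonce) // only the true key holder gets in
}

// demo: the genuine wallet, then one that copied the credential but not the private key.
func demo() (genuine, copied bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holder, _ := rsa.GenerateKey(rand.Reader, 2048)
	brother, _ := rsa.GenerateKey(rand.Reader, 2048)
	payload, sig := issue(issuerPriv, Credential{true, true, &holder.PublicKey})
	return admit(issuerPub, payload, sig, holder), admit(issuerPub, payload, sig, brother)
}
```

Because the bank’s signature covers the whole payload, the same check also rejects a credential whose claims were edited after issuance.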
Pluralistic
Explicit pluralistic identity naturally bakes in the capacity for pseudonymity: you can have a pseudonymous identity (or even multiple identities), and each of those identities can build up reputation in their communities through their actions. An ideal explicit pluralistic identity system may not even need to have the concept of discrete identities at all, only discrete reputations that can be cryptographically proved on demand. If (for example) British Airways want to know if I am a member of the (for example) Manchester City Fan Club they do not need to ask Manchester City, they can ask me. If my wallet contains a proof that I am a current member of the fan club then it can go online and get the relevant verifiable credential to prove this. British Airways do not need to know my fan club number or any other identifier that might be stolen in the event of a data breach.
The idea that a person might have half a dozen digital identities much as they have half a dozen credit cards has always seemed right to me.