The Internet, e-commerce, and digital discourse are dominated by identity. Until recently, identity was all we had to go on when trying to trust other people online. We developed a terrible habit of over-identifying: Relying parties tend to collect circumstantial clues, like credit card verification codes and social security numbers, instead of properly verifying what really matters. People divulge excessive personal data (often unwittingly) which then leaks and gets abused by criminals. We have way too much identity sloshing around.
Is there a paradigm shift coming? The most important developments in our industry — Self-Sovereign Identity, the FIDO Alliance, and verifiable credentials — are really not about identity at all, but authorship, provenance, integrity, and control. Let’s move beyond identity and imagine a world where cryptographic infostructure is as universal as electricity or clean water. All the data we need is hallmarked, traceable and trustworthy thanks to authentication technologies.
An Unhealthy Obsession
I make this call with great respect for my friends and colleagues in the industry: we must end our obsession with identity. For thirty years, identity has dominated digital practice and discourse. We overcook the Peter Steiner gag that “On the Internet, nobody knows you’re a dog”. That was just a wry joke about dogs getting up to mischief, not an editorial commentary on digital trust. Until recently, when trying to "trust" anyone online, identity was all we had to go on. When faced with higher risk, we would seek higher trust and ask for more identity. We put the quantity of identity ahead of quality. We put identity first.
Bad Habits
Obsessed with identity, we developed terrible habits. Instead of verifying the particulars that really matter about people we deal with, we drag in circumstantial evidence — almost always extra identifying data — from unrelated contexts, such as CVVs and SSNs, much of which is then stolen and bought and sold and replayed by fraudsters. Consider Knowledge Based Authentication (KBA), which places a premium on “out of wallet” details that ought to be less likely to be known to criminals. But personal information is everywhere on the Internet and KBA backfires by motivating a black market for personal data.
Identification for digital risk management is like putting out fire with gasoline. We should do more to secure the specific facts and figures that each transaction really depends on.
Data as a Utility
Meanwhile, data has become the lifeblood of modern society. Last year, the World Bank, in its world development report “Data for Better Lives”, called for a “new social contract for data” to protect citizens against harm arising from the information and power asymmetries created by big tech. Data is now a resource almost as important as clean drinking water. Yet we access, accept, and recommend data on an ad hoc basis; outside certain professions and intelligence circles, data is handled without any standards for quality or provenance.
Regulatory Pressure
And so regulatory pressure is building, quite properly, on data flows and processing, and also on what customers know about data. There is more onus on transparency and accountability. There should be no more digital Wild West!
Digital Truth
Cynics say we are “post-truth” but as cyberspace grows in importance, surely our biggest challenge really is digital truth. From payment card fraud and online scams through to misinformation and AI-driven Deep Fakes, every one of these problems is fundamentally about poor-quality data. We can’t trust the evidence of our own eyes anymore. Are we really contemplating digital twins in a synthetic metaverse without first taking better care of fidelity?
Concerted multidimensional responses to the data quality problem are underway (not to mention some narrow legislated bans on Deep Fakes). For one, several major mastheads have teamed with Microsoft Research in the Coalition for Content Provenance and Authenticity (C2PA). The group’s first draft standard draws heavily on technical measures familiar to the identerati, such as digital signatures and certificates.
And the new Verified Information Exchange (VIE) is an interdisciplinary research program hosted by UW with a work program focused on network or scheme-based business models for data supply. According to the VIE, “The global information environment is a form of 'market' that needs exchange protocols and local standards”.
Another new effort, the Global Assured Interoperability Network (GAIN), was prominent at Identiverse 2022. It means different things to different stakeholders; even the ‘I’ in G.A.I.N. has been reframed to interoperability since the initial publication. One of the best features of the concept is the Service Provider: a fourth party in the data flow, intermediating the familiar End User, Issuer and Relying Party, to enhance scalability.
Infostructure
The payment card processing networks exist purely so that certain customer data — account numbers and some metadata — can be reliably presented to merchants and verified. GAIN represents an extension of the four-party model for presenting and verifying data more generally.
Card schemes are a paragon of infostructure: An organizational structure used for the collection and distribution of information (usually hardware, networks, applications, etc.) used by a society, business, or other group (Ref: Oxford English Dictionary). That is, verifiable data sharing will be underpinned by rules, technologies, and business models.
Data Means Business
We know data is big business — good and bad — and that information is being organized into value and supply chains. We are still in the very early stages of digital transformation. As cyberspace becomes civilized, we need data business to be more orderly and transparent.
If there is any truth in the comparison of data and crude oil, then let’s think in terms of assaying data. That is, let’s start to measure the properties of data that make it reliable, fit for purpose, and valuable. And then let’s bind the assays to the data records as they move through the information value chains. I envision a world with widespread cryptographic infostructure, so that verifiable data is available everywhere, just like stable electricity and clean drinking water. We have the tools to build such infostructure. We IDpros know we have these tools because we have already built them!
The Post-Identity World
So let’s shift focus from the abstract to the concrete. Notice that I haven’t used the word “identity” since the start of this piece. The idea of identity is simply not helping. I know that it strikes some as a sterile perspective, but what we think in the digital identity echo chamber doesn’t matter, because the tools developed by our industry have shown the rest of the world how to design for verifiable facts and protect them cryptographically. We can trust without identifying. We are familiar with “zero trust”; let’s try zero identity!
We can break old habits. Instead of starting with identity, let’s ask:
- What do you really need to know?
- Where will you get the data?
- How will you know if it’s true?
It is perfect timing for a paradigm shift. We have intelligent devices at the edge, we have mobile digital wallets that make ideal verifiable containers for data, and we have clouds full of APIs for signing data. We can do better with digital identity; indeed, we can do something much bigger and better for all of cyberspace. Let’s apply our proven tools to build an infostructure that delivers data as a true utility.