The Future of Trust

In his paper, Kim Cameron called for an identity layer for the internet. Self has spent six years researching and developing a solution to that challenge. Here, we look at what that is.

June 2, 2025

Six years ago we started work on Self. It was 2019 and, as we began to develop our ideas and start our early research, the value of fraud hit 5 Trillion dollars. Back then it was a shocking figure, the third largest GDP on earth, and yet by 2024, just 5 years later, that number had grown by 80% to over 9 Trillion dollars; that's over 3 times the combined defence budget of all the militaries on earth.

This is the context in which we say: "The way we do identity has to change", because now, the problem we face is far more serious than Kim Cameron’s predictions of a loss of trust in the internet. Unlike 20 years ago, we are now utterly dependent on the internet to support humanity, we can’t just not trust it because there is no alternative. Today's reality is that failing to get a grip on identity risks a breakdown in the fabric of our societies as crime and misinformation continue to spread.

This is not exaggeration. Not solving identity is why power grids are at risk from hackers, why election vote uncertainty has to go to court and why we can’t tell AI from reality. It is also why the solution to the problem isn’t an identity company, or government issuing digital ID, or banks and telcos shoehorning themselves into the picture. The answer has to be a universal technology on which everything can be based and which everyone can use.

Kim Cameron predicted the scale of the criminality that was to come. What he got wrong was the way society would react. He thought the growth of criminality would lead to broad-based distrust of the internet, when in fact people overlooked the issues because the internet was so convenient, and because scrolling, turbocharged by psychological design techniques intended to induce endorphin-charged addiction, had replaced the television as the fentanyl of the masses.

As fraud and online crime grew, banks, already unpopular after the credit crisis of the late 2000s, were left holding the can. They became responsible for losses suffered by consumers, leaving the platforms, which are the delivery mechanism for so much of the criminality on the internet, free to profit from it.

Twenty years is a very, very long time in tech

It’s even a long time in business and some significant things have changed the lens through which we see Cameron's Laws today. Smartphones, social media and AI were all yet to be invented and they each have a profound impact, good or bad, on how we see and use identity.

We have also begun to see the issues raised by the internet in broader terms than just pure technology. The societal, emotional and human impact of the choices we have made in technology over 30 years may have impacts which are more profound than their functional implementation envisaged.

Time, and the changes that have taken place give us new perspective on the Laws of Identity. Things which were solid conclusions at the time have weakened with advances in technology, changes in society and the criticality of the internet itself. For the most part, the original questions still hold true, but some of the assumptions need to be revisited, and these are assumptions which change the basis for some of the original laws:

Assumption 1. Data is gathered by organisations who are best placed to protect and use it.

The importance of data, especially personal data, was explored in detail in the original paper. Particular attention was paid to the minimisation of its use and the replacement of specific data, like a date of birth, with an age category which might expose only that the subject is older than 18. At the time we were pre-regulation, and the mass hacking, data brokerage and correlation risks hadn't fully emerged, so there was no need to question the more foundational issue of whether this data should be gathered and stored by organisations at all. With no mobile computing, there was no way to even envisage the idea that users might store their own data; companies, as they had been for 250 years, were the only possible hub, and users had to be spokes.

Regulators, through GDPR and CCPA, and hackers, through their constant breaching of vast stores of personal data, are signposting very clearly that storing personal data in databases is a bad idea. Centralising personal data is a root problem: it creates very attractive targets for cybercriminals to attack, and without a proper identity mechanism they will succeed in hacking it. This causes a cascading security threat, with every record taking bad actors closer to compromising identities and individuals, while the value of the correlated data they hold provides a driver to continue to attack data stores.

Traditional personal data is unnecessary in a digital context. It might be useful in a broader physical-world context, for example shipping a package you've bought online to your home, but for the digital engagement itself it's not just unnecessary, it's actively negative, placing both the customer and the organisation at risk and adding risk for the courier.

The depth of hacking is now so significant that, in all probability, every single person on earth who is documented or who has an internet presence has had their personal data compromised. The things we use to identify ourselves online are breached. We now need to identify ourselves with something else if we are to have any protection from cybercrime.

Assumption 2. Identifying people online is done using identifiers and data which are the same as or mirror the things we use to identify people offline.

In an earlier blog we drew an analogy between a vault and the internet. The laws assume that we use credentials like email addresses, passwords and keys to identify users, when in reality they offer insufficient security. They were designed to protect a vault, with a single door and a security guard, not the colander of the internet. Those credentials have been adapted for use in a digital world, but they were not designed for that use case and, as a consequence, offer myriad attack vectors for cybercriminals to exploit.

It is very difficult for humans to conceptualise a process like identification other than as a human interaction. It's one of the biggest challenges for technology: moving beyond digital solutions as a way to make legacy human interaction faster and more efficient, and into a world where we build digital solutions to be consumed by digital solutions. We're seeing it in medical imaging, where companies like Micrographia are building optical imaging which is not designed for the limited context of the human eye, and is instead built for an electronic eye with exponentially greater vision capabilities. That's what Self is building for identity: identifiers which are designed for digital systems to use and verify.

We need an identifier which is fit for purpose, identifying individuals precisely in real time while protecting them and their identity material. It must be irrefutably tied to the user's biometrics, and if necessary by extension to their formal credentials (e.g. passports), but it must present in a form which is unique to each relationship.

Assumption 3. The multiplicity of contexts makes a single universal identity system unrealistic even if it is technically resolvable.

Cameron assumes context for interactions using identity online is rooted in the needs of organisations and governments. That surfaces the prospect of thousands upon thousands of possible contexts for the use of digital identity within each country, and yet more when you take into account the government context.

This assumption is rooted in the narcissism of organisations and governments. Neither can see beyond their own needs, nor can they see their customers or citizens other than in their own context. But people inhabit a vast range of contexts, and across those contexts they, not their suppliers or their country, are the only constant.

Focusing on the role identity really plays shows clearly that the only viable context for digital identity is the individual, the person. Everything else is a credential. Nationality, names, relationships can all change; only the birthdate and the biometrics of the individual are truly immutable, and it is those characteristics to which we must anchor digital identity, in the context of the user to whom they relate.

That requires a system which ties identity to humans regardless of their credentials, and in doing so it offers utility to organisations and governments without needing context specific identity infrastructures. At the same time it places individuals in control of their data and their identities.

Assumption 4. Identity is a product.

The language of the laws assumes not only that digital identity will be provided by commercial organisations, but that contexts will make a multiplicity of identity types a necessity. The assumption, which is not questioned, is that digital identity is a product, and moreover it is a commercial product which will generate profits and government revenue.

Identity is an inherent part of being human, of our self. It is far more nuanced and complex than just our credentials, and that complexity is an asset. Identity doesn't expire as a passport does, nor should it be invalidated by anything other than death. We exist; electronic identity needs to replicate our existence and allow us to evidence it and align it with our credentials and ourselves.

Identity is made up of personally identifiable information about the person it relates to. GDPR clearly defines the owner of that information as the data subject. Therefore digital identity belongs to the person to whom it relates, not to a service provider or to a federated identity vendor. Nothing in that is commercial, nothing in that should be commercialised, and organisations should not be treating identity as a product to be commercialised because they don't own the data. Digital identity could well be the next PPI or car finance scandal.

Furthermore, in assumption 3 we discussed the issue of contexts, and proposed that there is really only a single relevant context for each individual: that of themselves. If the context is the individual, then identity cannot be a product. It is the sharing of knowledge of a person, by that person, with another; there are no identity service providers in that loop.

Most critically, it is the pricing of identity which locks so many out of these services. While governments insist that such services be inclusive, the greatest barrier to that becoming a reality is the price placed on identity material and services, often by governments themselves. Identity should form part of any bill of rights, but failing that, a system of identity which operates outside of national boundaries and commercial considerations offers the best hope for inclusion.

Conclusion

Our research and development work has told us that, 20 years after the publication of the Laws of Identity, a single identity solution is no longer unrealistic; in fact it's essential. However, the single identity solution we have envisaged and delivered looks very different to the identity solution imagined and rejected by Cameron. Our network is principally for identifying people, not for supporting organisational contexts. Secondarily, it is for identifying things people control or own, like organisations and assets.

By focussing on people we can reduce the context our vision for digital identity operates within to individual humans. That means shifting from data being gathered by organisations about their users to data being gathered by individuals about themselves.

Our network is a single technical framework through which any relying party, organisation or individual, can call for assurance as to identity or credentials as part of any conceivable online interaction. Crucial to this concept is that control rests with the individual, not with a third party. Organisations can still define their digital relationships, just that those relationships are now both consensual and natively digital. Self is not a party to those relationships, it is just the facilitator.

The gateway for users is not yet another dedicated app or website; it is embedded into any organisation's apps and platforms with SDKs and APIs designed for rapid integration. Tooling creates workflows which deliver value to organisations, like authentication or digital signatures, while the user collates and correlates their own cloud of personal data, including their formal credentials (e.g. passports), on their phone, in their hand, in all probability without even realising it.

There is no central store of users or their data in the network; even Self is unaware of the users or their relationships, so there is nothing to hack and no risk to users or organisations from cybercriminals attempting to steal or correlate data. Where organisations choose to, and are able to, they too can remove personal data from their datasets, storing it with their users under their Self ID and leveraging our network to maintain communication with their customers. That small change moves company datasets out of regulation and significantly reduces their attractiveness to hackers, removing the financial and reputational risk associated with being hacked.

Every entity on the network is identified using a non-correlatable identifier called a Self ID, specifically designed for a digital context, which ties identity to humans regardless of their credentials. It must be irrefutably tied to the user's biometrics, identifying individuals precisely in real time while protecting them and their identity material. Because it must cover every entity type, identifiers can be given to organisations and things, but only with reference to the humans who own or hold ultimate responsibility for those things. Most critically, user identifiers must present in a form which is unique to each relationship, so that there can be no external correlation.
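The property the paragraph above relies on, an identifier that is stable within one relationship but cannot be joined across relationships, is easiest to see in code. The block below is an added illustration written for this post; it is not Self's implementation, and Self's construction is not described here. It assumes the common pairwise-pseudonym technique: a root secret that stays on the user's device, and a per-relying-party identifier derived from it with HMAC-SHA256 under a constructed domain label. Two relying parties pooling their identifier columns can then link nothing, while each one sees the same value every time the same user returns.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed domain-separation label for this example scheme (not a Self protocol constant).
LABEL = b"example-pairwise-id:v1:"


def new_root_secret() -> bytes:
    """Generate a fresh 256-bit root secret, the kind of value a device keystore would hold."""
    return secrets.token_bytes(32)


def derive_relationship_id(root_secret: bytes, relying_party: str) -> str:
    """Derive the identifier a user presents to one relying party.

    The root secret never leaves the user's device. A relying party only ever sees
    HMAC(root_secret, party_name), so it cannot recover the secret, cannot guess the
    identifier the same user presents elsewhere, and cannot join its records with
    another party's. The output is URL-safe base64, not human-readable by design.
    """
    # Canonicalise the party name so "Bank.Example" and "bank.example" map to one relationship.
    party = relying_party.strip().lower().encode()
    digest = hmac.new(root_secret, LABEL + party, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def correlated_records(ids_a, ids_b):
    """Identifiers a broker could link if two relying parties pooled their user tables."""
    return sorted(set(ids_a) & set(ids_b))


def demo() -> dict:
    """Constructed sample: two users, two relying parties; returns the properties checked."""
    # Fixed secrets so the demo is reproducible; real secrets come from new_root_secret().
    alice = bytes.fromhex("00" * 32)
    bob = bytes.fromhex("ff" * 32)
    bank = [derive_relationship_id(u, "bank.example") for u in (alice, bob)]
    shop = [derive_relationship_id(u, "shop.example") for u in (alice, bob)]
    return {
        # Same user, same party: the identifier is stable across visits.
        "stable": derive_relationship_id(alice, "bank.example") == bank[0],
        # Same user, different party: unrelated identifiers, so no cross-party correlation.
        "distinct_per_party": bank[0] != shop[0],
        # Different users, same party: the party can still tell its own users apart.
        "distinct_per_user": bank[0] != bank[1],
        # Pooling both parties' tables yields no joinable rows.
        "linkable": correlated_records(bank, shop),
    }


if __name__ == "__main__":
    print(demo())
```

The choice of an HMAC rather than a plain hash is the security-relevant detail: a party that learns the canonical name of another party still cannot compute the user's identifier there, because the root secret is the key, not part of the message. Binding the root secret to a biometric unlock on the device, as the post describes for a Self ID, is outside what this snippet shows.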

Placing the individual at the core of the system offers utility to organisations and governments without needing context-specific identity infrastructures. Organisations can leverage identity appropriately, but they cannot misuse it. Agents will provide the ability to ensure users can't misuse their autonomy, by persisting agreements and providing access to data which might only be required in case of a breach. At the same time, it places individuals in control of their data and their identities, and removes the value of physical-world identifiers to cybercriminals.

As the value chain shifts away from commercialising the identity material itself, we move away from the price barriers which characterise the current digital identity landscape. An identity layer must be an enabler of growth and security without being a commercial burden. Our network relies on charging for messages which transit it. We don't differentiate based on content; we just enable organisations to rapidly engage with users, simplifying processes and reducing friction at common choke points like onboarding, authentication and KYC.

Users get a secure, biometrically gated identity and a digitally appropriate identifier applied to a user-specific context. It's a safe digital representation of them which they can apply to any relationship they hold, without it being complex or even something they are aware of. It's consumers using keys and cryptography, representing them as humans, to secure everything from signing documents to using tickets and voting.

Next

The next blog in this series looks at the Laws as we now see them and proposes a new set of Laws for the second quarter of the century.

  1. Everything must be identified using non-correlatable, non-human-readable identifiers.
  2. Identity is binary; user-controlled biometrics enable binary identification.
  3. Personal data must be held by the person to whom it relates.
  4. Identity is not a product.
  5. The human is the context.
  6. The network and its tools are available to all.