A "for dummies" glossary of electronic identities

alberto · October 30, 2019, 4:18pm

I have already reported on the workshop on online identities led by @RobvanKranenburg at the NGI Forum in Helsinki. As I read more about the topic, I find many words and expressions that are highly specific of that intellectual space, and they are not necessarily super intuitive for a nonspecialist who is trying to form an opinion. So, I feel the need for a small glossary where I can stash their definitions, and come back to when I need to refresh one. Lately I came across this post, and I decided to start writing one. I’m making it a wiki in case others want to help.

Disposable identities

Disposable identities are temporary attribute-based identities describing a smart contract between a receiver and a supplier of a service, ie. rent, leasing a car, energy for a home, paying taxes, basically any service.

I am not sure about the “smart contract” part, but the “disposable” part seems to point to identities that are “one shot”: you use them to secure a certain service, and then never again. In An example close to the experience of many of us is disposable email addresses: these are addresses you only use when you sign up to an online service, and only to do one thing: validate the email address. Once validated, you throw them away, or they even self-destruct (but now need to store your login information in a safe place). You can also get disposable phone numbers, and there is even a fun Fake name generator you can use to confuse algorithms.

Ok, but then how would it work to rent a car based on a disposable identity? When you rent a car, you need to show your driving license, for the very good reason that you carry responsibility and liabilities for any bad deed you might be carrying out with that car. It would be nice to rent one with a disposable ID, but I don’t think Avis is going to be willing to give you the keys.

Trust framework

I think the document refers to the IoT Trust Framework. This is basically a checklist meant to assess the trustability of a connected device. If the device does not meet the framework’s requirements (that is, if one or more “must have” characteristics are not there), then the device is not trustable.

Provable computing

I cannot find online definitions of this. By analogy with provable security, I imagine it to be a type of computing which does not happen in a black box; you can verify that the computing really treats the input data in the way it says on the label. +

In science, we have a similar concept called reproducibility. It comes down to publishing not just your results, but also your data and the code to crunch them.

Self-sovereign identities

Self-sovereign identity is the concept that people and businesses can store their own identity data on their own devices, and provide it efficiently to those who need to validate it, without relying on a central repository of identity data. […] There are three parts to identity: claims , proofs , and attestations. (source)

RobvanKranenburg · October 30, 2019, 8:48pm

Thank you Alberto. This is a very good start, and your readings are very helpful and raising new interpretations. All of this is quite in flux and I hope in the coming time we can engage edgeryders in this.

The main argument is this:

As we move into a hybrid world, no longer analogue + data in digital devices, but every object digitally addressable and traceable (item level tagging), a world of iot, Big Data, and AI whoever owns this relationship of one person -one number – currently companies with shareholder obligations and national governments with selected self -interests – is given a large number of extra layers of capabilities that were not negotiated in the registration process, are un democratically non accountable (non-transparent algorithms) and acquire a pro-active capacity that is not shared (or only shared when beneficial to the country or company) with the person whose number is used.

The text is here:

https://www.theinternetofthings.eu/sites/default/files/docs/Rationale%20for%20an%20ETSI%20Group28102019v2.pdf

Interestingly just a few days ago a very large group of organizations came out on this very topic:

WhyID: Protecting Our Identity in the Digital Age

So our interest is timely and our solutions are radical (going down to heart of the matter breaking the current value model totally), but realistic and legally enforceable, or at least that is where we will, in our NGI Forward project, will be working hard on.

alberto · November 7, 2019, 3:35pm

Wow, I really like the WhyID letter, and have decided to sign it.

Those who promote these [digital ID] programmes must first critically evaluate and answer these basic WhyID questions, along with providing evidence of such rationale. In addition to answering these questions, these actors must actively engage and consult all actors. If there is no compelling rationale, evidence-based policy plan, and measures to avoid and repair harms, there should be no digital identity programme rolled out.

After DECODE, I am now seeing a “Polanyian pushback” everywhere, so I may not be entirely objective here. But it seems to me that WhyID is fully compatible with that interpretation. The fight to control a single source ID layer can be interpreted as an obvious consequence of Big Data/Big Tech/Big Money, and these initiatives can be interpreted as society’s reaction against this.

teirdes · November 7, 2019, 9:41pm

There is a similar project by Omidyar network #GoodID, which I think #WhyID is a reaction to.

It’s truly a fascinating topic, identity - but there is little by way of international law - the real deal with identity is the intrinsic power in “papers please” that a government can exert of its (or other governments’) citizens, and what that means both internally to that country (social benefits, business opportunities, etc) and externally (migration, for instance). GoodID comes from this type of argument:
https://www.weforum.org/agenda/2019/04/data-oil-digital-world-asset-tech-giants-buy-it/

i.e. identity is a resource, it’s valuable, and tradeable.

Maybe the FIDIS project can provide some interesting knowledge: Use Cases & Scenarios: Future of IDentity in the Information Society

alberto · November 7, 2019, 10:11pm

Interesting about #GoodID, @teirdes, I was not aware of it.

What do you think about identity as a tradeable commodity? A month ago Rob and @hugi and I went to MyData 2019, and we found this:

What models for a data economy? Reflections from MyData2019

To my surprise, the MyData community seems to have a rough consensus that monetizing personal data is not a long-term sustainable way to run a data economy. The person that came up with the clearest formulation was perhaps Finnish lawyer Jussi Mäkinnen (not verbatim, I am quoting from my notes):

When copyright was invented in the 17th century, lawmakers conjured up a new property right, the right to own something immaterial. They knew it was a bit of a ghost, with little grounds in terms of the legal system of the time, but they wanted a way to reward the creators and their publishers. That, however, created more long-term problems than it solved. So, we have learned from the copyright story that legislating private ownership of personal data is probably a bad idea.

Ingrid Schneider’s super-good talk at the same conference went on to list four main proposals around the economic models for a data society. One of them was

But, as I said, at MyData these ideas seemed to be shrugged off as old and overtly neoliberal, not ideas that a respectable adult can really entertain, and certainly not in Europe. A fortiori this should apply to identity, no?

teirdes · November 7, 2019, 10:15pm

What do you think about identity as a tradeable commodity?

In Sweden, all formal identities are tradeable commodities owned by the government - social security numbers, car plate registration, corporate identities, information about grades, address, school, name, number of children, income, taxes, etc. Most major public authorities in Sweden finance their IT by selling personal data to various entities. For instance, one major IT-security scandal reported by Svenska dagbladet (big Swedish newspaper) about 2-3 years ago concerned the sudden, but brief, unavailability of the Social Security Agency (Försäkringskassan) databases to private insurers in the middle of the night. Not such a terrible security incident in my view (“oh no! an insurance company could not purchase citizens from the SSA for two hours on a Thursday night!”) - but it’s extremely engrained in Swedish society.

On principle, I’m not so comfortable with this - I do not consider myself, not even my formal administrative incarnation under Swedish public services, a tradeable good and I do not see others this way either. But I recognise it’s one of the administrative models that exist in the EU, and yeah.

teirdes · November 7, 2019, 10:18pm

My “favourite” government identity management system in the EU is the German system. I think it respects the need of individuals for unlinkability and diversity, and also that it divides power between institutions and citizens in a scalable way. A different way of solving it - which I suspect is the backdrop of the #WhyID campaign from AccessNow - is the anglosaxon way: having no centralized government identity management at all, per se (“why government ID?”).

Maybe fidis.net will contain some more interesting thoughts for this discussion. It spawned, for instance, this Open Access Journal (which alas closed in 2010):

https://link.springer.com/journal/12394

alberto · November 8, 2019, 7:12am

Wow FIDIS is super interesting! I think I am finally starting to get what @RobvanKranenburg is at.

I just finished reading this scenario. Looks dystopian to me – the guy is spending his whole holiday doing the future equivalent of accepting cookies – but maybe it’s just kneejerk conservatisms (“kids these days”). I am, after all, in my 50s.

But this is dystopian for real:

Who cares about explicit informed consent when your wife is in labour?!

Which bring us back to Oskar van Deventer’s nightmare scenario:

RobvanKranenburg · November 8, 2019, 8:40am

Hi Amelia,

Great to see you in Turin and I will be in touch in mail as well, sending you the Disposable Identities text I will put online as well next week. The German example. Is indeed fascinating in its historical perspective, more later! Greetings, Rob

alberto · May 4, 2020, 3:25pm

@RobvanKranenburg I am working through the notes of our call in order to produce a post. It is slow going because I want to make sure I understand the low level of the technology, no cutting corners.

Something I forgot to ask you in that call: what are your thoughts about Bruce Sterling’s pamphlet “The Epic Struggle of the Internet of Things”? He seems to expect a messier scenario than you and your associates, or am I wrong?

RobvanKranenburg · May 4, 2020, 5:37pm

Hello Alberto,

If you want to understand it from a technical point of view (which I do not) then you have to talk with other people in the project. If you want I can give you names. My understanding is always intuitive and related to larger trends that can not be immediately grasped. I never read that text from Bruce, but yes he will no doubt be messier then my associates as my associates in this endeavor are structured and embedded in crypto, software development and business models, apart from being interested in the balance between accountability and anonymity in a society where citizens have self sovereign identities.

Greetings, Rob

MariaEuler · May 20, 2020, 4:19pm

@RobvanKranenburg could you maybe give a short update on your DI project, where it stands now? jus 2-3 paragraphs

RobvanKranenburg · May 20, 2020, 5:43pm

Hi Maria,

The latest is here:

https://www.disposableidentities.eu/about-disposable-identities-community-statement

Cheers, Rob