
Let me explain! No, there is too much. Let me sum up.
Welcome to week 5 of my series on identity. My argument so far:
Accounts represent real people, and should not be tossed aside via quick terminations.
Platforms make it too easy to get an anonymous account, which enables large-scale abuse.
Paradoxically, anonymity is also essential to online safety.
There’s no single solution. We need something that supports variety and nuance based on context and risk.
The unifying problem here, I believe, is that the Internet is really bad at trust. Two weeks ago, a new group called the First Person Project published an 80-page white paper proposing a usable trust layer for the Internet. I really enjoyed reading it, but in case you have other plans for the weekend, here’s my attempt to get the key points across in 10 minutes or less.
Why is trust online such a mess?
In the real world, trust is full of the variety and nuance we don’t have online. You can establish trust with formal proof, like showing your passport to board an airplane, or getting licensed as an architect. You can tap into social proof, like asking your friends to recommend a dog walker, or getting tipped off to not invite Bob out to dinner because he never pays his fair share of the tab. People and organizations can earn personal trust by living up to their commitments. Even if you have nothing else to go on, you can evaluate verbal and visual cues.
Platforms have mostly tried to implement trust on the cheap, and it shows. Social proof online is constantly gamed with fake ratings and reviews. Formal proof through “blue check” verification is fragmented, hard to get, and only transmits the most basic trust fact – that the account isn’t an obvious imposter. And it’s easy to avoid the accountability of personal trust by moving to a new anonymous account.
Governments are going too far in the other direction. The UK, Australia, and 25 US states force you to turn over your entire government ID to prove your age. This is already a disaster – hackers have stolen the information of 70,000 Discord users and publicly shared their selfies and government IDs.
Why hasn’t anyone solved this already?
Online trust is not a new problem, and pieces of a solution have been around for 30 years. I’m not going to try to explain public-key cryptography, certificate authorities, and webs of trust here. You just need to know that A) they are reliable and secure thanks to really sophisticated math and algorithms; and B) they’ve historically been too complicated for billions of non-technical people to use directly.
Why are things different this time?
The First Person Project makes trust usable thanks to something you already have on your phone, and three ideas that build on it.
Digital wallets have gone mainstream.
Organizations can put trust credentials into your wallet.
You can share different pieces of your trust credentials in different contexts, without revealing more than you want.
We can all add credentials to each other’s wallets, and share bits of trust with each other, without a central authority.
1. Digital wallets everywhere
Every Android and iPhone now has a digital wallet for tap-to-pay, airline or concert tickets, and more. Digital wallets put a user-friendly face on all that complicated math I avoided explaining above. If built properly, they are secure and private. Seventeen US states and over two dozen countries worldwide, including Denmark, Estonia, and Thailand, now offer some form of government ID for digital wallets.
2. Store trust credentials in your wallet
Once you have a safe, reliable digital wallet, you can store additional verified credentials that help you establish online trust.
This starts with a personhood credential – some entity vouches that you are a real, unique human in their context (but, importantly for privacy purposes, not that you are a specific, globally-unique human).
From there, your employer could give you a credential proving that you work there. You could request a credential from your high school or university verifying the degrees that you’ve earned. A utility company could provide a credential that you are a customer in good standing at your address.
The end result is something like a superpowered version of a LinkedIn profile, because it is 1) owned by you and portable, and 2) fully provable using fancy cryptographic math.
The First Person Project introduces two controls to protect your privacy. First, you can define different personas for different contexts, such as your professional life versus your local community versus your private life. Second, you’ll be able to reveal only the facts you choose to share, using another piece of complicated math you don’t need to understand, called a zero-knowledge proof (ZKP).
ZKPs let you prove a fact, like your age or what part of the world you live in, without sharing any other details. In other words, no more sending copies of your driver’s license to online companies you barely know. This is also the solution for establishing anonymous trust relationships without putting your real-world identity at risk.
This is real. In July, Google released open-source libraries for ZKP, and just last month, my old colleagues at the Applied Social Media Lab demoed a working prototype of privacy-preserving age verification.
4. Build your own trust network
This is where the magic happens. A digital wallet that makes it easy to add and share credentials lets you recreate your own portable social network without a central platform. For example, I could vouch that my wife is a real human being who is married to me and not a chatbot, and she can (hopefully) do the same for me. My friends could give a credential to a handyman they trust. Members of a PTA could vouch for each other. Millions of interactions every day would build up to a decentralized trust network that anyone can add to or use.
This makes you safer, because when you interact with someone new online, you can ask them to share credentials to help you decide whether they are trustworthy. Phishing emails wouldn’t work if you could quickly verify whether they are coming from an authentic company representative. And attacks at scale would be harder, because a platform could require personhood credentials (but not identity) to weed out repeat offenders and armies of AI bots.
What are the next steps?
Digital wallets, verifiable credentials, and protocols for selective sharing are the foundations of this new trust network, but like anything new, there are still problems to solve. These include:
Because the big digital wallets today are controlled by Google and Apple, they’re not actually owned by you and portable (yet). A new third-party wallet could solve that, but wouldn’t have the integration and usability advantages. Data portability regulation like Utah’s Digital Choice Act could help here.
Before organizations can issue verified credentials, someone has to verify the organizations, or the network will be swamped by bogus credentials from fake versions of real companies and universities. There also have to be security practices to be sure organizations aren’t tricked into giving out real credentials to fake accounts. This will take time to sort out. A model to emulate might be the global governance of domain names through ICANN.
Big projects like this can hit a wall if they are set up so they only have value if everyone adopts them at once. The First Person Project has to find communities where online trust is valuable today, and expand from there.
Luckily, one major organization is already betting on this model. The Linux Foundation, home of the Linux Kernel project, is working with the First Person Project to implement these credentials as their new trust system for the Linux kernel, to ensure there's never another fake-person attack like the almost-successful compromise of a key Linux utility in April 2024.
As you can probably tell, I am optimistic about the First Person Project. If you want to learn more, I encourage you to read the full white paper and contact them to get involved.
Ideas? Feedback? Criticism? I want to hear it, because I am sure that I am going to get a lot of things wrong along the way. I will share what I learn with the community as we go. Reach out any time at [email protected].