Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves

publication

MyData Talk: From Data Protection to Data Empowerment (not an easy path) for the Technology Pragmatist

· ·

This is the edited text of a talk that I gave during the first plenary session of the MyData Online 2020 Conference. I was asked relatively last minute to join this session which was headlined by Siddharth Shetty talking about Designing the new normal: India Stack. In 2019 I was a New America India-US Public Interest Technology Fellow and traveled to India to India to study the UIDAI the Unique Identification Authority of India the entity that enrolls Indians via their biometrics into a system and then issues them an Aadhaar Number. You can read that research here. While there I met many critics of the system that had been silenced and an amazing crew of security researchers who organize in a collective called Kaarana.

I didn’t have time to do a deep dive and research the latest on the India Stack and the new Date Empowerment Protection Architectures. What I did have time to do was based on what I learned almost 2 years ago on that trip was to put forward some hard questions that apply to both what is being put forward as a design in India but also for many other systems being developed at this time globally. I hope these Big Questions put forward by myself a technology pragmatist can provide food for thought both at this MyData conference and beyond as we continue to create and build new systems.

Thank you for inviting me here to share my thoughts in this opening plenary

I want to start off by declaring myself a technology pragmatist. Meaning I want to put my self in the middle of the spectrum between what I call neo-luddites on the one hand who never met a technology they didn’t like and are throwing cold water on any innovation mostly because they don’t engage with the details. And, on  the other hand the techno-utopians who haven’t met a technology or business model based on neoliberal economic premises the they didn’t like.  They say “the future will be great, just trust us.” They don’t really welcome intensive inquiry into how things the details of their systems actually work or discernment about how power flows in their systems

I argue as a technology pragmatist  that we need to engage with both types of questions – the details of how things work and how power really flows in these system and will be putting forward in this talk several Big Questions that I think we need to consider. 

My starting point as a technology pragmatist is advocating for innovations in technical infrastructure and capabilities so people can be in the center of their digital representation and data lives. 

That path is a noble one but NOT an easy one. 

I’ve been in the weeds with technical folks hosting the Internet Identity Workshop for 15 years in order to struggle to find technical ways to make this real.  I founded the Personal Data Ecosystem Consortium 10 years ago with a vision very similar to the MyData vision to build a movement and momentum for a new way to empower people with their data one that connects consumers with ethical businesses to make it real. 

I believe that you can’t  the problem with words alone – with “laws”.  GDPR was put in place but its authors seemed to lack knowledge and understanding of what was practically possible in technology systems. 

It is also true that now 3 years into GDPR there has been very limited enforcement –  what does this mean?

Well if you go look at the github repository for the Data Transfer Project in has seen basically no activity in a year – its almost like it has been abandoned.  

What good are these “laws” without enforcement?

So as a technical pragmatist I have more questions… 

Big Question 1

Can Big Tech Regulate itself? 

India has a heavy reliance on self regulating entities in their financial and other sectors and yet another one is forming now called Sahamati to regulate this Account Aggregator system

Two years ago I travelled to India to study the UIDAI the entity that issues Aadhaar numbers. It is entirely self-regulating – there is no outside entity that it is responsible and accountable to. 

How does this work if these types of entities because of their self-regulating nature are unresponsive to critics?

Big Question 2. 

Can New Technology Emerge and be held accountable?

What happens when critics of new technology are trolled? 

This happened in India when critics of the UIDAI where harshly trolled extensively on twitter – it came to light that the one of the main trollers was the co-founder of iSprit. 

What happens when critics of new technology have police reports filed against them?

This happened to over 30 people and leaders of NGO organizations that critiqued UIDAI and Aadhaar.  These NGOs had it made abundantly clear that if they continued to research, and publicly raise issues with UIDAI and related emerging technology around the India stack they would have their status as NGOs threatened and their ability to do their work severely limited. 

This raises questions about the ability of civil society to meaningfully engage in raising questions and seeking accountability in these new systems. 

Big Question 3. 

Can an ecosystem emerge when there is only ONE of a thing?

There is only one DigiLocker provider (the locker service to store your government issued ID in the cloud)

When I was in India speaking to government officials working on it they said they were being overwhelmed trying to manage all the requests from educational institutions to make a direct “hard” connection to the service to both upload student achievements and download them records from prospective from students. It was clear that expanding this to even more sectors might not be doable because it would mean that every single institution in the country would have to directly federate into this bottle neck. 

Is it a sustainable model if every institution must connect to “one thing”? 

Can an ecosystem emerge when there is one identity provider that matters and you must authenticate (phone home) to it – to access services?  iSprit’s model and vision of how the India Stack works puts Aadhaar in the middle of everything. 

UPI is a remarkable system – it totally disrupted the credit card payment rails and effectively made a ultra-low cost payments clearing system the whole economy can leverage. 

UPI also “sees” everything so it potentially gives the government total transparency into the economy/ what’s happening. [to be fair it is clear that some government agencies in other economies watch international bank transfers in networks like SWIFT]

On the positive side It also works at scale.  

There is with the creation with Account Aggregators and the Data Empowerment Protection Architecture the movement of financial data … and will likely get it working

but I go back to earlier questions I have what about critics –

  • What about the lack of recourse when things go wrong?
  • What about the self regulation and the issues that arise with that lack of external accountability?

Big Question 4. 

Can industry innovate modalities of feedback and discernment – – going beyond “voting” for boards of directors. 

Could we be leveraging things like 

Imagine randomly selecting users and running citizens (user?) juries and innovation games on a regular basis to engage with customers of a company OR can accountability organizations like MyData seek feedback in this way – going beyond audits and certification as a modality to provide direction and accountability. 

I find inspiration for MyData and the movement overall. In the Social Venture Network – this is a community I learned about over 20 years ago and was founded by entrepreneurs like Ben and Jerry to build community amongst ethical/sustainable businesses – it is why I started the Personal Data Ecosystem Consortium 

But Governance is Hard…HARD

Big Question 5. 

How do we really and meaningfully govern these new ecosystems?

How do we govern them in ways to not super over burden them? 

but also not just let things continue on their current trajectory – because it seems  GDPR is favoring the big guys. 

The trouble with tech is that “intention” is not enough…

“don’t be evil” <— how is that working?

OR 

“making the world more open and connected”? <— or this?

One thing I know about this new technology as a technology pragmatist is that the details matter

They matter a lot 

The details are where struggle for real user-empowerment and control lie and where current power flows can be shifted to new ones that better align with people and humanity. 

How do to get enough / care interest in the details ?

Can people and organization that we trust really see the details and see how things really work for us?

MyData is in tech but not necessarily in the weeds of how it will work…we need to get into them…and not just keep pushing it down the road. 

Standards are a huge part of the details that matter – not just open APIs

I will make a note that if we had had seen investment in user-centric digital identity standards between 2003-5 when first proposed by Planetwork in the Augmented Social Network paper that was shipped around to the Ford Foundation and Open Society Institutes we might not be facing these dilemmas now.  But they “didn’t get it.”

True technical interop means parts of the ecosystem are replaceable and that there is NOT locking for one stack or provider. 

To this end…I co-lead work on the confidential data store specification in the secure data store working group. I’m actively tracking developments in the self-sovereign  identity / decentralized identity community.   (In the last few weeks I got  potentially divergent paths to talk pre-divergence – talking about VCs and object capabilities standard – on the CCG list.)

I also co-chair the DIF interoperability group to push for convergence so that all these amazing things we work on actually work together. 

Big Question 6. 

Can we with SSI and tech make public key encryption usable by normal people?

Can we really make data private & usable. … I’m feeling like the answer is an optimistic maybe.  With all this work. 

Big Question 7. 

Are we looking far enough into the future?

I also know from talking with folks like Liam Broza the waves of personal data that are about to get exponentially larger with AR and VR headset data – we must have robust user/individual centric containers for this. I’m not sure we are ready.

We must look ahead to where the metaphorical ball is going with technology  – massive amounts of data and AI <- can they be personal and work for us?

Will they help us be happier and better aligned with nature? the planet?

This was a key aspect of the originating motivation for Planetwork… to convene and ask itself what missing piece of infrastructure was needed to truly make Information and Communication Technology work for people and the planet 

Can we do more with less?  OR will they just be motivated by their owners profit making us “consumers” or companies driven by Ayn Rand libertarianism. 

Why do  we believe people and groups should have access to data?

Can we in the next wave of technology development center those marginalized in the last wave?

Can we listen to those who know what has got wrong with tech because it happened to them already?

I asked a lot of big questions in this talk 

  1. Can Big Tech (government or private sector) regulate itself?
  2. Can new tech emerge and be held accountable?
  3. Can an ecosystem emerge when there is only ONE of a thing? Can we get out of solutions with centralized dependencies?
  4. Can we innovate new modalities of feedback to companies/tools and services? and to systems regulators? 
  5. How do we really and meaningfully govern these new ecosystems? How do to get enough / care interest in the details ?
  6. Can we with SSI and tech make public key encryption usable by normal people?
  7. Are we looking far enough into the future?
  8. Will they help us be happier and better aligned with nature? the planet?

I will leave you with this important question 

Why  do we think people should be empowered to control the digital representations of themselves and their data?

When we know why. We will have more understanding of what aspects of how (the tech details) that are important. 

We must innovate in ways that let new businesses and opportunities bloom. 

I believe that open standards, protocols, done right, ones that have maximal expressive capacity will be key. 

By expressive capacity they create a set of rules that make them understandable but also within them give enormous freedom to express.  I believe that Decentralized Identifiers and Verifiable Credentials also know as SSI provide a good starting point for us to build what we need to fundamentally disrupt the current  in current ecosystems from monocultures to an “agroecology of technology”. This is my vision as a technology pragmatist. I know that many of you care about these questions and in various ways many of the sessions will engage with them. I’m looking forward to spending these next three days to our exploring them together here at the MyData 2020 Online Conference

Comprehensive Guide to Self-Sovereign ID

· ·

Last year around this time it became clear that a guide to understand the Decentralized Identity OR Self-Sovereign Identity Technologies was needed.
Last Summer I partnered with Heather Vescent to write the guide designed for C-Level Executives.
You can buy it here on Amazon. 
It has three big parts:
Part 1 explains the context of where the technology came from. It is rooted 15 years of work by the user-centric identity community that has gathered at IIW. It articulates the core technology that came together to make it possible. None of it totally new, PKI is 25 years old mobile phones 10, blockchains 9 -> but pulled together for the first time in a way that made sense.
Part 2 explains in more detail the core building blocks that make it work.
1) the Wallets/Hubs/Agents that people have to manage their identifiers and verifiable credentials.
2) The Issuer Code & Verifier Code. So to be issued verifiable credentials they have to be issued by a institution or enterprise (ok people can issue other people them but…). Verifier code is used by the institutions individuals share their credentials with.
3) The Distributed Ledgers or Blockchains – these are actually kinda optional. They are handy to get all this to work but not essential. They provide a place for decentralized identifiers to be place so the the keys associated with them can be found (via resolution).
Along with the explanation of the technology we also go through companies building each of these. So it is like an analyst report.
Part 3 cover the Open STANDARDS. These are the core of how we create a new layer of the internet…for identity…using open standards. So this goes into detail explaining at a high level what they are and how they work and provides links down into the specifications and locations of where to participate in the work.
The ending of the report covers the events where work is ongoing along with organizations.
You can Buy it Here on Amazon. 
 

Three new SSI papers I helped Review

· ·

Last week was the Internet Identity Workshop and also in the past week there were two new papers released about Self-Sovereign Identity both of which I had a hand in reviewing.  ( A third just got released and it was added below in early November.)
They are both good papers and I recommend them.
The first one to be released by by the Future of Property Rights program at New America Foundation was A Nail finds a Hammer: Self-Sovereign Identity, Design Principles and Property Rights in the Developing World.  From the Introduction:

Our interest in identity systems was an inevitable outgrowth of our earlier work on blockchain-based1 land registries.2 Property registries, which at the simplest level are ledgers of who has which rights to which asset, require a very secure and reliable means of identifying both people and properties. In the course of investigating solutions to that problem, we began to appreciate the broader challenges of digital identity and its role in international development. And the more we learned about digital identity, the more convinced we became of the need for self-sovereign identity, or SSI. This model, and the underlying principles of identity which it incorporates, will be described in detail in this paper.
We believe that the great potential of SSI is that it can make identity in the digital world function more like identity in the physical world, in which every person has a unique and persistent identity which is represented to others by means of both their physical attributes and a collection of credentials attested to by various external sources of authority. These credentials are stored and controlled by the identity holder—typically in a wallet—and presented to different people for different reasons at the identity holder’s discretion. Crucially, the identity holder controls what information to present based on the environment, trust level, and type of interaction. Moreover, their fundamental identity persists even though the credentials by which it is represented may change over time.
 

The Second is by the Identity Working Group of the German Blockchain Association Self-sovereign Identity:  A position paper on blockchain enabled identity and the road ahead. 
From the Introduction:

Digital Identity is a field that matters to a seemingly infinite number of stakeholders from diverse backgrounds. Confronted with this extensive scope, we decided to structure this position paper around two major objectives:
First, to provide our readers with a structured overview of the identity field from the perspective of self-sovereign identity, and second, to motivate stakeholders in the identity community to embrace the idea of a universal identity layer and join us for the road ahead.
As a result of our collaboration in the identity working group in the German Blockchain Association, we propose the SSI model as a way to enable an identity ecosystem that is capable of solving many inefficiencies in existing identity solutions and addressing novel demands on identity in the emerging decentralised web. Whilst SSI systems can be constructed without the need for any blockchain system, blockchain systems can add significant value to SSI systems, as this paper will show. Ultimately, the universal identity layer that we describe is required to enable blockchain based decentralised systems and business models to reach their full potential.
Our aim is to present an overview that is independent from any one company’s product offering. We instead present an industry-wide consensus on the model of SSI that is geared towards the establishment of a truly interoperable and modular identity system that utilizes open standards. The paper can thus be understood as the baseline of agreement between all represented businesses from the identity space. The paper is an attempt to describe the universal identity layer from a high-level perspective with a focus on shared positions and agreement instead of going into technical implementation details that certainly matter but need to be discussed further on in the debate we intend to initiate with this position paper.

The Third report was pulled together by folks at GovLab NYU. BLOCKCHANGE: Blockchain Technologies for Social Change. FIELD REPORT: On the Emergent Use of Distributed Ledger Technologies for Identity Management

This is from page 54 which is part of a two page pull out by me :).

THE BLOCKCHAIN IDENTITY PARADIGM CHANGE
During our analysis, some have suggested that the above (enterprise) ID lifecycle is not representative of how blockchain can transform Identity. They have subsequently called for a new paradigm.
According to Kaliya “Identity Woman” Young: “The mental models of how identity is “managed” whether by an employer relative to an employee or by a government relative to a citizen or by an individual just logging into to a web service is disrupted by the new emerging standards of DIDs and Verifiable Credentials.

The authors did a literature of existing Identity Management research from academia that is not really familiar with current industry frames (a read a lot of this literature while I was in the Master of Science in Identity Management and Security and it was stale and out of date).  The case studies built on these existing frames rather then engaging from the current literature frames rather then new ones.