Independent Advocate for the Rights and Dignity of our Digital Selves
I am pleased to share that I have joined the Secure Justice Advisory board. I have known Brian Hofer since he was one of the leaders within Oakland Privacy that successfully resisted the Domain Awareness Center for Oakland.
I wrote a guest blog post about a philosophy of activism and theory of change called Engaging with Industry that I share with Brian.
He has agreed to join the Advisory board for the next Thoughtful Biometrics Workshop that I am organizing for 2022.
I’m speaking today at the Phocuswright conference and this post is sharing key resources for folks who are watching/attending who want to get engaged with our work.
The Covid Credentials Initiative where I am the Ecosystems Director is the place to start. We have a vibrant global learning community striving to solve challenge of common standards for covid credentials and health passes.
As more and more governments adopt major COVID certificate standards to reopen borders, the travel industry is working hard to catch up on their technology to meet the evolving travel requirements. However, there is still no shortage of complaints from travelers about their cumbersome international travel experiences.
Our community has been working within Linux Foundation Public Health (LFPH) to support the implementers of COVID credential solutions with a particular focus on facilitating interoperability among technology standards while preserving the privacy of individual data. At this critical juncture of global reopening, LFPH and Affinidi, a leading player in the space, are bringing key actors from the travel industry and technology vendors who are serving the travel industry together, to share and discuss:
The agenda and speakers will be announced soon. Grab your seat today!
APAC Edition Dec 1
EU/US Edition Dec 2
We collaborated with Good Health Pass Collaborative on developing the Good Health Pass Interoperability Blueprint within the Trust over IP Foundation.
We at CCI are keen to continue this work and get travel happening together and welcome more active participation from the travel industry. Please join us!
There is also the Travel and Hospitality Special Interest Group at the Decentralized Identity Foundation it was this group that inspired and started work within the Trust over IP working group to develop a hospitality addendum.
For the opening episode of ‘Identikit Sequent X’, Michelle Dennedy welcomes Kaliya Young, also known as The Identity Woman, to Smarter Markets for our latest series examining the evolution of digital identity, and how self-sovereign identity, specifically, can advance a consent-based economy.
Kaliya is one of the world’s leading experts in self-sovereign identity and identity on the blockchain. She is the co-author of ‘A Comprehensive Guide to Self-Sovereign Identity’ and is widely known as The Identity Woman; also the name of her blog and twitter handle. Ms. Young has committed her life to the development of an open standards-based internet layer that empowers and enables the people and was named one of the most influential women in tech by Fast Company Magazine.
We had a great conversation about digital identity in Political Economies and specifically a paper with a proposal by Bryan Ford.
Life on Intersections: Digital Identity in Political Economies
Most digital identity systems are centralized (e.g., in big government or technology organizations) or individualistic (e.g., in most blockchain projects). However, being in the world is fundamentally social and intersectional — we are all part of networks. So how might we formalize digital identity in a way that better reflects this complex reality? This panel with leading social technology and computer researchers explores more robust digital identity approaches and potential application areas in political economies.
I’m super excited to announce that we have two different special topic IIWs coming up. If you interest or practice focuses on either of these we invite you to join us!!!
User-Experience and SSI is coming up Thursday July 22nd.
The Business of SSI is coming up Thursday August 4th.
This IIW Special Topic event creates the space for User Experience Professionals, Product Managers, Interface Designers, and those in related roles working on decentralized identity or self-sovereign identity applications and tools to discuss, share and collaborate together.
We know there is a lot happening in the industry and we know that just as important to the success of the technology as the “tech stack” is the human experience while using applications built on it. This half day event is an opportunity for those focused on UX to dive deeply into this side of things.
This IIW Spceial Topic event is for CEOs, Founders, Business Development leads, anyone who cares about the Business of SSI . It provides the space for you to discuss, share and collaborate together.
The Internet Identity Workshop has been bringing together innovators in the field of Identity focused around the individual since 2005. While open standards are essential to open digital identity systems, as important to getting adoption are viable business models and products that solve real world pain points for customers. This half day event is an opportunity for those focused the Business of SSI to dive deeply into this side of things.
It became clear to me again today why we here in California need Verifiable Credentials. I teach in a CCC – a California Community College. This summer I have a class and right now is the “census deadline” to drop students who haven’t been attending class.
Below is the note we were sent regarding fraudulent student applications.
Dear Faculty teaching summer 2021 courses, Fraudulent CCC Apply applications may have impacted the enrollment of your class. If so, these would be “students” that you were likely preparing to DROP with Census for no show. It is even that much more important that you COMPLETE YOUR Census ON Time. If you are not sure if any student is from a fraudulent application, you can look at your student roster. If there is a student with no phone number listed, they may be fraudulent because this is one of the identifying markers with this statewide problem. If you have students like this that have not attended class, complete your census, and please email your class code and the student ID number to __@____.edu
Earlier this week I spoke to Molly who wrote this article about so called “vaccine passports” we don’t call them that though (Only government’s issue passports). Digital Vaccination Certificates would be more accurate.
Early on when the Covid-19 Credentials Initiative was founded I joined to help. In December the initiative joined LFPH and I become the Ecosystems Director working to support the community along with my colleagues Lucy Yang the Community Director and John Walker as the Community Architect.
This article is about what it says it is and quotes me. CoinTelegraph, Women Changing Face of Enterprise Blockchain
I am writing this essay to support those of you who are confused about why some of the technologists keep going on and on about Intellectual Property Rights (IPR). First of all, what the heck is it? Why does it matter? How does it work? Why should we get it figured out “now” rather than later?
IPR and the tone of worry around it confused me early on in 2005 when I was just getting started leading the Internet Identity Workshop. At that first workshop, a session had been called by Johannes Ernst, who at the time had created a protocol he called LID, Lightweight IDentity, to support people using a URL they had control of to do authentication (i.e., to prove they were the owner of that URL). He called a session with the other URL-based/URL-like identity authentication protocols in the room — OpenID (when it was a LiveJournal thing), Sxip and XRI. These formed into what they called YADIS — yet another digital identity system. After they began working on it … they decided OpenID was the best name of the bunch so they called it that.
At the time they kept worrying about how they could collaborate and they sensed that they needed to have IPR dealt with, but I couldn’t understand what they were going on about. This small thing delayed them working together for a long time. They literally had to spin up a new organization, get new bylaws developed and get everyone to join and sign off on the IPR regime before they could formally talk together about how to get all work to align and come up with one protocol.
Why couldn’t they just talk together and build something? Why did they need an organization and a structure and agreements? They had met at IIW just fine and talked…but what was different when it came to formally collaborating and writing something together?
Without an IPR agreement in place, many bad things could happen that would necessitate lawyers, after which all the well-meaning people’s work could be lost. What you are saying? Lawyers and lost causes…it all sounds so dramatic.
So, where to begin. There are several different forms taken by intellectual property, and almost all of them come into play here with their own rights structures.
Patents — A patent is a form of right granted by a given government to an inventor or their successor-in-title in a given jurisdiction, giving the owner the right to exclude others from making, using, selling, offering to sell, and importing an invention for a limited period of time, in exchange for the public disclosure of the invention.
Copyright — A copyright gives the creator of an original work exclusive rights to it, usually for a limited time. Copyright may apply to a wide range of creative, intellectual, or artistic forms, or “works”.
Trademarks — A trademark is a recognizable sign, design or expression which distinguishes products or services of a particular trader from similar products or services of other traders.
Organizations of all types work together to create all three of these types of intellectual property. When employees join companies or contractors work for them, they generally sign agreements that say the work they do for hire for the company is owned by the company (not the individual people doing it), so even within organizations there are explicit systems for managing intellectual property rights.
Corporations file paperwork with the relevant government(s) to be granted patents and trademarks. They might also file for specific copyrights, but these rarely have to be filed in advance to be exerted.
So given that IPR exists, how do you manage it when you are working together in technical communities to define specifications that are open and to collaborate on open source code. There are slightly different considerations for each, and these require different IPR regimes before companies feel safe collaborating. This post centers on specification and we will talk about the difference between Open Source and Open Standards in an upcoming article.
Let’s start with a protocol or a specification that you want to be “open”, meaning that after it is done, anyone can use it (i.e., anyone can create code that speaks the protocol). Anyone who had patents that are included in the protocol can not charge licence fees for usage of the protocol. (Nit: Some technical organizations charge a fee for the text of the specifications as a dues structure to sustain the sponsoring organization, but this is not to be conflated with licensing, since the implementation of the specification is licence fee free.) Examples of open protocols include the e-mail protocols SMTP and POP, and web protocols HTTP and HTTPS.
Companies working in technology have various things under patent. To make the space for collaboration safe for everyone, they want an organizational boundary in place that can require everyone to agree upfront (i.e., before they contribute to a specification) that they will not go after anyone who implements the standards for violating a patent they have that is included in the mechanics of the specification.
In plain language, this means that even if they hold patents related to the work being done collaboratively, they agree going forward not to charge users of the resulting, collaboratively-designed specification or protocol for the use of ideas that went into the process that are covered by patents.
If you just have a group of companies collaborating on a project without an IPR boundary or “membrane” that filters out potential future patent problems, today’s goodwill between participants is little guarantee.
There is a lot of diversity in the category of future patent problems. Someone who was contributing without declaring that they hold a patent related to the work can claim they had a patent later (years after the specification is finished) and seek payment from everyone using/implementing the standard, claiming licensing rights or even lost revenue on ideas they legally own.
This sucks and it has happened before. Because this has happened before…companies are smart and they will not implement a standard that doesn’t have the sign-off from everyone who created the standard so they don’t have to deal with the future risk of being sued by one of the creators.
If work happened to be created outside an IPR framework, but at a later time everyone who created it retroactively agrees to an IPR regime, then others will be able to use it without fear. That might sound reassuring, but “everyone” is doing a lot of work in that sentence. The process of retroactively finding all the companies and individuals who contributed, particularly if work was done remotely by an open-source community including pseudonymous or volunteer members, and then having all of them and their employers’ legal counsel sign off on any post-facto agreement is very time-consuming and there is always the risk that someone won’t sign or that you can’t find one of the past contributors.
Furthermore, “significant contribution” can be difficult to define, and even more difficult to prove or disprove, so the list of parties included in “everyone” can be difficult to pin down. For this reason, guests and listeners on standards calls are often admonished not to say anything “too specific” or concrete about specific solutions to problems discussed, as those could be considered significant contributions that changed the course of the collective conversation and solutions produced by it. The tension between openness of conversations and IPR protection it is best to read the IPR agreement, and if needed get legal opinion about how you/your company can contribute if you want to.
Another hazard against which collaboration needs to be protected is that ideas discussed or generated in a working group or other collaborative context can be “taken,” i.e., patented, by any listener or observer. In fact, patents can sometimes be obtained quite quickly in other jurisdictions, or exerted retroactively to the time of first filing, so an idea can effectively be patented the day it is first discussed in any collaborative context that does not require its participants to waive all patenting rights. This kind of waiver can be daunting to for-profit participants, but it also supports collaboration of the most productive kind.
This balance is usually struck by agreeing very explicitly and in granular detail about the exact scope of a group and waiving patent rights to the resulting specification (While retaining the right to the patents for usage outside the specification), while censuring discussion beyond it.Some companies are more sensitive than others about this and really want to make sure all the pieces of a potential implementation are covered by IPR, including implementation details a little further from the working core of the code like schemata, data dictionaries, and other semantics. In the decentralized identity space, this includes not just identities and data structures but also credentials, data flows, architectural designs, etc..
Before you can contribute to an open standards working group, it is important that you always disclose (and in some cases release) any patents that might conflict with the scope of the working group. This is why the scope of working groups is defined in a charter, and why its so important to have participants adopt the charter.
It is also why it is risky to have a vague or open-ended scope, since people won’t know if their existing IP is relevant or not. Furthermore, if the working group later decides to reinterpret the scope in a way that impacts the IP of existing members, this can cause real problems, as it becomes very difficult to distinguish which ideas down the road would or would not have been arrived at without the earlier participation of the parties that did not yet know they had a patent conflict. Substantial changes in scope are generally cause to close the group and recharter a new one, to minimize this kind of legal ambiguity.
Participating actively in the scoping discussions is the best way to get a rich and multidimensional understanding of the boundaries of a given charter’s scope, and discussing with trusted (and tech-savvy) counsel is a close second. When in doubt, ask a lawyer — we are in the ideas business, after all.
Hopefully this quick introduction made clear why starting a working group (or even joining one!) is such a complex deliberative process — and gave you the tools to navigate it for yourself.
In 2020 I had a contract along with Juan Caballero to do communications at DIF for a few months. We got the youtube channel going with content from the F2F event and published several articles.
I coauthored this one with Margo Johnson about the glossary process we went through to define Wallet, Agent and Credential.
Finding the Bell Curve of Meaning: A process for supporting the emergence of shared language in broad collaborative communities
I wrote these three articles myself:
DIF at #IIW31 – self explanatory about the Internet Identity Workshop
Where to begin with OIDC and SIOP: and how today’s most powerful authentication mechanisms can be decentralized
Understanding DIDComm: A cross-community effort to standardize on common, DID-anchored capabilities
Here are the ones both Juan and I collaborated on:
Those of you who know me – know I really care a lot about the difference between Open Source and Open Standards. So we drilled down on this topic with these two posts.
Drilling down: Open Standards: What standards are and what it means to make them openly
Drilling down: Open Source: A crash-course in the complex world of variously-open software licensing
DIFS updated code of conduct. Its great…for Setting a tone for inclusive collaboration.
I had a great time with the the folks at RMIT on their Mint & Burn Podcast. Enjoy!
I have authored a new paper in my new role as Ecosystems Director at CCI.
You can read the blog post about it on the Linux Foundation Public Health
I should have written this post at the beginning of the year…but the year is still young.
I have two new part time roles that I’m really excited about.
I am the Ecosystems Director at the Covid-19 Credentials Initiative. I am working with a fantastic team helping lead/organize this community. Lucy Yang is the Community Director and John Walker is the Community Architect.
I am the Chair of the Verifiable Credentials Policy Committee which is under the Blockchain Advocacy Coalition lead by Ally Medina.
I continue my community leadership work co-chairing the Interoperability Working Group at DIF and the Secure Data Store working group at DIF/CCG.
I am publishing a weekly newsletter/summary of SSI news that covers the Identosphere. This is in partnership with Infominer. You can subscribe here and support us on Patreon here (yes two different places) .
I do an (almost) weekly podcast with Seth Goldstein called Privacy Surveillance and Anonymity Today.
I have a new page up with Media Coverage if you want to check it out.
Yes I do do consulting. If you have a question you need answered about this emerging industry. I can help you figure it out.
I just learned about the internet of people project. It seems cool…I need to dig in a bit more…but already there is a huge red flag/disconnect for me.
These are the guys who are signing off on this post they put a picture of themselves on zoom.
These are the women (many of them of color) at the top of the page.
I was so hopeful when I started reading this post that this group of women was actually leading this project. THEY ARE JUST STOCK PHOTO.
Protip: If you want to build the future of the web and make it for people your team needs women and people of color on it.
Pretending with photos doesn’t cut it.
I was quoted in this article about Tim Berner’s Lee and the Solid Project.
….“No one will argue with the direction,” said Liam Broza, a founder of LifeScope, an open-source data project. “He’s on the right side of history. But is what he’s doing really going to work?”
Others say the Solid-Inrupt technology is only part of the answer. “There is lots of work outside Tim Berners-Lee’s project that will be vital to the vision,” said Kaliya Young, co-chair of the Internet Identity Workshop, whose members focus on digital identity.
I was invited to join Heidi Trost to join her on my new podcast focused on Human Centered Security. We had a great chat focused on Self-Sovereign Identity.
You can find it here on the Web, Spotifiy or Apple Podcast
In this episode we talk about:
What Kaliya describes as a new “layer” to the Internet to support decentralized identity, much like how html or email supported what came next.
The importance of open standards.
How to build a “digital wallet” paradigm that makes sense to people.
What SSI means for businesses/business models.
Kaliya is the co-author of “Comprehensive Guide to Self-Sovereign Identity,” and author of “Domains of Identity.” She is also one of the co-founders of the Internet Identity Workshop, which brings together people to help develop open standards for ways people can own and control their digital representations of themselves.
This is the edited text of a talk that I gave during the first plenary session of the MyData Online 2020 Conference. I was asked relatively last minute to join this session which was headlined by Siddharth Shetty talking about Designing the new normal: India Stack. In 2019 I was a New America India-US Public Interest Technology Fellow and traveled to India to India to study the UIDAI the Unique Identification Authority of India the entity that enrolls Indians via their biometrics into a system and then issues them an Aadhaar Number. You can read that research here. While there I met many critics of the system that had been silenced and an amazing crew of security researchers who organize in a collective called Kaarana.
I didn’t have time to do a deep dive and research the latest on the India Stack and the new Date Empowerment Protection Architectures. What I did have time to do was based on what I learned almost 2 years ago on that trip was to put forward some hard questions that apply to both what is being put forward as a design in India but also for many other systems being developed at this time globally. I hope these Big Questions put forward by myself a technology pragmatist can provide food for thought both at this MyData conference and beyond as we continue to create and build new systems.
Thank you for inviting me here to share my thoughts in this opening plenary
I want to start off by declaring myself a technology pragmatist. Meaning I want to put my self in the middle of the spectrum between what I call neo-luddites on the one hand who never met a technology they didn’t like and are throwing cold water on any innovation mostly because they don’t engage with the details. And, on the other hand the techno-utopians who haven’t met a technology or business model based on neoliberal economic premises the they didn’t like. They say “the future will be great, just trust us.” They don’t really welcome intensive inquiry into how things the details of their systems actually work or discernment about how power flows in their systems
I argue as a technology pragmatist that we need to engage with both types of questions – the details of how things work and how power really flows in these system and will be putting forward in this talk several Big Questions that I think we need to consider.
My starting point as a technology pragmatist is advocating for innovations in technical infrastructure and capabilities so people can be in the center of their digital representation and data lives.
That path is a noble one but NOT an easy one.
I’ve been in the weeds with technical folks hosting the Internet Identity Workshop for 15 years in order to struggle to find technical ways to make this real. I founded the Personal Data Ecosystem Consortium 10 years ago with a vision very similar to the MyData vision to build a movement and momentum for a new way to empower people with their data one that connects consumers with ethical businesses to make it real.
I believe that you can’t the problem with words alone – with “laws”. GDPR was put in place but its authors seemed to lack knowledge and understanding of what was practically possible in technology systems.
It is also true that now 3 years into GDPR there has been very limited enforcement – what does this mean?
Well if you go look at the github repository for the Data Transfer Project in has seen basically no activity in a year – its almost like it has been abandoned.
What good are these “laws” without enforcement?
So as a technical pragmatist I have more questions…
Big Question 1
Can Big Tech Regulate itself?
India has a heavy reliance on self regulating entities in their financial and other sectors and yet another one is forming now called Sahamati to regulate this Account Aggregator system.
Two years ago I travelled to India to study the UIDAI the entity that issues Aadhaar numbers. It is entirely self-regulating – there is no outside entity that it is responsible and accountable to.
How does this work if these types of entities because of their self-regulating nature are unresponsive to critics?
Big Question 2.
Can New Technology Emerge and be held accountable?
What happens when critics of new technology are trolled?
This happened in India when critics of the UIDAI where harshly trolled extensively on twitter – it came to light that the one of the main trollers was the co-founder of iSprit.
What happens when critics of new technology have police reports filed against them?
This happened to over 30 people and leaders of NGO organizations that critiqued UIDAI and Aadhaar. These NGOs had it made abundantly clear that if they continued to research, and publicly raise issues with UIDAI and related emerging technology around the India stack they would have their status as NGOs threatened and their ability to do their work severely limited.
This raises questions about the ability of civil society to meaningfully engage in raising questions and seeking accountability in these new systems.
Big Question 3.
Can an ecosystem emerge when there is only ONE of a thing?
There is only one DigiLocker provider (the locker service to store your government issued ID in the cloud)
When I was in India speaking to government officials working on it they said they were being overwhelmed trying to manage all the requests from educational institutions to make a direct “hard” connection to the service to both upload student achievements and download them records from prospective from students. It was clear that expanding this to even more sectors might not be doable because it would mean that every single institution in the country would have to directly federate into this bottle neck.
Is it a sustainable model if every institution must connect to “one thing”?
Can an ecosystem emerge when there is one identity provider that matters and you must authenticate (phone home) to it – to access services? iSprit’s model and vision of how the India Stack works puts Aadhaar in the middle of everything.
UPI is a remarkable system – it totally disrupted the credit card payment rails and effectively made a ultra-low cost payments clearing system the whole economy can leverage.
UPI also “sees” everything so it potentially gives the government total transparency into the economy/ what’s happening. [to be fair it is clear that some government agencies in other economies watch international bank transfers in networks like SWIFT]
On the positive side It also works at scale.
There is with the creation with Account Aggregators and the Data Empowerment Protection Architecture the movement of financial data … and will likely get it working
but I go back to earlier questions I have what about critics –
Big Question 4.
Can industry innovate modalities of feedback and discernment – – going beyond “voting” for boards of directors.
Could we be leveraging things like
Imagine randomly selecting users and running citizens (user?) juries and innovation games on a regular basis to engage with customers of a company OR can accountability organizations like MyData seek feedback in this way – going beyond audits and certification as a modality to provide direction and accountability.
I find inspiration for MyData and the movement overall. In the Social Venture Network – this is a community I learned about over 20 years ago and was founded by entrepreneurs like Ben and Jerry to build community amongst ethical/sustainable businesses – it is why I started the Personal Data Ecosystem Consortium
But Governance is Hard…HARD
Big Question 5.
How do we really and meaningfully govern these new ecosystems?
How do we govern them in ways to not super over burden them?
but also not just let things continue on their current trajectory – because it seems GDPR is favoring the big guys.
The trouble with tech is that “intention” is not enough…
“don’t be evil” <— how is that working?
OR
“making the world more open and connected”? <— or this?
One thing I know about this new technology as a technology pragmatist is that the details matter
They matter a lot
The details are where struggle for real user-empowerment and control lie and where current power flows can be shifted to new ones that better align with people and humanity.
How do to get enough / care interest in the details ?
Can people and organization that we trust really see the details and see how things really work for us?
MyData is in tech but not necessarily in the weeds of how it will work…we need to get into them…and not just keep pushing it down the road.
Standards are a huge part of the details that matter – not just open APIs
I will make a note that if we had had seen investment in user-centric digital identity standards between 2003-5 when first proposed by Planetwork in the Augmented Social Network paper that was shipped around to the Ford Foundation and Open Society Institutes we might not be facing these dilemmas now. But they “didn’t get it.”
True technical interop means parts of the ecosystem are replaceable and that there is NOT locking for one stack or provider.
To this end…I co-lead work on the confidential data store specification in the secure data store working group. I’m actively tracking developments in the self-sovereign identity / decentralized identity community. (In the last few weeks I got potentially divergent paths to talk pre-divergence – talking about VCs and object capabilities standard – on the CCG list.)
I also co-chair the DIF interoperability group to push for convergence so that all these amazing things we work on actually work together.
Big Question 6.
Can we with SSI and tech make public key encryption usable by normal people?
Can we really make data private & usable. … I’m feeling like the answer is an optimistic maybe. With all this work.
Big Question 7.
Are we looking far enough into the future?
I also know from talking with folks like Liam Broza the waves of personal data that are about to get exponentially larger with AR and VR headset data – we must have robust user/individual centric containers for this. I’m not sure we are ready.
We must look ahead to where the metaphorical ball is going with technology – massive amounts of data and AI <- can they be personal and work for us?
Will they help us be happier and better aligned with nature? the planet?
This was a key aspect of the originating motivation for Planetwork… to convene and ask itself what missing piece of infrastructure was needed to truly make Information and Communication Technology work for people and the planet
Can we do more with less? OR will they just be motivated by their owners profit making us “consumers” or companies driven by Ayn Rand libertarianism.
Why do we believe people and groups should have access to data?
Can we in the next wave of technology development center those marginalized in the last wave?
Can we listen to those who know what has got wrong with tech because it happened to them already?
I asked a lot of big questions in this talk
I will leave you with this important question
Why do we think people should be empowered to control the digital representations of themselves and their data?
When we know why. We will have more understanding of what aspects of how (the tech details) that are important.
We must innovate in ways that let new businesses and opportunities bloom.
I believe that open standards, protocols, done right, ones that have maximal expressive capacity will be key.
By expressive capacity they create a set of rules that make them understandable but also within them give enormous freedom to express. I believe that Decentralized Identifiers and Verifiable Credentials also know as SSI provide a good starting point for us to build what we need to fundamentally disrupt the current in current ecosystems from monocultures to an “agroecology of technology”. This is my vision as a technology pragmatist. I know that many of you care about these questions and in various ways many of the sessions will engage with them. I’m looking forward to spending these next three days to our exploring them together here at the MyData 2020 Online Conference.
Who is the “we” – this piece is co-authored by Kaliya Young and Tony Fish who together have worked for over 45 years on identity and personal data. For this article, we are looking at the role of values, principles and rules within the industry and sectors seeking to re-define, re-imagine and create ways for people to manage the digital representations of themselves with dignity.
As we write this there is an ongoing conversation about the regulation of Facebook and the regulation of big tech in general. We see a problem with the frame of the conversation because we believe ON PRINCIPLE they shouldn’t exist as in no-one entity should have that much power and control over the global population’s identities, “their” data and the conversion we have. So any frame that accepts BIG TECH as acceptable won’t create rules that actually move towards the principle of ending the current hegemony but rather just seek to regulate it as is.
With this piece, we are seeking to look at how principles change when the underlying fabric of what is possible changes? The entire privacy framework we have today is based on early 1970’s reports written in the United States to address concerns over mass state databases that were proposed in the mid-late 1960’s and the growing data broker industry that was sending people catalogues out of the blue. It doesn’t take account for the world we live in now where “everyone” has a little computer in their pocket.
So let’s get to the question at hand “Why does it matter that we connect values, principles and rules?” The connection is not clear because we have created so many words and variance in languages that there is significant confusion. We are often confused in ourselves to what we mean, we are very inconsistent in how we apply our understanding, often to provide a benefit to ourselves or justify our belief. To unpack the relationship we need to look at definitions, but we have to accept that even definitions are inconsistent. Our conformational bias is going to fight us, as we want to believe what we already know, rather than expand our thinking.
Worth noting our principles are defined by our values. Much like ethics (group beliefs) and morals (personal beliefs) and how in a complex adaptive system my morals affect the group’s ethics and a group’s ethics changes my morals. Situational awareness and experience play a significant part in what you believe right now, and what the group or society believes.
Values can be adaptable by context whereas principles are fixed for a period, withstanding the test of time. When setting up a framework where we are setting our principles implies that we are saying that we don’t want them to change every day, week, month, year, that they are good and stable for a generation but we can adapt/ revise/ adjust principles based on learning. Fundamentally principles are based on values which do change, so there are ebbs and flows of conflict between them, this means we frame principles and often refuse to see that they are not future proof forever. Indeed the further a principle is away from the time it was created, the less it will have in common with values.
Considering characteristics, conceptually principles are abstract and universal whereas a rule is specific and particular. Principles cope with exceptions, rules need another rule. Principles provide the power of thought and decision making, rules prevent thought and discretion. Principles need knowledge and experience to deliver outcomes, rules don’t. Principles cope with risk, conflict and abstraction; conflict is not possible for a rule, it is this rule or a rule is needed.
We love rules-of-thumb, as such rules and heuristics provide time-saving frameworks which mean we don’t have to think. Not having to think saves energy for things we like to do. Take away the little ways you have that creates a stable place for yourself and you end up exhausted. Travel to a new place and you don’t know where the simple amenities of life are, COVID19 took away the structure of our lives which created exhaustion until we found a new routine. However, we often confuse “our heuristics”, the way I do something, or “my rules” as a principle. This diet rule is a principle for losing weight. We should accept that we purposely interchange rules, values and principles to provide assurance and bias to the philosophy, theory, thesis or point we are trying to gain acceptance of.
In companies and for a social policy we set rules and principles into matrices as below. Asking is it better to break rules or comply, is better to uphold principle or challenge them.
A review round the four quadrants highlights that there is no favourable sector and indeed as a society who wants to get improve, we continually travel through all of them. Companies and executives often feel that upholding principles and obeyed rules (top right) creates the best culture, but also ask the organisation to be adaptive, agile and innovative.
Given that principles are based on values, the leadership team will be instrumental into how upheld the principles are. Whereas the companies level of documentation for processes, procedures and rules will define what is to be obeyed, the culture of the top team will determine if they are to be obeyed or not.
The matrix below thinks about the combinations of values and principles. Where values are either mine as an individual or we as a collective society.
The fundamental issue with the two representations (rules or values and principles) is that they cannot highlight the dynamic nature of the relationship between them. By example, our collective values help normalise an individuals bias and that collective values informs and refine principles. Indeed as principles become extreme and too restrictive say as our collective values become too godly, our collective values opt to no-longer uphold them. When our individualism leads to the falling apart of society we raise the bar to create better virtues as it makes us more content, loved and at peace.
Movement within the “stable compromise” domain has been explored many times but the Tytler cycle of history expands it very well.
In summary, a rules-based approach prescribes or describes in detail a set of rules and how to behave based on known and agreed principles. Whereas a principle-based approach develops principles which set the limits that enable controls, measures, procedures on how to achieve that outcome is left for each organisation to determine.
Having explored that a rules-based approach prescribes in detail the rules, methods, procedures, processes and tasks on how to behave and act, whereas a principle-based approach to creating outcomes crafts principles that frame boundaries, leaving the individual or organisation to determine its own interruption.
This post is titled “In a digital age, how can we reconnect values, principles and rules?” and the obvious reason is that rules change, values, which change principles that means our rules need to be updated. However, this process of learning and adoption depends on understanding the connection which offers closed-loop feedback. An effective connection is our risk frameworks.
The diagram below places rules and principles at two extremes. As already explored we move from principles to rules but rarely go back to rethink our principles, principally because of the time. Rules should refine and improve in real-time, principles are generational. However to create and refine rules we use and apply a risk framework. The risk framework identifies risk and to help us manage it, we create rules that are capable of ensuring we get the right data/ information to be able to determine if we have control over risk. As humans, we are not experts in always forecasting the unimagined and so when we implement rules things break and clever minds think how to bend, break or avoid them. To that end we create more rules to manage exceptions. However, occasionally we need to check that our rules are aligned to our principles and indeed go back and check and refine our principles.
Starting from “Principles” these are anchored in ideas such as Human Dignity, Subsidiarity, Solidarity, Covenantal, Sustainability, The common good, Stewardship, Equality.
Once we decide that one or more of these should anchor our principles and form a north star, a direction to travel in and towards. The reason to agree on the Principle(s) is that collectively we agree on a commitment to get to a better place. We state our principles as an ambition, goal, target with allow us to understand, manage and control uncertainty using a risk framework. The risk framework frame or bounds the risk we are prepared to take. The risk framework enables us to define rules that get to our known outcomes. We implement the rules to create controls using regulation, code and standards. Our risk frameworks use tools to identify, measure, manage, monitor and report on the risk, the delta in risk and compliance with the rules. Whilst all is good we use the risk framework to create more rules and better framing and boundaries, creating better outcomes. However, when the desired outcomes are not being created we revert to the principles, check our north star and take our new knowledge to refine/ redefine the risk we are prepared to take.
Having established this framework, the idea is to apply this to the authors favourite topics of data and identity. We have an abundance of rules and regulations and as many opinions on what we are trying to achieve through identity and data ownership. We don’t appear to have an agreed risk framework at any level, individual, company, society, national or global. This is not a bill of rights, this is “what do we think is the north star for data and identity and on what principle they are built?” How do these principles help us agree on risks, and will our existing rules help or hinder us?
Our problems probably started a while back when information could travel faster than people (the telegraph rollout of 1850). This was a change in the fabric of values and principles. The person who was trusted was passed over and that person-to-person trust was no longer needed. Delays that allowed time for consideration gave way to immediacy; a shift in values and principles.
The question is how do our principles change when the underlying fabric of what is possible changes, the world we designed for was physical; it is now digital-first. Now we are becoming aware that the fabric has changed, where next? By example, Lexis is the legal system and database. With a case in mind, you use this tool to uncover previous judgments and specific cases to determine and inform your thinking. However, this database is built on humans and physical first. Any digital judgements in this database are still predicated on the old frameworks, what is its value when the very fabric of all those judgements changes. Do we use it to slow us down and prevent adoption? Time to unpack this
Classic thinking (western capital civilisation philosophy) defined values and principles which have created policy, norms and rules. Today’s policy is governed by people and processes. We have history to provide visibility over time and can call on millennia of thought, thinking and wisdom. Depending on what is trending/ leading as a philosophy we create norms. In a physical and human first world, we have multi-starting positioning. We can start with a market, followed by norms, followed by doctrine/ architecture – creating law and regulations OR we can start with norms, followed by doctrine/ architecture, followed by market-creating law.
Without our common and accepted belief our physical world would not work. Law, money, rights are not real, they are command and control schema with shared beliefs. Our created norms are based on our experience with the belief. We cope by managing our appetite to risk.
People-in-companies rather than people-in-government form the new norms as companies have the capital to include how to avoid the rules and regulations. The best companies are forming new rules to suit them. Companies have the users to mould the norms with the use of their data. Behaviour can be directed. Companies set their own rules. Doctrine/architecture creates the market, forming norms, and the law protects those who control the market. Policy can create rules but it has no idea how rules are implemented or governed as the companies make it complex and hide the data. There are few signs of visible “core” human values, indeed there are no shared and visible data principles. We are heading to the unknown and unimagined.
The companies automate, the decisions become automated, the machine defines the rules and changes the risk model. We are heading to the unknown and unimagined as we have no data principles.
By example. Our news and media have changed models. The editor crafted control to meet the demand of an audience were willing to pay to have orchestrated content that they liked. As advertising became important, content mirrored advertising preferences and editorial became the advertising and advertising the content. Digital created clicks that drove a new model to anything that drives clicks works. The fabric changed from physical to digital and in doing so we lost the principles and rules of the physical first world to a digital-first world that has not yet agreed on principles for data.
Imagine looking at this framework of “principles, rules and risk” within the industry and sectors seeking to re-define, re-imagine and create ways for people to manage the digital representations of themselves with dignity. How would privacy and identity be presented?
Within data and identity, we have an abundance of rules and regulations and as many opinions on what we are trying to achieve. We don’t appear to have an agreed risk framework at any level, individual, company, society, national or global.
The stated GDPR principles are set out in Article 5:
We know they are called “Principles” by the framing of the heading in Article 5, however, are these principles, values or rules? Further are these boundaries, stewardships or a bit of a mashup. By example to get round “Purpose Limitation,” terms and conditions become as wide as possible so that all and or any use is possible. Data minimisation is only possible if you know the data you want, which is rarely the case if you are a data platform. If a principle of The European Union is to ensure the free “movement / mobility” of people, goods, services and capital within the Union (the ‘four freedoms’), does data identity ideals and GDPR align?
Considering the issue with “the regulation of Facebook” or the “regulation of” Big Tech, in general, is that ON PRINCIPLE they shouldn’t exist, no one entity should have that much power and control over people’s identities and their data? So the framings that accepts them, as acceptable, won’t create rules that actually moves towards the principle of ending the current hegemony but rather just seek to regulate it as is. If we add in open API’s and the increasing level of data mobility, portability and sharing whose “rules or principles” should be adopted?
How do your principles change when the underlying fabric of what is possible changes? The entire privacy framework, say in the US today, is based on early 1970’s reports written in the United States to address concerns over mass state databases that were proposed in the mid-late 1960’s and the growing data broker industry that was sending people catalogues out of the blue. It doesn’t take account for the world we live in now where “everyone” has a little computer in their pocket. Alas, IMHO, GDPR is not a lot better than rules with no truly human based core principles.
By example here is the 1973: The Code of Fair Information Practices This Code was the central contribution of the HEW (Health, Education, Welfare) Advisory Committee on Automated Data Systems. The Advisory Committee was established in 1972, and the report released in July. The simplicity and the power of the code has been eroded and water down so that the code is now ineffective. Would we be in a much better place if we had adopted such thinking at the time?
We have outdated “principles” driving rules in a digital-first world. This world is now dominated by companies setting norms and without reference to any widely agreed-upon values. The down side of big tech gaining so much power that they are actually seen by people-in-government as “equivalent to nation-states” is telling. We have small well-networked organizations attempting to make a dent in this. MyData, for example, has generated, from an engaged collaborative community, a set of ideals (principles) that provide a good starting point for a wider constructive discussion, but we need historians, anthropologists, ontologist, psychologist, data scientists and regular every day people who are the users to be able to close the loop between the rules we have, the risk frameworks we manage to and the principles that we should be aiming for.
How can we leverage innovative democratic deliberative processes like citizen’s jury’s that are used in some parts of Europe to close the loop between rules and principles around emerging technology.
Now we are in the Meg Wheatly section of the article. I’ve been reading Meg’s book since I read Leadership and the New Sciences 25 years ago.
Relationships are the pathways for organizing, required for the creation and transformation of information, the expansion of the organizational identity, and accumulation of wisdom. Relationships are formed with information exchange between identifying / identifiable entities in identifying / identifiable organizings.
– THE DYSTOPIA OF SELF-SOVEREIGN IDENTITY (SSI)
I totally agree – its not in conflict with SSI style architectures. I would go so far to say that are currently no other architectures even come close to making it possible to have peer-to-peer relationships between people and other people and people and organizations at internet scale based on open standards.
Information needs to flow and DIDComm is a protocol to support different entities connecting and letting information flow between them.
It also lets one of the entities send information to the other entities in such a way that they can re-present that information to a party outside of the direct relationship in such a way that they can believe where it came from. That is what Verifiable Credentials do. So sitting on a high horse of intellectual greats like Meg and looking down at our technology instead of investigating how it might actually create affordances that are new in the digital realm that can get to the vision she articulates is where I have a real problem with your attitude towards our work.
The question of ‘digital identity’ is massively more critical than many working on it appreciate.
You center yourself as the judge to decide that some how we don’t think it is critical and that we don’t think it is massive. This is just demeaning of the dedication of many people some for 20 years and some for over a decade working diligently and hard with a lot of introspection and deep reflection to really build with a practical idealism that DOES appreciate the depths of what we are trying to do. We have been at it a lot longer than you. So when you say things like this off the cuff as if they are true – claiming we don’t appreciate how massive and critical our work is. I call BS and yes I think you are a troll because the way you have framed this is disrespectful to our intellects, our hearts and indeed our interpersonal relationships that weave together a thriving rich and deep generative community working diligently to make a new layer of the internet that empowers them.
Invite any and all people who feel compelled to consider so called “generative identity” to try out particiapting with the folks actually building real working tools now that can transform how identity operates on the internet and digital networks for the foreseeable future.
This is the 8th in a series of posts addressing Philip’s critiques.
First post
Bonus – Why my expertise is radically interdisciplinary and not focused solely on “information technology” cause that is always a reason to not listen to something a woman is saying.
This is the 7/8 posts addressing the accusation by Philip Sheldrake that SSI is dystopian. We have now gotten to the Buckminster Fuller section of the document. I <3 Bucky. He was an amazing visionary and like Douglas Englebart, who I had the good fortune to meet and have lunch with, dedicated his life to exploring how to make things better for all of humanity.
The section is literally titled – “Identity is a Verb” this is a statement that I can totally get behind.
I believe that – Identity is process.
All of it.
All things come into being as “things” but really created that “thing” that can be seen as having an identity that is distinct from other things is process. Human beings are created via the process of life and are kept alive by ongoing processes in the body.
Remember I said it was socially constructed (construction is a process)
Some times the process of identity in some contexts leads to “things” getting produced and handed to us (like a university handing me a card when I first got to campus with my name and student number on it.
Some times when we encounter a given system we are pointed at by a system (given a number) so that the system can recognize us again – when it “sees us”.
However you are in complete denial about the nature of modern mass society if we believe that some how those things don’t matter. They matter because the institutions we have created care about them and use them to function. If we don’t want this to be true – I suggest a better course of action is to actually undertake transforming those institutions. Saying we shouldn’t have identity documents that we have in the contemporary world – then stopping SSI isn’t the way to make that change.
It makes no sense to attack people who are working on digital systems to create digital versions (verifiable credentials) of those “things” (cards).
These systems of identity (see its a system with processes that result in things) have emerged over the last 1000 years in the European context. They are the result of many forces and factors one of them being our inherent WEIRDness – building a society where individuality and who you are matters more then your family – because the catholic church beginning around 500 CE implemented what the the Marriage and Family System where there was only monogamous marriage and cousin marriage was banned. So we no longer have any kin based institutions beyond the nuclear family.
So just kin based local ties that we used for literally most of human history to figure out who people were – doesn’t work any more. So we invented tools to support people who had ZERO knowledge of who someone is having ways to do this that were invented for states to understand their subjects but it turns out that other folks seeking to transactions with people like these “state issued” documents because they provide them with enough confidence to be able to do transactions with them – they like this state “root of trust” and for better or worse that is how things work today in contemporary western society.
Legal (noun-like) identity features obviously then in the majority of the scenarios presented. This is no accident because this is how the SSI community thinks, and how it thinks is reflected in the technical architecture and documentation.
I don’t agree. I think it is a feature of the majority of features because the institutions working to “not be in the center” of how people prove the statements on their “noun” identity documents are funding the development of the technology so they do not have to build centralized architectures that require technical federation with them posing far greater privacy risks and are quite frankly not scalable.
And this statement “this is how the SSI community thinks” – really? How well do you know us? – have you actually joined our community? Have you actaully joined our discussions and meaningfully contributed? beyond just throughing your “smart thoughts” in that show you do not understand how we think and don’t understand the technology.
Have you participated in developing the Verb like features and functionality with protocols like DIDComm? – not that I know of. You just decided that because we even touch “noun” like results of identity systems and support people being empowered with this one narrow type of identity that all of what we are doing must be bad.
Historically, invoking legal identity is tiresome. It involves systemic friction and consequently it’s called upon only when really needed and ignored in all other contexts. How frequently and for what purposes have you needed to produce proof of legal identity so far this century?
Depends on who you are and where you are? In making these statements you are suggesting the status quo of paper based documents is working and good for people and points to your privilege in a major metropolitan center and being able bodied.
Do you think the rural Canadian who is in a very remote town should be denied the right to transact in a trusted (having confidence in the veracity of the party they are interacting with and vis-versa that the relying party has confidence in who they are). The Canadian government certainly believes they have the right to be able to do this and are investing heavily in digital infrastructure and trusted digital infrastructure leveraging SSI to serve remote rural people so they have the same opportunities afforded those in cities with government service centers.
Do you think the disabled woman who is largely home bound does not deserve the right to leverage digital credentials to do transactions in the world?
Really step back and ask yourself if the status quo is ok given the evolution of an importance of the digital world. Lessig didn’t think it was acceptable in 1998 and until SSI we really didn’t have any technology that could actually solve for some fo the very hard use-cases we are working towards solving.
But SSI demonstrates an unprecedented frictionless quality enabling the routine, programmatic proffering of or triangulating back to legal identity and other noun-like identities (+ buried in the foot note important point… )Many organizations and bureaucracies have a noun-like approach e.g. your employer assigns an employee number that endures.
So what do you mean by “routine and programatic” as if people don’t have control of when and how they share what. It is a system that explicitly gives people to control via their agent/wallet what is shared when.
With SSI if I’m logging into my employers site to do work for them – I can leverage a verifiable credential issued to me by my workplace. IDRamp is working in this domain.
With SSI if I’m a licenced lawyer in a given jurisdiction and I want to login into the court system in that jurisdiction I can use the crednetial that says i’m a licenced attorney to do so. Britich Columbia has this working right now.
If I’m a citizen seeking to apply for public benefits (because of the pandemic) and I can do so with a verifiable credential issued to me by that same state – because that is a relevant ID for that type of transaction. This should be able to be done using SSI because right now its done on paper and it is literally a nightmare for people and the state seeking to manage it all.
This is about Alice’s freedom, perhaps indeed her “sovereign right” if that’s how you conceive the world, to live and live through her verb-like identities most of the time as she does today.
Great – use the SSI tools to build more verb like systems and structures with them. That is what DIDComm literally does – so go nuts and make some great stuff happen.
It literally is a protocol to build relationships between people and between people and organizations using a secure connection that NO entity is intermediating like they do today with all other types of identifiers provide.
This is the 7th in a series of posts addressing Philip’s critiques.
Bonus – Why my expertise is radically interdisciplinary and not focused solely on “information technology” cause that is always a reason to not listen to something a woman is saying.
