Soul-bound tokens. Proof-of-humanity. Self-sovereign identity. The web3 world is awash in schemes to bring your identity on-chain.
In response, Molly White asks, “is acceptably non-dystopian self-sovereign identity even possible?” This makes me want to ask a followup question:
Is acceptably non-dystopian digital identity even possible?
Identity or legibility?
The identity of an individual is essentially a function of her choices, rather than the discovery of an immutable attribute.
(Amartya Sen)
Would it not be a great satisfaction to the king to know at a designated moment every year the number of his subjects, in total and by region, with all the resources, wealth & poverty of each place […] and be able himself to know with certitude in what consists his grandeur, his wealth, and his strengths?
(Marquis de Vauban, proposing an annual census to Louis XIV in 1686)
What is identity? Who defines it? Who controls it? What is its relationship to software?
When I reflect on the lived experience of identity, I think of something that is complex, personal, intersectional, situational, intersubjective. It seems like the thing we are gesturing toward when we say “on-chain identity” is not this personal lived experience of identity, but something else. What is it?
James C. Scott’s book Seeing Like a State (1998) offers a clue. Scott examines something he calls legibility: a process of simplifying, restructuring, and labeling to enable control at scale. From the book’s introduction:
Originally, I set out to understand why the state has always seemed to be the enemy of “people who move around”. […] The more I examined these efforts at sedentarization, the more I came to see them as a state’s attempt to make a society legible, to arrange the population in ways that simplified the classic state functions of taxation, conscription, and prevention of rebellion. Having begun to think in these terms, I began to see legibility as a central problem in statecraft. […]
How did the state gradually get a handle on its subjects and their environment? Suddenly, processes as disparate as the creation of permanent last names, the standardization of weights and measures, the establishment of cadastral surveys and population registers, the invention of freehold tenure, the standardization of language and legal discourse, the design of cities, and the organization of transportation seemed comprehensible as attempts at legibility and simplification. In each case, officials took exceptionally complex, illegible, and local social practices, such as land tenure customs or naming customs, and created a standard grid whereby it could be centrally recorded and monitored.
(James C Scott, 1998. “Seeing Like a State”)
This sounds closer to the mark. When we say “on-chain identity”, we are gesturing toward something that is standardized, certified, registered, recorded. An API for quantifying people. This is reflected in the use-cases cited for on-chain identity, such as one-person-one-vote polling, credit scores, credentials, reputation, mutual rating, resumes, background checks.
Following Scott, perhaps what we are gesturing toward is not on-chain identity, but on-chain legibility.
Killing a forest by counting the trees
Certain forms of knowledge and control require a narrowing of vision. The great advantage of such tunnel vision is that it brings into sharp focus certain limited aspects of an otherwise far more complex and unwieldy reality. This very simplification, in turn, makes the phenomenon at the center of the field of vision more legible and hence more susceptible to careful measurement and calculation. Combined with similar observations, an overall, aggregate, synoptic view of a selective reality is achieved, making possible a high degree of schematic knowledge, control, and manipulation.
(James C Scott, 1998. “Seeing Like a State”)
Yet many useful things seem to be gated on legibility, both online and IRL. Why should we be concerned about it?
Scott details a pattern of disaster that repeatedly manifests around legibility. His opening example is from the late-18th century discipline of “scientific forestry”.
A natural forest is illegible. A tangle of plants. This is inconvenient from the standpoint of harvesting lumber. How do you quantify yield? Can you even make a meaningful map of this mess? Much easier to clear the forest and plant a legible “scientific” forest. Uniform rows of trees that produce good lumber. Now we can count the trees, make a map, track sustainable yield.
What’s missing from our map? Everything else. The forest has been made legible to lumber production. In the process, the entire ecological web of trees, shrubs, birds, bugs, moss, soil microbiota are stripped away. They didn’t fit into our map.
By the second generation of planting, there is a noticeable decline in forest health. Within one century: Waldsterben, forest death, ecological collapse.
This legibility disaster pattern repeats itself across many domains. Scott gives us dozens of examples spanning urban planning, agriculture, census-taking, more. The failure follows a Procrustean pattern:
Make a map to accomplish systemic goal
Reality is too complex and refuses to fit into map
Remake reality in the image of map
*Systemic collapse*
Legibility is disastrous at scale
Society must be remade before it can be the object of quantification. Categories of people and things must be defined, measures must be interchangeable; land and commodities must be conceived as represented by an equivalent in money. There is much of what Weber called rationalization in this, and also a good deal of centralization.
(Theodore M. Porter, “Objectivity as Standardization”)
The visual contrast between a natural forest and the grid of trees is an important touchpoint for Scott. A desire to make legible is a desire to construct systems that look simple when gazing down from a god’s eye view, when “seeing like a state”.
Creating this god’s eye map requires a simplification of the territory. An accurate model of the universe would be as large as the universe itself. Maps are simplifications.
. . . In that Empire, the Art of Cartography attained such Perfection that [they] struck a Map of the Empire whose size was that of the Empire, and which coincided point for point with it. The following Generations, who were not so fond of the Study of Cartography as their Forebears had been, saw that that vast map was Useless.
(Jorge Luis Borges, 1946, “On Exactitude In Science”)
At root is an inability of human values to comprehend the fullness of reality. When seeing with a god’s eye, we become blind to life at street-level.
Yet there are good reasons to want maps. Many schemes to improve the human condition require a degree of legibility. Taxes fund infrastructure, citizenship enables democratic voting. And yet Scott notes the same legibility to the state that made democratic citizenship possible also made universal conscription and total warfare possible. It’s an ambivalent situation.
The greatest danger emerges when legibility is paired with godlike power and totalizing ambition. You can only simplify reality to match your map when you operate at the scale of a god, a state… or perhaps, of a network.
The internet is always at scale
Legibility is disastrous at scale, and the internet is always at scale. The internet is flat, frictionless, and global, and algorithms are totalizing.
The internet is adaptive, and will algorithmically reshape its reality around anything that is legible. Google makes clicks legible, so clickbait manifests. Facebook makes reacts legible, so inflammatory content manifests. YouTube makes engagement legible, so creepy videos for toddlers manifest.
Legibility on the internet is hazardous. And if it is hazardous to make clicks or emotes legible to algorithmic forces, how much more hazardous is it to make people legible? Making identity legible at internet scale is seeing like a state.
Self-sovereign legibility
Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. […] These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation.
(Timothy C. May, 1988)
Anything that promotes ease of travel and communications has a positive effect on state growth and expansion.
(Peter Turchin, 2012)
Another thing Scott’s framework reveals is that the dangers of legibility are not related to the sovereignty of an ID. There are many reasons self-sovereignty is valuable, but the function of a self-sovereign identity is still to make the bearer legible. What’s measured gets managed. What’s legible gets controlled.
If your goal is to shift the locus of control toward the user, my sense is that self-sovereignty is not enough. We also need to consider illegibility and privacy.
Identity wants to emerge
Over the long run, any stable joinable key becomes an identity as it accumulates more correlated information about you.
We see this today in the ads ecosystem, where data brokers and cross-site advertising networks use data joining to correlate information about you and track you around the internet. Email addresses, cookies, IP addresses, advertising identifiers—anything that is unique and stable can be used for data joining.
Identity wants to emerge, because many systems want to make you legible.
Social credit score on the blockchain?
A blockchain is a global, immutable, unstoppable ledger. That is its purpose. Anything written to a blockchain is legible forever, and many systems want to make you legible.
Is emergent social credit score on the blockchain inevitable?
It certainly seems like an attractor. A strong cypherpunk ideology motivated the invention of Bitcoin. Well, but the universe has an ironic sense of humor, and often an ideology will push for one thing, and the emergent effects of that ideology will generate a different thing, even an antithesis.
I suspect legibility has a tendency to eat adjacent goals, because legibility is aligned with the interests of money and power.
Identity considered hazardous
We are stuck, alas, with Leviathan, though not at all for the reasons Hobbes had supposed, and the challenge is to tame it. That challenge may well be beyond our reach. (James C. Scott)
Is acceptably non-dystopian digital identity even possible? At the very least, it seems fundamentally hazardous. But identity wants to emerge, and seems likely to do so. We find ourselves faced with a dilemma.
Identity is hazardous
Global ledgers are hazardous
Universal address spaces are hazardous
Static joinable keys are hazardous
A lot of this stuff is not going away any time soon. I don’t have silver bullets, but I wonder—are there ways we might progressively improve on our situation? Can we build networked software that allows people to be illegible? Or at least self-selectively legible?
Keys not IDs: toward personal illegibility
An insight—the thing most software needs to solve for is not identity, but authorization.
The important thing from a logging-into-software perspective is not who you are, but what you are authorized to do. So, Keys, not IDs.
Public-key cryptography seems like the tool we need to implement ACLs without the baggage of seeing like a state. But this presents us with new practical challenges:
Keys need to be cheap. Instead of username/password, each app should have its own key, or else you’re back at identity. So, where do you put all of these keys?
Keys need to be rotatable to thwart joining, and in case of compromise. So how do you rotate them?
Keys need to be recoverable. If you lose you device or otherwise lose access to your keys, you need some way to get back in.
Tricky problems, none of them new! But I see some bright new glimmers on the horizon.
The emergence of the wallet app paradigm is one bright glimmer. It’s a keychain for all of those keys. In some ways the wallet paradigm feels obvious. Many of us use password managers anyways. Yet it took the strong ideological commitments of crypto to create an ecosystem that rejected the local maxima of username/password. This was an extreme choice! But it forced the emergence of new tools.
Now it seems the wallet app UX paradigm may escape cryptoland and become a feature of mainstream operating systems. Goodbye logins. Nobody will miss you.
Non-custodial key recovery is still an open problem from a practical product perspective. But it’s being worked on. Perhaps there will be breakthroughs. Perhaps key escrow is a necessary pragmatic solve for the time being.
Either way, it seems like the best approach is to always use keys at the protocol level, and layer wallet UX on top. Crypto got this one right. Key-based protocols enable both custodial and non-custodial experiences on top, and leave room to do better in the future. Identity-based protocols can only see like a state.
UCANs (User Controlled Authorization Networks) are another bright glimmer.
User Controlled Authorization Networks (UCANs) are a way of doing authorization (“what you can do”) where users are fully in control. There’s no all-powerful authorization server, or server of any kind required. Everything that a user is allowed to do is captured directly in a key or token, and can be sent to anyone that knows how to interpret this format. (ucan.xyz)
UCANS are JSON Web Tokens that describe some capabilities, and are signed with your private key. You can grant a service the ability to perform some action on your behalf by giving it a UCAN, or by wrapping that UCAN with another that has equal or lesser rights, and handing that one out.
This gives you the building blocks for key invalidation and rotation, and also for gluing together multiple permissioned APIs, all without login.
UCANs seem like an extremely promising building block, which is one reason we’re developing rs-ucan, an open-source Rust implementation. We hope to make keys-not-ids a core feature of our upcoming “protocol for thought”.