We’re over two decades into an era of digital feudalism.
Feudalism is a centuries-old concept. In medieval times, the nobility owned vast amounts of land. Serfs worked the land to create value, but most of that value was confiscated by the landlord.
Instead of farm produce, today the new asset class is data—created by us, but captured by digital landlords such as social-media companies, search engines, online retailers, governments, and banks. “Surfing the internet” has become “serfing the internet,” with users giving up intimate details of their lives for the internet lordships to aggregate, expropriate, and monetize. We, as the serfs, only get left with a few lousy cabbages.
This is important, because this data isn’t just the byproduct of your labor. It is the stuff of your identity in the digital age.
All this data constitutes a “virtual you.” The digital crumbs that you leave in daily life create a mirror image that knows more about you than you do. You probably can’t remember dozens of your personal identifiers: your driver’s licence details, credit-card numbers, government information. But you definitely don’t know your exact location a year ago; what you bought or what amount of money you transacted; what you said online; or what medication you took or diagnosis you received.
And that’s just the beginning. In the future, the virtual you will contain detailed medical information like your heart rate, blood pressure, or myriad other real-time measures of what you do, how you function, where you are, and even how you feel.
The trouble is that the virtual you is not owned by you. “Imagine if General Motors did not pay for its steel, rubber, or glass—its inputs,” economist Robert J. Shapiro once said. “That’s what it’s like for the big internet companies. It’s a sweet deal.”
We create the asset: They expropriate it. Yet we still thank them for use of their land, rather than demanding what is rightfully ours.
There are problems with this new form of feudalism:
- First, we can’t use our own data to plan our lives. It’s stored in other people’s silos, which we can’t access—but third parties like Cambridge Analytica can, often without our knowledge.
- Second, we enjoy none of the rewards of this third-party data usage, yet we bear most of the risk and responsibility for its cleanup, should they lose or abuse our data.
- Third, these elites are invading our privacy and telling us to “get over it,” when they know full well that privacy is the foundation of freedom; just look at the Chinese social credit scoring.
- Fourth, we can’t monetize these data assets for ourselves, resulting in a bifurcation of wealth and all its discontents.
The serfs are starting to get mad as hell and are not going to take it anymore. But populism, from Brexit to Trump, is not the solution. Nor is the European Union’s general data protection regulation (GDPR), which is a partial measure at best, and hypocritical in light of the new EU common identity repository. Nor is a heads-will-roll type of policy that calls for the breakup of Amazon, Facebook, and Google for violating anti-monopoly laws.
What we need is a wholesale shift in how we define and assign ownership of data assets and how we establish, manage, and protect our identities in a digital world. Change those rules, and we end up changing everything. It is a revolution to be sure.
We’ve called it the blockchain revolution.
State-run internet-based systems are problematic. In the last ten years, at least 48 government databases have been breached, exposing the data of 1.44 billion people—and that number doesn’t include hacks to government-managed health-care and education records. Yet, we’re dependent on system administrators who can freeze access, delete our voter registration or other credentials, and use banks, telecoms, and tech firms to surveil us.
Nothing about these institution-centric systems is citizen-friendly. They discriminate against the poor, the rural, the homeless, the imprisoned, and the overworked in society. Syrian refugees in particular put a spotlight on the crisis of state-based identification.
The reality of a government-sourced and -sanctioned identity is untenable—both administratively and philosophically. Why should any government get to rubber-stamp who we are? We should be establishing our own identities and, as Joseph Lubin of ConsenSys wrote, bootstrapping ourselves into economic enfranchisement. We need to take action now.
What each of us needs is a self-sovereign and inalienable digital identity, one that is neither bestowed nor revocable by any central administrator and is enforceable in any context, in person and online, anywhere in the world.
As Alex Tapscott and I argue in Blockchain Revolution, the means now exist to assert what developer Devon Loffreto calls “sovereign source authority”: Identity is not simply endowed at birth; it is endowed by birth.
Here’s how it works.
To bootstrap our identity, we first need a model that is distributed among and maintained by the people whose identities it protects. This means that everyone’s incentives align in an identity commons, with clear rights for users to steward their own identity, protect their privacy, access (and allow others to access) and monetize their own data, and participate in rule-making around the preservation and usage of the commons.
Several identity projects in the blockchain space are working to provide such structure and capabilities.
- Blockstack, a public-benefit corporation in Delaware, incorporates the bitcoin blockchain in its open-source identity solution. Blockstack users can set the location of their user profile and application data, and Blockstack has no control over the identity information on the bitcoin blockchain or stored on Blockstack’s peer-to-peer network.
- Civic, a for-profit company based in San Francisco, offers an ID verification solution through an ethereum-based platform. Users collect verifiable claims of attributes from validators—such as banks, governments, and universities—but when a third party wants to learn something about a user, the user can decide whether and how much to reveal. The third party must then pay the validator of the relevant attribute, which is an incentive for validators to participate.
- Sovrin is an identity platform governed by a community-created governance framework and administered by the Utah-based non-profit Sovrin Foundation. The network runs on a distributed ledger based on Hyperledger Indy. The nodes maintaining the ledger are trusted entities such as banks, colleges, and governments, which are approved by the Sovrin Foundation Board of Trustees. Users download a wallet app like Connect.me for storing their credentials and tokens as well as communicating with other wallets for peer-to-peer exchanges of data, which are stored locally in the user’s wallet or encrypted cloud backup.
- uPort, a platform built on the ethereum network and funded by for-profit ConsenSys in New York, enables users to create a decentralized identity (DID) based on the proposed ERC-1056 lightweight ethereum identity standard for ethereum wallets. The app manages user identities and credentials, such as keys, identities, and attestations, which are portable across service providers and client applications. The app can authenticate a user and disclose verifiable claims to whomever the user chooses.
- Veres One, a blockchain operating under the guidance of the Veres One W3C Community Group, may be the simplest self-sovereign identity infrastructure. It has no tokens and stores no user data—it stores only the DIDs used for key management and service endpoint discovery. Through Veres One, anyone with a web browser can generate a DID compatible with other identity services, allowing for portability.
Many of these start-ups are collaborating in the Decentralized Identity Foundation, a consortium consisting of Hyperledger and R3, and incumbents such as Accenture, Microsoft, and IBM. Its working groups are focusing on three big areas—identifiers and discovery, storage and computation of data, and attestation and reputation—with an eye to developing use cases and standards.
The ultimate solution, however, must exist independent of any corporation, government, or other third party, and should not be subject to the agency risk of executives or political parties. It must interoperate with these institutions, even as it outlasts them. In fact, it must be built to outlive its users and enforce their right to be forgotten. This would mean separating data rights from the actual data, so that the rights holder could delete it. To be inclusive, it must be user-friendly with a low-tech mobile interface and low-cost dispute resolution.
This transition will take time. We expect organizations to take at least three actions to rebuild the trust of those whose data they hold.
The first involves governance. Many large corporations and government agencies have strong governance mechanisms for their hard assets, but really poor governance of information assets. Companies must define decision rights around their data and develop an accountability framework that disciplines how employees use data.
The second involves the discontinuation of practices that collect and store customer data. This could involve either destroying these massive customer databases altogether (after returning files and records to customers) or migrating this data to distributed storage systems, such as the IPFS, and then transferring control to customers.
The third involves the cultivation of a new core competence: the ability to work with huge anonymized datasets rented from large numbers of people, all handled in a distributed and trust-minimized manner. It will remove data as a toxic asset from the corporate balance sheet and make it a fundamental human asset from birth. It will flip the data-analytics business model on its head and reward corporations for serving as data brokers on behalf of individuals. This will see the end of the large centralized data frackers that scrape, hoard, and rent, but don’t protect this data.
These new approaches to privacy and ID management give citizens ownership of their identities, the facts of their existence, and the data they create as they live their lives. The self-sovereign identity is one of the pillars of a new social contract for the digital economy, and will be critical to the transformation to a more open, inclusive, and private economy.
We need more than access to some of our data. We should own it.
Correction: The original version of this piece misidentified Moxie Marlinspike as the originator of sovereign source authority. It was Devon Loffreto. Also, the Sovrin Foundation and not Evernym is responsible for administering the Sovrin platform.