"Ownership" of Data

Informational Self-Determination in a Post Facebook/Cambridge Analytica Era

Combined Session
Thursday, May 17, 2018 15:30—16:30

Nat Sakimura from Nomura Research contributed the following viewpoint, which will be discussed in this session:

The hype and hysteria around blockchain, blockchain identity and the Facebook/Cambridge Analytica scandal have been quite interesting to watch. It did show, and is still showing, a lot about people's understanding of the space, which is actually a bit different from what I think.

For example, people think that they own their data and ought to have sovereignty over their data and some people think that Blockchain identity and DID can achieve it.

I do not think so in general.
It is because of three reasons.

  1. The assertion that we own our data is wrong.
    There is very little data that falls into the "I have full right to control" category. Most of the time, the data is actually shared among people, as they form relationships. For example, your DNA sequence is shared with your relatives. You do not have the right to disclose it publicly as a result. Your location data is shared with someone you are with, and disclosing your location would disclose her location as well. Do you have a full right to disclose it? Probably not. Not only because people do not read the terms, but also because of this shared data aspect, "consent" is an unreliable mechanism for data processing. And the Facebook/Cambridge Analytica scandal's root cause actually is here. It was not a hack. People "consented" to provide "his data". His data, in this case, included data about his friends.
  2. I do not see anything particularly new in SSI
    The basic model of SSI, as I understand it, is that you write your identifier and claims location on a blockchain. So, the blockchain works as the registry. People can then search the registry to find the location of the associated claims. Claims are not written to the blockchain. They are hosted off-chain. Does it not resemble something? It has just replaced DNS with a consortia-run blockchain and Identity (=set of claims) Provider with Claims Provider. It just looks to me like the same model with new tools and some nice marketing phrases. Since it is easy for the authority to take down the claims provider, in such a situation, it is likely that the guy will be left only with his identifier, which is rather useless. Worse, the fact that most crypto-currency traders do not manage their keys themselves but use "online wallets" provided by cryptocurrency exchanges makes me think that they will probably use the Claim Provider as the online wallet and we are back to square one. Welcome to the good old Online Identity Providers.
    Compared to this, Self-issued IdP (SII) in OpenID Connect looks much more radical. We got rid of the registry. It is completely distributed. It lives on your handset. We do not need a shared database like blockchain to find claims providers because the SII can provide the claims or claims locations locally. These claims can be signed by the source so they are verifiable as well. It can be deployed without blockchain so we do not have to worry about the numerous technical issues of the blockchain that are not solved yet. Actually, CardSpace was on a similar model.
  3. There are no economic incentives for RPs and Users to start using it.
    As I explained above, this "self-issued" model is not new. SII has been there since 2014 and I know of only one large-scale deployment (It started this February, by the way). CardSpace was even pushed through Windows 7 installations and it still did not fly.
    Why? It probably is because there are no incentives for RPs to accept self-issued identities while the population coverage is not large. The investment to start accepting SII cannot be justified. The converse is true for the users. If there is no RP, then there are no incentives for the users to install and use SII. It is a classic chicken-and-egg problem.
    Do you remember how Google got their identity flying? It was through a killer RP service called Gmail. After there were enough users, then RPs started to have incentives to start accepting Google identity. The same applies to Facebook.

Unless there is a way for the Self-sovereign identity to break through this problem, I do not see any reason why it should fly.

Joni Brennan
Digital ID & Authentication Council of Canada
Joni Brennan is the President of the Digital ID & Authentication Council of Canada (DIACC). Building upon 15 years of hands on experience in Identity Access Management innovations and industry...
Kim Cameron
Kim is Architect of Identity in the Identity Division at Microsoft, where he champions the emergence of a privacy-enhancing Identity Metasystem reaching across technologies,...
Eve Maler
Eve Maler (@xmlgrrl) is VP of Innovation & Emerging Technology in ForgeRock's Office of the CTO. She is a renowned strategist, innovator, and communicator on digital identity, security,...
Joerg Resch
Joerg Resch is Co-Founder & Managing Director at KuppingerCole. He looks back on over 20 years of experience in Identity Management related projects and their implementation...
Nat Sakimura
Nomura Research Institute
Nat Sakimura is a research fellow at Nomura Research Institute specializing on digital identity and privacy, and the Chairman of the OpenID Foundation. He is a co-author of many of the frequently...
Doc Searls
Editor-in-Chief, Linux Journal
Doc Searls is author of The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012), co-author of The Cluetrain Manifesto (Basic Books, 2000 and...
Andrew Tobin
Andrew Tobin (European Managing Director, Evernym) is a technology strategist. He has a history of delivering innovative technology solutions to complex business problems in the converging...