Kaliya Young: It’s great to be with you this morn­ing. So I thought I’d start at the begin­ning. I found­ed the Internet Identity Workshop with some col­leagues in 2005, and we are still con­ven­ing. We began meet­ing real­ly ask­ing this ques­tion, how can indi­vid­u­als own their own dig­i­tal iden­ti­fiers? How can we get out from being under­neath the plat­forms that we’re inter­act­ing with? Just a user­name and pass­word, or now more recent­ly you have these inter­me­di­aries like Google and Facebook, that you’re using to log into var­i­ous things. 

And then, if you got your­self your own iden­ti­fiers how do you actu­al­ly prove mean­ing­ful things about your­self using them? And the good news is after fif­teen years of con­ven­ing, we’ve got­ten some­where. Our next one’s actu­al­ly hap­pen­ing next week, and you’re all invit­ed of course. 

There’s a whole set of open stan­dards around self-sovereign iden­ti­ty that have emerged. And I’m gonna touch on them real­ly briefly. 

At the core of them is this, the decen­tral­ized iden­ti­fi­er. And it’s an iden­ti­fi­er that indi­vid­u­als them­selves cre­ate, along with a pub­lic key and a pri­vate key, and they can post them to ledgers. And there’s lots you can read online about the tech­ni­cal details and I’m not gonna go into them now. There’s not enough time. But I invite you to explore them. 

And con­cep­tu­al­ly at the top you have iden­ti­fi­er own­ers. Then you have the next lay­er. You have indi­vid­u­als have dig­i­tal tools that work on their behalf. So at the core of this is a wal­let that they would prob­a­bly car­ry on a smartphone. 

And then next you have what is hap­pen­ing in the cloud, so that indi­vid­u­als will have agents that are cloud-based that are con­nect­ed to their wal­let. And these are also under their con­trol. And the vision for these is that they act much more like a bank does today. We go and we put our mon­ey in a bank, and the bank helps us do things with our mon­ey. But it’s our mon­ey; we go back to the bank and go, ​“I want my mon­ey, I’m going to take it to the oth­er bank.” The same should be true with our data. It should­n’t break down if we choose to change ser­vice providers and those that are act­ing on our behalf with it. 

And then next you have, as has been men­tioned, shared ledger, dis­trib­uted ledger tech­nol­o­gy, of which there are quite a few dif­fer­ent folks (Sovrin is the one that’s been named here) already that are sup­port­ing this. And it’s real­ly a rout­ing infra­struc­ture. There isn’t very much infor­ma­tion stored on these in the dis­trib­uted ledger. It’s real­ly a way to go find and con­nect between agent to agent for indi­vid­u­als, and to con­nect using pub­lic key infrastructure. 

And the oth­er thing that you can do with this is ver­i­fi­able cre­den­tials to sup­port the move­ment of attes­ta­tions, cre­den­tials, claims—however you want to call it—from insti­tu­tions to individuals. 

So where do these ver­i­fi­able cre­den­tials come from? And one source is reg­istries. And this is what I’m real­ly grate­ful for Mike’s work, is kind of to go oh right, okay, that’s one way to look at them. And I spent the last two years at UT Austin in their new Masters of Science and Identity Management pro­gram. And I’ll tell you a lit­tle bit of the sto­ry and then I’ll walk through what we have. 

In that pro­gram, we were in a cohort of twelve folks. And we would get new teach­ers, right. This hap­pens in a cohort pro­gram. And we kept talk­ing about iden­ti­ty as if it was one real­ly big thing. And I was like wait a sec­ond. There’s dif­fer­ent forms of iden­ti­ty, in dif­fer­ent places, and we need to have a frame­work to think clear­ly about it. 

And so this is actu­al­ly part of Mike’s paper. So what are the dif­fer­ent places that PII, personally-identifiable infor­ma­tion, ends up in data­bas­es? And this is the anchor for how I thought about divid­ing up the world of iden­ti­ty into some man­age­able chunks. 

And so at the top of this is me and my iden­ti­ty. And this is the place where I as the indi­vid­ual col­lect and man­age and store my own infor­ma­tion. And we have sev­er­al vari­eties. User-centric dig­i­tal iden­ti­ty, this is what the folks I’ve been sup­port­ing, con­ven­ing at the IIW, have been work­ing on for a long time. There’s the Indie Web efforts. Folks have been work­ing on these chal­lenges in that con­text. You have the quan­ti­fied self move­ment, which is all these track­ing and all sorts of tools for peo­ple to man­age and track their own infor­ma­tion. And now this new kid on the iden­ti­ty block, the self-sovereign iden­ti­ty work. So this is me and my identity. 

Next is a cat­e­go­ry that often gets over­looked, but how do elders, chil­dren, folks with dis­abil­i­ties, and oth­ers man­age their iden­ti­ty? They do it with folks act­ing on their behalf. So you have ​“you and my iden­ti­ty,” or del­e­gat­ed rela­tion­ships that we need to have account­abil­i­ty in the sys­tems to sup­port folks who aren’t man­ag­ing their own iden­ti­ties hav­ing oth­ers do it on their behalf, but in a way that means they’re not giv­ing away their credentials—that there’s accountability. 

So, these are the sources for data and iden­ti­ty infor­ma­tion in the next twelve domains. And we’re gonna step through them. 

So the first one is gov­ern­ment reg­is­tra­tion. And there’s two forms, real­ly. There’s pri­ma­ry reg­is­tra­tion, which is done by par­ents on behalf of their chil­dren. This is when you reg­is­ter your child’s birth at the coun­ty lev­el, and now more recent­ly also with the fed­er­al gov­ern­ment to get the issuance of a Social Security Number. And then also sec­ondary reg­is­tra­tion is all the reg­is­tra­tions you do after that, often your­self, using those pri­ma­ry doc­u­ments to get a dri­ver’s license, to get a pass­port. All kinds of dif­fer­ent things need you to get anoth­er iden­ti­ty issued to you by var­i­ous governments. 

And all of these sys­tems and process­es are very recent inven­tions. Most of them are less than a hun­dred years old. And there’s a loop that hap­pens, actu­al­ly, where mod­ern states came into being in part because they went out and reg­is­tered their cit­i­zens, who then thought to them­selves, ​“I’m part of this thing called a state.” So this actu­al­ly forms a recur­sive loop in terms of peo­ple’s sense of iden­ti­ty when these process­es are put in place. 

And this is a map from Mia Harbitz, whose work is in the CRVS space (civ­il reg­is­tra­tion of vital sta­tis­tics) about what hap­pens when you have effec­tive civ­il reg­is­tra­tion in terms of enabling a holis­tic pic­ture of its impact on society. 

Next you have gov­ern­ment trans­ac­tions, and this is where you show up with the doc­u­ments you had in step one, which is get­ting reg­is­tered, and you go and use them to do things, actu­al­ly. And this is actu­al­ly where you find a bunch of reg­istries. You can’t reg­is­ter your car unless you have a dri­ver’s license in which to make the con­nec­tion, right. And when you do land trans­ac­tions that are record­ed by the gov­ern­ment, they ask you to present government-issued ID. 

Next we have civ­il soci­ety. This is a whole clus­ter of orga­ni­za­tions that come togeth­er for the pur­pos­es of this, which is orga­ni­za­tions which you have an ongo­ing rela­tion­ship, and that are pro­vid­ing not just com­mer­cial trans­ac­tions but health, edu­ca­tion, many oth­er things. And all of these insti­tu­tions have a reg­is­tra­tion process and some sort of issuance of cre­den­tials that you re-present when you show up to ask for the services. 

And you present the cre­den­tials you got through the reg­is­tra­tion process, and you’re able to trans­act to get the ser­vices. And this is also a place where we find, ta da, a reg­istry. Professional licens­ing often hap­pens in these types of insti­tu­tions, right. This is anoth­er registry. 

You have com­mer­cial reg­is­tra­tion. This is where you sign up to get that loy­al­ty points or a cus­tomer num­ber with a ser­vice provider. 

And then when you present, you show up, you share what­ev­er it was you got in the reg­is­tra­tion process along with pay­ment and you get your goods and services. 

Next you have employ­ment reg­is­tra­tion. This is where indi­vid­u­als are apply­ing for jobs, shar­ing infor­ma­tion about who they are. Once they’re offered a job and it’s accept­ed they’re enrolled into the enter­prise sys­tems, and they get a cre­den­tial and they present that cre­den­tial to do work. And in return they’re paid for that work. 

So, this next cat­e­go­ry is where we end up with PII in data­bas­es and sur­veil­lance. And in my research there were three main kinds: vol­un­tary known, invol­un­tary known, and invol­un­tary unknown. And this hap­pens across all of the con­texts that I’ve already gone through. So you have gov­ern­ment sur­veil­lance hap­pen­ing, of all three types. You have civ­il soci­ety surveillance—so this is like CCTV cam­eras going into school or you know, var­i­ous ways that peo­ple are being tracked. And a lot of it’s vol­un­tary. Like I put on some sort of health mon­i­tor and it’s going back to my doc­tor, I under­stand that’s hap­pen­ing and I’m choos­ing it. 

And then you have com­mer­cial sur­veil­lance. And final­ly, employ­ment sur­veil­lance. So this is where…this is real­ly old. Taylorism is not new. 

So those are the next twelve domains. And then final­ly you have the data bro­ker indus­try that’s pulling data from all of the above contexts—public data, data from com­mer­cial enti­ties, com­pil­ing it into dig­i­tal dossiers and reselling it to gov­ern­ment and the com­mer­cial sector. 

And then final­ly all of these domains are sub­ject to attacks on the black mar­ket both by state actors and crim­i­nals. And this data is being spread around in that way. So there you have the domains of identity. 

Now, I want to quick­ly tie it all back togeth­er and be like, how do we actu­al­ly— If you notice in all these lit­tle dia­grams there’s the per­son. And what if we put the per­son at the cen­ter? Going back to SSI, using their wal­let and their cloud agent, that they could col­lect the cre­den­tials that they get from gov­ern­ment and then reuse them when they show up on the door of gov­ern­ment to do transactions. 

They can col­lect cre­den­tials from their civ­il soci­ety insti­tu­tion­al engage­ment, their pro­fes­sion­al licens­es, their num­ber from the water polo asso­ci­a­tion—all kinds of cre­den­tials in dig­i­tal form. And when they use them it’s real­ly easy for them. Their employ­ment reg­is­tra­tion cre­den­tials, proof of where they’re employed, and use those in a much more secure way to even log into those sys­tems of the enter­prise. And then, com­mer­cial reg­is­tra­tion, all their loy­al­ty cards, and points, etc. And use them.

So, self-sovereign iden­ti­ty is what sits in the mid­dle enabling indi­vid­u­als to man­age all these dif­fer­ent rela­tion­ships in a way that is sig­nif­i­cant­ly less com­plex than each of those insti­tu­tions need­ing to have a busi­ness rela­tion­ship with each oth­er to see those credentials. 

So, we are real­ly see­ing the emer­gence of a new lay­er of the Internet for peo­ple, I believe. Layer 8, on top of the one we have right now. And I want to close with this quote, Protocol is a lan­guage that reg­u­lates flow, directs net­space, codes rela­tion­ships, and con­nects life forms. It is eti­quette for autonomous agents. And these are also the new set of pro­to­cols to real­ly enable us as peo­ple to con­nect to one anoth­er and con­nect to organizations. 

And I’ll leave you with this. To get to this future we need to coor­di­nate the devel­op­ment of com­mon build­ing blocks, code, infra­struc­ture, and pro­to­cols. We must ship inter­op­er­a­ble prod­ucts, and we need to work towards align­ment and con­trol. So with that I thank you, and look for­ward to the panel.