Hi there 👋 and welcome to Bookie: a casual diary of topics, lessons, and ideas I’m working through out loud.
Today’s Read: 16 Minutes
On its surface, the concept of identity is deceptively simple to understand. It’s just who we are—that intangible “I” that ultimately defines human consciousness.
Or to flex some culture on you I’ll quote Descartes: “I think, therefore I am.”
But take this concept out of a philosophical vacuum and you quickly see the strange dichotomies our identities exist under.
Our identities are that internal, “special me thing” but also ultimately determined by how other people perceive us. Our identities need to provide sameness and continuity throughout our lifetimes even though our physical, mental, and spiritual selves evolve over time. We’ve constructed artifacts like driver’s licenses, birth certificates, and usernames & passwords to represent our intangible uniqueness but only so institutions can define concrete, broadly applicable rules around how society operates.
As we transitioned from hunting & gathering alongside people we see every day to exchanging goods & services with people we've never met before—the rules and technologies that governed our identities were forced to evolve alongside it.
Today, I have the fun task of exploring how we’ve collectively approached this difficult task and also try to make sense of how we may approach it in the near future.
To do this, I'll be answering 3 fundamental questions:
* Why is identity an important and unsolved problem?
* What does a "good" identity system even look like?
* What's potentially in store for the future of identity?
Why is identity an important and unsolved problem?
The earliest rules we defined around our identities focused primarily on naming. It was our first attempt to grapple with this notion of provable uniqueness—to answer “Is this person actually who they say they are?”
Provable uniqueness makes us accountable. You're less likely to steal food from your neighbor if everyone in your village can precisely point to exactly who did it.
But obviously you are more than just a name. Or rather, your name doesn’t really do a great job representing who you are.
Jared Dunn, one of my favorite television characters of all time, makes this hilariously poignant insight in the show Silicon Valley: “a name is just a sound someone makes when they need you.”
To fortify uniqueness and accountability, we started layering more information about ourselves.
While there may be many Jared Dunns, there are fewer Jared Dunns who are 6'2, have blue eyes, and live in Palo Alto. There’s even fewer of them who work at Hooli. And there's probably only one Jared Dunn who has a police record for harassing pedestrians after an Adderall-induced bender.
Instead of trying to log a nearly infinite amount of information to represent ourselves, we cherrypicked information we deemed relevant for purposes like buying a home, traveling across borders, voting people into political office, etc.
People and institutions we trusted then standardized all of this information into artifacts like passports, drivers' licenses, and credit scores which ultimately became a de facto representation of you. These encoded factual aspects of your identity like your hair color but also subjective judgements like “can you trust this person to pay their bills?”
The government issues me an ID, validating that I am in fact a citizen and that I should be allowed to vote. The DMV issues me a driver's license which validates that I'm a good enough driver to operate a vehicle. My university issues a degree that validates I'm smart enough to get paid to sit around and stare at a computer screen all day.
This highlights our first important concept. Our identities are really just a collection of claims that are supported by some trusted entity.
And these claims ultimately determine what we can or cannot do.
We created a model of reductive trust. When you tell a bank teller that you want to withdraw money from your bank account, the bank teller doesn't actually need to know who you are. They look at that piece of plastic with your picture on it. That piece of plastic is issued by the government and that bank teller has to trust the government acted in good faith when they issued that credential which ultimately validates that you are who you say you are.
If A trusts B and B trusts C, then it's reasonable for A to deem C trustworthy.
But our system of reductive trust doesn’t handle all the edge cases and near-infinite variety of people and circumstances.
Imagine this real-life scenario. You have two babies born in the US at exactly the same time.
* Baby A is born in a hospital. Both parents are citizens and live in the same house that their grandparents lived in. They can easily provide their birth, mortgage, and employment records.
* Baby B was not born in a hospital. They had a natural birth at home somewhere in the US. Both parents moved to the US as refugees from a now-defunct country so all their official records of who they are have been lost.
One of them has their identity fully documented while the other, for all intents and purposes, has practically no identity. One will have a much easier time getting a job, buying a home, and ultimately passing their citizenship onto their offspring. The other will face hurdles and challenges each step of the way.
And yet, despite these differences, both of them are still fully legitimate US citizens and our system of government services is expected to treat them in exactly the same way from that point onwards.
Our system works great for the average case but it’s plagued by things nobody ever thought of. The infinite variability of human life and biology will mean that 1-2% of the population will always turn out to be completely immune to whatever reductive trust model we employ.
The few that don't have claims supported by trustworthy entities still have identities, but only in the philosophical sense and not ones that allow them to fully function in society.
As expected, technology has alleviated some of these problems while creating a whole host of new ones.
Identity on the Internet
The internet introduced entirely new ways of communicating, transacting, and coordinating. As a result, we needed new institutions to facilitate our system of reductive trust in an entirely new context.
Companies like Facebook, Twitter, and Google now host a wealth of information about our identities that weren't previously documented or verifiable—who we've interacted with, what we're interested in, and what groups we belong to.
Today, the average person maintains 90 or more password-protected accounts. Usernames and passwords have become the new credentials, giving us access to our favorite digital services and their respective claims about our identity.
But obviously the average person isn't maintaining 90 unique username and password combinations. They probably use 1 or 2 which means a single breach anywhere on the internet compromises a multitude of other accounts everywhere else.
As more and more small businesses come online, many of them are now managing our most sensitive personal information like our passwords, addresses or payment details. Most simply don’t have the know-how to manage and secure this critical information which explains the sharp increase in the frequency and severity of data breaches in recent years.
Bad actors have always tried to infiltrate, commandeer, and misrepresent people’s identities, but never has this task been easier nor the scale of impact greater.
To combat this problem, the biggest players in tech—Google, Apple, and Facebook for consumer apps and Microsoft and Okta for the enterprise—started offering Single Sign-On solutions (aka SSO).
Instead of entering a username and password onto every site, “Sign-In with Apple” lets you log in with just one account and they take care of your authentication and security with just a click of a button.
That is the state of play today. When you visit an app or website, it seems barbaric when they don’t offer one of these super convenient, Single Sign-on buttons.
And it’s not like these companies built this out of altruistic intentions—there’s strong business motivation behind these projects.
What I say next applies to all the big tech companies, but I’ll pick on Apple here since I do think they tend to get a free pass on these sort of things…
You’re much less likely to abandon your Apple account if it’s essentially the key to accessing the services you need. Apple gets to peer into which services you like to use, building a richer and richer profile of who you are and what you’re interested in. And because Apple is effectively driving traffic and signups to these other services, they have leverage if they ever wanted to negotiate favorable data or revenue share agreements.
By the way, despite branding itself as tech’s white knight for consumer privacy, Apple has actually been aggressively hiring people to build out their new advertising platform.
Needless to say, convenience never comes for free.
And while this paradigm is certainly much better than the old world of pure usernames and passwords, it also introduces a whole host of new problems.
* We have limited control over what gets shared about ourselves across the internet. Sure, we’re prompted to provide “permissions” to specific apps and websites but these permissions tend to be overly broad and impossible to understand for the average consumer.
* Our identities can also get “lost” with limited options to recover. Imagine losing access to your Gmail or Facebook accounts. You don’t just lose access to Gmail and Facebook, you lose access to everything that you've used those accounts for.
* Our identities, our personal information, and everything we’re allowed to do with them rests solely on a handful of tech companies acting in good faith. God forbid they have some sort of security breach, change their data & privacy policies, or decide to de-platform you. Oh wait…all of those things have already happened.
Now don't get me wrong, I'm not arguing that the current state of the world is this awful dystopia. Things evolved this way for a reason and work pretty darn well for the most part.
But I also think there’s a lot more that can be done—that we shouldn't just throw up our hands and declare "well this is just how it is!"
Identity systems are too important and play too big of a role in our lives to not continuously explore a better path forward.
What does a "good" identity system even look like?
So far, we've poked some holes into how real-world and digital identity systems work but we haven't yet defined what a "better" system would look like.
Fortunately, some very smart people have devoted a lot of thinking around this space and have even articulated some very compelling principles.
This notion of Self-Sovereign identity has steadily gained traction over the past few years. It’s the belief that each individual should have full control over how to access, use, and share information about themselves without needing to rely on some intermediary.
You can read more about Self-Sovereign Identity here but I'll go ahead and highlight a few of the principles I find most compelling.
* Ownership: Today, our favorite internet services simply grant us access to our identities. We don’t really have control over what gets shared and have even less visibility into what they actually know about us. In a self-sovereign world, our credentials would allow us to manage our identities directly with full control over what information gets revealed to which parties. We shouldn't "exist" simply because a particular identity administrator says we do.
* Interoperable: Without a standard protocol for identification, our identities get siloed into various walled-gardens. Our certifications let us do a job in one country but not the same job in another. Our health records are available in one hospital network but not another. These claims and credentials need to be verifiable across multiple platforms and services. Fundamentally, who we are shouldn't change just because we've changed contexts.
* Security and Privacy: A robust identity system should be immune from single points of failure. Hacks that expose sensitive personal information should be increasingly rare and (if they do happen) they shouldn’t compromise the security of millions of other people.
By now, I bet a few of you have already sniffed out where this post is going. It's another Bookie post celebrating the virtues of Web3 & the blockchain.
But hear me out, I’m writing this because it’s an example of a real-world use case I’m legitimately excited about. Plus we needed some crypto optimism to balance out the catastrophe described in last month’s post about Luna.
Blockchains act as a public, shared database where everyone is incentivized to check and validate what ultimately gets written to it. The network collectively decides what’s true rather than trusting a handful of institutions. It relies on consensus rather than reductive trust.
The technology that enables us to exchange cryptocurrencies can also be used to create a universal sovereign identity system.
To understand how this works, we’ll discuss two critical concepts—Decentralized Identifiers and Verifiable Credentials—before jumping into some really exciting projects happening in this space.
Decentralized Identifiers
Today, we rely on intermediaries like our email provider, our mobile network, and the government to supply us with identifiers that prove our uniqueness in various contexts. Because no two people should have the same ID, we can verify who someone is, what they own, and what they're allowed to do.
However, these identifiers live in silos and we’re forced to rely on each entity to maintain a unique registry of which ID belongs to each person. There’s no agreed upon, universal ID that works everywhere. My email account lets me access some services but I’ll need my social security number to do other things. This is ultimately one of the primary reasons our identities aren't portable across different platforms.
Blockchains unlock the ability for us to have decentralized identifiers (DIDs)—a globally unique, pseudonymous identifier that can be provided to users without any intermediary. You can also create as many DIDs as you wish, unique to each context you want to operate in.
Each person would hold a private key (sort of like a universal password) that would cryptographically verify that they own a particular DID.
I’ll preface that my knowledge of cryptography is fairly thin. I don’t have space in this article nor the intellectual capacity to explain all the math behind hashing or asymmetric encryption.
And there’s some irony here because I dropped my cryptography course in college thinking it’d never be useful to me...
So I’ll just paint in broad strokes.
Just know, “owning your identity” could work similarly to how crypto wallets enable you to own cryptocurrencies. Your public wallet address allows people to send you digital assets and for the rest of the blockchain network to validate your transactions. That public address is essentially your decentralized identifier.
Your private key then lets you access and prove (cryptographically) that you do in fact own those assets attributed to that wallet address.
I actually wouldn't be surprised if popular wallet providers today like Ledger or Metamask evolve to support "identity wallets" on top of wallets that hold Ethereum, Bitcoin, or NFTs.
The cryptography on a public blockchain enables two parties who know nothing about each other to verify each other's identities without ever needing to go through a middleman.
Verifiable Credentials
Verifiable credentials will be the digital analogs of the physical credentials we hold today. Like our diplomas or driver’s licenses, they represent specific claims supported by the entities who issued those credentials.
We’ll continue with our crypto wallet analogy to explain how this would work. Every time you send someone cryptocurrency, your wallet writes a transaction to the blockchain describing 3 things:
* The amount of cryptocurrency you’re sending over
* The public addresses of the sending and receiving wallet
* A cryptographic “signature” (based on the sender’s private key) that can be used to verify who initiated the transaction
In a decentralized identity system, the person issuing a verifiable credential will write essentially the same things to the blockchain:
* The credential they’re issuing (instead of the transaction amount)
* The DIDs of the issuer and receiver of that credential (similar to the public addresses of the sending and receiving wallet)
* The cryptographic “signature” (based on the issuer’s private key) that can be used to verify who issued that credential
In both cases, the blockchain network comes to a consensus (based on rules already established) for what constitutes a “valid” issuance before that interaction gets written permanently.
Because you can’t change anything once it’s encoded in the blockchain, it's essential that no personal data is ever written. Instead, the blockchain will simply act as a public, free-to-access ledger that shows who issued which verifiable credentials to whom.
And this unlocks a system where we’re not just limited to a handful of credentials backed by a handful of institutions.
Instead of just a university issuing you a virtual diploma, you can imagine being issued a verifiable credential for each project you've completed. You could receive verifiable credentials for major milestones you've achieved at work. Companies could issue you NFTs (which is a form of a verifiable credential) for your customer loyalty.
Our achievements can be recorded, updated, and shared in much greater detail.
Imagine how much more streamlined finding a job would be. Instead of providing a static resume or self-reporting your skills, your decentralized identifier can map to all the verifiable credentials issued by people and institutions supporting your achievements. And these claims can be quickly verified by your employer on the blockchain without time-consuming background checks.
As the "holder" of these verifiable credentials, you also have full control over who can access them. Smart contracts would allow the verified owners of these claims to grant or revoke access to all the credentials they own.
When applying for a credit card, instead of sharing your social security number and all your financial information, you can simply have your employer issue you a verifiable credential. The credential could simply state that you make over $x, giving the credit card company confidence that you can actually pay your bills, and then you can revoke access to that credential once you actually have your credit card.
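The issuance and verification steps described above, worked through for the credit card scenario as an added example (not code from this post or from any project it mentions). It assumes a made-up `did:example` identifier that embeds an Ed25519 public key, an in-memory array standing in for the blockchain, and hypothetical field names such as `incomeOverUsd`; it goes slightly beyond the text by salting the hash that is recorded and by having the verifier send a fresh nonce.

```javascript
// Added example: issue, record and verify a credential with Ed25519 signatures.
// The did:example method, field names and in-memory "ledger" are assumptions.
const nodeCrypto = require('node:crypto');

// A party is a key pair plus an identifier derived from its public key.
function createParty() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return { did: 'did:example:' + der.toString('hex'), privateKey };
}

// Toy resolver: the public key is embedded in the identifier itself.
function resolve(did) {
  const der = Buffer.from(did.slice('did:example:'.length), 'hex');
  return nodeCrypto.createPublicKey({ key: der, type: 'spki', format: 'der' });
}

// Field order is fixed by issue(); a real system needs canonical serialization.
function digest(obj) {
  return nodeCrypto.createHash('sha256').update(JSON.stringify(obj)).digest('hex');
}

const sign = (key, text) => nodeCrypto.sign(null, Buffer.from(text), key).toString('hex');
const check = (did, text, sigHex) =>
  nodeCrypto.verify(null, Buffer.from(text), resolve(did), Buffer.from(sigHex, 'hex'));

// Issuer signs the credential hash. Only DIDs, hash and signature go on the ledger.
function issue(issuer, holderDid, claim, ledger) {
  const salt = nodeCrypto.randomBytes(16).toString('hex'); // stops guessing small claims
  const credential = { issuer: issuer.did, holder: holderDid, claim, salt };
  const hash = digest(credential);
  const signature = sign(issuer.privateKey, hash);
  ledger.push({ issuer: issuer.did, holder: holderDid, hash, signature });
  return credential; // kept off-chain in the holder's wallet
}

// Holder proves control of the holder DID by signing the verifier's fresh nonce.
function present(holder, credential, nonce) {
  return { credential, proof: sign(holder.privateKey, nonce + ':' + digest(credential)) };
}

// A valid signature is not enough: the verifier also decides which issuers it trusts.
function verify({ credential, proof }, nonce, ledger, trustedIssuers) {
  if (!trustedIssuers.includes(credential.issuer)) return 'untrusted issuer';
  const hash = digest(credential);
  const entry = ledger.find((e) => e.hash === hash && e.issuer === credential.issuer);
  if (!entry) return 'not on ledger';
  if (!check(credential.issuer, hash, entry.signature)) return 'bad issuer signature';
  if (!check(credential.holder, nonce + ':' + hash, proof)) return 'holder proof failed';
  return 'valid';
}

function demo() {
  const ledger = [];
  const [employer, alice, mallory] = [createParty(), createParty(), createParty()];
  const trusted = [employer.did];
  const cred = issue(employer, alice.did, { incomeOverUsd: 50000 }, ledger); // constructed value
  const forged = issue(mallory, mallory.did, { incomeOverUsd: 50000 }, ledger);
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const run = (who, c, expected) => verify(present(who, c, nonce), expected, ledger, trusted);
  return {
    genuine: run(alice, cred, nonce),
    tampered: run(alice, { ...cred, claim: { incomeOverUsd: 500000 } }, nonce),
    stolen: run(mallory, cred, nonce),
    replayed: run(alice, cred, 'a-different-nonce'),
    selfIssued: run(mallory, forged, nonce),
    claimOnLedger: JSON.stringify(ledger).includes('incomeOverUsd'),
  };
}

console.log(demo());
```

The `selfIssued` case passes every signature check and is still rejected, because the verifier's list of trusted issuers is a policy decision that the ledger cannot make for it.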
Because we would all operate under a public, shared set of facts, our identities become interoperable and we can take them with us and use them however we please across multiple contexts.
A decentralized identity system will more closely resemble how things work in the real world. We own our reputations and achievements instead of having them padlocked in various gatekeepers.
Your digital wallet can single-handedly act as your login, your government ID, and your resume.
Coming back to our 3 favorite self-sovereign identity principles, we can now see a possible future where blockchains, DIDs, and verifiable credentials can improve our existing identity systems:
* Ownership: Everyone is responsible for managing their own “identity wallet”. Their wallet stores all claims about their identity in the form of verifiable credentials and they can control how and when they can be shared.
* Interoperable: A public, distributed ledger allows the network to operate under a common source of truth. Anyone can easily verify any claim, which allows our identity to move fluidly across different contexts.
* Security and Privacy: We avoid having a single point of failure because trust and ownership are distributed across the network rather than concentrated to a handful of players. Cryptography also ensures that claims can be verified without needing to expose sensitive information about ourselves.
It’s an exciting future. And one that I believe will provide greater access and agency to people negatively impacted by how we currently maintain our identity systems.
* The unbanked will have easier access to financial services now that their trustworthiness can be determined beyond just a credit score
* Loan applications that used to require mountains of paperwork can be submitted and processed in seconds
* Consumers will have more control over what information gets shared and stored about them while they’re browsing and transacting online
Now, all we have to do is figure out how to get there.
So what’s next?
If decentralized identity could ever achieve mainstream impact, there are 3 challenges (among many) that are top of mind.
* We’ll need some way to map people’s real-world experiences, credentials, and achievements to a public blockchain
* Then we’ll need to standardize how these verifiable credentials get recorded, shared, and verified across a network along with relevant context. For example, when we record someone’s contribution to a project, we also need to capture the context around how they earned that credential and what skills they demonstrated.
* And finally, we’ll need widespread adoption of the technology standards that will support this new decentralized system
Piling on here…once we figure out the technology and adoption challenges, we'll then need to contend with significant societal challenges as well—some we can foresee and certainly some we won't expect.
* Web3 today skews affluent, male, and white. If we want to achieve a more inclusive decentralized system, we must be careful not to exacerbate existing socioeconomic divides by accruing influence to only the privileged.
* A system where claims are permanently written to a public record will make it difficult to escape one’s past. If bad credit scores or getting canceled on Twitter serves as an omen, we should think through the implications of people never being able to escape a mistake.
* Crypto wallets offer little protection if your private keys ever get compromised. Before Web3 can serve as a mainstream repository for identity and reputation, it will need to provide systems of insurance and recovery that we expect from other services.
So yeah...I'm a "glass half full" kind of guy but there’s understandably A LOT of headwinds to replace an imperfect but longstanding way of doing things.
Is decentralized identity perfect and inevitable?
No. And I'm highly skeptical of anyone who claims otherwise.
But with that said, I also don't think this domain is purely an intellectual exercise.
Clearly, more work needs to be done but a handful of startups, organizations and even countries are already undertaking the ambitious task. A few examples:
* Ethereum Name Service (ENS) allows crypto users to translate their public-key addresses (which are garbled sequences of random characters) to human-readable addresses (like budlight.eth). This is currently the most popular form of obtaining a decentralized identifier.
* Violet is building a cryptographically secure "proof of identity" system on Ethereum. They’re focused on identity management and compliance for financial services but can likely expand to other use cases in the future.
* Rabbithole, Polywork, and 0xStation allow users to record professional achievements on-chain. Think of them as decentralized versions of LinkedIn that provide more granular, up-to-date signal on your skillsets, professional activity, and achievements.
* Proof of Attendance Protocols (POAPs) allow people to purposely record a “life event” on-chain, creating tokens that become a part of their digital identity. Similarly, people might make active attestations of other people’s skills by sending them custom verifiable credentials.
* The country of Estonia (in partnership with a crypto company named Guardrail) built a new KSI blockchain identity system to handle citizens’ data and government services. Today, 99% of all government services can be carried out digitally. Citizens can take less than 5 minutes to file tax returns, they can vote securely online, and they can securely transfer their health records to any hospital network of their choosing.
* Microsoft and Google have already announced decentralized identity projects (although right now they’re mostly focused on enterprise identity management).
Conclusion
Part of what made this post an absolute doozy to write was just the sheer amount of information describing what's happening with identity.
There is so much history to cover and so many exciting new developments.
I considered scrapping this entire piece altogether on multiple occasions, worried that I didn’t have the intellectual horsepower to connect all the dots.
But ultimately, like a lot of posts on Bookie, I felt that the ideas were important enough to at least try to organize into something semi-coherent. Plus, stretching myself beyond my intellectual comfort zone was why I started writing in the first place :)
Even after hours of reading about the philosophical definition of identity, visiting landing pages of various crypto startups, and synthesizing all that information into something digestible, the whole space still feels dizzying.
Writing this piece has been incredibly worthwhile though and while I can’t say I have a credible point of view on what’s in store, I am optimistic.
The possibility of truly owning our identities and having them become more useful in more places is pretty damn cool.
So…let's see what happens next!