- Facebook’s Libra white paper includes a brief but potentially seismic nod to digital identity standards.
- With 2 billion users worldwide, Facebook may be able to succeed
where others have failed in jump-starting a globally accepted digital
ID. - Some identity experts say this is even more important than the
cryptocurrency, but others question how much control Libra would give
users and find its approach overbearing.
Buried in Facebook’s Libra white paper are two short sentences hinting that the project’s ambitions go even further than bringing billions of people into the global financial system.
More than launching a price-stable cryptocurrency for the masses,
Libra could be aiming to change the way people trust each other on the
internet.
At the top of page nine, in a section describing the consortium that will govern the Libra coin, the white paper states:
“An additional goal of
the association is to develop and promote an open identity standard. We
believe that decentralized and portable digital identity is a
prerequisite to financial inclusion and competition.”
That’s all the paper has to say on the topic of identity, perhaps explaining why the brief mention of such a foundational issue for 21st-century commerce escaped widespread notice despite all the hype over the document itself.
But to some observers, the line dropped like a bomb.
Dave Birch, director of Consult Hyperion and the author of books on digital identity and bitcoin, flagged these lines as “the most interesting” in the paper.
Smoothing pathways on the internet
using identity is a bigger deal to many people than a putative
cryptocurrency, Birch argued, adding:
“There are no throwaway
remarks in a Facebook white paper that has taken a year to put together.
It’s in there for a reason. [Facebook] are actually going to try and
fix the identity problem.”
A Facebook spokeswoman said this week that the company had nothing to add about identity beyond what’s in the white paper.
Who are you?
It’s a problem almost as old as the internet itself. As the classic “New Yorker” cartoon put it, “on the internet, nobody knows you’re a dog.”
In such an environment, businesses need to guard against fraud, but
the copious amounts of personal data consumers must share to prove they
are who they say they are leaves them vulnerable to identity theft and spying.
Fixing this problem means finding a way to have the sort of
credentials an individual holds in their physical wallet realized in a
verifiable digital version which can be trusted across the internet. And
for many technologists who have thought long and hard about identity,
the solution must be “self-sovereign,” or controlled by the individual.
Birch, who has long seen the
potential of social networks as natural springboards for managing
digital identity, described a scenario where a user’s “I am over 18”
credential (rather than their exact birthdate) is needed to log into a
dating site.
This could be accessed through
Libra’s cryptocurrency wallet Calibra via one of its partners,
Mastercard, for example, with its two-factor authentication process.
Then a cryptographic credential is sent back to Calibra containing no
personally identifiable information but stating this person is over 18,
which can then be presented to the dating site at log in.
While others have proposed similar arrangements (sometimes involving blockchains), none had the reach of Facebook, with its 2.38 billion users worldwide.
If Libra were “to drift in the
direction of self-sovereign solutions, Facebook’s endorsement of that
approach might make more of an impact on the market than, say, uPort or Evernym might have done,” Birch said, referring to two such blockchain ID startups.
And despite its reputation as the ultimate Peeping Tom,
Facebook has hinted at such aspirations before. In February, while
Libra was still under wraps, CEO Mark Zuckerberg said he was investigating blockchain’s potential to allow internet users to log in to various services via one set of credentials without relying on third parties.
Standard setting
Stepping back, technologists have been trying to address the challenge of identity for more than a decade by establishing open standards.
In the same way that URLs, for example, open webpages anywhere on the
internet, standards are also needed to ensure digital attributes about
an individual can be universally issued and verified.
The OAuth standard, for example, is
what let you log into websites through a third-party service like
Facebook without sharing a password. More
recently, such work under the auspices of the World Wide Web Consortium
(W3C) has included things like Decentralized Identifiers (DIDs) and the
verifiable credentials standard, both meant to enable self-sovereign
digital identity.
Some veterans of this field were
taken aback by the suggestion that the Libra Association (a group of 30
or so companies, expected to reach 100 or more) would develop an open
identity standard.
“That’s very world domination-ish of them,” said Kaliya Young, a co-author of “A Comprehensive Guide to Self Sovereign Identity” and co-founder of the Internet Identity Workshop.
“Some of us have been working on that problem for a really long time.
You already have a set of open standards for verifiable credentials that
are basically done and working.”
Young pointed out that “unilaterally
declaring” an open standard belies the process of going through
standards development with an open community, adding that all the people
working on identity standards are connected to one another in reaching a
common goal.
“That
work is being led by a community of people deeply committed to there
being no one company owning it in the end, because identity is too big
to be owned, just like the web is too big to be owned,” she said.
(Indeed, Facebook was previously said to have rebuffed an invitation to participate in the DID project alongside Microsoft.)
Phil Windley, chair at the Sovrin
Foundation, which contributed the codebase to the Hyperledger Indy
blockchain ID project, acknowledged the risk of parsing two sentences in
Libra’s paper too finely. But he made the point that “decentralized”
and “portable” (Facebook’s words) are not exactly the same as
self-sovereign.
“Decentralized” could simply mean a
user’s identity data – their attributes and identifiers – are spread
among nodes that are run on the Libra blockchain, said Windley. This
doesn’t imply the user necessarily has control of them. Likewise,
“portable” just means credentials can be moved from one place to another
but doesn’t necessarily mean you get a say in how they are used.
Windley told CoinDesk:
“People often use
‘decentralized’ as an unalloyed gilt and just assume that it means
everything is going to be great. That could be what they are doing here –
just using ‘decentralized’ as a synonym for ‘awesome.’”
Joining the dots
That said, Windley was respectful
about the scale of Libra’s vision, which he suspects is much bigger than
dealing with know-your-customer (KYC) checks and the regulation around
building a global permissioned currency platform.
He pointed to the paper’s authors
which include many firms like Mastercard or Kiva, folks who have thought
very hard about digital identity. (Neither company would comment on
Libra’s approach to digital identity).
“I suspect given Libra’s goal of
financial inclusion, they are probably thinking about it bigger than
just authentication and authorization for a few narrow purposes,” said
Windley. “I think there is enough there (e.g. the smart contract
language) to believe a stablecoin is just one thing that they envisage
using Libra for.”
In the absence of any detail on what
might comprise a decentralized identity standard from Libra’s
perspective, some dots can be joined by examining the recent work of
George Danezis and his co-founders at Chainspace, a startup acquired by
Facebook in May.
A paper introducing a “selective disclosure credential scheme” called Coconut explains
how a system of smart contracts (computer programs that run on top of
blockchains) could “issue user credentials depending on the state of the
blockchain, or attest some claim about a user operating through the
contract – such as their identity, attributes, or even the balance of
their wallet.”
The Coconut protocol goes on to
describe how credentials can be jointly issued in a decentralized manner
by a group of “mutually distrusting authorities.” These credentials
cannot be forged by users or a group of corrupt authorities, and are
also “re-randomized” prior to being presented for verification to
further protect user privacy. Unlike some computationally-hungry proving
schemes, this is done in a matter of a few milliseconds making it
highly scalable.
Returning to the question of
standards, Birch said W3C, DIDs and verified credentials might be the
right option for Libra, but whether it’s that or something else,
basically whatever they choose would end up being a standard, he said,
concluding:
“And you could argue, is
that necessarily a bad thing? I mean what happens if they come up with a
good standard for identity and attributes and so on and then other
people can use it, e.g. banks would be one obvious example.”
source link
