In response to a post on X about China's social credit system, Paul Conlon said:
Digital ID is ultimately about access control where those who impose the system are the ones determining what you are required to be and do.
Provision of resources and liberties become conditional upon the whims of the affluent. Doesn't sound safe or convenient to me.
From X
Referenced 2024-08-28T08:10:31-0400
How Paul said this struck me because I've been thinking a lot about access control lately. I believe that we build identity systems to manage relationships, but, as Paul points out, the ultimate utility of identity systems in many cases is access control.
This isn't, by itself, a bad thing. I'm glad that Google controls access to my GMail account so that only I can use it. But it doesn't stop there. If I use my Google account to log into other things, then Google ultimately controls my access to everything I've used it for. This is federation's original sin [1].
Paul's comment points out the primary problem with how we build identity systems today: when access control is centralized, it inherently shifts power towards those who manage the system. This dynamic can lead to a situation where individuals must conform to the expectations or demands of those in control, just to maintain their access to essential services or resources. While we often accept this trade-off for convenience—like using Google to manage multiple logins—the broader implications are troubling.
The more we rely on federated identity systems, with their tendency to centralization, the more we risk ceding control over our digital lives, reducing our autonomy and increasing our dependence on entities whose goals may not align with our own. This is why the principles of self-sovereign identity (SSI) are so compelling. SSI proposes a model where individuals maintain control over their own identity, reducing the risks associated with centralized access control and enhancing personal freedom in the digital realm.
Critics of SSI will claim that giving people control over their identity means we have to accept their self-assertions. Nothing could be further from the truth. When someone wants me to prove I'm over 18, I use a driver's license. The state is asserting my age, not me. But I'm in control of who I show that to and where. Sovereignty is about borders and imposes a system of relationships.
Now, China could use SSI to build the social credit system. One credential, controlled by the state, that is used to access everything. SSI makes individual control structurally possible, but can’t guarantee it. Technology alone can't solve this problem. As a society, we have to want a digital world, modeled on the physical one, where individuals are the locus of control and use information and assertions from a variety of credentials to build and interact in peer-to-peer relationships. Until we value freedom and independence in the digital world, we will yield up control of our digital lives to others who will act in their own interests, not ours.
Notes
[1] For similar reasons, I think federated social media systems are a bad idea too, but that's another blog post.
Photo Credit: Papers Please from DALL-E (public domain). Prompt: Draw a rectangular picture of police checking identity papers of people on the street
I am increasingly convinced that AI agents controlled by and answerable to the user (ideally provided by not for profit privacy protection organizations and licenced humans to assist) are the way to equip all users with the tools to interact with AI services so that it's a more balanced playing field for interaction and data sharing management, for which regulation may also play a part.
Cyber-insurance, which is increasingly concerned with personal data breaches/misuse, will provide the financial incentive.
Great discussion, Phil - I think you touch upon two important areas in SSI and identity as access control.
1) In healthcare, "access control" means allowing you access to your data about you.
2) Looking at your DALL-E graphic, it makes me think of SSI in terms of Zero Trust. How do I know those ppl in uniforms that just say "Police" are authorized validators or my verifiable presentation?
Thanks as always.