The ethical dilemma posed by Decentralized Identity

And how to solve it, in theory and in practice

Identity systems have traditionally been hierarchical directories. In organizations, central administrators define the rights that each user (or group of users) has on the system. And so, they need to know who the user is.

On the internet, nobody knows you’re a dog

That’s a big problem to solve, famously cartooned by Steiner in 1993: “on the internet, nobody knows you’re a dog.”

Since 1993, the internet has taken over the world. Identity and Access Management (IAM) systems now span a wide variety of uses, which include customers too. Privacy regulations define what is allowed and what isn’t, as far as the processing and storage of individual data are concerned.

Most of these systems are still very much centralized. Since passwords create large security gaps, protocols such as OAuth2 enabled the reuse of social accounts. People log in through Facebook, Google, GitHub, etc. The obvious downside is that those large networks get to know everything you authorize.

As a result, an internet of behaviors (IoB) is emerging, as many technologies capture and use the “digital dust” of people’s daily lives. The IoB combines existing technologies that focus on the individual directly (facial recognition, location tracking and big data, for example) and connects the resulting data to associated behavioral events, such as cash purchases or device usage.

Gartner predicts that by year-end 2025, over half of the world’s population will be subject to at least one IoB program, whether it be commercial or governmental. As we already discussed in a previous article on surveillance capitalism, one can expect extensive ethical and societal debates about the different methods employed to affect behavior, and whether that’s even a legitimate approach in the first place.

Technologists should embed those new issues into their identity work. As an example, a new IETF protocol called GNAP, currently being specified, embeds a privacy-by-design approach to mitigate those issues (disclaimer: I’m one of the co-editors). End-user…