As we begin to live and work in digital spaces, we must design an identity system that is safe, secure, and decentralized like the web. A combination of the blockchain and digital certificates seems like the best design.
In the beginning, the web was mostly read-only, so we were all mostly anonymous. We didn’t need to log in when visiting sites, because it was just the information on the site we were after. And even today, logging into a website is a nuisance that we often do only to pay for something or enter a shipping or delivery address.
But that is all about to change: VR will let us work and play in places where there are many other people, so we will need to have a way to identify ourselves to those people. Some of them will be people we know, like our friends, family, and co-workers, but like in the real world, many of these will also be new people that we will meet for the first time in virtual spaces. We need a new kind of identity system that works for these new places, and we will need that identity system to be very well designed.
Social networks, like Facebook or LinkedIn, require that your identity be your real-life name, do not support any kind of anonymous access, and offer very little in the way of partial disclosure of identity. But this will not work in the Metaverse: When you are shopping in a store or walking down the street or going to a movie, would you be OK if everyone nearby could see your full legal name, floating above your head? Would you be OK if your kids had their names over their heads whenever they were outside? You probably would not, and you will not be OK with that being true in the Metaverse, where you will often be in ‘public’ around lots of other people you don’t know, and don’t necessarily want to disclose your identity to. Identity disclosure needs to be an individual choice, and anonymity needs to be one of the possible choices. Additionally, giving someone your name is an important social ritual, and should not be forced on us.
But simply being anonymous isn’t sufficient, either: To enter a virtual place, for example, you will often minimally need to prove things such as that you are a certain age, or work for a certain company, belong to a group, or are deemed to be reasonably trustworthy (and deeper ideas on this last one I will take up separately in a future post). This doesn’t necessarily mean that you need to give out your real name, but it means that you may need to prove something about your identity to another person or place that you visit. So we need a system that lets you disclose pieces of your identity, but not all of it.
Being partially anonymous doesn’t mean you will be able to do whatever you want: There will be ratings systems (probably more than one) that allow other people to up-vote you or lodge complaints in the same way we have Yelp pages on businesses today. If anything, you will probably feel more responsible for your actions in the Metaverse, because it will be easier to tie back events or actions to identity than in the real world (e.g. throwing your beer bottle in the bushes). Also, it is likely that many servers will not allow you to visit or to make changes to things unless you have a good reputation (and for a fun meditation on how terribly wrong this could go if implemented incorrectly… there is of course a Black Mirror episode). But an important thing is that those avatars and their associated reputations not always be linkable back to real-world identities.
Who can we trust to store this identity information for you? This is a serious problem, and the best answer is — no one. Pretty much every company storing account information suffers serious data breaches at one time or another, and even if there are not breaches, individual employees of that company have day-to-day access to dangerous amounts of your personal information. For example, consider that it would be possible today to threaten or blackmail an employee of a large MMO to give out the name and home address of a specific player in the game. This hopefully hasn’t happened yet with MMOs, but what about when those players become avatars running multi-billion dollar corporations or famous virtual celebrities? Ideally, different pieces of identity need to be stored securely in different places, and not be connectable by anyone other than the owner of the identity.
Another important issue is who can update information regarding your identity? For example, if there is some kind of rating system that says how popular people are, and those scores are stored in some company database somewhere, a malicious employee could potentially edit that database to harm someone else. As an example of the seriousness of these risks, consider that in the U.S., credit reporting companies are overseen by a federal agency. Ideally, identity information should be updated only by the person who owns that identity, with validation provided by third parties as needed to confirm the information.
A Proposed Solution
In building the identity system for High Fidelity, which we hope will be a candidate to be the open source platform for these shared digital spaces, we think these needs can be addressed by using a combination of trusted digital certificates and a blockchain as a distributed database.
Without diving into all the gory details here, a quick summary is that blockchains are essentially a distributed public database, where records can be written into the database for a small fee that is then distributed amongst the many people helping to provide storage and computing power. By writing records into the blockchain that are signed by identity owners and validated as needed by other third parties, we can achieve all the goals described above, creating an identity system allowing rich identity information to remain under the control of the identified individuals, with no risk of accidental disclosure due to breach or malicious intent.
How it Works:
So, for example, let’s say you want to prove that you are really the person who owns a certain email address — this is a very common part of identity systems today, and a perfect example of what we need to make really secure. Here is how that would work:
First, you go to a website of a trusted third party that validates information for storage in the blockchain. Let’s say for this discussion that this is Google, but it could as easily be Verisign, or of course High Fidelity. You can pick whatever company you want, provided that they are well enough trusted that the people you will ultimately want to prove your identity to are likely to believe them. Google puts up a web page where you can give them the email you want to prove that you own. They then send a code to that email, which you reply to, in the same way that might happen when you create a new online account today. But instead of putting that transaction in a database somewhere (which would potentially compromise you later on), Google writes an entry into the blockchain which says “Google, Inc. certifies that the owner of the following public key is also the owner of this email address.” Google doesn’t need to know anything else, and they don’t associate your email address with any other account information. This is a service that Google, as a trusted third party, is willing to do for you (and probably something for which they charge you a small fee).
Now, later on, let’s say you want to attend a private group meeting in VR and are trying to prove who you are to get into the meeting. When you arrive for the meeting, you give the server a string that proves that you own that public key, along with a link to the entry that Google made for you into the blockchain. By looking at these two things, anyone can securely validate that you are the person who has that email, which is enough security to get you into that meeting. But they don’t need to get any other information about you.
If you needed to prove something else (like your phone number or real-life name), you could give the requesting person (or server) a different string and public database entry that lets them see that someone at some point verified that you were the person with that RL name. But because these two pieces of information are not stored together — they are two unrelated pieces of information in the blockchain — there isn’t any database that could be hacked to associate them.
So, by storing bits of certified personal information in the blockchain, and then proving that you own different ones when you want to login somewhere, a decentralized identity service can be created without needing to trust or store sensitive data in any one location or company database.
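The certify-then-prove exchange described above, as an added example in Go that is not High Fidelity's code. It assumes Ed25519 signatures and a server-issued random nonce as the "string" the visitor signs, uses an in-memory record in place of a real blockchain entry, and the names Attestation, NewKey, Certify, Prove and Admit and the sample address are made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Attestation struct {
	Claim      string            // certified attribute, as written to the public ledger
	SubjectKey ed25519.PublicKey // key the user made for this claim only
	IssuerSig  []byte            // certifier's signature over claim + key
}

// NewKey returns a fresh key pair; the user makes one per certified attribute.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signedBytes(claim string, subject ed25519.PublicKey) []byte {
	return append([]byte(claim+"\x00"), subject...)
}

// Certify is run by the certifier once the e-mail round trip succeeds.
func Certify(issuer ed25519.PrivateKey, claim string, subject ed25519.PublicKey) Attestation {
	return Attestation{claim, subject, ed25519.Sign(issuer, signedBytes(claim, subject))}
}

// Prove is run by the visitor: sign the nonce the server just issued.
func Prove(user ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(user, nonce) }

// Admit is run by the server: certifier signed the record, subject key signed this nonce.
func Admit(issuerPub ed25519.PublicKey, a Attestation, nonce, proof []byte) bool {
	return len(a.SubjectKey) == ed25519.PublicKeySize &&
		ed25519.Verify(issuerPub, signedBytes(a.Claim, a.SubjectKey), a.IssuerSig) &&
		ed25519.Verify(a.SubjectKey, nonce, proof)
}

func main() {
	issuerPub, issuerPriv := NewKey()
	emailPub, emailPriv := NewKey()
	entry := Certify(issuerPriv, "email:alice@example.com", emailPub) // constructed claim
	nonce := make([]byte, 32)
	rand.Read(nonce)
	fmt.Println("admitted:", Admit(issuerPub, entry, nonce, Prove(emailPriv, nonce)))
}
```

Because the server picks a fresh nonce for each visit, a proof captured at one meeting does not verify at another. Certifying a second attribute under a second key pair from NewKey gives a ledger record that shares nothing with the first.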
Further, the existence of historical records in the blockchain (which also stores a distributed history of all these certificates) makes it difficult for anyone to lie about your identity. For example, if you have a history of good credit ratings generated by some well-trusted agency and written into the blockchain, it would be harder for someone to single-handedly destroy your reputation with new entries you disagreed with, because the old ones can’t be erased and are still there forever for everyone to see.
And of course, this sort of identity system might someday even work well for real-world things, like who can vote, or keeping track of who owns parcels of land. It seems likely that a distributed database like this, applied to identity information, could be a bigger value to people than the current applications which have been mostly for virtual currencies like Bitcoin. There are even organizations like Democracy.earth that are looking at how these kinds of decentralized databases could replace parts of government entirely.
As a first step, I’d like to suggest that people and companies building virtual worlds engage in a discussion about the feasibility and merits of this kind of blockchain-based identity. We will be attempting to implement this approach for identity in High Fidelity in the coming months.