Disrupted loyalties; how identity management will disrupt GAFA
Taking identity management back from big business
Hard as it might be to imagine, on the horizon are technologies that have a very real chance of disrupting GAFA (google, apple, facebook, amazon). Each of the GAFA companies have network effects as a core part of their business model, which depend (partially) on loyalty. The problem with networks for users is that, over time, if your loyalties become divided for any reason (e.g. you become uncomfortable with the level of information one network has) the only option you have is to leave the network. Most often this will mean also leaving your data in that network.
So in many ways loyalty is intertwined with identity, and identity management is on the verge of a fundamental re-think. Current computing networks rely on organisational supplied servers storing and protecting our data (as best they can): effectively a ‘walled-garden’ we ask organisations to defend. New decentralised peer-to-peer technologies now permit encryption at the record level, which means no need for servers, which means no need for the companies that protect them.
It’s about identity
We live in a strange and paradoxical world when it comes to digital identity. On the one hand, rigorous laws exist to preserve the confidentiality and privacy of our personal data, yet we regularly sign away and waive those rights contractually through ‘terms of service’ that, let’s face it, few of us read. This then permits a staggering amount of our data to be sold and shared.
From an organisation’s viewpoint, the situation is equally bizarre: as organisations get more clients (and therefore get more successful), they will likely find themselves in a position with disproportionately increasing data maintenance costs. This is made worse by a progressively stricter legal and regulatory backdrop on how that data is maintained. Organisations justifiably get frustrated with this administrative burden as it is a distraction from their main business but with a real threat of litigation if it goes wrong.
Anecdotally, our collective understanding of the implications and importance of identity vary enormously from paranoid to apathetic, to ignorant. This also tends to change depending on both demographics and nationalities. I find it particularly interesting that generation Y(whose adult lives are likely to be completely digital) seem to be far more aware of personal data infringements but also less concerned, provided they know they can control ‘write’ access. Personally, I think this is a worrying state of affairs for them: I have a bit of a passion for issues relating to identity and privacy as I fear that long periods of stability serve to weaken the importance societies place on both. This is particularly relevant right now, amplified by online technology and services moving at such a pace that leaves most in the uneasy position of having to accept the current status quo as there is no alternative to access the services we want. This problem is further accentuated by the fact that most of the ‘free’ online services and content we all use is funded through advertising which many do not fully appreciate or understand.
What is needed is identity management at the edges of connected networks, not at the centre. Historically there has been no such option from a technology perspective, but that is about to change.
Advances in peer-to-peer technology, cryptography, blockchain and decentralised contributed-computing resources are about to offer us a new paradigm of digital identity and data management. These have the potential to impact the entire world around us; from the way governments are run and how we vote for them, how we conduct business, to how we fund and access curated content and how we manage our finances.
What does identity mean?
Before I go into the technology, it is worth highlighting some of the high level issues that surround identity. In order to go about our (complicated) lives, we need both privacy and transparency to permit, restrict and enforce permanent and temporary information; it is these conflicting objectives that cause confusion. The reality is we all need/want the potential to be different personae, in different situations, at different times. We also need to be able to accept and reject others’ created personae.
It is for these reasons that the current fragmented management of online identity which creates dozens if not hundreds of accounts and identities is not necessarily a complete disaster, albeit inefficient and insecure. At the very least, it has allowed for us to keep some degree of segregation between our various personae.
However, we’re at a tipping point. If nothing else, the sheer number of online accounts and identities we’re trying to manage is impractical and therefore risky (for example through weak passwords). To make matters worse, we now have a long and infamous list of organisations that have failed to protect personal data.
To combat these failures, there has been a noticeable increase in identity-based businesses, in addition to well-publicised efforts by the likes of Google, Facebook and Apple to facilitate single sign-on services. Whilst I applaud the efforts of some of these companies, I equally believe that there is a fundamental long-term disconnect between these corporate motivations and identity based services with the interests of users at their core. Even if current motivations are pure, no-one knows with certainty how these companies will behave in the future. Without significant compromise it is unavoidable over the long-run for any identity platform to be anything other than a utility: ongoing maintenance should be open source where costs are borne by the users and transparent.
Is data an asset or a liability?
Something else has been niggling me for a little while which may seem counter-intuitive: personal data is seen as an asset for most companies but as technology evolves, I think it will be considered more and more of a liability.
Take, for example, the new EU General Data Protection Rules (“EU GDPR”) which impose a number of fairly punitive obligations on all companies as to how they (and their commercial relationships with whom they share data) handle the private data of EU citizens. For transparency, I think the EU GPDR is a much needed piece of legislation in a world that says one thing but does another with private data. However, it is inevitable that companies will be taken to court over breaches relating to the EU GPDR, and when this happens the idea of this data being a liability will begin to permeate.
So is there an answer? I believe there is. We’re at a very interesting time in computing history. We now have live working examples of decentralised peer-to-peer computing systems that enable the transfer of assets, and the agreement and settlement of contracts (through technologies like ethereum, bitcoin, tendermint, etc). There is a great deal of excitement surrounding the commercial application of these type of technologies but they currently tend to come at a cost. Specifically, the trusted provenance of these networks tends to also come with pseudonymity rather than anonymity. Although you can interact with the networks under a name other than your own, your identity to the network will be the pseudonym you assume. Whilst it is possible to create many pseudonyms, it is equally possible that over time your traffic or history could be used to identify you. I should stress that this is not inherently bad, indeed it can be desirable. It is just not desirable all the time in all circumstances.
It is for these reasons I think blockchain technologies are an important necessary ingredient of identity management...but something extra is required.
A new hope
The missing link is very nearly here: Decentralised Encrypted Networked Computers (‘DENCs’). A carefully constructed combination of both DENCs and blockchains (possibly including other peer-to-peer technology like IPFS (https://ipfs.io/)) will, I believe, be the panacea the world needs for identity management. It should permit the appropriate balance between transparency and anonymity, transitory records and permanence. It will permit the appropriate permission-set to be attached to different personae, whilst allowing private individuals to truly control their data by permitting the appropriate level of disclosure to whatever data they choose when they choose.
One example of a DENC which is on the verge of going live is SAFE Network (Secure Access For Everyone) https://safenetwork.org/ by Maidsafe http://maidsafe.net/. SAFE is a new way to interpret the way we currently think of computing, it eliminates the need for servers on a network instead using the unused hard drive space, processing power and data connection of its user base. It has many desirable properties but the one relevant to this discussion is an identity layer which requires users to self-authenticate to participate in the network. Crucially, unlike blockchains, the SAFE network is not intended for use as a mechanism for transferring value or enforcing contracts, it is not designed for data provenance. This means that users really do both own and control their data: if they want to keep it private forever they can. Maidsafe describe SAFE as a ‘crowdsourced internet’ but importantly an internet where security of your personal data goes above all else.
It is the combination of blockchain and DENCs (like Maidsafe) that hold the greatest promise for the future of a digital identity environment we all need. Using the right combination of identities within both blockchains and DENCs will allow for the flexibility and control that needed to properly manage and protect our digital identities. I fully expect new companies to emerge over time that help users manage their digital identity set-up, but crucially these will be fully transparent paid-for services which the user will still ultimately control.
The end of GAFA?
It is hard to overstate the impact this would have were to this to happen. At the very least it would lead to a rethink of certain business models. In the same way that ad- blocking web-browsers is creating panic amongst online businesses that rely on advertising as their primary source of revenue, an identity-based configuration as described above could have a not-dissimilar impact on the GAFA companies; it isn’t completely out of the question however absurd it may seem today.
However it is not all doom and gloom for companies. On the contrary, these developments have the potential to enable companies to better target customers. For example, it will allow for much more precision in the effectiveness of advertising and customer loyalty programmes because only those wanting to be contactable will be, and at the times and under the conditions they find acceptable.
For anyone interested in learning more about this vision of the future, you might want to follow an open source project that is currently in stealth mode called ‘Mia Idento’ at www.miaidento.org. Mia Idento is looking to implement just such a vision. In addition, there is some interesting work being coordinated through initiatives like the Open Identity Exchange (www.oix.com) and I encourage everyone to follow their output.