Summary: Until we value freedom and independence in the digital world, we will yield up control of our digital lives to others who will act in their own interests, not ours.

In response to a post on X about China's social credit system, Paul Conlon said:

Digital ID is ultimately about access control where those who impose the system are the ones determining what you are required to be and do.

Provision of resources and liberties become conditional upon the whims of the affluent. Doesn't sound safe or convenient to me.

From X
Referenced 2024-08-28T08:10:31-0400

How Paul said this struck me because I've been thinking a lot about access control lately. I believe that we build identity systems to manage relationships, but, as Paul points out, in many cases the ultimately utility of identity systems is access control.

This isn't, by itself, a bad thing. I'm glad that Google controls access to my GMail account so that only I can use it. But it doesn't stop there. If I use my Google account to log into other things, then Google ultimately controls my access to everything I've used it for. This is federation's original sin¹.

Paul's comment points out the primary problem with how we build identity systems today: when access control is centralized, it inherently shifts power towards those who manage the system. This dynamic can lead to a situation where individuals must conform to the expectations or demands of those in control, just to maintain their access to essential services or resources. While we often accept this trade-off for convenience—like using Google to manage multiple logins—the broader implications are troubling.

The more we rely on federated identity systems, with their tendency to centralization, the more we risk ceding control over our digital lives, reducing our autonomy, and increasing our dependence on entities whose goals may not align with our own. This is why the principles of self-sovereign identity (SSI) are so compelling. SSI proposes a model where individuals maintain control over their own identity, reducing the risks associated with centralized access control and enhancing personal freedom in the digital realm.

Critics of SSI will claim that giving people control over their identity means we have to accept their self assertions. Nothing could be further from the truth. When someone wants me to prove I'm over 18, I use a driver's license. The state is asserting my age, not me. But I'm in control of who I show that to and where. Sovereignty is about borders and imposes a system of relationships.

Now, China could use decentralized identity technology to build their social credit system. One credential, controlled by the state, that is used to access everything. Technology alone can't solve this problem. As a society, we have to want a digital world, modeled on the physical one, where individuals are the locus of control and use information and assertions from a variety of credentials to build and interact in authentic peer-to-peer relationships. Until we value freedom and independence in the digital world, we will yield up control of our digital lives to others who will act in their own interests, not ours.

Notes

1. For similar reasons, I think federated social media systems are a bad idea too, but that's another blog post.

Photo Credit: Papers Please from DALL-E (public domain). Prompt: Draw a rectangular picture of police checking identity papers of people on the street

Tags: identity access+control ssi

This paper systematically discusses the security and privacy concerns for e-learning systems. A five-layer architecture of e-learning system is proposed. The security and privacy concerns are addressed respectively for five layers. This paper further examines the relationship among the security and privacy policy, the available security and privacy technology, and the degree of e-learning privacy and security. The digital identity attributes are introduced to e-learning portable devices to enhance the security and privacy of e-learning systems. This will provide significant contributions to the knowledge of e-learning security and privacy research communities and will generate more research interests.

Sophia Antipolis, 14 April 2023

Today we expect to be able to communicate anywhere, with everyone, at anytime, on every device and at the same time use various services that will help us save time in our daily life.

Read More...

Policy framework including principles for digital identity infrastructure

In order to reach its goal of completely eliminating identity-based attacks, the seucrity vendor will champion a new standard that it hopes will define how devices, applications, and systems authenticate and manage digital identity.

Ramesh Babu emphasizes the transformative potential of decentralized identity solutions. By empowering individuals and reducing dependence on centralized entities, these systems promise a secure, private, and user-centric approach.

(The Paypers) Scrive, a Nordic e-sign and eID services provider, and

(The Paypers) Acuant, a global identity verification solutions provider, has teamed up with