Virtual Salon: Decentralized Identity & Privacy
The first RWOT Virtual Salon, on Decentralized Identity & Privacy, gave participants the opportunity to discuss the intersection between decentralized digital identity and privacy, with the goal of producing a single statement that the entire salon was able to agree was an important statement on the future of identity.
Key Topics
Participants briefly spoke on a variety of topics, which were roughly grouped into the following categories of discussion:
- Abuse. How do we counter abuses, often by large corporations, such as coercion to reveal information?
- Accountability. How do we protect the marginalized, disenfranchised, and otherwise vulnerable?
- Advocacy. How can we convince people of the needs or demands of privacy?
- Community. Can we have privacy while also supporting communities?
- Correlation. What do we do with identity solutions that create correlation?
- Culture. What are different cultural expectations about privacy? How can we support them?
- Perspective. How can we view privacy in different ways?
- Portability. How do we create a healthy and moral environment for privacy competition?
- Regulation. Is regulation sufficient to protect privacy?
- Relationships. How do we release information in different relationship contexts?
- Security. How do we review and certify privacy?
- Technology. How do technologies like decentralization or blockchains impact privacy?
- Usability. How do we create privacy without sacrificing usability?
These are not all of the topics that were discussed, nor even all of topics within these categories. Nonetheless, they represent a cross-section of the topics at the salon.
The Statement
To arrive at a group statement, we voted on three categories that we felt were the most important. They were: abuse (14 votes); accountability (11 votes); and culture (7 votes). We then divided into three groups, each of which created 1-3 statements related to these categories as potential releases for the salon. We then voted on the statements, to determine which had both strong interest and rough consensus. We agreed on the following statement:
“Privacy for decentralized identity must support the full range of social collaboration: individuals, life partners, families, small firms, corporations, communities of interest, neighborhoods, nation-states, and other forms of association.
“No matter how ephemeral or long-lived these collaborations, we need solutions that safely enable all forms of individuals acting alone or in concert.
“For example, a group of friends should be able to plan and pay for a vacation using any number of services, without sharing usernames and passwords, revealing unnecessary information, or being subject to undue bureaucracy.
“This is a joint statement from contributors at the Decentralized Identity & Privacy 2021 salon, organized by Rebooting the Web of Trust http:/weboftrust.info/salons/decentralizedprivacy2021”
Other statements with high interest, but where we could not reach rough consensus without our time frame, related to the need to hold the powerful accountable (where our prime disagreements came in saying how to do so proactively, without forcing victims of privacy violations to be lightning rods for corporate displeasure) and the importance of local context to identity statements (where we couldn’t agree on whether the statement was concretely meaningful and where we stumbled over how to deal with abusive contexts, such as authoritarian systems). Obviously, with more time each of these topics could turn into interesting statements or even papers of their own, but we were seeking rough consensus over a three-hour salon.
An Overview
The following graphics capture the major topics and outputs:
Key Quotes
People spoke adroitly on these topics over the course of the salon. What follows are statements from individuals which we felt were interesting, insightful, or clever. We’ve probably missed as many as we collected. These quotes and paraphrases have been categorized after the fact, and represent individual thoughts, not the consensus of the salon. Some quotes been cleaned-up or paraphrased, to retain the original thought (and as much as possible the original words), but to make them more readable as an excerpt.
The Importance of Privacy
“Privacy forms the foundation of our freedoms.”
Designing Identity
“How we build an identity system that is not implicitly a violation of privacy is one of the big problems I see ahead of us.”
“I see some people making arguments that any use of a public ledger is incompatible with privacy.”
“I’ve seen a lot of differences when you’re running a digital identity system that is user-led versus issuing a self-sovereign or a digital-identity account that you manage on behalf of individuals.”
Describing Identity
“I’m increasingly thinking of attributes like the reflections on Plato’s cave: your identity is on the other side, and all you are seeing are the shadows dancing on the wall.”
“We can mistake the attributes that we’re dealing with for the person who is underlying them.”
Controlling Identity
“The owner of the identifier should not necessarily be the controller of all opinions about them.”
Designing Privacy
“The physical and digital worlds both came without privacy.” “We’ve had privacy in the physical world for long as we’ve been human beings. We’ve made another world here.”
“If we’re relying on others alone to provide us with privacy, we’re not going to get any.”
“We have to bake in privacy at the deepest level, so that anyone can use it, especially the vulnerable.”
“How can we build our tech so that people feel less of a need for privacy?” “How do we stop the privacy arms race?”
“We just want to make sure that the privacy that we all want is implemented in such a way that it doesn’t create other negative consequences.”
“I think it’s a certainty that there are privacy technologies that we simply do not have yet and that we might have in the future.”
About Abuse
“We’re going to see egregious things happening in the digital frontier.”
About Abuse of Personal Data
“There is a mindset of automatically demanding PIIs.”
“Revealing personal data in order to gain access to services is going to become ubiquitous, it’s going to be abused, especially as the technology allows it to become frictionless.”
“We need counter measures against eight-hundred pound gorillas that force you to surrender your verifiable credentials.”
About Aggregation & Correlation
“As you share your Verifiable Claims and your knowledge, there are data aggregators who might be buying up all this data, and as long as your identifier is the same, you end up in the same issue, where you have a big silo of your data that is being sold all over the place.”
“No matter how they try to do them [even trying to make them anonymous and distributed], trackers for advertising are identifying and indelible.”
“Any information that’s out there that’s correlatable will be correlated.”
About Advocacy
“There is so much focus on surveillance and tracking that people are losing faith in our ability to preserve privacy in any way.” “There are so many ventures taking place right now that are going to preserve privacy, protect data, etc.” “We want people to believe that, yes, you can preserve privacy.”
“How do you get people to get away from that convenience of just being able to reset a password, going to managing keys and actually playing an active role in identity?”
About Community
“I think we’ve gone overboard on the individual perspective.”
“Focus on individual privacy neglects families, neighborhood, and relationships.”
“There are many other stories where people have come together to share information in order to do something for the common good.”
“There are other points of view where community and authenticity and vulnerability are an asset.”
“Society is myriad, and we have to support all the ways that society manifests.”
“How do we do surveillance socialism instead of surveillance capitalism?”
About Culture
“The preconceptions about what’s possible and what’s not possible are really very different around the world.” “There are different community norms.”
About Decentralization
“We need decentralize so that the control of what I disclose to whom and under what rules resides with me.”
About Individualism
“There are some things that only an individual can do. It’s not the same thing as being obsessed with individualism.”
“We have to assign to the social the things that can only be social, to the regulatory the things that can only be regulatory, and to the individual the things that can only be individual.”
About Lock-In
“A lot of privacy tools are blatantly anti-competitive.”
About Regulations
“Under the GDPR, we are only data subjects. We have to opt in or opt out of everyone else’s privacy provisions. That’s a very broken system.”
“Regulation is not enough to protect user privacy in user data systems.” “I believe that the technology itself needs to provide some avenues for recourse.”
About Relationships
“For relationships, we tend to think about the nodes and not the connections.”
“The extent of privacy we’re having depends on who you’re connecting with when exchanging information.”
About Rights
“We have a variety of civil rights in the real world. A lot of countries are not confirming those same rights exist in the digital world.”
“It turns out that the digital world is owned. It’s property law.”
About Usability
“Technology is just giving us options, new technology is giving us new options, but we also need to limit options so that it doesn’t become unusable.”
About the Vulnerable
“Right now there’s no incentives, there’s no money, for doing security reviews that include the vulnerable. We have to gift it.”
Questions about the Salon
What is RWOT?
RWOT is Rebooting the Web of Trust. We held nine in-person design workshops from 2015-2019. Our goal was to produce actual work product at the workshops, which has resulted in the production of over 50 white papers on the future of identity of the internet, including incubation of the DID standard. We’ve also produced a few code libraries and demonstrations.
We are planning to return to in-person workshops in 2022. This was our first virtual salon.
What is a Virtual Salon?
A virtual salon is a meeting of interested people to discuss a topic. In keeping with the work focus of RWOT, our goal is to drive each salon toward producing a short statement which we think speaks to the future of identity on the internet.
How Many People Attended?
We had approximately 30 participants and a facilitation team of about a half-dozen.
Who Attended?
Our participants were worldwide. In the US, we had participants from Hawaii and California to Boston, New York, and Puerto Rico. Worldwide, participants also came from Brazil, Canada, France, Germany, Japan, the Netherlands, and the UK.
How Did You Run Your Virtual Salon?
We used Zoom for our conversations, supplemented by Mural digital whiteboards, which we laid out in advance with post-its for participants to write statements on and with space to organize and re-organize those digital post-its. We also used Zoom breakout rooms to support smaller discussions where everyone could have a say.
What Were the Guidelines for the Conversations?
All conversation was protected by the Chatham House Rules:
“The Chatham House Rule reads as follows: When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”
Credits
- Facilitated by: Cynthia Vasiliu
- Producer: Erica Connell
- Co-Producer: Will Abramson
- Topic Lead: Joe Andrieu
- Editor-in-Chief: Shannon Appelcline
- Graphic Recorder: Veera Hyytia
Participants
Will Abramson, Christopher Allen, Joe Andrieu, Shannon Appelcline, Jon Callas, Ann Cavoukian, Raghav Chawla, Erica Connell, Scott David, Darrell Duane, Kim Duffy, Dave Fields, Mei Lin Fung, Ryan Grant, Micha Kraus, Paul Mersky, Andre Muta, Dan Pape, Przemek Praszczalek, Eric Schuh, Doc Searls, Shigeya Suzuki, Vaner Vendramini, John Wunderlich, and Brent Zundel.