Digital identity and social media – the big picture
By Ingo Rübe, founder of KILT Protocol
Digital identity on the internet is fundamentally broken. Our data is scattered across the web, out of our hands and impossible for even the most security-conscious to track. But before we can create viable alternatives to the present system, we first need to address the fundamentals – how identity is understood.
Because of the way we use language, identity is often confused with things like an identity card. But an identity card is not our identity; it is a credential.
Identity is more than that. Your identity includes your name and your nationality, your education, your job, your family, all the other things that distinguish you as an individual.
Identity is represented by a combination of a core identifier and many credentials attached to it. That’s how identity works in the physical world. The identifier is something we control – our face, fingerprint, or signature – something that is not given to us by any government or institution. These things are naturally decentralized and fully generated, controlled and owned by the individual. The identifier is linked to our credentials – my passport has a photo of my face.
Credentials are issued to us by external (preferably trusted) sources such as the government, universities, clubs, or favorite stores, and together they make up who we are. These credentials are also owned and controlled by the individual. Your credentials are in your wallet or in a drawer in your home, and you decide when to show them, to whom and for what reason. Also, the credentials are worthless without your identifiers, which makes them pretty secure. Only I can use my passport because the picture does not match anybody else’s face.
In the digital world this model has been broken. Currently our identities are spread across sites, apps and services and no longer under our control. Huge platforms control and sell our data for profit, putting our privacy at risk by storing our information in data silos.
The core problem is the identifier. Digital identifiers are entries in the databases of platforms. They are generated, owned and controlled by these platforms, not by individuals. And unlike faces and fingerprints, they are stored in central databases, which are a very attractive target for attackers. When the credentials that add to an individual’s identity are then issued and stored by the same platform, we end up with a system that transfers all the rights of the individual to a small set of companies. This is what the internet brought us: progress in convenience paid for with a huge regression in sovereignty.
To break this cycle of centralized data collection, we need a new form of digital identity, created in such a way that we can manage our own identity and store it on our local devices.
To be truly effective, this identity needs to be decentralized and mimic the real world, with an identifier under the control of its owner, and credentials added to this core, building identity. The identifier must not be issued or controlled by an institution or body. Only the individual can be allowed to do this. Otherwise the institution or body might delete the identifier, which would erase the whole identity.
In the last five years more than 300 international companies and organizations have made a huge effort to design and standardize such a system in the Decentralized Identity Foundation (DIF). The result was a definition of decentralized identifiers (DIDs) and verifiable digital credentials (VCs). W3C, a standardization organization most famous for the definition of HTTP, recognized DIDs and VCs as an industry standard in July 2022.
DIDs are created on the individual’s device and serve as a ‘face’ and a digital signature mechanism at the same time. They always remain under the control of the user. DIDs represent the individual.
Verifiable credentials can then be added to this DID by trusted entities like governments, companies or trusted individuals. Just like in the physical world, the credentials are issued to an individual and then stored by the individual on their own device. In this way users can regain control of their data instead of handing it over to large corporations. Data hacking becomes less attractive because, instead of hacking one centralized place for thousands of identities, the attacker would have to attack single wallets that each hold only one identity.
With trusted credentials verifying data such as the user’s email or social media accounts, social media platforms could create log-ins that interact directly with the email credentials of the user, bypassing intermediaries and reducing data storage. In this way we can preserve the convenience of the internet while regaining control over our identity.
About the author
Ingo Ruebe is the founder of KILT Protocol, a blockchain identity protocol for issuing self-sovereign, decentralized identifiers (DIDs) and verifiable credentials. KILT provides practical, scalable, secure identity solutions for enterprise and consumers. Decentralized identity services built on KILT include SocialKYC certification for email addresses and social media accounts, and DIDsign, a private way to sign any type of digital file directly in your browser.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.