 Hello everybody. Thanks for coming to learn a little bit about identity. I just watched Sina talk and I've actually I read Sina's work and it's awesome and I think that it was what he talked about was at the kind of the technical level how we're gonna actually implement this stuff with this technology is super important and a lot of super cool use cases there. However this talk is a level or a layer up. Talking a broader sense about identity, what exactly are we trying to solve when we say we have identity problems or the identity on the internet is broken or Ethereum doesn't have proper standards for identity. What does all of that mean and then what is kind of the mental or conceptual framework that we can apply to kind of solve this problem. So I don't know if you know since this is kind of just an identity talk but this is actually under the design track here at DevCon and before I dive into that a little bit about myself I work on Uport. I'm product designer. I've been working on Uport for a little over a year and we do self-sovereign identity work and a number of things. We have a mobile app, we have developer resources, we do the ERC thing and try and submit standards and make suggestions about the protocol but ultimately our vision is to bring self-sovereign identity to the world in a practical, usable and universal way. Something that even is outside of Ethereum because people have real identities outside of Ethereum too and creating a silo inside of Ethereum isn't going to work and we want to make it a standard and not a standard in the sense that we submit something and it becomes standardized in code but a standard way of operating in the world where people get decentralized identities in an accessible way. So why is this in the design track? Well as a designer we typically one of the questions I always ask I think a lot of other designers kind of ask it is are we solving the right thing first and then are we or are we building the right thing and then are we building the thing right and a lot of times I think that things get conflated in this space around identity and we say we want to solve Ethereum's identity problems. Now I think on Uport we want to use Ethereum to solve some of the world's identity problems and those two things can coexist but they are not exactly the same and you can think about them in different ways and if we only solve Ethereum's identity problems we're at risk of not making this whole thing accessible and universal and we're at risk of rebuilding Web 2 problems into Ethereum. So I want to focus on that and I want you to picture some of the people and picture them maybe this is in five years 2023. Take Sarah for instance so imagine this is four years in the future she is now having to flee Myanmar or some conflict zone and she received aid before as a UN refugee the last time she had to escape and during that time she got a decentralized ID and the UN issued her a claim saying that she has refugee status and they issued that to her Ethereum address right she returns once the conflict has kind of settled down she returns home. Now things degrade again socially and she is now at risk again and the government wants to persecute her and people like her and now they can identify her incredibly easily they just have to look at the chain right they can verify that she indeed is the type of person that they're looking for right and now because she received aid and that was put on chain immutably tied to her forever she is now exposed herself some privacy lost privacy lost protection and it was good at the time but nobody thought about the long consequences of what you're doing and what you're putting on chain and when you tie it to a self-sovereign ID. So that's the type of thing we want to avoid and these problems are all over the place. In Texas I'm from Dallas they're using the churches right now in Dallas have made an agreement with the local immigration police and the police force in Dallas that says if an undocumented immigrant presents a parishioner ID being part of the Catholic Church that they can get easily just by going to the church they the police won't enforce immigration laws upon them for now and so this has become controversial and all of this stuff and this is something that could be done and put on chain however if you put it on chain if though if the situation changes you've now put that person at risk the same thing happens with somebody who maybe you're working in the adult industry you're on spank chain right and you're a performer and you receive reputation and accolades and tokens and all this stuff on spank chain in the future maybe and now you can't separate that persona from the rest of your life in the real world you're being able to correlate all parts of your life together and being one single person in every single context is like not a natural way that humans operate in the world so I'm going to establish some context and we'll talk about problem I'll present a solution so the first thing is how do actual people think about their identity so like I said you have these different places where you interact in the world you have a professional identity of a family your friends your different people at least slightly in all of these contexts but you're able to move information between them all but you can keep some things private from some groups right and these are really there is no essential quality to identity identities kind of like this emergent thing there's no root basis this is what philosophers have been debating about forever Hume John Locke Descartes they've kind of found that there really is no core atomic unit yet online we need a core atomic units so that's that's kind of what we're wrestling with so if you imagine all these different phases of identity all these different spheres of influence you have they just they numerate and they come together and they overlap in interesting ways they form you and that's his unstructured data that we're trying to put in tables and rows and that's a way I like to think about this which is good it's a hard problem to solve start from the individual which we just kind of talked about and move out words into these layers of abstraction called social digital decentralized hopefully sovereign so socially how do we what happens when identities interact with each other regularly well I think this is where you establish something like reputation and reputation is just identity times time right so as an identity accrues information about itself and other people can see that information they can make judgments about that identity and that's what we call reputation so that's really what we care about when we talk about all of this identity I know that you port isn't explicitly a reputation system but having an identity the reason you want one is so that you can get a reputation and you can do something with it you can leverage it so we care about identities in so far is that we can predict their future behavior whatever information helps us predict their future behavior becomes reputation that's what people want to leverage that's what we need to give them the ability to control that information set let's see what's next so this applies to crypto blockchain because it's fundamentally a peer to peer technology you have identities interacting with each other if you didn't then there'd be no reason for this to exist now Bitcoin I'll talk a little bit more about what it did for this problem later but it's only one half of an economic trade right it's one of the assets you want you want to get something for your Bitcoin and that still requires two parties to interact and that has to be mediated by some reputation and trust to perform the full action of giving somebody Bitcoin and getting whatever it is you want from it so probably seen this movie Indiana Jones he's trying to do what I essentially would call an atomic swap in the real world but there are no atomic swaps in real life right you see it all the time and something like like a imagine a prisoner swap the reason that there's so much overhead there and all of these contingency plans are made it's because both parties can't guarantee that both things happen at the same time right and when you can't guarantee this because it's not code in the real world you have to have trust that trust is based on the reputation so you care about who you're interacting with so if you're buying mangoes on using blockchain right there's you haven't solved the trust problem by just using blockchain you've moved it you've to other places you've made it but and you still haven't solved the trust problem in the actual physical moving of the goods between participants maybe there's some like Sina was talking about way to stake your reputation and use some game theoretical concepts to enforce these things over time but that's a probabilistic approach still you're still trusting that people will care about those things so the role of identity is often overlooked when we think about the mechanics of trade and that's I think kind of the reason why identity is important in this space so everything is reputation in my opinion and reputation is trust that's what gives rise to trust and so I have this really this is supposed to encapsulate just how hard the problem is and it's this crazy word vomit of a sentence that kind of illustrates exactly what we're dealing with and then we'll move into some of the more tangible things after this so identity is this amorphous contextual dynamic property that interacts with other identities to give rise to a sea of probabilities that we refer to as reputation and when an interaction happens an exchange of reputational information occurs the result of which is some amount of trust between the participants and determines the amount of friction that needs to be added to this interaction for it to be successful that is what that all meant those previous slides but this is really hard to put into computers so that's the problem and what is it like to be online what's the state of this problem as it exists today especially digitally where these problems manifest themselves most often well we know these companies they are our overlords and among others and their information is siloed we know this this is why we're probably all sitting here is because this is the problem that we think about a lot they they have made some the thing that is interesting about what they've done is they've made it easy in some regards they've created an incredible user experience on the front end of the experience it's the long-term consequences the externalized consequences from these actions up front therefore from that good UX that is the problem so how do we keep that good part but solve the long-term consequences I wanted to point out that when we talk about like something like Facebook and what their business model is I think what their business model is is reputation as you do more things on Facebook your reputation your history goes up on Facebook and the switching cost then goes up it makes it harder to choose a different platform and that's how they lock you in right raise your hand if you have a Facebook account even though they've been hacked and even though we hate them right I still have a Facebook account and I have all my privacy settings on but I don't really know what to think and that's because there's nowhere to go with my information they don't make it easy and they want to not make it easy so we have to solve that and that's where Ethereum comes in and an open identity standard comes in that can solve that problem while we keep the great UX so this is from a researcher named Rebecca Ricks I always always bring it to these presentations because it's just so crazy this is a graph of what happens when you make a transaction on PayPal and all of these nodes are the different companies that's that transaction metadata gets sent to let it play out for a second and on her site you can actually see which metadata each one of these parties gets since they've acquired Venmo I'm sure this is happening with Venmo too there's probably even more things and it can only just goes on and on so that's that's the state of how your of your identity how it gets spread around today I'll go ahead and skip because it there's a lot so web identity is not the best thing we can do it's done a lot of good things in some ways and we need to preserve those like I said but Ethereum could solve some of the some of the problems at the root of it all one thing that has happened in the real world with regulators is something called GDPR so if you're not familiar with it and you're working on these problems or you're handling user identities this is something to be aware of GDPR is a lot of it's a European regulation it's a general data protection regulation I think I might have one of those words wrong but basically what it says is gives these it establishes these rights for users interacting online the ability to move your data the ability to request and know exactly how it's being used and one really critical one which is which is the right to erasure which is the ability to request that your information be deleted and and if the company doesn't comply with this they're in violation of GDPR and they'll attempt to enforce this law and it's I think it's a fine of 4% of revenue for the year or 20 million dollars or 20 million pounds so it's it could it could really screw up whatever you're doing as a startup Facebook went so far as to separate all of their user data that's European into an entirely different location in the world they built a whole new data store just for European information to separate it so the way that applies to blockchain is do not put personal identifying information on chain those stories that we that I talked about before about the refugees immigrants people who work in marginalized or or stigmatized communities when you put their information on chain forever it reduces their control it puts them at risk and generally a theory or an axiom is that decreasing the privacy of the community increases the marginalization of at-risk groups and that's something if we really want to build an open financial system we really want to do all of these really world-changing important things we have to keep that in mind now before we build an identity system that de facto excludes them so GDPR is an attempt to do that with regulation I know we all don't really like regulation and we you know scoff at it and maybe we'll just ignore it but the spirit of the law is I would say good it's trying to return rights to all of us right and protect us from the overlords we talked about so what do we need to do in this new system increase privacy like I talked about preserve that flexibility of being able to be different people in different contexts so the ability for you to be your professional self on LinkedIn and your social self on Twitter or an even worse person on Twitter and be a model on Instagram be an influencer somewhere else be a gamer somewhere else we have to preserve that flexibility you don't want to be that same identity in every place we need to facilitate the portability so that's the that's the switching cost problem we've reduced competition when we increase these switching costs it creates a inefficient economic market for this data and for identities we have to ensure recoverability I'm not going to talk a ton about that today but obviously you don't want to have a fragile system where if you just lose your key which people do all the time as we know you lose your life right lose every access to your health records and all of your accolades and all of your reputation it cannot be that fragile has to be resilient at the user level and we have to improve accessibility the ability to get one of these identities do you have to be living in America and have access to the nicest phone and everything to get a decentralized self-sovereign identity I don't think you should have to do that because that is again a de facto marginalization of some groups so we should re-biddle it and that's where we get to what is you know self-sovereign identity exactly and how what what what are the mechanics of it well self-sovereign identity is when an entity kind of define it I think this is my own kind of working of the definition there really isn't a standard one in the industry of what exactly self-sovereign identity is but this is the way I've been thinking about it which is an identity is self-sovereign when the entity to which the identity refers retains the most control over any given aspect of that identity they don't retain complete control I don't think we want a system where you have complete control over the data or the or you don't have the ability to give up some control voluntarily right this is the ability we would need that for something like liquid democracy that we want to do right the ability to have somebody do something on your behalf right so in these situations the identity just needs to have the most control over any of these interactions when Facebook issues you and identity and identifier they have the most control you have some control but they have the most we have to flip that paradigm so there's kind of these principles that were put forth by Christopher Allen an identity researcher that I liked I'm not gonna go through them all and explain them but you can see this list the two that two of the technologies we have now Bitcoin and Ethereum address and fulfill some of these principles in different ways and the last two minimalization and protection are largely what this talk is about and that's that last piece kind of a self-sovereign identity that we that's really critical to figure out it can make or break this whole thing so Bitcoin what did it do to I just want to recap what it kind of did in moving self-sovereign identity for because it did some important things it made existence go up right you could generate a key on your side you didn't have to ask anybody that gave you control the ability to generate your own identity means you're in control of it and that that fulfills one of the principles transparency because it's the we have our immutable ledger that everybody shares you have transparency over how many identities are in the system at some level of transparency of what is happening with those identities which transparency again it kind of conflicts with privacy right so that's that delicate balance and I'll get to it in a second but I think that's something that we can we can address at the UX level and then persistence the ability to not be deleted from that ledger not be censored not be kicked you know you can be kicked off of Facebook or Twitter and everything you've done there is gone and for some people that's a really big deal that's a huge part of their economic viability in the world so then we have Ethereum and that brought us smart contracts and that did some more things that fulfilled these principles it gave us the ability to access other identities in a in a more complex way then it gave us the ability to consent to certain things perform a variation of different actions on the data and and and broadcast our intents about our actions to the world portability it gave us the ability to you know we've done a bunch of stuff with linking smart contracts together and storing lots of keys and in controller contracts or registries and this gives us this ability to move data around but keep that persistent identifier and then interoperability when we when we that's why we want to establish kind of a standard way of doing this so that we have this interoperability and and what Ethereum has done with smart contracts and us all having the same protocol has been great for interoperability so that's good and like I said the last two things left are this minimization minimization is a principle that when I share information with you I just need to share the very minimum amount of information that is needed to reduce the friction in our interaction and the classic example is going to a bar you want to prove that you're 21 you just need to prove that you're 21 they the bouncer does not need to know your full name your birth date your address your picture your height your weight whatever else is on there that is oversharing and that's not consistent with these principles of minimization so we need that flexibility and ID cards are not flexible they have that you can't you can't dynamically augment the information on a physical card right so that's why and the same thing kind of happens in in in Facebook when you hit login with Facebook you hit share my information this is this is where the UX becomes important because we all over share every time we do that right we say you get access to our contacts get access to all of our friends and that's what the Cambridge Analytica thing was they didn't actually do anything they may have done a couple of illegal things they did a lot of unethical things and one of those things was using kind of UX dark patterns to get people to over share and consent to things they didn't mean to and then taking advantage of that and so that falls on designers to have some perspective and some ethics around how to handle the sharing of data and the way identities take actions online so what's the solution well at Uport we think the solution for a lot of this is this idea of verifiable off-chain claims using things off-chain that are signed by your identity so they're rooted to the integrity of Ethereum but they preserve your privacy while still maintaining the ability to interact with other identities improve things about yourself you're able to control the amount of data you share which fulfills the minimization and because it's off-chain you have that privacy and you have more protection over your identity so the way we do this is supported by something called decentralized identifiers and I won't get into a ton of the tech no cold part here and well I got I got zero okay well I'll go fast decentralized identifiers I won't get into a ton of the tech but suffice it to say it's this long string it's your Ethereum address propended by a method and basically what a decentralized identifier allows us to do is create a resolver that lives somewhere points to where your data or how points to an object called a did document that has data in it and that can tell that can be keys it can be rules about keys and it could also be endpoints of telling the person that is looking for something about you who to ask where to ask and then that can point to something like you point where now the user is able to consent to things granularly and we fulfill some of these things in in a in a couple of ways this is kind of the UX portion so the some of the design principles at this level are one are consent so the ability to selectively and actively disclose things passive disclosure is a problem that's when you grant somebody access in perpetuity to some amount of your information and you just forget about it we all forget how many things we've subscribed to we all forget what the terms and services and agreements that we've entered into are because it's too much to digest in the moment we there is no future where we make users we expect them to read all of that information that's just not going to work and the legal system will take advantage of that if we don't design the experiences correctly so the next is transparency so we like to tell our users when they're doing something that is going to end up on chain most people this is this is a hard part because I think it's something that people are going to just have to learn kind of the way they had to learn certain things about the internet but there have we have to do a good job of educating the distinction about what's going on chain and what's staying off chain and how that relates to their risk so knowledge we track activity that happens right so I can't tell you I have no history anywhere centralized of everything that I've done and all the data I've shared with people using a paradigm like this you can easily have that repository on you at all times and you can be sure of the actions you took in the past and what you've done which I think is really important security reputation in interaction so this is the screen is us not recognizing or seeing a suspicious identity since there is no overlord the system needs to be able to identify and tell users when they're taking potentially risky actions and interacting with identities that they don't know it's gonna be in it's gonna be at the application level to do this right it can be done through blacklist it can be done through certain things like a reputational floor or ceiling of some sort but we have to tell we have to message this to users and then privacy this is non corollability which is one of the hardest and trickiest problems it's the type of thing when we talk about trust graphs and and and reputation and identity emerging from interactions that we watch on chain we have to reduce the core corollability of our identities right or else that all of that division where we get to be different people in different contexts goes away so one thing we do at you port is we want to create a new fresh aetherium identity for you with every interaction or give you the choice to right so that you can separate everything you're going to do in that session from the rest of your identity then just a final little recap so that was kind of the UX principles this is a recap kind of what we've covered which was a lot identity is an amorphous blob reputation is really what we care about reputation is the basis of trust decentralized IDs return control of reputation to the user and with control comes responsibility not only for the user but for the people designing the interactions right we are supposed to the designers of the way all of this manifests itself at the user level there in a way they have to put their trust in us right at the interface level if you haven't read anything about dark patterns they I would encourage you to these are UX things that unethical teams or designers do to try and get users to do something that is not in their best interest but in the best interest for the application and the stakes have just gotten really high when it comes to that right you can screw your whole life up now in a single interaction and we can mitigate all of that risk at the UX level that's why designers need to be thinking about how to handle identity and all of how to handle reputation in their platforms and think about how they can keep things off chain and do a lot of these things that we we just covered I think that's in the spectrum of things that the designers of these applications should be caring about and should be thinking about and with that I thank you for sitting through all of that that was a lot