Chapter 2. Why Self-Sovereignty Matters
By John H. Clippinger
It has been said that “he who enrolls, controls.” Any “authoritative” party that defines and selectively confers “credentials” to access valued resources, privileges and rights – e.g., a bank, state, religious body or social website – exercises enormous power, often with little democratic oversight. Since such powers are extremely difficult to oversee and regulate, they eventually become a point of institutional failure. The old adage Who guards the guards themselves? (Quis custodiet ipsos custodes?) ultimately rears its ugly head and the “guards” become the overlords, a clique of self-perpetuating, self-serving beneficiaries. It is a historically tried dictum that the human oversight of human frailties inevitably succumbs to human frailties.
The Rise of Self-Correcting, Evolvable Institutions
In the struggle to give people greater dignity and control over their online lives (which increasingly encompass their offline lives as well), the classic institutions of authority – financial, educational, enterprise, religious, governmental – are failing. They are variously too slow, hierarchical, corrupted or socially disconnected to perform their assigned tasks as conscientious policymakers and respected guardians of their segment of the social order.
This failure of authoritative institutions constitutes one of the biggest challenges to human freedom in the digital era. It is such a fundamental point of failure across all sectors that it is unlikely to be resolved within existing institutional structures. Yet growing public alarm over unchecked governmental and corporate surveillance and control is spurring the quest for innovative forms of governance that can effectively protect and express human rights.
A case in point is the “alpha geek” community’s enthusiasm for Bitcoin, Ripple, digital currencies and encrypted peer-to-peer services. These services and protocols are instances of what I call The ODESS Stack (Open-Distributed-Emergent-Secure-Self-Reflexive), a set of distinctive software endowed with autonomous features. The fervent popularity of ODESS services arises from the fact that they do not require external institutional authorities – i.e., corruptible human third parties – to function. Rather they are “self-reflexive” in that they contain within themselves the necessary mechanisms to host, verify and clear transactions, and to audit themselves and self-correct errors and breaches. By virtue of their inherent design, they cannot violate their own policies and they are highly fortified against outside manipulation and intrusion. In Bitcoin’s case, this means that it will issue no more than 21 million bitcoins and it will have a “block chain” register that is complete and transparent. To their supporters, these “algorithmic” “math-based institutions” are more trustworthy than their flesh-and-blood counterparts, such as Central Banks and governments.
It is tempting to dismiss the interest in ODESS protocols and services as a simple case of Digital Libertarianism, especially because there is certainly an Ayn Rand faction within these circles. But the ODESS approach to authority and legitimacy really transcends the traditional left/right ideological spectrum. The growing shift to algorithmically complete and self-contained services represents a more pragmatic, performance-based approach to governance and institutional design. In systems that are inherently experimental, empirical and technologically based, traditional ideological presumptions have little standing. Pragmatic outcomes and personal empowerment are the sine qua non.
ODESS protocols and platforms are really outgrowths of a new generation of communications and control technologies. It turns out that the convergence of open platforms, social networking, Big Data and encryption innovations allows us to address many social and economic problems that simply could not be seen or addressed under the regnant system of authoritative institutions.
Never before has it been possible to self-consciously design and test at scale new forms of social technologies with rapid iterations and innovation. Before it was possible to represent and express human activities digitally, the social and economic sciences were profoundly constrained in what they could imagine theoretically or test experimentally. This is no longer the case. Now it is possible to self-consciously design and test at scale new forms of social technologies with rapid iterations and ongoing improvements. Much of today’s large-scale social and economic innovation is not being done within academia or government, but by technologically innovative companies that have the sophistication to exploit open networks, social networking and Big Data.
The automation of key control functions in trains, missiles, planes, boats and cars is already upon us, and fully autonomous terrestrial and aerial drones are not that far off. The march of autonomous control and self-organizing technologies is leading to a whole new class of services and protocols that obviate the need for traditional “authoritative” institutions for governance and control. Instead of presuming the need for active human oversight, whether through physical, regulatory or legal means, the goal that is emerging among so many ODESS systems is autonomic design: social and economic control/governance mechanisms that are intended to perform to an explicit standard and that can correct and improve their performance when they fail. Self-adaptive machine learning makes it possible for systems to learn from their mistakes and evolve to improve their performance.
In the face of institutional failures, respectable opinion generally focuses on reforming traditional “democratic” processes such as voting, legislation, adjudication, licensing, litigation and regulatory procedures. But these modes of governance are increasingly ineffective artifacts of a bygone era. They presume social realities that may not exist (perfect information, rational consumers) while failing to take account of ubiquitous new realities such as socially driven behavior using digital technologies on open networks.
Fortunately, ODESS platforms are pointing the way to entirely more competent, participatory and trustworthy types of authority systems and institutions. Self-correcting, evolvable institutional designs are starting to provide more effective, adaptive and resilient social and economic institutions. This goal should be the focus of governance design and innovation in the future.
How Does Self-Sovereign Authentication Work?
Let us circle back for a moment to explain the “atomic foundation” upon which the new ODESS services and institutions are based: self-sovereign authentication. As long as some third party – whether it be a state, a bank or a social media site – is the source of an individual’s identity credentials, that individual’s freedom and control over their identity and personal data are limited. If anything should be inalienable, it should be one’s identity – the right to assert and control who you are. Relinquish, delegate or appropriate that control, and what is left but servile dependency.
Yet the big question remains, Can one be self-sovereign? That sounds like a contradiction. How can one have an identity credential issued that is authoritative, independent, incorruptible, and universally accepted by others? It is vital that no single entity, public or private, should have the power to issue a global identity credential. But who then should vouch for a person’s identity if not the state or some “international agency”? That question has been answered convincingly by the universal success of the open source software movement. By combining the norms of autonomy, security and innovation of the open source movement with the transformative powers of ODESS protocols and services, a genuinely new environment for institutional and governance innovation is possible.
The Bitcoin and Ripple algorithms are both open and not owned by anyone, and yet there are also shared protocols that serve as a type of social contract among participants in the system. So it shall be with ODESS platforms and services: algorithms for computing global identities will be open to review and not owned by any party, and self-organized communities will be capable of issuing and enforcing their own identity credentials, independent of states, banks, and other authority institutions. This will enable a whole new class of institutions to self-organize and develop organizational capacities and protections for solutions to fundamental issues of human rights and dignity that previously were simply not conceivable.
Here is how self-sovereign authentication can work: An algorithm would have to compute a unique credential for everyone on the planet based upon something that is uniquely identifying to them. Fortunately, people have many biological and behavioral markers that are unique to them, ranging from how they move or shake a phone, to their daily movements and interactions, to the rhythm and pace of their typing and speaking. All of these markers can be digitally captured. Indeed, with recent advances in genomics, the genome itself is one such “unique identifier” which is digitally captured by default.
While in some cases, a single biological or behavioral marker may not be uniquely identifying, a combination of such markers can produce a unique and distinctive marker. Unlike a fingerprint, retina scan or similar “one time” biological markers that are fixed and therefore potentially appropriated by third parties, these new markers change dynamically over time as the behavior and the biology of the individual changes over time – and they can correspondingly be verified in real time. By having a dynamic and evolving credential that changes with the individual, the resulting credential is not only more credible and perishable, it also makes the individual the living custodian of the credential. As a living credential, it cannot be easily appropriated by someone else and it ceases to be valid when the individual is no longer living. In this sense, it is truly inalienable and is a living digital representation of an individual.
The approach taken here is a variant of forms of security and privacy analyses called L-Diversity, k-Anonymity, Trace analysis and Differential Privacy. In the simplest of terms, the challenge of creating a unique identifier for a person is the inverse of re-identification (determining a person’s identity from anonymous data). In the case of geolocation data gleaned from mobile devices, for instance, de Montjoye et al. have found that it takes only four unique coordinates from cellular phone data to identify a person with 95% accuracy. The power of this technique, however, depends upon the density of the populations and groups being analyzed. For instance, if there were few people in sparse locations with few roads, then the opportunity for variability-uniqueness would be more limited, and hence, the “identity distance” between individuals more limited. If on the other hand, it were a highly dense and diverse population with multiple local, regional, national and even international routes, then the opportunity for identity diversity would be significantly greater.
All this suggests that any algorithm based upon movement and interactions would also have to consider not just the size and entropy of the population in which the individual resides or works, but the richness and diversity (entropy) of roads and modes of interaction. This measure could be augmented by adding more signature dimensions in the form of orthogonal behavioral and biological markers – such as, cardiac, gesture, typing, and voice signatures. It is also possible to have a “sliding scale” of credential reliability tied to the level of risk or value in a given transaction. In emerging mobile markets where transaction volumes and amounts are infrequent and under $25 in value, the KYC (Know Your Customer) and AML (Anti-Money Laundering) authentication algorithm could be lighter, but as the volume and amounts of transactions increase, more rigorous credentials and real-time authentication methods could be used.
In the near future it is very likely that many people will have their own sensor platform “bracelets” like the Nike FuelBand, a universal tool for measuring all sorts of a person’s activities. These sensor platforms can provide more accurate and unique location, movement and biometric data than phones alone and could be used for more secure forms of authentication and sharing in the near future.
Under any circumstances, an individual’s identity signature would be stored in an encrypted personal cloud that could only be accessed through a secure API to upgrade the signature and to allow third-party verification. Moreover, such a root signature could use homographic encryption so that it could be queried without having to be decrypted. It would be from this root signature that a “root” password would be generated by another Open Algorithm, which in turn would generate an OpenID OAuth 2.0 token to create a secure universal password. Should an individual lose or change the password, another could be generated. Since it is generated off the same root identity signature, it could not be “spoofed” because it would be derived from the encrypted root credential that only the individual has access to. This would obviate the problem of individuals forgetting or losing their password and not being able to recover or use their data or a service, because they could easily recover and regenerate a credential based upon their own actions. It may take time for full authentication to take place so there could be a “watch period” until the full richness of the credential is (re)created and verified.
Personas and Contextual Identities
In practice, humans have multiple identities; we are many people to different people; we are parents, spouses, workers, citizens, friends, patients, learners, buyers, makers, etc. Some of these different worlds overlap, but in many cases they do not, and in some cases, it is important that each context not be aware of the other or knows everything about the other. This compartmentalization of lives and information is a core component of privacy and essential for both personal and social freedoms.
Such contextual identities we call personas. They are derived from one’s root identity but are defined by specific attributes and credentials that are needed to function in those contexts. For example, in a family context, the key attribute is relatedness – parent, child, husband, wife or spouse. These can be biological and socially asserted roles dependent upon specific social conventions and customs. In either case, they cannot be asserted by the individual but need to be asserted and verified by the group defining the context. One person can have many personas, each contextually defined and each wholly independent of the other to the outside world. In some cases, a persona my be legally prescribed by a nation state, such as citizenship and a passport with required picture, certified birth certificate, and residency. In other cases, the persona may be based upon some attributes of mutual interest to everyone in a group or community –such as age, residency, income, education. Whereas there are many organizations such as banks, credit bureaus, government agencies, schools, health care organizations and the like which claim to be authorities for the verification of certain attributes, such as FICO scores for creditworthiness, many of these services themselves are subject to manipulation.
Open Algorithms for Personas
Again, there is a significant opportunity to have independent and open algorithms to calculate persona proxy attributes that can be derived from behavioral and biometric data to verify certain claims about people – such as their residence, employment, creditworthiness, sociality, health, affinities, activities and interest. Such data would be solely under the control of the individual and be shared in their personal cloud or Trusted Compute Cell (TCC). Using the Open Mustard Seed platform (OMS) these personal data could be shared at the discretion of the individual through their own open source Trusted Application Bundles.
Personal Data Assets and Exchanges
If individuals were able to collect and verify their own personal data in their own personal cloud or TCC, then they would have the opportunity to create asset value out of their own personal data. This is a new kind of asset class that has been priced and valued in standard markets such as those formed by data brokers and ad networks. For example, Acxiom, Experian, and Equifax make billion dollar markets in relatively low quality and incomplete data and individuals themselves do not realize value from their own data. Imagine how valuable fully complete, accurate, timely and consensual personal data would be. For the less advantaged individuals, it would be a way of creating social capital and real financial equity for both their data and their actions, and therefore, would be a powerful means for the “unbanked” to bootstrap themselves into a global digital economy.
Through the use of data asset exchanges where individuals and groups could make markets using their data assets, a new business model for web content and services would be possible. Such a business model might well displace the current advertising model where the financial incentives are to trick people out of their data and to push inappropriate offers at people. Imagine a world where people got fair value for their data and would be in charge of how they would be approached by vendors and third parties. That would not only change the “balance of power” between individuals corporations and governments, it would unlock new sources of innovation and greater service efficiencies by making the management of market and security risk based upon more accurate and complete data analytics.
None of this would be possible, however, if individuals were not self-sovereign and in charge of their own identities and personal data. If other parties, governments or corporations, are in charge of the enrollment process, then the old dictum of Quis custodiet ipsos custodies would assert itself once again and undermine the very trust and transparency needed to have a free and open digital ecology.
John H. Clippinger is co-founder and Executive Director of ID3 (Institute for Innovation & Data Driven Design), a nonprofit organization formed to develop and field test legal and software trust frameworks for data-driven services, infrastructures and enterprises. He is also Research Scientist at the M.I.T. Media Lab’s Human Dynamics Group. Previously, Dr. Clippinger was founder and Co-Director of The Law Lab at the Berkman Center for Internet & Society at Harvard University. He is the author of A Crowd of One: The Future of Individual Identity (2007) and The Biology of Business (1998).
 Bollier, David and John H. Clippinger, “The Next Great Internet Disruption: Authority and Governance,” available at https://idcubed.org/?post_type=home_page_feature&p=631. See also Clippinger, John H., A Crowd of One, The Future of Individual Identity (Public Affairs, 2007).
 Machanavajjhala, A., Kifer, D., Gehrke, J., and Venkitasubramaniam, M., “Diversity: Privacy Beyond k-Anonymity,” ACM Trans. Knowl. Discov. Data 1, 1, Article 3 (March 2007) [DOI=10.1145/1217299.1217302], available at http://doi.acm.org/10.1145/1217299.1217302; see also Lantanya Sweeney, “k-Anonymity: A Model for Protecting Privacy,” International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5) (2002), pp. 557–570, available at http://dataprivacylab.org/dataprivacy/projects/kanonymity/kanonymity.pdf.
 Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen and Vincent D. Blondel, “Unique in the Crowd: The Privacy Bounds of Human Mobility,” Nature (March 2013); and Lantanya Sweeney, “Uniqueness of Simple Demographics in the U.S. Population,” Technical Report LIDAP-WP4 (Pittsburgh, Pa.: Carnegie Mellon University, 2000), available at http://dataprivacylab.org/projects/identifiability/index.html.
 Ninghui Li, Wahbeh Qardaji, Dong Su, “Provably Private Data Anonymization: Or, K-Anonymity Meets Differential Privacy,” CERIAS Tech Report 2010-27, Center for Education and Research, Information Assurance and Security (West Lafayette, Indiana: Purdue University, 2010).
 Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen & Vincent D. Blondel, “Unique in the Crowd: The Privacy Bounds of Human Mobility.” Nature, (March 2013).
 World Economic Forum, Personal Data: The Emergence of a New Asset Class (2011).