Dateline: London, 19th November 2024.
When you go to a website and are asked to distinguish between a moped and a motorcycle, or some stairs and a ladder, in order to prove that you are an actual person (rather pointlessly, as it happens, since robots are already better at doing these puzzles than people are), don’t you wonder if there might be a better way? I mean, couldn’t someone just tell the social media site, the internet dating app or the online review service that you are actually a person?
The Botnet
Pretty soon people will be in a minority online, if they are not already. Nearly half of all internet traffic came from bots last year and, for the fifth consecutive year, the proportion of web traffic associated with “bad bots” grew (it is now a third of all traffic) while traffic from real human people continued to fall. We’ve been fighting hard with spam filters and firewalls and whatnot, but AI means that our defences are about to be overwhelmed and pretty soon the majority of internet traffic will be bots talking to other bots. Without some significant changes in the infrastructure, the web will be unusable and fade from human attention.
(The Canadian author Cory Doctorow has a nice turn of phrase around this. He notes that since “botshit” can be produced at an astonishing scale — Amazon has had to cap the number of self-published "books" an author can submit to a mere three books per day — we are facing a crisis of “coprophagic AI”.)
Whether it is about writing books, submitting reviews, finding a date online, or anything else, the problem of knowing whether a user is a person or not has plagued the Internet from the earliest days. There are plenty of initiatives underway to try to do something about it, from Mr Musk’s blue ticks to Worldcoin’s eye scanners, but none have yet transformed the mass market.
I think that the solution has been obvious for many years though. Why not have some kind of certificate that attests to the fact that you are a real person and that can only be used by you? This is what identity people call a “verifiable credential” and I am very much in favour of the use of verifiable credentials that contain important attributes that are necessary to allow transactions to occur but that do not contain any personally identifiable information. A simple virtual identity with the credentials IS-A-PERSON and IS-OVER-18 would serve most people for most purposes most of the time.
Given that there are good reasons for thinking that the existence of an IS-A-PERSON credential might be the trigger for the evolution of a more comprehensive identity infrastructure suited to the modern age — because for advertisers, journalists, voters, shopkeepers and many others, the IS-A-PERSON credential will be an essential prerequisite for all kinds of transactions — you might imagine that the problem has already been solved, but it has not.
with kind permission of Helen Holmes (CC-BY-ND 4.0)
I remember seeing identity guru Eve Maler, the former CTO of ForgeRock, give a keynote at the Identiverse conference and say that IS-A-PERSON is the most important credential of all. She is, as you would expect, absolutely right. So who will provide this critical element of digital public infrastructure?
Who Says?
There are plenty of candidates. There is the Post Office I suppose. And customers. And my doctor. In fact, there are lots of people who could testify to my existence. But a rather obvious place to start in the developed world is with my bank. So, when I go to sign up for something online, instead of trying to work out whether I am real or not by showing me indistinct pictures of American school buses, the website can bounce me to my bank (where I can be strongly authenticated using existing infrastructure) and then the bank can send back a token that says “yes this person is real and one of my customers”. In other words, a cryptographically unforgeable testament to the attribute IS-A-PERSON that can be easily verified by checking the digital signature. The bank should not say which customer, of course, partly because that is none of the website’s business unless I choose to tell them and partly because when the website gets hacked it won’t have any customer names or addresses: only tokens.
This resolves a fundamental social media paradox: now you can set your social media preferences against bots if you want to, but the identity of individuals is protected. X, for example, could mark my account as being of unknown origin (i.e., I might be a human or a bot army) until it sees this attribute. Of course, X will want to see it in the form of a verifiable credential signed by someone who they can sue if it turns out I am not a person after all, but you get the point. So, when I sign up to X, I am “unknown”. When they get a valid IS-A-PERSON credential from me, then my status changes to “person”.
Personhood
The potential here is why I was so excited to see that a broad coalition of researchers from Harvard, Microsoft, MIT, the Decentralized Identity Foundation (DIF), and other organisations has put forward a major new proposal for a digital credential that would give human beings a powerful new tool for proving their authenticity online, while also ensuring strong privacy. Rather than my IS-A-PERSON suggestion, they call it the “personhood credential,” or PHC, but the functionality is the same: a service provider (e.g., my bank) issues me with a credential that identifies me by a service-specific pseudonym and attests to my existence but nothing else.
Instead of asking me to distinguish a grainy photograph of a cod from a grainy photograph of a dogfish, a website can simply ask my browser to provide a personhood credential: maybe I would then see a pop-up menu of the relevant credentials, choose one (e.g., my bank) and then use my face or fingerprint on my phone to confirm that it is my credential and away we go. Now the site knows that I am a person and even has a unique identifier that they can use for CRM (i.e., the public key in the credential), but does not know who I am, thus providing both security and privacy with no need to compromise either.
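The bank-issued IS-A-PERSON token and the service-specific pseudonym described above, as an added sketch that is not code from this article or from the personhood credential proposal. The issuer name, claim names, HMAC-derived pseudonym (standing in for the per-credential public key) and Ed25519 signature are assumptions chosen for illustration; in this simplified form the bank can still map a pseudonym back to a customer, although the website cannot.

```javascript
const crypto = require('crypto');

// Constructed issuer state (hypothetical names): signing keys and a pseudonym secret.
const bank = {
  name: 'bank.example',
  keys: crypto.generateKeyPairSync('ed25519'),
  pseudonymSecret: crypto.randomBytes(32),
};

// Same customer at the same site gets a stable pseudonym; two sites cannot link theirs.
function pseudonymFor(customerId, audience) {
  return crypto.createHmac('sha256', bank.pseudonymSecret)
    .update(`${audience}\0${customerId}`).digest('base64url');
}

// Bank side: runs only after the customer has been strongly authenticated.
function issueToken(customerId, audience, nonce, nowSec) {
  const claims = {
    iss: bank.name, aud: audience, sub: pseudonymFor(customerId, audience),
    attr: 'IS-A-PERSON', nonce, exp: nowSec + 300, // valid for five minutes
  };
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, payload, bank.keys.privateKey);
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Website side: returns the pseudonym for a valid token, otherwise null.
function verifyToken(token, issuerPublicKey, audience, nonce, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    // Check the signature before trusting anything inside the payload.
    if (!crypto.verify(null, payload, issuerPublicKey, sig)) return null;
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return null;
  }
  if (claims.attr !== 'IS-A-PERSON') return null;
  if (claims.aud !== audience) return null; // minted for a different site
  if (claims.nonce !== nonce) return null;  // replayed from another sign-up
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return null;
  return claims.sub; // account status can move from "unknown" to "person"
}
```

The nonce is a value the website generates per sign-up and passes along when it bounces the user to the bank, so a captured token cannot be replayed into a second account.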