Why Identity Joined the W3C

News, Opinion

Late last month, Identity.com became a member of the World Wide Web Consortium. Also known as the W3C, it is the standards body for the World Wide Web, and provides standards on everything from HTML to CSS and HTTP to XML. These open standards are what ensures that a single browser can access every website, giving users simple access to every location on the Web.

Tim Berners-Lee, the inventor of the Web in 1994, later went on to write a few principles of the design of the Web, which included simplicity, modularity, decentralization, tolerance and the Principle of Least Power. 

Let’s start with decentralization. 

Decentralization

In the aforementioned list of principles, Tim describes decentralization:

This is a principle of the design of distributed systems, including societies. It points out that any single common point which is involved in any operation tends to limit the way the system scales, and produces a single point of complete failure.

While Tim was describing the appropriate architecture of the Web, the same bottlenecks apply to digital identity. Centralized identity systems are the systems we’re all familiar with – government issued passports, email, Twitter handles and more. All of these credentials are issued by centralized authorities, be it governments or technology companies, and have the problem of a single point of failure. Additionally, federated identities (sign-in with Facebook, etc) leverage existing identity databases from centralized services like Facebook, Apple and Google, increasing usability but still relying on a single service. As evidenced in the October 4, 2021 Facebook outage, a single “command issued by an engineer during routine maintenance” can disrupt hours of operation due to network disruption. Not only did this take down Facebook, Instagram and WhatsApp, it stopped users of Login with Facebook, in accessing thousands of supported services. 

Decentralized identity systems do not suffer from the same single point of failure issues. 

Honeypots and Surveillance

Each centralized identity system enforces its own security and privacy policies (no two are the same) and require you to create new accounts. Not only does this place a mental tax on users, who need to remember all of their account login details, often resorting to using the same password to reduce the mental load. The issue remains that this data is stored in massive identity ‘honeypots’. These honeypots are prime targets for hackers, resulting in regular identity breaches (CAM4, First American, LinkedIn, Twitch and more). It is clear that centralized identity solutions are increasingly under attack and are having to increase the friction for users to improve security such as enforcing arbitrary password requirements and hardware-based two-step authentication. Yet, without an alternative, users have no choice but to create new accounts with their personal information. To paraphrase Balaji Srinivasan, “The government should not require you to store something that you cannot secure.” Decentralized identity stores nothing on-chain or in honeypots. 

Federated identity systems, while improving user experience, still leverage these centralized systems and do not solve the issue around setting and remembering secure passwords. Additionally, the federated model adds another party in between you and the centralized service, called an identity provider, and this middleman is able to track your login movements. Not only is this surveillance an invasion of privacy, it creates another target for hackers to leverage. Modern Know-Your-Customer (KYC) requirements suffer the same fate, again storing credentials in these centralized locations.

Decentralized identifiers aim to solve these issues, with identity honeypots becoming a relic of the past.

Decentralized Identifiers

Decentralized identifiers, also known as DIDs, are a type of identifier that enables a verifiable and decentralized digital identity. Between the Decentralized Identity Foundation (DIF, of which we are also a member) and the W3C DID Working Group, the foundational standards are being designed and developed, with our very own CTO, Martin Riedel, participating in the Claims and Credentials Working Group. 

At the most basic level, a DID is a type of globally unique identifier, which is simply a string of characters that identifies a resource, which is anything that can be identified: a person, organization, product, computer, car and so on. The string looks like any other web address, except it begins with did rather than http, as seen below:

did:sol:WRfXPg8dantKvUBe3HX99

This URL, a string of characters, can ultimately identify any resource, on or off the web, secured by the Public Key Infrastructure (PKI). While no Personally Identifiable Information is stored on the blockchain, it references your credentials, stored securely on your phone (or some other device). In order to access or view any aspect of your credential data, you need to first approve. Importantly, this access can be revoked at any time and any access is documented.

This brings us to Self Sovereign Identity.

Self Sovereign Identity

Self Sovereign Identity, also known as SSI, refers to giving users control of their digital identities. SSI has become the key acronym within the internet identity industry. While Christopher Allen has written the Path to Self Sovereign Identity (I highly encourage you to read his 10 Principles of Self Sovereign Identity), the key concept to me is control: You must be in control of your identity, including securing the location of your PII and the ability to choose what to disclose and to whom. 

DIDs and Verifiable Credentials (VC) are of paramount importance to SSI, and to the future, with decentralized identity taking a front row seat to the underpinning of Web3. 

Web3

There are numerous definitions for Web3, but I like how Mark Sullivan summarized it in this Fast Company article:  

While there’s no one official definition of the term, when people say “Web3” they usually mean a decentralized, blockchain-inspired web architecture that gives users more control over their digital content and currency, and where transactions depend far less on trusting a central authority such as a bank or a tech platform operator.

Web3 might be an amalgamation of technologies, including cryptography, blockchain, and even philosophy, but it is also an ethos: decentralized, open source, data privacy, ownership, SSI, and permissionless. It is a composable world, where augmenting apps is not only encouraged, but expected, and the lines between products blur.  

Right now, you are reading this on a browser running on Web2. Web1, the ‘OG’ web, was decentralized and static. A significant amount of commercialization brought about Web2, and with it we got centralization, Ajax, interaction, and companies that provide services for your personal data. Web3 is back to decentralization, but this time, with ownership, privacy and an identity layer. 

Identity Layer

The Internet was created without a native identity layer. It was built without a way to know who and what you are connecting to. This was because, (1) the number of users of the internet was initially small and (2) because the first use cases were mainly read-only and did not require identity verification. As discussed above, this relegated the task to websites and applications, and eventually centralized identity providers. Not only is this data owned by these centralized providers, it is often in their business model to sell it. And since you don’t own your online identity, you remain at risk of being hacked, manipulated, censored or lost. 

Web3 is a chance to rewrite the script and build a native identity layer. With it, users would  be able to access any services with their DIDs, streamline economic transfers, transfer their digital/physical ownership of an item or reputation across services, and so much more. This is why we decided to join the W3C, so that we can help ensure that a native identity layer is baked into the future of the internet. A future where every account is based on a digital identifier that is unique to you and is owned by no one. 

Why did Identity join the W3C? 

On 1 Sep 2021, after multiple revisions and years of design and development by the W3C DID Working Group, the Mozilla Foundation filed a formal objection to block approval of the Decentralized Identifiers (DIDs) v1.0 specification. This is years after the Mozilla Foundation’s Internet Health Report stated:

The Internet remains decentralized, but the things we do on it every day are controlled by just a handful of global technology giants. These companies are starting to look more and more like monopolies of the past. Given the importance of the Internet in our lives, this is not healthy.

Soon after, it became public that two other formal objections were also filed. This time by Google and Apple. This means that three of the four biggest browser vendors had voted to block the DID 1.0 Specification. 

These vendors blocked the specification because of their fear of the future. Web3 will not allow these entities to have control over their users or their data, ending the decades long surveillance and user data acquisitions. 

When the vote was blocked, we at Identity.com, who have followed along, and even participated, in the design of the DID v1.0 specification, were disappointed and wanted to upset the status quo. 

We joined the W3C because we wanted to join the fight for the future of the web. The future is Web3.