Taking identity management back from GAFA (Google, Apple, Facebook and Amazon)
Although perhaps hard to imagine, there are currently technologies on the horizon that have a significant chance of disrupting the domination of GAFA.
All the GAFA companies require network effects for their business models, which in turn require loyalty. The problem for users is that, over time, should your loyalties become divided for any reason (for example, you become uncomfortable with the level of personal information a single network has), the only option you have is to leave that network, therefore leaving all that personal data behind. Loyalty is therefore intertwined with identity but technology will soon create a fundamental change to that structure of identity management.
Current computing networks rely on organisation-supplied servers storing and protecting our data, effectively a ‘walled garden’ that users expect organisations to defend. Yet new decentralised peer-to-peer technologies now permit the encryption and authentication of individual data elements. This means not only no need for servers but also no need for the companies that protect them.
It’s all about identity
We live in a paradoxical world when it comes to digital identity. Rigorous laws exist to preserve the confidentiality and privacy of our personal data, yet we regularly sign away and waive those rights contractually through ‘terms of service’ that few of us read. By doing this, we then permit a staggering amount of our data to be sold and shared. Anecdotally, our collective attitude towards identity management seems to vary enormously, from paranoid to apathetic to ignorant. These attitudes tend to change depending on both demographics and nationalities. It is interesting that Generation Y, whose adult lives are likely to be heavily digitised, seem to be far more aware of personal data infringements but also less concerned, provided they know they can control ‘write’ access.
This is a worrying state of affairs, since history shows us that very bad things can happen when we relegate privacy to a ‘nice to have’ status. There is a long list of historical evidence, for example the Rwandan genocide of 1994 or the administrative efficiency in the Netherlands prior to the Second World War, which directly contributed to a high percentage of the Dutch-Jewish population (75 per cent) being identified, found and murdered during the years of German occupation.
Long periods of stability serve to weaken the importance that societies place on identity and privacy, which is particularly relevant right now. The current structure of the internet, combined with the rapid pace of change in technology and services, means we all have to accept terms we’d probably rather not. The risks and consequences of doing so are amplified by the fact that most of the ‘free’ online services and content we consume are funded through targeted advertising. The implications of this are not fully understood by most people, which is why it is no accident that legislation is changing to ensure businesses now pay attention instead.
Conflicting identity objectives
Before I go into the technology, it is worth highlighting some of the high-level issues that surround identity. In order to go about our complicated lives, we need both privacy and transparency, yet it is these conflicting objectives that cause complexity and confusion. We all both need and want the potential to be different personae, in different situations and at different times. It’s for this reason that the current fragmented management of online identity, which allows any individual to create any number of accounts and identities, is not necessarily a complete disaster. While this system is inefficient and insecure, at the very least, it has allowed us to keep some degree of segregation between our personae.
However, we’re at a tipping point. The sheer number of online accounts and identities we all try to manage is impractical and runs the risk of weak password protection. To make matters worse, there is a long and infamous list of organisations that have failed to protect our personal data.
Is data an asset or a liability?
In the internet age, the gathering of data has always been considered an asset. That is about to change. Take, for example, the new EU General Data Protection Rules (EU GDPR), which impose a number of fairly punitive obligations on all companies as to how they (and the commercial partners with whom they share data) handle the private data of EU citizens. The EU GDPR is a much-needed piece of legislation in a world that says one thing but does another with private data. It is inevitable that companies will be taken to court over breaches relating to the EU GDPR and when this happens, the idea of this data being a liability will begin to permeate through big business.
To combat these identity management failures, there has been a noticeable increase in identity-based businesses, in addition to well-publicised efforts by the likes of Google, Facebook and Apple to facilitate single sign-on services. While I applaud the efforts of some of these companies, there is a fundamental long-term disconnect between these particular corporate business motivations and the interests of the users at their core. Even if current motivations are pure, no-one knows with certainty how these companies will behave in the future. Without significant compromise, it is unavoidable over the long run for any network or service to have anything other than the protection of personal data at its core.
Let’s do it differently
What is needed is identity management at the edges of connected networks rather than at the centre. To date, this has always been technically impossible but it is this that is about to change. Advances in peer-to-peer technology, cryptography, blockchain and decentralised contributed-computing resources are about to offer us a new paradigm of digital identity and data management. These have the potential to impact the entire world around us, from the way governments are run and how we vote for them, to how we conduct business, how we fund and access curated content and how we manage our finances.
We’re at a very interesting time in computing history. Live working examples exist of decentralised peer-to-peer computing systems that enable the electronic transfer of assets, including the agreement and settlement of contracts through technologies such as Ethereum, Bitcoin and Tendermint.
There is a great deal of excitement surrounding the commercial application of these types of technologies but they currently tend to come at a cost. Specifically, the trusted provenance of these networks tends to also come with pseudonymity rather than true anonymity. Although you can interact with the networks under a name other than your own, your identity to the network will be the pseudonym you assume. While it is possible for a single user to create many pseudonyms, it is equally possible that over time, this user’s traffic or history could be used to identify them. Note that this is not inherently bad, indeed it can be desirable. It is just not desirable all the time in all circumstances.
It is for these reasons that I think blockchain technologies are an important and necessary ingredient of identity management but that they are not the complete solution. The missing link is nearly here – Decentralised Encrypted Networked Computers (‘DENCs’). The combination of both DENCs and blockchains will create the right conditions needed for identity management. It will permit the appropriate balance between transparency and anonymity, transitory records and permanence. It will allow individuals to truly control their data by permitting the appropriate level of disclosure to whatever data they choose under agreed and transparent terms.
The end of GAFA?
It is hard to overstate the impact this would have were it to happen. At the very least it would lead to a rethink of certain business models. In the same way that ad-blocking web browsers are creating panic among online businesses that rely on advertising as their primary source of revenue, an identity-based configuration as described above could have a not-dissimilar impact on the GAFA companies.
Other established businesses would also be in the firing line. A good example is Microsoft, as its dominance of corporate IT systems is partly predicated on its directory services, which could very quickly become redundant.
User loyalty to GAFA companies and other household names may be about to shift. How will that affect us all? Only time will make that apparent.
Ian Gass is co-founder of Distributed Vision, a blockchain consultancy