The other option is self-sovereign identity.<p>We desperately need to break the assumption that email is your identity. It’s like saying your postal address is your identity and if it changes everything gets messy. It doesn't work: it’s not universal and some people don’t even have addresses.<p>The problem is not that email is privatized (though I agree I’d love to see ssn@id.gov as a usable recovery address), it’s that we’re tied to it as the only way to identify people online. Hopefully webauthn will change this and as long as services accept any signature, we aren't tied to blessed identity providers. So in my book, legislation and political effort need to focus around the “right to self-sign”.<p>Less abstractly, we cannot allow Google, Apple, and Facebook to become the de-facto blessed ID providers. It’s silly and there’s no meatspace equivalent because it would be absurd like the article points out. We need to require that services accept any email (side rant and any oauth provider url so you can run self-hosted oauth) and, as webauthn proliferates, any signature.<p>Finally, we need a political solution here because this is not behavior that has or will come naturally. Platforms want to own identity for profit and lock in. Other companies using identity want to only trust certain platforms/oauth providers/vendors for “security” and product simplicity. Nobody is thinking about protecting users’ rights so we must take that upon ourselves.
Falsehoods programmers believe about digital identity: it exists.<p>Attempts at creating digital identity will invariably be gored by one of the two horns of the bull: either it is <i>recoverable</i> like a password-protected account and therefore anyone who can pass the recovery check can steal that identity, or it is <i>non-recoverable</i> like a crypto wallet address and therefore it can be lost due to carelessness.<p>Our philosophical concept of an identity is not stealable (you cannot actually become someone else, you can only pretend to be them in some way, and they don’t stop being themselves when you do) nor is it losable (you can’t stop being yourself).<p>Note that “recoverable” and “non-recoverable” are mutually exhaustive. There really is no third way here.<p>You might think you can asymptotically approximate a digital identity by making it exponentially hard for anyone except you to pass the recovery check; if you do, you’re also making it harder for <i>you</i> to pass the recovery check - you’re just offloading into the “non-recoverable” failure state (loss).<p>Likewise, you might think you can asymptotically approximate a digital identity by making it extremely easy to keep the access code so it won’t get lost; if you do, you’re also making it easier for anyone else to steal the access code - you’re just off-loading into the “recoverable” failure state (theft).<p>It fundamentally cannot be done. Instead, everything must be built to work without a Single Source of Identity Truth.
If you use the same ID with multiple websites then it can easily be used to connect them, for better or worse.<p>Meanwhile, even if you somehow had secure, irrevocable ownership of some kind of identifying name or number, websites could still cancel your account with them for any reason and keep you from logging in with that ID. They can use the ID to more easily share reputation information, similar to credit scores. Your ID could be put on a list, similar to what happens with ad blockers and lists of spammers.<p>By itself, ownership of a name or number doesn’t get you much. If you use Google to log in to a website, what it’s really providing is a minimal kind of reputation, sort of like how a captcha vouches that you’re probably not a bot. For an ID to be useful, there needs to be reputation attached, and that isn’t something you can do yourself; other people or entities need to vouch for you. It’s also not permanent. Good reputations can go bad if people decide they don’t like you anymore.<p>Instead of centralizing using a single ID, there’s a lot to be said for having multiple identities (alts) for when you don’t need reputation and you don’t want what you’re doing to affect unrelated activities.
My argument to all of this, at least in the US, is you don't need the internet to do things or be a person. Yes, it's 1000x more convenient (and cheaper) but you don't need to be online to do things with the government.<p>Maybe that changes in the near future but the internet is only as real as you make it.
Thought provoking. I like it.<p>I've long supported the "right to be forgotten".<p>But, until this essay, I had never considered the corollary "right to be remembered".<p>This real world concern is timely, relevant.<p>Nicely done.
I put a lot of blame for the current situation on the shortsightedness of turn of the century internet activists (cryptoanarchists and hackers and whatnot) who were extremely vocally rejecting any sort of government involvement on the internet.
They're already doing it in Estonia [1].<p>Is it impossible to do in the US? Why? Zero trust in government (at all levels)?<p>[1] <a href="https://e-estonia.com/solutions/e-identity/id-card/" rel="nofollow">https://e-estonia.com/solutions/e-identity/id-card/</a>
It would be trivial for governments to create email addresses for their citizens, and it would be a good idea for general digital enfranchisement.<p>The problem is that there need to be laws preventing private companies from <i>requiring</i> this identity, otherwise it would devolve into yet another unique identifier for the surveillance industry to abuse. And in the US context, we don't even have basic privacy laws. So until the abuse of basic identifiers like social security and driver's license numbers gets reined in, having the government create digital structure just feeds into the surveillance industry.
Personally I think it would be pretty badass to have a system where you could get your stuff signed by government. Rather than a digital identifier you have, what I kind of want is a website where I can go & get a trust-token stamped on something I put out, at whatever level of identity I choose:<p>"This post is authentically produced by Ged Sparrowhawk, born in Gont, living at Roke Island, a student" or<p>"This post is authentically produced by a student" or<p>"This post is authentically produced by someone living in Gont" or<p>"This post is authentically produced by someone born in Roke" or<p>"This post is authentically produced by Ged Sparrowhawk"<p>Giving the user the ability to have an authenticating government stamp their items with whatever level of identifiers they want seems like a far preferable solution to me than creating a strong identity system. Users can pick whatever fits their desire: residing on the planet Earthsea, the island Roke, the town Thwil, or the place the School of Wizards, or the room whatever there-at. Nation/state/county/town/area/street/address, whatever. Government can let us say what we want about ourselves. This is a far more interesting & flexible proposition to me than creating an identity system.
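The "stamp at whatever level of identity I choose" idea in the comment above can be built from salted hash commitments under one issuer signature. The code below is an added example, not part of the thread and not any real government service: the function names and sample claims are assumptions, and a Lamport one-time signature stands in for the issuer's signature scheme so that it runs on the standard library alone.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature: hash-only stand-in for the issuer's scheme (assumption).
def lamport_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def commit(salt, name, value):
    # Salted digest: an unrevealed claim cannot be guessed from the stamp.
    return H(json.dumps([salt, name, value]).encode()).hex()

def _signed_bytes(post, digests):
    return json.dumps([H(post).hex(), digests]).encode()

def issue(sk, post, claims):
    """Issuer: sign the post hash plus one salted digest per verified claim."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(commit(s, n, v) for n, (s, v) in disclosures.items())
    stamp = {"digests": digests, "sig": lamport_sign(sk, _signed_bytes(post, digests))}
    return stamp, disclosures

def present(stamp, disclosures, reveal):
    """Holder: publish the stamp with only the chosen (salt, value) pairs."""
    return {"stamp": stamp, "revealed": {n: disclosures[n] for n in reveal}}

def verify(pk, post, presentation):
    """Verifier: return the revealed claims, or None if anything fails."""
    stamp = presentation["stamp"]
    if not lamport_verify(pk, _signed_bytes(post, stamp["digests"]), stamp["sig"]):
        return None
    revealed = presentation["revealed"]
    if any(commit(s, n, v) not in stamp["digests"] for n, (s, v) in revealed.items()):
        return None
    return {n: v for n, (s, v) in revealed.items()}

# Constructed sample claims, taken from the comment's own example.
SAMPLE_CLAIMS = {"name": "Ged Sparrowhawk", "born": "Gont", "residence": "Roke Island", "occupation": "student"}
```

Each Lamport key pair may sign only one stamp, so a deployed issuer would use a reusable signature scheme instead. The number of digests in a stamp still shows how many claims the issuer verified, even when only one is revealed.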
An authoritative digital address increases the power of the private sector. At present, I think it will always be easy to find a new ID-card provider if your current one locked you out for your cat-video-hating ways. Having a permanent authoritative ID could actually make it harder to get services because it would be easier for the private sector to share information about you.<p>Imagine you got that address assigned, 42@id.tld. Now, every private company you want to do business with wants you to register using that ID. Now, when you get banned, they can share that ban throughout their network. Because every company requires you to register using your national email address for password recovery, you've created a system that radically expands the power of the private sector to profile you and control your reputation, if not your identity.<p>Maybe very careful regulation could prohibit companies from asking you for your government email address, but I recall the (apocryphal?) quote by LBJ, "You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered."<p>I prefer your proposed solution of some regulation that treats email like phone or utilities so there are a few protections before services are terminated.
In my country, Italy, all online public services already must accept government-issued digital IDs only, by law.<p>They come in two forms: SPID (which is just username and password + TOTP, issued by private companies on behalf of the State, but allowing you to change your provider without becoming "a completely different person" [1]), and CIE (which is the new national ID card, and can be used as an electronic ID using any NFC reader).
Additionally, some services allow logging in using equivalent eIDs from other EU countries [2].<p>[1] <a href="https://www.spid.gov.it/en/frequently-asked-questions/" rel="nofollow">https://www.spid.gov.it/en/frequently-asked-questions/</a><p>[2] <a href="https://eid.gov.it/?lang=en-001" rel="nofollow">https://eid.gov.it/?lang=en-001</a>
The article completely ignores domain name registration. I own a myname.com domain and email address with that domain that I use wherever I need real ID. I also maintain the home page with my latest contact methods. My contacts only need one thing to put in their address book, <a href="https://myname.com" rel="nofollow">https://myname.com</a>. I can move registrars easily if needed. I am also not dependent on platforms since people can always find me here if I leave a platform.<p>Edit: It does not completely ignore this option but frames it a bit restrictively. I set mine for auto renewal and use my domain at an email provider. It is not necessary to run your own SMTP.
Our contribution to solving the digital identity problem is Coze, an open source
and cryptographic messaging specification. [<a href="https://github.com/Cyphrme/Coze">https://github.com/Cyphrme/Coze</a>]<p>We use Coze to sign messages that authorize user actions, such as uploading
images, logging in, and leaving comments.
If you think government is a purely coercive entity, dedicated to enslaving humanity, why would you want the id that it provides? The reason is to access the services it licences.<p>Government and its ids, licenses, laws and monopoly on force, is not there to help. And yet, despite all the examples of how government is by far and away the cause of most problems we experience, on hn you will find endless discussion on how to best assist it. Eg here - 'what type of id is best?'. It's amazing.<p>Programmers, technologists, etc seem to be hardwired to develop the enslavement structure of everyone, including themselves, for the sake of some perceived comforts, such as a nice holiday, better car. It's literally turkeys voting for Christmas, as we plan and develop the hardcore enslavement of the future.<p>Just think - do woodland creatures need id? Does any individual <i>need</i> an id? No. It is only useful if you want to control access to this or that for others. Ie you want to force your control on others who are doing you no wrong.