While scanning my kid’s birth certificate this AM, my mind wandered to Digital ID, x509 pki, and Facebook. Am I guilty of overthinking things a bit? Sure. But this time, I wrote a post about it.
Anyway, here is the child partition’s birth certificate with all the important bits obfuscated:
Just look at that thing. It’s beautiful…everything about my kid is right there on a single beautiful, crisp, official document:
- Full Legal name
- Home address
- The hospital he was born at
- Various unique identifier numbers
- Physical Description and birth weight
- The physician who helped bring him into the world
- Mom & Dad’s details, including where and when they were born
Embedded within the birth certificate is data about the authorities that issued it. Across the top blue banner is the highest authority: the State of California. Immediately below that (one might say almost chained to it), is in effect, the issuing or intermediate authority, the County of Los Angeles’ Registrar-Recorder’s office. The Seal of the County is visible in the background near the middle of the document and in the lower right corner. And of course the Great Seal of the State of California is in the lower left. Near the bottom of the document is a signature by the County Registrar-Recorder/County Clerk (an elected office) that testifies to the document’s authenticity. And you can’t really see it here, but there’s a physical stamp on the document you can feel if you run your fingers over it that serves as, in effect, the fingerprint of the issuing authority. In fact, the whole document feels more like a crisp & clean $20 banknote than it does a piece of paper. There are ridges and subtle impressions all over this thing beautiful document signifying when my son came into the world!
With this single document, my child is entitled to the following:
- He is automatically an American citizen
- He is automatically a resident of the State of California
- He can apply for and receive a United States Passport
- He is entitled to attend public school at no cost
- He is entitled, when of age, to legally work in this country, to vote, to marry, to serve in its armed forces, and to contribute to and receive various social benefits
The United Nation’s Convention on the Rights of a Child says that registering every child born is so important it is a human right. To borrow a term from my 80s self, this is pretty heavy stuff.
Now if you’re a technologist, like I am, some of the words above might have tickled your spidey senses. Certificate. Issuing or Intermediate Authority. Seals. Signatures. Chained. Stamps. Authenticity. Identity. Authority. We practitioners of technology are quite familiar with these terms and how they work in the digital world thanks to the Elders of the Internet who developed, over time, the standards we all depend on today for security & identity on the internet: x509 Public Key Infrastructure.
I think x509 PKI is one of the least appreciated yet most important systems ever designed by humans, more important even than the plumbing technologies on which the internet depends on today. x509 PKI is an incredibly elegant system that provides encryption over untrusted networks (the how), identifies with cryptographic certainty the parties involved in digital transactions (the who) and bundles it all up into a neat digital organization chart that anyone can inspect and look at any time (the what).
But x509 PKI is much more than just an elegant set of tech standards. It functions as a digital overlay of our existing, stable and analog identity system, which begins with the Birth Certificate issued to you when you are born and ends with a Death Certificate issued to your family when you die. In this way, x509 PKI is a profoundly democratic and empowering system that takes our real world identity system and makes it available to us over the world’s largest untrusted network, also known as the internet.
The problem is nobody knows that, nobody cares and even those who do aren’t entirely comfortable with extending it past the way it’s currently used.
We have a big problem on the internet today: all of us operating on the internet lack any sort of Digital ID that mirrors the real world identities that have been issued to us by our nation-states. Much of the angst and concern and outright abuse on the internet could be solved if we the people had a Digital ID that, built upon x509 PKI, cryptographically proved our identity during certain important transactions on the internet.
How would that work and what would my Digital ID look like? That’s the beauty of x509 PKI, part of this has already been solved: a Digital ID would overlay the way in which you are identified by government & legal systems in the real world. As to the form it would take? It could and should be as simple as a credit-card sized device issued to you by local authorities, which you own and care for, and which identifies you and chains up from the local issuing authority to your state/province or nation, just like the Birth Certificate my son was issued.
Having been issued a Digital ID along with a Birth Certificate, my son, once he was of age, would ideally have the choice of where and when to use his Digital ID on the internet. I say ideally because implementation of Digital ID is the fuzzy grey area problem that really needs to be solved in the public square. In my view, a Digital ID should not be required to use the internet (say to search it or read from it), but may be required by companies or institutions that provide services on the internet (such as posting information in a public forum in social media that requires real user names).
For instance, maybe a social media provider that requires users to post as themselves would require you to submit your Digital ID for verification. Public clouds might require your Digital ID whenever you make an assertion that you are who you say you are (such as when you ‘sign’ a digital PDF). You could use your Digital ID when you apply for a job online, or to digitally sign documents you own or any scripts or code you write**. It could be used for a lot of things, but it should be your choice when to use it, and ideally you’d have the right to revoke your Digital ID from any service you wish to part ways with.
Are there serious privacy and security concerns about Digital ID, even in my vision of it? Yes of course. I can’t present a solution for everything here, nor is it my job to. And I’m certain anarchist-techno-libertarians would fight to keep the internet fully anonymous, but I and a growing number of people aren’t happy with how those values have shaped the digital public commons we now collectively inhabit.
I am convinced existing democratic systems, with expert advice & counsel, could legislate a decent Digital ID system that maps most of the things I do online to my real-world identity and is owned by me and me alone. Moreover, I feel that there has been an incidental and favorable ‘split’ in how society uses the internet that suggests Digital ID could work to solve many of the problems. For instance, many people hardly use a browser or a PC at all anymore; their primary compute device is a mobile phone, and their only interface to the internet is the Facebook app. Many others are still using the internet as we’ve used it for the last 30 years: to search, find, and view information. Requiring a Digital ID to be used before posting information to the former would not necessarily mean it’s required while using the latter.
The problem is no one is having this conversation. Digital ID is not on the agenda anywhere in the west, and only India has embraced it at scale. That’s not only frustrating, it’s really dangerous because the only alternative to Digital ID is going to be something like China’s Firewall or outsourcing identity to a private corporation like…
Facebook is in the crosshairs on multiple fronts, and rightly so in my view. The sheer scale of Facebook is incredible.
Let’s do a little thought experiment so we can appreciate the scale of this thing: imagine Facebook as an online society rather than a multinational corporation, Facebook is populated with 2 billion humans and overseen by about 17,000. At the top of this online nation-state is a C-suite, just like other corporations. The Chief Executive of this online society is Mark Zuckerberg. With him at the top are boards of directors, but Zuckerberg calls the shots in the Kingdom of Facebook.
The two billion residents of this online society labor without compensation for Facebook, creating then giving data to the giant for free. Every photograph, video, along with data on all the things the residents like and dislike and talk about, is given by the residents to the people who own the kingdom. No compensation is given back to the residents of this nation-state for their work, which means Facebook is historically somewhere between a mercantilist nation-state or a kingdom that extracts wealth from its residents/subjects.
In return, the Facebook nation-state publishes news, information, and photos/videos/posts from other friends and family who are resident in Facebook. Lately, Facebook is under fire because it does zero to authenticate whether the information its residents consume is genuine. More than that though, it freely makes available to anyone anywhere at any time tools that allow bad actors to reach out and influence any group or sub-group of its residents for pennies.
The other important thing about the Facebook kingdom is this: unlike the stodgy old democracies of the real world, the residents of the kingdom of Facebook have no vote or say in how this mercantilist society is run. In the kingdom that Facebook runs, people do not have rights and there is no rule of law. There is only rule by fiat, so the rules tend to follow that which is good for shareholders.
Government issued Digital ID would solve much of this problem. Facebook knows it and the US Government knows it. But there’s more than enough hubris and conceit in Facebook & Silicon Valley in general that you can bet in the next six to 12 months, someone in Silicon Valley will propose the outsourcing of Vital Records to private tech industry players. And because of our dysfunction in Washington, we’ll likely let them.
I don’t like that future and we should be having a conversation about Digital ID to forestall it from happening.