Interview with Kaliya Young (co-founder of the Internet Identity Workshop and author of the Domains of Identity)
If you follow Kaliya Young on social media, two things are immediately strikingly clear: Kaliya is one of the world’s foremost experts in Digital Identity and she is a strong advocate and a firm believer in a more diverse, inclusive and humane tech industry.
Mark Zuckerberg is famous for his motto of “move fast and break things”. This hacker mindset, which favoured speed and disrespect for the status quo in order to build, learn and blitzscale quickly, spread like wildfire in Silicon Valley.
According to Reid Hoffman, co-founder at Linkedin: “early-stage startups are a lot like pirate ships. Pirates do not convene a committee to decide what to do – they strike quickly, break rules and take risks. And you need this buccaneering spirit to survive when the cannonballs are flying and the odds are against you”. (source)
Start-ups became romantically associated with pirate imagery and spirit. (Steve Jobs even coined the phrase: “It’s better to be a pirate than to join the navy” and hanged a jolly roger in the Apple offices). Entrepreneurs were swashbucklers abiding to no law and order with only one focus in mind: grow their ship.
Kaliya, co-founded the Human First Tech movement with Shireen Mitchel. They think this mindset actually “broke democracy and bulldozed key aspects of social systems that are good for human communities”.
The Human First Tech stands for three key changes in the tech culture:
- Humanness has to come first in all stages of tech development. Tech has to be “rooted in emotionally healthy adulthood with good boundaries, and clear agreements first”.
- Actively center communities that have been marginalized in the creation of Web 1.0, Web 2.0 and Social Media and involve them in the tech creation process.
- Anticipate and design with awareness of threat models and “bad actor behavior” that may inevitably arise rather than be surprised by it.
A reflection on the culture of tech is necessary as a revolution in tech infrastructure is approaching.
Self-Sovereign Identity, a model of identity management where users are in control of their digital personal data, will change how people interact with institutions, companies and with each other. Being in total control of that relationship. For the first time, users can be the sole owners of their data and be able to decide who to share it with and how much of it to share. Enabling a safe and private interaction online. Kaliya is a proponent, one of the first ones, of Self-Sovereign Identity but also one of thinking consciously about who is sitting at the table where the decisions on this new technology are being made. As this seismic shift in the tech infrastructure has to serve “a broad and inclusive group of people” and avoid repeating the error of prioritizing tech over people. With a purposeful deliberation on “who should create, control and benefit from people’s identity information”.
This moment, the infancy of Self-Sovereign Identity, is the best time to act.
The Domains of Identity
Kaliya Young is, along with Phil Windley and Doc Searls, the co-founder of the Internet Identity Workshop. An event that “has been finding, probing and solving identity issues twice every year since 2005”. She holds a Masters of Science in Identity Management and Security and was named one of the most influential women in tech by Fast Company Magazine. Kaliya is the co-author, along with Heather Vescent, of the Comprehensive guide to Self-Sovereign Identity and her Masters report, Domains of Identity, provides us with a framework on the several domains of identity where personal data is stored in databases.
Using that framework, Kaliya walks us through the idea that identity is socially constructed and contextual. It’s who we see ourselves to be, who we present ourselves to be and how we are seen by others. It depends on social contexts such as family, groups, institutions and organisations we are part of. All these contexts attribute us different identifiers. The government attributes us an ID number or a passport. The University gives us a student number. For the hospital we have a patient number.
She states that the proliferation of the internet brought us even more identifiers. Such as usernames and passwords, emails or URLs. But these digital identifiers are not truly ours. We are renting the url name to a domain provider or our phone number to the phone company.
With no control over our identifiers we have no control over our personal data. So how do we own our digital identifiers? This is the question that Kaliya has been trying to answer for 15 years.
The 16 Domains of Identity, as described by Kaliya, are:
1) Me and My Identity: where and how the individual stores his own personal data.
2) You and My Identity. The cases where a person – like children or elders – need their identity management delegated to someone else.
3) Government registration. Including the registrations our parents do on our behalf and all those we do for ourselves (i.e driver’s license).
4) Government Transaction. Where we use the identity provided to us by the government to access other services (i.e: car registration).
5) Civil Society registration. Comprising all the organisations and institutions the individual has a relationship with. Schools, health facilities, sports teams, etc. All these institutions issue their own identity credentials.
6) Civil Society transactions. Where the individual uses the identity provided by the above mentioned institutions to access services.
7) Commercial registration. An identity registration used to access commercial services. Cases such as a loyalty card, airline miles, etc.
8) Commercial transactions. Using the identity provided by the commercial entities to access services from them. Like using discounts, using the airline miles, etc.
On the domains pertaining to Surveillance, Kaliya specifies that there are 3 types of surveillance – Voluntary Known, Involuntary Known, Involuntary Unknown – and each domain has levels of each one.
9) Government Surveillance.
10) Civil Society Surveillance. Examples of voluntary known would be CCTV from a school or a heart monitor.
11) Commercial Surveillance.
12) Employment registration. Job applications and the consequent process of being onboarded in a company (where the company will attribute credentials to him or her).
13) Employment transactions. Using the above mentioned credentials to do work.
14) Employment Surveillance.
15) Data Broker Industry. Using data from all the above mentioned entities and reselling it to the commercial sector.
16) Black Market. When criminals or state actors take advantage of personal data from all the above mentioned domains and use it on the black market.
Self-Sovereign Identity would allow for the individual to be at the center of all these relationships and manage them in a less complex, more private and secure way.
Note: the Domains of Identity are CC licensed with attribution.
You’ve been a leader in the community of User-Centric Identity/Self-Sovereign Identity for the past 15 years. What are the most positive changes you’ve seen happen during those 15 years?
We have created open standards that have been widely adopted (OpenID, OAuth, SCIM).
We have, through the processes of iteration and experimentation, grown community based knowledge about what “doesn’t work” or at least is unlikely to work from past experiences (Information Cards and Mozilla Persona being two examples).
In the past several years we have collectively innovated the emerging standards around self-sovereign and decentralized Identity.
In the field of Digital Identity, what is the question that people should be asking more but aren’t?
This may sound weird… but step way way back and figure out what you are actually talking about.
Much of the material from the World Bank talks about “Digital Identity” but in this they think of it as a government issued ID in digital form, and primarily one that resides in a centralized government database. This is indeed one type of digital identity but the community around what was called user-centric digital identity that I got my start in begins with the premise of people having digital representations of themselves in “an online world” and then asks the questions how are they actually under the control of the person and can they be “owned” by the person instead of the company or site that that person is interacting with.
Can the digital avatar created in one (digital) place be ported by the person who created it to another (digital) place – just like bodies in the physical world can move from one location to another. Still another definition of digital identity centers on how enterprises manage the ID of the people who are their employees. I wrote the Domains of Identity. I just signed a contract with Anthem press and it is coming out as a real book this winter.
Right now the questions need to be about what do the customers who will be early adopters of this technology really need.
How do we really make this stuff interoperable?
Specific roadblocks other people in this space should look out for?
Not actually doing technical due diligence on systems.
Not understanding the deeper motivations of different actors in the systems.
What are your hopes for the future of Self-Sovereign Identity?
We can live with the tensions between those who believe permissions vs those who believe in permissionless systems. They will both exist in the future no matter what.
We can continue to innovate via collaborative highly participatory forums.
We can center the needs of real people. We can broaden the diversity, equity and inclusion in our community so that the whole range of human experience is in the room.
What is the book (or books) you have recommended most to others?
Obviously my book on Self-Sovereign Identity 🙂
My forthcoming book on the Domains of Identity.
I would recommend folks read the Augmented Social Network: Building Identity and Trust into the Next Generation Internet. This is what inspired me to work on digital identity way back in the beginning. It’s well worth the read today.
Tykn is a digital identity company. If you’re keen on reading more we suggest:
- – Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)
- – This Definitive Guide to Identity Management with Blockchain.
- – Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
- – Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.