Are you really in charge of your digital identity?

Kevin Montalbo  |  July 7, 2021


Kaliya Young, “The Identity Woman”, shares why we should have control over our own digital identities.

Discussions around human identity can be a complex exercise, as it can be analyzed in various fields of study, such as biology, psychology, and philosophy.

As the world becomes increasingly digital, a new field of study around identity has emerged. This identity links our physical “real world” identities to our virtual ones.

It is called our digital identity.

However, most of it is fragmented and managed by third parties – which begs the question: are you really in charge of your own digital identity?

What is your “digital identity”?

A widely accepted definition of digital identity was written by Kim Cameron, the originator of The Laws of Identity.

He defined digital identity as “a set of claims made by one digital subject about itself or another digital subject”.

To have a clearer idea of what this is, we spoke to Kaliya Young, author of the books "A Comprehensive Guide to Self Sovereign Identity" in 2018 and "Domains of Identity" in 2020.

Known as “The Identity Woman”, Young first describes digital identity as something that’s “really complex”.

“When we started out back in the good old days of the Internet Identity Workshop, we were really approaching it from the perspective of consumers on the internet showing up and connecting to a place like Yahoo [and] Web 2.0 was just emerging. So, all of those: the usernames and passwords that you have to connect with different accounts is one shape of the digital identity.” Young shares during an interview on the Coding Over Cocktails podcast.

Why is digital identity so complex?

Just like the concept of identity itself, discussions around digital identity could become complicated, simply because your digital identity could be shaped in various ways and found in the various accounts that you use to connect to the internet. You could also easily get into several ethical and philosophical debates with regards to digital identity.

“One of the challenges has been that, because of that paradigm of getting an account from lots of places,  you could think of your phone number as a type of digital identity. It's an identifier in a network. When you call it, it rings you. An email address [is] the same thing, but all of those have this pyramid structure where you're getting your identity identifier for that particular context, and they could take it away from you.” Young explained.

To address these issues and the complexities that lie therein, Young co-founded the Internet Identity Workshop in 2005, to answer questions such as “How could we show our own autonomous digital identity in cyberspace that we could carry with us between different websites?”

“That turns out to be a hard problem that I think we've got a lot of promising emerging solutions for with SSI. But it's just a different paradigm. It's more like, ‘How do I have a digital body that I control in a similar way to how I control my physical body in physical space?’” she shares.  

The road to consumer federation

The aforementioned Internet Identity Workshop eventually became the backbone of standards such as oAuth 2.0 and OpenID Connect – standards which made it possible for digital identity to achieve a level of consumer federation.

“Consumer federation wasn't really possible before. You know, some people told us after we succeeded with both OAuth and OpenID, ‘Declared victory, go home!’ And we're like, ‘Yeah!’ – but we still haven't figured out this problem of how do I have my digital ‘me’, that's really mine and can't be just taken away, because someone decides I no longer have an account.” she recalls.

That someone, Young explains, could be big identity providers, such as Google and Facebook.

“Well, if Google takes away my digital identity, what recourse do I have? Zero. Because I have a terms-of-service contract with them that says they're allowed to do that. And I think as the digital becomes more and more important, that paradigm doesn't make sense anymore. Why should they have the right to terminate my digital representation?”

Advocating for the rights of our digital selves

Young continues to explain our digital identities are “too important to delegate to giant corporations or governments”.

She says that one of the critical things that we can do for the next five years is to make systems put the people at the centre, instead of corporations or governments.

“I was born in the province of British Columbia in Canada. British Columbia is the authoritative source of my birth date, and the name on my birth certificate, and the location of my birth. They’re the authoritative source. The question is: how can I get that information from that government? And then use it [in] other places because other places want to know my name and date of birth?”

“Should the system be architected in the similar way that OpenID is, where the identity provider is this province of British Columbia and every time I want to share my birthday, they have to phone home to that identity provider, to the province to find it out and believe it's true? Well, if that's the case then the government is becoming this hub that I have to go to all the time and it knows everywhere I share my birthdate and that's none of their business, even though they're the authoritative source of it.” she says.

While trying to make this point, Young stresses how governments are still authoritative, and this concept of decentralised identity doesn’t take that authority away.

“It doesn't make sense if I, as a citizen, need to prove those things that the government's in the way of all those sharings. And that's kind of what decentralised identity architecture is about. It’s that the individual is the pivot point for federation sharing, not the entities that hold the information or the authoritative source.” Young explains.

This form of decentralisation and control with respect to our identity is known as self-sovereign identity (SSI).

Understanding Self-sovereign Identity

The originator of the term, Devon Loffreto, states that Self-sovereign identity references the “individual human identity as the origin of source authority”.

In her book, “A Comprehensive Guide to Self-Sovereign Identity”, Young defined Self-Sovereign Identity (SSI) as “technologies [that] give individuals and organisations the ability to control and manage their own digital identifiers and manage relationships with governments, corporations, businesses, and individuals.

It is further described as an “identity layer that gives individuals the ability to assert their own identity, ask for, and receive credentials from government, corporations, and educational institutions, and securely and privately share data.

SSI is also based on a set of “standards and protocols that use blockchains to store immutable records, or to make privately stored data available to only those who have current authority to access.” This data can then be verified or revoked.

During the podcast, Young stresses that SSI and the technologies that surround it makes the individual “as the pivot” when trying to verify identity information while also preserving privacy.

“The verifiable credentials technology gives any issue or the ability to sign cryptographically—signed information that they give to you in a digital form. And you can present it to any requester, any verifier that you want based on what you're trying to do. And it's up to you to share it and not up to an airline to connect to your medical system for example –  you have the power to share it. You’re the point of federation.” she explains.

To learn more about digital identity, its various domains, as well as self-sovereign identity, you can listen to the entire podcast episode with Kaliya Young or read the transcript at the Coding Over Cocktails webpage.

The episode is also available for streaming in various streaming platforms such as SoundCloud, Apple, Spotify and more.


You might also like

Exploring the

Exploring the "edge" of the internet

The industry is currently witnessing the rise of edge computing, where local devices that capture and store data are becoming more and more ubiquitous.

Intimidated by OAuth

Intimidated by OAuth? Here’s why you shouldn’t be

According to the OAuth website, 'OAuth is the industry-standard protocol for authorization', which focuses on simplicity while providing specific authorization flows for web applications.

The risks and rewards of going cloud-native

The risks and rewards of going cloud-native

The cloud has provided the world with a new consumption model for information technology, significantly changing the way that software and servers are procured and deployed.

cta-left cta-right

Want a ringside seat to the action?

Book a demo to see how our fully integrated platform could revolutionise your organisation and help you wrangle your data for good!

Book demo