This interview series explores different technology choices applied by business, academia, and non-profit organizations as well as innovative technology entrepreneurs to contribute to a thoughtful debate on digital identity policies, practices, and technologies.
In the second feature in the series we talk to Natalie Smolenski at the start-up Learning Machine. They are leading the way in creating open standard documentation that allows people to own the data and proof of their achievements and certifications and makes it simple for organizations to issue and verify them.
Tell us about Learning Machine - what is it you do and who do you work with?
Learning Machine is a software firm that specializes in verifiable digital credentials at population scale. So we work with governments, educational institutions like universities, Vocational Education Training (VET) training providers, and others to issue verifiable records anchored to a blockchain as a secure, global digital notary.
We developed the Blockcerts open standard for blockchain credentials with MIT. That project was open sourced in 2016, and since that time multiple institutions around the world have used the open standard to build their own software for issuing and verifying official records. Blockcerts has become a way for people around the world to demonstrate their achievements – educational and professional – and share the official records of that easily with organizations that need to check those records.
One of our guiding principles when building this technology is digital self-sovereignty. What that means is that the individual is in control of their data. They have administrative discretion over how it’s used in the world, and their access to it is unmediated.
This lack of mediation is very important because we live in a world where people are more global and mobile than they ever have been before. The existing paradigm is that a digital platform owns your data on your behalf as a service. But that’s changing now thanks to the advent of public blockchain technology, which serves as an independent verification infrastructure for the web.
So all sorts of new, interesting applications in the identity space are popping up because of that. Unmediated ownership of personal data is one of them.
My view is that personal data is akin to your body, and your rights over it should be inalienable. So in the same way that we have laws against unjust incarceration or selling of a human body, we should have laws or regulations – or even just social norms – around the inalienability of critical personal identity data.
Whether issued by a state government or by private organizations, IDs are required for social personhood today. You can’t participate in the global financial system without verifying your identity. You can’t work safely and be remunerated well without a verifiable identity. You can’t own and sell property safely and fairly without a verifiable digital identity. In short, we need verifiable forms of digital identity that individuals own so they can join the global, digital economy and build up both financial and social capital.
The ways that governments sometimes want to implement ID systems can be problematic. Sometimes, verifiable identity is provided as a service in exchange for real compromises to the privacy of their own citizens. Similarly, software platforms often compromise the privacy of their customers in the same way. The services of verification and data custodianship are exchanged for privacy.
So that is the model that we’re disrupting. With self-sovereign identity, you still have identities and credentials, but now the end user has certain rights, including the presupposition of ownership; that data belongs first and foremost to them, not to the platform. This means that their privacy and data can’t be violated with impunity.
So can you tell us more about the problem that your technology at Learning Machine is trying to help solve, and how it works?
One of the main problems we’re trying to solve is that most records today – most valuable, high-stakes official records – are still issued using traditional technologies: paper and PDFs. The problem is that not only is it really easy to issue fraudulent paper and PDFs, they’re also easy to lose and destroy.
As an example: if you’re a refugee fleeing your country, even if you’re able to somehow salvage your paper documents, verifying those records is difficult because the institutions that issued them no longer exist or the records have been destroyed.
Or another example: when Hurricane Maria devastated Puerto Rico, tax records, property titles, and vital records were simply wiped out.
These legacy formats – paper and PDFs – do work and people are comfortable with them, but they also present real drawbacks, such as the profound loss of human capital when they are destroyed or rendered inaccessible or unverifiable. When records are destroyed or lost, people who are highly-trained professionals have to basically start from scratch. They can’t validate their identity or their achievements with their records, which become effectively worthless.
To solve this problem, we need records that are digital, portable, private, held by the recipient, and independently verifiable. Meaning that there’s no one you have to call, no one you have to pay, no one you have to seek permission from to verify these official documents. That’s what we provide.
In some ways, this new form of digital record is like paper – you can take it with you anywhere, and once it’s issued, it’s yours forever. But unlike paper, it has decentralized verification properties that mean that even if the software vendor used to issue them goes away, or even if the issuing institution goes away, the records will remain verifiable indefinitely.
What do you think makes a digital identity "good?" And to what extent has this influenced the design of Learning Machine’s technology?
So the essential characteristic of Good ID from my point of view is that it’s user-centric. That means as few middlemen as possible.
This is why Blockcerts are issued in a peer-to-peer manner, directly by the issuing institution, which is one kind of user, to the recipient, which is another kind of user. Each of them have their stamp on that record.
The issuer digitally signs the Blockcert in the same way that digital signatures are used today all over the world for legally enforceable records. The issuer’s unique identifier, a public key, is also embedded in the certificate.
The recipient’s unique identifier is also embedded in the certificate, and it is sent directly to them. They then own it for life, and can prove it was issued to them, and to no one else.
So that user control – where the software vendor stops being the intermediary – is an example of an infrastructure that allows any other software provider to provide the same service. Any vendor can build their own Blockcerts issuer, giving customers a choice about which vendor they want to use. This allows software vendors to compete on enabling a peer-to-peer commerce that is critical for the globalizing world.
Unmediated access is also critical so you have access to your records and ID directly. You don’t need to have a vendor login, and you don’t need to pay money to view, share, or store your own documents. There’s no gatekeeper between you and your own data. That is critical.
Privacy is also critical. From our point of view, privacy means not only end-user discretion ( i.e. that I get to choose when and how my data is disclosed, and I self-disclose it) but also that I have real privacy-protecting infrastructure that I can use. With this in mind, the Blockcerts Wallet that we developed is a device-specific, private portfolio of records that no one else has access to. Learning Machine doesn’t have access to it, no other software vendor does; the issuing institution doesn’t either. It’s only the end user who has that access and only they choose what goes out of that wallet to share with the world.
And how does basing your technology on blockchain influence this? Is it possible to do "bad ID" on blockchain?
Absolutely. In fact, it’s possible to do terrible ID based on blockchain. Blockchain is powerful new infrastructure, and it contains extraordinary emancipatory capabilities. It also contains the potential for unprecedented social control.
There are a lot of unscrupulous vendors out there who traffic in "blockchain," thinking that the market doesn’t understand the difference between good applications of blockchain and truly terrible ones. To some extent they’re right! Most people are not technologists, so they don’t know how to evaluate these many different competing blockchain implementations.
What we always say is that, if it’s going to be emancipatory, blockchain must be coupled with a few other types of technology. First and foremost: open standards. What we don’t want to do is to recreate the worlds of the big technology giants but now on blockchain.
That would be making the same problems around data privacy and ownership worse. It would be the case that now not only do platforms own your data, but it’s in an immutable ledger (i.e. un-deletable) that they control. Any emancipatory use of blockchains precludes creating a mega database of personal data that is immutable and distributed.
Can you tell us more about the end users? Who are the people and organisations who are benefitting from your implementation of self-sovereign ID at the moment?
Some examples first on the recipient side.
One of the things Blockcerts will allow for in the long term is doing away with the need for the Apostille process which currently is extraordinarily time-consuming. Depending on the country, it can take 12 weeks to do all the paperwork associated. The document has to be reissued by the issuing body, stamped by a state representative in the country of origin. It then has to be stamped by a representative of the state in the destination country. And that whole process is very time-consuming and can destroy the official credential in the process – make it unusable for anything else.
MIT has been using Blockcerts for their digital diplomas since 2017. We recently heard a story of one of their MBA graduates who took her diploma to apply for a job with the government of Mexico. Because they were able to instantly validate it, she got to skip over the Apostille process. It’s a powerful illustration of the access that this technology provides.
Blockcerts also facilitates employment even when you don’t need an Apostille process. Our other customers have reported that students graduating from skills-based training programs, like coding boot camps, are taking their Blockcerts to software firms, having them validated and gaining employment that way. These are just a couple of examples.
On the issuer side, if I’m working in an organization that needs to issue credentials, I can bring that whole process in-house. So rather than outsourcing credential issuance to a whole bunch of different vendors, I now have oversight over it, and I keep all the digital documents my institution has issued over time. Also, when someone else needs to verify a record I’ve issued, they no longer have to check with me. So I can reduce my internal verification costs to virtually zero.
What is your sense of the role that self-sovereign technology could play in the wider effort to ensure that Good ID adopted and shared globally?
I think the self sovereign digital identity community is, and has been, articulating the salient principles of Good ID. It has a long history going back to the 80s and 90s through the "cypherpunk" movement, and culturally with the publication of influential books like The Sovereign Individual. There are many different political orientations that the self-sovereignty movement appeals to.
But the concept, at root, of self sovereign identity is a set of unifying principles that are really taking the social technology that is available today, whether that’s blockchain or web technology, as well as whatever comes next, and saying "how can we use these technologies to scale sovereignty down to the individual? And what does that mean? What does sovereignty mean?"
In political theory, sovereignty is often defined as control over a certain territory, in other words domination. I would define if differently.
Sovereignty comes in the ability to literally platform yourself and to defend yourself. So defending the integrity of the body, whether that’s an individual or a collective. And in an age of militarized hyper-surveillance where everyone is watching you at all times, the individual needs to reassert those boundaries.
Self-sovereignty can’t be a conscious act, because then the moment you’re not paying attention, you’re vulnerable. People can’t be spending all of this effort constantly protecting their own privacy and integrity. What does that mean? It means that we need to build infrastructures that do that on their behalf.
That’s what I see self sovereignty as.
What excites you about the possibilities of this technology?
I think the main thing that I’m excited about is that we’re seeing real cultural momentum behind empowering users. People genuinely want to own their data.
Whether they are individuals or institutions, they hate thinking about silos, interoperability, difficulties, having to pay for something that’s really theirs. You earned your achievements and the documents that prove them. Your identity is yours just by virtue of you being born. I think we’re at a cultural moment right now where receptivity to this technology is very high. We just need to act on it.