Despite all the hype, we don’t know what the metaverse will eventually look like. But whatever its eventual visual form, questions of identity should be ironed out now, at the formative stages.
We can assume that the metaverse will be a richer and more complete form of virtual reality, or augmented reality, than anything we’ve seen so far.
The main technology enablers will be more compute power, better mobile technology, better connectivity, and better AI to create lifelike experiences.
Let me say up front, though, that I don’t believe there’s any fundamental call for decentralisation technology, shared ledger, blockchain, or NFTs. Indeed, none of that is even helpful here.
These new VR/AR platforms will be centrally managed for any number of commercial and performance reasons. Any decentralisation technology in a metaverse hosted by data companies will only be for show and to allow them to brag “We’re on the blockchain”.
Far more important will be the authenticity and reliability of data about people and other entities in the metaverse. And by “data about people” I mean much more than “identity”.
Yes, it’s important that we can know reliably that the animated avatar we’re chatting with does indeed represent our friend Sarah Turner. But we might also need to know that her avatar is currently under her proper control, that her physical location is where she says it is, and that her pleas to send money are genuine.
Data about people and things will need to be radically more reliable than in Web1 and Web2 today. That will be an enormous challenge.
Indeed, in a wholly synthetic metaverse, what does “authentic” even mean?
Some of the questions we need to answer are deeply philosophical. So far there are few answers.
What does “identity” mean in an unreal world? Will we have to agree on what counts as a “real” identity under the covers? Will there always be biological or “legal” identities behind every metaverse entity? What happens when metaverse entities create completely synthetic digital children? Will there be levels of identity that bottom out somewhere?
I want to shift the focus away from these mind-bending puzzles about identity and focus on data and the truth. That in turn will lead us to consider issues such as data quality and data protection.
If you’re dealing with a digital entity in the metaverse: What do you need to know about it? Where will you get the knowledge you need? How will you be sure the knowledge is true, or at least true enough?
These questions are subtly different from identity, and I’ve tried to frame the questions independently of “reality”.
What is “real” in the metaverse anyway? Does it even matter? Maybe “real” only means “we are confident this entity has a corresponding physical twin” — although at this stage it isn’t clear to me that physical twins will always be needed for every kind of entity.
What we definitely need, though, is agreement on the sources of truth for data. We therefore need properly reliable data supply chains.
If you or your metaverse entity have some data about another entity, then you need to know where that data has come from, whether it has been processed, and by who, using what algorithm.
You’ll need to know its age, and any terms and conditions for its use. In many cases it will be sensible to have warranties over data, so that the data supplier will accept responsibility for its quality.
We therefore need more than algorithmic transparency. We need complete data supply chain traceability.
In most cases, if not all, virtual entities in a metaverse will need to have corresponding cryptographic keys, with assurance of the quality of those keys, and of their ongoing custody or possession.
Maybe one day fully autonomous virtual entities will have their own keys — but I hope that for the foreseeable future, those entities will be anchored to real-world high-quality cryptographic keys.
Web3 actions are going to get richer, faster, deeper, more automated and more impactful very quickly, so we need to protect the human users with more energy and clarity than we do today on Web1 and Web2.
We therefore need to very gently ease our way into these new augmented and virtual realities. We need sound, transparent and accountable anchors between the virtual and the physical.
Let’s assume that fully synthetic realities are a long way off and that, at least for now, every metaverse entity will have a corresponding real-world twin — some individual or other legal entity that can be held responsible for things that happen in the metaverse.
The challenges where are both conceptual and technical.
Conceptually, we didn’t think clearly enough about identity in Web1 and Web2. We over-egged identity, making it too complicated online.
Technically, we didn’t have the proper focus and determination to harden identity data against theft. Identity and authentication are treated in a piecemeal fashion in every use case, with no consistency.
Identity as a technology has become costly and confusing, and thanks to all the soft spots and weak links, it sets people up to fail at the hands of identity thieves.
We can solve the conceptual and technical issues at the same time by framing the problem in terms of verifiable claims and attributes.
Our approach to payment card data illustrates this approach.
The payments world has worked hard on a consistent set of cryptographic standards so that all cards are verifiable and all card-present transactions are digitally signed.
Mobile wallets now have the same security as cards confirming to the EMV-standard (Europay, Mastercard, Visa) thanks to secure elements in handsets. New web browser payments protocols are bringing consistency and cryptographic strength to internet payments.
If we treated digital identity as another form of data, we could make all personal data just as secure as payment cards, and just as portable. We should.
Ultimately, I envision a new taxonomy of metadata so that all data in the metaverse, about all the things both “real” and “virtual”, comes with signals about its origin, terms and conditions, reliability, warranty, and so on.