A Critique of Gav's Personhood Mechanism Requirements

At his recent talks at Decoded and web3summit 2024, @gavofyork has introduced his ideas about digital personhood from problem statement to web3 requirements to one particular proposed solution called proof-of-ink. In the following, I’d like to reflect on the requirements he mentioned (and implied), not so much on the solutions - unless necessary to make a point.

Gav uses the term “Digital Individuality Mechanisms” (DIMs) to refer to potential solutions to the problem of digital personhood in web3 - on Polkadot specifically.

Requirements

In summary, I’d cite and/or paraphrase Gav’s requirements to:

R1 sybil-resilience: one person should be able to maximally maintain substantially less than 10 personhoods (an “order of magnitude”)

R2 no common confessional: One should not need to give up their privacy to an authority to get attested (like KYC service providers)

R3 no common key-keeping authority: No authority should have power to alone attest by use of their authorized keys (like governments issuing digital passports or web2 platform accounts, no trusted/certified hardware)

R4a generally accessible (inclusive): the mechanism shouldn’t require assets or unreasonable expense.

R4b scalable: must scale to 1 million users in first incarnation and be extensible to billions.

R5 privacy: One should enjoy privacy when obtaining attestation and contextual pseudonymity when presenting it (a unique, unlinkable alias for each context)

R6 plurality: Multiple mechanisms should be supported because there is (probably) no one-size-fits-all

R7a universal individuality: No local or community-internal individuality statements which can’t be verified by an outsider

R7b binary individuality: An account is either attributed individuality or not. Nothing in between. Gav expresses this requirement indirectly by suggesting code ensure_person(origin, context) which leaves no room for confidence levels

R8* accountability / loss of deniability: It should be impossible (very hard?) to unlinkably change an alias within a context over time (Gav omitted to state this requirement specifically, but it can be implied from his earlier statements and design of proof-of-ink )

Criticism

I generally agree with requirements R1-R6 as guiding principles for a truly decentralized solution. Some of the other requirements, however, are highly opinionated and I think Polkadot has always tried to minimize opinionation to be most generally useful.

I do challenge R7b for multiple reasons. First, such a binary judgement can in practice only be obtained by applying a threshold on protocol level (like a simple majority of citizenry judging proof-of-ink-evidence). A threshold on protocol level should be avoided whenever possible. The application layer can apply thresholds along the needs of each application. Some use cases may prefer a less strict but more inclusive confidence threshold, others may need more stringent thresholding.

Secondly, I sense a contradiction between R6 and R7b: If we allow multiple mechanisms we shouldn’t attempt binary judgements on protocol level because different mechanisms will come with different tradeoffs in commitment and effort by individuals. Attempting to apply a single threshold can only weaken the overall resilience or inclusivity.

With R7a, Gav implicitly states that global consensus is an indisputable goal. I think this is overly theoretical and irrelevant for many practical use cases. And it can only be upheld within the assumption of Polkadot becoming the single world computer - or at least the one-to-rule-them-all. What if someone copies the proof-of-ink mechanism to Ethereum instead of bridging the judgements (format duplication, but different part of body)? Which global consensus do you consider relevant then in a multichain world? And how to apply thresholds universally? This also undermines R1.

R7a also neglects the concept of subsidiarity. While the Internet is global and doesn’t care about borders, culture and circumstances are local. IMO, many real-world web3 use cases will have very local context. Why should local communities submit to the universal DIM-X if they would prefer DIM-Y which doesn’t satisfy R7a? They might still benefit from using Polkadot - if their preferred DIM wasn’t excluded because of R7a. Subsidiarity here means that the choice for a particular set of DIMs is made on the lowest possible level, by those who are affected by this choice for that context.

Even for a global scope I question universality and the need for global consensus. Let’s assume we want to use a range of DIMs for global democracy, maybe for one-person-one-vote petitions.
Let’s assume a bipolar “cold-war-like” world. Compare the trustworthyness of the following petitions with the same request:

• a global consensus petition using strictly “universal” DIMs
• two petitions: one in alliance A, the other in Alliance B, operating on their own forks
• thousands of local petitions entangled by a web-of-trust among communities rather than global consensus

Would you trust the first one on a controversial matter? Whichever alliance happens to dominate governance power in Polkadot consensus will be able to bend this result in their favor. The second option is only marginally better. I’d claim that the local community WoT is actually enhancing resilience here.

Last but not least, global consensus on Polkadot reflects economic power, not democratic representation. I would not bet on this to ever change after reading this.

Dangers

After these musings I’d like to raise a more tangible concern about the dangers of potential digital indivitduality mechanisms satisfying R8.

R8 can enable a credit score which is very interesting for applications needing a personal track record or reputation, like i.e. undercollateralized loans (mentioned by Gav in this interview). A statement like “I have never let down investors previously” could then be verified onchain. Today, there is no way how an individual can prove the absence of past loan defaults or other misbehaviours and that’s why i.e. crypto loans always require overcollateralization which does limit their usefulness. With R8, one could no longer change their alias after defaulting on a loan. You can see this as a feature: they are held accountable to their loans.

But beware! We are talking about an immutable ledger here and are discussing the introduction of a lifelong, sticky reputation system which may effectively deny any second chances. Moreover, history has shown that the same evidence can be judged quite differently in different times within your lifetime. Breaking with one’s past is a fundamental aspect of human freedom and is crucial for personal growth and dignity.

I would strongly advise against the use of DIMs which satisfy R8, such as proof-of-ink, worldcoin or other biometrics-based mechanisms.

“But beware! We are talking about an immutable ledger here and are discussing the introduction of a lifelong, sticky reputation system which may effectively deny any second chances. Moreover, history has shown that the same evidence can be judged quite differently in different times within your lifetime. Breaking with one’s past is a fundamental aspect of human freedom and is crucial for personal growth and dignity.”

We just need usable pallet for KYC. Let different chains build their own kyc, for different use cases. I hardly agree on an single kyc system. We just need a kyc or reputation system similar to stackoverflow and wikipedia in most cases. Strict kyc based apps are undesirable.

If someone want to wipeout history and create a new account delinking the old, they should be allowed to do so. Blockchains can remove those data through pruning.

Also different apps need different type of information of a person. So, just biometric or proof of ink is not enough for apps. e.g. I would have used KILT protocol kyc for my app, but it doesn’t solve the problem which I need.

Is R8 as concerning as you are making it out to be?

We live in a world where we do have a permanent identity, and actions of your past do have permanent effects (like bankruptcy and credit scores).

I don’t think the world is particularly harmed by these mechanisms today.

I do think though that under-collateralized loans are the basis on which you build a middle class society. Small towns are likely entirely populated by small businesses, which received a loan to bootstrap themselves, and provide a much higher amount of value back to their community.

In many ways, creating all of these identity systems are for the purpose of allowing for under-collateralized loans, and thus we need R8. (or an alternative which can provide the same)

Overall I really appreciate your post! Would love to see what @gavofyork thinks

Not so much where I live. The Swiss “debt enforcement register” purges default history after 5 years under certain conditions (like eventual debt fulfillment or judge ruling).

And national bureaucracy is much less efficient than a standardized database in practice which effectively yields some freedom in breaking with your past, i.e. by moving simply somewhere else. That may be a high price, sure. But it can save lives.

The other DIMs will be established through non-permanent (but maintenance needed) Sybil resistance mechanisms. Thus, it would be possible to give up your old personhood identifier, and form a new one with enough time and effort, by basically starting at ground zero again.

So you mentioning something like purging of history on the order of years could be replicated here. Indeed, proof-of-ink, may not work for this, and may not be appealing to some (or most) people, but is a perfectly valid starting point for these kinds of things.

But thankfully, the system so far is designed with the ability to create many different DIMs.