World Economic Forum: Why We Need to Regulate Digital Identity in the Metaverse

On the internet, most people don’t have a digital identity that they own. Instead, they deposit information about themselves with a website or app, which then can use that data in several ways, one way being the ability to monetise it. If users are to move across multiple digital platforms and the metaverse as themselves – in terms of their digital identity, rather than as fragments of information held by other parties – then they will need a unique digital identity, owned or controlled by them. In a sense, one aspect of this already exists, in being able to log in/authenticate to one site using credentials from another, such as Facebook, Google or LinkedIn.

However, this portability of authentication does not create a digital identity owned, managed and controlled by the human being to whom that information and identity belong, and is still a facet of someone else’s data monetization programme. If users become the owners of their digital identity, then there will have to be standards so that they can be recognized and authenticated in different places. It is not yet clear who will create these standards, or how such standards bodies might be funded.

Corporations that hold user data are subject to rules and regulations in their handling and use of that data. That those rules and regulations could be considered too little and too late shows the lag between the speed of governments and the speed of technological innovation.

Issues of digital identity regulation in the metaverse

If in the metaverse users are the custodians of their own data and digital identity, what, if any, rules and regulations will apply to them? How do they maintain and protect their data? What recourse would they have if some or all of it, even their entire digital identity itself is stolen, modified, or cloned?

If users as individuals aren’t the final guardian of this information – their digital twin – then who is and can they be trusted? If it is the users themselves, we must consider what obligations and responsibilities that places on them rather than/in addition to that that third parties currently hold on aspects of their identities and behaviours.

Much has been made of blockchain as a mechanism whereby we could store not just our identity, but all our interactions. But where would a user’s blockchain be stored and how would it be authenticated?

If someone other than the user, such as a corporation or government entity holds it, can the user be sure that their digital identity is both safe and won’t be used against them? Someone must own the first block in the chain and the incidence of crypto theft suggests there is much to be done in the area of cybersecurity, as well as the sheer breadth of its task and issues of trust, regulation and ensuring users are aware of their rights and risks.

Would users really want to store everything? Would they have the ability or, as some would argue, right to be forgotten and what happens to that data when they die? Will there be an opt-out ability? The question of who can add to a user’s digital identity – and what can be added or deleted – is likely to remain open for some time.

Similarly, where do the boundaries lie between a digital history such as proof of purchase or of being in a particular digital place at a particular point in time, with the right to privacy, while at the same time being open to abuse by actors of all sorts?

Will a digital history allow authorities to go on ‘fishing expeditions’ of the type expressly prohibited under US law? To repeat the earlier question, in the Metaverse, how long will users’ digital trails stretch and how comprehensive will they be? If blockchain is the core technology, potentially very long indeed.

Will users be able to have multiple identities, or adopt new ones? Although it’s easy to assign nefarious or criminal motives to such actions, the ability to escape from oppression, bullying and abuse are arguments in their favour. So where does the balance lie, and who decides?

Who will manage and regulate digital identities? Can someone, or some organization, be trusted to be who they say they are, just because they say it? And if not them, then in whom do we place our trust? Trust, together with confidence, is everything. We should be mindful to create systems that minimize the risk of falsification of information, yet without the computational overhead of a bitcoin or similar.

Many of the same questions could be asked when it comes to the corporations, businesses and public entities that will exist, either in multiverses, or in creating their own. Who can be trusted to own, and to relinquish ownership of, the digital identity of a multi-billion dollar metaverse business? Again, who controls the first chain in the block?

Digital identity could be based on existing physical ones

One possibility is that, like a user’s identity in the physical world, their digital identity will be composed, at least in part, of existing methods of authentication such as a driver’s licence, national insurance or social security number, passport, or retinal and fingerprint information for individuals, while corporations could refer to a company number or operating licence. These could perhaps exist as an object or marker within an overall digital identity that serves as a mark of authenticity, not dissimilar to a stamp in a passport, for example.

It seems highly possible that in the future a user’s digital identity will not be a single entity, but rather a unique core linked to a myriad of other digital entities, resulting in a web of highly complex and inter-connected information strands. Data fragility potentially comes into play here, especially where deletion or falsification of data in one record or system creates potentially large waves of data inconsistency and broken connections in associated data strands.

Resiliency of systems and systems of record to withstand these inevitable events will arguably need to be built into digital identity architectures at inception.

Source: WorldEconomicForum