
Comment by mattlondon

4 years ago

> We need some way of saying “who we are” on the internet in a consistent manner. That way we can communicate with others in a verified way and associate with digital data that we own. We also often need that data to be interoperable between different web properties.

Do we really need this? Do we really want to permanently tie identity across websites like this? I find this initial "need"/justification/requirement questionable.

I have a login on HN that is totally unique to e.g. Twitter and Instagram and <shudder> LinkedIn. Same with work vs personal. This is deliberate. I do not want to have the same identity here as I do elsewhere. There are many hopefully obvious reasons for this - mostly privacy (both in terms of immediate "in the moment" privacy, but also temporal privacy in the sense that I might not want some potentially ill-advised comments I made on some website 15 years ago to come back and bite me), but also it offers protections against "cancel culture" and general cyber-stalking and doxxing etc as that would become a whole lot easier if you can just run some query on a blockchain and find every single website I've ever used and dredge up my comments/content/etc. Being able to do that sounds very dystopian to me - why don't we just tattoo a barcode on our necks and be done with it?

So the thing about this is that there is no need to permanently tie identity across all sites and services you used (and provide), rather, the ability to do so when and where you need to do it.

There's nothing requiring a user to use the same identity across every service they interact with, but the option should be there. I wouldn't want my Matrix username(s) and my fediverse account(s) tied to my HN username(s), but I might want a GitHub/GitLab/Codeberg account tied to a social/messaging account while having different "personas" for different applications. Overall it's a useful tool to have in your belt, so long as it doesn't limit you in other ways.

  • So if you are not going to go whole-hog and have one true identity for everything, why bother using anything apart from an email address?

    The argument seems to be that consistency allows you to prove ownership and re-use all of your content etc across the web by tying everything back to one verified identity. If you are having different identities on different sites then that benefit disappears, and I fail to see how it is then any better than using email addresses? You end up with different wallet IDs each with their own island of content, just like you have with email addresses.

    Sure you could choose to "move" content with one of your many identities by just logging in with the ID (presumably losing all of your existing content), but we have copy-paste for that already (and I am only half-joking saying that...)

    • Well I thought I explained it effectively, but there are numerous scenarios where you'd want to use the same identity across multiple services, cross sharing of data, provable rights, etc. But that doesn't mean you're limited to one, or that you want to use it for every service you use. The benefit doesn't disappear, the benefit only applies when you want it. It isn't all or nothing.


    • Email addresses aren't really good for this. It's really easy to sign up for a service with someone else's email address, for example. Sure, if that person ever finds out they can potentially claim ownership of the account through a password reset, but it doesn't erase the fact that you have been using their "identity" for some time.


    • For one thing, I don’t have to deal with every new website’s crappy signup and email confirmation flows, broken password reset flows, login forms that deliberately break password managers, etc. Obviously Web3 has nothing directly to do with these things, but a consistent auth system becoming ubiquitous could be inherently nice.


  • It doesn't give you that ability though. The reason we use Google and Facebook OAuth is because Google and Facebook did their due diligence with the account. We would just accept any OAuth provider if we didn't care about that validation.

    And again, with these web3 identities, centralized services would still be providing the authorization even if they did not provide the authentication. I don't see what web3 identities provide.

Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.

Mostly what I care about is logins and payments which are addressed by password managers and form filling for credit cards. I just want a friction free experience for setting up an account, logging back into it, and maybe purchasing something.

And ideally I'd like to self-host, maybe with a service that looked like a NAS appliance hanging off a guest network on my router with a forwarded port through the firewall and some method for tracking my IP address (dyndns or similarish).

And ideally payments happen by a handshake between the service I run, the processor and the merchant in a way that my actual credit card details are never used. And for recurring payments I have the ability to just switch them off. Bringing all the control back to me and not leaking out reusable PII everywhere.

Of course corporations would aggressively hate that since it would destroy their business models of recurring payments for services the user is no longer using and the requirement of calling up the business and having to convince some phone operator that you really want to cancel.

  • > Yeah I think it is mostly businesses that think this is a huge problem to solve to have identities matched across everything seamlessly.

    Your comment just gave me a thought - just imagine the online advertisers using this for tracking purposes!

    At the risk of spreading FUD, it would not surprise me to learn that perhaps this web3 thing is being fuelled/funded by the existing crop of online advertising networks or their close associates? (or at the very least they are watching this situation develop with an incredibly close level of detail)

    Who needs cookies if you have a 100% reliable & long-lived (potentially immortal?) ID that the user takes with them everywhere they go online (and is the same on every site they visit) and for every purchase they make (using that wallet) online and offline?

    This would be advertising networks' absolute dream situation if it becomes widespread - users voluntarily creating their own unique tracking fingerprint and using it on all the sites they visit, as well as helpfully logging all of their purchases they make with that ID on a public ledger that anyone can mine the data from.

    It really does not get much better for the online advertising industry than that.

    If you want a cynical take on web3 and are looking for your next billion dollar startup idea, then web3 ad tracking & targeting might be your best bet :)

    • It's much like the Shadowrun SIN system. Anyone who was SIN-less basically didn't exist in the Shadowrun world. It meant you couldn't get housing, reliable work, food, or medicine. Basically, you were a nobody and everyone made sure you knew it. Similarly, mailing addresses have had similar effects in society and now not having a permanent digital presence will become another barrier to block people who found themselves not able to set up such a presence in the past or can't even afford to get online with a cheap phone. All because the corps demand a means to uniformly know who you are beyond your name.


    • > At the risk of spreading FUD, it would not surprise me to learn that perhaps this web3 thing is being fuelled/funded by the existing crop of online advertising networks or their close associates?

      Hardly FUD, of course these companies are watching. They have more cash than they know what to do with. They will acquire anything that even remotely takes off (even by the low standards of crypto).

      Google acquired their way into all of their major businesses. None of the following were built by them:

      - Google Ads (DoubleClick, acquired 2005)

      - Google Analytics (Urchin, 2004)

      - YouTube (acquired 2005)

      - Android (also 2005)

      The dates are off the top of my head, so I could be off by a year or two.


I agree that we don't need unique identities across everything, but even if that is a real problem it is also solved by public key cryptography without a requirement of a blockchain.

  • Sure but the blockchain env like Ethereum gives you that for free along with a few slick Chrome extensions like MetaMask and a JS library (web3.js) that make all of this super easy to build on.

    You don't need to make any transactions or whatever, but you're inheriting all these tools for free.

    • The reviews on the MetaMask Chrome extension are pretty scary. And it has access to view all data on all sites you visit. Is there a better way?

Private keys are cheap to make. There's no reason you couldn't have a different one for every site. Of course, then it's on you to keep track of them, but it's already on you to keep track of the credentials you're using now. At least this way, the default of "use the same creds everywhere" is secure, if not more private.

  • This is already solved by existing crypto wallet tooling too, you can create an infinite number of keys all derived from a single root key (usually a 12-20 word phrase in modern wallets). A service with access to a single child public or even private key can't tie them to the sibling keys.
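The per-site keys discussed in the two comments above, as an added example that is not part of the thread or any commenter's code: one root seed yields a separate Ed25519 login key per site, and each site only ever sees its own public key. The HMAC-based derivation, the function names and the `.example` origins are assumptions for illustration; this is not a wallet's actual derivation scheme.

```javascript
// Added example: per-site Ed25519 login keys derived from one root seed.
const crypto = require('node:crypto');

// DER prefix that wraps a raw 32-byte Ed25519 seed as PKCS#8 (RFC 8410).
const PKCS8_ED25519_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Derive a site-specific key pair. HMAC-SHA512 keyed with the root seed acts
// as a one-way KDF, so a child key reveals nothing about the root or siblings.
function deriveSiteKey(rootSeed, siteOrigin) {
  const seed = crypto.createHmac('sha512', rootSeed)
    .update('site-login-v1:' + siteOrigin)   // hypothetical domain-separation label
    .digest()
    .subarray(0, 32);
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

// Hex public key: the only identifier a site stores for the user.
function publicId(keyPair) {
  return keyPair.publicKey.export({ format: 'der', type: 'spki' }).toString('hex');
}

// Client side: sign the server's challenge, bound to the origin so a
// signature collected by one site cannot be replayed at another.
function signLogin(keyPair, siteOrigin, challenge) {
  return crypto.sign(null, Buffer.from(siteOrigin + '|' + challenge), keyPair.privateKey);
}

// Server side: verify against the public key registered for this account.
function verifyLogin(publicKey, siteOrigin, challenge, signature) {
  return crypto.verify(null, Buffer.from(siteOrigin + '|' + challenge), publicKey, signature);
}

// Constructed sample values (not real credentials).
const rootSeed = crypto.createHash('sha256').update('constructed demo root seed').digest();
const forum = deriveSiteKey(rootSeed, 'https://forum.example');
const shop = deriveSiteKey(rootSeed, 'https://shop.example');
const challenge = crypto.randomBytes(16).toString('hex');
const sig = signLogin(forum, 'https://forum.example', challenge);
console.log('forum accepts:', verifyLogin(forum.publicKey, 'https://forum.example', challenge, sig));
console.log('shop key matches:', verifyLogin(shop.publicKey, 'https://forum.example', challenge, sig));
console.log('ids differ:', publicId(forum) !== publicId(shop));
```

Losing the root seed loses every derived identity at once, so the seed needs the same protection as a password manager's master secret.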

Exactly, we do not need it. If it weren't for job negotiations I'd be making all my contributions on the net masked.