An important paper on digital identity has just been released. “Personhood Credentials: Artificial Intelligence and the Value of Privacy-Preserving Tools to Distinguish Who Is Real Online,” published by researchers at a wide range of institutions, including OpenAI, Harvard Society of Fellows, MIT, and Collective Intelligence Project, explores how Personhood Credentials (PHCs) can enhance safety and privacy for humans on an internet where AI users outnumber humans. DIF, including DIF members Microsoft and SpruceID, is honored to have contributed to this paper, and we share this as a call to action to the decentralized identity community and beyond, and an opportunity to build PHC systems the right way.
The PHC paper addresses the risks posed by AI advances to traditional identity verification methods, such as the ability to solve CAPTCHAs and create realistic human-imitating videos. The implications are clear: our existing verification methods are becoming less reliable, and we must act quickly to reduce harms associated with deceptive fakes at scale. At the same time, we must avoid overcorrecting in ways that could compromise privacy and civil liberties.
We need a new building block that allows people to prove they are human, without revealing additional personally identifying information. The paper proposes “Personhood Credentials” (PHCs) as a solution, and further establishes requirements to mitigate privacy harms that could be introduced upon issuance and use of the credentials.
These requirements are thoughtfully designed to ensure both effectiveness and privacy:
1. Credential limits (1 credential per person per issuer): The PHC issuer aims to issue only one credential per person and provides ways to mitigate the impact of transfer or theft of credentials.
a. Issuers check one-per-person requirement at enrollment: The issuer has an effective check of whether a person has already received a personhood credential from them.
b. Expiry or regular re-authentication: To mitigate the theft or transfer of credentials, there is a periodic process designed to reduce credential use by someone other than the original holder
2. Unlinkable pseudonymity (privacy): PHCs let a user interact with services anonymously through a service-specific pseudonym; the user’s digital activity is untraceable by the issuer and unlinkable across service providers, even if service providers and issuers collude.
a. Minimal identifying information stored during enrollment: The issuer associates minimum necessary identifying information between a specific personhood credential and its holder.
b. Minimal disclosure during usage: When a user presents a personhood credential to a service provider, it reveals to the service provider nothing more than “this person holds a valid PHC” or, with the user’s authorization, “this person holds a valid PHC not yet used with this service.”
c. Unlinkability by default: By default, service providers or issuers cannot trace or link usage activity across uses, even if issuers and service providers collude. The issuer, by default, learns nothing when a PHC has been used. Service providers do not learn anything when a PHC that has been used with their service is used with another service.
Verifiable Credentials and decentralized identity standards are ideally suited to these requirements – in particular interoperability challenges posed by a multi-issuer PHC ecosystem – and the time to build is now. I strongly encourage you to read the PHC paper, as it addresses broader challenges that will demand action from governments, technologists, standards bodies, and the public.
DIF's long-standing dedication to privacy-preserving digital identity, combined with our focus on Proof of Personhood in the Credential Schemas group and our work in the Applied Cryptography group, aligns directly with these principles and is focused on addressing these challenges.
We invite you to join DIF in this work. The challenges ahead are significant, but with thoughtful design and collaboration, we can build identity systems that meet the needs of the future while upholding the values of decentralization and user control.
Next steps:
- Read the paper: https://arxiv.org/pdf/2408.07892
- Join DIF: https://identity.foundation/join/
- Sponsor the Personhood Credential challenge in our upcoming hackathon: hackathon@identity.foundation
- Contact: contact@identity.foundation