Some Random Nerd

View Original

How might 'Metaverse Identities' work- and what's in it for Meta?

Among the various definitions and interpretations of 'the metaverse', there is a common thread of being able to "move seamlessly between virtual spaces".

“The Metaverse is a massively scaled and interoperable network of real-time rendered 3D virtual worlds which can be experienced synchronously and persistently by an effectively unlimited number of users with an individual sense of presence, and with continuity of data, such as identity, history, entitlements, objects, communications, and payments.”
Framework for the Metaverse — MatthewBall.vc

Today at Connect 2021, Mark Zuckerberg laid out our vision of the metaverse as the successor to the mobile internet — a set of interconnected digital spaces that lets you do things you can’t do in the physical world.
Connect 2021: Our vision for the metaverse - Meta

While defying precise definition, the metaverse is generally regarded as a network of 3-D virtual worlds where people can interact, do business, and forge social connections through their virtual “avatars.” How the Metaverse Could Change Work - HBR

These devices are gateways to the metaverse, a futuristic digital world where people move from virtual to augmented versions of reality almost seamlessly. To Build the Metaverse, Meta First Wants to Build Stores - The New York Times

For now, lets put aside the idea of the actual spaces - whether they are physical, virtual or 'mixed' realities, 2D or 3D, experienced through some sort of goggles or headset, or simply through something like a smartphone. Those are issues around how we interface with a particular 'space' - this post is focussing on what moving between 'spaces' or 'worlds' actually means, and how it might work at a technical level without some sort of centralised "identity provider".

But first - there's stuff that matters because users need to understand it, and there's stuff that matters that users don't really need to know. For example, TCP/IP technology is fundamental to how the internet works, but you don't need to understand it to actually use the internet or download a smartphone app; its part of the technical infrastructure, layers below the user experience. Operating on top of TCP/IP is the World Wide Web - which includes technologies like HTML and HTTP. You don't need to know HTML to surf the web, or to know about TCP/IP to write HTML and build web pages. I doubt that the kind of technology I'm talking about here is something anyone is going to need to understand to be able to actually 'use the metaverse'. But for a functional, decentralised metaverse to exist in the first place, it will be essential for these kinds of protocols to exist. Perhaps more importantly - once they exist for 'the metaverse', they will exist - and have important implications - for the 'normal' internet.

A Virtual Identity

Today, we have all kinds of 'virtual spaces'- the issue is that there is rarely any kind of networking or connectivity between them. For that to work, there needs to be some sort of 'virtual you' that can move from one space to another. Part of that is what you would actually see (or what others would see of the 'virtual you') - things like names, avatars etc.

But there needs to be some sort of 'identity layer' beneath all that- the unique 'thing' that actually moves between spaces (that might be running on different systems, with different owners etc.) If "you" are going to buy some sort of virtual goods in one place and take them somewhere else, then there needs to be a "virtual you" to link those virtual goods to.

At an absolute minimum, that simply means a unique identifier - an "ID" that corresponds to the 'virtual you'.

Proving your real-world identity.

As a starting point, lets consider how this works in the physical world. At its most basic, people recognise faces (a physical authentication, of sorts) - but thats not much use when we're dealing with systems at scale.

I need to prove my identity on a near-daily basis; when I want to spend money in my bank account, when I want to go into my office, when I need to convince a police officer that I'm allowed to drive my car, what I will usually do is pull out my wallet, and take out a piece of plastic measuring 85.60 mm x 53.98 mm, most likely conforming to the ISO standard

The standard works well - whether you know it exists or not - because it means anyone can make a card that will work with existing wallets, and anyone can make a wallet that will work with existing cards. Those weird measurements for identity cards look odd because they are old - in the imperial measurement system of inches (and eighths of inches) they are nice round numbers, which should give you a sense of how long those standards have been in place.

Where it starts to get complicated isn't so much about the cards, but what happens when they work together in unexpected ways. One example; I have several 'contactless' payment cards, and I have a contactless office key card; I want to leave the key card in my wallet but just hold my wallet up to the sensor - that stopped working when I got contactless payment cards, and they interfere with one another. (But I've learnt that if I keep them on opposite sides of the wallet, it works fine.)

Another example; I have credit cards (with my name, the card number, expiry date and CVV number on the card), and a drivers licence (with my home address) - individually, there is a limited security risk in either of them falling into the wrong hands - but in combination (ie. in my wallet), they have all the information someone would need to fill in a form on a website and charge something expensive to my credit card. If that someone could take and replace my wallet without me knowing, the first I would probably know about it would be when my next credit card bill arrived. (This is why two-factor authentication is so important!)

Virtual identities today

Today, you probably have a whole collection of 'virtual identities'; maybe a Microsoft identity that you use in Minecraft, and Epic Games identity that you use in Fortnite, a PlayStation identity that you use in console games, a Facebook identity that you use in Oculus/Quest. (I'm sticking with 3D spaces for this example, but this could also apply to your bank account, LinkedIn, Twitter, Reddit, emails, music subscription, SVOD subscriptions, any website that has a username/password etc. You probably have dozens- maybe even hundreds. I have over 300 passwords saved in Chrome right now.)

There's a protocol called OAuth thats in fairly wide use today. The problem that it solves is wanting to confirm your identity with one service to another, but without giving the other service your password. (eg. if you want to use a 3rd party Twitter app, but don't want to give that app your Twitter password.) Another example of this in use in virtual 3D spaces might be if you play Fortnite on a PlayStation and want to visit their website; you log into the Epic Games website using your PlayStation identity, and OAuth makes this possible without Epic Games needing to see your PlayStation password- the authentication process tells Epic Games 'this is my PlayStation ID, and you can access my data' (Or at least, some of it.)

This is great for linking pairs of identities, but it doesn't work well beyond that; you end up with a collection of 'identity pairs'- not a network of identities.

Suppose I log into Epic Games with my PlayStation identity; I now have one linked pair (almost- I'll come back to this point)- but both remain unconnected to my Microsoft identity. If I then log into Epic Games with my Microsoft identity, I now have two linked pairs; Epic Games can link all three identities - but PlayStation and Microsoft have no way of knowing that my PlayStation and Microsoft identities belong to the same person. For that to happen, either Epic Games takes on the role of being an 'identity hub' and link the two, or I need to create a second identity pair by logging into the PlayStation network with my Microsoft identity (or vice versa). Three identities - three connections.

Add another platform - say, Facebook. Four platforms means six pairs that I need to connect. Add another - now there are ten pairs that I need to connect to make sure that five platforms are correctly linked to one another.

Oh - and this is assuming that the platforms all play nicely together; that if I sign into Epic Games with my PlayStation ID, that Epic Games don't just link my PlayStation identity with my Epic Games identity in their own database, but that they will also tell PlayStation about my Epic Games identity for them to link in their own database as well. If you need to log into both services - for five platforms to link up one pair at a time means creating twenty 'identity pairs'. (For the mathematically minded; each additional platform adds n*(n-1) new directional edges to the identity network.) OAuth is - as I understand it - only a one-way connection...

So- it scales very badly, centralising 'power' within the network (because its much less effort to link platforms owned by the same company- ie. Meta can link your Facebook/Instagram/WhatsApp identities much more easily/securely than Meta and Google linking your Facebook/YouTube identities because they don't need to do a two-way link). Suppose you're with three friends in one 'space' and all want to move to another- where you're not necessarily 'friends' with both of the people you're with, and one might have never used this platform before. There's going to be friction, and it isn't going to work well.

So- there needs to be a better way of managing identities, if 'moving seamlessly between spaces' is going to be possible.

Idea for a Virtual Wallet

Suppose I have a virtual wallet, that contains a virtual 'ID card' for various online services. Each 'card' has an identifier (eg. user number) for a website/service. But its public- anyone can see my wallet, and the data that it contains. (So - no names, addresses/email, phone numbers etc.) So, I could have a YouTube ID and a Facebook ID in the same wallet, and it would let YouTube see my Facebook 'identity' without me needing to provide an 'authorisation step'.

There's a problem here - if this is my wallet that I'm in control of, whats stopping me from making my own 'Facebook card' with someone else's Facebook ID? One solution might be for Facebook to also have a list of wallet IDs and user IDs- but that kind of makes me having my own wallet in the first place redundant.

Cryptography offers a solution. Public/Private key encryption works by giving users a pair of keys that work together - messages encoded with one key can be decoded with the other, and vice versa. That means if I encode a message with my private key, anyone can decode it with my public key - the fact that it works means that they can trust that the message is truly from me (or rather, from someone with my private key - which, if I keep it private, effectively means it could only be from me.) It also works the other way around - someone can encode a message with my public key, and only I can decode that message; the encoded message can be out in public, safe in the knowledge that nobody other than me (if I look after my private key) can actually decode it.

So- Facebook has my user ID, their own private/public key pair, and I give them my wallet ID. They encode the two IDs with their private key - so only Facebook could have created the message (ie. even though it doesn't live on Facebook's server, you can trust that the message came from Facebook)- and I store that message in my wallet. Anyone who can access Facebook's public key can than get my Facebook ID from my wallet, and trust that it is actually my Facebook ID.

What if I don't want a single, consolidated online identity?

Obviously, in the real world, not everyone wants everything to be seamlessly and publicly connected. We all have secrets, with varying levels of 'secrecy' that aren't necessarily connected to what we make 'public' (For example, I might want someone interviewing me for a job to see all my LinkedIn posts, but not want them to be looking at all my Instagram photos or TikTok videos- the same way I wouldn't want someone in an interview to see what I'd wear in public on a beach.) I'm old enough that I didn't have to worry about phones with cameras and internet connections when I was an irresponsible teenager- but I'm pretty confident that this kind of public/private issue is more important the younger you are.

There's no technical reason someone would be limited to a single wallet. I might have one for my professional life (say, with my LinkedIn ID and my 'work' Twitter ID) and another for my personal life (with, say, my Instagram, a 'personal' Twitter account, and TikTok). Perhaps wallets could be linked in a single direction - so my personal wallet (visible to close friends/family) links to my professional wallet (with a more limited view of my personal life), but without any way to look at my professional wallet and figure out where my personal wallet is or what is in it.

How would that work? Maybe a secondary wallet ID that is encrypted within the 'main' wallet, using the secondary wallet's private key- so someone would need to find the 'main' wallet- out of billions of potential wallets - and be able to decode the secondary wallet ID to find it. Not impossible - but computationally expensive. ("Security through obscurity" is never the best strategy - but this is more about a selective approach to privacy than security.)

Hang on... all this "wallet" and "keys" stuff sounds familiar...

Yes- I have been deliberately avoiding a couple of keywords so far. The technology to make all of this work already exists; its how cryptocurencies and NFTs work. Bitcoins and NFTs are unique - they can't be copied, and they exist in wallets, which 'live' on the Bitcoin blockchain. Anyone can see any bitcoin wallet, and every transaction that goes into or out of it exists on the public ledger of the blockchain. For me to actually access my wallet to move bitcoin into another wallet, I need to use public/private keys to verify that its my wallet and I have the authority to make those transactions.

A key point of cryptocurrencies is that people can make financial transactions securely, without needing to trust either each another or any intermediaries. (eg. I can buy an NFT from someone without needing to trust the seller that what they are selling me is 'authentic'- something very difficult if I'm buying physical art in the physical world where the seller might not even know if the artwork is a forgery - or, on the other side of the transaction, a buyer might be paying for it with forged banknotes.)

But a disadvantage with cryptocurrencies is the speed and cost of transactions - they take some time to process, and there can be a non-trivial financial cost involved in processing the payment. For an 'identity blockchain', frequency of 'transactions' are much lower so speed of change is less of an issue, and without being so closely tied to financial incentives, the costs involved - both financial and environmental - work out differently.

An important point here is that I can use any one of the many bitcoin services to buy and sell bitcoin without ever needing to know about the mechanics of how it works - you can make real money trading bitcoin without having any understanding of blockchains, public/private keys, NFTs etc. (If you use WhatsApp, or visited a website with an address that starts with "https:", then you've used public/private key cryptography.)

In the same way, an 'identity wallet' on a decentralised 'identity blockchain' could work beneath the surface - the user experience wouldn't necessarily be any different to authenticating with a single website or service today. The fundamental difference is that, just as I can switch from one piece of software to another to manage a bitcoin wallet (or use a paper wallet), I would be able to switch between identity providers without needing them to cooperate; my identity would 'belong' to me, rather than to a corporation. Like I said earlier - TCP/IP matters to the company that provides your internet service or builds your laptop, HTML matters to the person who builds your website - not to you, the user. But it still matters.

But why would Mark Zuckerberg want this?

There's an interesting twist here; today, Facebook has billions of users - probably more than any other service on the planet. At first glance, it would seem that a centralised identity system would benefit Meta most of all - so surely moving to a decentralised system would hurt them the most?

My feeling is that this is technology that is coming- sooner or later, there are tangible benefits that will drive adoption. For Meta, the value that they have isn't in the 'identity system' but the data behind it - a Facebook account has no intrinsic value without all that data about my identity (that they can use to sell targeted adverts against), the content I share (that adds value to Facebook for my friends) and the content I consumer (that creates the space for Facebook to actually put the advertising they sell into.)

In other words, if the "identifier" moved into a public space, but all the data attached to that identifier remained in Meta/Facebook's private database, then the value of that data would only increase. The big question is whether Meta would actually be able to capitalise on that value - and whether the barriers are technical, regulatory, political etc. One thing seems certain - being in control of that transition is the best place for Meta to be.

We've seen what happens before when a technology company resists this kind of progress; Microsoft's fixation of what Windows meant in the early 1990s caused them significant problems for them in the following decades as they struggled with the broader market transitions from "PC applications" to "web", from desktop to mobile, and the growth of open source. It was only when new leadership moved their business focus from 'Windows on the desktop' to 'Microsoft in the cloud' that things truly turned around. (See How Satya Nadella turned Microsoft around | The Economist)

Essentially, its the Innovator's Dilemma.

I think Zuckerberg is smart enough to know that today's Facebook's isn't going to have the same sort of role in a decentralised 'metaverse future', in the same way that Bill Gates knew that the Windows software platform/economy wouldn't have the same sort of role in the 'networked future'. The difference is the approach that they are taking to adapt to it- Zuckerberg is moving much earlier, and much faster. That $3 billion that Meta just "lost" is really a long-term investment (very different to the $30 billion in value that Zuckerberg personally "lost" due to Apple's ATT rule changes); whether its an investment that will eventually pay off still remains to be seen, but the value that could be lost from being too slow to adapt to a shifting future is something we'll probably never be able to put a number on.

(Besides, with the changing landscape around data regulations and technologies like cookies and ATT, Meta may well have a lot of work to do in the near-term around how its data is being used anyway.)