Proof of Personhood

The unique-human problem

A digest of "What do I think about biometric proof of personhood?" by Vitalik Buterin.

One of the trickier, but potentially one of the most valuable, gadgets that people in the Ethereum community have been trying to build is a decentralized proof-of-personhood solution.

Proof of personhood, aka the unique-human problem, is a limited form of real-world identity that asserts that a given registered account is controlled by a real person (and a different real person from every other registered account), ideally without revealing which real person it is.

There are two main forms of proof of personhood: social graph and biometric.

  1. Social graph proof of personhood relies on some form of vouching: if Alice, Bob, Charlie and David are all verified humans, and they all say that Emily is a verified human, then Emily is probably also a verified human. Vouching is often enhanced with incentives: if Alice says that Emily is a human, but it turns out that she is not, then Alice and Emily may both get penalized.

  2. Biometric proof of personhood involves verifying some physical or behavioral trait of Emily that distinguishes humans from bots (and individual humans from each other).

Most projects use a combination of the two techniques. Three efforts at tackling this problem are:

  • Proof of Humanity: you upload a video of yourself, and provide a deposit. To be approved, an existing user needs to vouch for you, and an amount of time needs to pass during which you can be challenged. If there is a challenge, a Kleros decentralized court determines whether or not your video was genuine; if it is not, you lose your deposit and the challenger gets a reward.

  • BrightID: each person holds an ID and makes connections with people they know. A social graph is formed connecting IDs and sharing personal information peer-to-peer (not with servers or apps). Fake identities are detected by analyzing the whole graph.

  • Idena: you play a captcha (common sense test) game at a specific point in time (to prevent people from participating multiple times); part of the captcha game involves creating and verifying captchas that will then be used to verify others.
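The whole-graph analysis mentioned in the BrightID item can be illustrated with SybilRank-style trust propagation from known-verified accounts. This is an added example, not BrightID's algorithm and not code from the original article; the graph, the seed choice, the round count and the cutoff are constructed assumptions.

```python
from collections import defaultdict

def build_graph(edges):
    """Undirected social graph: node -> set of neighbours."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def trust_scores(graph, seeds, rounds):
    """Spread trust from verified seeds for a few rounds, then divide by degree."""
    trust = {node: 0.0 for node in graph}
    for seed in seeds:
        trust[seed] = 1.0 / len(seeds)
    for _ in range(rounds):  # stop early: trust must not have time to fully mix
        nxt = {node: 0.0 for node in graph}
        for node, value in trust.items():
            share = value / len(graph[node])
            for neighbour in graph[node]:
                nxt[neighbour] += share
        trust = nxt
    return {node: trust[node] / len(graph[node]) for node in graph}

def flag_suspects(graph, seeds, rounds=3, cutoff=0.5):
    """Flag nodes far below 1/(2*edges), the score every node has at full mixing."""
    edge_count = sum(len(nbrs) for nbrs in graph.values()) // 2
    baseline = 1.0 / (2 * edge_count)
    scores = trust_scores(graph, seeds, rounds)
    return sorted(n for n, s in scores.items() if s < cutoff * baseline)

# Constructed sample: five real people who all know each other, four fake IDs
# that only vouch for one another, and a single link between the two groups.
HONEST = ["alice", "bob", "charlie", "david", "emily"]
FAKES = ["s1", "s2", "s3", "s4"]
EDGES = [(a, b) for i, a in enumerate(HONEST) for b in HONEST[i + 1:]]
EDGES += [(a, b) for i, a in enumerate(FAKES) for b in FAKES[i + 1:]]
EDGES.append(("emily", "s1"))

if __name__ == "__main__":
    graph = build_graph(EDGES)
    print(flag_suspects(graph, seeds=["alice", "bob"]))
```

The separation depends on how few links join the fake cluster to real people: each additional real connection lets more trust flow across and narrows the gap between the two groups.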

Some of them come with a Universal Basic Income (UBI) token, and some have found use in Gitcoin Passport to verify which accounts are valid for quadratic voting. Zero-knowledge tech adds privacy to many of these solutions.

Universal Basic Income

Universal basic income (UBI) is a social welfare proposal in which all citizens of a given population regularly receive a guaranteed income in the form of an unconditional transfer payment. It would be received independently of any other income.

Critics claim that a basic income at an appropriate level for all citizens:

  • is not financially feasible

  • would lead to fewer people working

  • is socially unjust since everyone would receive the same amount of money regardless of their individual need

Proponents say a basic income:

  • is indeed financeable, arguing that such a system, instead of many individual means-tested social benefits, would eliminate a lot of expensive social administration and bureaucratic efforts

  • would lead to unattractive jobs being better paid, with improved working conditions, because there would have to be an incentive to do them when people already receive an income

  • is fair because it ensures that everyone has a sufficient financial basis to build on and less financial pressure, thus allowing people to find work that suits their interests and strengths.

Worldcoin

More recently, we have seen the rise of a much larger and more ambitious proof-of-personhood project: Worldcoin.

Worldcoin was co-founded by Sam Altman, who is best known for being the CEO of OpenAI. The philosophy behind the project is simple: AI is going to create a lot of abundance and wealth for humanity, but it also may kill very many people's jobs and make it almost impossible to tell who even is a human and not a bot, and so we need to plug that hole by:

  1. creating a really good proof-of-personhood system so that humans can prove that they actually are humans, and

  2. giving everyone a UBI

Worldcoin is unique in that it relies on highly sophisticated biometrics, scanning each user's iris using a piece of specialized hardware called the Orb. The goal is to produce a large number of these Orbs and widely distribute them around the world and put them in public places to make it easy for anyone to get an ID.

The Worldcoin project includes:

  • World ID: a privacy-preserving digital identity designed to help solve important, identity-based challenges, including proving an individual’s unique personhood.

  • Worldcoin token (WLD): a token providing utility and giving users a say over the direction of the Worldcoin protocol. WLD is globally and freely distributed to people just for being a unique individual.

  • World App: an app that enables payment, purchases and transfers globally using digital assets and traditional currencies

Worldcoin has also committed to decentralize over time. At first, this means technical decentralization:

  1. the Worldcoin token is distributed over Optimism, an L2 on Ethereum

  2. users' privacy is protected with zero-knowledge proof technology (ZK-SNARKs): a registered user can prove that they are in the database without revealing any other information (in particular their identity).

Later on, it includes decentralizing governance of the system itself.

Biometric vs social graph proof of personhood

There are four major risks that immediately come to mind when thinking about Worldcoin and, more generally, about any biometric solution to the unique-human problem:

  1. Privacy. The registry of iris scans may reveal information. At the very least, if someone else scans your iris, they can check it against the database to determine whether or not you have a World ID. Potentially, iris scans might reveal more information.

  2. Accessibility. World IDs are not going to be reliably accessible unless there are so many Orbs that anyone in the world can easily get to one.

  3. Centralization. The Orb is a hardware device, and we have no way to verify that it was constructed correctly and does not have backdoors. Hence, even if the software layer is perfect and fully decentralized, the Worldcoin Foundation still has the ability to insert a backdoor into the system, letting it create arbitrarily many fake human identities.

  4. Security. Users' phones could be hacked, users could be coerced into scanning their irises while showing a public key that belongs to someone else, and there is the possibility of 3D-printing "fake people" that can pass the iris scan and get World IDs.

Proponents of social-graph-based verification often describe it as being a better alternative to biometrics for a few reasons:

  • it does not require collecting biometric data, making it more privacy-friendly

  • it does not rely on special-purpose hardware, making it much easier to deploy

  • it is potentially more friendly to pseudonymity, because someone can choose to split their digital life across multiple identities and keep them separate from each other

  • biometric approaches give a binary score of "is a human" or "is not a human", which is fragile: people who are accidentally rejected would end up with no UBI at all, and potentially no ability to participate in online life. Social-graph-based approaches can give a more nuanced numerical score, which may of course be moderately unfair to some participants but is unlikely to "un-person" someone completely.

However, it's worth also taking into account the weaknesses of social-graph-based approaches:

  • Bootstrapping: for a user to join a social-graph-based system, that user must know someone who is already in the graph. This makes large-scale adoption difficult, and risks excluding entire regions of the world that do not get lucky in the initial bootstrapping process.

  • Privacy: while social-graph-based approaches avoid collecting biometric data, they often end up leaking info about a person's social relationships, which may lead to even greater risks. Zero-knowledge technology can mitigate this, but the interdependency inherent in a graph and the need to perform mathematical analyses on the graph make it harder to achieve the same level of data-hiding that you can with biometrics.

  • Inequality: each person can only have one biometric ID, but a wealthy and socially well-connected person could use their connections to generate many IDs. Essentially, the same flexibility that might allow a social-graph-based system to give multiple pseudonyms to someone (e.g. an activist) who really needs that feature would likely also imply that more powerful and well-connected people can gain more pseudonyms than less powerful and well-connected people.

  • Risk of collapse into centralization: most people are too lazy to spend time reporting into an internet app who is a real person and who is not. As a result, there is a risk that the system will come over time to favor "easy" ways to get inducted that depend on centralized authorities.

What we should ideally do is treat these three techniques as complementary, and combine them all. Biometric bootstrapping may work better short-term, and social-graph-based techniques may be more robust long-term, and take on a larger share of the responsibility over time as their algorithms improve.
