Ethereum Single Sign on - Why it's not the solution


Lately, there's been a lot of talk about Ethereum Single Sign On.

Here are the most important next steps for this project, and the problems we can expect 🙌


🤔 What is it?

Know those "Sign in with Google" buttons?

That's called Single Sign On (SSO). You have one account, and you can use it for everything.

In a way, it's like a password manager. You have one password to remember (your Google account's) and you can use it everywhere.

But the problem is ownership. You do not own your Google account. Google does.

What happens when Google deletes your account one day? You can no longer sign into any of your other accounts!

This centralised ownership gives Google a firm grip over your digital life.

Another aspect is giving Google more data than it needs. Google will know what other sites you use, and what you use them for.

The sites you sign up for will know personal details about you from your account.

Ethereum Single Sign on is meant to solve this. Let's look into it.

🙈 What is Ethereum SSO?

Instead of being tied to a conglomerate, you can now be tied to your wallet. Assuming Ethereum doesn't do anything too bad (it's decentralised, so it'd have to be approved first) you effectively have an SSO that you control.

A very simple implementation would be to take your wallet address and use that to sign into an account.

Wallet addresses are backed by a key pair, so you get PGP-style signing keys too (which is important for mass adoption of cryptography!)

No one can delete it. It's yours forever. The only risks are:

  • There is no adoption of Ethereum SSO and/or Ethereum dies out (unlikely).
  • You forget your private key (social recovery wallets are trying to fix this problem).

Another advantage is that crypto addresses the unbanked problem. People without full access to banks can use cryptocurrencies, provided they have a means of using them, like a phone; you could run a cryptocurrency account with pen and paper, but what's the point? We could use cash at that point.

It's a good idea. It solves many of the problems we currently have with SSO. But, it introduces more problems.

I feel like the cryptocurrency community isn't cynical enough about itself, so I'm going to show you the facts and let you decide.

🤑 Money, money, money

The biggest downside to using Ethereum single sign-on is that companies can see how much money you have.

Imagine going to book train tickets and Trainline sees you have £19,000 in your account.

Companies can then algorithmically raise their prices in line with how much money you have.

Some people would argue that money should be open, but in most Western countries it is not.

Advertising how much money you have can only go badly. Your family and friends will annoy you. You may even be threatened or robbed for it.

Ethereum SSO is meant to be known only to you and the company, but who's to say a leak won't happen? Who is to say that your friends don't own the site? Who is to say your very public address isn't shared amongst your friends?

๐Ÿช What are ya' buying?

On top of seeing how much money you have, companies will have a second-by-second transaction history of you. Every single thing you brought will be recorded.

Currently, it is only what stores you brought at.

As an example:

  • You spend £500 at a store with an address of XYZ
  • That address belongs to Bad Dragon, the finest purveyors of 30" erect Dragon Dildos.

Now, we've arrived at a problem:

Your boss knows you are into Bad Dragon.

Any place you sign up with SSO at will know you are into that too.

And that you spent £500 there on the 6th of January, 2020.

Now, let's gaze into the future a bit more.

NFTs are wonderful technology for proving you own something. With rare items you can often get an NFT for them. So:

  • You have it physically.
  • You have a digital receipt proving you have it.

Now what if these digital receipts were to be expanded? What if we got an NFT for everything we bought? In some ways, it'd be cool. It'd solve some problems around:

  • Tax evasion
  • Paying less tax (you need to keep receipts)
  • No paper!
  • You will always know when it was bought
  • In the future where everything is crypto, we could very potentially not have email (and/or use smart contracts for messaging in the very distant future)

Now we have exact receipts attributed to your account. Ignoring my future speculations, if you bought a villa in Italy for £20,000,000 your account may show you are poor (no money) but your NFT receipt says you are not.

This is open to abuse. The lucky among us will be abused far more than the unlucky. And without them, mass adoption of crypto is pretty much non-existent, as they run the companies which rule mass adoption.

On top of that, discrimination happens at all levels. Even a £100 gift may get you discriminated against.

A similar problem occurs when buying a house or verifying your transactions.

A key part of financial crime checking is monitoring your transactions. Your bank looks at them, mortgage providers look at them, and even your government looks at them!

Now, disregarding whether or not this is a good thing, every single company you use SSO for will know how good you are with money.

Your incomes, expenses, and what you own.

Your entire life is out there, in the public, for all to see.

Weren't cryptocurrencies meant to be anonymous?

💯 Have another one!

The simple solution to this is to have 2 accounts. One for your purchases and money, another for your SSO.

Ethereum makes it easy for this, right?

Yes, but also no. This is a stupid idea. It's single sign on. Not "have multiple accounts" sign on.

Let's look at why.

โœ๏ธ Pen and Paper

Earlier we discussed how cryptocurrency could be adopted. You don't even need a phone! Just pen & paper.

As you can imagine, double the pain of maintaining a paper account by two. It's just not going to work.

Paper is too easily lost.

You can't view your transactions unless you have a computer.

Because Ethereum is volatile you'll live every day without knowing how much money you have.

It's likely users will put their private keys on the same bit of paper as their addresses (welcome to the real world, end users are lazy).

Now, let's look at it without pen & paper.

🔗 Linking to you

Just one single transaction between your main account and your SSO accounts will link your two accounts together. Now companies will know more about you, and you've defeated the purpose of two accounts.

In the future, companies will pop up whose sole purpose is to automatically link two accounts together for FinCrime purposes. This already exists for regular bank accounts and social media accounts. It won't be long until it happens for cryptocurrency accounts.

👮‍♀️ FinCrime

Like it or not, but financial crime checking (FinCrime) is here to stay.

You know those people who say "we can't give government money out because what if terrorists get it and kill our own citizens?"

Well, that doesn't happen because of FinCrime. These people, bots, and APIs constantly check people to make sure all is okay. If there are any threats, they will be flagged and investigated.

FinCrime protects you, the humans of this world. When child trafficking rings buy copious amounts of rope, FinCrime protects the children and saves them.

FinCrime is not going away. And it will become an essential part of any serious currency.

But, not only does your government now perform FinCrime checks on you but so does every other country. And even private companies.

Using Ethereum SSO will give them this look into your life.

Imagine being turned away at the airport because you bought a gun in America: you're too much of a risk for other countries.

These private companies can now more easily track you and your purchases; they know when you've been using competitor products or what you're interested in.

I believe in FinCrime, but I do not believe in letting Facebook perform their own analysis of me 😅

✅ Checkmarks?

Whenever you sign up to a new exchange, you have to provide government identity to prove you are who you say you are.

People think decentralised exchanges will change this, but you still need to provide fiat currency.

And what about buying houses?

You saying "this address belongs to me" is not enough verification. Again, for FinCrime, you could be faking it or have stolen that address and are planning on using a new property for manufacturing drugs.

So, you need a way to verify you are who you say you are. That:

  • You are real.
  • Your Ethereum address is real.
  • You are both connected and you own that address.

In a way, we now run into a cool application of Ethereum!

I can foresee a future where governments hand out Ethereum addresses, or they verify your address.

And once it's done? They give you a little NFT checkmark. Like a Twitter checkmark but for Ethereum.

Now anytime a company wants to see if this is your address and it's real, they have a little checkmark. Ignore the fact that you may need to have your address or date of birth on the blockchain; that regulation may change in the future.

But now! No longer do private companies like Coinbase need your ID. They see this checkmark and it's good to go.

You just have to prove that the person signing up for an account is the same one that owns that address. Perfect time to sign a message with your private key 😉

👨‍💻 Anonymous Accounts

Earlier we discussed having 2 accounts. One for transactions and one for SSO.

There is a future where if you do not have this checkmark, you simply cannot transact. Why would companies risk sending products to an unverified person? Why are they unverified?

The sad truth is that you wouldn't. If I ran a shop selling soap, why on earth would I send soap to someone that isn't verified?

I am willing to bet that if you only sell to verified people, the packages will be delivered and there will be fewer complaints overall than before. Customers complain about companies not delivering their parcels, but the same companies also face the opposite problem: parcels being lost in transit, or the customer returning the product used.

Conclusion

Okay, so by now you should see that where we are currently heading is a dystopian nightmare that not even Black Mirror could dream of.

There's still hope, however! I believe the only way we can effectively go around doing this is by using private coins. But private coins do not have smart contracts (billion dollar idea for you there).

The 3 main problems are:

  1. Your balance is open.
  2. Your transactions are open.
  3. Ownership / identity / proof that you are who you say you are.

Perhaps we could use a proxy service.

This is similar to tumbling.

Many people can use this proxy to buy products, and on the proxy side it can "tumble" who bought what.

By anonymising the transactions, point (3) is easier to swallow for people who wish to remain anonymous.

But, there are 2 fundamental things we need still:

  1. A great single sign on solution
  2. Financial Crime Checks

We want to keep our transactions pseudonymous, but have them open enough for certain companies to check.

By using a tumbler / proxy service it's harder to perform FinCrime checks (unless the government runs the proxy) and sadly FinCrime checks are essential.

If the government ran the proxy services they could easily perform FinCrime checks, although typically private companies (such as Mastercard / your bank) perform these checks.

Alternatively, we could build the Mastercard of Ethereum: a bunch of proxy nodes which perform financial crime checks, take a small cut (an interchange fee) and make sure everything is okay in the world.

For now, having 2 addresses works. But it's not a perfect solution, and we may not actually get one with Ethereum remaining public.

Overall, I think Ethereum Single Sign on is a great step in the right direction.

How would you go around fixing this? Any thoughts? Reply to this article on Twitter! :)

There's been a lot of talk recently around using Ethereum as a source of single sign on.

While it might make sense since your private key is your identity, there are some large issues to it.

Here are those issues, and what we can do to solve them 👇 🧵 pic.twitter.com/qlNhhNiAiw

— (@bee_sec_san) October 14, 2021