One of the great things about Gitcoin’s Passport vision is that passports can draw legitimacy from multiple credentials (pluralism), rather than de-duping via a single-point-of-failure such as the USA’s Social Security Number (SSN).
That said, “dual citizenship” presents a challenge if the end-user considers every “citizenship” as independently legitimate. (arguably, dual citizenship IRL is already overpowered even without this, but to a much smaller degree)
The fundamental choice is: if I have stamps from all of {PoH, Worldcoin, Idena, Bright ID, KYC, Web2}, what is the incentive for me to put all of these on the same passport, versus creating multiple passports?
The toy model I’ll assume here is:
- There are a number of “personhood score” algorithms `personhood(credential1, credential2, ..., credentialN)` each developer can use.
- Each end-user application delivers a payoff of `payoff(personhood)` for a given personhood score.
- Composing these functions implies a payoff function `payoff(credential1, credential2, ..., credentialN)` for the application.
- If every application has their own passport registry, one may choose a different distribution of stamps across passports per app. If every application checks the Gitcoin registry to dedup stamps, then users must use a consistent set of passports across all apps. In the latter case, each passport has a `total_payoff(credential1, credential2, ..., credentialN)`.
- WLOG, we’ll just work with one `payoff` function.
When to split and when to merge?
If there is some partition of my set of credentials such that `sum(payoff(credentials_i)) > payoff(credentials)`, then it is in my self-interest to maintain multiple passports along this partition.
If `payoff` is convex, then this will never hold, due to multivariate Jensen’s inequality (in fact, the opposite would hold - if there is someone with an orthogonal set of credentials, I should merge with them). However, personhood is explicitly meant to support concave payoffs - the problem of splitting credentials mirrors the problem of splitting tokens across wallets, in that 2x the personhood shouldn’t give 2x the payoff.
In most cases (for example, cutoff-based systems where you get the max payoff for having a sufficient number of credentials), we’ll be incentivized to split.
Cross-credential linkability?
A natural way to approach this (other than accepting only one type of credential), would be to have e.g. a Worldcoin ID linkable to a Bright ID. That way, split passports can be detected and penalized.
Not only do we need to be able to detect this link, but we should be able to detect it post-anonymization. i.e. in the following diagram, the application must be able to deduce B without knowing C or D:
There are possibly some clever cryptographic ways this could be done, but at some point someone must know A. In practice this means that information linking a face, iris, social graph, Web2 handles, etc together would be out there somewhere.
One could argue that forming this profile is both inevitable (and presents no real harm) and a necessary precondition for Sybil resistance (otherwise, how do we prevent someone from using their iris for one account and their face for another?), and it is sufficient privacy to just not link this profile to any actual activity.
Another viewpoint could be that it is unviable for communities to accept outside credentials (especially anonymized credentials) without having their own additional screens.
I’m curious to hear thoughts on these viewpoints.
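The split-or-merge condition from “When to split and when to merge?”, worked through as an added example that is not part of the original post. The stamp weights, the additive `personhood` score and the three payoff shapes are constructed assumptions; an application designer can substitute their own payoff to check whether it rewards splitting.

```python
from math import sqrt

# Constructed stamp weights (assumption, not Gitcoin's real scoring).
WEIGHTS = {"PoH": 2, "Worldcoin": 3, "Idena": 2, "BrightID": 1, "KYC": 3, "Web2": 1}

def personhood(credentials):
    """Assumed scoring rule: personhood is the sum of stamp weights."""
    return sum(WEIGHTS[c] for c in credentials)

def partitions(items):
    """Yield every set partition of `items` as a list of blocks (passports)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in partitions(rest):
        yield [[first]] + part                      # `first` gets its own passport
        for i, block in enumerate(part):            # or joins an existing one
            yield part[:i] + [[first] + block] + part[i + 1:]

def best_split(credentials, payoff):
    """Partition maximizing sum(payoff(credentials_i)); ties favor fewer passports."""
    def total(p):
        return sum(payoff(personhood(b)) for b in p)
    best = max(partitions(list(credentials)), key=lambda p: (total(p), -len(p)))
    return total(best), best

def split_gain(credentials, payoff):
    """(extra payoff from splitting optimally, number of passports used)."""
    total, part = best_split(credentials, payoff)
    return total - payoff(personhood(credentials)), len(part)

def cutoff(score):      # full payoff once the score reaches a threshold
    return 1.0 if score >= 4 else 0.0

def concave(score):     # diminishing returns: 2x personhood < 2x payoff
    return sqrt(score)

def convex(score):      # increasing returns: merging always wins
    return float(score * score)

if __name__ == "__main__":
    for f in (cutoff, concave, convex):
        gain, n = split_gain(WEIGHTS, f)
        print(f"{f.__name__:8s} gain from splitting = {gain:.3f} using {n} passport(s)")
```

A positive gain means the payoff function, taken alone, pays the holder to maintain several passports; a registry that dedups stamps does not change this, since each stamp still appears only once across the split.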