part_of::[[Allen (2021) Principal Authority]]
Allen’s key move is selecting Laws of Agency rather than property law as the legal foundation for self-sovereign identity. This is not a technical choice but a constitutional one about how the state relates to individual identity.
Property law creates a sovereign grant relationship: the state issues property rights and retains ultimate authority through eminent domain and asset forfeiture. If digital identity were property, a government could theoretically seize or reclaim it — violating the very existence and control principles SSI requires.
Agency law creates a different structure. When a Principal delegates authority to an Agent, the state’s role is to recognize, respect, and enforce that relationship — not to be a party to it. The state acts as infrastructure (courts, enforcement) without becoming an authority over the identity itself. Wyoming’s 28-word definition accomplishes this structurally by saying a natural person has “principal authority” over their digital identity, not that they “own” it.
Allen reorganizes the original 10 SSI principles into three legally differentiated categories:
Category 1 — Rights of self-sovereign authority (implicit in being a Principal): existence, control, persistence, consent. These don’t require new legislation; they derive automatically from recognizing someone as a Principal with authority.
Category 2 — Duties of identity agents (require explicit codification): access, transparency, portability, interoperability, minimization, protection. These describe what agents holding identity data must do for their principals. Allen notes these are “best practices” that “need to be better codified to become true duties.”
Category 3 — Duties from Agency law (may be imported automatically): specificity, responsibility, representation, fidelity, disclosure. These are established Agency law duties that Wyoming’s definition might import without needing explicit statement, because they attach to any agency relationship under common law.
The distinction between Category 2 and Category 3 is significant. Category 3 duties have centuries of jurisprudence; Category 2 duties are new and must be developed as digital identity customs — a generational project.
Allen’s critique of banks, Facebook, and Google is precise: they are not bad actors so much as structurally misaligned. They were never structured as agents of their users; they are service providers, which carry no duty to act in the user’s best interest. The problem is architectural, not behavioral.
Under Agency law, these platforms would be prohibited from:
GDPR and CCPA address some of this, but through a data protection framework rather than an identity governance one. Allen’s argument is that the duty-based Agency framework is structurally superior: rights require individuals to assert them; duties require entities to fulfill them regardless.
The delegation structure is what makes Agency law work for SSI. When others exert Principal Authority over identity data, “they are doing so only as agents of the Principal.” This creates:
The revocability principle maps directly to portability: if a principal can revoke delegation at any time, agents cannot create lock-in. This goes further than GDPR’s data portability right by making it an ongoing duty rather than a claim individuals must assert.
Allen poses several questions requiring legal expertise he disclaims:
These are not rhetorical questions; they mark the boundary of what the article claims versus what requires follow-on legal scholarship.
Allen’s most sober observation: Agency law is built on Laws of Custom, which develop through common law over generations. Digital identity is too new to have such customs. The path from Wyoming’s legislation to a mature body of digital identity law runs through:
This process is explicitly generational. The article positions Wyoming’s legislation as a foundation, not a solution. Anyone reading this as a complete legal framework misreads the closing acknowledgment: “it’s still just a starting point.”