May 20, 2024 • 28 mins
Lockstep's Steve Wilson just appeared on the NAB Digital Next podcast with host Alysia Abeyratne. NAB has kindly allowed Making Data Better to repost the podcast here.
If you want to understand how to untangle the knots we’ve tied around identity and identification online, take a listen.
Alysia asks important questions and Steve provides really crisp answers and explanations on:
- The evolution of digital identity
- Verifiable credentials
- Commentary on Australia’s Digital ID legislation.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:12):
Welcome to Making Data Better, a podcast about
data quality and the impact ithas on how we protect, manage
and use the digital datacritical to our lives.
I'm George Peabody, partner atLuckstep Consulting, and I'm
here to plug and play a recentepisode of the NABD Digital Next
podcast with host AliciaAbratney and my partner at
Lockstep, steve Wilson.
(00:32):
If you want to understand howto untangle the knots we've tied
around identity, take a listen.
Important questions and Steveprovides really crisp answers
and explanations on theevolution of digital identity,
verifiable credentials andincludes some commentary on
Australia's digital IDlegislation.
(00:53):
So let's get to the NAB DigitalNext podcast.
Speaker 2 (01:01):
Hi, I'm Alicia Aberatney and welcome to NAB
Digital Next.
Today, we have the privilege ofbeing joined by Steve Wilson, a
true pioneer in the field ofdigital ID.
Steve is a leadinginternational authority on
digital ID, cyber security anddata protection, with over 35
years experience as an innovator, researcher and advisor, and
has been doing digital ID sincewell before.
(01:22):
It was cool.
Steve holds six patents, threeof which are in public key
security.
Steve is a co-founder ofLockstep Consulting and advises
governments globally, including,most recently, helping to
develop a mobile credentialswallet for the US Department of
Homeland Security and advisingthe New South Wales government
on their leading digitaldriver's license initiative.
(01:43):
In 2018, steve was described asone of the most original
thinkers in digital identity inthe world today, something which
certainly continues to ringtrue.
I first had the great pleasureof meeting Steve at a roundtable
NAB hosted on Digital ID lastyear, where he generously shared
so many gold nuggets and wisdom, which we can get into later in
the episode.
(02:04):
But without further ado,welcome Steve.
Thanks so much for being on NABDigital Next.
Speaker 3 (02:09):
Oh, what a pleasure, Alicia.
It's great to be here.
Thanks for having me.
Speaker 2 (02:13):
Thanks, Steve.
So one thing that reallyinterests me about digital ID
and this field is the diversityof journeys to working in this
area.
Before we dive in, it'd begreat if you could share what
was your on-ramp to digital IDand what drew you to dedicate
much of your career to workingin this arena.
Speaker 3 (02:31):
Oh, wow, thanks for setting this up so nicely.
So everybody's got a differentbackground, for sure.
Some of us come from like hardengineering, so my start was
software engineering.
I worked for a pioneeringmedical company in Australia
developing software forpacemakers.
So you know very highreliability, what we call
(02:54):
tightly constrained, like notvery powerful computers and not
much memory to play with.
So I learned the art of qualityand hard engineering, which
were skills that kept comingback as we get into security.
But then I flipped accidentally.
I needed to change jobs and Ipicked up a job running software
(03:17):
development for a startupcompany in Australia.
It went on to become BaltimoreTechnologies, which was a famous
PKI and smart card companypublic key infrastructure.
So I was there at the dawn ofe-commerce.
This is 1995.
And Australia was leading inthe area, leading in PKI.
We were part of the APEC TEL,the Asia Pacific Economic
(03:41):
Corporation, working one-signatures and
e-authentication and some prettyweird stuff, even before we
were buying much online.
So I was lucky to be in theroom as we were developing the
world's first e-signaturelegislation.
That was around about 2000 thatAustralia passed a technology
neutral e-signature law.
(04:02):
Pki was there.
It was dominated by defencethinking.
It was actually thought to be anational security technology.
So we wound up with a lot ofonerous operational standards.
Some of them are still with ustoday when you look at things
like TDIF.
But more importantly, we hadthis really naive metaphors for
identity.
Back in those days we weretalking about passports and
(04:24):
signatures and all sorts ofstuff.
That is just ways of helpingpeople to think about some new
stuff.
I saw the potential back thento be talking about credentials
and I think it was 2003.
I wrote an article aboutelectronic business cards and
ever since then I've beenconscious of language and
conscious of the mental modelsand conscious of the way that we
(04:44):
think about problems.
So here we are today stilltrying to rethink the problems
of identity.
Speaker 2 (04:52):
It's a fascinating journey.
Steve, and your sentimentsabout the importance of language
and shaping thoughts and how weapproach problems.
That really resonates and I'mkeen to pick up on this thread
later on in the conversation.
But I guess to pivot slightlyas an early innovator and
someone who you know had so manyprescient ideas in digital ID,
(05:12):
I'm curious about how you seethe problem space that this
technology can solve for.
Speaker 3 (05:18):
Thanks, alicia.
It is a bit of a story and Ithink we learned from history.
There's an old I think it's anIndian proverb why are things
the way they are?
And the answer is that they gotthat way.
So we need to look at thehistory and the evolution of
digital identity.
You know, we started, as I said, with these naive metaphors
(05:40):
about a passport.
There was even a product calledPassport and it was thought
that we could have an electronicthing that would allow us to go
from place to place incyberspace and prove who we are
and get on with things.
It turned out to be really hardto have a general purpose proof
of identity.
So we got smarter and I guess,starting about 15 years ago, we
(06:01):
started looking at assertionsand attributes and claims, which
are words that are more or lesssynonymous.
But you know, I boil it down towhat do you need to know about
somebody?
And that varies fromapplication to application.
What else do you need to knowabout the credential?
So it's really important toknow who the issuer is of a
credential, and that's whythere's no universal identity,
(06:23):
because every credential, everyimportant fact, is issued by
somebody else.
So that evolution has got us towhere we are today.
We have a very sophisticatedtechnology, which we'll talk
about verifiable credentials.
It lets you know wherecredentials come from.
It tells you the history of acredential.
It even tells you how acredential has been carried, so
(06:44):
you know.
We need to know the differencebetween smart cards and
passwords.
It seems obvious, but thecryptocurrency people actually
fell into that one.
It took them a long time tounderstand how important
hardware wallets are compared topasswords and hard drives, and
that's why they lost so muchBitcoin in the old days.
So let's sort of recap I thinkwe've got to a place where,
(07:08):
instead of talking aboutidentity, we ask design
questions like what do I need toknow about you, alicia, right
now to be able to transact withyou?
And if we're doing somethingimportant, I don't trust you.
I need to know where yourcredentials have come from.
So you're trying to tell methat you're a cardiologist and
you're going to implant apacemaker.
Well, great, but I need to knowwhere your cardiology
(07:30):
credentials have come from and Ineed to know that the pacemaker
is genuine and I need to knowthat it's been clinically tested
.
So all of that you know.
It's called provenance.
Where does the data come from.
How do you know that it's true?
And that's where we've landed.
I'm excited that you see thesame pattern recurring through
digital credentials, artificialintelligence, iot.
(07:51):
We need to know about IoTdevices, we need to know about
the software, we need to knowtheir history.
So that pattern what do youneed to know about somebody?
Where are you going to get thedata from?
I think it's a super importantpattern and that's where we are.
This is what we call identity.
Now, it's really about data andthe story behind the data.
Speaker 2 (08:14):
I love that, steve, and I think your point around
data provenance and I knowyou've captured it in other
terms before the metadata thatyou speak to I think that's
something that is so fundamentaland oftentimes I find that it's
missing from the conversationaround digital ID, so I'm
grateful that you've drawn thatout here.
(08:34):
You've drawn that out here.
I'm going to shift gears a bitnow.
There is a lot of technicalterminology in digital ID, as
with many areas.
For those who maybe aren'tfamiliar, it would be great if
you could break down the conceptof verifiable credentials,
which I think we're hearing alot more about now and as this
technology perhaps becomes a bitmore, dare I say, mainstream,
(08:58):
it would be great if you couldjust break down what is
verifiable credentials.
How should we understand thatterm?
Speaker 3 (09:03):
Yeah, very cool.
And let's remember to look backat the end of this little story
about mainstreaming verifiablecredentials, because they're
more mainstream than peoplethink already.
So credentials, I think inEnglish we know what a
credential is normally andthere's all sorts of different
credentials.
There's, you know, driver'slicenses and and trade licenses.
(09:24):
So plumber's credentialssomebody comes to my door to fix
the tap and I, you know, wantto know that they have a
credential.
Um, so credential is a wordthat we know and we also know
that credentials come fromissuers.
So university credential, you,you know it's almost like the
brand of the credential, theprestige or the reputation of
the university matters.
(09:44):
So we know all that withcredentials.
Driver's licences can only comefrom a driver's licence issuer.
Other credentials can come frommultiple sources.
You know there's differentsources of trade qualifications
et cetera.
So we kind of know all of that.
Now we're going to throw incryptography and call it a
verifiable credential.
Now, all we mean by that is isthere like a mathematical trick
(10:07):
to bake in the brand of thecredential?
So how do you know who issuedit for sure?
So that's what the verifiablepart is.
It's done.
This is the only technicalthing I'm going to say it's done
with digital signatures andthose need keys.
The best digital signaturescome out of hardware and you
know in banks we know that ATMsand EMV chip cards, chip and PIN
(10:31):
cards these things are allbased on standards-based
hardware with cryptography andkeys and certification and
standards.
So all of that stuff is wellknown in banking.
The same principles apply inthis thing called verifiable
credentials.
We want digital signaturescreated with cryptographic keys.
You want those signatures to bereliable.
You want them to come fromhardware, ideally.
(10:54):
Now there's an extra twist tothis.
The verifiable credential issigned by the issuer, so it's
like a brand or a stamp.
But every time I have averifiable credential I'm
carrying it in my smartphone,for example.
Every time I present it, I wantthe verification of the
presentation as well, so that ifthe credential is stolen or
copied and counterfeited intosome other sort of format, you
(11:19):
want to make sure that it'suseless if it falls into the
wrong hands.
So there's another key and it'sin my smart card or my
smartphone and when I present averifiable credential then it's
signed again.
It's countersigned by theholder.
So that's as complicated as itgets.
Now I was going to come backand talk about how sort of
(11:39):
mundane some of this technologyis.
We've actually had a type ofverifiable credential almost all
of us for over 30 years, andit's called a SIM card.
So a SIM card is a chip in yourphone and it's digitally signed
by the telephone company Telstraor Optus, and it's a signed
(11:59):
assertion of the fact that youare a telephone customer of that
company.
Every time you pick up yourphone and dial a number at the
start of the call, the SIM cardsigns the start of the call.
It signs a message to thenetwork that says hey, this is
the telephone number 1234.
It's been signed by Telstra andthe start of this call is
(12:20):
timestamped and it sends thismessage into the network.
The network might be in Japanor anywhere in the world.
The destination network picksup that signed message.
It knows that the origin of thecall is genuine.
It knows which origin networkis involved.
It's got all of the data thatit needs and the metadata to
(12:43):
create a bill.
It's as simple as that.
Worldwide roaming and worldwidebilling depends on the SIM
cards sending little signedmessages at the start of every
call, sufficient to create billsand sufficient to know where
the calls come from.
So a verifiable credential.
It's a very special purpose.
(13:03):
It only does one thing itstarts phone calls.
But that idea that you've got achip and you control the chip
and you unlock the chip in yoursmartphone and you use the
cryptography to send a message,that's all there is to it, and
we've been doing this for yearsand years and years.
What's happened recently isthat this technology is becoming
more widespread.
(13:23):
It's becoming open sourced,it's becoming available to
different applications so thatwe can, instead of just
verifying our phone number, wecan verify all sorts of other
things.
Speaker 2 (13:35):
I love the way you broke that concept down, steve,
in such a clear way and reallydemystified it the fact that we
have this in our phones, we'vebeen using this for such a long
time and these credentials, asyou say, they're limited to the
use cases that they're relevantto.
So I think that ability toselectively share is something
(13:55):
which is so powerful, really,from a privacy and data
minimisation perspective,something which I think if more
people were aware of, they wouldall be great champions of
digital ID.
And then the way in which theseverifiable credentials are
tamper-resistant that'ssomething that relying parties
really need right to be able totrust the legitimacy of those.
Speaker 3 (14:20):
Exactly.
You know the problems that weface with the vulnerability of
data when it's breached andpeople can know secrets about me
.
They shouldn't be secrets.
My driver's licence, mypassport, my Medicare number
these should not have to besecret.
But we are vulnerable when theyfall into the wrong hands
because they can be used behindour back.
But that idea of a SIM card anda verifiable credential all
(14:44):
we're doing is taking thoseprinciples and making them more
widely available now, so thatdriver's licenses and Medicare
numbers and when we presentthose things online, when we put
them into forms, the relyingparty can be sure that the data
is original and it hasn't beenstolen and it's been presented
by the person who controls it.
Speaker 2 (15:05):
So I just want to pick up on what we were talking
about earlier around theimportance of language in
framing the problem space.
You've been fairly vocal aboutthe need to take identity out of
the picture when we're talkingabout digital ID, and you've
been an advocate for nuance inlanguage.
Why do you think this is soimportant?
Speaker 3 (15:25):
It's really great to see organisations like NAB.
You know the roundtable thatyou referenced before last year
and this year those roundtableevents have really been
concentrating on the meaning ofwords and language and making
sure that it's clear, so that'sgreat to see.
There is a lot of nuance here,but I'm a bit famous for being
non-nuanced.
I've written blogs in the pastthat says forget identity or
(15:47):
identity is dead, and you know Ihave a turn of phrase that
tries to catch some attentionsometime.
The thing I'm trying to attendto is this problem of what are
you trying to solve?
For what do you really need toknow about somebody?
And when you put it out likethat, we all know intuitively
that the less you know about methe better.
(16:08):
I want to identify myself aslittle as possible as a customer
to you, the bank, and usuallyyou know once I've done KYC.
All you need to know about meis an account number or if I'm
shopping and using a bank creditcard, all the merchant needs to
know is the bank issued creditcard number.
So we want to take identity outof it.
(16:30):
We know that Technically it'scalled data minimization or
disclosure minimization orpurpose specification.
The privacy law has got allsorts of words for it.
It all boils down tominimisation or disclosure,
minimisation or purposespecification.
You know the privacy law hasgot all sorts of words for it.
It all boils down to the needto know principle.
What do you really need to knowabout me?
And it's almost never myidentity.
That came clear in the firstroundtable that we did at NAB.
(16:50):
So if you don't need to know myidentity, we shouldn't be
calling this thing digitalidentity.
It's as simple as that.
Speaker 2 (17:02):
That makes a lot of sense to me.
Now.
We've spoken a lot about thefact that many of these concepts
like verifiable credentialshave been around for a long time
, and you've been in digital IDfor over three decades.
Why do you think it remainssuch a hard nut to crack in many
places?
If you do agree with thathypothesis, and what have you
(17:25):
maybe seen change in more recenttimes which might give you some
hope that we are in fact makingsome progress here?
Speaker 3 (17:34):
It is a hard problem, alicia.
There's no backing away fromthat.
It's famously that, empirically, it's the hardest corner of
cyberspace, that we've beentalking about this for 30 years
and meanwhile cyber technology,and security in particular, goes
ahead in leaps and bounds whilewe're still talking about
identity.
So I think that we've made ithard for ourselves by using bad
(17:55):
metaphors.
There's no, getting around it,it's not identity ourselves by
using bad metaphors.
There's no getting around it.
It's not identity.
We need to know things aboutpeople and if it's not identity,
then let's call it what it is.
It's usually credentials, it'susually like specific facts and
figures, maybe like just anaccount number.
Like I said, I think that weneed to acknowledge and always
(18:18):
have in mind that it's not justthe data, but the metadata, the
issuer, all of the other details, the secondary details around
the data, and if we always framethe question around that, then
I think that things become a lotclearer.
So we are making progress.
We've got white labelverifiable credentials.
They're just data structuresthat can be loaded onto wallets
(18:38):
and smartphones and they can becustomized.
And the really cool progress isthat now that we've got new
standards you know the WorldWide Web Consortium, the W3C,
the mobile driver's licensestandardization using this
technology specifically fordriver's licensing, but also
broadening it to what they callMDocs mobile documents.
So that's another standard.
(19:00):
The standards are nice and firm.
Now, correspondingly, we'reseeing white label services, so
you can get verifiablecredentials customized to an
enterprise's need and thenissued in bulk from a cloud
service, and I think that that'sa really powerful business
model that's emerging and thatwill commoditise this thing
called verifiable credentials.
(19:21):
Enterprises will be able toconvert employee IDs,
universities will be able toconvert student IDs.
Banks, of course, will be ableto convert credit cards and
other banking instruments intoverifiable credentials, load
them onto wallets, digitalwallets and have people present
exactly what people need to knowwhen they go about their
(19:43):
business online.
Speaker 2 (19:44):
That's fantastic and it's great to hear about these
advancements.
Speaker 3 (19:49):
Yeah, it's good to be in the middle of all of this
and to see in many ways some oldbusiness models are now being
more thoroughly digitized,creating verifiable credentials
in the first place, with thehardware and the cryptography.
This is specialised stuff andyou can do it at home.
You can roll your own.
You can get open sourcesoftware.
We've seen that movie before.
We used to do PIC AI in theenterprise and then there were
(20:13):
PIC AI cloud services.
You can do your own magneticstripe photo IDs if you like,
and big businesses used to dothat.
You know a new employee wouldgo up to HR and sit down with
their hair nice and neat andtidy and get a photo taken and a
photo ID with a barcode,whatever you know, all of that
stuff would arrive in your inboxand then you'd flash it every
(20:35):
time you go to work.
Well, it's the digitalequivalent of that now, and
there's a business model where,instead of taking photos and
producing plastic cards in theoffice, then you outsource that
to a verifiable, credentialcloud service.
So it's really cool seeing thisstuff come to fruition in a way
that replicates the good stuffof the old business models.
(20:58):
It conserves so much of the waythat we deal with people.
It conserves the meaning of acredential, but it allows you to
digitise it and keep itscontext when you take it around
online.
It's fantastic.
Speaker 2 (21:10):
Okay, steve, as a final question, casting your
gaze to the future, are thereany sort of developments in
digital ID?
You've alluded to a few, orperhaps some trends you're
seeing overseas that you'reexcited about or that you think
could be really game-changing.
Speaker 3 (21:26):
Well, the amazing game-changer is happening at
home, and I want to talk aboutthe digital ID bill, the
Commonwealth Bill.
It's actually now nearly an Actof Parliament, isn't it it?
certainly passed its legislativehurdles last week.
So digital ID it's a simplerconcept.
They're making it smaller.
(21:47):
I think that digital ID shouldbe as small as possible.
You know, the IDs that we haveare just database indexes.
My Medicare number is just anindex into a database.
We should conserve that.
We should conserve the meaningof employee numbers and driver's
licenses and credit cards andall of those different numbers.
That's what the digital ID billdoes.
(22:08):
The Australian Federal DigitalID Bill recognises that we have
IDs in real life and we shouldbe able to govern the digital
format of IDs in a much moresecure way.
So it's a response to the famousdata breaches in the last two
years, where stolen data justgets reused.
And you know why?
It's because we have thisridiculous pattern of using
(22:31):
plain text data, plain textidentifiers.
My driver's license I don'tknow, it's six numbers and two
letters.
I won't tell you what that is,but it's imprinted in my brain
and I hate having to change itand I just use it as plain text.
And even worse, people acceptit as plain text.
Businesses ask me my driver'slicense number as proof of
(22:53):
identity.
It doesn't prove anything.
It's just what geeks call ashared secret.
And after a data breach.
It's not secret anymore, butour only response to plain text
data breaches is to change theplain text and reissue
everybody's driver's licenses.
We have to stop that pattern.
It's ridiculous.
Now, 15 years ago, the banks didstop that pattern.
(23:16):
The banks went from plain textcredit cards, magnetic stripes
of plain text credit cards, andthey went to chip.
And the chip is anotherverifiable credential.
So the credit card number in achip card is signed by the bank
and every time I dip the card ata merchant terminal it's signed
again.
It's countersigned by my chip.
(23:36):
So that's the pattern that weneed.
We need to get away from plaintext to verifiable IDs, and
that's exactly what thegovernment has done.
I think that that's the gamechanger.
So it paints the way forward.
It actually shows sorry to getso excited about governance
(24:03):
shows sorry to get so excitedabout governance, but it shows
how you can govern IDs as aspecial form of data.
The government, in its wisdom,is giving the ACCC the power of
the digital ID regulator and theACCC say what you like about
CDR.
It's far from perfect, but it'sa good model.
It's a good first start.
I'm talking about the consumerdata right, the data sharing
regulatory regime.
It's got lots of teethingproblems, but the regulatory
(24:26):
model is in the right place andit's reproducible.
And the things that we're doingto protect data sharing are now
going to be done to protect IDpresentation, and I think that
that's game changing.
I think that it's turning outto be done to protect ID
presentation and I think thatthat's game changing.
I think that it's turning outto be world's best practice.
So if we can have a uniformapproach to data and metadata
(24:47):
like what do you need to knowabout me and how are you going
to know that it's true, if wecan govern that, then we're
going to do something that'smuch bigger and much more
important than identity andwe're going to look at the
quality of all data, becausethis pattern replicates in AI.
The wicked problems that we haveat the moment with deepfakes
boil down to you don't knowwhere the data's come from.
(25:08):
Now, if we could have agovernance regime where
important data so an image or anarticle, any piece of content
from an author and a publisherif you could be sure about where
that stuff has really come from, if you could be sure about its
provenance and if you could besure that authors and publishers
and AI algorithms are allanchored, rooted in a hardware,
(25:31):
verifiable credential, then youcould be sure where the data has
come from, you could be surethat it's intact and that it's
genuine.
And that's where we're heading.
We're heading towards agovernance regime for all
important data, so that we knowwhere data has come from, we
know what it was intended to beused for and we know that it's
always been in the right hands,so that, I mean, that's the game
(25:53):
changer and that's what we'resort of.
We're prototyping that inAustralia the governance regime
for digital ID and the work thatis happening through, like the
Nairb roundtable, flushing outuse cases and working out what
do you need to know about people.
That is a game changer.
Speaker 2 (26:11):
That's so exciting and I think a lot of what you've
said I totally agree with you.
I think it is exciting inAustralia, both the digital ID
bill going through the Senateand soon to be passed, hopefully
, and also what we're doing withthe consumer data right.
It really is world leading andfrom a privacy perspective I
feel like it is best practiceand a gold standard the way in
(26:33):
which individuals can sharetheir data for their own benefit
.
So I think that really isfantastic, that we're leading
the way on both of those fronts.
So absolutely echo all of that.
Steve, thank you so much.
I feel like we could easilyspend the whole day chatting
about this topic, because thereis so much to dig into.
We are going to have to wrap itup here.
(26:54):
I'm going to attempt tosummarise a few of the themes
that stood out to me there wereso many, I think.
Firstly, the importance oflanguage and how we label the
problem space, and then how thatimpacts the design of the
solution For digital ID.
You've talked about the factthat in most cases, we're not
(27:14):
interested in identity, hencethe move away from that
labelling, and you've given us areally important call to action
to start with the question ofwhat do you really need to know,
and I think that's so powerful.
I really love that youreference these fundamental
concepts of provenance, dataquality and knowing about the
(27:35):
lineage of that data, becauseoften I think that's either
forgotten from this discussionaround digital ID and, as you
say, it's going to be sorelevant in other contexts in AI
and where is this data from?
So I think that's reallyimportant.
And finally, we heard about theneed to move away from plain
text data and instead use thisreally amazing technology of
(27:58):
verifiable credentials, whichwe've had in many instances, but
now it's becoming moreubiquitous and accessible to
companies and individuals.
Steve, thank you so much foragain so generously sharing your
time and your knowledge andinsights.
It's been such a pleasurespeaking with you For our
listeners.
You can read more about Steve'swork on his website,
(28:21):
lockstepcomau, and Steve and hisco-founder, george Peabody,
have an excellent podcastthemselves called Making Data
Better, and you'll soon bechatting to one of our
colleagues, olaf Gru, which willbe a fantastic conversation.
We'll also make sure we leave alink in the show notes to the
website and podcast so listenerscan check it out.
Thanks everyone for listeningto Navdigital Next and stay
(28:43):
tuned for more episodes to come.
Welcome to Making Data Better, a podcast about
data quality and the impact ithas on how we protect, manage
and use the digital datacritical to our lives.
I'm George Peabody, partner atLuckstep Consulting, and I'm
here to plug and play a recentepisode of the NABD Digital Next
podcast with host AliciaAbratney and my partner at
Lockstep, steve Wilson.
(00:32):
If you want to understand howto untangle the knots we've tied
around identity, take a listen.
Important questions and Steveprovides really crisp answers
and explanations on theevolution of digital identity,
verifiable credentials andincludes some commentary on
Australia's digital IDlegislation.
(00:53):
So let's get to the NAB DigitalNext podcast.
Speaker 2 (01:01):
Hi, I'm Alicia Aberatney and welcome to NAB
Digital Next.
Today, we have the privilege ofbeing joined by Steve Wilson, a
true pioneer in the field ofdigital ID.
Steve is a leadinginternational authority on
digital ID, cyber security anddata protection, with over 35
years experience as an innovator, researcher and advisor, and
has been doing digital ID sincewell before.
(01:22):
It was cool.
Steve holds six patents, threeof which are in public key
security.
Steve is a co-founder ofLockstep Consulting and advises
governments globally, including,most recently, helping to
develop a mobile credentialswallet for the US Department of
Homeland Security and advisingthe New South Wales government
on their leading digitaldriver's license initiative.
(01:43):
In 2018, steve was described asone of the most original
thinkers in digital identity inthe world today, something which
certainly continues to ringtrue.
I first had the great pleasureof meeting Steve at a roundtable
NAB hosted on Digital ID lastyear, where he generously shared
so many gold nuggets and wisdom, which we can get into later in
the episode.
(02:04):
But without further ado,welcome Steve.
Thanks so much for being on NABDigital Next.
Speaker 3 (02:09):
Oh, what a pleasure, Alicia.
It's great to be here.
Thanks for having me.
Speaker 2 (02:13):
Thanks, Steve.
So one thing that reallyinterests me about digital ID
and this field is the diversityof journeys to working in this
area.
Before we dive in, it'd begreat if you could share what
was your on-ramp to digital IDand what drew you to dedicate
much of your career to workingin this arena.
Speaker 3 (02:31):
Oh, wow, thanks for setting this up so nicely.
So everybody's got a differentbackground, for sure.
Some of us come from like hardengineering, so my start was
software engineering.
I worked for a pioneeringmedical company in Australia
developing software forpacemakers.
So you know very highreliability, what we call
(02:54):
tightly constrained, like notvery powerful computers and not
much memory to play with.
So I learned the art of qualityand hard engineering, which
were skills that kept comingback as we get into security.
But then I flipped accidentally.
I needed to change jobs and Ipicked up a job running software
(03:17):
development for a startupcompany in Australia.
It went on to become BaltimoreTechnologies, which was a famous
PKI and smart card companypublic key infrastructure.
So I was there at the dawn ofe-commerce.
This is 1995.
And Australia was leading inthe area, leading in PKI.
We were part of the APEC TEL,the Asia Pacific Economic
(03:41):
Corporation, working one-signatures and
e-authentication and some prettyweird stuff, even before we
were buying much online.
So I was lucky to be in theroom as we were developing the
world's first e-signaturelegislation.
That was around about 2000 thatAustralia passed a technology
neutral e-signature law.
(04:02):
Pki was there.
It was dominated by defencethinking.
It was actually thought to be anational security technology.
So we wound up with a lot ofonerous operational standards.
Some of them are still with ustoday when you look at things
like TDIF.
But more importantly, we hadthis really naive metaphors for
identity.
Back in those days we weretalking about passports and
(04:24):
signatures and all sorts ofstuff.
That is just ways of helpingpeople to think about some new
stuff.
I saw the potential back thento be talking about credentials
and I think it was 2003.
I wrote an article aboutelectronic business cards and
ever since then I've beenconscious of language and
conscious of the mental modelsand conscious of the way that we
(04:44):
think about problems.
So here we are today stilltrying to rethink the problems
of identity.
Speaker 2 (04:52):
It's a fascinating journey.
Steve, and your sentimentsabout the importance of language
and shaping thoughts and how weapproach problems.
That really resonates and I'mkeen to pick up on this thread
later on in the conversation.
But I guess to pivot slightlyas an early innovator and
someone who you know had so manyprescient ideas in digital ID,
(05:12):
I'm curious about how you seethe problem space that this
technology can solve for.
Speaker 3 (05:18):
Thanks, alicia.
It is a bit of a story and Ithink we learned from history.
There's an old I think it's anIndian proverb why are things
the way they are?
And the answer is that they gotthat way.
So we need to look at thehistory and the evolution of
digital identity.
You know, we started, as I said, with these naive metaphors
(05:40):
about a passport.
There was even a product calledPassport and it was thought
that we could have an electronicthing that would allow us to go
from place to place incyberspace and prove who we are
and get on with things.
It turned out to be really hardto have a general purpose proof
of identity.
So we got smarter and I guess,starting about 15 years ago, we
(06:01):
started looking at assertionsand attributes and claims, which
are words that are more or lesssynonymous.
But you know, I boil it down towhat do you need to know about
somebody?
And that varies fromapplication to application.
What else do you need to knowabout the credential?
So it's really important toknow who the issuer is of a
credential, and that's whythere's no universal identity,
(06:23):
because every credential, everyimportant fact, is issued by
somebody else.
So that evolution has got us towhere we are today.
We have a very sophisticatedtechnology, which we'll talk
about verifiable credentials.
It lets you know wherecredentials come from.
It tells you the history of acredential.
It even tells you how acredential has been carried, so
(06:44):
you know.
We need to know the differencebetween smart cards and
passwords.
It seems obvious, but thecryptocurrency people actually
fell into that one.
It took them a long time tounderstand how important
hardware wallets are compared topasswords and hard drives, and
that's why they lost so muchBitcoin in the old days.
So let's sort of recap I thinkwe've got to a place where,
(07:08):
instead of talking aboutidentity, we ask design
questions like what do I need toknow about you, alicia, right
now to be able to transact withyou?
And if we're doing somethingimportant, I don't trust you.
I need to know where yourcredentials have come from.
So you're trying to tell methat you're a cardiologist and
you're going to implant apacemaker.
Well, great, but I need to knowwhere your cardiology
(07:30):
credentials have come from and Ineed to know that the pacemaker
is genuine and I need to knowthat it's been clinically tested
.
So all of that you know.
It's called provenance.
Where does the data come from.
How do you know that it's true?
And that's where we've landed.
I'm excited that you see thesame pattern recurring through
digital credentials, artificialintelligence, iot.
(07:51):
We need to know about IoTdevices, we need to know about
the software, we need to knowtheir history.
So that pattern what do youneed to know about somebody?
Where are you going to get thedata from?
I think it's a super importantpattern and that's where we are.
This is what we call identity.
Now, it's really about data andthe story behind the data.
Speaker 2 (08:14):
I love that, steve, and I think your point around
data provenance and I knowyou've captured it in other
terms before the metadata thatyou speak to I think that's
something that is so fundamentaland oftentimes I find that it's
missing from the conversationaround digital ID, so I'm
grateful that you've drawn thatout here.
(08:34):
You've drawn that out here.
I'm going to shift gears a bitnow.
There is a lot of technicalterminology in digital ID, as
with many areas.
For those who maybe aren'tfamiliar, it would be great if
you could break down the conceptof verifiable credentials,
which I think we're hearing alot more about now and as this
technology perhaps becomes a bitmore, dare I say, mainstream,
(08:58):
it would be great if you couldjust break down what is
verifiable credentials.
How should we understand thatterm?
Speaker 3 (09:03):
Yeah, very cool.
And let's remember to look backat the end of this little story
about mainstreaming verifiablecredentials, because they're
more mainstream than peoplethink already.
So credentials, I think inEnglish we know what a
credential is normally andthere's all sorts of different
credentials.
There's, you know, driver'slicenses and and trade licenses.
(09:24):
So plumber's credentialssomebody comes to my door to fix
the tap and I, you know, wantto know that they have a
credential.
Um, so credential is a wordthat we know and we also know
that credentials come fromissuers.
So university credential, you,you know it's almost like the
brand of the credential, theprestige or the reputation of
the university matters.
(09:44):
So we know all that withcredentials.
Driver's licences can only comefrom a driver's licence issuer.
Other credentials can come frommultiple sources.
You know there's differentsources of trade qualifications
et cetera.
So we kind of know all of that.
Now we're going to throw incryptography and call it a
verifiable credential.
Now, all we mean by that is isthere like a mathematical trick
(10:07):
to bake in the brand of thecredential?
So how do you know who issuedit for sure?
So that's what the verifiablepart is.
It's done.
This is the only technicalthing I'm going to say it's done
with digital signatures andthose need keys.
The best digital signaturescome out of hardware and you
know in banks we know that ATMsand EMV chip cards, chip and PIN
(10:31):
cards these things are allbased on standards-based
hardware with cryptography andkeys and certification and
standards.
So all of that stuff is wellknown in banking.
The same principles apply inthis thing called verifiable
credentials.
We want digital signaturescreated with cryptographic keys.
You want those signatures to bereliable.
You want them to come fromhardware, ideally.
(10:54):
Now there's an extra twist tothis.
The verifiable credential issigned by the issuer, so it's
like a brand or a stamp.
But every time I have averifiable credential I'm
carrying it in my smartphone,for example.
Every time I present it, I wantthe verification of the
presentation as well, so that ifthe credential is stolen or
copied and counterfeited intosome other sort of format, you
(11:19):
want to make sure that it'suseless if it falls into the
wrong hands.
So there's another key and it'sin my smart card or my
smartphone and when I present averifiable credential then it's
signed again.
It's countersigned by theholder.
So that's as complicated as itgets.
Now I was going to come backand talk about how sort of
(11:39):
mundane some of this technologyis.
We've actually had a type ofverifiable credential almost all
of us for over 30 years, andit's called a SIM card.
So a SIM card is a chip in yourphone and it's digitally signed
by the telephone company Telstraor Optus, and it's a signed
(11:59):
assertion of the fact that youare a telephone customer of that
company.
Every time you pick up yourphone and dial a number at the
start of the call, the SIM cardsigns the start of the call.
It signs a message to thenetwork that says hey, this is
the telephone number 1234.
It's been signed by Telstra andthe start of this call is
(12:20):
timestamped and it sends thismessage into the network.
The network might be in Japanor anywhere in the world.
The destination network picksup that signed message.
It knows that the origin of thecall is genuine.
It knows which origin networkis involved.
It's got all of the data thatit needs and the metadata to
(12:43):
create a bill.
It's as simple as that.
Worldwide roaming and worldwidebilling depends on the SIM
cards sending little signedmessages at the start of every
call, sufficient to create billsand sufficient to know where
the calls come from.
So a verifiable credential.
It's a very special purpose.
(13:03):
It only does one thing itstarts phone calls.
But that idea that you've got achip and you control the chip
and you unlock the chip in yoursmartphone and you use the
cryptography to send a message,that's all there is to it, and
we've been doing this for yearsand years and years.
What's happened recently isthat this technology is becoming
more widespread.
(13:23):
It's becoming open sourced,it's becoming available to
different applications so thatwe can, instead of just
verifying our phone number, wecan verify all sorts of other
things.
Speaker 2 (13:35):
I love the way you broke that concept down, steve,
in such a clear way and reallydemystified it the fact that we
have this in our phones, we'vebeen using this for such a long
time and these credentials, asyou say, they're limited to the
use cases that they're relevantto.
So I think that ability toselectively share is something
(13:55):
which is so powerful, really,from a privacy and data
minimisation perspective,something which I think if more
people were aware of, they wouldall be great champions of
digital ID.
And then the way in which theseverifiable credentials are
tamper-resistant that'ssomething that relying parties
really need right to be able totrust the legitimacy of those.
Speaker 3 (14:20):
Exactly.
You know the problems that weface with the vulnerability of
data when it's breached andpeople can know secrets about me
.
They shouldn't be secrets.
My driver's licence, mypassport, my Medicare number
these should not have to besecret.
But we are vulnerable when theyfall into the wrong hands
because they can be used behindour back.
But that idea of a SIM card anda verifiable credential all
(14:44):
we're doing is taking thoseprinciples and making them more
widely available now, so thatdriver's licenses and Medicare
numbers and when we presentthose things online, when we put
them into forms, the relyingparty can be sure that the data
is original and it hasn't beenstolen and it's been presented
by the person who controls it.
Speaker 2 (15:05):
So I just want to pick up on what we were talking
about earlier around theimportance of language in
framing the problem space.
You've been fairly vocal aboutthe need to take identity out of
the picture when we're talkingabout digital ID, and you've
been an advocate for nuance inlanguage.
Why do you think this is soimportant?
Speaker 3 (15:25):
It's really great to see organisations like NAB.
You know the roundtable thatyou referenced before last year
and this year those roundtableevents have really been
concentrating on the meaning ofwords and language and making
sure that it's clear, so that'sgreat to see.
There is a lot of nuance here,but I'm a bit famous for being
non-nuanced.
I've written blogs in the pastthat says forget identity or
(15:47):
identity is dead, and you know Ihave a turn of phrase that
tries to catch some attentionsometime.
The thing I'm trying to attendto is this problem of what are
you trying to solve?
For what do you really need toknow about somebody?
And when you put it out likethat, we all know intuitively
that the less you know about methe better.
(16:08):
I want to identify myself aslittle as possible as a customer
to you, the bank, and usuallyyou know once I've done KYC.
All you need to know about meis an account number or if I'm
shopping and using a bank creditcard, all the merchant needs to
know is the bank issued creditcard number.
So we want to take identity outof it.
(16:30):
We know that Technically it'scalled data minimization or
disclosure minimization orpurpose specification.
The privacy law has got allsorts of words for it.
It all boils down tominimisation or disclosure,
minimisation or purposespecification.
You know the privacy law hasgot all sorts of words for it.
It all boils down to the needto know principle.
What do you really need to knowabout me?
And it's almost never myidentity.
That came clear in the firstroundtable that we did at NAB.
(16:50):
So if you don't need to know myidentity, we shouldn't be
calling this thing digitalidentity.
It's as simple as that.
Speaker 2 (17:02):
That makes a lot of sense to me.
Now.
We've spoken a lot about thefact that many of these concepts
like verifiable credentialshave been around for a long time
, and you've been in digital IDfor over three decades.
Why do you think it remainssuch a hard nut to crack in many
places?
If you do agree with thathypothesis, and what have you
(17:25):
maybe seen change in more recenttimes which might give you some
hope that we are in fact makingsome progress here?
Speaker 3 (17:34):
It is a hard problem, alicia.
There's no backing away fromthat.
It's famously that, empirically, it's the hardest corner of
cyberspace, that we've beentalking about this for 30 years
and meanwhile cyber technology,and security in particular, goes
ahead in leaps and bounds whilewe're still talking about
identity.
So I think that we've made ithard for ourselves by using bad
(17:55):
metaphors.
There's no, getting around it,it's not identity ourselves by
using bad metaphors.
There's no getting around it.
It's not identity.
We need to know things aboutpeople and if it's not identity,
then let's call it what it is.
It's usually credentials, it'susually like specific facts and
figures, maybe like just anaccount number.
Like I said, I think that weneed to acknowledge and always
(18:18):
have in mind that it's not justthe data, but the metadata, the
issuer, all of the other details, the secondary details around
the data, and if we always framethe question around that, then
I think that things become a lotclearer.
So we are making progress.
We've got white labelverifiable credentials.
They're just data structuresthat can be loaded onto wallets
(18:38):
and smartphones and they can becustomized.
And the really cool progress isthat now that we've got new
standards you know the WorldWide Web Consortium, the W3C,
the mobile driver's licensestandardization using this
technology specifically fordriver's licensing, but also
broadening it to what they callMDocs mobile documents.
So that's another standard.
(19:00):
The standards are nice and firm.
Now, correspondingly, we'reseeing white label services, so
you can get verifiablecredentials customized to an
enterprise's need and thenissued in bulk from a cloud
service, and I think that that'sa really powerful business
model that's emerging and thatwill commoditise this thing
called verifiable credentials.
(19:21):
Enterprises will be able toconvert employee IDs,
universities will be able toconvert student IDs.
Banks, of course, will be ableto convert credit cards and
other banking instruments intoverifiable credentials, load
them onto wallets, digitalwallets and have people present
exactly what people need to knowwhen they go about their
(19:43):
business online.
Speaker 2 (19:44):
That's fantastic and it's great to hear about these
advancements.
Speaker 3 (19:49):
Yeah, it's good to be in the middle of all of this
and to see in many ways some oldbusiness models are now being
more thoroughly digitized,creating verifiable credentials
in the first place, with thehardware and the cryptography.
This is specialised stuff andyou can do it at home.
You can roll your own.
You can get open sourcesoftware.
We've seen that movie before.
We used to do PIC AI in theenterprise and then there were
(20:13):
PIC AI cloud services.
You can do your own magneticstripe photo IDs if you like,
and big businesses used to dothat.
You know a new employee wouldgo up to HR and sit down with
their hair nice and neat andtidy and get a photo taken and a
photo ID with a barcode,whatever you know, all of that
stuff would arrive in your inboxand then you'd flash it every
(20:35):
time you go to work.
Well, it's the digitalequivalent of that now, and
there's a business model where,instead of taking photos and
producing plastic cards in theoffice, then you outsource that
to a verifiable, credentialcloud service.
So it's really cool seeing thisstuff come to fruition in a way
that replicates the good stuffof the old business models.
(20:58):
It conserves so much of the waythat we deal with people.
It conserves the meaning of acredential, but it allows you to
digitise it and keep itscontext when you take it around
online.
It's fantastic.
Speaker 2 (21:10):
Okay, steve, as a final question, casting your
gaze to the future, are thereany sort of developments in
digital ID?
You've alluded to a few, orperhaps some trends you're
seeing overseas that you'reexcited about or that you think
could be really game-changing.
Speaker 3 (21:26):
Well, the amazing game-changer is happening at
home, and I want to talk aboutthe digital ID bill, the
Commonwealth Bill.
It's actually now nearly an Actof Parliament, isn't it it?
certainly passed its legislativehurdles last week.
So digital ID it's a simplerconcept.
They're making it smaller.
(21:47):
I think that digital ID shouldbe as small as possible.
You know, the IDs that we haveare just database indexes.
My Medicare number is just anindex into a database.
We should conserve that.
We should conserve the meaningof employee numbers and driver's
licenses and credit cards andall of those different numbers.
That's what the digital ID billdoes.
(22:08):
The Australian Federal DigitalID Bill recognises that we have
IDs in real life and we shouldbe able to govern the digital
format of IDs in a much moresecure way.
So it's a response to the famousdata breaches in the last two
years, where stolen data justgets reused.
And you know why?
It's because we have thisridiculous pattern of using
(22:31):
plain text data, plain textidentifiers.
My driver's license I don'tknow, it's six numbers and two
letters.
I won't tell you what that is,but it's imprinted in my brain
and I hate having to change itand I just use it as plain text.
And even worse, people acceptit as plain text.
Businesses ask me my driver'slicense number as proof of
(22:53):
identity.
It doesn't prove anything.
It's just what geeks call ashared secret.
And after a data breach.
It's not secret anymore, butour only response to plain text
data breaches is to change theplain text and reissue
everybody's driver's licenses.
We have to stop that pattern.
It's ridiculous.
Now, 15 years ago, the banks didstop that pattern.
(23:16):
The banks went from plain textcredit cards, magnetic stripes
of plain text credit cards, andthey went to chip.
And the chip is anotherverifiable credential.
So the credit card number in achip card is signed by the bank
and every time I dip the card ata merchant terminal it's signed
again.
It's countersigned by my chip.
(23:36):
So that's the pattern that weneed.
We need to get away from plaintext to verifiable IDs, and
that's exactly what thegovernment has done.
I think that that's the gamechanger.
So it paints the way forward.
It actually shows sorry to getso excited about governance
(24:03):
shows sorry to get so excitedabout governance, but it shows
how you can govern IDs as aspecial form of data.
The government, in its wisdom,is giving the ACCC the power of
the digital ID regulator and theACCC say what you like about
CDR.
It's far from perfect, but it'sa good model.
It's a good first start.
I'm talking about the consumerdata right, the data sharing
regulatory regime.
It's got lots of teethingproblems, but the regulatory
(24:26):
model is in the right place andit's reproducible.
And the things that we're doingto protect data sharing are now
going to be done to protect IDpresentation, and I think that
that's game changing.
I think that it's turning outto be done to protect ID
presentation and I think thatthat's game changing.
I think that it's turning outto be world's best practice.
So if we can have a uniformapproach to data and metadata
(24:47):
like what do you need to knowabout me and how are you going
to know that it's true, if wecan govern that, then we're
going to do something that'smuch bigger and much more
important than identity andwe're going to look at the
quality of all data, becausethis pattern replicates in AI.
The wicked problems that we haveat the moment with deepfakes
boil down to you don't knowwhere the data's come from.
(25:08):
Now, if we could have agovernance regime where
important data so an image or anarticle, any piece of content
from an author and a publisherif you could be sure about where
that stuff has really come from, if you could be sure about its
provenance and if you could besure that authors and publishers
and AI algorithms are allanchored, rooted in a hardware,
(25:31):
verifiable credential, then youcould be sure where the data has
come from, you could be surethat it's intact and that it's
genuine.
And that's where we're heading.
We're heading towards agovernance regime for all
important data, so that we knowwhere data has come from, we
know what it was intended to beused for and we know that it's
always been in the right hands,so that, I mean, that's the game
(25:53):
changer and that's what we'resort of.
We're prototyping that inAustralia the governance regime
for digital ID and the work thatis happening through, like the
Nairb roundtable, flushing outuse cases and working out what
do you need to know about people.
That is a game changer.
Speaker 2 (26:11):
That's so exciting and I think a lot of what you've
said I totally agree with you.
I think it is exciting inAustralia, both the digital ID
bill going through the Senateand soon to be passed, hopefully
, and also what we're doing withthe consumer data right.
It really is world leading andfrom a privacy perspective I
feel like it is best practiceand a gold standard the way in
(26:33):
which individuals can sharetheir data for their own benefit
.
So I think that really isfantastic, that we're leading
the way on both of those fronts.
So absolutely echo all of that.
Steve, thank you so much.
I feel like we could easilyspend the whole day chatting
about this topic, because thereis so much to dig into.
We are going to have to wrap itup here.
(26:54):
I'm going to attempt tosummarise a few of the themes
that stood out to me there wereso many, I think.
Firstly, the importance oflanguage and how we label the
problem space, and then how thatimpacts the design of the
solution For digital ID.
You've talked about the factthat in most cases, we're not
(27:14):
interested in identity, hencethe move away from that
labelling, and you've given us areally important call to action
to start with the question ofwhat do you really need to know,
and I think that's so powerful.
I really love that youreference these fundamental
concepts of provenance, dataquality and knowing about the
(27:35):
lineage of that data, becauseoften I think that's either
forgotten from this discussionaround digital ID and, as you
say, it's going to be sorelevant in other contexts in AI
and where is this data from?
So I think that's reallyimportant.
And finally, we heard about theneed to move away from plain
text data and instead use thisreally amazing technology of
(27:58):
verifiable credentials, whichwe've had in many instances, but
now it's becoming moreubiquitous and accessible to
companies and individuals.
Steve, thank you so much foragain so generously sharing your
time and your knowledge andinsights.
It's been such a pleasurespeaking with you For our
listeners.
You can read more about Steve'swork on his website,
(28:21):
lockstepcomau, and Steve and hisco-founder, george Peabody,
have an excellent podcastthemselves called Making Data
Better, and you'll soon bechatting to one of our
colleagues, olaf Gru, which willbe a fantastic conversation.
We'll also make sure we leave alink in the show notes to the
website and podcast so listenerscan check it out.
Thanks everyone for listeningto Navdigital Next and stay
(28:43):
tuned for more episodes to come.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com