June 13, 2023 • 25 mins
Self-sovereign identity, digital wallets, risk management, federated identity, and a recap of the Identiverse 2023 conference are among the topics discussed in this episode of Making Data Better. George and Steve complete their landscape view of data quality and security.
Identiverse 2023 reflected those topics, indicating a shift toward digital wallets, passkeys, and verifiable credentials as essential components of a resilient digital ecosystem. We discuss these and what's not being addressed to date.
So take a listen as we set the table for Making Data Better and begin our series. We will speak to practitioners of the latest in data protection, tell the stories of data quality initiatives that have succeeded—and failed—and regularly rise above the weeds to provide perspective.
With so many moving parts and so many changes, Making Data Better keeps it all in context.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Right back at you.
Listen to us two coffee, oldgeezers.
Speaker 2 (00:17):
Welcome to Making Data Better, a podcast about
data quality and the impact ithas on how we protect, manage
and use digital data critical toour lives.
I'm George Peabody, partner atLockstep Consulting, and thanks
for joining us, and with me isLockstep founder Steve Wilson.
Hi, steve, hey, george, how areyou Very, very well And glad to
(00:39):
see you.
I really enjoyed actuallyseeing you in person because
last week we were together in ofall places, las Vegas for the
Identiverse Conference and itwas great to see you in the real
world and have you caught upwith the time zone changes yet?
Speaker 1 (00:54):
I have.
indeed, it was the very realworld, wasn't it?
We exposed ourselves to allsorts of real world interactions
, and some of them viral, someof them otherwise.
Speaker 2 (01:04):
That's right.
Speaker 1 (01:06):
And we know that the earth is not flat, because time
zones and jet lag are vividproof.
Good to reflect on, identiverse, wasn't it?
There were several themes thatwe'll come back to as we talk
today, but, as always, i thinkit was very interesting to see
the difference between identityand identification and the
(01:28):
business of identification.
The business of enterprise.
Log on the bread and potatoes,the meat and potatoes of the
identity industry is goingstrong, but we keep seeing these
mixed signals, don't we, aboutthe future of identity and the
meaning of identity and thephilosophy thereof.
Speaker 2 (01:45):
Well, let's close up with that.
But we made a promise in thefirst episode to sort of finish
covering well at least a broadswath of the waterfront that we
care about in terms of makingdata better.
So in the first episode wediscussed data privacy, data
ownership and verifiablecredentials.
(02:06):
We also talked about who ownsthe risk at some length and how.
Risk is very much an individualassessment And it may also be
allocated or assigned based onbusiness rules or regulation.
And the example I used inepisode one was to talk about
today's fast push paymentsystems.
In Australia has one, the UShas got.
(02:30):
Well, it's about to launchanother national one.
If I send money to the wrongindividual because they fooled
me by scamming me, by rule I'mon the hook for the loss.
My bank doesn't have to make mewhole.
And, on the other hand, just toillustrate the power of rules,
if I make a purchase with mycredit card and what gets
(02:52):
shipped to me as a box of rocks,the rules say I can charge that
back.
So well, payment systems havegot very different sets of rules
, and so risk allocation is abig aspect here when we're
talking about the identificationuse case.
So, steve, one of the big topicsin the identity industry and
I'm putting identity in quoteshas been this term referred to
(03:16):
as self sovereign identity, andI'll confess, when I heard that
label, i was somewhat bemused.
I mean, i do love the notion ofbeing sovereign over my own
identity And then, well, i am.
I mean, and from any humanpoint of view, we are who we are
as we define ourselves, as ouractions declare us to be out
(03:38):
there in the world, but online,in the digital domain, who's
going to believe what I sayabout myself?
So what's this self sovereignmovement?
I've heard it also referred to.
What's it all about?
Speaker 1 (03:53):
It's definitely a movement.
I think it's fair to call it amovement because it's political,
and I do not mean partypolitical.
I mean that it is about power,the self sovereign movement.
My take on this is that it's anunderstandable revolt against
the excesses of the digitalindustry and indeed big
government for the last 10 or 20years.
(04:14):
So people feel as though theyown their identity in the real
world And we have this intuitionthat our precious analog
identity should be continuous aswe make the conversion to
digital.
Now a few things follow fromthat.
The idea that you could controlyour own identity or control
(04:35):
your own ID.
We've actually had that idea inthe industry for a long time.
It was called BYOD for a longtime.
Byod bring your own identity.
It's technically very difficultAnd it's a similar problem to
the double spending problem thatwas solved by blockchain.
So we'll come back to that.
Very interesting that the selfsovereign movement is wrapped up
(04:57):
with blockchain.
In some people's minds they areone and the same.
A lot of the more advancedthinking in self sovereign tries
to break the blockchainshackles, because blockchain
obviously has a lot of baggage.
The idea that you could controlhow you are known merges then
with the hope that you couldcontrol how your data flows.
(05:20):
That's the big misstep that Iwant to talk about for just a
minute.
The idea that, even if youcould control your own identity
and BYO ID, the idea that thatwould then force anybody to
control data about you in aparticular way, i think, is a
false hope.
My take on this is that mostpersonal identity about me is
(05:41):
created behind my back, for goodor for worse.
Mostly for good.
Speaker 2 (05:46):
A lot of the identity that you use, or we use, to
inform another party about whowe are are really.
What we're doing is giving themattributes that have been given
to us by government agenciesour driver's license, our
Medicare or Social Securitynumbers, or whatever.
Speaker 1 (06:06):
Being our memberships , our qualifications, our
affiliations, all attributesthat come from different
communities, and they're givento us.
We don't actually own them.
We carry them and we controlthe way that they are presented.
This idea of control breaksdown in different ways.
I want to be able to controlthe presentation of my driver's
license from me to you.
That's decentralized in a sense, a peer-to-peer proof of who I
(06:30):
am my driver's license withoutcalling home to base and without
leaving digital breadcrumbs.
I think that's a powerful idea.
This idea of who owns these bitsand pieces is actually a big
red herring.
Most information about me iscreated behind my back my
trading history, my transactionhistory, my health history.
(06:52):
These are things that I don'tactually have a lot of hope of
controlling.
I don't think I want to controlthose things.
I think I want an orderlydigital society where there are
restraints on how informationabout me is used.
Those restraints are applied onmy behalf by regulators and
advocates and so on.
The idea that I would watchevery bit and bite about me
(07:15):
moving from A to B to C to E toZ it's pretty hopeless.
Speaker 2 (07:22):
It would be exhausting, right?
Speaker 1 (07:24):
Oh man, you think that clicking on cookie accept
is exhausting enough, butliterally controlling the way
that information flows?
we can't do that.
That's not civilized.
Speaker 2 (07:36):
I think civilization would suggest that we ought to
have our permission to releasedata about us.
That's where we hear aboutconsent management.
Speaker 1 (07:47):
Absolutely.
Speaker 2 (07:48):
Back to the self-sovereign piece We heard
the referred to a little bit atIdentiverse.
Was the connection betweenself-sovereign and blockchain is
because blockchain is immutableand then therefore my identity
is immutable.
Was that the connector there?
Speaker 1 (08:07):
Kind of.
The more unique thing aboutblockchain is that it's solved.
What I've come to understand isthe originality problem.
So, on its face, blockchainsolved the double spending
problem where, when your moneyis purely digital and therefore
it can be copied, you've got awicked problem about how do you
know if my digital coins havebeen used more than once.
(08:30):
And so the famous blockchainalgorithm solved that problem in
a decentralized way for thefirst time.
We had systems like Mondex 30years ago.
That was an electronic purseand that solved double spending,
but it was essentially managed,and so the self-sovereign
movement did not wantessentially managed currency
(08:53):
wallet.
They wanted to have your ownwallet.
So the guts of blockchain isthat it provides originality.
I can create a public-privatekey pair out of thin air using
open source algorithms.
Everybody can do this.
I can create a key pair.
The trick, then, is how do Iconvince the world that it's my
key pair and it doesn't belongto anybody else?
(09:14):
So the very first time that Icreate my key pair, i send a
message out to the world.
I sign something with myprivate key.
I send it out to the world andsay, hey, this is Steve's, this
is Steve's origin event, andthat starts, for example, a
Bitcoin wallet, or it can starta self-sovereign identity.
Speaker 2 (09:36):
I thought you were going to say it needs to be
started with by presenting yourdriver's license.
Speaker 1 (09:42):
Well, well, that's the funny thing, isn't it?
The ID is not the mostinteresting part of the puzzle.
The most interesting part ofthe puzzle is your driver's
license or your proof of age orthe fact that you're a board
certified cardiologist, andthose facts and figures are not
sovereign.
Really, trust me to say I'm acardiologist because I'm not
(10:07):
Bring your own identity isactually not a particularly
interesting thing, because whathappens after you in this
self-sovereign world, once youhave your own BYO ID, your proud
self-sovereign identity?
what you need to do is to hanga whole lot of other things off
of that identity.
You need to have any controlover those things, the
interesting things, theattributes.
You don't control those, sothey need to sit in a wallet.
(10:28):
It's a good idea to controlyour wallet, but whether or not
you own your wallet or not, it'sreally ceremony, it's really
for appearances.
Speaker 2 (10:36):
I say the other side of that is the relying party,
the risk owner, who?
Speaker 1 (10:40):
needs to get these signals.
Speaker 2 (10:44):
They've got to be happy with the signals that they
get.
They get to choose what theyuse to make an assessment.
Speaker 1 (10:52):
Well, that's the funny thing about control is
that this is not a politicallycorrect observation.
But even if I did control allof my identities and all of my
attributes, I can't control whatthe relying party makes of
those facts and figures, becauseit's the relying party, as we
call them, the risk owner.
They are on the hook for thosefacts and figures being fit for
(11:13):
purpose.
I can have the best wallet inthe world.
I can't make a relying partytake my word for it.
They are, in fact, sovereignover their own decision-making
about the risks that they areprepared to take about the
people that they're dealing with.
This is actually why federatedidentity has come unstuck.
Speaker 2 (11:34):
Let's define federated identity first.
Speaker 1 (11:38):
Federated identity.
Is this well-meaning idea thatI should be able to reuse my
identity?
I go to a lot of effort toidentify myself to one bank
through the infamous KYCprocesses.
It's a big investment that Imake.
Why shouldn't I be able toreuse that investment, bootstrap
or Streamline or simply reusethat identity somewhere else?
(12:01):
It turns out to be a falseintuition, because identity is
just the surface of theidentification that I've gone
through.
Identification is the way thatsomebody gets to know enough
about me to do business with me.
At the end of that process,they'll give me a bank account
number or a customerrelationship number or whatever.
(12:22):
I get an ID and that stands forthe fact that I've done
identification.
Federation is this intuitionthat I should be able to reuse
that process elsewhere?
And it is tantamount to havinga bank outsource identification
to somebody else.
Take somebody else's word forwho Steve Wilson is And when you
(12:44):
express it in those terms, it'snot so simple, is it?
Because a bank normallysatisfies itself about all those
bits and pieces about me.
It puts together a story aboutwho it thinks Steve Wilson is,
to its own satisfaction, andit's actually very tricky to try
and take somebody else's wordfor that whole story And that's
(13:05):
why Federation is breakdown.
We've had some really big publicprivate Federation partnerships
over the last 15 years, thingslike INSTIC, united States
National Strategy for TrustedIdentities, and Cyberspace.
We've had the UK Verify projectvery, very similar.
They impanel multiple identityproviders with the hope that
(13:27):
once you get a certifiedidentity from one of those
providers, then any otherrelying party in the family is
going to rely on them, and itjust doesn't work.
For 10 years we've seen thisbecome a manifest market failure
, because it's very difficultfor an organization to simply
trust somebody else's word forwho I am.
Speaker 2 (13:47):
Well, every party, each one of us, every enterprise
gets to make a decision aboutwhat our risk profile is.
Speaker 1 (13:55):
Federation.
To some degree it underminesthe autonomy that an
organization has to make up itsown mind about who you are And,
like you said, risk managementis always done locally.
If you're a professionalorganization onboarding
accountants, you have a lot atstake to make the correct
decision that George P B D is anaccountant before you go and
(14:16):
board certify them, and that'sactually a sovereign process.
That's why each country has itsown professions, each country
has its own membership rules Andit's a devil of a job to in
fact get mutual recognitionacross borders of professional
bodies.
Speaker 2 (14:33):
It's hard enough to share those credentials within
the country.
Speaker 1 (14:36):
Exactly So.
Look, i'm not.
You know it's bad and it'sunfortunate.
The friction is terrible, butthe friction is a natural
consequence of autonomy in riskmanagement, and everything flows
from that.
What flows is thatorganizations that are on the
hook will make their own mindsup about who people are, and
(14:59):
there's no way that we're goingto change that.
Speaker 2 (15:02):
That's right.
One of the key questions aboard of directors makes board
members make looking at thecompany that they are
responsible for, is around riskmanagement, And every company
has its own unique set of riskconcerns.
It's no wonder that risk isidiosyncratic in that respect.
That's it, Yep, A lot of movingparts.
(15:22):
So we'll be covering, of course, these moving parts at greater
depth in upcoming episodes withmore guests.
But now let's take a littlereturn to where we were last
week, Steve, and talk about whatwe heard at Identiverse.
And well, I definitely noticeda difference between last year
and this year.
So I want to ask you what doyou think of the?
(15:46):
what are the trends that makedata better that you heard about
And then we saw this year?
Speaker 1 (15:52):
Well, let's remind the audience that Identiverse is
probably the world's preeminentdigital identity industry
conference.
It has been running now for 12or 13 years.
We saw the biggest ID to date,about 3,000 delegates, i think,
in Las Vegas.
It covers everything from thebread and butter of digital
(16:15):
identity, which is like log onand two-factor authentication
and multi-factor.
The stuff that every enterpriseneeds these days Circle Cloud
identity or customer identityand access management is the
category C-I-A-M, all the waythrough some really interesting
leading edge public-privatepartnerships around mobile
(16:38):
drivers, licenses and electronicpassports, to some
architectural and politicalAgain, not party political, but
how do we deal with identity atscale and what does it even mean
?
So it's a really lively event.
Now.
Last year happened to be thelaunch of FIDO Passkey The idea
(17:00):
of being able to have soft,private key management
synchronizing your FIDOcredentials across different
platforms and applications.
Now that Passkey, we've got 12months of experience.
There was a lot of case studiesof Passkey at at the end of it,
so it was fabulous.
Let's remember that FIDO hasbrought together the three major
(17:20):
platforms Microsoft, google andApple are now co-operating,
speaking publicly perhaps forthe first time about these
technology standards, it's very,very exciting.
Now we started to see a bitabout wallets last year data
wallets or digital identitywallets, credential wallets and
that was really the talk of thetown.
I reckon this year a lot oftalk about wallets.
(17:43):
There are the built-in walletswith the mobile phone, which
most people are familiar withnow for carrying credit cards
and boarding passes and COVIDcertificates.
The European Union isofficially moving to make their
electronic ID available in Appleand Google wallets and mobile
driver's licenses The TAP andPROVE NFC wireless driver's
(18:08):
license standards coming to thewallets as well.
That was huge.
Wrapped up with that isverifiable credentials.
How do you take things likeyour proof of age or your trade
qualifications or youraccountancy?
How do you take those facts anddigitize them and make them
really secure and private in awallet?
There's a lot of talk aboutverifiable credentials.
(18:30):
What people are not talkingabout is the acceptance of these
things.
Once you've got a wallet fullof credentials, how do you
present those privately andsecurely to a relying party?
How do you convince a relyingparty that these credentials are
true?
The acceptance of verifiablecredentials is something that
we're now grappling with.
(18:50):
How do you scale these thingsup?
How do you learn the lessons ofthings like the credit card
industry which does acceptanceseamlessly, obviously at scale.
Speaker 2 (19:00):
That's because there's a network there which
has rules and technology andbrand.
But the first two are whatgives it the power?
I think you're pointing at thegap between okay, i've got a
digital wallet, but how are thecredentials sourced?
What's the provenance of thecredentials that get into the
(19:21):
digital wallet?
Then to your point ofacceptance.
well, the two go together,don't they?
How do I deliver thosecredentials and release them, if
you will, to the party thatneeds to inspect them?
Speaker 1 (19:35):
Yeah, the two do go together.
It's a two-sided exercise,thank you.
I like to bring people back totheir mobile phone wallet.
Whether it's Google or Apple,have a look.
Most of us have now got acredit card or two in our mobile
phone wallet.
Have a look at it.
It's carrying, it's stillcarrying the brand.
The Visa or the Mastercard isprominent in your mobile phone
(19:57):
wallet, so that's pretty cool.
But that means, though, is thatApple has co-ordered, or Google
have cooperated with Visa orMastercard respectively.
So, scheme to scheme, thoseschemes have got together behind
the scenes, and the lawyershave thrashed out agreements
where they're going to open uptheir APIs and share the magic
(20:18):
data.
That is not trivial.
It's a beautiful experience forme.
I mean, it's easy to have aVisa card in my Apple wallet,
but I forget how hard it was forthose organizations to get
together to agree on uploadingthe magic keys into the wallet.
Then, conversely, i can tap andprove.
I think I bought you lunch lastweek, and I wave my Apple phone
(20:39):
in front of a.
We had some nice Lebanese food.
Now, that vendor doesn't knowme, the vendor doesn't know my
bank, but the vendor system doesknow Visa, and it knows the
Apple wallet.
So behind the scenes, all ofthat magic happens so that my
wallet can send ones and zerosto the terminal and the terminal
(21:04):
can rely on the data.
So we've got good data goinginto a wallet and we've got
dependable data coming out ofthe wallet, and that's the real
magic of acceptance and scale.
Speaker 2 (21:15):
We'll talk about in another upcoming episode how,
actually, the card system, thenetwork made that data better on
the strength of theavailability of a smartphone.
I raise that just to illustratethat it's a two-sided problem.
There's the wallet problem,which is what we heard about.
This is wallet technology.
We heard a lot about that atlast week.
(21:35):
The network has to facilitatethe release of that and
distribution of that information.
That, too, was a body of workthat needed to be done.
Any other impressions?
Well, i think that that'scoming.
Speaker 1 (21:49):
I think that the realization of the need for a
network to connect these walletstogether, that's coming Data
and metadata, facts and proofs.
The currency of theself-sovereign movement is about
claims and proofs.
A lot of fabulous technology,zero-knowledge proofs.
How do I prove something aboutme?
(22:10):
and only that thing.
How do I prove to you that I'mover 21 years old?
and don't prove anything else?
That's a zero-knowledge proof.
It's pretty cool, but it's anaked fact.
It's a promise that I'm over 21.
It's an empty promise unlesspeople are prepared to pick up
that promise and ingest it andrely on it.
(22:30):
That's that networking thatyou're talking about.
The Open Wallet Foundation wassomething that was gestated last
year at Identiverse.
It was launched this year.
It's a new effort.
It's a standardization of APIsthat's housed by the Linux
Foundation.
We also heard from the OID, theOpenID Foundation, which is
working on I think they called asmart wallet and APIs and
(22:54):
interoperability and blah, blah,blah.
Now I don't want to belittlethat It's a really important
work, but it is not sufficientfor these wallets to be
recognizable and legible atscale around the world.
We are seeing this blind spot.
I think to the importance ofnetworks and schemes.
(23:14):
We did a lot of research.
Georgie on me with otheridentities at Identiverse.
We know that there's a hugeamount of interest in the need
for networks to support thewallet.
I think that we're going to seemore of that next year.
Speaker 2 (23:28):
Well, that's part of why we're having this
conversation right now.
Well, okay, steve, let's leaveit there.
Great to speak with you, andour thanks to you for listening
as we begin this expedition tounderstand the many sides of
data quality.
So much of what we're talkingabout is making facts available
on which to make a decision.
I saw a new story today about aparticular party here in the US
(23:52):
actually, a particularcandidate of a particular party
in the US making use of anAI-generated image to tell a lie
.
Now that we have that AIgeneration of images, audio and
video, we can't trust our eyesand ears any longer.
They're insufficient, so weneed a way of having facts enter
(24:16):
our digital lives as afoundation, rather than run the
risk of this technical nonsense.
Yeah, so for more of ourthinking, take a look at
lockstepcomau and let us knowwhat you think.
We've got blogs there and alsoa link to makingbetterdatacom,
which is where our podcasts live.
(24:38):
So go ahead and tweet, steve.
Hashtag making data better.
Let us know your thoughts ordrop us an email.
Speaker 1 (24:45):
Thanks, steve.
No worries, george, good stuff,Great talking to you.
Thanks everybody.
Right back at you.
Listen to us two coffee, oldgeezers.
Speaker 2 (00:17):
Welcome to Making Data Better, a podcast about
data quality and the impact ithas on how we protect, manage
and use digital data critical toour lives.
I'm George Peabody, partner atLockstep Consulting, and thanks
for joining us, and with me isLockstep founder Steve Wilson.
Hi, steve, hey, george, how areyou Very, very well And glad to
(00:39):
see you.
I really enjoyed actuallyseeing you in person because
last week we were together in ofall places, las Vegas for the
Identiverse Conference and itwas great to see you in the real
world and have you caught upwith the time zone changes yet?
Speaker 1 (00:54):
I have.
indeed, it was the very realworld, wasn't it?
We exposed ourselves to allsorts of real world interactions
, and some of them viral, someof them otherwise.
Speaker 2 (01:04):
That's right.
Speaker 1 (01:06):
And we know that the earth is not flat, because time
zones and jet lag are vividproof.
Good to reflect on, identiverse, wasn't it?
There were several themes thatwe'll come back to as we talk
today, but, as always, i thinkit was very interesting to see
the difference between identityand identification and the
(01:28):
business of identification.
The business of enterprise.
Log on the bread and potatoes,the meat and potatoes of the
identity industry is goingstrong, but we keep seeing these
mixed signals, don't we, aboutthe future of identity and the
meaning of identity and thephilosophy thereof.
Speaker 2 (01:45):
Well, let's close up with that.
But we made a promise in thefirst episode to sort of finish
covering well at least a broadswath of the waterfront that we
care about in terms of makingdata better.
So in the first episode wediscussed data privacy, data
ownership and verifiablecredentials.
(02:06):
We also talked about who ownsthe risk at some length and how.
Risk is very much an individualassessment And it may also be
allocated or assigned based onbusiness rules or regulation.
And the example I used inepisode one was to talk about
today's fast push paymentsystems.
In Australia has one, the UShas got.
(02:30):
Well, it's about to launchanother national one.
If I send money to the wrongindividual because they fooled
me by scamming me, by rule I'mon the hook for the loss.
My bank doesn't have to make mewhole.
And, on the other hand, just toillustrate the power of rules,
if I make a purchase with mycredit card and what gets
(02:52):
shipped to me as a box of rocks,the rules say I can charge that
back.
So well, payment systems havegot very different sets of rules
, and so risk allocation is abig aspect here when we're
talking about the identificationuse case.
So, steve, one of the big topicsin the identity industry and
I'm putting identity in quoteshas been this term referred to
(03:16):
as self sovereign identity, andI'll confess, when I heard that
label, i was somewhat bemused.
I mean, i do love the notion ofbeing sovereign over my own
identity And then, well, i am.
I mean, and from any humanpoint of view, we are who we are
as we define ourselves, as ouractions declare us to be out
(03:38):
there in the world, but online,in the digital domain, who's
going to believe what I sayabout myself?
So what's this self sovereignmovement?
I've heard it also referred to.
What's it all about?
Speaker 1 (03:53):
It's definitely a movement.
I think it's fair to call it amovement because it's political,
and I do not mean partypolitical.
I mean that it is about power,the self sovereign movement.
My take on this is that it's anunderstandable revolt against
the excesses of the digitalindustry and indeed big
government for the last 10 or 20years.
(04:14):
So people feel as though theyown their identity in the real
world And we have this intuitionthat our precious analog
identity should be continuous aswe make the conversion to
digital.
Now a few things follow fromthat.
The idea that you could controlyour own identity or control
(04:35):
your own ID.
We've actually had that idea inthe industry for a long time.
It was called BYOD for a longtime.
Byod bring your own identity.
It's technically very difficultAnd it's a similar problem to
the double spending problem thatwas solved by blockchain.
So we'll come back to that.
Very interesting that the selfsovereign movement is wrapped up
(04:57):
with blockchain.
In some people's minds they areone and the same.
A lot of the more advancedthinking in self sovereign tries
to break the blockchainshackles, because blockchain
obviously has a lot of baggage.
The idea that you could controlhow you are known merges then
with the hope that you couldcontrol how your data flows.
(05:20):
That's the big misstep that Iwant to talk about for just a
minute.
The idea that, even if youcould control your own identity
and BYO ID, the idea that thatwould then force anybody to
control data about you in aparticular way, i think, is a
false hope.
My take on this is that mostpersonal identity about me is
(05:41):
created behind my back, for goodor for worse.
Mostly for good.
Speaker 2 (05:46):
A lot of the identity that you use, or we use, to
inform another party about whowe are are really.
What we're doing is giving themattributes that have been given
to us by government agenciesour driver's license, our
Medicare or Social Securitynumbers, or whatever.
Speaker 1 (06:06):
Being our memberships , our qualifications, our
affiliations, all attributesthat come from different
communities, and they're givento us.
We don't actually own them.
We carry them and we controlthe way that they are presented.
This idea of control breaksdown in different ways.
I want to be able to controlthe presentation of my driver's
license from me to you.
That's decentralized in a sense, a peer-to-peer proof of who I
(06:30):
am my driver's license withoutcalling home to base and without
leaving digital breadcrumbs.
I think that's a powerful idea.
This idea of who owns these bitsand pieces is actually a big
red herring.
Most information about me iscreated behind my back my
trading history, my transactionhistory, my health history.
(06:52):
These are things that I don'tactually have a lot of hope of
controlling.
I don't think I want to controlthose things.
I think I want an orderlydigital society where there are
restraints on how informationabout me is used.
Those restraints are applied onmy behalf by regulators and
advocates and so on.
The idea that I would watchevery bit and bite about me
(07:15):
moving from A to B to C to E toZ it's pretty hopeless.
Speaker 2 (07:22):
It would be exhausting, right?
Speaker 1 (07:24):
Oh man, you think that clicking on cookie accept
is exhausting enough, butliterally controlling the way
that information flows?
we can't do that.
That's not civilized.
Speaker 2 (07:36):
I think civilization would suggest that we ought to
have our permission to releasedata about us.
That's where we hear aboutconsent management.
Speaker 1 (07:47):
Absolutely.
Speaker 2 (07:48):
Back to the self-sovereign piece We heard
the referred to a little bit atIdentiverse.
Was the connection betweenself-sovereign and blockchain is
because blockchain is immutableand then therefore my identity
is immutable.
Was that the connector there?
Speaker 1 (08:07):
Kind of.
The more unique thing aboutblockchain is that it's solved.
What I've come to understand isthe originality problem.
So, on its face, blockchainsolved the double spending
problem where, when your moneyis purely digital and therefore
it can be copied, you've got awicked problem about how do you
know if my digital coins havebeen used more than once.
(08:30):
And so the famous blockchainalgorithm solved that problem in
a decentralized way for thefirst time.
We had systems like Mondex 30years ago.
That was an electronic purseand that solved double spending,
but it was essentially managed,and so the self-sovereign
movement did not wantessentially managed currency
(08:53):
wallet.
They wanted to have your ownwallet.
So the guts of blockchain isthat it provides originality.
I can create a public-privatekey pair out of thin air using
open source algorithms.
Everybody can do this.
I can create a key pair.
The trick, then, is how do Iconvince the world that it's my
key pair and it doesn't belongto anybody else?
(09:14):
So the very first time that Icreate my key pair, i send a
message out to the world.
I sign something with myprivate key.
I send it out to the world andsay, hey, this is Steve's, this
is Steve's origin event, andthat starts, for example, a
Bitcoin wallet, or it can starta self-sovereign identity.
Speaker 2 (09:36):
I thought you were going to say it needs to be
started with by presenting yourdriver's license.
Speaker 1 (09:42):
Well, well, that's the funny thing, isn't it?
The ID is not the mostinteresting part of the puzzle.
The most interesting part ofthe puzzle is your driver's
license or your proof of age orthe fact that you're a board
certified cardiologist, andthose facts and figures are not
sovereign.
Really, trust me to say I'm acardiologist because I'm not
(10:07):
Bring your own identity isactually not a particularly
interesting thing, because whathappens after you in this
self-sovereign world, once youhave your own BYO ID, your proud
self-sovereign identity?
what you need to do is to hanga whole lot of other things off
of that identity.
You need to have any controlover those things, the
interesting things, theattributes.
You don't control those, sothey need to sit in a wallet.
(10:28):
It's a good idea to controlyour wallet, but whether or not
you own your wallet or not, it'sreally ceremony, it's really
for appearances.
Speaker 2 (10:36):
I say the other side of that is the relying party,
the risk owner, who?
Speaker 1 (10:40):
needs to get these signals.
Speaker 2 (10:44):
They've got to be happy with the signals that they
get.
They get to choose what theyuse to make an assessment.
Speaker 1 (10:52):
Well, that's the funny thing about control is
that this is not a politicallycorrect observation.
But even if I did control allof my identities and all of my
attributes, I can't control whatthe relying party makes of
those facts and figures, becauseit's the relying party, as we
call them, the risk owner.
They are on the hook for thosefacts and figures being fit for
(11:13):
purpose.
I can have the best wallet inthe world.
I can't make a relying partytake my word for it.
They are, in fact, sovereignover their own decision-making
about the risks that they areprepared to take about the
people that they're dealing with.
This is actually why federatedidentity has come unstuck.
Speaker 2 (11:34):
Let's define federated identity first.
Speaker 1 (11:38):
Federated identity.
Is this well-meaning idea thatI should be able to reuse my
identity?
I go to a lot of effort toidentify myself to one bank
through the infamous KYCprocesses.
It's a big investment that Imake.
Why shouldn't I be able toreuse that investment, bootstrap
or Streamline or simply reusethat identity somewhere else?
(12:01):
It turns out to be a falseintuition, because identity is
just the surface of theidentification that I've gone
through.
Identification is the way thatsomebody gets to know enough
about me to do business with me.
At the end of that process,they'll give me a bank account
number or a customerrelationship number or whatever.
(12:22):
I get an ID and that stands forthe fact that I've done
identification.
Federation is this intuitionthat I should be able to reuse
that process elsewhere?
And it is tantamount to havinga bank outsource identification
to somebody else.
Take somebody else's word forwho Steve Wilson is And when you
(12:44):
express it in those terms, it'snot so simple, is it?
Because a bank normallysatisfies itself about all those
bits and pieces about me.
It puts together a story aboutwho it thinks Steve Wilson is,
to its own satisfaction, andit's actually very tricky to try
and take somebody else's wordfor that whole story And that's
(13:05):
why Federation is breakdown.
We've had some really big publicprivate Federation partnerships
over the last 15 years, thingslike INSTIC, united States
National Strategy for TrustedIdentities, and Cyberspace.
We've had the UK Verify projectvery, very similar.
They impanel multiple identityproviders with the hope that
(13:27):
once you get a certifiedidentity from one of those
providers, then any otherrelying party in the family is
going to rely on them, and itjust doesn't work.
For 10 years we've seen thisbecome a manifest market failure
, because it's very difficultfor an organization to simply
trust somebody else's word forwho I am.
Speaker 2 (13:47):
Well, every party, each one of us, every enterprise
gets to make a decision aboutwhat our risk profile is.
Speaker 1 (13:55):
Federation.
To some degree it underminesthe autonomy that an
organization has to make up itsown mind about who you are And,
like you said, risk managementis always done locally.
If you're a professionalorganization onboarding
accountants, you have a lot atstake to make the correct
decision that George P B D is anaccountant before you go and
(14:16):
board certify them, and that'sactually a sovereign process.
That's why each country has itsown professions, each country
has its own membership rules Andit's a devil of a job to in
fact get mutual recognitionacross borders of professional
bodies.
Speaker 2 (14:33):
It's hard enough to share those credentials within
the country.
Speaker 1 (14:36):
Exactly So.
Look, i'm not.
You know it's bad and it'sunfortunate.
The friction is terrible, butthe friction is a natural
consequence of autonomy in riskmanagement, and everything flows
from that.
What flows is thatorganizations that are on the
hook will make their own mindsup about who people are, and
(14:59):
there's no way that we're goingto change that.
Speaker 2 (15:02):
That's right.
One of the key questions aboard of directors makes board
members make looking at thecompany that they are
responsible for, is around riskmanagement, And every company
has its own unique set of riskconcerns.
It's no wonder that risk isidiosyncratic in that respect.
That's it, Yep, A lot of movingparts.
(15:22):
So we'll be covering, of course, these moving parts at greater
depth in upcoming episodes withmore guests.
But now let's take a littlereturn to where we were last
week, Steve, and talk about whatwe heard at Identiverse.
And well, I definitely noticeda difference between last year
and this year.
So I want to ask you what doyou think of the?
(15:46):
what are the trends that makedata better that you heard about
And then we saw this year?
Speaker 1 (15:52):
Well, let's remind the audience that Identiverse is
probably the world's preeminentdigital identity industry
conference.
It has been running now for 12or 13 years.
We saw the biggest ID to date,about 3,000 delegates, i think,
in Las Vegas.
It covers everything from thebread and butter of digital
(16:15):
identity, which is like log onand two-factor authentication
and multi-factor.
The stuff that every enterpriseneeds these days Circle Cloud
identity or customer identityand access management is the
category C-I-A-M, all the waythrough some really interesting
leading edge public-privatepartnerships around mobile
(16:38):
drivers, licenses and electronicpassports, to some
architectural and politicalAgain, not party political, but
how do we deal with identity atscale and what does it even mean
?
So it's a really lively event.
Now.
Last year happened to be thelaunch of FIDO Passkey The idea
(17:00):
of being able to have soft,private key management
synchronizing your FIDOcredentials across different
platforms and applications.
Now that Passkey, we've got 12months of experience.
There was a lot of case studiesof Passkey at at the end of it,
so it was fabulous.
Let's remember that FIDO hasbrought together the three major
(17:20):
platforms Microsoft, google andApple are now co-operating,
speaking publicly perhaps forthe first time about these
technology standards, it's very,very exciting.
Now we started to see a bitabout wallets last year data
wallets or digital identitywallets, credential wallets and
that was really the talk of thetown.
I reckon this year a lot oftalk about wallets.
(17:43):
There are the built-in walletswith the mobile phone, which
most people are familiar withnow for carrying credit cards
and boarding passes and COVIDcertificates.
The European Union isofficially moving to make their
electronic ID available in Appleand Google wallets and mobile
driver's licenses The TAP andPROVE NFC wireless driver's
(18:08):
license standards coming to thewallets as well.
That was huge.
Wrapped up with that isverifiable credentials.
How do you take things likeyour proof of age or your trade
qualifications or youraccountancy?
How do you take those facts anddigitize them and make them
really secure and private in awallet?
There's a lot of talk aboutverifiable credentials.
(18:30):
What people are not talkingabout is the acceptance of these
things.
Once you've got a wallet fullof credentials, how do you
present those privately andsecurely to a relying party?
How do you convince a relyingparty that these credentials are
true?
The acceptance of verifiablecredentials is something that
we're now grappling with.
(18:50):
How do you scale these thingsup?
How do you learn the lessons ofthings like the credit card
industry which does acceptanceseamlessly, obviously at scale.
Speaker 2 (19:00):
That's because there's a network there which
has rules and technology andbrand.
But the first two are whatgives it the power?
I think you're pointing at thegap between okay, i've got a
digital wallet, but how are thecredentials sourced?
What's the provenance of thecredentials that get into the
(19:21):
digital wallet?
Then to your point ofacceptance.
well, the two go together,don't they?
How do I deliver thosecredentials and release them, if
you will, to the party thatneeds to inspect them?
Speaker 1 (19:35):
Yeah, the two do go together.
It's a two-sided exercise,thank you.
I like to bring people back totheir mobile phone wallet.
Whether it's Google or Apple,have a look.
Most of us have now got acredit card or two in our mobile
phone wallet.
Have a look at it.
It's carrying, it's stillcarrying the brand.
The Visa or the Mastercard isprominent in your mobile phone
(19:57):
wallet, so that's pretty cool.
But that means, though, is thatApple has co-ordered, or Google
have cooperated with Visa orMastercard respectively.
So, scheme to scheme, thoseschemes have got together behind
the scenes, and the lawyershave thrashed out agreements
where they're going to open uptheir APIs and share the magic
(20:18):
data.
That is not trivial.
It's a beautiful experience forme.
I mean, it's easy to have aVisa card in my Apple wallet,
but I forget how hard it was forthose organizations to get
together to agree on uploadingthe magic keys into the wallet.
Then, conversely, i can tap andprove.
I think I bought you lunch lastweek, and I wave my Apple phone
(20:39):
in front of a.
We had some nice Lebanese food.
Now, that vendor doesn't knowme, the vendor doesn't know my
bank, but the vendor system doesknow Visa, and it knows the
Apple wallet.
So behind the scenes, all ofthat magic happens so that my
wallet can send ones and zerosto the terminal and the terminal
(21:04):
can rely on the data.
So we've got good data goinginto a wallet and we've got
dependable data coming out ofthe wallet, and that's the real
magic of acceptance and scale.
Speaker 2 (21:15):
We'll talk about in another upcoming episode how,
actually, the card system, thenetwork made that data better on
the strength of theavailability of a smartphone.
I raise that just to illustratethat it's a two-sided problem.
There's the wallet problem,which is what we heard about.
This is wallet technology.
We heard a lot about that atlast week.
(21:35):
The network has to facilitatethe release of that and
distribution of that information.
That, too, was a body of workthat needed to be done.
Any other impressions?
Well, i think that that'scoming.
Speaker 1 (21:49):
I think that the realization of the need for a
network to connect these walletstogether, that's coming Data
and metadata, facts and proofs.
The currency of theself-sovereign movement is about
claims and proofs.
A lot of fabulous technology,zero-knowledge proofs.
How do I prove something aboutme?
(22:10):
and only that thing.
How do I prove to you that I'mover 21 years old?
and don't prove anything else?
That's a zero-knowledge proof.
It's pretty cool, but it's anaked fact.
It's a promise that I'm over 21.
It's an empty promise unlesspeople are prepared to pick up
that promise and ingest it andrely on it.
(22:30):
That's that networking thatyou're talking about.
The Open Wallet Foundation wassomething that was gestated last
year at Identiverse.
It was launched this year.
It's a new effort.
It's a standardization of APIsthat's housed by the Linux
Foundation.
We also heard from the OID, theOpenID Foundation, which is
working on I think they called asmart wallet and APIs and
(22:54):
interoperability and blah, blah,blah.
Now I don't want to belittlethat It's a really important
work, but it is not sufficientfor these wallets to be
recognizable and legible atscale around the world.
We are seeing this blind spot.
I think to the importance ofnetworks and schemes.
(23:14):
We did a lot of research.
Georgie on me with otheridentities at Identiverse.
We know that there's a hugeamount of interest in the need
for networks to support thewallet.
I think that we're going to seemore of that next year.
Speaker 2 (23:28):
Well, that's part of why we're having this
conversation right now.
Well, okay, steve, let's leaveit there.
Great to speak with you, andour thanks to you for listening
as we begin this expedition tounderstand the many sides of
data quality.
So much of what we're talkingabout is making facts available
on which to make a decision.
I saw a new story today about aparticular party here in the US
(23:52):
actually, a particularcandidate of a particular party
in the US making use of anAI-generated image to tell a lie
.
Now that we have that AIgeneration of images, audio and
video, we can't trust our eyesand ears any longer.
They're insufficient, so weneed a way of having facts enter
(24:16):
our digital lives as afoundation, rather than run the
risk of this technical nonsense.
Yeah, so for more of ourthinking, take a look at
lockstepcomau and let us knowwhat you think.
We've got blogs there and alsoa link to makingbetterdatacom,
which is where our podcasts live.
(24:38):
So go ahead and tweet, steve.
Hashtag making data better.
Let us know your thoughts ordrop us an email.
Speaker 1 (24:45):
Thanks, steve.
No worries, george, good stuff,Great talking to you.
Thanks everybody.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com