Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Paul Bellows (00:31):
This is the 311
Podcast.
I'm your host, Paul Bellows.
This is a show about the people that make digital work for the
public service.
If you'd like to find out more, visit northern.co.
Today my guest is Tim Bouma.
Tim is Canada's public sector digital identity expert.
He's held key roles in the federal government for years and
(00:53):
was a key player in the Pan-Canadian Trust Framework,
which brought together regional and federal government players
to define standards and best practices for digital identity.
Tim now sits as a special advisor to Canada's Digital
Governance Council, Conseil de Gouvernance Numérique, a member
driven nonprofit working on responsible design,
architecture, and management of digital technologies for the
(01:15):
public service.
For what it's worth, I'm also a member of the Digital Governance
Council, which is one of the ways Tim and I know each other.
A bit of table setting for our conversation.
If you're not from Canada or maybe if you are, we're often
confused in our governance structure with the United
States.
There are similarities and differences.
Like the US, we are a federation, but unlike the US we
(01:39):
are an asymmetrical federation of provinces, territories, and
indigenous nations.
This means that unlike the States, which are all quite
equal, the various constituents of Canada's federation have
varying levels of power and responsibility.
And unlike the states, each of which joined an existing Union,
Canada's federation was designed from the ground up to bring
(02:00):
together separate colonies and regions into a stronger
federation.
What this means is that over Canada's history since 1867,
there has been a constant tug of war in terms of power and
responsibility, both between regions and the federal
government and between the regions themselves.
This means that when we look at something like digital identity,
it's unclear who is best positioned to own the
(02:22):
responsibility.
In my mind, this actually makes Canada an ideal testing ground
for concepts like digital identity.
We've got the expertise to do this, but the real world
complexity that's required to test the concepts of federated
identity exist here.
The second point to make is that digital identity itself is a
(02:42):
sprawling and complex technology space.
There are many competing technologies and goals.
Devices and operating system players like Apple and Google
own biometrics and sign-on technology.
Platforms like Meta and YouTube own your personality, taste,
hobbies, relationships.
Retailers own your spending habits and demographics.
(03:02):
Advertisers have a vast repository of information about
where you travel, what you eat, what you wear, and your
political and social opinions.
All of this adds up to what some call your digital twin or the
version of you that exists in cyberspace.
But government is different.
At key moments government needs absolute assurance that the you
they are interacting with digitally is really you. Handing
(03:26):
out medical information, crossing a border, filing taxes
and more key transactions are examples.
But unlike other digital practitioners, government
doesn't want to own or even be aware of your digital twin.
There's an intentional anonymity to our relationship with the
government that we all want to preserve.
One exception is law enforcement where certain information may be
(03:49):
tracked securely for risk mitigation purposes.
Either way, government has a security and privacy mandate
that vastly outstrips the private sector's burden.
Tim is someone I've been looking forward to speaking with for
years.
We met up in the public space of Canada's National Arts Center in
Ottawa following a Digital Governance Council meeting where
(04:10):
we were planning for an upcoming G7 summit hosted by Canada.
It was a great space for what I hope you'll find to be a
fascinating and occasionally in the weeds discussion of digital
identity and government today.
Here's my conversation with Tim Bouma.
Tim Bouma (04:26):
My name is Tim Bouma.
I am a special advisor with the Digital Governance Council.
It's a not-for-profit organization here in Canada.
It focuses on developing standards and is actually
developing conformity assessment programs.
I'm actually a public servant.
I've actually been on what's called an interchange program
(04:47):
where the government of Canada lent me out, if you will, or
assigned me to work on the outside of government.
And so I'm in this very unique role.
It's almost like a liminal space where I'm in between the public
sector and in the not-for-profit, but have quite a
bit of exposure to the private sector as well.
I joined the public service mid-career.
(05:08):
Before that I was in the software industry and actually
the management consulting industry.
So I fell into the area of what was then called identity
management, which is evolved to digital identity, which is now
sometimes called self-sovereign identity.
Different labels. When I joined the federal government, they
recognized the work I had done on identity management and I
(05:31):
ended up at Treasury Board Secretariat, which is a central
agency of the Government of Canada, and actually developed
all of the digital identity policy like from ground zero.
This is going back more than 15, 15 years longer than that, maybe
almost 20.
And then logically following from that.
I did a lot of work with the provinces and territories and
(05:51):
worked on what we call the Pan-Canadian Trust Framework.
As most Canadians know, would know, maybe not outside of
Canada where Canada's a federation, where there's very
autonomous provinces and territories, indigenous
communities.
And so we always have a challenge of developing policies
and approaches that respect the sovereignty of the provinces and
(06:12):
the territories, and respect the differences across the country.
And I was in the middle of that, of developing an approach, if
you will, or a framework that would enable the federal
government to take advantage of the capabilities of the
provinces and territories.
So I did that work and then the pandemic hit lots of changes and
that decided I wanted to make a change.
(06:32):
And then the opportunity came up where I could go on interchange
to the Digital Governance Council, which again, it's a
not-for-profit.
And I actually work on national standards and conformity
assessment programs.
My specialty, my proclivity is around digital identity, but
I've also done work on electronic transferable records
setting up a conformity assessment program.
(06:52):
And then, I pursue passions on the side.
I've been focused on some projects on decentralized
identity or decentralized protocols.
Being an engineer in my training I like to build stuff and kind
of learn you, learn from practical experience and been
involved in some interesting projects there off the books, so
to speak.
Paul Bellows (07:13):
Absolutely.
I.
Yeah so you have a little bit of experience in this space.
No, I love it, Tim.
And as a funny little anecdote, the way you first came into my
sphere of people I was aware of I was talking with someone who's
a shared friend of ours, I think Ashley Casovan.
Tim Bouma (07:26):
Oh, yes, yes.
Paul Bellows (07:27):
And she was a
guest on our first season of the
podcast with an AI perspective.
And I was talking with her afterwards.
I said, look, I wanna know who's the guru at Government of Canada
about digital identity, who really knows what they're
talking about.
She said you just gotta talk to Tim Bouma.
And so I've been watching you.
And then we ended up together on the Digital Governance Council
and actually got to meet, and that's how we ended up in our
conversation here today.
So I appreciate your time and thank you, by the way, just for
(07:48):
anyone who's listening.
We're in the lobby of the National Arts Center of Canada,
and it is a gorgeous building.
And if you hear anyone wandering by it's because it's a very
popular destination too.
But we've got a, we've got a wonderful spot here, so thanks
for suggesting the location celebrating Canada's long
history of the arts as well as digital progress.
Tim Bouma (08:04):
Yeah.
They like to call this the living room of the nation.
So if you ever come to Ottawa and you need a wifi landing
spot, come to the National Arts Center.
Paul Bellows (08:11):
There you go.
It will now be on my list of places I can camp when I'm
traveling and working not just coffee shops.
So Tim, I wanna kinda go back a little bit here.
'Cause I think identity management is a space where
there's just, there is so much information and it's just such a
wide space that as we get into public service and digital
identity, it, it is really different from what you might
see in a retailer or a commercial context.
(08:32):
The problems to solve are just different problems.
So I wanna dive in a little and make sure the audience for the
podcast really gets into the depth of why this is a
challenging space and why it's more complex than what we call
single sign-on, or just giving people access to systems.
And so do you have a working definition with a public sector
lens of what digital identity management is?
Tim Bouma (08:54):
Yeah, we defined it
in the policy just I don't have
the definitions verbatim in my mind, but with the Treasury
Board policy we came up we had, a definition for identity.
And the definition we had for identity was a reference or
designation that for a unique individual, we didn't define it
in terms of attributes.
It's basically I need a reference to you and how that
(09:15):
gets implemented as an ID number or a set of attributes or
whatever.
We would leave that to the implementation.
And then as we evolved the policy suite we introduced the
concept of a trusted digital identity.
And the idea there was it was an identity that could be accepted
for the purposes of providing services on behalf of the
Government of Canada.
(09:35):
And again, I don't remember the exact definition, but the key
thing is that we did all that definitional work, all that
policy work.
And we codified that and then we brought that into a national
standard with the Digital Governance Council, like an
accredited national standard.
So if you go to the Digital Governance Council site, you can
(09:56):
find all the standards and you'll find all the definitions
there.
We have definitions for credentials, credential
verification, identity verification.
We came up with very precise definitions because when you're
called on to interpret policy you're almost like a lawyer
where you have to, decisions hang off these definitions.
So you have to be pretty,
I always say, precisely vague. You wanna have a definition that
(10:18):
has enough cogency around it, but it actually gives you enough
latitude to account for the different types of
implementation.
I dunno if that answers your question.
Paul Bellows (10:25):
It starts to for
sure.
And I think say, starts to, 'cause it is a large and
sprawling space.
Tim Bouma (10:29):
Yeah.
Paul Bellows (10:30):
And it's a lot of
new concepts.
The concept of trust itself.
Do I trust so you said, government needs a way to
interact with an individual, a person, as defined under the law
what is a person.
And we need to be able to interact around communication,
around services.
So it's essential for everything that government's trying to do
digitally.
Why is the word trust important in that definition?
Tim Bouma (10:50):
So the precursor to
trust was assurance, and we
formally defined that way back in 2012 with a guideline on
defining authentication requirements.
This is in the very early days of the identity management
policies.
The definition that we had for assurance was a level of
confidence that something was genuine and genuine or true.
(11:13):
And then we developed like what we call an assurance level
assessment tool.
And we took the idea that,
what's the impact when something goes wrong, what's the level of
impact?
And we made it very clear that this was different than a risk
assessment where you have, a likelihood times level of
impact.
(11:34):
We said just assume likelihood is one.
If you're in the business of providing service to a Canadian
providing service, you will fail, period.
Okay?
So we want to know, your service, if your service fails
what's the impact on the individual?
And then we came up with four levels.
And again, I, it's been a while, but, level one was, yeah,
(11:56):
whatever, it's not a big deal.
Level two is oh, inconvenience it's, annoying.
Level three is it's a pretty serious situation.
Then level four, it could be irreversible damage.
So we just came up with that gradation.
So always the question was that, if you're providing a service,
like issuing a passport, for example, likely falls into level
three because if you give it to the wrong person, it could be
(12:17):
very serious consequences.
Didn't really get into too many level four scenarios.
I think one of them
that we talked about, was witness protection, for example.
But the majority would fit into level two or level three.
So we formalized that as assurance levels and had an
assurance level regime to actually categorize the service.
Paul Bellows (12:37):
I think it's
really useful, and I love just
the principle of, with internet security, it's never if it's
when or
Tim Bouma (12:42):
Yeah.
Paul Bellows (12:42):
When it has
already happened more often.
Tim Bouma (12:44):
Yeah.
Paul Bellows (12:44):
We usually
discover these things after the
fact.
And then yeah, like having a classification framework to talk
about, what is the nature of this service?
What is the potential risk that could happen?
So you understand what actions or what posture to take towards
that service.
Tim Bouma (12:55):
Yeah.
Paul Bellows (12:55):
Yeah.
Okay.
That's really helpful.
I like that.
So a classification scenario is essential.
Trust framework being, do people believe that you've taken the
appropriate actions?
And that the, does this appear to me as a citizen, can I trust
this service?
Tim Bouma (13:09):
So trust is related
to assurance and, this is where
we introduce the concept of a trusted digital identity and the
idea from the federal point of view, is that we're willing to
accept a digital identity from another provider, namely a
province or a territory.
And what do we need to, what do we need to do to accept it
as our own, if you will?
(13:29):
And then we put together with the Pan-Canadian Trust
Framework, we put together a whole assessment framework that
would look at a program top to bottom.
What's your identity proofing practices?
How do you define identity?
What's your identity information, how do you do authentication?
We came up with, I think in total about 400 criteria that we
would analyze.
It would take months and months, a better part of a year to
(13:50):
assess a program.
So when we did Alberta and BC it literally took months to go
through.
At the end of the day you can't fail and trust is paramount,
especially for public institutions.
So you have to do all that due diligence upfront.
You just can't say we, we failed.
We didn't, didn't take this into account and too bad, so sad.
(14:10):
In the private sector, typically you can just fix that with
through financial remedies.
You can't do that in the public sector institutions.
We always erred on the side of super due diligence and ensuring
that, that we always maintain the trust of Canadians.
Some might criticize, oh, you're going too slow or whatever, but
that's the fact of life.
Paul Bellows (14:29):
You gotta go slow
and whoops is a nuclear event.
Tim Bouma (14:32):
Yeah.
Paul Bellows (14:32):
No, absolutely.
Tim Bouma (14:32):
Yeah.
Paul Bellows (14:33):
So in Canada, with
the fact that we are a
federation and so much is managed at a provincial level,
but there's such a strong relationship to the federal
level, Canada's an interesting lens for other jurisdictions who
are looking at this to say, there is often this federated,
like federation being a political concept or an
organization concept, but also a technology concept of federated
technology where we bring together multiple systems into
(14:54):
common technologies.
So I think Canada provides a really interesting lens for
other jurisdictions and why this identity management thing is
hard.
Tim Bouma (15:01):
Yeah.
Paul Bellows (15:02):
So Alberta and BC
are, I think, two, the early
movers in digital identity here in the country.
Both have done different things, but I know they're looking at
each other right now and learning from each other.
Right now there's a lot of information sharing happening.
Where do you see practices emerging here in Canada that you
think are promising?
Tim Bouma (15:20):
Practices emerging in
Canada that are promising?
So we sit in between the American approach and the
European approach.
The American approach is market driven, Wild West.
Okay.
Paul Bellows (15:36):
Plus their REAL ID
measures where they've brought
in a level of like biometric authentication and an ID level,
et cetera.
Tim Bouma (15:41):
Yeah.
Paul Bellows (15:42):
They have that
piece.
It's still pretty new.
Tim Bouma (15:44):
Yeah.
They have the federal, like the REAL ID Act.
There's really no coordinated strategy in the US, but it's
very technologically driven.
Very, state by state.
It's it's different.
And like the vendors like Google and Apple are very active in
that.
Paul Bellows (15:59):
Absolutely.
Tim Bouma (16:01):
Your European
approach is much more top down,
like they have the digital identity legislation, eIDAS
version 2.0.
They've come up with a whole bunch of implementing acts,
they're trying to legislate before implementation, so it's
okay that approach might work.
We sit in the middle where I'd say we are taking a grassroots
(16:21):
market driven approach, but we're very quietly putting in a
policy framework that actually supports like a Pan-Canadian
approach and just keeping it on under the radar screen and just
quietly developing standards.
For example, the national standard that we developed, the
Digital Governance Council, we took all the federal work and
literally took the old wine and poured it into a new wineskin.
But it's all the materials verbatim.
(16:43):
And then letting the rest of the world see this and see if it
applies in their context.
A lot of the original work, what we did a number of years back
was publish it directly on GitHub.
So it was totally available.
And it's quite often people know of me because of the work that
I've done and the work that I posted publicly, and it's oh,
okay.
That's really interesting.
So a lot of people are paying attention.
(17:04):
It's like an open source approach.
Working out in the open, having people see it.
And yeah, just moving forward, like just very carefully and
very incrementally.
Paul Bellows (17:13):
Yeah.
It is one of those hallmarks of government digital work, which
is, unlike commercial spaces, we don't exist with competition.
What works for Canada may work for someone else, but there's no
advantage to Canada keeping that closed or confidential.
Tim Bouma (17:25):
Yeah.
Paul Bellows (17:26):
So open.
If someone can improve it, if someone can benefit from it,
there's no threats to Canada from that.
Tim Bouma (17:30):
Yeah.
Paul Bellows (17:31):
And in fact,
keeping it open, we'll probably
expose it to the threats that we want it to be exposed to.
To make sure it is mature technology, mature ideas.
Tim Bouma (17:37):
Yeah.
Paul Bellows (17:37):
So I know BC has
done their Trust over IP
framework.
Alberta started with a more of a commercially driven digital
identity platform, the ForgeRock platform there that is now
evolving to bring more open source in, but I think one of
the things with identity management is I don't think for
government there is an off the shelf solution really ready.
Tim Bouma (17:55):
So one of the
observations is that actually
the technology figures very little into the equation.
Alberta had a traditional SAML,
Security Assertion Markup Language, ForgeRock solution.
BC so it wasn't Trust over IP, that's a foundation.
But they had the BC Services Card and they developed like
their own app.
They developed their own services.
(18:16):
They used some of the newer protocols like OpenID Connect.
But the way that we developed the trust framework, it was
technology agnostic.
We said, we want to accept a trusted digital identity.
What we expect from the provinces is a unique identifier
that resolves to one and only one individual.
We want a few attributes, namely the name, the date of birth, and
(18:38):
maybe a few other attributes.
And we wanna make sure that when that stuff comes across the
wire, it's correct.
As for the province and we know it's actually that individual
that's at the other end of the line.
And then the technologies could be wildly different.
Alberta was more of a traditional legacy system and BC
(18:58):
were using later more modern protocols, if you will, and they
had an app.
But at the end of the day when that trusted digital identity
came across the wire, we had the assurance that it was actually
coming from the right place and it actually mapped to the right
person.
So the technology piece was actually pretty small.
Paul Bellows (19:13):
That's really
helpful to hear, I think.
'Cause I think people get so wrapped up in what system do we
use, how do we buy it, how do we install it?
But it really is the broad practice and almost the
philosophy of identity management.
And I love that you start to look at who are the actors in
this space.
You come down to who issues identity, right?
Tim Bouma (19:29):
Yeah.
Paul Bellows (19:29):
It's like a
driver's license is an identity,
a passport is an identity.
One of those is issued by a province here in Canada or a
state in the US or a jurisdiction.
But a passport's issued by the federal government.
So both of those are identity issuers and then they be,
there'd be some sort of a digital credential connected to
that can push up to the internet layer to authenticate you into
systems.
Tim Bouma (19:50):
I also maintain that
like identity actually exists
outside of the system.
And what's inside of the system are identifiers and attributes
and just to make some like distinctions like that.
So like we would make very clear like passport's, not an identity
document.
It has identity, but it's a travel document.
A driver's license is a driver's license.
(20:10):
And that's where we had the notion of a trusted digital
identity.
It wasn't associated with a particular document issuance.
In fact, with the provincial programs, usually what happens
at their digital identity program evolves is an umbrella
program over other agencies that are carrying out functions like
registration, like Alberta has like the registration agencies,
(20:32):
and then there's health BC and so on and so forth.
And they get coordinated in providing that digital identity,
as you said, like the issuer.
That's one of the key things, and from the federal standpoint,
we wanted to make sure it was at the provincial level, at the top
level.
You're the one providing it to us, like it's not coming from
your driver's licensing agency or your health agency or
(20:52):
whatever.
You have to figure out how to coordinate that internally to
provide that as a whole to the federal government so that those
were some of the concepts.
So when we negotiated the agreements between the federal
government and the provinces was at that time Her Majesty in
right of Canada with Her Majesty in right of Alberta, for
example.
And we just made it very clear that we wanted to have
(21:13):
everything at the top level.
Paul Bellows (21:14):
Absolutely.
Tim Bouma (21:15):
Yeah.
Paul Bellows (21:15):
That's helpful
too.
There, there's a concept that comes slightly outta sci-fi.
Tim Bouma (21:19):
Yeah.
Paul Bellows (21:19):
But I think it's a
useful metaphor for no model is
perfect, but some are useful.
Tim Bouma (21:23):
Yeah.
Paul Bellows (21:23):
So it, it's useful
for photography, the concept of
a digital twin.
You know that there's me living in meat space,
Tim Bouma (21:28):
Yeah.
Paul Bellows (21:29):
The person I am.
But then at the internet level, there's everything, the internet
knows about me.
There's everything the government the different systems
know about me.
Which forms sort of a twin of me in this space.
And, part of the work of digital identity is trying to find where
are the edges of that person, that digital version of me and
all the systems I interact with such that we can say, yeah
that's Paul, that this entity digitally.
(21:50):
So I know that's an abstract concept, but as you think about,
the work of identity management, what the federal government's
trying to do, do you think there's a place for that concept
in terms of just how you actually look at the citizen and
how you understand.
I guess the reason I bring it up is people are afraid of the
government knowing too much about them.
Tim Bouma (22:07):
Yeah.
I'm lukewarm on that concept.
I think it's good for as I understand digital twins, like
if you're modeling a building or modeling a piece, an asset or
whatever's out in the real world, and you have the
corresponding asset digitally rendered in a system, you can
actually use that to predict behavior and that, I'm not so
sure that's an appropriate term for people.
(22:28):
My, my idea is that I need to know that I'm actually talking
to you or communicating with you and that the intentions you're
communicating are your intentions.
They haven't been like surveilled, they haven't been
adjusted or whatever but I just know that I'm dealing with you
(22:49):
in the moment.
And so I look at it from that point of view of simplified
trust frameworks of actually having two layers.
There's what I call the instrumental layer, which is all
the technology, all the cool stuff that, that wires
everything together.
And then there's what I call the intentional layer is making sure
that those intentions are conveyed truly and at the
(23:11):
highest fidelity possible.
So digital twin might figure in there somehow, but I don't
really see that as a concept that I would pursue,
vociferously in relation to people.
Paul Bellows (23:22):
I actually bring
it up 'cause I think it's almost
a dark pattern in from a public service lens, 'cause I also live
in a world of digital where, there are people that do
marketing and there's retail.
They very much want to know who am I as Paul, what are my
preferences?
Do I have children?
They wanna know a lot about me.
Tim Bouma (23:36):
Yeah.
Paul Bellows (23:36):
And I think a lot
of the concepts of marketing
that are around personalization or, tuning content.
I think those are actually really dark patterns in
government, who wants the government to know that much
about them?
That's not the purpose of my relationship with the
government.
It is very transactional when I need it.
I want you, and I need you, I need to issue a birth
certificate.
I need to, get something done to my house and I need a building
(23:57):
permit.
I need to get a travel document 'cause I'm leaving the country.
And then I really want your knowledge of me to stop.
So I think it's almost refreshing that you had a
negative reaction to that.
Tim Bouma (24:06):
Yeah.
Paul Bellows (24:06):
As someone sits in
the digital identity space.
Tim Bouma (24:08):
So like privacy and
collection authorities are taken
very seriously at the federal government level.
And if you're only mandated to collect a certain amount of
information, that's it.
And there's what's, what are called privacy impacts.
They err to the side of collecting as little as possible
about you.
And some might argue that well know that's a bad thing.
(24:28):
But then on the other side of the spectrum, you've got other
organizations that know everything about you and they
feed you ads that you wouldn't dream of seeing.
But then when you see them go, Hey that's really interesting.
As I said, we always zeroed in on the absolute minimal
information that we needed to actually make sure that we're
dealing with you, period.
Full stop.
(24:49):
And it's actually collected within the appropriate
authorities of the program.
That's that again, it's easy to.
You have to be really careful if you overstep your authorities,
over collect information because then you could be like a sitting
duck if that information gets compromised and it could just
make the problem like a thousand times worse.
Paul Bellows (25:08):
It takes all those
classifications and it raises
the level of all of them.
The more you have, the more risk you're creating.
Tim Bouma (25:14):
Yeah.
Like I view, every piece of personal information you collect
is a liability period.
Paul Bellows (25:18):
It's a great
mindset.
Tim Bouma (25:19):
Yeah.
Yeah.
Just it's a liability.
Paul Bellows (25:21):
So from where you
sit here, representing Canada in
this conversation, looking at other jurisdictions, we talked a
little bit about the US who have really, I think, taken a bit of
a hands-off approach to this whole thing.
There isn't really a strong, either on the privacy side or
the identity management side, a strong push in any federal
jurisdiction in the states.
But I know some other countries have done really well at this
and have boasted great outcomes.
(25:42):
I think the longtime hero was Estonia, who have their program,
the mythological kind of early mover in that space.
But I think a lot of other jurisdictions have really
eclipsed what or at least caught up with, or maybe in, in certain
contexts eclipsed.
Who's doing well globally in your perspective?
Tim Bouma (25:56):
The thing is that
every, everything is appropriate
within their context.
So it's really hard, like the one big lesson that I've learned
is that you can't compare one country to another.
'Cause you have no idea the socioeconomic or the
institutional context.
You don't, you have no idea of the challenges or the
opportunities that they're facing.
Like Estonia is great because, the, I guess that was in the
(26:17):
late eighties, early nineties the Soviet Union basically
bugged out completely and left a veritable greenfield for them to
develop something right from ground zero.
And they took advantage of that.
There were some very, visionary folks and they built a system
like, and a lot of times, like small jurisdictions can be very
nimble.
I think like Ottawa has more hospitals than Estonia, for
(26:39):
example.
It's a very small jurisdiction not to take away from what
they're doing, but when you have a smaller population, you can
really move quickly.
You don't have a lot of the machinery and baggage of
institutions that we have here.
And there's a bit of a different mindset too a lot of the
continental European countries are quite comfortable with
centralized systems and comfortable with civil law,
(27:01):
Napoleonic code kind of thing.
And whereas when you're dealing with commonwealth countries like
Canada and the US it's very much more decentralized.
And so they're not very trusting of centralized authorities.
I'd say that's pretty much the case in the US, in Canada, but a
little less.
You were in India recently.
Yep.
Paul Bellows (27:19):
And India has done
some things that I was really
shocked by.
I had no idea how far they've moved on payment, on identity,
on centralized services.
Having not been to the country, having not seen it on the
ground, I'm reading their information on it and everyone's
proud of what they've done.
Do you get to experience any of that while you were on the
ground there?
Tim Bouma (27:34):
Yeah.
Like first of all, it's a country of 1.4 billion people.
The city of Delhi is some more population than Canada or Delhi
in the outlying region.
It's a huge population compared to four 40 million versus 1.4
billion.
They have the Aadhaar program, which is a centralized program.
Everybody gets an Aadhaar number, and again I don't know all the
details.
I saw like examples of the universal payment system as
(27:57):
well, the UPI and what can I say?
Some countries are quite happy to rule ahead on identity
systems and the citizens just basically have faith in it and
they're quite happy to, happy to abide by what the federal
government's doing.
It's interesting in India you could see that there's how could
I describe it?
Some tendencies, like authoritarian tendencies, which
(28:21):
just, wouldn't go over in Canada, present your passport at
this point.
And foreigners pay this amount and domestic people pay this
amount.
That's really interesting.
Different pricing.
When you go to a touristattraction, you the foreigners
pay three, five times as muchversus what the domestic person
would pay.
And that's okay, but I'm justnot quite used to being, being
(28:41):
differentiated on stuff likethat.
It's different values and yeah Ireally can't comment beyond
that.
And again, I have to respectwhat they've done.
It probably wouldn't work in theCanadian context, but that's
what they've done.
Paul Bellows (28:52):
Yeah.
I, culture is as important in as
Tim Bouma (28:54):
Yeah,
Paul Bellows (28:54):
this is and,
social norms is as important in
this is the technology impact far outstrips the value, the
importance of the technology itself.
But with that, it's impossible to not be aware of
cryptocurrency, which of course comes from a, like a blockchain
or a decentralized model.
I know that's important in your thinking in some of the, the
early pioneering work you're doing in this space as you said,
(29:15):
on your own time.
So as you look at, decentralized identity management,
decentralized, whether it's a ledger was what.
How does this concept of decentralization, which is much
more akin to how the internet works
Tim Bouma (29:28):
Yeah.
Paul Bellows (29:28):
And the
architecture of the internet.
How do you think that plays into the identity space and what
people have been traditionally doing?
Tim Bouma (29:33):
You look at the
internet today, it's just a
given, right.
And it works between friends and enemies.
Period.
And of course you do have firewalls, you do have
partitioning in that, but it's just a capability.
Again, going to India, you go to a hotel or whatever, the first
thing you do is you get on a wifi.
You have mobile data everywhere.
It's a capability that's there, period.
Full stop.
And I can communicate as easily in India as I could in my house.
(29:58):
And so it's just ubiquitous and, the internet or the IP protocols
reasonably decentralized.
Of course there's some central points of control, but it
actually just.
It's designed to route around like adversarial points and that
and that I would say identity management systems they've had
their original genesis and like centralized administrative
(30:21):
systems, and that's how a lot of like identity management systems
evolved.
Like either for like social benefits registration systems or
vital statistics registration systems.
But now you're starting to see protocols kinda what the
internet was 30 years ago that are starting to emerge with some
new I don't wanna get too geeky here.
(30:43):
Some new cryptographic.
Paul Bellows (30:44):
This is the place
for it though.
Tim Bouma (30:45):
Cryptographic
primitives like the Bitcoin
blockchain.
Like what what was introduced like in 2009 by Satoshi
developed a system that just basically operated on
incentives.
They completely externalized the notion of identity outside of
the system with hashed public keys.
And it was an entirely new architecture and this system has
(31:07):
been running for 16, 17 years and nobody's taking it down.
It just like, and I last heard, I think it's the fifth most
valuable asset class right now.
In terms of US dollars, I think it's 1.8 trillion in value now.
Paul Bellows (31:21):
Wow.
Tim Bouma (31:22):
And that's a system
that just, it just works.
So if anything, when that really took off then that put a lot of
new interest and energy in cryptography.
And what might the new architectures, be there, there
was, I would say, for the better part of a decade, a lot of
blockchain initiatives private blockchains, public blockchains
with varying degrees of success.
(31:43):
I think ultimately the use case for blockchain was basically
Bitcoin and that's the only one that seems to have succeeded.
Other ones can just be done with like databases and some of the
permission blockchains are not much better than just having a
database to begin with.
But coming outta that, some new concepts of identity or public
(32:04):
private key pairs and, and a lot of experimentation on what might
be some of the new decentralized protocols to maybe not replicate
what Satoshi did with Bitcoin, but at least augment on that.
It's caused a whole wholesale rethink on what currency is,
(32:24):
monetary theory.
And now I'm starting to see that there may be some emergent
capabilities that, governments or commercial entities just
won't be able to stop.
And that's what I've been actively looking at to see what
(32:44):
protocols might actually succeed and what protocols might
actually exist despite government.
I think a good way to describe it is that there's if a fifth
realm emerging, you have like land, sea, space and air, and
now you have cyberspace as well.
And we have to figure out how to deal with that fifth realm and
(33:05):
yeah.
It's a monumental challenge.
Paul Bellows (33:07):
It's huge.
Tim Bouma (33:07):
Yeah.
Paul Bellows (33:08):
So do you think as
digital identity continues so
Bitcoin itself specifically as an implementation of blockchain
technology?
Tim Bouma (33:15):
Yeah.
Paul Bellows (33:16):
Bitcoin still is
an application that runs on top
of the internet layer on specific machines, versus the
internet, which is, like a website runs on a specific
machine and is distributed, Bitcoin runs, on an aggregated
install base like SETI, the early days SETI, and some of
these applications.
But then there's the idea of internet protocols themself,
which are the most abstracted and the most distributed.
(33:38):
Is there a missing protocol on the internet for identity?
'cause the internet starts as a fundamentally anonymous
environment outside of IP addresses and specific computers
that connect to the internet.
The concept of identity isn't really contemplated in the
architecture of the modern web yet.
Tim Bouma (33:53):
Yeah.
Paul Bellows (33:53):
Is it going that
direction or is it still gonna
be more like an application that we run?
Tim Bouma (33:57):
So the success of the
internet.
Was the concept of like segmented network addresses.
And again, not to get too technical, like the routing
protocols, like border gateway protocols.
So the idea is that you could have a mini networks, but at the
end it just looks like one network.
(34:18):
And then you have things like, network address translations, so
on and so forth.
So when I communicate from here at the National Arts Center to
somewhere else in the world.
There's a sub network here or local network here.
And the data gets magically translated with the addresses
and that, and finally it gets to the other point of the world
that's going to another local network, but it just looks like
1 single network.
(34:38):
My view, like one of the genius protocols was the border gateway
protocol, that enabled the the internet to look like a unified
whole.
Keep in mind, 30 years ago when the internet started to take
off, everybody started to create their own corporate intranets,
and it's look at my intranet.
It's better than the internet.
I have more resources and I've got my firewalls and only my
(35:00):
friends and friends can get in or my employees, but that's all
kind of melted away now.
So you don't think about boundaries anymore.
It's just a unified whole.
And so I think eventually identity will get there.
Of course the key technology is the, public key cryptography,
not PKI.
PKI is basically public key infrastructure that's built on
(35:21):
public key.
PKI has the idea of certificate authorities and that, and
there's been like a, an infrastructure or set of
services that have been built up over the past 30, 30 years or
so.
Paul Bellows (35:31):
So like SSL where
someone re releases you a key,
you have a certificate, there's a signing authority.
Tim Bouma (35:36):
Yeah.
That, yeah.
You have to get a certificate authority in that.
And you have to, the browser vendors have these root programs
to say who are the good certificate authorities.
I think what I'm witnessing now is, there's a way to decompose
those certificate authorities into public private key pairs,
and then have those things actually sign whatever the heck
they want.
(35:57):
You can actually self generate these public private keys
yourself.
You don't have to rely on a certificate authority.
So I'm starting to see that certificate authority model That
worked really well.
They took the, 19th, 20th century concepts like
certificates, actually going back further probably to
medieval times and actually put the new technology on it.
(36:20):
But now I am seeing where you can go beyond that.
You can actually decouple those certificate authorities into
like public, private key pairs that can sign anything.
Maybe I'm being a vague here, but I'm just seeing, now you can
blow apart that whole certificate authority structure.
You don't actually have to worry about someone making a trust
(36:41):
decision on your behalf and then having them use that as an
authority over you.
You can generate your own public private keys.
You can decide which ones to trust.
You can build your own network.
And, governments could build their own network.
People can build their own network.
Businesses can build their own network.
And there's no way for one actor to push their agenda over
(37:05):
another actor.
I've been spending a lot of thinking time around that.
There was a key advance about 10 years ago what was called the
issuer holder verifier model with self-sovereign identity.
A lot of excitement around that and a lot of key advances.
A lot of, the idea of verifiable credentials came on the scene.
But when you start looking at that stuff very closely, I
(37:28):
started to see problems with that a couple years ago, get
some weird feelings that maybe something wasn't quite right.
You could build out an infrastructure.
But then what I started to see was that it seemed to accord
special rights to the issuers and the verifiers, and left the
holders holding the bag.
And then, the issuers, naming certificate authorities or
(37:48):
organizations or governments realized that, this
technological approach actually helps them maintain their
position of privilege.
And then it's oh yeah, we're all in because this is just gonna
maintain the status quo.
And the verifier say, yeah, it we're all in because then we can
be gatekeepers and it's maybe that's not right.
So where a lot of my thinking is now is that are there new
(38:10):
protocols or is there a way to recompose a problem that I as an
individual have no advantage over you?
Or a government organization or a government or a state has no
technological advantage over the individual.
Where the advantage comes is an institutional advantage.
People trust you or whatever, but, and you take away that
(38:31):
technology advantage.
So that's where I'm putting a lot of thinking to have is there
an architecture, is there a protocol that completely levels
the playing field for everyone?
Paul Bellows (38:43):
So maybe to bring
you to a metaphor, which is my
unfortunate tendency, like we've got an old world where you've
got say a royal seal, which might be, or like a corporate
seal is like.
Someone has authority, by that authority they manufacture some
device that they stamp documents with,
Tim Bouma (38:56):
yeah.
Paul Bellows (38:56):
That gets
credentialized the scarcity of
that device.
Tim Bouma (38:58):
Yeah.
Paul Bellows (38:58):
To bestow.
But what you're talking about is something more like a handshake
where two people are equals we create a handshake.
We've met, we've established our identity together.
We've struck a deal or we struck, but it's really the
presence of two people.
And there's no.
The authority has to be earned back or bestowed by some other
external agency that the protocol itself, the technology
itself is fully democratized in that sense.
Tim Bouma (39:20):
Absolutely.
Yeah.
That's a great analogy.
That handshake has as much authority as that royal seal,
where the difference is the authority that's vested in the
agents using those the technology doesn't give the
advantage.
Paul Bellows (39:35):
Yeah.
Tim Bouma (39:35):
That's the key thing.
It's about the individuals.
And that's where I'm spending a lot of time thinking about what
that might look like.
Paul Bellows (39:43):
If you take a
power theory view of this all,
it really eliminates the power from the institution.
It puts the power back into the individual's hand.
Tim Bouma (39:50):
Absolutely.
One of my arguments is that issuer holder verifier model
actually amplifies the power imbalance.
And.
The ones that are on the good side of that power imbalance,
just basically say, we're not gonna say anything because,
we're gonna say it's gonna give more power to the individual.
It's gonna make things more convenient, but at the end of
the day, they're the ones that are the gatekeepers in that.
And not necessarily a bad thing, but inappropriate advantages
(40:13):
usually end badly over the long run.
Paul Bellows (40:16):
I think that
describes a lot of our world
right now.
Tim Bouma (40:18):
Yeah.
Paul Bellows (40:18):
You showed me
something yesterday that I was,
I just blew my mind, which is some of the technology you've
been working on.
And I know this is still early stages and it's still in, in
your private world here.
Yeah.
But I know you probably won't want to share some of this, but
you should be just an interface where, you know, between two of
us just with having a phone and being a human, you could send,
your, your made up currency, it's, all currency is made up.
(40:40):
Yeah.
It's just, some of it is actually accepted by the
government.
Can you talk just a little bit about what you're hoping to
achieve with that?
'cause this is, I think, a really good example of what
might be possible based on this new architecture, this new
model.
Tim Bouma (40:51):
Yeah.
So what I was showing you is actually real money.
It's actually backed by Bitcoin.
So as I said, it's only a matter of time before, like Bitcoin
becomes a reserve currency.
It's an asset.
I think we said earlier it's 1.8 trillion.
A lot of the financial companies are getting into it and
investing like crazy.
So it's something that you'll be able to trade across the world,
(41:13):
across boundaries, and then.
The nice thing is that unlike gold is something you can
transmit across the world at at speed of light.
And then, so you have the Bitcoin blockchain, you have a
lightning, which is a way of opening channels to shuffle
value back and forth.
And then I've been experimenting with another technology on top
of that, which is Chaumian ecash, which was literally
(41:35):
invented in the late eighties, early nineties.
And the cryptography is well understood.
Where it really failed was that it still needed a centralized
clearing house, namely a bank to enforce the double spends in
that.
But now you can all do that with with a Bitcoin and lightning.
And so now you have this settlement and clearing network
that's global.
It works without banks and works without government.
(41:56):
So I've quietly been building a wallet system on top of that.
And there's some newer decentralized protocols.
There's one called Nostr, which stands for notes and other
stuff, transmitted by relays that's taken the Bitcoin
architecture and applied it to the first use case of social
media.
And basically there's what are called events and they get
(42:17):
signed cryptographically, and then they get relayed.
By relays similar to Bitcoin relays and the architecture I
won't get into all the detail here, but it's very versatile
because at its root, everything is cryptographically signed and
every event is self validating.
Every event can exist independently.
So I've actually taken that architecture of the and the
(42:37):
Nostr relays, and I actually built a component that.
Can live out there in the network, independent of
applications and actually independent of devices.
So I was spending a lot of time thinking about what a new
capability might look like.
And as I said I'm trying to make something that no one entity can
shut down, governments included.
(42:58):
And people may say, oh, that's really bad.
But the fact of life is that if it can be engineered, it can be
built, it will be built.
So I might as well just figure it out and then show to the
policy makers, myself included, what's, how are you gonna deal
with this?
How are you gonna deal with the internet?
Like the first reaction was to shut it down.
And now it's just part of everyday life.
I see a day when anyone will be able to transact directly with
(43:20):
one another.
And I'm really focused on building a capability that
empowers anyone.
And I've really boiled it down to the concept is that what
everybody wants is mobility.
They want to have physical mobility.
They want have social mobility.
They want to have economic mobility.
Mobility is actually a term that if you look at our charter and
(43:42):
rights and freedoms, there's a concept of mobility rights that
you can move anywhere within Canada.
You have the right to work anywhere in Canada.
You have the right to enter and exit Canada.
It's just basically in the charter rights.
I'm looking at a capability that maximizes my mobility or my
digital mobility and enabling that capability where nobody
(44:02):
gets in between.
Paul Bellows (44:03):
I love that you
brought up earlier the idea of
the fifth realm, of cyber being the fifth realm, because this
really speaks to, the metaphors and the imagination that got us
solutions from a terrestrial, lens just simply don't apply.
You just start to have cyber native.
Tim Bouma (44:18):
Yeah.
Paul Bellows (44:18):
Mindsets here.
I love it.
Now, Tim, Hey, I just wanna say thanks for your time today here.
This has been just fascinating for someone with your
perspective in the many years you've spent in this space just
getting your experience.
I think this could be really helpful for people that are on
the, in the earlier stages of confronting this stuff.
And hopefully this is useful for our folks in understanding where
identity is going.
So thanks for your time.
Tim Bouma (44:38):
Yeah.
Hopefully.
I made sense.
Paul Bellows (44:41):
It doesn't always
make sense.
Tim Bouma (44:43):
Yeah.
Paul Bellows (44:43):
But I think you're
in the space of the liminal
space of, the bleeding edges of all of this,
Tim Bouma (44:47):
yeah.
Paul Bellows (44:47):
And I think we
need to confront that too.
'cause we're not done, in this move towards digital identity.
Tim Bouma (44:53):
No I feel like the
work that I'm doing it literally
feels like 1992 and, I'm just seeing, I remember back then the
early days of the internet I was involved there and I just feel
like it's the same right now.
And I just wanna be part of that new wave.
Paul Bellows (45:09):
Absolutely.
Let's bring it on.
Thanks so much for joining us for this conversation.
Tim is a unique expert in the field of digital identity, and
it was great to get his perspective in this space.
Some of the points I want to underline include: Canada's work
on digital identity through the Pan-Canadian Trust Framework is
(45:30):
now openly available as standards published by the
Digital Governance Council.
You can find that on their website, dgc-cgn.ca.
Trust is essential for digital government initiatives and
identity management.
Along with the pair, practices of privacy and security are
essential for getting digital government right.
(45:52):
Government organizations need to learn to classify their data in
order to develop a mature digital identity practice.
We've got an upcoming podcast scheduled with an expert in data
classification, so watch for that one coming later this
season.
For government, digital identity management is more about
process, culture and governance than the technology itself.
(46:12):
There are also many stakeholders.
This space is complex.
The internet itself was designed with a certain anonymity built
in.
There is actually a missing identity layer, and that's why
digital identity management is still so challenging.
The future of digital identity may lie in decentralized
systems, much like cryptocurrency, blockchain, and
(46:35):
Bitcoin.
Tim was able to share some of his early experiments in this
space.
I hope you enjoyed the conversation.
Please do subscribe and follow us for more.
I'd like to thank my colleagues who worked with me on this
podcast.
Kathy Watton is our show producer and editor, Frederick
Brummer and Ahmed Khalil created our theme music and intro.
(46:55):
We are gonna keep having conversations like this.
Thanks for tuning in.
If you've got ideas for guests, we should speak to, send us an
email to the311@northern.co.
The public service is about all of us, and when it's done right,
digital can be a key ingredient for a better world.
This has been the 311 Podcast and I'm your host, Paul Bellows.