Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Rachel Morrissey (00:03):
This is Ascential Audio.
Welcome to the Money Pot.
I am Rachel Morrissey.
I am one of the hosts of the Money 20/20 podcast, the Money
Pot.
We are here at the Amsterdam show and it is stunning.
It is so beautiful, if I do say so myself.
(00:24):
I know I work for Money 20/20, but I don't get to plan
all of this stuff.
I get to look at it at all and it's amazing.
Micky Tesfaye (00:30):
So I am here with
my co-host, Mickey Tesfaye.
Hello, Rachel, and you are absolutely right, it looks
beautiful, we've got trees, we've got the money pot. We do.
Rachel Morrissey (00:41):
We have the
money pie.
It's amazing.
We also are here with a guest.
We've got Aravind, is that how you say it?
Aravind Narayan (00:48):
Yes, that's
right. Oh, thank goodness.
Why don't you?
Rachel Morrissey (00:52):
Tell me your
last name, so I don't butcher it.
Narayan.
Narayan, Aravind Narayan, and he is here with the London Stock
Exchange and we're going to be talking about reusable digital
IDs, right?
So let's dig into that.
Mickey, why don't you begin?
You can drive this.
Micky Tesfaye (01:11):
Sure, let's just
start at the top.
First of all, how are you doing, Aravind?
Aravind Narayan (01:15):
Very, very good.
You're absolutely right.
I can say this is buzzing, as always, just like last year,
even better.
Micky Tesfaye (01:22):
Awesome, that's
what we like to hear.
Tell us a little bit about reusable IDs.
Aravind Narayan (01:28):
Yeah, I'll just
do a bit of a trip down the
memory lane, nice, probably starting from cassettes and VHS
and all that stuff.
Rachel Morrissey (01:37):
Oh my goodness,
okay, we're going to go back.
I'm going to almost feel un-old.
Aravind Narayan (01:44):
Okay, go ahead,
right, I'm going to almost feel
un-old, right?
So back in the 80s, when a bunch of cybersecurity
scientists started to build for a defense project, they built a
network that can connect and talk to different machines, and
that was called ARPANET before internet.
And the idea was how can Mickey's laptop talk to Av's
(02:08):
iPhone?
Or okay forget iPhones, but laptops.
Rachel Morrissey (02:11):
Their computer.
Aravind Narayan (02:13):
Yeah, two
systems talk to each other.
But what it didn't do at the time was it didn't actually
identify if it was Mickey operating that laptop.
So, there was never an identity layer built into this when
internet was built and that just got carried forward, so it was
all the way through without an identity layer.
It was just a TCP/IP-type protocol that allowed systems to
(02:36):
talk to each other. Great.
But now fast forward.
We have come to a stage where an average business user
probably pre or post-pandemic holds about roughly 200
passwords and about 150 apps on their smartphones.
Rachel Morrissey (02:55):
I know Google
likes to tell me I have 136
matching passwords.
Aravind Narayan (02:58):
There you go.
That's because I can't memorize 136 different things, exactly.
So the passwords, obviously all these internet service providers
and all of them start to put identity, like stitch up
identities on top of these and start to give you like a one.
So it started, let's say, with one-to-one password which is
(03:20):
like Mickey's Facebook has a password.
Mickey's Google has a password.
So every website in your world had a password.
Then Google, Facebook, all of them came along and they're like
let's do some federated identity which we now go to any
websites like do you want to use your Facebook login?
Micky Tesfaye (03:40):
Game changer.
That was a game changer, let's be honest.
However, for fraudsters, too, that was a game changer.
Yeah, exactly, they were like yes yes, enjoy this Mickey.
Aravind Narayan (03:51):
Exactly. So 2022,
I think,
Facebook was hacked.
About 850 million user details were stolen.
LinkedIn was hacked. Again,
I was part of the LinkedIn hack back in 2011.
Rachel Morrissey (04:09):
You were
hacked.
Aravind Narayan (04:10):
You were not
part of the hacking team.
Micky Tesfaye (04:12):
Please, no
complaints here.
Okay, that's correct, yeah.
Aravind Narayan (04:15):
So then there
was we are still in that era
where it's federated.
People still use Google and Facebook and LinkedIn and the
rest, Apple IDs, to log into devices and websites.
Now the future, which is the reusable identity that we
are talking about, is the world where I will have an
(04:39):
identity wallet on his phone and he'll only allow certain
websites to log in that he thinks is allowed to actually
see my information.
Okay, so it becomes selective disclosure.
It becomes, uh, fully giving the user back the control.
So there's no hacks.
If you were to hack that in a decentralized manner, you have
(05:02):
to hack millions of smartphones.
Micky Tesfaye (05:05):
Okay, maybe can I
just stop you there for a
second, because I guess, broadly, we started talking about
reusable identity and then are you talking about a very
specific type of technology layer for this?
I'm guessing it's a blockchain-based solution,
perhaps.
Aravind Narayan (05:19):
Yeah.
So I'll just tell you when we dive into reusable ID.
Before you go into what the reusable ID is, I'll just dilute
that a little bit.
We want to talk about what verifiable credentials are. Now,
to know what verifiable credentials are, you want to
know what a decentralized or digital ID is.
So let's take an example.
(05:40):
I graduated, after my MBA, from Bradford School of Management
and all I have is a paper certificate that says I
graduated my MBA, nothing else.
Now convert that into a digital credential and put that into a
ledger and then call that as a claim to say I've graduated his
(06:03):
MBA from this university.
So that's a claim.
Now imagine a number of such claims together which says like
I work for London Stock Exchange, I graduated MBA from Bradford
and all of these things bring it together and that becomes
unique. Because you're the only one that would have those
competitions and that becomes a verifiable credential.
(06:25):
So the universities, the companies you work for, et
cetera, send you that claim to say, yeah, he's right, he's
actually claiming this and, yes, he's correct.
So that becomes a verifiable set of credentials.
Now put all those credentials together and that becomes a
reusable identity.
Now, where do they sit?
They sit in your wallet, like how you have your physical
(06:47):
wallet.
It actually sits in your digital wallet, which is why we
say we need to have a decentralized way of doing it,
because unless you have a very good technology like blockchain
governing all this, there's a good chance of honeypot,
centralized attacks and, like the Facebooks, like the Aadhaar
in India, et cetera, breaches always are going to happen if
(07:10):
it's not decentralized.
Rachel Morrissey (07:12):
Right.
Here's something that I'mcurious about.
So if you're looking at digital identities, there's a few
places that have issued digital identities and, for various
reasons, right.
One of the cases that I find pretty inspirational and pretty
(07:33):
interesting is the case where India did the
Aadhaar, Aadhaar ID, and I'm curious about that, because a
lot of that was also sort of reversed, right.
It was a little bit of like where people didn't actually
have a digital presence at all and they needed one because the
country was about to go as cashless as it could.
(07:55):
It was trying to really limit and therefore it needed to
enable people to have a digital presence when they didn't have
any kind of digital presence at all.
So what do you think about the nature of that?
How does that work?
(08:16):
How would that work in the Western world?
We've got oh, you've got 5 million passwords.
You definitely have a digital presence.
You might have too much digital presence.
We're going to steal part of it or all of it or some of it.
And then how does that work in this
Aravind Narayan (08:32):
area.
Rachel Morrissey (08:34):
What do you
take from their system or their
lesson that we could apply over here?
Aravind Narayan (08:40):
Yeah, no,
that's a very good question,
Rachel.
So I think the main thing is Aadhaar is fantastic the way it
was rolled out, in the sense that it was top-down and it was
just like one day to next you're going to be cashless and you've
got to have this one digital ID scheme that will drive every
(09:00):
transaction around, everything you do in your daily life.
The only challenge is that the privacy aspect of it didn't
really like, if you think about it, essentially makes India
almost like a surveillance state, because you start to like I
mean government can say it's centralized again.
(09:20):
Yeah, so one.
It's prone to hacks and I think two years after it was rolled
out, I think about a couple of million Aadhaar IDs were stolen as
part of a hack.
Rachel Morrissey (09:34):
Woohoo.
Aravind Narayan (09:35):
Yeah, exactly.
So, from a lessons learned perspective, that is definitely
one thing that Europe took when they redrafted the eIDAS, which
is the new regulation they're rolling out now, which basically
said oh, hold on, if we centralize it, we're going to
face the exact same problem as what India faced.
And secondly, government can pretty much see everything.
(09:57):
They do. Everything, like I'm using Aadhaar card to get a mobile
phone, to get this, get that, every transaction, my, my salary,
my tax, everything and my entire journey.
So that to me was not the appropriate way of doing it.
Uh, because again you're starting to become the privacy
(10:17):
has gone out of the door.
So Europe again kind of looked at it and said okay, in that
case, again, this is still a regulation.
We don't know how the 27 states are going to implement it, but
the general guidelines is around.
Okay, you take this legislation and what we're going to say is
(10:41):
you want to apply a privacy by design principle on top of this,
in the sense that we will never track anything you do, because
everything is going to sit in your wallet.
And you've got that.
What I said earlier, selective disclosure.
So, if I don't know, you're going to a car leasing company
and you're going
(11:02):
to say, hey, I would like to hire a car.
Oh, show me your driver's license.
Why?
Because I want to know if you're eligible to drive and if
you're over 18.
Okay, I'll show you enough information.
I don't need to show you my address.
I don't need to show you my face.
I just need to show you that I am, let's say, in the UK.
(11:23):
It's DVLA.
I'm going to show you that I've got a valid driver's license
that is DVLA certified, which will show almost like a trust
mark against my name to say, yeah, I am DVLA certified and
I'm over 18 to drive.
That's enough.
I don't need to give you my address.
Micky Tesfaye (11:44):
I don't need to
give you any of my details, so
that, to me, is a big step in the right direction.
Um, that's not.
This whole story around digital identity is fascinating for me
because it I feel like since I've started working in fintech,
it's been just like a very big question and there are just some
interesting, like regional differences that I'm not even
sure how they occur right like.
(12:05):
I think we talked about India being fascinating, yeah, I think
the Nordics are particularly fascinating, yeah, and the
country we're in right now, the Netherlands, is particularly
fascinating because, within the context of the UK, for instance,
these countries' private sector has solved some of it a long
time ago, not necessarily to the degree and the dynamism that
(12:28):
you're talking about.
With regards to, I think the kind of digital ID you're
talking about is maybe not even the type where you have to prove
you are 18 by showing that you're 18.
But it's more like the way that the information comes up is
absolutely right.
You're yeah, you're not even giving information about
yourself.
It's just saying this part is it's all right, you don't need
(12:49):
to know what's in there, but for the purposes of this service or
whatever, you're good, right, like if someone is buying
alcohol from Amazon they wouldn't know the age now you
know that you're over 18.
Yeah, yeah yeah, right, so that's more advanced than what's
maybe available with iDEAL in the Netherlands or Scandinavian
(13:10):
countries.
But I guess my question, in a roundabout way, is these other
markets have made significant progress that makes it even
culturally much more likely for digital identity solutions that
are over the whole country or region to occur.
What I remember growing up in the UK back when the last Labour
(13:30):
government was in power and I was young I was not, yeah, like
working or whatever.
I remember the conversation about digital identity yeah,
digital ID cards being introduced in the country and
everyone was like no, this is government overstepping the
point you're talking about right.
So I wonder, why does that gap exist where the private sector
is not doing much in the UK, other markets, the government's
(13:52):
obviously, even if it wanted to do it, that barrier to adoption
is significant.
And we've seen it with digital services in the UK actually,
where the government has been not great at trying to.
Rachel Morrissey (14:02):
Well, and
there's always this trick,
because traditionally, governments have been the ones
to issue an ID that would be considered legitimate, right.
Driver's certificates, driver's licenses.
In New York City, you can get just a registered license, since
you're a citizen of the city.
Aravind Narayan (14:22):
Yeah.
Rachel Morrissey (14:23):
And so it has
been part of the role of
government.
Aravind Narayan (14:28):
That's right.
Rachel Morrissey (14:29):
But having
this new power right that
there's no way to kind of guide.
You know, I mean if anybody, I mean like in the U.S., if
anybody's learning the lesson of having to work on trusting
the intentions of the people running the system, where we're
(14:50):
learning that lesson pretty tough right now and um, and I
think about this like I never.
In reality, I never really worried about government
overstepping in my own life.
Micky Tesfaye (15:04):
Like I never.
Aravind Narayan (15:06):
I understood it.
Rachel Morrissey (15:07):
I understood
it philosophically, I thought
about it, but I didn't think about it like personally.
But now, now that I understand what is possible.
Talk about government, you know.
You talk about a digital ID, you talk about programmable
money, you talk about some of these other and you're like,
okay, well, now we're getting into a realm where there is a
(15:30):
real sense of personal infraction.
And, like I said, I never really I mean governments.
You know, not all governments can be trusted, but even when a
government can be trusted, like that's a lot of personal
infraction that we never had to think about before this kind of
(15:52):
power existed.
Aravind Narayan (15:53):
Yeah, no,
absolutely I think.
If you think about this in the spectrum of, like the sort of
tripods which is like there's an issuer, there's a holder,
there's a verifier, that's pretty much it in the ecosystem,
right.
But what we didn't have in the past, which we're now starting
to look at, is a sort of a trust layer in the middle, which is
(16:15):
completely sort of decentralized, in a way that the issuer never
gets to see what the holder is using that issued credential for.
You can't track back all of my activities anymore, so the
issuer could even be a government issuing a driver's
license, but they will never get to see what I'm using it for,
(16:37):
because what happens is like user.
That's where the smartphone adoption becomes a big thing,
because smartphone comes with fantastic features such as, like
the secure enclave where you store the private keys and all
of that stuff.
So what happens is government just get to put their sort of
verifying credentials in a public blockchain and you are
(16:58):
the one who are kind of using a private key to authenticate, so
they never get to see what the usage is.
And the same thing applies for the verifier.
A verifier, let's say a pub.
You walk in, you show your identity, they just ask you a
question, but they never get to see anything else, so there is
no revelation.
Micky Tesfaye (17:17):
It's like a yes
to a no, but it's not the
detailed stuff.
Aravind Narayan (17:19):
Exactly so, I
think else.
So there is no um, yes, revelation.
Yeah, it's not the detailed exactly so there's a.
I think that gives me a lot more promise, and now, if you go
across the pond to the United States, I think there's still.
I mean, EID has stood, or was like a big leap forward, like
everybody never thought like Europe would just jump ahead so
quickly until that point, I think.
I think in the US, it was mobile driver's license, which
(17:40):
is now becoming a thing.
The only challenge with that, though, is that it still doesn't
stop you from it still doesn't let you do selective disclosure,
so you have to show everything.
It is just in a digital format.
Rachel Morrissey (17:56):
Right, that's
pretty much it so we only have
time for one more, yeah, question, I think I have this.
So my background.
Yeah, I did a.
I did a thesis on in my media studies yes, okay, so there you
go and um part of what I was talking about was the nature of
us incorporating technology into our body and incorporating the
(18:18):
body into technology.
Like I have this thesis, my thesis was all about the nature
of.
We do not invent unoccupied space and physical.
We do not.
So the internet particularly when I wrote it like this is
2014, everybody.
But I was writing about how the fact, if you were going to
create a space called the internet, and we were going to
(18:39):
call it a space, a places and all of these things and have
communities that physically we were going to occupy this space
in some way.
And that, in doing so, we were going to incorporate it into our
physicality.
So, legally, if we're thinking about the adoption of the
smartphone and we're thinking about only revealing certain
(19:01):
things and having that smartphone be kind of the keeper.
Would we have to think of privacy and that smartphone as a
part of our corpus?
Absolutely and something that means that we can't like in
American vernacular, we don't have to testify against
ourselves.
That means the smartphone would be part of us and not something
(19:23):
you can go break into.
Aravind Narayan (19:26):
That's right.
Rachel Morrissey (19:27):
So can't
testify against us, isn't that?
I mean, that's sort of an interesting.
It is. Kind of stretches that a little bit.
Aravind Narayan (19:35):
Yeah, yeah, no,
absolutely.
Rachel Morrissey (19:36):
I know, that's
really heady, sorry.
Aravind Narayan (19:38):
No, no, no, no,
I mean it's good.
Yeah, think of that.
It is true, it is an interesting one.
Until your device gets stolen it's a totally different story,
but I think, if you look at the different ways to approach this,
it's got like your bank.
I mean, who do you trust right today?
(19:59):
Do you trust your government?
Do you trust your bank?
Do you trust your smartphone provider, do you trust your
telco provider, or do you trust a private wallet provider?
I mean, it's a big question.
It's a big question and this is where this ecosystem probably
next year, if we are sitting here, I would probably be
(20:21):
talking about guess what?
We have now 600 different wallets around the world and we
are in a position where we don't know what to choose.
And it could very well, it can happen, all right, and which is
why we say in this world it's like from Flintstones to Jetsons,
you know, from Stone Age to flying cars.
It's a marathon and it's not a sprint, and I think laying that
(20:47):
right foundation would probably get us there.
But I think going forward, a smartphone adoption will be the
main driver behind this, and Apple will definitely lead the
way um and Google um, I, I know Rach said she had one more
question, but I have.
Micky Tesfaye (21:05):
I do want to ask
one more, one more if you would.
Yeah, absolutely I guess I like I don't know in terms of the
way that this is gonna evolve right.
It sounds like to me there's an interesting set of challenges on
every side that have to be resolved right like.
You touched on a really important one that we probably
already started to see, which is fragmentation of identity
(21:25):
solutions, so they end up causing the same issue right,
we're going to go back to the multiple password issue right.
Then, on the other hand, one of the things we see, even in the
last 20, 30 years, right, growing distrust in institutions
like governments and whatnot.
So governments, probably, the more that they do that, the
greater their risk, right?
So we've got these two issues already.
(21:46):
The other thing is, in a weird and roundabout way, like banks
have become one of the most trusted institutions over the
last 20 years, right.
Aravind Narayan (21:54):
So now we've
got another potential. Until
Santander was hacked about, I think, a couple of days ago.
Okay, so you're way ahead.
Hey, hey, I've been on site.
Okay, I've been on site.
Micky Tesfaye (22:08):
I can't be
looking at it.
So now it seems like there are three kind of again these layers,
right.
So I wonder, is part of the problem not that we're so
focused on trying to find this perfect solution?
Would there not be a better way forward, for instance, for
private banks to come together and say, hey, look, at the end
of the day, the more we compete against each other, one we're
(22:28):
going to be, we're never going to take on the big technology
players because I mean, they've got how much to blow on all of
these things?
Yeah, and then, two, it gets more cannibalized and then you
end up with the same situation.
Aravind Narayan (22:39):
Absolutely so.
This is interesting because one of the things that when EU
Commission rolled out the regulation and in the UK for the
digital ID trust framework, the common theme was we need to
have common protocols and standards.
So as long as you have W3C verifiable credential standard,
(22:59):
with FIDO2 encryption and JSON web tokens, etc., there's a lot of
tech jargons in there, but if you have sort of a clear layer
that actually is across the wallet and it's standardized and
governments around the world approve with their trust mark to
say, use that wallet, that wallet, not that one, I think
(23:22):
even if you have, let's say, six different wallets in your phone,
if they are interoperable, keyword here, it makes a big, big
difference across.
And again, that's what EU is trying to do, because when they
launched the first EID scheme back in the day, bank IDs, it's
me, all of that stuff, the only challenge was it's working in a
(23:43):
certain country.
You go outside the country, that government doesn't know who
you are.
So all that data you furnished in Belgium means nothing for
France.
So, that is what we are trying to build, bridge the gap.
And you can only do it by saying common protocol,
standards across the globe and have the same security layer so
we trust every wallet equally and government certifies it.
(24:05):
That's probably the way forward.
Rachel Morrissey (24:08):
It has to be.
Aravind Narayan (24:08):
Yeah.
But that sounds like a long road. It is a long road, but, as
I said, you know we are not in the Jetsons era yet, so we're
slowly getting there.
Rachel Morrissey (24:19):
I want a robot
to do my dishes.
Aravind Narayan (24:23):
Have you
watched Human Humane?
Oh yeah, that's scary.
Micky Tesfaye (24:27):
There you go.
I don't want to be scared.
I'm not going to tell you about this.
Rachel Morrissey (24:31):
So that's all
we've got time for.
I just want to thank you so much for joining us today in the
Money Pot.
And, uh, Mickey, like always, I love having you here with me,
thank you anyway.
So, uh, thank you to all of our listeners and just know that
you guys can always find us on any place that you listen to
your podcasts, and you can find us on the Money 20/20 website.
(24:53):
So go find us and dig out all of this extra information.
We'll be putting on our information.
Well, where you can find it?
On LinkedIn?
Micky Tesfaye (25:02):
Not fully
identifiable.
Yeah, that's right.
Rachel Morrissey (25:05):
And thank you,
and we love our fintech nerds.