Self-sovereign identity, digital wallets, risk management, federated identity, and a recap of the Identiverse 2023 conference are among the topics discussed in this episode of Making Data Better. George and Steve complete their landscape view of data quality and security.
Identiverse 2023 reflected those topics, indicating a shift toward digital wallets, passkeys, and verifiable credentials as essential components of a resilient digital ecosystem. We discuss these and what's not being addressed to date.
So take a listen as we set the table for Making Data Better and begin our series. We will speak to practitioners of the latest in data protection, tell the stories of data quality initiatives that have succeeded—and failed—and regularly rise above the weeds to provide perspective.
With so many moving parts and so many changes, Making Data Better keeps it all in context.
Right back at you. Listen to us two coffee, old geezers.
Speaker 2:
Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use digital data critical to our lives. I'm George Peabody, partner at Lockstep Consulting, and thanks for joining us, and with me is Lockstep founder Steve Wilson. Hi, Steve. Hey, George, how are you? Very, very well, and glad to see you. I really enjoyed actually seeing you in person, because last week we were together in, of all places, Las Vegas for the Identiverse conference, and it was great to see you in the real world. Have you caught up with the time zone changes yet?
Speaker 1:
I have, indeed. It was the very real world, wasn't it? We exposed ourselves to all sorts of real-world interactions, some of them viral, some of them otherwise.
Speaker 2:
That's right.
Speaker 1:
And we know that the earth is not flat, because time zones and jet lag are vivid proof. Good to reflect on Identiverse, wasn't it? There were several themes that we'll come back to as we talk today, but, as always, I think it was very interesting to see the difference between identity and identification and the business of identification. The business of enterprise log-on, the bread and potatoes, the meat and potatoes of the identity industry, is going strong, but we keep seeing these mixed signals, don't we, about the future of identity and the meaning of identity and the philosophy thereof.
Speaker 2:
Well, let's close up with that. But we made a promise in the first episode to sort of finish covering, well, at least a broad swath of the waterfront that we care about in terms of making data better. So in the first episode we discussed data privacy, data ownership and verifiable credentials. We also talked about who owns the risk at some length, and how risk is very much an individual assessment, and it may also be allocated or assigned based on business rules or regulation. And the example I used in episode one was to talk about today's fast push payment systems. Australia has one; the US has got, well, it's about to launch another national one. If I send money to the wrong individual because they fooled me by scamming me, by rule I'm on the hook for the loss. My bank doesn't have to make me whole. And, on the other hand, just to illustrate the power of rules, if I make a purchase with my credit card and what gets shipped to me is a box of rocks, the rules say I can charge that back. So payment systems have got very different sets of rules, and so risk allocation is a big aspect here when we're talking about the identification use case. So, Steve, one of the big topics in the identity industry, and I'm putting identity in quotes, has been this term referred to as self-sovereign identity, and I'll confess, when I heard that label, I was somewhat bemused. I mean, I do love the notion of being sovereign over my own identity. And then, well, I am. I mean, from any human point of view, we are who we are, as we define ourselves, as our actions declare us to be out there in the world. But online, in the digital domain, who's going to believe what I say about myself? So what's this self-sovereign movement, as I've heard it also referred to? What's it all about?
Speaker 1:
It's definitely a movement. I think it's fair to call it a movement because it's political, and I do not mean party political. I mean that it is about power, the self-sovereign movement. My take on this is that it's an understandable revolt against the excesses of the digital industry and indeed big government for the last 10 or 20 years. So people feel as though they own their identity in the real world, and we have this intuition that our precious analog identity should be continuous as we make the conversion to digital. Now, a few things follow from that. The idea that you could control your own identity or control your own ID: we've actually had that idea in the industry for a long time. It was called BYO ID for a long time. BYO ID, bring your own identity. It's technically very difficult, and it's a similar problem to the double-spending problem that was solved by blockchain. So we'll come back to that. Very interesting that the self-sovereign movement is wrapped up with blockchain. In some people's minds they are one and the same. A lot of the more advanced thinking in self-sovereign tries to break the blockchain shackles, because blockchain obviously has a lot of baggage. The idea that you could control how you are known merges then with the hope that you could control how your data flows. That's the big misstep that I want to talk about for just a minute. The idea that, even if you could control your own identity and BYO ID, the idea that that would then force anybody to control data about you in a particular way, I think, is a false hope. My take on this is that most personal identity about me is created behind my back, for good or for worse. Mostly for good.
Speaker 2:
A lot of the identity that you use, or we use, to inform another party about who we are is really... what we're doing is giving them attributes that have been given to us by government agencies: our driver's license, our Medicare or Social Security numbers, or whatever.
Speaker 1:
Being our memberships, our qualifications, our affiliations, all attributes that come from different communities, and they're given to us. We don't actually own them. We carry them, and we control the way that they are presented. This idea of control breaks down in different ways. I want to be able to control the presentation of my driver's license from me to you. That's decentralized in a sense, a peer-to-peer proof of who I am, my driver's license, without calling home to base and without leaving digital breadcrumbs. I think that's a powerful idea. This idea of who owns these bits and pieces is actually a big red herring. Most information about me is created behind my back: my trading history, my transaction history, my health history. These are things that I don't actually have a lot of hope of controlling. I don't think I want to control those things. I think I want an orderly digital society where there are restraints on how information about me is used. Those restraints are applied on my behalf by regulators and advocates and so on. The idea that I would watch every bit and byte about me moving from A to B to C to E to Z, it's pretty hopeless.
Speaker 2:
It would be exhausting, right?
Speaker 1:
Oh man, you think that clicking on "accept cookies" is exhausting enough, but literally controlling the way that information flows? We can't do that. That's not civilized.
Speaker 2:
I think civilization would suggest that we ought to have to give our permission to release data about us. That's where we hear about consent management.
Speaker 2:
Back to the self-sovereign piece. We heard this referred to a little bit at Identiverse. Was the connection between self-sovereign and blockchain because blockchain is immutable, and therefore my identity is immutable? Was that the connector there?
Speaker 1:
Kind of. The more unique thing about blockchain is that it solved what I've come to understand is the originality problem. So, on its face, blockchain solved the double-spending problem where, when your money is purely digital and therefore it can be copied, you've got a wicked problem about how do you know if my digital coins have been used more than once. And so the famous blockchain algorithm solved that problem in a decentralized way for the first time. We had systems like Mondex 30 years ago. That was an electronic purse, and that solved double spending, but it was essentially managed, and so the self-sovereign movement did not want an essentially managed currency wallet. They wanted you to have your own wallet. So the guts of blockchain is that it provides originality. I can create a public-private key pair out of thin air using open source algorithms. Everybody can do this. I can create a key pair. The trick, then, is how do I convince the world that it's my key pair and it doesn't belong to anybody else? So the very first time that I create my key pair, I send a message out to the world. I sign something with my private key. I send it out to the world and say, hey, this is Steve's, this is Steve's origin event, and that starts, for example, a Bitcoin wallet, or it can start a self-sovereign identity.
Speaker 2:
I thought you were going to say it needs to be started by presenting your driver's license.
Speaker 1:
Well, well, that's the funny thing, isn't it? The ID is not the most interesting part of the puzzle. The most interesting part of the puzzle is your driver's license or your proof of age or the fact that you're a board-certified cardiologist, and those facts and figures are not sovereign. Really, trust me to say I'm a cardiologist? Because I'm not. Bring your own identity is actually not a particularly interesting thing, because what happens after you, in this self-sovereign world, once you have your own BYO ID, your proud self-sovereign identity, what you need to do is to hang a whole lot of other things off of that identity. You don't have any control over those things, the interesting things, the attributes. You don't control those, so they need to sit in a wallet. It's a good idea to control your wallet, but whether or not you own your wallet, it's really ceremony, it's really for appearances.
Speaker 2:
I'd say the other side of that is the relying party, the risk owner, who...
Speaker 1:
...needs to get these signals.
Speaker 2:
They've got to be happy with the signals that they get. They get to choose what they use to make an assessment.
Speaker 1:
Well, that's the funny thing about control. This is not a politically correct observation, but even if I did control all of my identities and all of my attributes, I can't control what the relying party makes of those facts and figures, because it's the relying party, as we call them, the risk owner. They are on the hook for those facts and figures being fit for purpose. I can have the best wallet in the world. I can't make a relying party take my word for it. They are, in fact, sovereign over their own decision-making about the risks that they are prepared to take about the people that they're dealing with. This is actually why federated identity has come unstuck.
Speaker 2:
Let's define federated identity first.
Speaker 1:
Federated identity is this well-meaning idea that I should be able to reuse my identity. I go to a lot of effort to identify myself to one bank through the infamous KYC processes. It's a big investment that I make. Why shouldn't I be able to reuse that investment, bootstrap or streamline or simply reuse that identity somewhere else? It turns out to be a false intuition, because identity is just the surface of the identification that I've gone through. Identification is the way that somebody gets to know enough about me to do business with me. At the end of that process, they'll give me a bank account number or a customer relationship number or whatever. I get an ID, and that stands for the fact that I've done identification. Federation is this intuition that I should be able to reuse that process elsewhere, and it is tantamount to having a bank outsource identification to somebody else. Take somebody else's word for who Steve Wilson is. And when you express it in those terms, it's not so simple, is it? Because a bank normally satisfies itself about all those bits and pieces about me. It puts together a story about who it thinks Steve Wilson is, to its own satisfaction, and it's actually very tricky to try and take somebody else's word for that whole story. And that's why federation breaks down. We've had some really big public-private federation partnerships over the last 15 years, things like NSTIC, the United States National Strategy for Trusted Identities in Cyberspace. We've had the UK Verify project, very, very similar. They impanel multiple identity providers with the hope that once you get a certified identity from one of those providers, then any other relying party in the family is going to rely on them, and it just doesn't work. For 10 years we've seen this become a manifest market failure, because it's very difficult for an organization to simply trust somebody else's word for who I am.
Speaker 2:
Well, every party, each one of us, every enterprise gets to make a decision about what our risk profile is.
Speaker 1:
Federation, to some degree, undermines the autonomy that an organization has to make up its own mind about who you are. And, like you said, risk management is always done locally. If you're a professional organization onboarding accountants, you have a lot at stake to make the correct decision that George Peabody is an accountant before you go and board certify them, and that's actually a sovereign process. That's why each country has its own professions, each country has its own membership rules, and it's a devil of a job to in fact get mutual recognition across borders of professional bodies.
Speaker 2:
It's hard enough to share those credentials within the country.
Speaker 1:
Exactly. So look, I'm not... You know, it's bad and it's unfortunate. The friction is terrible, but the friction is a natural consequence of autonomy in risk management, and everything flows from that. What flows is that organizations that are on the hook will make their own minds up about who people are, and there's no way that we're going to change that.
Speaker 2:
That's right. One of the key questions a board of directors makes, board members make, looking at the company that they are responsible for, is around risk management, and every company has its own unique set of risk concerns. It's no wonder that risk is idiosyncratic in that respect. That's it. Yep. A lot of moving parts. So we'll be covering, of course, these moving parts at greater depth in upcoming episodes with more guests. But now let's take a little return to where we were last week, Steve, and talk about what we heard at Identiverse. And, well, I definitely noticed a difference between last year and this year. So I want to ask you, what do you think of the... what are the trends that make data better that you heard about and that we saw this year?
Speaker 1:
Well, let's remind the audience that Identiverse is probably the world's preeminent digital identity industry conference. It has been running now for 12 or 13 years. We saw the biggest ID to date, about 3,000 delegates, I think, in Las Vegas. It covers everything from the bread and butter of digital identity, which is like log-on and two-factor authentication and multi-factor, the stuff that every enterprise needs these days, Circle Cloud identity or customer identity and access management, the category CIAM, all the way through some really interesting leading-edge public-private partnerships around mobile driver's licenses and electronic passports, to some architectural and political, again, not party political, but how do we deal with identity at scale and what does it even mean? So it's a really lively event. Now, last year happened to be the launch of FIDO passkeys, the idea of being able to have soft private key management, synchronizing your FIDO credentials across different platforms and applications. Now, with passkeys, we've got 12 months of experience. There were a lot of case studies of passkeys at the end of it, so it was fabulous. Let's remember that FIDO has brought together the three major platforms. Microsoft, Google and Apple are now cooperating, speaking publicly perhaps for the first time about these technology standards. It's very, very exciting. Now, we started to see a bit about wallets last year, data wallets or digital identity wallets, credential wallets, and that was really the talk of the town, I reckon, this year: a lot of talk about wallets. There are the built-in wallets with the mobile phone, which most people are familiar with now for carrying credit cards and boarding passes and COVID certificates. The European Union is officially moving to make their electronic ID available in Apple and Google wallets, and mobile driver's licenses, the tap-and-prove NFC wireless driver's license standards, are coming to the wallets as well. That was huge.
Wrapped up with that is verifiable credentials. How do you take things like your proof of age or your trade qualifications or your accountancy? How do you take those facts and digitize them and make them really secure and private in a wallet? There's a lot of talk about verifiable credentials. What people are not talking about is the acceptance of these things. Once you've got a wallet full of credentials, how do you present those privately and securely to a relying party? How do you convince a relying party that these credentials are true? The acceptance of verifiable credentials is something that we're now grappling with. How do you scale these things up? How do you learn the lessons of things like the credit card industry, which does acceptance seamlessly, obviously, at scale?
Speaker 2:
That's because there's a network there which has rules and technology and brand, but the first two are what gives it the power. I think you're pointing at the gap between, okay, I've got a digital wallet, but how are the credentials sourced? What's the provenance of the credentials that get into the digital wallet? Then to your point of acceptance, well, the two go together, don't they? How do I deliver those credentials and release them, if you will, to the party that needs to inspect them?
Speaker 1:
Yeah, the two do go together. It's a two-sided exercise, thank you. I like to bring people back to their mobile phone wallet. Whether it's Google or Apple, have a look. Most of us have now got a credit card or two in our mobile phone wallet. Have a look at it. It's carrying, it's still carrying the brand. The Visa or the Mastercard is prominent in your mobile phone wallet, so that's pretty cool. But what that means, though, is that Apple has cooperated, or Google have cooperated, with Visa or Mastercard respectively. So, scheme to scheme, those schemes have got together behind the scenes, and the lawyers have thrashed out agreements where they're going to open up their APIs and share the magic data. That is not trivial. It's a beautiful experience for me. I mean, it's easy to have a Visa card in my Apple wallet, but I forget how hard it was for those organizations to get together to agree on uploading the magic keys into the wallet. Then, conversely, I can tap and prove. I think I bought you lunch last week, and I waved my Apple phone in front of a... we had some nice Lebanese food. Now, that vendor doesn't know me, the vendor doesn't know my bank, but the vendor system does know Visa, and it knows the Apple wallet. So behind the scenes, all of that magic happens so that my wallet can send ones and zeros to the terminal and the terminal can rely on the data. So we've got good data going into a wallet and we've got dependable data coming out of the wallet, and that's the real magic of acceptance and scale.
Speaker 2:
We'll talk in another upcoming episode about how, actually, the card system, the network, made that data better on the strength of the availability of a smartphone. I raise that just to illustrate that it's a two-sided problem. There's the wallet problem, which is what we heard about. This is wallet technology; we heard a lot about that last week. The network has to facilitate the release of that and distribution of that information. That, too, was a body of work that needed to be done. Any other impressions? Well, I think that that's coming.
Speaker 1:
I think that the realization of the need for a network to connect these wallets together, that's coming. Data and metadata, facts and proofs. The currency of the self-sovereign movement is about claims and proofs. A lot of fabulous technology, zero-knowledge proofs. How do I prove something about me, and only that thing? How do I prove to you that I'm over 21 years old, and not prove anything else? That's a zero-knowledge proof. It's pretty cool, but it's a naked fact. It's a promise that I'm over 21. It's an empty promise unless people are prepared to pick up that promise and ingest it and rely on it. That's that networking that you're talking about. The Open Wallet Foundation was something that was gestated last year at Identiverse. It was launched this year. It's a new effort. It's a standardization of APIs that's housed by the Linux Foundation. We also heard from the OIDF, the OpenID Foundation, which is working on, I think they called it a smart wallet, and APIs and interoperability and blah, blah, blah. Now, I don't want to belittle that. It's really important work, but it is not sufficient for these wallets to be recognizable and legible at scale around the world. We are seeing this blind spot, I think, to the importance of networks and schemes. We did a lot of research, George, you and me, with other identities at Identiverse. We know that there's a huge amount of interest in the need for networks to support the wallet. I think that we're going to see more of that next year.
Speaker 2:
Well, that's part of why we're having this conversation right now. Well, okay, Steve, let's leave it there. Great to speak with you, and our thanks to you for listening as we begin this expedition to understand the many sides of data quality. So much of what we're talking about is making facts available on which to make a decision. I saw a news story today about a particular party here in the US, actually, a particular candidate of a particular party in the US, making use of an AI-generated image to tell a lie. Now that we have that AI generation of images, audio and video, we can't trust our eyes and ears any longer. They're insufficient, so we need a way of having facts enter our digital lives as a foundation, rather than run the risk of this technical nonsense. Yeah, so for more of our thinking, take a look at lockstep.com.au and let us know what you think. We've got blogs there and also a link to makingbetterdata.com, which is where our podcasts live. So go ahead and tweet Steve, hashtag making data better. Let us know your thoughts or drop us an email. Thanks, Steve.
Speaker 1:
No worries, George, good stuff. Great talking to you. Thanks everybody.