0:16

Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use the digital data critical to our lives.

0:26

I'm George Peabody, partner at Lockstep consulting and thanks for joining us with me is Lockstep founder, Steve Wilson.

0:33

Hi, Steve, how are you, My friend?

0:36

I finally got it out.

0:39

This is gonna be one of our quick George and Steve chats about some things that are happening in the industry and, and around the world in terms of how do we actually make data better.

0:51

And, and today we're gonna talk about the notion of a single digital ID, not a single digital identity, which we talked about and one of our last podcast, but we're gonna talk about the notion of a single attribute used to help us make data better interact online in a more secure way.

1:11

And we're gonna actually be talking about the, the digital ID bill that's now in, in front of the Australian government and under consideration.

1:21

But before we get there, I just wanna compare it to sort of two other models that are out there where if you're familiar with what's happening in a lot of growing coun countries and developing countries with where there's a national ID, the poster child for that.

1:38

And that success is India's Adhar platform where there is a biometrically secured biometrically based national identity, which has everything to do with economic inclusion, where literally millions of people have been brought into the economy through the Adhar program enormously successful.

2:01

And and we if you're in the payments industry, you have to look at with admiration at what India has, has built with the India stack.

2:09

But Adhar is, is brought on, as I said, millions of people into the economy, many of whom simply now have AAA way of being identified so they can receive government benefits.

2:23

This is a tool of legibility for government to be able to find its, its citizens and be able to deliver a service to them.

2:31

That's one model in a completely different model is what we see really from data brokers like relics like Lexis, nexis and others who have, well, we've heard it referred to as a shadow id internally to their operations.

2:50

They have a single identifier, single I ID around which they hang all the other attributes there and all the other bits of data that they're collecting about us, it often might start if, if, if you're a child getting your first mobile phone, you know, one of those, they, they have an internal number that they attach that mobile phone number two and to use for tracking purposes.

3:18

So that's a very different approach, but it's still a there's still a single identifier, single id that's being used to enable these platforms that enable these approaches.

3:30

Now, Steve, let's talk about what's happening in Australia.

3:33

And if you talk about that approach a little bit, we can use that as this like this set up as a way to distinguish between them.

3:41

Yeah, very good setup.

3:43

Thanks George, the digital ID bill that's in front of us in Australia as discussed a few days ago by you and me.

3:49

It's a bill that seeks to not introduce a digital identity because we don't have anything like that in Australia.

3:57

It would be really novel.

3:58

There's some politics behind that as well.

4:00

Famously Australia, the US, the UK, Canada, New Zealand, the anglophone countries, the common law system countries, we are all famously allergic to National ID.

4:12

So that's sort of the negative connotations.

4:14

I I prefer to look at this positively like what's the problem that we're trying to solve?

4:19

And the problem turns out to be that the data that we use online to due identification, the data is crappy.

4:27

It's increasingly stolen.

4:29

It's bree that's used behind our backs.

4:33

It's plain text data.

4:34

We, we live and breathe plain text identification.

4:37

We have these I DS from the government, we type them into web forms and of course they're vulnerable.

4:43

The ID bill is about saying that a digital ID is as legitimate as a normal, normal regular text ID.

4:50

But there is an anticipation that these digital I DS will be safer.

4:54

They'll be easier to use online.

4:56

They'll be safer against attack and stealing and replay and they'll be more reliable.

5:01

So that's the bill in a nutshell, digitize I DS that we already have.

5:05

What goes it, what's the, what's the thinking in terms of, I mean, you, we're creating a, there's yet another attribute, a new digital ID.

5:13

This is new pointer.

5:17

OK.

5:18

I I'm curious what's feeding into it to make it useful to make it legitimate?

5:23

Great question.

5:24

And, and I think that that's why you and I got together again for this conversation because we're reading a lot of press reports.

5:29

We're speaking to a lot of policymakers and there is some ambiguity about whether this thing is gonna be a new idea, a new attribute or not.

5:38

Now the minister responsible for this bill very credibly and and convincingly says that they're not in the business of producing a new national ID.

5:47

So I take that as truth and yet by default, this thing, the Australian government Digital ID system AG DS could be thought to be producing some sort of new attribute because the way that it's described in the media is that Agnes will provide, it will deliver new ways for us to do KYC when opening a bank account, I'm proving how old we are when we buy alcohol online and prove who we are when we buy an airline ticket.

6:16

Now, the question that's left unanswered and the question that's left to the imagination is, does that mean a new attribute?

6:22

You talk George about the data that's feeding in?

6:25

Yes, data feeding in will be existing ID systems.

6:28

So in Australia, there's a famous set of I DS Medicare number, driver's licenses, just as in the US.

6:35

The driver's licenses in Australia are each issued by a state and birth certificates.

6:39

So those are the three major sort of components to identification processes.

6:45

Those are the feeds into AG DS, the Australian ID system.

6:50

What comes out is not necessarily a new attribute, what might come out is just better versions of the things that are going in cos what's going in is plain text backed up by processes, sovereignty, very trusted processes.

7:06

I mean, I've done security work for some of these DMV S, the databases and the, and the human processes that generate driver's licenses are by and large the most secure processes in the world.

7:17

It's sad that what they deliver to the, to the to the human consumer is usually a piece of plant text.

7:23

So we think that what will come out of a is, is, is better versions of what's going in and not necessarily whole new attributes we could discuss why a new attribute is, is not a great idea.

7:36

So, you know, you and I are talking, we're trying to create clear ways of thinking about what A DS could be delivering.

7:42

You know, as we were getting ready for this, you were speaking about the problems of a new attribute.

7:46

How do you see that?

7:48

Well, first of all, even given the, the title of the bill, Digital ID, look, you and I, and those of us looking closely at this, we're celebrating the fact that we're not talking about digital identity anymore.

8:01

We're talking about digital I DS.

8:03

Even the term digital ID out in the public mind could be construed as I'm getting us some na identifier and a new card, a new national ID yikes, I don't like that idea.

8:16

So there's, there's, there are optics to be concerned about more important though, to my mind, Steve, is that how is it being presented to the parties that need to use it?

8:29

In other words, the relying party, the party that's taking a risk.

8:33

So if this is being used by a, an ecommerce merchant or AAA bank, their existing systems don't know how to consume these things.

8:44

And that's, that's one of my new attributes, a new attribute.

8:48

They haven't seen it before.

8:50

How does it get it incorporated into their risk management processes and whether they already have processes around driver's license, birth certificate, Medicare numbers.

9:04

It goes to the thing called KYC, not your customer.

9:07

KYC gets a bad rap and it's far from perfect, but it is the pattern that banks go through around the world to meet their regulatory and governance obligations to know enough about their customers to to be good customers.

9:23

So there's this pattern that's superficially the same and it consumes those, those I DS.

9:27

You talked about driver's licenses, passports, birth certificates, Medicare.

9:31

Every bank actually does it differently and every bank we think should do it differently.

9:36

You know, as advisors, as risk consultants in this area, we know that every, every bank's risk profile, every business's risk profile is suddenly different.

9:45

My favorite example is that the KYC rules at the moment as, as loose and as imperfect as they are, they leave a lot of room for discretion.

9:53

There's the perennial problem of the low dock person that doesn't have a driver's license, but still has every right to have a bank account.

9:59

Now, banks will deal with that differently.

10:01

They'll deal with low dock people through a different workflow and they determine what that workflow should be to be most responsive to their customer and to manage their own risks if there was to be a new digital idea, a brand new attribute.

10:16

How do you deal with the low dock people?

10:17

All of a sudden, we are having to on behalf of banks come up with new identification processes and the banks aren't going to be comfortable with that, not because they're uncooperative in any way at all.

10:28

But the banks know their own risk.

10:30

They know their own way of doing business and to date, they have correctly had the discretion to make up their identification processes and to maintain those processes and to compensate, to have different sub processes.

10:43

as, as need arises, a whole new attribute into the ecosystem, we wouldn't know what to do with it.

10:49

We've also know perfectly well that the failure of Federated ID programs in the past, they failed because trust isn't transitive that the work of one party around risk.

11:01

Is it going to satisfy another party?

11:04

So one bank's, you said one bank's approach is different than the, than others.

11:08

You know, just one other thing I'd be concerned about.

11:11

And it's important to be thinking about in the design of this kind of service sys system is if we're creating a yet another attribute that gets database by a relying party or a service provider, We've done nothing to improve the problem of data breaches.

11:27

We just have more data that might actually have more value out there than an individual constituent that fed it gave it validity in the first place.

11:38

And in my mind, you know, how do we get rid of data breaches?

11:41

Well, we minimize data and we make it impossible for data to be replayed to be useful.

11:48

And that's where we need what we were talking about.

11:49

Last time is let's get, let's move away from plain text presentation, plain text representation and form based presentation.

11:58

We need to have a device bound presentation just like we have with our, our, our chip payment cards, there's a device there, there's hardware and software working together.

12:08

And the beauty of it now is the opportunity we have now is that everybody's got one of these things we all have.

12:15

We all have computers in our hands that can present and release data in a, in a far more secure way than the model that we, the only model we had 1520 years ago with the web was yeah, filling out a form.

12:29

We don't have to do that anymore.

12:31

No more plain text.

12:33

Exactly.

12:34

So to, I guess to recap this, this thing ag is in Australia, the the identity system could, you know, people can be forgiven for believing or expecting that this is gonna be a new attribute, a new ID.

12:45

It's not the government promises that it's not.

12:48

And as risk people, George and I are saying, I think that it's not even needed, what's really needed is to conserve the I DS that we have today.

12:58

We know what to do with them, make them better online, make the data better, make it move from plaintext to, to a device bound smart presentation so that you can prove your existing I DS without any new ID and without any change to this business processes.

13:13

Well, we look forward to a lot more clarity and, and watching how this evolves in Australia because again, there's a tremendous opportunity here for Australia to lead in solving these issues.

13:27

This looks like world space practice at this stage.

13:29

So we'll see how the rules pan out in the next few months.

13:32

All right.

13:32

Talk to you next time will do George take care.