In this episode of The Discussion I’m joined by digital identity thought leader Dave Birch and Senior Principal at Liminal, and host of the State of Identity podcast, Cameron D’Ambrosi to discuss the digital identity landscape.
We cover the push towards integrated identity platforms, the vision for reusable identity and the differences between centralized and decentralized systems and how those often reflect national culture. What is the state of Digital ID in the UK? Will the wallets offered by Big Tech win out in the USA? And how might eIDAS or the EUDI approach evolve across the EU?
Also to what extent do the public really understand (and trust) these identity systems which look like they are about to become part of our everyday lives?
Liminal website https://liminal.co/
2023 Digital Identity Landscape from Liminal https://liminal.co/2023-digital-identity-landscape/
The State of Identity podcast https://podcasts.apple.com/gb/podcast/state-of-identity-podcast-series-by-liminal/id1183881265
Cameron D’Ambrosi on twitter @dambrosi
Dave Birch’s website https://15mb.ltd/
Dave’s Substack https://dgwbirch.substack.com/
Dave’s books The Currency Cold War and Identity Is The New Money
Read him on Forbes
Dave Birch on twitter @dgwbirch
A New National Purpose: Innovation Can Power The Future of Britain
Tracey Follows 0:21
Today we're in conversation with David Birch and Cameron D'Ambrosi. Dave is an internationally recognised thought leader in digital identity and digital money. And Cameron, a Senior Principal at Liminal, advising companies on the technologies and insights shaping digital identity today. He's also the host of the State of Identity podcast, which I've had the pleasure of being on. I've lost track of the amount of negativity and fear about digital identity in my timelines. People have already chosen their camps. It's the best thing since sliced bread because it will pave the way for more seamless services as they continue to be digitised. Or it's a plan to sign us up to digital slavery, where we are all surveilled 24/7 in a technocratic nightmare. What continues to strike me is how unpopular my own view is with both groups because I don't fit into either. I can see how a world of digitised public services requires digital identity, at the very least in order to limit fraud and protect digital and physical property and other assets, even to protect the digital self. But I wouldn't want to sign up to any system. We need one that is privacy protecting and preserves user autonomy at all times.
My worry is that those shouting down the concept of digital ID at all, are wasting the precious time we have to decide which is the best system and to advocate for that. By not engaging in the technicalities. And the alternative approaches, we could end up with completely the wrong system for our country, culture and commerce. It's time for civil society to properly engage. So in this episode, we get the overview of the digital identity landscape. We cover the push towards integrated identity platforms, the demand for reusable identities, and the supply of digital identity credentials from both big tech and government agencies. The landscape is currently a mix of decentralised and centralised approaches, with the EU in particular, claiming to take a self sovereign identity approach, but does it? Especially in the specific case of the UK, we look at the need for improvement, the importance of convenience for mass adoption, and the idea of custodial self sovereign identity. One thing all three of us agree on is that trust is a crucial factor in the implementation of digital identity systems in the west today.
Tracey Follows 3:04
Hi, Cameron, welcome to The Future of You podcast. Thanks for joining me today.
Cameron D'Ambrosi 3:08
Thank you so much for having me really excited to be here.
Tracey Follows 3:10
Well, you are the person I always want to speak to when I want to know what's happening in the market for digital identity and where the big trends are. So could you just paint a picture of the digital identity landscape and what aspects there are that make up this ecosystem?
Cameron D'Ambrosi 3:28
Technically speaking, we really like to anchor our perspective around digital identity on the landscape and that landscape is anchored on what we call the consumer digital identity lifecycle. So starting with how an identity is created, how the attributes tied to that identity are then verified, you can think about the creation of an identity as someone almost handing you a blank driver's licence. The verification would be - let's fill those fields in like your name, like your date of birth, like a photo, like a biometric, you know, have those stamped onto that credential indelibly in some regard, then you move into authentication. So we've created an identity, we've populated it. You've come in once now after you leave, how can we let you back in again, and trust all those things we shared about you or you that you shared about you, and make sure that it's not someone else imposting you. This historically was the domain of username and password. Now obviously, we're moving to whether it's FIDO2 passkeys, whether it's biometrics, location based authentication, browser fingerprinting, all of these things, you know, continuing to expand on the capabilities of where passwords originally brought us. Then once you've authenticated yourself, it's about authorization. So how do we give consent or permission within a system for people to do things? You know, a prime example of this would be you log into a bank, right for online banking authorization is about the fact that I only see my account and end balances and not Tracey's. And then finally federation, which is how can we kind of encapsulate all of these things that have created this digital identity that I've been using, those verified attributes that are tied to me, my methods of authentication, the associated authorization privileges that are tied to my account - can we make those portable and bring those along with us?
This is obviously tying into where we are in 2023. I think this is the area where we are seeing the most rumbling, if you will, the most exciting developments, tying all of these different facets of the lifecycle together. Because historically, we have seen piecemeal point solutions out in market, and it has been on the enterprise, it has been on the government, it has been on the end platform to stitch those things together into a viable digital identity experience, for lack of a better word. And I think, again, to put a pin in this and maybe let you redirect some of my ramblings in a more cohesive way, we are seeing in 2023, an intense push towards what we at Liminal call integrated identity platforms. The notion that we are moving from these point solutions that are maybe just offering something like passwordless authentication, or just something like document verification, or just something like biometrics into solutions that tie all of the different tool sets, technologies and capabilities and integrations required to make the full lifecycle work within the confines of a platform offer a single integration that's going to bring all these things together, and hopefully drive where we all want to be, I think aspirationally speaking, which is a unified digital identity, that is privacy preserving user centric, but able to be used across varying degrees of identity assurance. So something as simple as anonymously proving that you're over 21, in order to buy a bottle of wine online, all the way up to, you know, a bank grade KYC for something like starting a company incorporating it and then opening a bank account for that corporation.
Tracey Follows 7:25
What a fantastic overview. Thank you very much. I think particularly for people who don't have much technical background in digital identity, that explains it really, really well. And it feels to me like there's a big shift towards, like building the proper infrastructure, rather than just having random apps on loads of different platforms that one might use once and maybe never even use again. Is this the vision for reusable identity as the language states it?
Cameron D'Ambrosi 7:57
The fundamental questions, any platform is, is trying to figure out to some degree when you're interfacing with it are - is there a real person at all behind this device? Or behind this session? You know, so making sure it's not a bot? Then moving beyond that? Is this person an actual legal person who exists? So can we go to a database of some sort that's authoritative to say you're claiming to be Tracey Follows? Does Tracey exist at all? Or is this like a synthetic identity? Someone who has been made up completely? And then the last piece is, okay, you're claiming to be Tracey, and we've proven that Tracey is a real person. Now, are you actually Tracey? Or are you know, an identity thief and imposter.
The problem with the market right now is, every single organisation that has a need for any of these levels of increasing identity assurance is having to do it all themselves. Now, obviously, from an efficiency and cost standpoint, that's extremely ineffective, you know, everyone is having to pay for a single use identity verification, which is creating, you know, a negative externality for the ecosystems as a whole, right, everybody's spending money they don't need to be, but more critically, tightening regulation, and shifting consumer awareness, increasing consumer awareness of data privacy concerns - who has my data? How is it being stored? are really creating a massive liability for these organisations. They don't want to be stewards of your identity data in a meaningful way beyond what they have to do for legal and regulatory reasons, because it is just creating too much of a headache. They don't want to have to put all these controls in place for CCPA and GDPR. And even if it's not a regulatory constraint, they don't want to have the cybersecurity risk, you know, you can be held liable in depending on the jurisdiction criminally and or civilly for leaking this information out if you get hacked and the amount of cybersecurity threats are only increasing nation state calibre tools are in the hands of more people than ever.
These data lakes have turned into kind of toxic waste dumps, if you will, that are just, they're not good for anyone. Right? So I think all of these trends are pushing towards the desire to establish reusable identities. And then on the other side of that equation, right, if that's the demand side of the ledger. On the supply side, we have both big tech in the form of Apple and Google, as well as nation states or coalitions of nation states like the EU, or in the US at the state level, organisations at the government level, looking to put digital identity credentials tied to an authoritative issuing source in the hands of consumers. Because these governments see the writing on the wall, they're realising by making the identity records that they store that are the only authoritative but true authoritative source of truth, for identity verification, enabling direct access is only going to drive better outcomes for society, it's going to reduce fraud, it is going to drive better user experiences. When governments look to transition to digital services, right? Obviously, the government wants you to pay your taxes digitally, as opposed to sending a manila envelope full of paper, and it saves them time and money. Digital identity is a necessary component of that. So I think, you know, in 2023, we're seeing both the supply and the demand sides of that ledger really fill up with excitement and progress towards getting reusable digital identities out into the market and usable.
Tracey Follows 11:48
One of the things I've been trying to understand is to navigate through the market for this though, because even in the UK, we've obviously got the government system of one login, which to some extent replaces what we would have known as government gateway system, and will allow us to access lots of public services that the government makes available to us. Separately, we've got this burgeoning sort of private marketplace of companies and entrepreneurs and startups, starting to offer apps where we've got a wallet, and we can keep biometrics or credentials with the likes of Yoti and others. Of course, you just mentioned we've got the eIDAS in Europe, and I know in the States, and maybe you can explain what's happening in the States, we've got the mobile driving licence. I'm not entirely 100% clear whether these are all very similar systems, or there's quite big differences, which are truly decentralised, which aren't. Could you simplify it for people or maybe even just explain what the differences and the similarities are between some of those sorts of systems in this new integrated marketplace?
Cameron D'Ambrosi 12:59
You know, in a nutshell, I think there's two main approaches, right, and this is obviously a gross oversimplification to some degree, but I think you call this out and it's worthwhile anchoring here, which is, you have a truly decentralised approach on one end of the spectrum, self sovereign identity as the industry term is sometimes used. That's the notion of a blockchain approach. The foundational characteristics of true SSI being your identity wallet is like a Bitcoin wallet. Only you can create it, there is no central authority that can revoke it or access it. And I think more critically similar to a Bitcoin wallet, like if you lose the secret key to access it, there is nobody who's going to come to bail you out, right? On the exact opposite end of that spectrum would be a fully centralised system, run by a government agency or a private enterprise and you have a digital identity. But that's similar to and this is a gross oversimplification again, but it's like a Facebook account, right? It's run on somebody's servers, they are a super admin, which means at a fundamental level, they are going to be able to reset your password for you. But also what comes along with that is theoretically, the notion that they could cut off your access, revoke it, modify, view your data, etc.
I think what we're seeing out in market is a spectrum of solutions that maybe play not quite at each of those extremes. But somewhere along the line. I'll start with Europe. They are very much anchored with this eIDAS and with the I've been calling it EUDI, maybe 'yoo-dee' is how folks are saying it in plain speech. But this European Union, digital identity ecosystem they're building up. They have taken a very self sovereign identity centric approach. The true self sovereign identity heads, who I think are a bit more ideological about these questions, would strongly dispute that anything with direct government involvement can truly be self sovereign, because they object to that notion. But the EU is kind of taking it as close to that principle as you can get, which is, we're going to build the ecosystem around blockchain based user centric wallets that are wholly in control of the end user. Only they can read and access their data, and give permissions for other folks to access it. But critically, they are building the frameworks to allow for direct verification of the initial identity, you know, when the identity is created within the system, and you need to verify those attributes. Are you Tracey, are you Cameron? What's your birth date? What's your nationality? Are you French? Are you Spanish? Integrations to allow direct access to those authoritative government sources, which, personally speaking, this is my opinion, I think, is the right, compromise, right? Because as much as we all dream of this true notion of self sovereign identity, and complete independence of our identity from any government authority. At the end of the day, we live in a world where you need an authoritative government backing to give weight to your identity, because otherwise, it's meaningless.
Tracey Follows 16:21
It's not anchored, is it then?
Cameron D'Ambrosi 16:22
You know, I appreciate the concerns around well, what if the government takes away access to your E-ID, but you know, if the United States revokes your passport, because you're persona non grata for whatever reason, I think you have bigger problems, than I can't open a bank account digitally using my E-ID because they revoked my wallet, right?
Tracey Follows 16:40
So would that be a custodial wallet, the eIDAS one or not? In that it's kind of a decentralised solution, but really somebody's looking after it for you, because you don't have your own servers, your own keys, that sort of thing. Is it that or is custodial wallets something different again?
Cameron D'Ambrosi 16:57
They have built privacy by design, into the core of the ecosystem, which I think is really a heartening and exciting development. So right if that's where we are on one end of the spectrum with the EU, I will place where we're seeing United States advancements somewhere shifted more towards that centralised approach. We do not have any federal legislation that has passed around digital identity. There is a bill that rattled around the Senate and its status is currently a bit up in the air. But we have kind of seen in classic US fashion, a piecemeal state by state approach to identity.
Now for your international listeners who maybe aren't quite as familiar with this, in the US, we have this fundamental aversion historically and culturally in this country to any sort of official federal identity document. Despite the fact that we, as American citizens are all issued what's called a social security card and social security number, which is our de facto national ID number, but also treated as the secret PIN code for proving that you're in control of that associated identity. So it's somehow supposed to be both the username and the password, but also, we're not supposed to use it as a form of identity. And so we've had states step into the void, where all 50 States issued driving licences, and those have become the de facto national identity card. And the government through legislation, like the REAL ID Act has really tightened the issuing standards at the state level for those credentials, so that they can be used for nationally important use cases like air travel. So we've backed into attempting to get a unified national ID card standard, through state level guidance on how states issue a driving licence, which again, is ridiculous, because the assumption that you have to drive in order to have a valid identity is absurd on its face. How this is translated to the E-ID or mobile driver's licence realm is somewhat predictable, which is every state is kind of winging it and going their own way currently.
So we have a children's treasury that has different approaches at the state level. You have some states like Louisiana, for example, that have issued their own state run and funded app that lets you convert your driver's licence into a digital driver's licence, and then can be used for use cases like in Louisiana age assurance. They passed a law restricting access to pornography for anyone under the age of 18. Many popular porn websites like Pornhub require you to use your Louisiana digital driver's licence in order to perform age verification. The other approach you're seeing is states that are choosing to ride with big tech. So Maryland, for example, has announced that they are supporting both the Google and the Apple mobile driver's licence ecosystems that those big tech firms are standing up. That's going to allow you to basically onboard yourself to Google or Apple's identity wallet solution and turn your physical ID document into a digitised version. Both of these again, in thinking about this spectrum we created with fully independent decentralised SSI on one end and fully centralised on the other. These are much more skewed towards the centralised versions, again, whether it's the state level app, which has again centralised issuing authorities and revocability around it. Or the big tech approach, which again, inherently is putting control of that credential at the whims of those big tech platforms.
Tracey Follows 20:54
Yeah, you've made me think to ask you about Facebook. Do you have any insight into what they're planning? Because obviously, they've come out and said, they are hoping to bring in verification, as they call it? Do you have any insights into what they're planning to do? Or how they might be going about it?
Cameron D'Ambrosi 21:11
Well, I do, I have many thoughts here. You know, the first is, and this ties back to Twitter as well, you know, what has been leaked from Facebook? Or Meta I should say, across, you know, Instagram and Facebook is they want to make identity a premium product, which I think in many ways I fundamentally disagree with. And I think both from my personal perspective as well, from a business perspective, I think that's a fundamental mistake. This notion that, you know, you have to pay in order to get trust and safety out of a platform is ridiculous. Imagine if, and while I believe Uber did do this by tacking on like a rider safety fee. But imagine if when you got into an Uber, it said, Hey, do you want to pay an extra $5 to make sure that your Uber driver isn't a criminal or drunk driver? You know, that would be absurd. And I think people would rightfully object to that.
I hope that Facebook's announcement and Twitter's announcement that they're going to have these premium products that mean you pay a monthly fee, and only in exchange for paying that monthly fee, can you tie your account to your real identity. I really hope that's the world that we don't end up living in. But, you know, let's see how the market responds. I hope that people are going to push back against that and say, this is something that we think should be done for free. Now, obviously, you have a business to run, and do you need to make people pay for access to new and exciting features? Certainly, there's an argument to be made there. I would argue that at the fundamental level, you know, are you a real person? And are you the identity you're claiming to be? should be table stakes for operating one of these accounts. And I do think with the major, major global push around age verification for social media applications, in particular, it's going to make it a lot more challenging to monetize identity as directly, because these platforms are really struggling hard right now with how they're going to meet these age verification mandates at scale. I don't think anybody's really cracked that nut, proverbially speaking. And obviously, that's a fundamental identity question in and of itself, right? In order to answer, is this user above 18? Or not, you need to answer, are you a real person? and then get at some semblance of and who is the person behind this device? And are they who they are claiming to be. Are you an actual 13 year old? Or are you a 13 year old who's trying to claim you're your dad sitting at your dad's computer?
Tracey Follows 24:00
Dave Birch's thoughts on social media verification have been pretty clear for a while.
Dave Birch 24:06
A long time ago, I think I quite accurately predicted that the most valuable credential would just be that you're a person. Not that you're Tracey, or English or living on Earth at the moment but the fact that you're a person. And I think ChatGPT has accelerated this into the mainstream. So I mean, Mr. Musk was getting very exercised about this last year about not knowing who were bots and who weren't. So the possession of this as a personal credential becomes absolutely vital.
Tracey Follows 24:42
I was going to ask you what you think Twitter and Facebook should do in terms of, well, Facebook story, talking about verification. I think Musk talks about authentication.
Dave Birch 24:52
I personally think they should decouple it. I mean I don't care what Twitter thinks about you. What I want Twitter to do is to maintain the social network, run the tweet system, essentially. It shouldn't be up to Twitter to say whether you're a person or not. So what should happen is, I go to create a Twitter account, or I go to log into Twitter the next time. Twitter bounces me to my bank, I do my strong customer authentication two factor, login to the bank. And the bank sends Twitter a credential which says this is a person. End of, that's it. Doesn't say which person it is - not relevant. Now Twitter can put a tick next to my name that says this is a person. It's none of their business who I am. If I want to put another tick next to my name in a different colour, which means I run a business, or a tick in a different colour, which says somebody else provides, it's not up to Twitter to go out and find out those things. So you end up, they have this kind of black and white verified, not verified, Facebook, are going to introduce the same thing. But actually, it's kind of two levels. There's 'am I person?' which Twitter wants to know. There's 'am I Dave Birch?' which might be relevant in some cases. Maybe I want to be Dave Birch on Twitter, I don't have to be but maybe I want to be. And then there's 'am I this Dave Birch?' and Twitter, have no idea whether I'm this Dave Birch or not. And it's expensive and time consuming to find out. Which is why the whole blue tick thing is a bit of a mess. The people that I know I'm this Dave Birch are, for example, LinkedIn, or Consult Hyperion. So that credential should come from them, you see what I mean? You get credentials from the people that know them. In the case of Facebook is the other way around. So Facebook wants me to pay them to provide...
Tracey Follows 26:52
This is hilarious, isn't it?
Dave Birch 26:53
..to prove that I'm a real person is the other way around. Facebook should be paying me to prove that I'm a real person. Because I'm far more valuable to Facebook. Why should it be up to Facebook to work out whether you're a person or not? That can be done by getting you to log into your bank or whatever else. And the whole real names thing, I mean, I know that's not the subject of today's discussion, but the whole real names thing opens up an absolute can of worms. I am militantly against real names policies, they always end in tears.
Tracey Follows 27:22
Can you explain what that is Dave? What is a real names policy?
Dave Birch 27:26
Well the real names policies… So for example, my Facebook account isn't in the name Dave Birch. And so if you search for me on Facebook, you won't find me. But all of my friends know what my Facebook name is. And that's fine. Because, you know we post pictures of the cats and whatever and it's fine. But there was an interesting example, I was reading a couple of days ago about Cambodia where they enforce the real names policy. With the obvious purpose of capturing and detaining people who've posted. So once you've got a list of all the real names, if someone's posting is not a real name, you know it's not a real name, you know it's a pseudonym, because you've got all the real names. So then you can go after the pseudonymous accounts, bully Facebook, into giving you the details, and then you can arrest people and do whatever you like with it. So real names don't work, and also a lot of the value in social networks. As my kids would point out, I am a person of privilege. You know, I don't care about my name being known on Twitter, but there are a great many reasons why a great many people would prefer to communicate pseudonymously. You know, if you're taking part in a Facebook support group for, to take a very obvious and emotive example, if you're in a Facebook support group for women who are escaping abusive relationships, forcing you to do that in your real name is really a rather poor strategy I think. Also the end of the idea that names are identifiers anyway is stupid. I logged into some national savings thing. You log in, you use your name and your date of birth to log in. I don't doubt for a moment that those aren't unique. But I mean, there's lots of people called Dave Birch. Your name is not an identifier. It's just another attribute. And you can do this kind of probabilistic combination of attributes to try to identify somebody uniquely. 
But in a properly functioning digital ID system, it will be much better to have the uniqueness maintained separately from the attributes, which was one of the proposals around the idea for a national entitlement system rather than a national ID system, which was my contribution to the last consultation.
Tracey Follows 29:51
Digital ID is starting to take off in the UK, but it's happening amongst businesses out of necessity. Just think about hiring processes which can be pretty torturous and they do depend now on surfacing the truth in a digital environment. Right to Work checks that employers now need to carry out require companies to prove an employee's nationality and eligibility to work. This can be bureaucratic. However, if it can be done digitally, with remote Right to Work checks being carried out by, for example, the Post Office. These reusable digital identity apps, certified through the UK government's trust framework, can allow an employee to use their passport and add a facial biometric and therefore have their identity verified within a matter of minutes. According to Elena Hall, the Identity Services Director at the Post Office, this has resulted in the processing of 1000s of digital Right to Work checks every single week, with one of her client organisations reporting that they can now process 1800 checks in the same time that it previously took to process one. From gaming to banking to retail and any other industry, HR departments can now hire employees much easier and quicker than before. But it's not going to stop at Right to Work. Tenant onboarding requires ID checks and the signing of important documentation. Now it can be done at the touch of a button, as prop tech firm Openbrix just found out when they recently announced their partnership with Yoti - helping to streamline the process, improving the user experience and limiting the amount of physical documentation. But first let's take a step back and see what Dave Birch has to say about all this. What is the status of digital ID in the UK? Have we in fact made any progress at all?
Dave Birch 31:49
Well, where we are is, you know, to be honest, a bit of a mess, it feels like we're making no progress at all. My wife was just turned down for a savings account at a bank here, because her driving licence had expired. It wasn't clear to me why the ability to drive is related to the ability to save but whatever. Meanwhile, I read in the newspapers that you know, a money laundering Russian arms dealer gets to pass KYC by using his mum's gas bill from St. Petersburg. So where we are is frankly a mess. Hence my inexplicable optimism. So in other words, I do actually think some things are bubbling along. You know, the pressure certainly in the UK, where fraud is completely out of control. It's the biggest crime. We have all of this authorised push payment fraud and all sorts of scams and people. And it's getting steadily more annoying for an average member of the public. I tried to send some money by Barclays, my bank. I tried to send some money the other day. Barclays blocked it. Presumably because of some sort of money laundering. So, you know, normal members of the public are being steadily more inconvenienced. And yet fraud is out of control. It's not impacting the bad guys at all. We have an optimally bad situation at the moment. But, you know you've got the European digital ID wallet pottering along. You've got things like sign in with Ethereum coming out of the cryptocurrency space. You've got more and more - for example just before I was talking to you, I was moving some money using Wise. And they're a good example. They don't use stupid SMS things anymore or sending you text messages. It's all done in app. I am slightly baffled as to why Facebook is capable of sending me encrypted and digitally signed messages. So that Facebook knows only I can read them and I know they came from Facebook.
And yet, and I won't name them, but I had an email a couple of days ago from a financial institution about some data they needed, saying, 'Oh, by the way, you know that it really came from us, because we've included the last three letters of your postcode.' I mean, seriously. So it's a mess. But actually, I'm optimistic. I think things are actually about to improve.
Tracey Follows 34:14
And how engaged you think the public are, particularly in the UK, we're talking really, how engaged are they in some of these changes? How much do they understand the technical details?
Dave Birch 34:24
I think the first thing is for getting mass acceptance of a better infrastructure. It's really all about convenience. You saw this back in the days of when Apple first introduced Touch ID. And I remember people saying, oh my god, I read somewhere that someone in Japan can make a fake fingerprint. And all they've got to do is steal your phone and take the fake fingerprint. But the alternative is worse. So the reason why that caught on wasn't because it offered people better security, but because it offered them more convenience. And we have to get the European digital ID wallet or you know, a UK equivalent into that kind of space. I'll give you an example. I was counterfeited on Instagram recently. So somebody made up a fake Instagram account, and took my icon and took all of my pictures, and then started sending messages to my followers saying 'have you thought about investing in this cryptocurrency?' Luckily, a couple of people emailed me and said, 'Is this really you?' I was like, of course it's not! I would never advise people to invest in anything. And the point is how is it that you don't know whether a message came from me or not? You know, a couple of generations after we invented digital signatures and encryption, it just doesn't work for them. So we have to get to the point where it becomes convenient. So basically, when I get a message from somebody, my bank, or Meta, my app should know whether it really came from them or not. And if the digital signatures all check out, it can display the message in green and if they don't, they can display them in red. I mean, I wish they could do that same thing for text messages as well. So you knew whether it really came to the bank or not. Of course, they can't, they just don't implement the technology to do it. So you know, the route in the mass market is not trying to explain keys and certificates and asymmetric encryption and whatever to the general public; the way is to make it convenient.
And I think that means wallets. I'm probably a bit of a one trick pony on this at the moment, because I see several trends pointing towards wallets from different directions: from the payments direction, from the identity direction, the credentials.
Tracey Follows 36:49
On wallets, eIDAS, the European scheme. Obviously they're using a wallet, aren't they and verifiable credentials. They're saying it's a self sovereign model. Is it? Could you explain to people what you think the model is and whether it really is self sovereign. What is self sovereign? Can we even ever get to that point?
Dave Birch 37:08
Look, I come from a technical perspective, Tracey. So to me, it's quite straightforward. It's all about control of the keys, if you have the key, it's self sovereign. If somebody else has the key it's not self sovereign. And of course, the people that are fans of self sovereign, say, 'Well, you know, you should put people in control of their own identity, you should put people in charge of that sort of thing.' Which, of course, is dumb. I mean, this is because the people saying it are sort of 21 year old MIT computer science undergraduates who have no experience of the real world. Putting people in charge of their identity is absolutely insane. Because the first thing they'll do is give it to Facebook, for a Mars bar or something. So putting people in charge of their own identity is ludicrous.
Also I don't want the key. I'm a normal average member of the public, tragically for the state of our country. And I don't want the key. I lose my car keys. I'm not even joking, it took me 15 minutes this morning looking because I couldn't find my little wallet that's got my American Express card in it and I couldn't find it this morning for 15 minutes. At least I can find my car keys now because I've got an Apple AirTag on them. So I can find those. But you really think I want to look after the keys that are the heart of my online future? Of course I don't. I want a responsible regulated institution I can sue to be in charge of them. And for most people, the obvious candidate is the bank. So the way we get round this is by the idea of custodial, self sovereign identity.
So in other words, we use the technologies of self sovereign identity, because we like keys and verifiable credentials, and all these sorts of things. They are nice, and they solve the problem. And they work well at a technological level. Which of course is meaningless in the general population. So we have to solve it at the mass market level. And we do that by making the keys custodial. So in other words, the bank has the key. So for example, when I drop my phone down the toilet instead of my whole life stopping, I can get a new phone and go to the bank and get my keys back. And banks know how to securely transport keys and store them in secure hardware. Because they do it all the time. You have a chip and PIN card in your pocket. I mean, how do you think the keys got into that chip and PIN card, you know, it's the same technology. So custodial SSI, I think is the way forward on this. Now if some people want to custody their own keys, good luck to them. They should be absolutely allowed to do that. And if I want to create an identity and take the private key, and put it on a USB stick, and wrap it up in tin foil and bury it near the lake, near where I live under a tree that I will memorise using a mnemonic that I'll write on a piece of paper and give to my sister in a sealed envelope - Well, good, fine, that's absolutely fine. I mean, don't go whining, you know, when it ends up in landfill or whatever, you can't get it back, don't go complaining, you know. But for population scale solutions, it has to be custodial.
And there's two separate parts. One of the reasons why people write outrage letters to the Daily Telegraph about digital identity is that they don't understand the difference between identities and credentials. So whether I've got the private key or not is irrelevant in the use of the credential, because credentials are wrapped around public keys, not private keys. So if I tell you that I can drive, you should quite rightly ignore me. If the DVLA tells you that I can drive, you can probably take that on trust. What the DVLA is providing you with is a credential that contains a public key. How do you know that it belongs to me? Well, you can force a cryptographic challenge against that public key, which can only be answered by the owner of the private key, i.e. me. So you know that it's my driving licence, essentially. Now, you're not going to mention anything to the general public about credentials, keys, public and private nuances, and all this sort of stuff. You're just going to tell them, 'Look, if you have one of these wallets, from your bank, or Tesco and you go to the pub, you know, it will automatically see whether you're over 18 or not.' And that will manifest itself as in, you tap your phone on something. And either the bouncer sees your face on his phone, which means you are over 18, you're not barred or whatever. Or he'll see a red cross. In which case you can't get in. Computer says no. It's got to operate at that kind of level. Last month Tony Blair, who used to be a prime minister, and William Hague, who used to be not the Prime Minister, published a report on... I can't remember what it was called but it was something like...why is this country such a mess?
Tracey Follows 42:04
It was - A new national purpose: innovation can power the future of Britain.
Dave Birch 42:09
One of their core recommendations is we've got to get the identity infrastructure sorted out. And I agree with them completely. And it was interesting to see how that language has evolved since the original Blair ID card proposals, because it explicitly says in the report, we're not calling for an ID card. We're calling for an identity infrastructure. I think that's right. And there are plenty of people. I'm not the only one, by the way, there are plenty of people who would know how to build such an identity infrastructure in a privacy enhancing way. And actually, to be fair, if you look at what's going on with the European digital ID wallet, because they're building it around verifiable grants they're heading in that same direction as well.
Tracey Follows 42:56
It's very interesting you say that, because I was going to ask exactly that. I mean, what they say in the report is to quote, implementation of a single digital ID for all residents, allowing them seamless access to services, as in other technologically advanced places in the world, but also states that rather than creating a marketplace of private sector providers to manage the government issued identity credentials of citizens, the government should provide a secure private decentralised digital ID system for the benefit of both citizens and businesses. And my question to you is going to be what they seem to be recommending sounds very like eIDAS, I think, but it seems to be recommending against the way the UK have started to go with the approach around the private sector providers who are creating their own apps.
Dave Birch 43:46
Yes, so I think what they're saying is that the root or the core identity should be government providers, but you wouldn't actually use that in most cases. So the way it would work is you get a government digital identity; so a private key essentially, which is then loaded into your smartphone, or whatever it is. So then I go to see the doctor and to get to see the doctor I need an NHS identity. So I use my government identity to get my NHS identity. Now, to me, a member of the public, I don't see this as being a separate, verifiable credential, using a public key. I don't see any of that. I just tap and now I'm in the NHS. What's happening under the hood, is that a pseudonymous NHS identity is being generated against that now. And then attributes can be attached to that as you go on. Or to take a more private sector example. I go to British Airways and I get my British Airways identity, which is a credential which contains my British Airways frequent flyer number, all that sort of thing. But now I can do this all online and effectively because they've got the government digital ID. So I don't use my government digital identity to book a flight, I use my British Airways ID to book a flight, but to get my British Airways identity, I use my government identity.
Now, if I want to tell British Airways and Sainsbury's, that these two identities are the same person, that's entirely up to me. But you should construct the system in such a way that, because the keys that will show up in those identities are different if the system is designed properly, British Airways and Sainsbury's can't collude behind my back to see where the shared keys are between the two people. That wouldn't work. If I tell them 'this is me,' for the purposes of Nectar, or Avios, or whatever, that's fine. But they shouldn't be able to do it behind my back. So I think what Blair and Hague are saying, actually does make sense. So you need an underlying core digital identity, to make it efficient for you to get the other identities that you actually need on a day to day basis. And it's up to the industry to design that infrastructure. Look at what happened in Australia. So Australia's had a couple of massive data breaches, you know, Optus, the telco. And everybody's passport details got stolen. And you think, well hold on, why has the phone company got copies of your passport details? Of course, it's some idiotic government regulation about KYC, and all this sort of thing. But now imagine it in the model that Blair and Hague are talking about. So I go to the phone company, the phone company needs to know that I'm a person, that I'm resident in the UK, that I've got a bank account and all this sort of thing. So they basically obtain those credentials. But we're intelligent about how we design and implement those credentials. So in general, what those credentials are providing is proof that the data is there, but not the data itself. You can provide a cryptographic proof that I'm a British citizen, without having to store a picture of my passport. So I need to get my telco things sorted out. So I present my bank identity, or it doesn't matter, you know, and they say, 'Well, you got to prove that you're British...'. I don't know why you'd have to do this.
But let's say for some reason, Virgin needs to know that I'm a British citizen. So I present them with a credential from the passport office, which says, I'm a British citizen. It doesn't say who I am, it just says, I'm a British citizen. And again, this all has to happen under the hood. Consumers don't get involved in this. Consumers just have their wallet, they can go to the doctors, they can pay their phone bill, they can do whatever else they need to know. But under the hood, you know, we need to make sure it works in a privacy enhancing framework.
Tracey Follows 47:58
So where does One Login fit into all of this, then?
Dave Birch 48:02
Well, that's a different thing. That's basically the single sign on for government services, which again, in itself is a good idea. I'm not quite sure how far they've got, I sort of lost track of things a bit because it was in the department for something or other and then it was in the DCMS, and then they were going to have a joint DCMS Cabinet Office thing. And then they moved into the, I don't know, the Ministry of meat and two veg or whatever it is at the moment. So I've sort of lost track a bit on where all these things are, but I think there's going to be a single sign on for government services, which completely makes sense. I was at a conference a couple of days ago, they were talking about fraud detection actually, but it doesn't matter, the point holds. And one of the panellists was from Finland. And she thought it was astonishing that apparently, in Finland, when you move house, you log in somewhere and say that you've moved house. And that's it. And they tell the gas company and the phone company, and the post office and whatever. She thought it was baffling that here, you didn't have an identity to log into government services. So I actually am very positive about it. When you look at what's happening technologically around EU ID wallets, custodial self sovereign identity, this kind of thing, zero knowledge proofs, this stuff about... all of these things are kind of really providing a much bigger toolkit. And then you've got people like Blair and Hague saying at a much higher level, actually, society needs these things. You know, if the government proposed introducing, you know, the Chinese digital identity system or even the Indian identity system, I'd be writing stern letters to the Telegraph as well. These originate in different cultural contexts and they're not appropriate for us. Absolutely. I agree with that completely. Does that mean we shouldn't have digital identity? Well, of course not.
I think, you know, if you look at the bell curve it's probably pretty polarised. You've got 5% of people who are militantly against identity, whether they understand it or not. You've got 5% of people, talking about the Daily Telegraph again, who remember fondly the paper identity cards that we had in the war and were rather sorry to see them go in 1954, and would like to have them back again. And most people in the middle haven't got a clue. And if it makes life easier for them, they'll use it. And if it doesn't, they won't. End of.
Tracey Follows 50:27
Every time Tony Blair gets up, which is really quite often to talk about 'well we all need digital identity.' Unfortunately, he is not a trusted person to deliver that. And so every time he speaks on digital identity, certainly in the UK anyway, actually, the trust seems to reduce every single time. So I don't think it's doing the sector any favours. I do think it's interesting that we don't really have, at the moment, the right kinds of ambassadors for the audience. So it's difficult to communicate a trustworthy message.
Cameron D'Ambrosi 51:00
You stole my thunder with the Tony Blair joke. I was about to make that exact same comment, right? These systems are only as good as the trust placed in them. And I think it's a perfect example of where we need to think long and hard, and I think these platforms need to think long and hard, about who are these ambassadors that are going to be used to bring these to market? And in an era where unfortunately I think public trust in anything quite frankly, is at an all time low. I mean, it feels like you can't walk down the street and ask 10 people what colour the sky is without getting some divergent answers in some regard. So I think this ties back into this notion of this education piece. Like how we are rolling these platforms out, how we're messaging around them is going to be really, really critical. Because, and this is something that I neglected to hit on when talking about this current landscape, whether it's the EU with eIDAS2.0, and EUDI, or the US and that nascent federal legislation that I referred to that was in the Senate committee, both of these major ecosystems that are being talked about, are explicitly stating that they are going to be opt in. I do not foresee any future within either the US or the EU, where there is the political will, or feasibility to make adoption of digital identity credentials mandatory. That's enshrined specifically in the eIDAS2.0, the latest draft. As well as in what I would expect to see out of any federal legislation, or quite frankly, state level legislation. Which is this enshrined right of, I do not wish to have a digital identity credential and will not be forced to adopt one. So I think what this long tail of consumers who refuse to adopt digital identity over a physical identity credential. You know, how big and how long that long tail lasts, is going to be up to us as an industry. 
To your point, pick the right messengers, nail this consumer education piece, and really make sure that we're designing these ecosystems in ways with fundamental privacy built in at the ground level, and then explain that in a way that people can understand and with a trusted messenger, so that they actually believe these assertions.
Tracey Follows 53:28
So where does that leave us in the digital identity landscape? What do you think lies ahead?
Cameron D'Ambrosi 53:33
I think, look, you know, keep an eye on the continued development of the EUDI, European initiatives in particular, and big tech here in the US. I think those are really the leading indicators of how ready we are as a market for the adoption of E-ID for mobile driver's licences. And look to see, how are consumers responding to this? What is the state of this consumer education? Because I think that's going to be a major bellwether for how aggressively this growth curve starts ticking up. So I think this is going to be a really impactful next 12 months. And maybe we can circle back sometime in the future to check in on some of these predictions and see how we did.
Tracey Follows 54:25
Thank you for listening to The Future of You hosted by me Tracey Follows. Check out the show notes for more info about the topics covered in this episode. Do like and subscribe wherever you listen to podcasts. And if you know someone you think will enjoy this episode, please do share it with them. Visit thefutureofyou.co.uk for more on the future of identity in a digital world, and futuremade.consulting for the future of everything else. The Future of You podcast is produced by Big Tent Media.