Inside The EU's Digital ID Wallet - Episode #17

I'm joined by Andy Tobin, an all-round Digital Wallet and Innovation expert for an in-depth discussion about the EU's digital identity wallet

Inside The EU's Digital ID Wallet - Episode #17

I'm joined by Andy Tobin, an all-round Digital Wallet and Innovation expert for an in-depth discussion about the EU's digital identity wallet

On Apple

On Spotify

In this episode I’m joined by Commercial Director, Europe, Digital Trust Services at Gen, and all-round Digital Wallet and Innovation expert Andy Tobin for an in-depth discussion about digital wallets.

It's a must-listen for anyone interested in identity management. We go deep into what the European identity system (eIDAS) is, how it works and why the EU needs it.

We cover the difference between identity cards and digital wallets and the role of verifiable credentials. We also explore why digital credentials are more secure than paper documents, the spectre of big tech and the future of credentials in general.

Links to more of Andy's work:

Gen website
Links to Andrew’s eIDAS articles on LinkedIn

Tracey's book 'The Future of You: Can Your Identity Survive 21st Century Technology?' available in the UK and US

#DigitalIdentity #DigitalWallet #IdentityCards


Tracey Follows  00:21

Welcome to the future of you. In this week's episode, we take a deep dive into digital wallets.

Tracey Follows  00:27

Regular listeners will know that I usually have two guests on to discuss an area of identity that is undergoing digitization. It could be conceptual, such as digital twins, or second selves. Or it could be technical, such as biometrics or reusable digital IDs. When I spoke with Andrew, I had intended for him to be one of two guests. But our conversation on the European identity system ended up covering both the technical aspects as well as the ethical and conceptual, and I have preserved the whole conversation. So Andrew gets an episode all to himself. It makes sense because this is an important topic, both in newsworthiness and in terms of citizenship. The public needs to know more about digital identity systems and to be encouraged to engage in my humble opinion. So this episode is perfect for that.

Tracey Follows  01:16

Andrew runs the European Commercial Business for Gen's new Digital Trust Services unit. And he's also responsible for Gen's eIDAS strategy, which makes him one of very few experts in his area, who can convey in clear and simple terms what eIDAS is, how it works, and why we need it. Or more accurately why the European Union needs it. I have also included a link in the show notes to his articles and blogs on the subject, should you want even more detail.

Tracey Follows  01:45

In this show, we cover the difference between identity cards and digital wallets, and the key role of verifiable credentials. What the implications are of choosing the right versus the wrong way to prove your identity. Why digital credentials are more secure than paper documents. Trust lists. The future of trust both within and outside of the EU and interoperability across nations and regions. Self sovereign identity, the specter of big tech and the future of credentials in general. I hope you find it as absorbing as I did. For now over to Andrew to explain why we shouldn't be talking about digital identity, but we should be talking about digital wallets.

Tracey Follows  02:32

Andy, thanks for joining me on the podcast. It's great to have you here.

Andy Tobin  02:36

Thank you very much. It's nice to be on.

Tracey Follows  02:38

What I really, really want to talk to you about is eIDAS, and what's happening in Europe with wallets and digital credentials. But I wonder, before we start that, whether we could just get from you a point of view about why digital identity is so important in 2023 and beyond, and what your views are around it. Because obviously, you've been working in this space for a very, very long time.

Andy Tobin  03:03

Yeah, I think what we're looking for is a return to normality, if you like. So the way that we used to identify ourselves is we would carry our own documents with us, like a passport or driving license or even a credit card or gym membership, you carry them physically with you. And you can present them where you needed to present them. And once you presented them, you get them back and you go off and do your thing. And then this digital age came upon us and there wasn't an equivalent of doing that. So what would happen is instead this new paradigm emerged, where you go and sign up for an account somewhere with someone and they would hold your information, then you have to sign back into them, but you couldn't then use that information anywhere else. And we'd become beholden to these account holders that have our information. And rather than me wandering around with my own digital equivalents of my paper documents, my plastic documents, instead, I have to sign into someone who then does something on my behalf. So it's a strange way that things have evolved in the digital world, because there hasn't been a way for us to carry our own digital documents with us, that we've got this bizarre thing with accounts, and then you've got passwords, and then you've got two factor authentication and click all the squares with bridges in them, and et cetera, et cetera. And it becomes very, very annoying very, very quickly. So what we're looking for is a way to get back to where we were before but in the digital world.

Tracey Follows  04:44

So can you understand why some people are suspicious when they hear the words digital identity, particularly in the UK where we've never had an identity card. We're very different with our common laws to the sort of Napoleonic laws. Do you have any sympathy for that point of view?

Andy Tobin  04:59

Yeah, I think firstly, we need to knock on the head, this identity card thing. And instead think of digital equivalents of the documents I already use that I'm comfortable with. And once you think of it like that, you think, why haven't I got a digital version of my passport? You give me a physical one, you get a physical ID document. Well, why can't you have a digital one at the same time? Okay, you're paying for it anyway, for a passport, driving license, and so on - birth certificate. So I think there's a difference between this concept of an ID card, and we'll talk about that more when we're going into the world of iDAS and digital credentials. So I think we need to get away from thinking about ID cards and digital ID and get towards thinking of digitised versions of the credentials you've already got. And once you think about it like that thing, well, it's just the same thing. I've gotten that, like I'm presenting the same way, but with better privacy and better security. And that then is a bit of a game changer. But to know that you need to know that space. I guess.

Tracey Follows  06:06

It's really interesting you say that, because I'd written down here actually, should we start thinking about the credentials economy, rather than digital identity as a way to try to explain some of this because I noticed, when the Blair Hague report came out, and it was reported in the UK media, the UK media, immediately, all of the headlines were about a digital identity card. And it so obviously wasn't, I mean, they literally talk about a wallet. It wasn't a digital identity card. So I wonder if we should just get into that then. But before we do, could you explain the UK's approach to digital identity? Well, at the moment, and how that might be different to what Europe are doing. And then we can get into, you know, explaining a bit about what the eIDAS System in Europe is all about?

Andy Tobin  06:55

Yeah, yeah, I'll have a go. So, the UK had an attempt to provide people with digitised identity information, called Verify. And that involved the government contracting with a bunch of identity verification partners who would do some quite stringent ID checks, in order to then create for you an account that you could log into, and then verify yourself to other websites, and so on. Called federated identities is the approach. Now the irony of doing that is the government was paying these identity providers to verify documents that the government had themselves issued, which is somewhat insane. So the government issues a physical document, and then pays an identity provider to verify that document the government has issued. So that identity provider can set up an account for you. Anyway, it didn't work. Not surprisingly, a lot of people spent a lot of money to create systems to support it, and it just didn't happen.

Tracey Follows  08:03

The take up was very small, wasn't it?

Andy Tobin  08:04

It wasn't that small, but the usage was very limited. Because there was only one type of data set, there's one fairly small data set, which is usable only in a relatively small number of use cases. Whereas compare that with an open world of digital credentials that we're going to talk about where with my physical wallet, I can put any bit of paper in there, I want to. The digital credential world is much more like that. And so now, the UK government's moved to, away from this Verify programme, to a new approach of creating a trust framework that says, you can get certified as an identity provider by following these rules. Okay. And that's resulting in organisations being certified as trustworthy enough if you like, to follow the rules and provide identity verification services. Very, very different to iDAS.

Tracey Follows  09:00

Okay, so what is the most significant difference? Is it that it's a government issued wallet with eIDAS, and it's the private sector who are taking parts and being held to the standards? Is that the difference or is it something else?

Andy Tobin  09:18

Yeah, there's quite a few differences. So firstly, IDAS is the biggest digital credential initiative in the world at the moment. And it's a lot more defined. So part of it is legislation. So there's legislation going through the European Parliament at the moment that will enshrine in law, the legitimacy of government issued digital credential and also all of the processes around issuing that credential and certification of wallets, etc, etc. So there's a legislative approach that will give an IDAS, government issued credential called a PID by the way, personal identity data. It will give that legal legitimacy. And it has other legal weight as well, such as, although I should point out the legislation is moving around still at the moment. But organisations being mandated or let's say strongly encouraged to actually accept these IDAS credentials as well. So private sector organisations, as well as public. So that's one angle of it is it's being enshrined in law.

Andy Tobin  10:37

The second angle of it is the technical operation of this credential ecosystem is being defined at a very precise level. Still early days, and one of the complexities of it is the legislation and the tech and moving at the same time parallel to each other. And that makes for a quite an interesting environment, because the tech has to reflect the legislation and implement it. And the legislation can only legislate for things that can be implemented technically. So there's quite a lot of jostling going on at the moment. But essentially, IDAS is creating both the technology stack and the regulatory stack for this Europe wide digital credential ecosystem. And very interestingly, whilst it's being led by governments, it is open completely to the private sector as well. Because this is IDAS 2.0, I guess 1.0 was a bit like GOV UK Verify very restrictive. Hard to get into federated identity mechanism, that didn't have many uses outside some restricted government use cases. Whereas IDAS is much more of an open ecosystem, where they're putting in provision to allow anyone to add any credential of any sort, within some limits, into this IDAS Wallet. So it's really a full end to end ecosystem solution.

Tracey Follows  12:05

How are they managing the fact that different countries have different identity systems already? Are they are then insisting that they all move to one new system? Or is this a new system that is encompassing and very forgiving of different versions, if you like?

Andy Tobin  12:22

Yes, so one of the drawbacks is that there will be implementation at the member state level, and that could allow for variances to come into this what would otherwise be a nice cohesive, interoperable ecosystem. However, they are setting down the standard for what an identity credential looks like. So this will be your official government identity credential, okay. So, there are standards about how that is going to be set up and who can issue it and how you get certified to issue it and the meaning of it and the data in it and so on. So, there is a lot of standardisation happening, there is also the creation of a reference implementation of the IDAS wallet. Which will be open sourced and can then be taken and implemented by each member state accordingly. So member states can either build their own, they can subcontract to somebody else, licence somebody to create one or more wallets. So it's quite an interesting situation at the moment where there is, in a typical EU way, a really strong desire to have commonality and interoperability across all member states, but there are some gotchas for local implementation. And it remains to be seen how those play out.

Tracey Follows  13:42

Now when you say issued with a credential, how do I get that government credential? Do I have to go and show my birth certificate somewhere? Is it replacing what would have been an identity card unique number? What is the credential?

Andy Tobin  13:57

Well, the first thing to recognise with it, with IDAS is, you can get your IDAS wallet. And you can fill it with all sorts of credentials without ever having to go and see the government. Okay? So you can use it without putting any government credentials in it. And that's a huge leap forward. I wrote an article on this called 'No PID, no problem'. So you could actually use it without one of these PIDs. The PID however, is a bit like going and getting your passport or going in and getting a birth certificate, you know, it's an official government document, albeit in digital format. And the data that's in it, there’s a mandatory data set and a bunch of optional elements. So there's things like your name, your date of birth, interestingly, a unique citizen ID number which we should come on to about unique reference numbers shortly. So there's some mandatory attributes as part of it and in order to get it or there will be processes in place that follow a level of assurance high as it's called to go and obtain it. So how that is implemented, again, it can vary country by country. And it will be fairly friction full. To obtain one of these, which is by design, you don't want to just have people being able to fake it very, very easily. It will involve reduction of evidence that you are used that you are. So, this is already in place with IDAS1. This is level of assurance high to get an IDAS1 account with an identity provider. Here when you'll run through similar processes, by showing various documentation and so on. And then rather than getting an account with an identity provider, you will be issued that PID credential into your wallet. But yes, it is worth emphasising that you'll be able to use your wallet without having a PIDn in it. When your wallet does get a PID, and PID is such a horrible expression isn't it? Personal identification data. Once you have got that your wallet, it goes into a different state, which is called a valid state. So it becomes a sort of government authenticated if you like.

Tracey Follows  16:06

Okay, how are the Nordics doing this, because their identity systems seem to me to be much more affiliated to the banks, and has come out of the banking industry. So how's that going to work if some or all of them become part of IDAS?

Andy Tobin  16:22

Yes, well, we're working very closely with Nordic governments, myself and the chaps from the government of Sweden set up a large scale pilot consortium called the EU Digital Identity Wallet Consortium, or EWC, for short, which now includes a number of other governments as well. This is getting European Commission funding to run large scale pilots of IDAS2, include the Finnish government as well, for example. So they're looking very closely at this. And it also includes a number of bank ID type providers as well. And I think you need to look at different sorts of use case. So bank ID, is typically used if you go to a retailer, for example, and you need to identify yourself, you can have login with bank ID. So it's a federated approach. You go to your bank, or the bank ID provider, you log in there and they go back to the retailer, say yes, Andy is Andy. Okay? In this new world, you'll be going to them with a credential that says Andy is Andy. There's nothing stopping the bank ID providers issuing credentials into your IDAS Wallet.

Tracey Follows  17:32

So let's talk about the wallet then what's in and not in the wallet? Can anything possible be in the wallets now? Is that how much IDAS has evolved?  [laughs]

Andy Tobin  17:42

Yeah, I think so. Theoretically, yes. Without getting into the depths of the technicalities of it, the team who are doing the design, which is called the architecture reference framework, have been really responsive to feedback from the industry and folks like me, and so on. Who, who say, Look, don't make this a government's only thing because it will fail if you do that. You need to open up for innovation. And the way you do that is you allow organisations to have credentials for anything within this wallet. So the way they've done things is they've created two configurations within the wallet. So far. There could be more than two. The first configuration is one that's really dedicated towards official government credentials. And the second configuration is much more flexible, and includes W3C verifiable credentials. In fact, the first config includes that as well. It allows a lot more flexibility around who the issuers of those credentials can be, how they're locked into the wallet, and so on. So it really opens up for innovation. And it's early days yet, I mean, there is no wallet. There's no IDAS wallet, yet. There is a consortium, which has been commissioned by the European Commission to build the reference implementation, which will be open source, so anyone can play with it and try it. And the actual wallets themselves, they will have to be certified as conforming to a set of specifications and capabilities. So you're not going to be able to have Andy's little backstreet hacking organisation creating an IADS wallet just from nowhere. Any wallet that a PID is going to be issued into is going to have to be a certified IDAS wallet.

Tracey Follows  19:43

Who's going to do the certification?

Andy Tobin  19:46

Yeah, so there are certification bodies in member states already that will do that and again, rules still coming out for exactly how that's going to work and what the certification will look like. But the idea is to give citizens a really good level of trust that this is a legitimate wallet, and it will behave in the right ways. And that leads on to a number of other implications for what the right ways might be, and what happens when things go wrong.

Andy Tobin  20:13

So I think to bring that together, you're going to be able as a European citizen, to get from your government or a government approved supplier, an official digital wallet, with certain capabilities in it that will be usable for public and private sector use cases. Which opens it up for all sorts of use cases that using the sort of digital credentials self sovereign identity world have been looking for for ages.

Tracey Follows  20:47

Do you consider IDAS to be fully self sovereign, then?

Andy Tobin  20:52

I don't think so. If you think of a spectrum from a fully centralised account, like Facebook, or Apple or Google where they control it, or Twitter where they control the whole thing, and they can turn you off at any time, to full self sovereignty, where there is no central control, everything is decentralised, then any solution implemented is going to sit somewhere along that spectrum. And with IDAS we're seeing quite a degree of centralization coming in around the governance of the IDAS ecosystem. Someone is going to need to manage the Trust List. Somebody is approving a wallet. Somebody is defining the fact that a PID has legal status and something happens if it goes wrong. So there is a degree of centralization. That's even before we come on to the technology and who runs the verifiable data registry and who runs the trust lists, and so on. So it's definitely not at the extreme SSI side of the spectrum. But it's a long, long way, from the centralization side of it. I think we need to see the implementation a bit more and see how different member states implement to determine how centralised it becomes. But the big difference is that you're getting your data deployed into your wallet that is on your device that you then manage. That's a big, big difference from having your data held hostage, if you like, in some central database. You're getting given a copy of it that you can use at different places. And you shouldn't be able to be tracked when you're using it. And you should have full privacy when you're using it. So from that perspective, it is much more down the SSI side of things, but the human governance and regulations and so on, we'll pull it back from full SSI infrastructure.

Tracey Follows  22:50

Can you give us a use case on, you know, who would be a verifier? And who would be an issuer? And what actually happens in the use of the wallet and the showing of a credential in a situation, like an everyday situation?

Andy Tobin  23:04

Yeah, I think the easiest way to think of it is what have you got in your wallet at the moment? So let's say I've got my employee ID from my organisation. So in that situation, in order to issue that ID card, that physical ID card, the employer has to know who I am and have a picture and all of that kind of information. And then they print out and issue that employee ID card to me. So instead of printing it onto a physical piece of plastic, they can take exactly the same data and put it in a credential and send it into my wallet. And how that might look is on a work system. I'm already authenticated into, say you scan this QR code to get your employee ID on your phone, and you scan it with your wallet app. It  pings up and it says here's your employee ID. And you're done. Right? When you want to use it, let's say you're booking a flight with your employer's travel agency, and you need to prove that you're an employee. They might have a QR code there says scan this to prove who you are, that sets up a connection with your wallet, your wallet will then pop up and say please share the fact you're employee of Gen digital and if I didn't need to know any other information, but I just share that. And they get that and they can verify it’s authentic. So that might be an employee ID use case. You might have another use case, which is a construction worker needs to prove they're certified to run a tower crane, for example. So they go to their new site. They've got a wallet full of credentials. One of them happens to be their tower crane certification issued by the tower crane Certification Board, wherever that may be. They go to the construction site. There's a foreman there, who's got his phone, and he pops up a QR code saying please provide your credentials to the tower crane driver. His phone goes ping, Foreman wants to know this, this, this, this and this? Do you want to share it? You say yes. So you're sharing under your control. You share the data to them, they get lots of, a picture of your face their certification. And most importantly, they're able to see that the training authority that issued this certificate is the one that has actually signed and okayed it. So that might be another use case. So it's, you know, in this world, many, many use cases, anywhere where you're proving who you are, or what you are, or what you're entitled to, could be used. And what's more interesting is if you have to prove that you're a tower crane driver that works for a particular employer, it's going to be very interesting to see how the wallet tech is going to come along to allow you to combine multiple data attributes from different credentials together, to do those things that are really painful for us often, like, have you got a bank account? What's your address? What's your social security number? You know, bringing lots of different identity elements together, or entitlement elements, whatever they may be, to prove in one go something that typically with paperwork, which would take you ages.

Tracey Follows  26:11

This is very important, isn't it? Because what it's doing is verifying that you're a person and then verifying some facts about that person, but not identifying the person. And I think this is where one of the misunderstandings about this particular model of digital identity anyway, comes, that people think they're going to lose their anonymity, or potentially they're going to be tracked. I mean, maybe you can talk to that for me, but that somehow they're going to be identified as a particular person. Whereas that's not what's happening here with this system, isn't it?

Andy Tobin  26:46

That's right. So really important point to make. This digital approach is actually much more private and secure than a paper based approach. So a good example, is the well overused, are you over 18 to enter a nightclub type thing. Where normally you might go up and have to show your driving licence. And I've experienced in various different countries, you can show driver last night he took a picture of you, of the driving licence, so they can prove they've checked who you are. But all they're looking for is the date of birth, but then they've got your home address, and they've got your picture, etc. And that's really, that's really dangerous. Because there's, there's no other way to handle it with a physical, plastic driving licence unless you carry a little card with you a little cutout windows on it, to put over the top of it, which they probably wouldn't accept anyway. In the new world of digital credentials, you can do what's called selective disclosure. And you can reveal only the attributes you need for a particular transaction. So in that example, I could reveal a picture of my face, and not even my date of birth, but an over 18, or an over 21. So this capability is actually in the legislation. It says things like selective disclosure, must be supported. And that makes it really powerful and a lot more private than actual paper documents that everyone is already comfortable with. It enables you to prove things about yourself without revealing too much information that you don't want to reveal.

Tracey Follows  28:20

Now, what about tracking is that possible at all with the technology and the regulatory framework?

Andy Tobin  28:28

There's been a lot of debate about this. Some of the initial legislation, drafts included unique identifiers for the wallet. So that's like in your physical wallet, having a serial number on it, every time you use it, you have to share. That would be very, very bad, because that is a unique tracking number that follows you everywhere. And everywhere you used your digital wallet, organisations would see 12345 and they would associate that with Andy Tobin. And then the next one I went to if I was using selective disclosure, they would associate it with a man who is buying some camera equipment, for example. And then the next place is a man who's over 18, who's buying some Finnish Gin, so that you can start to build up a picture because that unique number ties everything together. There was a lot of pushback against that from folks like myself and other people who are steeped in this world of the danger of unique identifiers. So and I happily I can report that has been taken out. We need to check the legislation against make sure it doesn't go back in. And I think we need to differentiate really clearly between unique identifiers in a credential as an attribute, like for example, a passport number and unique identifiers in the metadata for the protocol, the information exchange that you can't see you don't have any control over. So, of course, there will be unique identifiers in credentials. Because you have a driving licence number already on your physical credential, you have a passport number on your passport, you have an employee ID number, etc. But if you're using selective disclosure, you're able to share details from your passport without necessarily sharing that passport number. Of course, if you were crossing a border, by law, you will have to share your passport, but it's very different with an official border crossing type example like that, versus, you know, me at a shop. So there will be unique identifiers in credentials as attributes. And that is actually part of the PID. There's a unique identifier citizen ID number in the PID. But that doesn't mean you share it everywhere. The danger is about unique identifiers in metadata, like a wallet ID, for example, that are shared everywhere you use your credential, and that act as a unique correlator for you. And that's very much like a supercharged version of a Google Ad cookie, ad ID. So we need to make sure that doesn't happen. Unique Identifiers in metadata are really bad. They can only be used to correlate you and track everything you do. So it looks like they won't be, those will not exist in the IDAS world, which is great news. But again, still early days - there is no wallet yet, so we can't check this. So we need to see what the first version of the reference implementation of the wallet looks like to verify that that is the case

Tracey Follows  31:38

Without any unique identifier, in the metadata like that, can the government identify your wallet? And then, like revoke it? I mean, do they have that power? Or is it really not within their gift to do that, the way in which it has been structured and set up?

Andy Tobin  31:58

Yeah, you're hitting on exactly the right points here, Tracey. So one of the reasons they wanted a unique identifier in the wallet is so they could revoke a wallet. And a number of us were aghast at that because my wallet as we now know is going to contain all sorts of credentials. Not just government ones, but private ones to me, employee ID, etc, etc. So the government revoking my wallet would be a bit like me reaching into your pocket and taking your physical wallet with all of the stuff in it, just to revoke your driving licence. Okay? So rather heavy handed and not very sensible. So that looks like it's gone away as well. What's in its place is a change your wallet state, okay? So your wallet can be operational, in which you can put any private sector credentials in it that you want. But when you put a PID into it, the wallet becomes a new state called valid, it becomes a legally valid thing. So there was a really long, interesting argument, discussion, debate around whether you revoke the credential or you revoke the wallet. And thankfully, revoking the credential has won out, which is definitely the way you should do it. Because it allows the other credentials to operate. So if the PID is revoked, then the wallet changes state from valid to operational. It doesn't mean nothing else can be used, it just means you haven't got a PID in there. Okay? And that's a really important differentiator. There's no detail yet on how revocation is going to happen. And revocation itself is a really tricky thing to get right. Because revocation can be a privacy leaking process. If I published somewhere a list of all the revoked PIDs, then anyone could look at that and go, Hey, Tracey has been revoked. Oh, dear, That's naughty what she'd been up to. So you can't publish a list anywhere in the open like that. So the question is then, if I'm using my PID somewhere, how does someone check if it's revoked or not, but they need to check your list somewhere? How do they check that list without revealing all of the data in the list? Okay. And without when you share your PID, if you share the metadata a revocation ID for that PID. That's a unique identifier in the metadata. And as we know, you shouldn't do that. So there's a bit of work to do on revocation. There are some really interesting anonymous replication protocols out there. This is a really thorny area, but it's one where IDAS is going to stimulate a huge amount of innovation because, you know, there's so much to be gained here that there will be amazing cryptographers working on this, you know, mathematicians figuring out how to do it, make it work at scale of, you know, hundreds of millions of people and so on. So it's gonna be amazing to see what evolves over the next couple of years.

Tracey Follows  34:59

Yeah, it is. Yeah, it's just gonna be big new ecosystem and new industry, isn't it? Like, when the car was first invented, it was just the car, wasn't it? And then, you know, MOT certificates needed to be done. So then you've got people setting up garages and stuff. And the whole system then flourishes, doesn't it as new services, I guess, start to be added on as you start to realise what is required to like maintain it? Is this the end of passwords and usernames, username identifiers? Can we do without these and do away with them now?

Andy Tobin  35:37

So the answer is, I'm going to say yes. Because if you have a digital wallet of this sort of capability, you can absolutely get rid of usernames and passwords. And the wallet itself acts as a two factor authentication device as well. Okay, so it is definitely possible. It also will let you sign digitally sign documents like contracts, as well. At the moment, it's a bit easier, because you can get a PDF, and you can scroll on it with your finger, right and send it back. So there will be an ability to sign as well. So once you can digitally prove who you are, there's two steps here, essentially, there's one which is onboarding. So you onboard, to a new, I don't know, so your online shopping as a retailer, or as your employer or something, you onboard by proving various things about you from data you have in your wallet,. Just like you go in your filing cabinet, and you pull out bits of paper to prove you've got some A levels, or whatever it might be university degrees. So you use that information to onboard digitally in 10 seconds rather than 10 days. And then once you're onboarded, the wallet will enable you to be recognised instantly when you go back. So it's perfectly feasible for let's say, your onboarding for that retailer for that retailer to give you a credential into your wallet to say you're a customer. And then when you go back, you just say well here I am and here's the credential you gave me previously, that says I'm a customer with this customer number and delivery address, etc. So absolutely getting rid of usernames, passwords, CAPTCHA codes, etc, is definitely on the cards.

Tracey Follows  37:19

Are we going to need to use a biometric or maybe even more than one biometric?

Andy Tobin  37:24

The answer to that is yes. It'll depend on the seriousness of the transaction, you're doing the level of assurance required. So the wallet you'll need to open your wallet with probably the on phone biometrics, okay? But there may be other situations where as you execute the transaction, you need to know that the person who is executing it, that has hold of that wallet ,at that time, is the right person. So it's a remote transaction, typically, and you need to make sure Andy is Andy, who is pressing his finger, you know, I can register other people's fingerprints or faces on my phone if I want to. So at that particular moment in time, you want to check that the person holding the phone is the right person. And for that you can do a biometric comparison with a passport photo, for example, that is also digitally held in the wallet and send an okay, back. So not not 100% sure if that's gonna be implemented in IDAS yet, but I can see it happening for those high assurance transactions.

Tracey Follows  38:26

And anonymity - is anonymity going to be possible everywhere, that you would want to be anonymous without any restrictions.

Andy Tobin  38:36

So that is the plan. So in the legislation, there are a number of clauses in there that reinforce that now. For particular use cases, you will have to reveal who you are. And that's, that's fine. So if I'm, I want delivery to my address, I'm gonna need to give him my address, right. But if there are transactions where that's not necessary, then it will definitely be possible for you to just share the minimal amounts of data you need. Now, what's going to be really interesting is how the legislation manages what relying parties or what relying parties can ask for so the relying party is the organisation that's asking you for the data. There is talk of relying parties having to register somewhere with someone somehow in order to be able to send requests to an IDAS Wallet. So that's gonna be really interesting to see how that emerges. I think it would be sensible to have organisations register if they're asking for what might be deemed sensitive data like data from your PID. But if I'm just a gym and I want your gym membership card, then that's probably fine. So I think we'll see different levels of relying party registration from none to quite a lot. And as you said earlier, it's part of this ecosystem evolving someone, there's gonna be a registrar somewhere. How does the relying party apply? What do they say about what data they want? Who they apply to? Does it cost them any money? Who is the registrar? Who pays them? How do they work? There's gonna be a list of relying parties somewhere, where's that list? Who runs it? How secure is it? If someone hacks it, what happens? So this concept of what's called trusted lists, which is built into IDAS, is really important. If there's a trusted list for relying parties, who operates it, and what controls are there on it? Because the party also be a trusted list of issuers. So who is allowed to issue a PID? As a hint that would be a government in a member state. But if there's a trusted list, and someone hacks it and as Andy Tobin's Cornershop, as a trusted PID issuer, then it's going to be really bad, because I'll be issuing PIDs for £20 a time and becoming very rich. So trusted lists are, under the skin, the thing that is going to act as a centralising function, right? So someone's going to run these trusted lists somewhere. And it's an area which if I was an attacker, like a hacker of some sort, I don't go for your wallet, I go for the trusted list so I can fake a bunch of other wallets and things.

Tracey Follows  41:25

Should the UK just have gone with the IDAS system. And may it do that in the future, if the approach he's got at the moment ends up not living up to expectations?

Andy Tobin  41:37

Well, I think you can imagine lots of scenarios where a European with an IDAS wallet comes over to the UK, and wants to prove something about who they are. So it would make sense for UK organisations to be able to request data from IDAS wallets, which would mean they probably need to be on some trusted list somewhere. So that would make an awful lot of sense. Then you've got the opposite action where a UK person goes to Europe and they want to prove digitally who they are, they don't appear as, as sort of second class citizens, it would apply to anyone in American, someone from Bolivia, someone from India anywhere, goes to Europe and is locked out of this world of really slick, fast, secure transactions. So it remains to be seen a little bit on that. Certainly the EU is really leading the way here. The UK government is involved in the large scale pilot consortium that we've set up. So DCIT, I think they're called now, no longer called DCMS, we did invite them in to participate in May. They have joined in very willingly to see how things are operating. So I think that country to, EU outside the EU integration is gonna be really interesting one. It's gonna be hard enough, just getting member states in the EU to work together to make this happen, let alone anyone outside. So I think the UK government's doing the right thing at the moment, which is joining in with a consortium that is working on this to see how its operating, and determining what their process will be from their own. So certainly very ambitious, I could see the UK and other organisations joining in with their own IDAS type capabilities. And there being some Global Trust List somewhere like there is for passports, right with iCal. So why not for digital wallets? Again, someone's got to run that workout who's gonna run that thing.

Tracey Follows  43:40

And then someone's got to oversee the running of it.

Andy Tobin  43:43

Yeah, exactly. There you go. So I think the opportunity exists. And I think that the EU is doing the right thing in setting up the IDAS wallet has an open source capability. So everyone can look at what it's going to look like and use it if they want to. And then the decision can be made down the line whether to integrate different trust ecosystems together.

Tracey Follows  44:08

It's an interesting future that we're heading towards with all of this. And as you've pointed out, there are lots of things that we don't know yet because it's all in play. But I know that you've noted in some of the stuff you've written on this topic, that if this doesn't pan out in the way that you have brilliantly explained on this podcast, that big tech will step in and fill the vacuum. And that's a very different future, isn't it? How would that, just in summary, how would that play out in terms of some of the aspects we've just been discussing? Anonymity, getting rid of passwords, interoperability, would it work at all?

Andy Tobin  44:47

Well, that again, is a really good question, Tracey. Big tech is already there. So you have your wallet, on your Google your Android phone or you have your wallet on your Apple phone. And then you have other wallets, like you can have a Google Wallet on a Samsung phone or a Samsung wallet. Not so much on the iPhone side of things. And you think, well, what are the drivers there for these folks doing this? Well, if they own your identity, let's put it like that. If they own your wallet, if you can't easily transfer out your stuff and put it somewhere else, then you're going to stay with them. Right? And the question for people is going to be whether that's a comfortable thing or not. Now, at the moment it's the easy thing. Because sure you're in the Apple ecosystem, for example, great, you've got an iPhone, you've got a MacBook, and I've got my wallet. It works on them all. And it's great. Well, the reason it works like that is because Apple wants to sell you more shiny things,. People might think, well, they're great, because they're, they're not selling my data. Well, they do have quite big advertising business as it happens, but they are selling you more and more very highly priced, shiny things that don't interoperate with anything else. And then you've got Google on the other side who are an ad driven business who are looking at how they can sell your data for ad revenue. And that's just two examples. What would be really interesting would be if Apple and Google and others like Meta and so on, if they, IDAS enabled their wallets and got them certified. That would be really interesting, because the legislation would force data portability, for example, and openness. So I kind of can't see it happening, because they're all about locking. Whereas IDAS is all about openness. We will have to make IDAS really attractive for people. At the moment, my Apple wallet or my Google Wallet, they just worked really easily. I can put various credentials in boarding classes and all that kind of stuff. There wasn't really any selected disclosure. And it's not really the ability to combine different data elements, for sure they know every time you use it. So you need to make the IDAS wallet as beautifully simple and easy and elegant to use. And there is no focus in the IDAS world at the moment on that user interface, which is a big gap needs to be filled in, right. And lots of focus on the legislation and lots of focus on the underlying technology, no focus on whether I see a big green tick or its blue, or it's in the right, a nice font to read, etc. So that's a huge gap. And if it's filled by techies, it's not going to look beautiful.

Tracey Follows  47:35

It's going to be hugely bureaucratic, isn't it? It's going to look like a bureaucracy has done it, designed it, because it will have, right?

Andy Tobin  47:42

Well, this is the thing. Yeah, it doesn't have to. But at the moment, nobody is putting a design language around it. So yeah, that is a big gap needs to be filled, and I think the European Commission is saying, well, here's some open source stuff for a wallet, you can paint it blue and whatever. But I think citizens will be seeking a familiar, consistent user interface that fills them with trust and simplicity. So they reach for their IDAS wallet, rather than their Google or Apple rather than the inbuilt operating system wallet. So that's a really big challenge. But if that can be overcome, you know, usage is going to skyrocket and the be really epic.

Tracey Follows  48:27

That's a fascinating possible future. Because I mean, I can see them obviously charging every time you want to use a credential, something like that. But also, you know, they'll just revoke things, won't they? And we've seen that with PayPal, we've seen it with other tech platforms. We've seen apps taken off the whole platform, because they haven't behaved in the right way. Or they don't have the right opinions or their users aren't behaving in the right way. And that to me is, is more terrifying, I think, than any of the alternatives, apart from the Chinese system. As we go towards ambient and spatial computing. And we spending more time in, let's say, mixed reality. And obviously, we are talking about 2030 and beyond now, you won't have a smartphone device with an app on it, will you? So where will the credentials go? What will they be like?

Andy Tobin  49:17

Right? That's another really good question. Where will they go? So IDAS already allows for a cloud based wallet or a hybrid wallet. So you can have what's called a full edge wallet where all the credentials and keys are on the phone, a hybrid wallet where some elements of that like some of the keys that unlock the main content are on the phone, but the actual credentials are in a cloud somewhere, which just means someone else's data centre. You need to know who that cloud is. And then you can have a full cloud wallet, which is everything is in someone else's data centre. So it's a really interesting one. to see how this is going to play out. It becomes much easier for synchronising it receive multiple different devices, if you've got a hybrid or a cloud style wallet. So as you're going to Metaverse or mixed reality situation, firstly, there's a really important role to prove who you are in, in a digital environment as well as, as well as the physical environment like, you know, your retail shops, and so on. So it's just as important skill to identify yourself effectively there, or prove things about yourself in such virtual environments. So the question then becomes, if you're going to go down the route of a cloud, or a hybrid wallet, who's going to provide that for you? And how much do you trust them? And how do you avoid it just being a Google or a Facebook providing that and locking you in, and as some of the legislation around IDAS is about preventing that from happening, about allowing you to select a different wallet and use a different one. But with the same underlying technical protocols to make it interoperable. There are certain things with IDAS that you can't move from one wallet to another. So you can't move a PID from one wallet to another, it's locked into, it's locked into the wallet. So interesting. There's latitude to allow for cloud based wallet scenarios. But then you've got to figure out who the cloud provider is going to be and how to regulate them and so on.

Tracey Follows  51:22

Then I'm on Amazon Cloud aren't I? And AWS, and then I'm locked in again!

Andy Tobin  51:27

Yeah, well, the thing is, the legislation should prevent that from happening. But then people will go down the easiest route, don't they? And might find that, accidentally its all on AWS. So yeah, very interesting one.

Tracey Follows  51:42

So a final question for you then Andy, what is your vision for 2030? Where will we be with digital ID by 2030? And what would be like the priority things that have to happen, to make sure that that's achieved in reality?

Andy Tobin  52:00

So where will we be 2030? I think IDAS is creating a huge wave of interest in this digital credential world. Previously, it was companies like Evernym, where I used to work, who were ploughing the furough of saying, look, there's a better way. And a lot of that work that the early pioneers have done is starting to pay off now with things like IDAS so I think it really is setting the scene for what a digital world will look like that encompasses trust, and privacy. So I think that's really good. And I think in seven years time, every organisation will be issuing and verifying digital credentials, whether it be private sector or government sector. I think that there'll be a bit of a balance of power that moves back to users. So rather than this, go here and create an account thing, there'll be feeling much more in control of who they're sharing data. And for what, and being able to manage that situation. People are already getting used to digital wallets, the whole COVID thing made people a lot more use to scanning QR codes. That's sunk into the psyche of people. I'll hold my phone up to a thing, right, that theatre of doing that has now happened. And that is the primary way that you initiate a trusted digital connection as well. So the groundwork is there. IDAS it's coming along with this huge wallet initiative. There are other huge wallet initiatives happening as well. There's all sorts of other things going on. But even if IDAS doesn't work, the cat is out of the bag, and it's happening anyway. So I hope it does work. Because that combination of carrot and stick, right, the legislation, you must do it like this, here's what happens if you don't. Plus the carrot of vastly improved business processes, much better user privacy, much better user convenience, without getting hacked and fished all the time. That carrot and stick approach is really, really good. I think it's going to lead to huge toecap. Lots of hurdles to jump through, you know, this this large scale pilot that we're involved in. We got two years to have 1000s of users using this stuff. And yet, we haven't even got a wallet. Nobody's got a wallet yet. So lots and lots to do, lots of innovation to come out. And I think it really, IDAS is triggering a huge mainstream effect, you know, going from small startups like Evernym was. Evernym has now been bought by Norton. It's a core part of our strategy is this. It's, there's other organisations doing the same. So it's a really significant leap forward in this wave towards a digital credential world that frees us up from subservience to big tech and account providers.

Tracey Follows  54:54

Well, Andy, thank you for bringing so much clarity to what is really a very complex, highly technical topic for most ordinary humans to understand. So it's really helps a lot with I think, civil engagement and public discussion on this. So can't thank you enough for that. Thank you.

Andy Tobin  55:11

You're very welcome and great questions as well.

Tracey Follows  55:20Thank you for listening to the Future of You, hosted by me Tracey Follows. Check out the show notes for more info about the topics covered in this episode. Do like and subscribe wherever you listen to podcasts. And if you know someone you think will enjoy this episode, please do share it with them. Visit for more on the future of identity in a digital world, and for the future of everything else. The Future of You podcast is produced by Big Tent Media.


More posts from this author