Identity Should Be Self-Sovereign
Informal security chat with Beyond Identity's CTO Jasson Casey, Head of Global Sales Engineering HB, Founding Engineer Nelson, and our host Marketing Empress Reece Guida on how identity should be self-sovereign and why people should care.
Transcription
Reece
Hello, everyone, and welcome to another episode of "Hot Takes" with your legendary crew, including me, Reece the host person, and...
Jasson
I am Jasson, the CTO.
Reece
And...
HB
HB, I run global sales engineering.
Reece
And...
Nelson
Nelson, I'm the founding engineer.
Reece
That was one of our smoother ones, guys. Well done. You're like, no, it wasn't. It was still as terrible as usual. So we are here on this lovely Friday afternoon to discuss a hot take that, ooh, it's a hill we would all die on, I think, right, guys? Identity should be self-sovereign. Now, that sounds very regal, and, you know, it might be an unfamiliar bit of terminology. So does anyone want to enlighten the listeners on what that means exactly and why they should care?
Jasson
Nelson, this is you.
Nelson
Who says that you are who you say you are? Is it your job that gave you that credential, that title, that access, or is it a thing that you hold yourself because you created a credential and you can assert certain things about yourself and you can also allow others to assert things about yourself that you hold, and then you show those things? It's a very complicated matter as you can tell.
Reece
Yeah. So what would that look like practically? You're saying it goes beyond just logging into my Salesforce account?
Nelson
Man, it goes a little beyond. Yeah. So if you have a wallet, and you have some claims. No?
Jasson
I don't have a wallet.
Nelson
I think I already lost Jasson.
Jasson
I just don't have a wallet.
Nelson
Yeah. So the model is different. I think that's what it comes down to. Rather than all the things that are known about your identity being locked up in a database somewhere in your work environment or in a customer database for the shop you go and do things with, you hold these claims that either you self-assert because they're things that you say to be true about yourself, or you hold these claims that others gave you and you can prove or you can show that those claims are true because there's cryptographic math assigned to it. Is that a good definition?
HB
I think I'm just a simpleton who's trying to look for freedom from my big tech overlords who insist that they can manage my IDs and love to publish how many billions of identities they've locked up into their fortresses.
Reece
Take that, overlords.
Jasson
It's okay. We already control him through 5G.
Reece
So, it's kinda a way...I think what you're saying, Nelson, is you have a wallet for everything, like all of your identities, whether it's for work, your civic life. And they can be managed digitally by you. So that's putting the power into the hands of, you know, whatever you are in the moment, whether it's an employee, a customer, a citizen.
Nelson
Yeah. There's a bunch of different implementations of that. But, at the end, they'll kind of come down to the same thing. There's a list of attributes and you choose which to show to whatever you're trying to log into. You say I want them to see my date of birth and the fact that I have a driver's license and here's the number of the driver's license.
Jasson
So, if you were to rephrase it in terms of like the value or the utility to the end-user versus the service provider, would it be essentially control of information disclosure, or like more privacy control to the end user, or is it something else? And what is it for the service provider?
Nelson
Yeah. Good question. So I tend to think about it as if you collect all these attributes through your online life because you shopped at Nordstrom five years ago and they give you a loyalty card. But that information lives at Nordstrom.
HB
How did you know that Nelson?
Nelson
Well, because they told you, right? They said, "Hey, here's an email, here's the loyalty points, card number," whatever.
Jasson
I looked HB's info up from a data broker last night. So that's how we know.
HB
Yeah. I thought you guys were really on a data broker going, "Hey, you know, we were inspired by John Oliver and we're just buying each other's data secretly."
Jasson
Well, I thought we weren't supposed to talk about the arrest for check forgeries.
HB
Yes. My favorite crime, check kiting.
Jasson
Okay. So I've always had a hard time with self-sovereign identity because it starts to in my mind feel more like, or it comes across in my mind like Web3 and crypto in terms of, like, it's fascinating and interesting from a technical perspective, I just don't understand why we'd use...what we would use it for in a way that's useful or simple. So, I'm still trying to wrap my head around this. If I rephrase what I heard, self-sovereign identity provides a way for an end-user to control the information disclosure of themselves. I still don't understand what's the value to the service provider, because the service provider, they like having that information. Why would they give it up?
Nelson
Yeah. But in the traditional model, kind of the three actors, the issuer of the claim, the holder of the claim, and the verifier of the claim.
Jasson
Well, let's make the issuer concrete. So we've got...what did we say? Kohl's, HB, and who's the issuer?
Nelson
The issuer is Kohl's in that example. So issuer is...in the traditional model, the issuer and the verifier are the same person or the same entity.
Jasson
Okay. So in the new model, they're different?
Nelson
It could be different, right? So with a Kohl's card that has your loyalty number, that's enough information for somebody who is not Kohl's to trust that that's a valid claim and use that to benefit you in some way. So say you have a Kohl's comes together with the neighborhood ice cream shop, and because you're a member that you're gonna get a discount. In that model, the ice cream shop doesn't have to talk to Kohl's, they know because there's cryptographic proof that you are a member of the loyalty program with Kohl's.
Jasson
What's in it for Kohl's?
Reece
Ice cream.
Jasson
I think HB getting the ice cream, but what's in it for Kohl's for HB to get ice cream on his Kohl's card without Kohl's knowing?
Nelson
They don't have to run the program, right? Say they had a vested interest in creating some loyalty without ice cream shop, they don't have to run the program. All they have to do is distribute the claims and there's no server that they need to set up for the ice cream shop to go verify those claims.
Jasson
Okay. So there's an infrastructure cost reduction aspect to it?
Nelson
Some of it. Yep.
Jasson
So, the part that I've had trouble with though on the e-commerce retail side is these companies value the data of customer purchases above all else right? Because what you bought in the past tells us what you might buy in the future. So does this model necessitate that goes away or do we look at it in a different way?
Nelson
Give me an example.
Jasson
So, in the old model, right, if I'm issuing a loyalty card and I have some sort of cross-benefit with another company, in general, I'm gonna get access to the data of what you're buying at that other place, right? And that's gonna happen at the point of redemption or transaction or whatever they're calling it. My data scientist, my analytics folks are gonna be basically building models both specific on, HB, the individual, right, to figure out like how his preferences in clothes have changed over time to, you know, make sure that we pop in the right ad later. But also probably more...there's probably some group analytics at play as well, right, just to understand, like, demographic change so that they can plan, right, for their future. So do we lose that data or do we get it, but we get it in a different way?
HB
Typical brother thinking there Jasson, you know. Reality is that people today are not opting into this, like, utopian vision that you're describing. They're essentially having their privacy stripped from them using fine-print EULA that no one's ever read. And what this model essentially enforces is that people need to offer more informed consent, and you need to ask for permission before you compromise someone's privacy for the purposes of extracting value from their data. So I think it's a step towards making the end-party or the user a stakeholder in a marketplace that already monetizes them. So like, you know, you could potentially see yourself, you know, giving permission for, you know, some consideration that's equivalent to like what, you know, a person might pay for a targeted display ad. So I think the idea is, yes, like, superficially the current retail model is the current retail model, but we make a lot of assumptions when we insist that we know that switching the identity from the central provider to the end-user will suddenly, like, disrupt and destroy the system.
Jasson
I'm not saying it will destroy and disrupt, it's not obvious to me what's the reason the retailer is going to adopt the technology, right? I've heard a reason why the end-user might want it, but not necessarily why the retailer would want it. And maybe retail's the wrong example. Maybe there's another example that's better.
HB
I think global regulators are getting wise to the fact that the big tech giants are spending a lot of energy and effort in getting their lock-in earlier. And they're showing off how many users they have in their little walled gardens and the users that they've monetized to the tune of tens of billions of dollars. And when global regulators look at solutions to free their citizens, like a benevolent, like, you know...
Jasson
Free their citizens? Oh, keep going.
HB
But, you know, this is like the reality, right? But you need to kind of like look at the regulatory trend, right? Like, a lot of people are recoiling at the idea that privacy is passé and that the new reality is a fully transparent, you know, everyone knows everything about everyone thing. And to get back to something reasonable, you have to, like, think about in a digital world, how do you reproduce, like, sort of, the constructs of privacy that we had prior to this ubiquitous digital world? And I think...
Jasson
So, let's see the argument. Let's see the argument that we'll be compelled to adopt a different privacy framework. Why is self-sovereign the way to do that versus just data controls? Again, and the person who has to implement all of this, right, the service provider or the retailer, or pick a different example, they're the ones that are gonna have to spend money and time on the implementation, right? There's probably...You probably agree there's more than one way of fulfilling some, whatever future data privacy regulation would be. Why is this the choice or...?
HB
It's gonna be simpler.
Jasson
But is it?
HB
I think it also is an opportunity to give people training wheels on their journey to understanding public key cryptography.
If we're looking at, sort of, the future, there's a need to...Not a lot of the world is getting savvy to how to use browser extensions to mint and secure public and private keys for their own purposes. But some of the world is becoming savvy to it. And you don't want to create a digital-crypto divide, you don't wanna have a scenario where the people who understand some of these cryptographic technologies, without necessarily understanding like deep internals. If the people who are able to effectively be power users of these technologies are only, like, the weird folks who have been, like, super involved in cryptocurrencies up to this point, it would be a failing, I think.
Like, I think there are a lot of people who aren't involved in cryptocurrency exchanges and transactions that could still benefit from, like, the broader value of digital privacy, and self-sovereign identity is a good way to introduce people to the idea of a private key that you need to protect, and that needs to be maintained with good hygiene, and how it interoperates with a public key. Like, at a very basic level, I think 90% of the population still doesn't...or more doesn't really understand anything about the idea that you can have this perfectly paired public and private key and it creates certain, like, you know, privacy characteristics that are ideally uncrackable.
Reece
You just said something interesting that has its roots in a real-world issue. And I wanna make sure I'm understanding it correctly. You said when people have self-sovereign identities, they would need to understand the importance of protecting that private key. Well, guess what, I've lost my wallet before, now there's an AirTag inside it. So on the one hand, it sounds like self-sovereign identity is empowering people to have more privacy and control how they're sharing data about themselves and what they like to transact on. But how much responsibility is it to manage that key and make sure that it's not being exploited? Because I know on our end in the security space for what we do, it's very easy, but what about this application?
Jasson
And fundamentally there's no difference.
Nelson
Yeah. It just comes down to the wallet and how that wallet protects the credential on the key. And there's models...like, there's all different storage models for those keys themselves, hardware wallets, or software-based, or paper where you print it, there's little metal things that you stamp and you have your key recovery mechanism built into a little metal plate.
HB
Fire-proof is how that's marketed.
Nelson
Yeah.
Reece
Well, Nelson, you have a chip in the palm of your hand that you use to, you know, unlock certain things like the door to the office. Could your self-sovereign identity inside of the wallet be in your hand? Like, what is...?
Nelson
So you're outing me a little bit, but yeah, I put my private crypto wallet keys...But yeah, the storage of those keys, I think it becomes kind of the fundamental problem if you're placing this trust on being able to present claims about yourself and that gives you access to your online life in so many ways, you better keep those keys close to your body, no pun intended.
Reece
Take it from Nelson, the guy with keys in his hand.
HB
I think it's really early days. And right now, like, I'm constantly amazed. Like, I'll go to a dinner party or meet with my wife's friends and they'll have the craziest stories about their crypto phishing attacks where they were recommended to switch to cold storage of their wallets, and they're regaling me with information about their USB ledger hardware wallet and how it, like, truly protects them. And I have to, like, sort of burst their bubble and ask them, like, you know, so what kind of backup technique did you use? Like, you do realize that now you're responsible for this and it'll disappear if you don't have, like, an adequate, like, approach to that? And you do realize that when you go from cold wallet state to warm or hot wallet and connect it to something, opportunistic actors are aware that there's a limited surface of these USB wallets and you can be, you know, subjected to all sorts of targeted attacks.
That's like a real, like, sort of bubble burst, like, oh crap, like...But my financial advisor and all of my friends have been doing this. And, like, it causes me to marvel, right? Like, having been in cybersecurity, but like, you know, having been busy with young kids, I haven't had the chance to become, like, you know, insufferably entrenched in talking about cryptocurrencies and wallets all the time. But hearing ordinary people do that, it's like kind of wild. And...
Jasson
So, I'm gonna translate. HB is saying he's not a crypto bro but he knows a couple.
Reece
Who you are.
HB
Yes, those.
Reece
You know, listen, guys, we might all be crypto bros in 15 years. We're definitely on the threshold of something interesting. Is it going to be a decentralized utopia or a decentralized hell? Let's, you know, stick around and find out. Thanks for listening to this week's episode, everybody, and we'll talk about something just as enlightening next time you hear from us. Thanks for tuning in. Like and subscribe, etc.
Jasson
Ta-ta.
Reece
Ooh.