Are you in charge of your own digital identity? How do you share "verifiable" information about yourself on the internet?
Our guest for today sheds light on the modern world’s approach to digital identity, as we talk about the different domains of identity, how our identities are currently held and managed by corporations, civil society, and governments, and why we should advocate for the rights of our digital selves.
We also unravel the definition of self-sovereign identity, and dive into how having a decentralized identity framework can impact the way we interact with technology, and ultimately, society’s trust models and democracy.
Kevin Montalbo: Welcome to Episode 34 of Coding Over Cocktails! My name is Kevin Montalbo. Joining us from Sydney, Australia is Toro Cloud’s CEO and Founder, David Brown. Hi, David!
David Brown: Good day, Kevin!
KM: All right. And our guest for this episode, I'm very excited to introduce to you the "Identity Woman." She has spent the last 20 years of her career focused on one thing: supporting the emergence of an identity layer of the internet that works for and empowers people.
She is an internationally recognized expert in Self-Sovereign or Decentralized Digital Identity, authoring two books "A Comprehensive Guide to Self Sovereign Identity" in 2018 and "Domains of Identity" in 2020. She also co-founded the Internet Identity Workshop in 2005 to bring together technologists who want to see decentralized identity come into being.
Joining us today for a round of Cocktails is Kaliya Young. Hi Kaliya! Welcome to Coding Over Cocktails! And you just had a sip there. We're just curious what you were drinking because this is Coding Over Cocktails, after all.
Kaliya Young: What am I drinking? I am drinking like probably two tablespoons of kombucha and a giant glass of water.
DB: That's not a cocktail.
KY: It's watermelon-flavored kombucha. It's very cocktail-like.
DB: Well we’ve had guests bring cocktails on the show. Kombucha is fine as well. Let's get started with the questions. Before we dive into the technicalities of digital identity and decentralized digital identity, maybe we should define it first. I was speaking to my wife about digital identity in this upcoming podcast as a complete layman. She's like, "What is my digital identity?" So, perhaps you could explain it to her.
KY: Sure. So, I think digital identity is actually really complex, right? When we started out back in the good old days of the Internet Identity Workshop, we were really approaching it from the perspective of consumers on the internet showing up and connecting to a place like Yahoo [and] Web 2.0 was just emerging. So, all of those: the usernames and passwords that you have to connect with different accounts is one shape of the digital identity. And then, one of the challenges has been that because of that paradigm of getting an account from lots of places, you could think of your phone number as a type of digital identity. It's an identifier in a network and when you call it, it rings you. An email address [is] the same thing, but all of those have this pyramid structure where you're getting your identity identifier for that particular context, and they could take it away from you.
And we were asking, "How could we show our own autonomous digital identity in cyberspace that we could carry with us between different websites?" That turns out to be a hard problem that I think we've got a lot of promising emerging solutions for with SSI. But it's just a different paradigm. It's more like, "How do I have a digital body that I control in a similar way to how I control my physical body in physical space?" And that's what we were setting out to do with our original work at the Internet Identity Workshop.
DB: So, let's talk about the workshop. You co-founded that in 2005. You describe it as an "unconference." That’s the first time I've heard of an "unconference." You might want to describe to us what an unconference is. But you've since gone on in that conference to define at least the backbone of standards such as OAuth 2 and OpenID Connect. Did you ever imagine that this workshop and this passion for digital identity was going to have such a global impact, defining standards like that, which are used [in] every organization in the world pretty much now?
KY: In a way, that was our goal, right? We wanted to change how digital identity worked. And at the time you had enterprise identity and access management and a sort of corporate federation as your own new model. And we were very idealistic with some of the design ideas of what OpenID could be, that it didn't necessarily become, but it made it better than having an account, a separate account everywhere. Right? Consumer federation wasn't really possible before. You know, some people told us after we succeeded with both OAuth and OpenID, "Declared victory, go home!" And we're like, "Yeah," but we still haven't figured out this problem of how do I have my digital "me" with me that's really mine and can't be just taken away because someone decides I no longer have an account and for people who are listening who may not know, is every time you go and log in with Google or log in with Facebook, you're using OpenID and OpenID Connect and OAuth underneath.
But ultimately, with that big identity provider, as we call Google or Facebook in that scenario, they can take your identity away. And I often call myself an advocate for the rights and dignity of our digital selves. We have hundreds of years of common law and civil law legal practice around how it's not okay to hurt someone's physical self or kill them. Well, if Google takes away my digital identity, what recourse do I have? Zero. Because I have a TOS contract with them that says they're allowed to do that. And I think as the digital becomes more and more important, that paradigm doesn't make sense anymore. Why should they have the right to terminate my digital representation?
DB: So, when you were coming up with these concepts in your conference, which as I understand the unconference concept, is that there's no set agenda and it's like open discussions where, you know, topics can just bubble to the top and throw some world experts on that topic and see what problems we can solve. Is that right?
KY: Yes, almost. I mean, we have a schedule, we actually have rooms when we're in person and digital rooms when we’re virtual and we have time slots. But what we don't do is decide who should speak when about what ahead of time. So, in the opening morning or whatever time zone now that we do it virtually, we literally sit in a big circle and people get cardstock and markers in real life—and some of them do that in digital form, too—and name the topic they want to discuss. And it could be presenting some work that they worked on and a working group. It could be an idea. I remember one particularly poignant idea was put on the wall. It was "Cloud LDAP" with a question mark, and two years later, that was a working standard.
It became SCIM, which is the connection between cloud enterprise services and LDAPs, right? So, it's a way for people to put out things and discuss and talk about anything they want that's relevant to the industry, or beyond. I mean, we've had sessions about Buddhism and identity. So, the good thing is we've made space within our technical community because of this format to hold some of the deeper philosophical and meaning questions, that I think as soon as you start getting close to identity, you end up touching, right? And we don't say, "Oh, no, they're not welcome." They're totally welcome on the wall. And whoever's move [it is] to go in the sessions goes. So, there's another set of things with open space. The method of our unconference is open space technology and it has principles which is: whoever comes are the right people, whenever it starts is the right time, whenever it's over, it's over.
And then there's a law, which is the "Law of Motion and Responsibility", which says if you're not learning or contributing in this session, it's your responsibility to respectfully find someplace out to go. And so with that, your people are in charge of their own happiness at the event. And if they don't like a session, they don't run to the organizer and go, "I don't like it" because the organizer didn't schedule it, right? Just go to some other room where you think you might enjoy the conversation and leave the folks who are happy in that room alone. So, we make a norm of moving between spaces. It's slightly different from the default Western culture way of being at an event where you're being polite and staying.
DB: Right. And you mentioned that there's also philosophical debate, presumably an ethical debate as, "How's this standard that we're proposing going to mature?" So, with something like OpenID Connect, the potential must've been there to see that you're handing over your identity to global giants, which could federate your identity.
KY: No. Because those weren’t the original design ideas. Big companies came and made it theirs. And there's actually a great presentation by Eran Hammer-Lahav—which I'll dig up and you can put it in your show notes—where he was one of the grassroots developers of OAuth and basically it was, "I'm quitting OAuth and why." And part of it was, he felt abandoned by grassroots developers who chose to not continue in the process when the giant company showed up and sort of made it go their direction. And he was there, but everyone else was like, "Oh, you'll take care of it." And he couldn't. He couldn't keep it on a different path by himself.
So, it's heavier than it might've been. The original vision was that the original OpenID talked about at the very, very first IIW which was in 2005 was like, each human on the planet would have their own URL. And you sort of log into your URL every time and everywhere. But normal people don't understand that they could own a URL and they shouldn't authenticate against it. I mean, it worked for LiveJournal users, which was where the first OpenID [was] before OpenID merged four different things that were similar. But our idealism was not eventually realized in the final standards as they are. And I just heard from someone that the new executive director of the OpenID foundation doesn't even know what user-centric is. And I was like, "Oh, that's kinda not great." Right? That’s why we’re onto the new set of protocols that have flowed from the Internet Identity Workshop.
DB: And obviously you're a big, big advocate for maintaining and controlling your own digital identity. So, why is this important? Why should we control our own digital ID?
KY: Because it's too important to delegate to giant corporations or governments.
DB: Now you mentioned governments because we talked about corporations today. But I was thinking while you're talking there, some forms of ID which were in traditional forms of identification, such as a driver's license, I now carry around my driver's license on my phone. And so it is now a digital form of ID, right? So governments, with their health security numbers and Medicaid numbers as we have in Australia, these are all becoming digital identifiers, right?
KY: Right. And so, how those systems work in a way that puts people at the center and not the government at the center is I think one of the critical things for the next five years that we need to really work with governments on. So, governments are an authoritative source of information about people. I was born in the province of British Columbia in Canada. And so, British Columbia is the authoritative source of my birth date and the name on my birth certificate and the location of my birth. They’re the authoritative source. The question is how can I get that information from that government? And then use it [in] other places because other places want to know my name and date of birth? Should the system be architected in the similar way that OpenID is, where the identity provider is this province of British Columbia and every time I want to share my birthday, they have to phone home to that identity provider, to the province to find it out and believe it's true? Well, if that's the case then the government is becoming this hub that I have to go to all the time and it knows everywhere I share my birthdate and that's none of their business, even though they're the authoritative source of it.
DB: Unless they want to make it their business, right?
KY: Well, this is the thing. And that's why I said in the next five years, it's really important for us to do more work with governments to say, "Yes, you are authoritative. We're not trying to end your power to issue birth certificates to your citizens or issue driver's licenses to them, or issue barber licenses", like in the state of California there are like, 150 different licensure things. Great, keep doing that.
But it doesn't make sense if I, as a citizen, need to prove those things that the government's in the way of all those sharings. And that's kind of what the decentralized identity architecture is about. It’s that the individual is the pivot point for federation sharing, not the entities that hold the information or the authoritative source.
DB: Got it. You've written a book, "Domains of Identity" that guides readers through complex identity challenges. And you synthesized 900 academic articles to write this. So, first of all, how do you amass 900 academic articles and then synthesize them into a book?
KY: So, okay. Here's the real deal. I have a master's degree in identity management and security from the University of Texas at Austin. And, it was an interesting journey going through that program. It was done in a way where we had basically one weekend of classes a month. So, we would do two classes at a time and we'd have like, you know, a four-hour block, two days in a row in each of those classes. And that took us two whole years of one class a month to complete 10 units or 10 classes. I don't know how many classes a unit is, but like, that was the master's degree. And during that time, you could either fly to Texas to go to class in person, or you attended on Zoom. And I went to Texas about a third of the time, and the other two-thirds, I was in Zoom.
And I was like, "I have access to a T1 library, right?" Like a top tier university library. "I better use my time to extract from the library all the things that are going to cost me money next year when I need to access a library." So, while I was in class on Zoom, I could have the library up and I'd be searching. I was like, "I got to find the identity literature," right? Just for my own interest and also to try and understand what's out there. The literature is horrible by the way, because so much of the community around IIW has a thriving, intellectual community. That's largely on people's blogs. They're not writing academic articles, but their blog posts, or some of them are intellectually like keystone for our community. And then academics don't like to research people's blogs, right?
So, there's this disconnect between the academic world and then the implementation world of identity. So, I downloaded all these articles and I had a "ta-da!" of insights to start the domains. We were in a cohort class, so we had the same group of 12 students so our teachers knew who the students were. And so, by the time we're in class at six, this professor walks in, they're like, "Let's talk about what identity is." I'm like, "Oh my God, not this first class again." They all said that, right? "We've had this conversation. You're new."
And then the conversation is like lumping all this stuff together. There’s these identity theft issues, like the Target HVAC attack that leaked 4 million credit card numbers or, you know, issues of biometrics and like, "Should they be part of our government IDs?" and "Should they be checked at borders?" Great questions, but like HVAC attacks and your customer center and "Should you have biometrics at the border?" [are] both identity manageable questions in completely different domains. But in these conversations, they kept getting mushed together. And I was like, "Stop it. They're not all the same."
DB: So, you broke these down into 16 domains, right?
KY: I did. So, I had the insights. I saw the domains and then I sifted through all of those articles to find which ones applied to which domains. And then I read all the ones for that domain and I summarized it. And some had almost no articles but I wrote something anyway. And some had huge literature. So, the domain starts with "me" and my identity, and then "you" and my identity. So, delegated identity. I don't know if you're a parent, but if you are, you're stewarding the identities of your children while they're growing up, right? Or if you have elder parents, you're helping them with their identities or disabled folks who can't, right? So, there's delegated identity and it's rarely built into the systems, but it's a critical part of being human.
And then you have a grid that is transactions, registration, and surveillance. And then you have columns that are government, which is like, getting your IDs from the government. You have civil society, which is healthcare, education, unions, sports teams, religion. Big category, but commercial—which is like buying and selling stuff like your washing machines or your car or whatever—commercial. And then employment, because so much of identity management is around managing employee identity and it's its own big category. And then all of that feeds down into the data broker industry, which is buying and selling information, which is disconnected from the "me", you know, the humans, people at the top. Everything I've just described is all potentially attackable by bad actors and sold on the illicit market.
DB: And so I'm guessing by identifying these domains, it makes it easier if you exist in that domain or you're interacting with that domain to start identifying the issues associated with that domain.
KY: Yes. Exactly!
DB: So, you'll both go into these domains and the challenges associated with each of those domains.
KY: Yeah. It doesn't get too much into the challenges. I left that for the next book or for other people to write, but it was definitely like, this is the shape of this domain and this is what we need to think about and to understand it.
DB: Sounds like it could kick off some topics at the next IIW.
DB: Self-sovereign identity. What are the problems with self-sovereign identity you're trying to solve?
KY: So, we've touched on some of those today. I think a great one for where we are now and relating it to the domains is this question of proof of vaccine and being able to share it. So, you can go on an international flight and travel and that use-case ends up bringing together several domains that typically don't touch each other. When I get on an airplane, I'm not taking a medical file with me normally, ever. It’s just not relevant. I might say if I had some weird thing that I wanted to tell a flight attendant about, but no one's by default sharing any medical information with airlines. The same is true with governments when I land with a passport. Although it might be different if I'm an immigrant. Like, I have immigrated to the United States, I have to go to a medical checkup to get my permanent residency here.
But that's also not an everyday thing. It's a special thing for these particular things. But when we're talking about, potentially in the coming year, every international flight you take, you need to prove to the country you're landing in that yes, you're vaccinated. And potentially also, yes, I took a COVID test a day before I got on the plane because you can carry the disease even if you're vaccinated, but you just don't really get sick. Right? And how do we create a system where I can easily take that little tiny piece of medical information from a medical context and put it into a travel context in a way that's as privacy preserving as possible, that shares the least amount of information and puts the individual as the pivot. Because I don't want the airline calling my healthcare record system, but how else do they know it's true?
So, the verifiable credentials technology gives any issuer the ability to sign cryptographically—signed information that they give to you in a digital form. And you can present it to any requester, any verifier that you want based on what you're trying to do. And it's up to you to share it and not up to the airline to connect to your medical system, you have the power to share it. You're the point of federation.
DB: There are so many massive stakeholders involved around identity. So you’re talking about health records and I immediately think of, you know, Apple's Vault on your iPhone to hold your health records. Now, intentionally, otherwise it's holding identifiable records around your health and it could easily hold your vaccination records, for example. Now they may not be intentionally trying to commercialize your health records or otherwise it could be just being good citizens, but there's still a large entity which is involved in this management of identity.
And then you have, obviously, governments and then those which may be able to commercialize your identity like Facebook and all these stakeholders. How do you manage that process when you're trying to create this self-sovereign identity that you have control over? Doesn’t it seem like it's an insurmountable problem when you're dealing with these stakeholders and you know, wrenching this information out of their hands to get control over it and stuff?
KY: Sure. So, I think that the good thing is we have some pretty big stakeholders that are really excited about the technologies. I knew that we might be onto something when we had banks showing up and saying, "This is really cool. Can we use this too?" And we're like, "For sure!" They don't care two hoots about people controlling their own identity. They care that it's actually way more secure and it's a usable public key PKI, public key encryption that provides a way to get end users key material that they can use to log into banks in a usable way. And bonus: they could potentially bring verifiable credentials from a trusted entity with them. Or what else is happening right now? You can go look it up. I believe it's called MemberPass. It was created by the Credit Union Network in the United States to support credit unions issuing KYC information back to their customers to say, "Yep, we checked this person's ID because we have to, because they're a customer of ours and this is their real information."
So, they could use it potentially to fill out loan applications or do things like start engaging with buying a house or things like that. It's not like that's the only ID information those people will need, but it's like a doorway to somebody checking something about this person. So, we can start talking to them in a way that's different than like we have no idea who they are.
DB: And presumably momentum will build. So, you start with these particular use-cases or domains and momentum will build around them.
KY: Yeah. Well, in the US we have the US government funding and several provincial governments in Canada also funding the development of the technology because they, as western liberal democracies who value those values are like, "We're authoritative sources. And we don't want to get anywhere near the transactions where people use their information, because that is inappropriate for us to know."
DB: You mentioned democracy. And I was listening to one of the videos on the IIW website. And there was an interesting snippet at the tail end of it. I don't have the guest's name, the lady's name who mentioned this, but she talked about trust models and democracy. And she said once we have this secure link between individuals where those individuals can trust each other's identity and the data is not owned or controlled by anyone else, it's going to have a significant impact on trust models and democracy in the future. And I thought that was really interesting, like how this is fundamentally going to impact trust and democracy itself. Can you elaborate on that concept a little bit more?
KY: Sure. I think that one of the interesting features about this technology is that peer-to-peer aspect of it. So, that means that with my software agent, I could connect to your software agent, David and yours, Kevin, and yes, there's the software that I have as my agent, but it's a different relationship than having an account with the software agent, which is where we're at now with everything, like with Google, et cetera, right? Like with WhatsApp. Every app that I have, I have to have an account with the app that they control and then I can connect to other people. So, we're being disintermediated by the identity provider role that the app service is playing and with SSI, I can have my agent and connect to your agent using what's called a standard called DID communication.
So, that has a lot of potential to kind of shift that whole sort of connection between people. I think also, in terms of potentially supporting greater integrity around voter rolls and managing them in more sensible ways. But you know, how we know who people are and how we connect to each other, if we look at what's going on with social media and the issues with misinformation, disinformation, I'm in the US and it's really screwing with democracy here.
DB: Yeah, and election results. The trust around our election results. Right? So, if the trust models are fundamentally different, then there's a real, very real case where the outcome of an election is up in the air based on whether we could trust this vote was coming from an individual or not.
KY: Right. I actually think we have really solid voter systems. I actually wrote a report on securing voter data systems. I'll share a link to it, so folks can read it. And it's a fascinating process. I was a non-voter myself living in the United States and not being a citizen. I didn't know about a bunch of things, including that the voter roll is public. And the reason it's public is so that you can know who the voters are and somebody could go check and be like, "Are these real voters in this real place?" And sort of have integrity in the election because you know who's on the list. You don't know how they voted, but that's why it's public in a democracy. And I was kind of horrified that the whole list was public, but that's the trade-off we make for having confidence in these systems.
DB: Collectively, there are so many implications. And I can think there's a bunch of governments that perhaps wouldn't want to lose this control and have people in control of their own identity and be able to be accountable for their own voice and their own identity associated with that voice. So, I think I can see some real changes around and it's going to be interesting how commerce could change when you know you can trust or, you know any type of transaction in a scenario where those trust models have been taken away because you don't consider anymore, because you have this self-sovereign concept where you know the person and the identity you're dealing with is legitimate.
KY: Right. I think this is one of the things that the Trust Over IP Foundation is working on, and what this technology provides for that earlier identity technologies, including OpenID, do not provide is mutual authentication, which is that the person connecting to the website, other than sort of looking at the URL, isn't really able to confirm that the entity they're speaking with is really them, is really the entity they're intending to connect with. Right? And that this technology provides not just a way for me to prove who I am to the business, but vice versa, the business is able to prove that they are the bank they claim to be when I'm connecting with them. And "Are they actually on the trust registry of banks in this jurisdiction? Oh, they're not, well, I shouldn't trust them then."
DB: Yeah, the URL is not a foolproof system. You can easily hijack the DNS of the end user and hijack their URL. So it’s very clear and the system is working, but it's not certainly not foolproof. It's interesting. We're in such early days of this, right? Because we've had centuries and centuries or millennia to build our identity in the physical world, but this all has evolved a lot in the last 20 years.
KY: Yeah and I have a new article I just finished and hopefully it'll get published soon, talking about this history of how accidentally, digital systems built identity and also how accidentally, we built physical identity systems and how they're really quite different. And then we tried to jam them together and because they're so different, it doesn't work and why self-sovereign identity actually gets you digital identity, but much more like how the paper identity systems evolved. Because when I get a paper document, I choose who to share it with. And whoever I'm sharing with typically trusts the security features on it as the kind of proof.
Sometimes they call up the issuer where, like for a high profile job, did they really get the degree or what, you know what I mean? And there is actually a lot of money spent for various businesses trying to do that type of identity checking. This is very disruptive to these businesses because I'll have the digital proof that it's real. But that's okay. I think they need to innovate and find new opportunities with the change in the paradigm of how identity is going to work in the future.
DB: I was living in Hong Kong for the last six years and just moved back to Australia. And last year, I kid you not, they're still using rubber stamps in Hong Kong that this document is legitimate. They won't accept it unless it's got a rubber stamp that you can go buy at a local market for a dollar. For some reason, they cannot accept it unless it's got that rubber stamp on it. In the physical world, in many economies, it has evolved, the sophistication of identity. In some cases, it hasn't evolved either. "We'll just stay in our bureaucratic and old-school and old-world set of systems." [Inaudible] is one of the leading economies and DNS dynamic economies in the world as well.
We will have to leave it there. We've run out of time. How can our listeners follow you on social media and what you're talking about and what you're doing?
KY: Sure, my handle on Twitter is "IdentityWoman". I also have a LinkedIn presence. I do not have a Facebook. I think I technically do, but I never go there. Facebook is against my religion. It's totally evil. No. I am on this new social network that one of the people who actually introduced me to digital identity has just built based on open standards. It's called True.net. So, that is a fun, interesting, new thing that people might want to explore because it's based on open standards.
And I totally encourage folks who want to learn more about the digital identity things we've discussed today to check out the Credentials Community Group at the W3C [and] the Decentralized Identity Foundation, Trust Over IP Foundation. If you're interested in the COVID credentials work I talked about, that's Covid Credentials Initiative.org, and we're coming out with a blueprint next week. So, that'll be an interesting journey. And please join us at the next Internet Identity Workshop, which I don't know if it will be virtual or not, but we will continue to host virtual workshops. So, that's an opportunity for folks all over the world to join us.
DB: Brilliant. Thank you so much for the work you do. It's very, very interesting to talk to you today.