Today we’re going to be talking about the intersection of privacy, identity and innovation. With your new book out, I think there’s some really great insights there about your experiences in this space which no doubt span a couple of decades. Now, just looking at your background, your involvement in the Identity Workshop is impressive considering a lot of the cool technologies and standards that have come from that.
You’re currently the Chief Trust Officer at Evernym via acquisition of Respect Networks. When I took the opportunity to have this podcast, some of the things that I’m looking at are what really fundamentally is changing in the culture and changing the current paradigm in I guess technology or in this case identity as we know it.
Before we get into your book, let me start with a lot of folks are aware of the HBO show Silicon Valley, and that episode, actually that whole show just ended and had its final season, but what we know at the end is that the CEO was setting out to create a new internet, a decentralized internet, a better internet, and we’re seeing these things emerge now in culture and in references to this new internet, decentralized identity.
And I think one thing that’s interesting going from an incubation of a technology or standard to something that then becomes referenceable in culture is always an interesting milestone to achieve. By introducing decentralized identity and self-sovereign identity, maybe you can just start with what’s broken with the internet today, why do we need a new internet?
I’d say it’s starting to actually hit the headlines fairly frequently that the internet has been the basis, right? The internet is, I think of it as the ground floor, the foundation for the web. And the web is all the things we’ve been building on top of it that we just … Everything you do with your browser every day, right? Every site you go to, every auction you participate in, every product you buy or using web technology has helped built on top of the internet.
The internet itself is highly decentralized, that was the whole innovation that made the internet work. Any device can connect directly to any other device over the internet anywhere in the world. And it was brilliant innovation as a protocol how to connect all the networks in the world. When the web came along and said, “Okay, now let’s build an application on top of this way of sharing information,” it was a client-server protocol, and what that means is you used a few software to go talk to some server someplace that would serve up the website, and that’s inherently started to bring back a strong element of centralization, and that’s …
What we see today is a highly, an internet, a web dominated by large centralized providers, right? The big tech giants, whether we’re talking Google or Facebook, LinkedIn, eBay, these sites and services that have become tremendously popular and they’re doing a little bit changing entire economies, Amazon for example. But a lot of their power is because of that client-server architecture of the internet, because it’s actually … Well, it’s easy to connect to machines any place on the internet and you can have those peer-to-peer connections.
If you actually want to do something productive, especially something requires trust, then it’s all been about how do you connect to a common trusted point that just keeps building trust, keeps building business, keeps adding customers, and you end up with this very asymmetric, a few giant companies dominating the internet and this very long tail of much smaller sites that have no competitive chance in that environment, so that the move to a decentralized …
Whenever somebody says, “Oh, let’s have a decentralized internet,” I stop and say, “Wait a minute, the internet is decentralized. It’s the most decentralized technology I think we’ve ever come up with, it’s the web that has become dominated by centralization and-”
Well, that’s a great point, actually. Maybe that’s one that’s not often heard as you said, but then you look at web giants; Google, Facebook, Amazon, and they have centralized databases about your browsing activity, about your social activity. They track your movements everywhere you go because you carry your mobile phone with you and they have apps there, right? And then all of that data is stored in databases that are very lucrative and interesting to cybercriminals, and it makes their job quite easy if they only have to break into a handful of databases to completely build your digital profile.
It’s the centralized model for data storage or websites and web interactions…
Right. So it’s both very dangerous from a fraud and security standpoint, and it becomes very inhibitive to innovation from a business standpoint. Right? There’s so much market power that it ends up concentrating then it becomes very difficult for innovation, right, the name of your podcast.
So the push to this whole new area of decentralized identity and what’s commonly called self-sovereign identity or SSI is to say, “Hey, there’s the way of literally building an internet of identity or an internet of trust that will even the playing field back out because it makes establishing and maintaining trust relationships something that’s much more peer-to-peer than the current model, and that will unlock a lot of innovation and new business models for using the web that tends to pull power back out to the edges and make it an environment where individuals and small businesses around the world will have a much easier time competing than in the current environment.”
… So looking through that lens of competition and business models while we’re on that topic, today we have an environment where large organizations are very much dominated by shareholder capitalism. Their matrix or their lens of making decisions about how to invest, where to invest, how much to invest, and privacy is not always top of the list.
If you think about organizations, maybe a company that has a series A or a public company, they’re motivated by providing returns to shareholders as their number one reason for being in business. But now today, and this became a pretty interesting topic of discussion at the World Economic Forum, and the former CEO of IBM and Marc Benioff, quite a few companies are now behind this idea of a form of capitalism today that it’s broken and it needs to be reinvented.
If you look at the motivations in the business models behind decentralized identity, providing better privacy to consumers fundamentally as a motivation of business, when are we going to reach the tipping point, and is that going to be enough incentive for businesses to want to change how they do things today?
That’s an extremely good question. I mean you asked both timing and what the incentives will be. Self-sovereign identity is still young, right? If we use the lifetime metaphor, I’d say it’s still, it’s not a toddler anymore, but it’s in elementary school. I’ll put it that way. So it’s got a lot of growing up to do, but the promise is enormous because it goes directly to solving problems as you put it, Steve, not just with security and with convenience but with privacy. And I think of them often as the three points of the triangle of what will drive adoption and innovation on top of it.
And it depends on the audience that is interested or that you’re talking to, which of those three. If you’re talking to business people, they’ll look at the security and privacy components to just go, “Oh yeah, okay. It’ll help with those, but tell me what it does for convenience.” Right? That’s what will drive adoption. The analogy is often used there was a time, it’s hard to remember, but before any of us used credit cards, right? We used cash, we used checks, but there wasn’t any way to electronically transfer value.
And the banking industry, a lot of folks don’t know this, took them a long time to figure out how to actually get credit card adoption to happen. First they tried individually issuing credit cards, the banks or department stores and they recognized, “Wow, if we can make money flow faster, it’s going to be good for a lot of folks.” And they did try to go after convenience, but it wasn’t very convenient if you got a different credit card for every store or bank that you needed to deal with, so they finally had to recognize, “Oh, we need to create credit card networks and we need for a credit card to work every place you need it or every … Don’t leave home without it, everywhere you want to go.” Right?
And once they figured that out, then credit cards became the most convenient way to make payments, and now they’re just baked into our economic life. If you look at those three things, it will be the convenience of this new form of digital identity, which we use a credit card analogy because it is based on digital credentials. It’s like having a digital version of all the things you have in your wallet, and of course that will make it dramatically easier for you to prove your identity and be trusted on the internet.
What I’m glad you’re bringing up is that inherent in the technology will be why it’s more secure, so we don’t have to dive deep into that. It’s all based on cryptography, and yes, there’s some blockchain component, and so it is the dramatically deeper uses of cryptography that will make it much more secure. But you bring up the element of privacy and what will it do for privacy, and ironically, I think that might end up being the benefit of this technology that has the biggest impact in the long run.
The convenience will be enormous and the security will be much better, but what self-sovereign identity will end up doing for privacy I think is yet to be discovered and will be quite profound. To explain why, we probably have to go a little bit deeper into the technology and how it works, not necessarily the technology but how people will actually use it.
Yeah. Well, before we dive into technology, I think there are plenty of ways that we can look at technology today that are not bad at making a business case for offering greater privacy, offering better convenience or helping to reduce operating costs. Like cloud computing for example, made a lot of promises. And cloud computing by comparison is quite mature, although I’ve recently read some arguments that it is an underutilized computing model and that there’s still a lot of opportunity there in cloud computing.
But I guess coming back to this question in the given climate, why organizations should change to embrace or adopt decentralized identity if you will or self-sovereign identity, this new model of managing identities and interacting with customers. Is there something else besides these kinds of benefits, like maybe something political? I know that in one of my previous podcasts, my guest was Dr. Ann Cavoukian and she has privacy by design in her portfolio of inventions or intellectual property, if you will.
Those requirements translated into data protection by design or data protection directives in GDPR. So do you see the privacy requirements that are going into privacy frameworks like GDPR, CCPA and other types of regulations being an even more powerful motivator to adopt the decentralized model of identity and identity management?
Yes, definitely. At the Sovrin Foundation which governs the Sovrin Network blockchain for self-sovereign identity infrastructure. I’m one of the founding trustees there and I chair the, what’s called the Governance Framework Working Group. And we just finished last December the second generation of the Sovrin Governance Framework, and the last nine to 10 months of our work were specifically developing the data protection compliance framework for the Sovrin Network with GDPR and CCPA and any global data protection regulation.
And to do that we had to actually tackle a difficult problem which is widely recognized. And the European Commission itself, its blockchain advisory group has put out a paper about GDPR and self-sovereign identity. And the goals of self-sovereign identity are highly aligned with the goals of GDPR, which a lot of folks aren’t aware GDPR, the General Data Protection Regulation, is explicitly to increase privacy, it’s to protect individuals, European citizens’ personal data, and to enable them to obtain greater value from it.
So for instance, it’s actually very explicit about data portability, enabling you to move your data from one service provider to another. And privacy ends up being sort of something that you get because you have these protections and rights around your personal data. Another one of the best known rights is called the right to be forgotten, technically it’s the right of erasure that you can say, “I want some service provider to delete my data,” that’s there.
Self-sovereign identity infrastructure turns out to be a wonderful tool, a nearly ideal tool for enabling individuals and organizations and enterprises to implement the kinds of data protections and the kind of data rights that GDPR prescribes. In fact, the only real area of tension is that in that right of erasure that GDPR gives to individuals, if you’re writing some portion of personal data to a blockchain which is immutable, then it’s very difficult to say, “Well, how are you going to give an individual the right of erasure to be able to take that information off the blockchain? Because you can’t erase anything from a blockchain.”
So there was a period where a lot of folks said, “Well, how can you have this self-sovereign identity and give people this powerful new tool for controlling their personal data and do it with blockchain technology where you can’t erase it?” And the short answer, it’s easy to give the long answer, the legal support for this took us, as I said, 10 months and about a thousand man hours of legal and technical work to put it together, but the short answer is you don’t put personal data on the blockchain, you only put the cryptographic information you need to give individuals and organizations the ability to digitally prove information about themselves in the form of what we call verifiable credentials, digital credentials.
And you don’t put those credentials on the blockchain, you put them in digital wallets that individuals have and can use, and you put them in digital wallets enterprises are using, and the information, the actual exchange of the credentials takes place entirely off the blockchain. And you’re only using the blockchain for the cryptographic infrastructure so that you can sign those digital credentials and everyone can verify those signatures and go, “Yes, that really is a passport, that really is a driver’s license, that really is an employment credential from this company, X, Y, Z. That really is a membership in the Sierra Club or the Red Cross.”
And we can start to prove these things about ourselves, but we do so privately when we connect directly person-to-person or person to business or person to thing, and that information that we’re sharing those credentials never itself touches the blockchain. So with that problem solved, we actually take a very strong stance that self-sovereign identity infrastructure is the best way to implement the data protection rights of GDPR and other global data protection regimes.
Drummond, I’m not the expert here that’s why I’m interviewing you and not vice versa. So I appreciate that point of view, and the more folks I speak with, the more I’m actually coming to believe and think that you’re correct in that statement.
Before we go a little bit deeper into the encryption and the governance frameworks, with the trust deficit that we have in our world today and looking at the increasing trend of decentralized identity being able to address some of these privacy requirements, you’ve written a book, Self-Sovereign Identity that I think is really timely, but as I began reading the book, I began to realize the genius in the book isn’t so much as, “Hey, this is a how to do self-sovereign identity.”
It does provide some direction around how to do self-sovereign identity, but I think that the genius is in the early sections of the book where you talk about the incubation of new standards and the history and how and why this technology came about. So you talked about how new standards were incubated and came out of your involvement with the Internet Identity Workshop.
UMA for example, and SAML and SCIM and many other notable standards that we use in our common today, it’s in Silicon Valley and then at this workshop in particular that meets a couple of times a year. Maybe we can take a detour here and let’s trace back your earliest concepts or ideas about how this model was proven and conceived of and incubated within this framework of the Internet Identity Workshop.
You bet. I love talking about that particular conference, IIW is what we call it for short, because it really is fascinating. I don’t know of any other conference quite like it. And the next one coming up in April, last week of April this year, and it’s been held at the same place except for the very first one was in Berkeley, California, but since then all other 28 that followed the first one had been at the Computer History Museum in Mountain View, California, so it’s sort of iconic in that particular space. And the next one is number 30, twice a year, so that means we’ve been going to this conference for 15 years, and I’ve been to every one. I think there are four of us that have been to every-
Wow, every single one, that’s pretty incredible.
… Every single one. Steve, the most unusual thing about the conference is it really is ground zero for this problem of internet identity. I mean, the conference started because there were multiple efforts working on the problem and we’re talking, yeah, 15 years ago, and we all recognized that we were working sort of pieces of the elephant and we needed to get together and say, “Yeah, let’s combine our efforts and figure out how we can get this problem solved because there are so many things that we need a really effective internet scale identity solution for.”
The fact that we’ve been doing it for so long is evidence of just how hard that problem turned out to be. So every one of the acronyms, I think the last time we actually added them up, I think it’s almost a dozen different standards or technologies were either born there or significantly nurtured there. One thing I love about it, Steve, and you’ve been to a couple, so you know what it’s like, it’s except for the very first day or the very first one, it’s always been an un-conference.
And by that for folks who are not familiar with it, it means there are no assigned speakers or predetermined topics, there’s no … You assemble as a community, you get together and you propose the topics that you’ll talk about every day. There’s five one-hour session slots each of the three days of the conference, and each morning you get together and people propose topics. And then go to a great big board, it’s just a big grid on the wall, and you slot in your topic for one of those five session slots in one of … I think it’s up to 18 rooms are needed now. The conference is up to over 300 people now.
And you self-organize to talk about the things that are most important to talk about. I love it. People talk about it being the most exhausting conference they go to because there is never any excuse, any moment of that conference to not be talking about the most important subject to you personally. So it’s an extremely productive conference, it’s developed a very devoted following, and it produces real results.
We make significant steps forward every time we have one, it’s sort of the heartbeat of the industry. I could go on about it for quite some time. I will say one more thing which is, as an un-conference it spawned a number of other, it’s encouraged others to tackle un-conferences, and as it happens, Evernym, my company is doing its first un-conference spurred by our experiences at IIW.
I have been to a couple of the IIW workshops, because you’re right in the heart of Silicon Valley at the Computer History Museum and you attract great thinkers; Doc Searls, Eve Maler, Kaliya Young, and folks like yourself, in talent from nearby companies like Google. I was at VMware at the time. They’re not necessarily leaders in the identity space, but they’ve produced some interesting thought capital, I think.
And you do get this cross section of talent and technology driven ambitions to look at opportunities that because of the format of the conference, what needs to be talked about and collaborated on by this cross section of the industry gets its airtime. That’s great because if we’re going to solve a big problem, inclined to say nothing is certain but death and taxes, and one of the things that I’ve jokingly added to that list are data breaches.
And so I think if we’re going to have a good shot at out-innovating cybercriminals that we need to have a technology that has those characteristics of blockchain technology and make it harder. The immutability, the decentralized nature of it, we make it harder for cybercriminals to do what they do, right?
Absolutely. A lot of folks ask me when I tell them that IIW story, right, it’s like, “Okay, 15 years you’ve been at this conference.” So then they turn around and say, “So why is this suddenly, after all that time, why do you suddenly have this big breakthrough with self-sovereign identity? Right? Why is it suddenly taking off when you’ve been banging your head on it for so long?”
And in fact, I had this very long conversation over lunch yesterday with someone who was new to the industry, but is extremely interested. I said, “Look, it’s really pretty clear in hindsight, three years of hindsight now that we were using the best technologies available, we have been all the time, but we didn’t really understand how we could wield cryptography in the service of identity and digital trust until blockchain came along.”
Even though ironically, blockchain technology doesn’t play the huge role that a lot of people initially thought it might in self-sovereign identity, it does play a critical sort of foundational role, but the real essence of self-sovereign identity is it is cryptography all the way down. The digital wallets and digital credentials we will use, every one of them is a store of private keys.
Many people I point out as soon as I see they’ve got a smartphone, I’m like, “Oh, how are you doing your key management for iMessage, for WhatsApp, for Signal?” And they’ll look at me and go, “What do you mean, what key management?” And I say, “That’s my whole point.”
Those applications are totally doing encrypted communications all the time and you don’t even … If you Signal every so often you do get a message about someone changing their safe number, but otherwise it’s transparent, that’s because Apple and Facebook and Signal have built it down, right? They built it into the whole thing, they’ve made it easy to use.
Well, all we’re doing with self-sovereign identity is we’re applying that to open standard, digital wallets and digital credentials that everyone, if you’re using that kind of wallet, you can get a credential from any issuer, you can present it to any verifier, a website and application, a company, any place. And it’s just, it literally is the digital equivalent of how we prove our identity in the real world today, right? We get a credential out of our wallet, we show it to a TSA agent, they verify it, and we get on a plane. Right?
What’s old is new again.
What’s old is new again, exactly, it’s just we’ve made it digital. And it’s ironic every time I talk about self-sovereign identity, I just start out and say, “How many folks came to this conference and used a mobile boarding pass on their phones?” and it’s up to about 70% of the people raise their hand. I said, “Great, you just used a digital credential in exactly the way you’ll use it, it’s just you used a proprietary credential and a proprietary wallet.”
What we’re doing with self-sovereign identity is we’re creating the internet for that. We are standardizing the credentials, we’re standardizing the wallets and now we can do it much more broadly and just solve the problem generally.
It’s not glorious work, there’s just a lot of dirty work that has to be done before a technology can grow up to become dominant or in some cases maybe a household name like every … Whenever they type a web address into their browser, usually know about www or HTTP, right? In a previous podcast, Eve Maler made the comment that I thought was fascinating that standards are just kind of strategically commoditizing something that’s about to be commoditized so you can build value on top of that.
And when you look at the timeline and the momentum behind this movement as an investor and a predictioneer, if you will, to see where this is going, I tend to be optimistic. I know there are some analysts out there that have their issues and their concerns about the futures of identity and the viability of decentralized identity, if you will, a couple of them and so let’s continue in looking at one of them, which is how do you address the issues of decentralized key management or decentralized governance, if you will, for something like identity management?
Do individuals suddenly have the responsibility of managing their own credentials on their digital wallet? And what if they lose their digital wallet or it’s stolen or … Like with the credit card example, if you don’t leave home without it, well what if you leave home and you didn’t bring it with you, right? Like you had a brilliant concept Trust over IP, you recently gave a presentation about it which I’ve watched and I’ve listened to, and I think this is kind of brilliant in terms of how the trust deficit that we have in our economy today is being addressed through these kinds of capabilities. So how do you see the decentralized governance working? You refer to this as the missing identity layer for the internet.
First of all, I have to say I just love that term, trust deficit, because I think that’s exactly what we are addressing. We’ve dug ourselves a large trust hole with the current technology and infrastructure for the internet and the web. It’s producing tremendous value, but in some ways the trust deficit is almost like that toxic exhaust that it’s been giving off, and now it’s reached, it’s become poisonous enough that we have to address it.
We do. I’ll tweet out to Ann Cavoukian at this point in the podcast when it goes live, but we have heard of things for that.
That is excellent. And I’m looking right now at my privacy by design ambassador plaque on the wall, and she was the one who not only coined the term, but then it inspired me to get deeply behind privacy by design. And I actually was in Toronto recently, but not able to see her, but I’m looking forward to doing that soon because I wanted to explain to her with SSI and specifically with governance frameworks, I believe we’re finally going to be implementing privacy by design at the largest scale it’s ever been possible before.
That’s awesome. That’s awesome to hear.
Yeah, and there’s a really good reason for it which I don’t think is quite yet apparent yet, but it will become here soon. You’ve seen the Trust over IP presentation so you know that we talk about this four layer stack, and the bottom layer is blockchains, right? That’s where we can root these really strong, what we call trust roots, which is basically an assurance. It’s a way to assure that the identifier on the public key for whoever you’re dealing with, and mostly that will be organizations that are issuing credentials are really theirs.
It’s the same cryptographic infrastructure we use today to secure our browsers. Every time you see the lock in your browser, you know you’re dealing with a company that went and got a TLS certificate, a proof of its public key from a certificate authority out there, there are like 250 of them in the world. And that’s the encryption infrastructure that we’re using to trust the web today, right? Every time you buy a product from a security commerce site or you deal with your bank or anything else, you’re using that encryption infrastructure.
Well, it’s working, but it’s very brittle because there’s just those 200 certificate authorities out there, and if they get hacked or attacked, then whole parts of the internet can fall down in terms of their security. Well, with blockchain technology, we can take what they’re doing and we can say, “Okay. Now, you can use globally distributed blockchains like the Bitcoin or Ethereum blockchains or specialized ones like Sovrin just to do this and have really strong bottom layer foundation of trust.”
And then we build on top of that interoperable digital wallets at the second layer and then credential exchange at the third layer. But it’s the fourth layer that actually is what, Steve, is going to launch this new era of privacy. And to do that, I just quickly need to explain what is that fourth layer about, and why is it the key to this break from privacy.
The fourth layer is governance frameworks for this new digital trust infrastructure. And when I use that term governance framework, don’t necessarily think of a government just simply think of a group of any size that says, “Hey, we want to achieve trust together, what rules are we going to follow? How are we going to do it?” One of the best examples we use constantly whenever I’m explaining this is what I’ve already brought up earlier on this podcast, the credit card networks. They had to turn around and say, “How can any merchant in the world trust a credit card that can be issued by almost any bank in the world when they all obviously can’t know each other directly?” The answer was, “They built a trust network.”
And Visa and MasterCard, two of the largest trust networks in the world, they got together and they agreed on the rules, and the rules are like, a very small part of the rules are technically, “How is it going to work?” the vast majority, the rest of it is, “What are we all going to do together that’s going to design the system and operate the system so that we can all trust it?”
That’s so important, I love that you say that. A lot of data breaches we have today are preventable and it’s not because we are missing great technology. I don’t think it will be difficult for us to decide what the technology should look like, but I think you’re hitting on a key point, which is how do you get the consensus, how do you get the agreement? With the Sovrin Foundation for example, a not-for-profit, is focused on sharing that governance framework that a lot of organizations can agree to.
Exactly. That’s exactly right. It is agreeing on those rules that everyone’s going to abide by to achieve trust online. The Sovrin Foundation was set up explicitly to do that to say, “Hey, what we need … If we need at least one self-sovereign identity network that’s set up just to do that, it’s just one component, that bottom layer component, but we’ll do it with the governance framework and we will set that up. The nodes of that work will be run by trusted institutions around the world.”
And we said, “That’s a good way to have a trusted blockchain, let’s just make sure it’s all well vetted institutions of all sizes and every place around the world.” It was a theory three and a half years ago, we now have over 75 organizations in the world running nodes of that blockchain because they all came together and said, “This is a great way to achieve digital trust online.”
Wow, can you repeat how many again?
Yeah, I think it’s either 74 or 75 right now, it’s right there, but there are a couple being added every month. And people ask, “Well, who are those stewards?” and it’s a classic power law distribution. Yeah, the very big ones everyone’s heard of: IBM, Cisco, Deutsche Telekom, but then there are medium-sized ones in a number of countries around the world. For example, TNO in the Netherlands is a research organization that’s part of the government or has government funding that is helping build blockchain infrastructure and now specifically SSI infrastructure in Europe and the Netherlands.
And then you’ve got ATB Bank in Canada, for example, that’s leading the, what we call the Alberta Credential Ecosystem, there you just … And then you’ve got smaller companies that are startups in this space, but their whole business is self-sovereign identity infrastructure. Evernym is one of those, Matter in New Zealand, MTTR is another example. So a whole spectrum, there’s a single page on sovrin.org, S-O-V-R-I-N.org that has all the stewards.
You can see every single one of them, you can go in and look at the operation of the network and get statistics, it’s all transparent, it’s all public, that was part of what we all agreed it had to be. And so the Sovrin Foundation said, “We need a governance framework for this network,” but what we realized was that governance frameworks were going to be for every digital credential and every trust network that wanted to use this infrastructure would need its own governance framework.
Just like every card in your wallet, every credential you use in your wallet, there’s a bunch of rules behind who can issue that card and the policies they had to follow to do it, right, whether it’s a passport or even a coffee loyalty card, right? If it’s got value, there’s a set of rules back there. Even the Starbucks Loyalty Card has a governance framework behind it, it happens to be Starbucks governance framework. So that, Steve, is the tool that we’re going to use to turn the tide of privacy on the internet.
I like it. And I liken this to a socially conscious driven effort because I think on one hand people do want better privacy because they feel that their information is important, and they understand that to some degree, some of the data breaches they’re involved in aren’t their fault, right, it’s the corporations who have policies on their databases, or if they’re using AWS, their default position with regards to admin accounts or policies are just not very strong.
Yeah. I would say 99% of the data breaches out there, the individuals whose personal data is being breached, had no part in it whatsoever. They did everything right, and it’s … The problem today is since identity and many of the services related to us as individuals rely on data we share in order to receive those services. That data going naked into these giant databases is, as you said, it’s just a giant honeypot.
The problem is when a hacker breaks into those databases, that data can be used because today we identify ourselves using that data, right? If you lose your password, you have to go to a site and you’re going to have to go on and answer a bunch of questions to prove it’s really you. Well, anyone else who knows the answer to those questions can say, “I lost my password, give me a new one.” They’ll know the answer to those questions and they can impersonate you.
That method of just using our personal data to prove it’s who we are is broken, and there is no fixing that. But if you turn around and go, “Okay. We are now going to provide everyone with a standard way of using cryptographic keys to prove their identity,” then it’s no longer having our personal data that’s got to be able to be used. In fact, I love the fact that the tables are going to turn since we’re now going to be able to provide a standard way of providing permission.
Anytime we share our data, we’re going to digitally sign we’ve done that. If I go to a new merchant and say, “Yeah, I want to open up an account with you, and I want you to ship me goods. You need my address, you need a way of payment for me, all those things,” I’m going to give them a digitally signed credential, permission to use that information. And they’re going to have both the data and the digital signature on it. And that digital signature’s got to bind that data to them, they’re the ones who have authorization to use it, whoever that merchant might be.
In terms of distributing these governance frameworks, one of the underpinnings that I found fascinating and I’ve had some experience of my own in this area is around zero-knowledge proofs. Your company Evernym just had a great webinar earlier this week on the math of zero-knowledge proofs. I’ve just recently taken some college level math classes and I … So I joined this webinar, it was interesting.
Because when you think about encryption, I’ve heard it said that it would take a billion, billion years to hack into SHA-256d. I couldn’t do those equations because I’m not that big of a math nerd, but I can appreciate that analogy. And then when you think of quantum computers and potentially how they have the ability to break encryption, well the other side of that coin is that quantum computers can help encryption increase and strengthen reliability as fast as quantum computers can.
So when you think about the risks of this trend of the immutable ledger or the decentralization of credentials and attributes and user data, sensitive data, I think it’s protected as good, maybe even better than it is today because of stronger encryption innovations in the architecture, et cetera. One technical question and then one business related question that I have in mind, which is in looking towards the future of this decentralized model, one of the challenges about scale, you briefly touched on this.
Scale from the standpoint of the technical aspects of scale, which I don’t think are going to be difficult, but scaling from a cultural perspective or a business perspective and a governance perspective, all aspects related to that, how do you see us addressing some of the challenges around the scale of decentralized identity in SSI?
I’m going to come right back to governance frameworks. I agree with you, the scaling challenges for the technology are going to be very solvable, and especially because as I’ve emphasized already, self-sovereign identity does not depend on blockchain to scale. Blockchains do have challenges around doing that, but as I said, the vast majority of self-sovereign identity infrastructure is not on a blockchain. It’s intentionally not, it’s just secured by the blockchain.
Thank you for mentioning that, by the way. I’ve heard some really critical views on decentralized identity because of blockchain. I’m glad you mentioned that, I wanted to make sure I included it in our conversation relative to scale, which is you don’t need a blockchain to have decentralized identity.
Yeah, very important. And even if you are leveraging it, you don’t need a high throughput by any means, the blockchains we have today will work just fine. I think you’re absolutely right that the scaling problem is one of trust. I like to point out you can use technology to create a foundation for trust, but trust inherently cannot be achieved by technology alone. Trust is a state of being between human beings, and it’s a confidence in relationships and that can only come from humans, right?
And that’s why the real adoption will be guided by, and to some extent gated by governance frameworks. So that’s why I’m doing so much work and others in the community are now doing more and more work because as we have the first credentials and the first governance frameworks designed for those credentials, that really solve real business and social problems, they will start to spread an adoption just like the first websites, right?
As soon as you had a website like Yahoo that made it really easy to find other information on the internet, wow, the web started growing and growing, and pretty soon it was exponential growth. We’re going to see a similar kind of growth here when you can start to solve digital trust problems, by for instance, just be able to prove you’re a member of some organization.
CULedger, the consortium of the credit unions that got together, recently rebranded the credential they’re focused on as MemberPass. You’re going to be able to prove, any credit union member of the world is going to be able to prove I’m a member of a credit union. Well, what website would not turn around and say, “You can actually prove to me you’re a member of a credit union?” That’s like a hundred times better than you can do with any form of digital identity on a website today.
So it will be those kinds of breakthroughs of the kind of trust you can achieve, the simplicity with which, and speed with which you can do it, and now the new kinds of applications and services that can be built on that, that’s going to drive adoption of self-sovereign identity.
Drummond, I have to say that’s exciting stuff. And my interest in it, I think society’s interest in it is in large part a reason why I’m grateful to have you on the show, and this seems to be a recurring theme on the Nonconformist Innovation Podcast. So your answer leads to my next question and final question for the podcast relating to the human element. And I get a sense that the technology at this point is more or less inevitable, but it can be improved by the human element.
So when you think about the types of supporters that we have, thinking about the individual consultants, the systems security solution integrators, the big four consulting, what role do you see them playing in terms of accelerating the adoption of decentralized identity in SSI, and what is the timeline for them to be able to deliver a lot of value in ensuring success of this new wave of computing?
Well, actually I think they’re going to play a major role. Evernym, for example, has already formed partnerships with companies like Deloitte. They’re seeing, and I think rightfully so, emergence of self-sovereign identity and the decentralized trust infrastructure behind Trust over IP as a major new branch of their business.
And they should, that’s exactly right, because adoption is all about companies recognizing the advantages of these technologies, integrating them into their websites, their applications, their services, their business process design, and then consumers, individuals, I tend to avoid the word consumers, but those of us who are now going to use those services, just starting to, and those businesses just starting to enjoy this new, what will again, look primarily like convenience, but have this strong foundation of increased security and I think what will be dramatically better privacy because it comes with it.
I like to point again to the analogy, no consumer in the world sat there and said, “I want a piece of plastic to start to pay with,” right? Credit cards were innovated by the financial services industry because they recognized that everyone would be better off and they would make more money if money could move faster, right, if it could be transferred electronically, and the whole mail order business was enabled that way.
That’s what’s going to happen here is that it will be the business value of digital identity in the form of, as I said, digital credentials and the whole infrastructure that enable them, that’s what’s going to drive it. And we as individuals would just start to enjoy the benefits. We could have another podcast, Steve, on the peer-to-peer usage and the potential, I even think the business models that will come about when all those trust issues can be dealt with without going through central sites. But regardless, I think we are going to see, I’d like to use the analogy an internet of identity-
I like that.
… a decentralized internet identity. It’s actually Phil Windley’s term, he wrote a blog post about a couple of years ago, but I think now it’s much easier to see how that will happen. And now we’re going to see a web of trust. That term has also been around for a long time, but now it’s really going to become real. And with webs of trust, I love it that we’re going to be able to tackle problems way beyond business. Right?
I think a lot of folks recognize the downside of the lack of trust on, for instance, news sources on the internet today, and just the headline just before I entered my home office this morning on the Russians being able to influence elections in the US because of the current technology and the internet, right? We can directly address even problems of that scale by putting in place this new trust infrastructure.
It’s beautiful to talk more and more about trust and privacy. I think it’s, at least for Europe, it’s great that we’re starting to see these things become a part of with privacy by design, part of the regulatory frameworks. Hopefully we’re going to see more of that in the US soon. By way of wrapping up, I think we could have more than one additional podcast to cover some topics that we haven’t.
In tracking with your book on Self-Sovereign Identity, Drummond, I think we’ve scratched the surface, I think we’ve covered a vast couple of chapters, which address more of like the history, the “why to” – the context around decentralized identity, why we need a new internet and hints at some things to come. For those who are more interested in the technology and the mechanics of encryption or the use cases, the book is out there.
So this podcast is going to have a code for listeners to go and download a courtesy copy of the book. We’ll have that, it will be posted in the show notes. Now, Drummond, thanks so much for coming to the show and for writing this book, which is full of great knowledge and information for those who are, maybe we should say a self-sovereign identity curious. It’s certainly going to answer a lot of questions for those type of folks.
The book from Manning is in their Early Access Program, so the first, right now eight chapters are available online. I don’t believe it’s actually, because I know we’re not actually finished with the last parts of it yet, that it’s going to be fully published until June, but you can get the first eight chapters and as everything else comes out, you get that and then you’ll get the physical book when that comes out, so that’s why we started doing podcasts and getting this early feedback going.
We are excited about it. Alex Preukschat was the coauthor of that. And I want to point out to folks, I think there are more than 20 other contributing authors. We said this isn’t just … We don’t want this to be just our views, we want this to be experts throughout the … not just in self-sovereign identity, but in industries that are adopting it. So I think it will be as much about business and social impact of self-sovereign identity as the technology.
I love it. The business and social impact is an important part of it. And I would add, in my experience with the book so far, it’s great because it addresses those things, the why to, and the how to, and it’s accessible. It’s not as dry or dense as a college textbook, so I would encourage everyone listening to go out and grab a copy of the book via the Early Access Program and then in June you’ll have the opportunity to get the final copy.
You bet. Happy to do another podcast on privacy is a social good.
Sounds good, I like that one. We’ll have to discuss that. Well, Drummond, thanks again. Enjoy the rest of your day, and thanks for being on the show.
Oh, my pleasure, Steve. Thanks for having me.