
Decentralized Identity, Verifiable Credentials and the Future of Privacy

originally published: 2024-01-25 12:39:56

In a digital environment where emerging artificial intelligence technologies are being rapidly adopted, data continues to drive considerable value, and the risk to confidential and personal information remains an ongoing threat.

Enter decentralized identity, an emerging paradigm of digital identity that champions principles such as individuals having control over their own information and being able to selectively share it with others as needed. Verifiable Credentials, a rising standard and enabler of decentralized identity, are gaining adoption by public and private sectors across the world, including the European Union.

Verifiable credentials are a type of digital credential protected by modern cryptography. They contain a digital representation of information or attributes about an individual, organization, or thing. These include educational degrees, digital driver’s licenses, employment records or certifications. These credentials can be shared across various services to streamline processes that require proof of identity or qualification while still maintaining the privacy and security of that information.

Verifiable Credentials are designed to provide a secure and tamper-resistant way of verifying and sharing personal or organizational data. Together with other decentralized identity technology, Verifiable Credentials enable our systems to give individuals control over their data and to increase trust by reducing reliance on central authorities. What does this mean for the future of data privacy?

We were pleased to welcome Lucy Yang, Managing Partner of Identity Woman in Business. Lucy has been working in the decentralized identity space for 4 years and was also Community Director and Committee Chair of the Covid Credentials Initiative, which sought to address privacy issues and concerns of sharing COVID and health information through verifiable credentials. We discussed the principles of decentralized identity and how a community has evolved them into new infrastructures to solve today’s data privacy issues and how this will interplay with the rampant development of Generative AI.

Transcript

Hessie Jones
So we are all living in this increasingly digital world where our lives are migrating to digital spaces in our work, in how we communicate, in who we connect with. So our physical spaces are now turning more digital. And what’s been clear is that this path to control who you are online, across all your profiles, all your accounts with certainty, can really be challenging. So the journey between the physical world and digital spaces makes it more difficult to control your identity. So as you traverse through digital applications, through sites, your physical driver’s license, your health card, any of the certifications that you need to verify you as owner of these credentials has to be done in a way that provides a higher level of assurance and allows you to securely share a lot of the information, your own information, to be granted access to, let’s say, information to sites, to be able to go to that concert, to hop from one country to another while minimizing what you actually disclose. So, welcome, everyone. My name is Hessie Jones and we are at Friday, June 9, Tech Uncensored. The emergence of verifiable credentials has been around for some time and evolving within this user-centric identity space for well over a decade.

And it seeks to resolve some of the challenges as we start to transition between the physical and digital spaces when it comes to identity. Verifiable credentials is a rising standard, and it’s gaining a lot of public and private adoption across the world, including the European Union. And I’m happy to welcome Lucy Yang, who is the managing partner of Identity Woman in Business. This is a boutique consulting firm specializing in digital identity, and she’s worked in the decentralized identity space for over four years. And she started off as a community director of the COVID Credentials Initiative to address some of the privacy issues and concerns of sharing COVID and health information through verifiable credentials. So, just so you know, we’re also both co-founding members of My Data Canada, and it’s a nonprofit organization that advocates for more personal data empowerment. So today we’re going to discuss the principles of decentralized identity and how a community has evolved them to a new type of infrastructure to solve some of today’s data privacy issues and how this is going to play in the rampant development of artificial intelligence. So, more importantly, what will this mean to founders who are developing applications and collecting and managing customer information towards this new privacy standard? So I welcome, Lucy, thank you for coming today.

Lucy Yang
Thank you, Hessie, for having me. I’m looking forward to our discussion today.

Hessie Jones
Yeah, this should be fun. Okay, so let’s talk about how you got started with Decentralized Identity. So, COVID was a significant event that actually started to surface some of the issues when it comes to personal data at a time when people’s identities connected to COVID vaccination were highly scrutinized. So tell us about the initiative and what you were trying to accomplish.

Lucy Yang
Yeah, sure. So I came from a business background. Never claim that I’m technical, but what I’m passionate about, and even before I get started in the space, is how to leverage technology, especially emerging technology, understand it well as a business person and use it to solve problems in a meaningful way. That’s also how initially I got in the space and COVID was kind of a turning point, I think, for a lot of us. Our life all of a sudden changed. And especially more and more, as you mentioned in the introduction, more and more of our lives are becoming digital and especially there are some kind of circumstances early on like in COVID where we have to share our health information and also to gain access or even just to there are a lot of scenarios. I think everyone is kind of familiar with that and which kind of brought a community that has been working on what we call user-centric identity to think about how the standard which you mentioned, verifiable credentials, can be used in a way that protects individuals when they’re sharing information about themselves, especially sensitive personal information and personal health information. And so that’s kind of how the initiative like the COVID credentials initiative got started. It was mostly by the community who have been in the past, I would say like even over a decade, thinking about how to bring more kind of control of our identity, our digital presence, to ourselves, to individuals. Certainly there are other aspects of organizations and things, but at least for that kind of initiative, we’re focusing on how for the initial kind of like the momentum is how to kind of bring back things to the control of individuals. So that’s kind of yes, particularly just like one emerging technology to solve kind of emergency issues, but which also have longer term implications. My work now is certainly beyond just COVID. As you mentioned.
I’m having my own consulting firm that kind of help particularly apply what we have learned in the kind of COVID health space into a kind of broader areas of our lives.

Hessie Jones
Okay, this is an interesting time as well because I know there was a lot of applications being developed and I think because of the time people were scared. I think that the scrutiny that came with being an individual who was unvaccinated or not vaccinated was one issue, but I think for the government, information was the most critical piece and they needed to understand where COVID was actually developing in what geographies and what areas so they could see the movement and the disease. And unfortunately that also has implications on what individuals can share. So that’s one area. So let’s go back a little bit and let’s identify decentralized identity and why you think we need to actually rethink about these representations of ourselves through our credit cards or our certificates, passports, et cetera and how they’re disseminated.

Lucy Yang
Yes. Let’s kind of go back to how we even get started, how we start using it in computers or Internet, right? I think we’re still using it today. We’re still using username and password. But at the very beginning it’s pretty much at the individual level. We’re not talking about enterprise, obviously today, but more like there are more and more people getting probably a decade or two decades ago, more access to Internet, more access to computer and to devices, right? And then there’s all these applications, web applications, mobile applications. And each one of that you’re kind of, oh, you have one password, one username and password and getting more and more it’s kind of exploding to a point where we’re is not, this is not how we want to manage our things, right, in a digital space. And then that’s also when kind of like the social networks, like know, also large tech companies know, Google kind of start to emerge and we’re like, okay, if everyone is kind of using kind of Facebook or some kind of social networks and you must have a username and password, a way of getting into it. So how about let’s leverage that as kind of our identity and try to get it into different apps so it’s easier for people. It is easier. We call it social logins. And I think many of you I’m still using it today. But what’s the implication of using that is pretty much whatever the applications you’re using that you use your Google or use your Facebook login is that they’re going to know who you’re interacting with, how you even get the ads and all the how much they know about you. You don’t mean it provides more convenience. But the idea of kind of being tracked by large tech companies is not like a sexy idea. And so they’re also kind of a more kind of jargon we use, we call it federated identity. We go from kind of like siloed identities, right? 
Like each application we have kind of our own username and password and then move from that to kind of more federated or centrally federated identities which are the social logins. And then we’re like, okay, how about us as individuals, we can have the same kind of control that we do in the physical world. The same thing happening in the digital world. I can give you an example because you mentioned driver’s license. The way we do it in the physical world is we get our driver’s license issued to us in a card and then we use it. And whoever issued us, they don’t know. I don’t know if I’m using my driver’s license to get a bottle of wine at LCBO gladly. So and then you want to do that in the same way in an online world. And so I mentioned social login. But in general, there are many ways of doing federated kind of centrally federations by, for example, one way of doing driver’s license. The same kind of government entity can issue you a driver’s license, like in a digital version, and then you use that when I’m buying alcohol at LCBO can use that digital credential and then share it with LCBO. But then the issue is how the LCBO is going to that. Do they get that information? If you’re doing kind of like central in a central way, then probably they have to ping a government database. So each time I’m using that driver’s license, getting verified. I’m not saying that’s the case. I’m just giving you an example of kind of prior to kind of decentralized kind of identity. What could be the case. It still could be the case today, but we don’t want it to be like we don’t want each time we’re logging to a new application, Google or Facebook know what we’re doing, the same, right? So the idea of decentralized identity is really kind of like disintermediate anyone in between that actually are our identity providers. Because if you think about it, actually Facebook and Google become our identity providers through the different applications. 
That’s not ideal, especially when we’re using those identities and they know what we’re doing and when we’re doing it and how often we’re doing it. So that’s kind of like decentralized, because when we’re talking about decentralized, what we mean actually disintermediate and actually let the individuals have controls at kind of like the center point is us.

Hessie Jones
So how would this look like? So let’s just say the way it works now, and let’s use a simplified example. You want to go to a bar. You want to prove that you’re 19 years old. So you hand the bouncer your driver’s license, and he not only sees your name, your address, he knows your date of birth, right? And that’s enough for him to let you access, right? But now he’s seen all of them, and he really only needed to see your age. So how does this change in the verifiable credential space when it comes to disintermediation? And what would that bouncer see in a verifiable credential for the person that’s trying to get into the bar?

Lucy Yang
Just one kind of small point of correction. I think he needs two things, right? He needs to know if actually I’m presenting my driver’s license, and then he needs to see if I’m above age. And it’s the same case. He needs to know it when we’re using digital version, right? So what we’re trying to do with verifiable credentials, verifiable credential is just one piece of the technology. But in general, the ideal end state is the bouncer, kind of like there’s some kind of verification mechanism, ideally just on his phone, where phone provided by the bar or something that can actually verify like a digital version of it, which he still needs to know. This is actually my actually it’s my driver’s digital driver’s license. He has to know, it’s actually coming from a legitimate government body that actually issued it, which actually this is something we can’t do in a physical world because you can fake a card, but in a digital world, you can do it and there’s a way to know if it’s a legitimate issuer. And another thing is, like you mentioned, is the age right? If I’m above age right, and he doesn’t even have to see my birthday. He just has to know, is this person above certain? And also when he’s doing, you know, he’s not pinging any government database. No one is knowing, you know, Lucy is using my digital version of driver’s license to get into a bar. So that’s kind of like what verifiable credentials, together with other supporting decentralized technologies, is trying to achieve.

Hessie Jones
Okay, so I’m trying to think whether which one we should go to first, identifying self-sovereign identity, which is the framework behind this, or actually going into what verifiable credentials are. Maybe we tackle self-sovereign identity as the framework first and then what does the infrastructure look like within verifiable credentials?

Lucy Yang
Yeah, I think it’s interesting, like you’re actually using an alternative term, right? Self-sovereign identity. I just wanted to kind of for the audience who don’t know, self-sovereign identity is actually an alternative term we use for decentralized identity. We’re less inclined to use it because self-sovereign is a confusing term.

Hessie Jones
Political too!

Lucy Yang
Yes. But what I was trying to explain earlier about what we’re trying to decentralize is the essence of what we’re trying to achieve. So hopefully we’re not kind of like getting confused by the term. But I hope that the audience get the essence of we’re really trying to give individuals more control of their digital presence and also, especially the way they have been doing in a physical world where we’re not trying to kind of give anything too kind of mysterious or anything. We have done things in a way in a physical world that we’re familiar with that also works a lot of time towards our benefits without having to kind of let anyone know we’re doing something with our physical cards. We want that in the digital world as well. So that’s kind of like the kind of control an individual can have of our identity and data online. This is what we’re trying to achieve regardless of the term itself.

Hessie Jones
Okay.

Lucy Yang
Yeah. Go down that path.

Hessie Jones
Okay, let’s go down now. Self sovereign identity. Okay. Same principles. So can you talk a little bit about some of the elements of it? Like user centricity, control, trust, and interoperability?

Lucy Yang
Yes, I think we touch upon user centric centricity a lot. Right. I give some context of how we started initially, so I’m not going to go down deeper there. But I think the one thing I want to highlight is the interoperability part you’re talking about, I think with user centricity and what is the second thing you’re saying? Trust, yeah, trust is really hard. How to put it? So there are multiple existing kind of writings that around the principles, which I’m happy to share so the audience can read it. It’s a hard word to define. So it’s also like a very vague word. I think the principles of these decentralized identity are more kind of like we’re trying to be tangible. If there’s a principle, there needs to be a way of actually using the technologies to do it. So I think I will bypass the trust part. But I think control is another thing you mentioned, right? Control.

Hessie Jones
Can I just add something? I’m thinking that even from a trust perspective, maybe it’s the infrastructure that defines verifiable credentials. Yes.

Lucy Yang
I think I would say trust is less of a principle, it’s more of a goal.

Hessie Jones
Okay.

Lucy Yang
It’s the same thing in the digital world or in the physical world. You’re trying to leverage tools, systems and technologies to actually achieve trust, whether it’s digital trust or trust in the physical world. Right. And then it’s a little bit different from the principles you have to hold. Right. So I think it’s important to kind of distinguish that. The last one was interoperability. Yeah, interoperability. I think going back to kind of like the earlier context of provider. So when we are looking at identity, when I first started in this space, I didn’t think about it. I think about identity as username and password, but I didn’t think too much about identity. In a sense, that how institutions have been before, prior to Internet age or prior to we have even computers, we have identities in just like a purely physical world that’s needed by institutions, our schools, the companies. That is something I didn’t think too much about. But in the digital world, we’re more inclined to think about identity. Like how we get into applications, how we kind of but the identity is way beyond that. So that’s one thing I want to say, and second I want to say when we’re looking at identity, we’re still more focusing on there’s this application I need to provide in my information. But what is happening now is there’s so much of our lives in the digital space, how the different kind of things we’re using to represent ourselves, actually, how these things work together. Because we’re not just used, I think, in the language of using credentials. If we have a digital driver’s license, and we hope that we can just have you use that digital driver’s license wherever we go, whoever is running the system on the other end to verify us, we hope that they can take the one digital driver’s lessons I got from the government. This is the case in the physical world, but technology is more complicated. Different systems are different based on different technologies. 
And so I think what makes digital identity unique and different is it’s one of those technologies that is not just a technology, it’s also an infrastructure. I think one example I can give is think about emails. So we’re using email programs. Whether using your Gmail or Outlook or other email programs, the one thing that we know, you know, whichever program we’re using, we’re able to send emails to others regardless of what kind of email program they’re using. So we look at them as applications programs. But actually there’s some kind of thing fundamental at the infrastructure level that enable all the different applications. There are some kind of ways to exchange emails, right? So this is the same idea or a similar idea in digital identity. Regardless of what programs, what applications we’re using, there should be some kind of infrastructure level that are kind of reconciled, so we can use our digital driver’s license wherever we go. So that’s kind of like interoperability piece. That’s why interoperability. It has been highlighted as a very important principle. I mean, there are different versions of principles, but this one is certainly a very important one to highlight.

Hessie Jones
The one thing I want you to talk about a little bit, because before we started this program, one of the principles that we had discussed was about the ability to kind of tamper proof the information between entities. What you had told me was that we wanted to create a higher level of assurance, and that tamper-proofing, it could be a goal, but are we there yet?

Lucy Yang
I think a better word to use is tamper evident. It’s really hard to tamper-proof. And so the reason why I’m saying is verifiable credentials and decentralized identity leverage a lot of modern cryptography. I think one thing I also mentioned earlier is if we’re using our physical driver’s license, there are so many ways to fake your physical card and go use it, right? What modern cryptography can help in a digital world is how to kind of bring more security and higher level of assurance to the digital to digital credentials you’re having, for example, in the form of your driver’s license. So that means, in a simple way, whichever authority can actually issue a digital driver’s license, he will have his keys. The organization will have the keys, right, that they actually sign the credential. And also the organization will have a way to actually publish. There’s a public key and private key. They use their private key to sign the credential, and they make their public key public, for example, on their website. So whoever the verifier is can actually use that public key to verify if an incoming credential is coming from that issuer. So that is something that you don’t see in the physical world. Which means, for example, if I somehow have the tools to actually issue a credential to you, Hessie, and says, oh, this is your driver’s license, there’s a way of a verifier can know actually the public key that is paired with the private key that signed the credentials. It actually doesn’t come from the authorized entity that can issue driver’s license. I hope that I explained a simple enough way, but the idea is there’s some kind of modern cryptography in place that can help improve the level of assurance of a credential in world.

Hessie Jones
I want to highlight one of the comments that came through from William because he said we need more training for normal people, especially as they trust more big data. And with the information that’s already out there, it leads us kind of into the before we get to the next question about the rampant adoption of generative AI, can you just provide the basis of verifiable credentials, like the three entities that conform to the foundational infrastructure?

Lucy Yang
Okay. It’s not too different from what we have in the physical world. If you think about, like, let’s keep using the driver’s license scenario, right? There’s an issuer that is a government body that issued the credentials. There’s a Holder, which is me, could be you, could be me. Individuals who actually get that credential issued from the government entity. And then I need to use the credential. Like, for example, I go to LCBO, or I go to a bar. There’s LCBO. The cashier is going to need to verify my credential, whether physical card or digital version. The same thing with the Bouncer. These are kind of the three key players in what we call it the trust triangle. And it’s the same thing in the physical world and the same thing in the digital world. But one important kind of party that we sometimes miss is these credential issuing and holding and verifying doesn’t happen in a vacuum. There’s actually certain rules and policies that are guiding it. It’s the same idea in the digital world. There needs to be rules, like who are legitimate issuers of a driver’s license. So actually the bouncer or the LCBO knows who they should trust as the issuer.

Hessie Jones
The oldest kind of a governance and policy level of that kind of role is also very important, I think, whether it’s in the physical world or in the digital world. So from what you’re saying is that to actually be part of this circle of trust, I guess there needs to be verifications around that too, right? Yes. You are a government entity and you issue driver’s license. From that perspective, by you being already part of that infrastructure, does that still provide make you still more vulnerable to, let’s say, breaches, et cetera, and the possibility that somebody may tamper with your infrastructure to create an identity that may be false, is that possible as a verifier?

Lucy Yang
It’s possible. I think there’s no perfect technology. There’s certainly risk still there, right? For example, on the issuer side, how the government entity manages their employee logins? How they manage that so that the only authorized individuals can actually issue credentials? And to the holders, like to you and I, are they also doing it responsibly? So that’s kind of the things you have it in a physical world, the same thing in the digital world. And also they have our data, right? The issuers do have our data, right? How they guard that data is not different, whether with verifiable credentials or without. And on the verifier side, it’s the same idea. I think that the thing on the verifier side is even trickier because when we’re then presenting physical driver’s license, there’s no data stored, right? They just look at it and it’s fine. Now, the verifier’s decision is I think there should be policy that says what the verifiers can actually data they can take and store. And also on the verifier side, there’s also some of their decision is how they’re going to deal with that data. Do they even want to data in the first place? Because when I’m presenting the information, even if verifiable credentials to a certain extent can enable me to selectively disclose information, it’s still information when it gets to the verifiers, get to the verifier. So that’s on their side, whatever they have to do to safeguard their system and data is still there. Even on the holder side, it’s still like how I safeguard my wallet, right, if I have a wallet that holds credentials. And how losing your phone could be actually a way of letting other people access your thing. These things are still, they exist before they still exist. But certainly the way the credentials work, right, and also the cryptography works certainly help improve assurance and security in some way.

Hessie Jones
Okay, so let’s talk about control or maybe lack thereof, especially now that we get into more of the generative AI stuff and where I think things are moving much faster and there is this I mean, the issues that exist even before AGI are now going to be faster, like manipulation and let’s say creation of fake accounts. How does that impact verifiable credentials? Like vice versa.

Lucy Yang
Yeah. So I just came back from one of the largest identity conferences in North America last week. I think one thing, like in the keynote we’re being discussed is like impersonation. It’s pretty much like, how do I know I’m actually speaking to Hessie Jones now. You could probably be like an image, like created that looked like you’re, very much like you or exactly like you by AI. And also your voice is also mimicked by AI. I don’t know. But in this scenario, the risk of me being getting into any kind of fraud where is low. But if you think about if someone is kind of important person, the AI is actually impersonating that person. So you can get into people’s bank account, all this kind of stuff, this makes a digital identity even more difficult, right? So it’s kind of reflections we’re doing at the conference, how our tools and technologies and infrastructure needs to evolve to actually to keep up to date with how AI and other technologies, the involvement of other technologies I think this is quite a kind of like scary example if you think about it. Okay, credentials can help, right? Because the things that, yes, the AI malicious can use AI to impersonate you, but the chances of them actually getting control of your credentials, which potentially in your wallet where you’re in some kind of encrypted data vault, it’s still low. Right? So how to kind of use digital identity, like secure digital identity technology properly to help kind of prevent kind of impersonation is something that we certainly need to think more about these days.

Hessie Jones
Okay? Yes, absolutely. Okay, so last question, because I know we’re running out of time. So for startups who are developing, let’s say, applications in this space, and increasingly many of these applications are going to collect and manage customer information, what should they know about how they can get started to integrating verifiable credentials into their tech?

Lucy Yang
Yeah, I think that’s a great question because, the reason why I mentioned earlier, don’t think identity, especially digital identity, just as logins or username and password anymore, right? It’s an actual infrastructure. I know that many of the current problems, there are existing solutions that companies can use. But as things evolve, governments are looking into how to build infrastructures to provide better public services in the world of identity. And more and more companies are actually adopting standards. Like the infrastructure I mentioned is actually standard, right? It’s our standard that enabling us to exchange emails. There are also open standards that we’re using to build identity infrastructures. I think for companies who are building applications, I think they need to first understand how actually go beyond just understand identity in a way that beyond just identification, username password, authentication, authorization, they’re still there. But there’s way beyond that, right? How a person’s identity digital representation online and how that kind of connected with the broader data space of the services or product you’re providing is something important and having that understanding and then come back to, okay, how these new kind of infrastructures could potentially impact them. I think a lot of companies, they don’t have to do a lot at this stage, but even just start to understand digital identity is becoming an infrastructure that is very important as part of cybersecurity or privacy part. It’s something that even us, we’re trying to understand more because cybersecurity, privacy and digital identity has been three things, but not necessarily actually connecting well from kind of an industry point of view. But I think at the end of day, an application software provider, an application provider needs to think about all these aspects and understand it trying to keep up to date so when the time comes, they can evolve accordingly.

Hessie Jones
Yeah, I think the one thing that I would always advocate is that especially if you’re starting a business and you’re developing some kind of digital platform, that privacy and security at the very least has to be at the foundation of what you’re building. You can’t kind of add it on afterwards. Now, because of regulation, because of the concerns that we’ve outlined here, need to be addressed at the very foundation of building that business.

Lucy Yang
Yes, I think one thing I would add is not only just risk reduction, but also potentially business value, right. Because as now, one key difference in the digital world in terms of identity is more and more people can become identity providers can become issuers. Right. The data you have about people, how that can be valuable for the individuals, but also using new technology, you can enabling them to have more control of that. So you’re actually providing more business value to your customers and potentially to your partners, which will actually help you help your business also start to think about that way too. That’s something like we have been helping many of our clients with.

Hessie Jones
Okay, thank you. I think that’s all we have for today. Thanks, Lucy, for joining us today.

Lucy Yang
Thank you Hessie, for having me. And thank you everyone, for tuning in. And we’re watching it.

Hessie Jones
You can actually connect with Lucy on LinkedIn, by the way. And I know she and Kaliya Young are doing a lot of amazing work for you, our audience. If you have any great ideas and topics that we should be covering on the show, email us at [email protected]. We are also on podcasts, so Tech Uncensored. Wherever you can find your podcast, that’s where we are. Thank you for joining me. I’m Hessie Jones, and until next time, have fun and stay safe. Thanks.

Lucy Yang
Thank you.



Altitude Accelerator
https://altitudeaccelerator.ca/
Altitude Accelerator is a not-for-profit innovation hub and business incubator for Brampton, Mississauga, Caledon, and other communities in Southern Ontario. Altitude Accelerator’s focus is to be a dynamic catalyst for tech companies. We help our companies grow faster and stronger. Our strength is our proven ability to foster growth for companies in Advanced Manufacturing, Internet of Things, Hardware & Software, Cleantech and Life Sciences. Our team consists of more than 100 expert advisors and industry, academic, and government partners. The team helps companies in Advanced Manufacturing, Internet of Things, Hardware & Software, Cleantech and Life Sciences to commercialize their products and get them to market faster.
