Making Data Better

EP14: Steve Wilson on NAB Digital Next Podcast

Lockstep Consulting Pty Ltd Season 1 Episode 14

Lockstep's Steve Wilson just appeared on the NAB Digital Next podcast with host Alysia Abeyratne. NAB has kindly allowed Making Data Better to repost the podcast here.

If you want to understand how to untangle the knots we’ve tied around identity and identification online, take a listen.

Alysia asks important questions and Steve provides really crisp answers and explanations on:

  • The evolution of digital identity
  • Verifiable credentials
  • Commentary on Australia’s Digital ID legislation.


Speaker 1:

Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use the digital data critical to our lives. I'm George Peabody, partner at Luckstep Consulting, and I'm here to plug and play a recent episode of the NABD Digital Next podcast with host Alicia Abratney and my partner at Lockstep, steve Wilson. If you want to understand how to untangle the knots we've tied around identity, take a listen. Important questions and Steve provides really crisp answers and explanations on the evolution of digital identity, verifiable credentials and includes some commentary on Australia's digital ID legislation. So let's get to the NAB Digital Next podcast.

Speaker 2:

Hi, I'm Alicia Aberatney and welcome to NAB Digital Next. Today, we have the privilege of being joined by Steve Wilson, a true pioneer in the field of digital ID. Steve is a leading international authority on digital ID, cyber security and data protection, with over 35 years experience as an innovator, researcher and advisor, and has been doing digital ID since well before. It was cool. Steve holds six patents, three of which are in public key security. Steve is a co-founder of Lockstep Consulting and advises governments globally, including, most recently, helping to develop a mobile credentials wallet for the US Department of Homeland Security and advising the New South Wales government on their leading digital driver's license initiative.

Speaker 2:

In 2018, steve was described as one of the most original thinkers in digital identity in the world today, something which certainly continues to ring true. I first had the great pleasure of meeting Steve at a roundtable NAB hosted on Digital ID last year, where he generously shared so many gold nuggets and wisdom, which we can get into later in the episode. But without further ado, welcome Steve. Thanks so much for being on NAB Digital Next.

Speaker 3:

Oh, what a pleasure, Alicia. It's great to be here. Thanks for having me.

Speaker 2:

Thanks, Steve. So one thing that really interests me about digital ID and this field is the diversity of journeys to working in this area. Before we dive in, it'd be great if you could share what was your on-ramp to digital ID and what drew you to dedicate much of your career to working in this arena.

Speaker 3:

Oh, wow, thanks for setting this up so nicely. So everybody's got a different background, for sure. Some of us come from like hard engineering, so my start was software engineering. I worked for a pioneering medical company in Australia developing software for pacemakers. So you know very high reliability, what we call tightly constrained, like not very powerful computers and not much memory to play with. So I learned the art of quality and hard engineering, which were skills that kept coming back as we get into security. But then I flipped accidentally. I needed to change jobs and I picked up a job running software development for a startup company in Australia. It went on to become Baltimore Technologies, which was a famous PKI and smart card company public key infrastructure. So I was there at the dawn of e-commerce. This is 1995. And Australia was leading in the area, leading in PKI. We were part of the APEC TEL, the Asia Pacific Economic Corporation, working on e-signatures and e-authentication and some pretty weird stuff, even before we were buying much online. So I was lucky to be in the room as we were developing the world's first e-signature legislation. That was around about 2000 that Australia passed a technology neutral e-signature law.

Speaker 3:

Pki was there. It was dominated by defence thinking. It was actually thought to be a national security technology. So we wound up with a lot of onerous operational standards. Some of them are still with us today when you look at things like TDIF. But more importantly, we had this really naive metaphors for identity. Back in those days we were talking about passports and signatures and all sorts of stuff. That is just ways of helping people to think about some new stuff. I saw the potential back then to be talking about credentials and I think it was 2003. I wrote an article about electronic business cards and ever since then I've been conscious of language and conscious of the mental models and conscious of the way that we think about problems. So here we are today still trying to rethink the problems of identity.

Speaker 2:

It's a fascinating journey. Steve, and your sentiments about the importance of language and shaping thoughts and how we approach problems. That really resonates and I'm keen to pick up on this thread later on in the conversation. But I guess to pivot slightly as an early innovator and someone who you know had so many prescient ideas in digital ID, I'm curious about how you see the problem space that this technology can solve for.

Speaker 3:

Thanks, alicia. It is a bit of a story and I think we learned from history. There's an old I think it's an Indian proverb why are things the way they are? And the answer is that they got that way.

Speaker 3:

So we need to look at the history and the evolution of digital identity. You know, we started, as I said, with these naive metaphors about a passport. There was even a product called Passport and it was thought that we could have an electronic thing that would allow us to go from place to place in cyberspace and prove who we are and get on with things. It turned out to be really hard to have a general purpose proof of identity. So we got smarter and I guess, starting about 15 years ago, we started looking at assertions and attributes and claims, which are words that are more or less synonymous. But you know, I boil it down to what do you need to know about somebody? And that varies from application to application. What else do you need to know about the credential? So it's really important to know who the issuer is of a credential, and that's why there's no universal identity, because every credential, every important fact, is issued by somebody else. So that evolution has got us to where we are today. We have a very sophisticated technology, which we'll talk about verifiable credentials. It lets you know where credentials come from. It tells you the history of a credential. It even tells you how a credential has been carried, so you know. We need to know the difference between smart cards and passwords. It seems obvious, but the cryptocurrency people actually fell into that one. It took them a long time to understand how important hardware wallets are compared to passwords and hard drives, and that's why they lost so much Bitcoin in the old days.

Speaker 3:

So let's sort of recap I think we've got to a place where, instead of talking about identity, we ask design questions like what do I need to know about you, alicia, right now to be able to transact with you? And if we're doing something important, I don't trust you. I need to know where your credentials have come from. So you're trying to tell me that you're a cardiologist and you're going to implant a pacemaker. Well, great, but I need to know where your cardiology credentials have come from and I need to know that the pacemaker is genuine and I need to know that it's been clinically tested. So all of that you know.

Speaker 3:

It's called provenance. Where does the data come from. How do you know that it's true? And that's where we've landed. I'm excited that you see the same pattern recurring through digital credentials, artificial intelligence, iot. We need to know about IoT devices, we need to know about the software, we need to know their history. So that pattern what do you need to know about somebody? Where are you going to get the data from? I think it's a super important pattern and that's where we are. This is what we call identity. Now, it's really about data and the story behind the data.

Speaker 2:

I love that, steve, and I think your point around data provenance and I know you've captured it in other terms before the metadata that you speak to I think that's something that is so fundamental and oftentimes I find that it's missing from the conversation around digital ID, so I'm grateful that you've drawn that out here. You've drawn that out here. I'm going to shift gears a bit now. There is a lot of technical terminology in digital ID, as with many areas. For those who maybe aren't familiar, it would be great if you could break down the concept of verifiable credentials, which I think we're hearing a lot more about now and as this technology perhaps becomes a bit more, dare I say, mainstream, it would be great if you could just break down what is verifiable credentials. How should we understand that term?

Speaker 3:

Yeah, very cool. And let's remember to look back at the end of this little story about mainstreaming verifiable credentials, because they're more mainstream than people think already. So credentials, I think in English we know what a credential is normally and there's all sorts of different credentials. There's, you know, driver's licenses and and trade licenses. So plumber's credentials somebody comes to my door to fix the tap and I, you know, want to know that they have a credential. Um, so credential is a word that we know and we also know that credentials come from issuers. So university credential, you, you know it's almost like the brand of the credential, the prestige or the reputation of the university matters. So we know all that with credentials. Driver's licences can only come from a driver's licence issuer. Other credentials can come from multiple sources. You know there's different sources of trade qualifications et cetera. So we kind of know all of that.

Speaker 3:

Now we're going to throw in cryptography and call it a verifiable credential. Now, all we mean by that is is there like a mathematical trick to bake in the brand of the credential? So how do you know who issued it for sure? So that's what the verifiable part is. It's done. This is the only technical thing I'm going to say it's done with digital signatures and those need keys. The best digital signatures come out of hardware and you know in banks we know that ATMs and EMV chip cards, chip and PIN cards these things are all based on standards-based hardware with cryptography and keys and certification and standards. So all of that stuff is well known in banking. The same principles apply in this thing called verifiable credentials. We want digital signatures created with cryptographic keys. You want those signatures to be reliable. You want them to come from hardware, ideally.

Speaker 3:

Now there's an extra twist to this. The verifiable credential is signed by the issuer, so it's like a brand or a stamp. But every time I have a verifiable credential I'm carrying it in my smartphone, for example. Every time I present it, I want the verification of the presentation as well, so that if the credential is stolen or copied and counterfeited into some other sort of format, you want to make sure that it's useless if it falls into the wrong hands. So there's another key and it's in my smart card or my smartphone and when I present a verifiable credential then it's signed again. It's countersigned by the holder. So that's as complicated as it gets. Now I was going to come back and talk about how sort of mundane some of this technology is. We've actually had a type of verifiable credential almost all of us for over 30 years, and it's called a SIM card.

Speaker 3:

So a SIM card is a chip in your phone and it's digitally signed by the telephone company Telstra or Optus, and it's a signed assertion of the fact that you are a telephone customer of that company. Every time you pick up your phone and dial a number at the start of the call, the SIM card signs the start of the call. It signs a message to the network that says hey, this is the telephone number 1234. It's been signed by Telstra and the start of this call is timestamped and it sends this message into the network. The network might be in Japan or anywhere in the world. The destination network picks up that signed message. It knows that the origin of the call is genuine. It knows which origin network is involved. It's got all of the data that it needs and the metadata to create a bill. It's as simple as that. Worldwide roaming and worldwide billing depends on the SIM cards sending little signed messages at the start of every call, sufficient to create bills and sufficient to know where the calls come from.

Speaker 3:

So a verifiable credential. It's a very special purpose. It only does one thing it starts phone calls. But that idea that you've got a chip and you control the chip and you unlock the chip in your smartphone and you use the cryptography to send a message, that's all there is to it, and we've been doing this for years and years and years. What's happened recently is that this technology is becoming more widespread. It's becoming open sourced, it's becoming available to different applications so that we can, instead of just verifying our phone number, we can verify all sorts of other things.

Speaker 2:

I love the way you broke that concept down, steve, in such a clear way and really demystified it the fact that we have this in our phones, we've been using this for such a long time and these credentials, as you say, they're limited to the use cases that they're relevant to. So I think that ability to selectively share is something which is so powerful, really, from a privacy and data minimisation perspective, something which I think if more people were aware of, they would all be great champions of digital ID. And then the way in which these verifiable credentials are tamper-resistant that's something that relying parties really need right to be able to trust the legitimacy of those.

Speaker 3:

Exactly. You know the problems that we face with the vulnerability of data when it's breached and people can know secrets about me. They shouldn't be secrets. My driver's licence, my passport, my Medicare number these should not have to be secret. But we are vulnerable when they fall into the wrong hands because they can be used behind our back. But that idea of a SIM card and a verifiable credential all we're doing is taking those principles and making them more widely available now, so that driver's licenses and Medicare numbers and when we present those things online, when we put them into forms, the relying party can be sure that the data is original and it hasn't been stolen and it's been presented by the person who controls it.

Speaker 2:

So I just want to pick up on what we were talking about earlier around the importance of language in framing the problem space. You've been fairly vocal about the need to take identity out of the picture when we're talking about digital ID, and you've been an advocate for nuance in language. Why do you think this is so important?

Speaker 3:

It's really great to see organisations like NAB. You know the roundtable that you referenced before last year and this year those roundtable events have really been concentrating on the meaning of words and language and making sure that it's clear, so that's great to see. There is a lot of nuance here, but I'm a bit famous for being non-nuanced. I've written blogs in the past that says forget identity or identity is dead, and you know I have a turn of phrase that tries to catch some attention sometime. The thing I'm trying to attend to is this problem of what are you trying to solve? For what do you really need to know about somebody? And when you put it out like that, we all know intuitively that the less you know about me the better. I want to identify myself as little as possible as a customer to you, the bank, and usually you know once I've done KYC. All you need to know about me is an account number or if I'm shopping and using a bank credit card, all the merchant needs to know is the bank issued credit card number. So we want to take identity out of it. We know that Technically it's called data minimization or disclosure minimization or purpose specification.

Speaker 3:

The privacy law has got all sorts of words for it. It all boils down to minimisation or disclosure, minimisation or purpose specification. You know the privacy law has got all sorts of words for it. It all boils down to the need to know principle. What do you really need to know about me? And it's almost never my identity. That came clear in the first roundtable that we did at NAB. So if you don't need to know my identity, we shouldn't be calling this thing digital identity. It's as simple as that.

Speaker 2:

That makes a lot of sense to me. Now. We've spoken a lot about the fact that many of these concepts like verifiable credentials have been around for a long time, and you've been in digital ID for over three decades. Why do you think it remains such a hard nut to crack in many places? If you do agree with that hypothesis, and what have you maybe seen change in more recent times which might give you some hope that we are in fact making some progress here?

Speaker 3:

It is a hard problem, alicia. There's no backing away from that. It's famously that, empirically, it's the hardest corner of cyberspace, that we've been talking about this for 30 years and meanwhile cyber technology, and security in particular, goes ahead in leaps and bounds while we're still talking about identity. So I think that we've made it hard for ourselves by using bad metaphors.

Speaker 3:

There's no, getting around it, it's not identity ourselves by using bad metaphors. There's no getting around it. It's not identity. We need to know things about people and if it's not identity, then let's call it what it is. It's usually credentials, it's usually like specific facts and figures, maybe like just an account number. Like I said, I think that we need to acknowledge and always have in mind that it's not just the data, but the metadata, the issuer, all of the other details, the secondary details around the data, and if we always frame the question around that, then I think that things become a lot clearer.

Speaker 3:

So we are making progress. We've got white label verifiable credentials. They're just data structures that can be loaded onto wallets and smartphones and they can be customized. And the really cool progress is that now that we've got new standards you know the World Wide Web Consortium, the W3C, the mobile driver's license standardization using this technology specifically for driver's licensing, but also broadening it to what they call MDocs mobile documents. So that's another standard. The standards are nice and firm. Now, correspondingly, we're seeing white label services, so you can get verifiable credentials customized to an enterprise's need and then issued in bulk from a cloud service, and I think that that's a really powerful business model that's emerging and that will commoditise this thing called verifiable credentials. Enterprises will be able to convert employee IDs, universities will be able to convert student IDs. Banks, of course, will be able to convert credit cards and other banking instruments into verifiable credentials, load them onto wallets, digital wallets and have people present exactly what people need to know when they go about their business online.

Speaker 2:

That's fantastic and it's great to hear about these advancements.

Speaker 3:

Yeah, it's good to be in the middle of all of this and to see in many ways some old business models are now being more thoroughly digitized, creating verifiable credentials in the first place, with the hardware and the cryptography. This is specialised stuff and you can do it at home. You can roll your own. You can get open source software. We've seen that movie before. We used to do PIC AI in the enterprise and then there were PIC AI cloud services.

Speaker 3:

You can do your own magnetic stripe photo IDs if you like, and big businesses used to do that. You know a new employee would go up to HR and sit down with their hair nice and neat and tidy and get a photo taken and a photo ID with a barcode, whatever you know, all of that stuff would arrive in your inbox and then you'd flash it every time you go to work. Well, it's the digital equivalent of that now, and there's a business model where, instead of taking photos and producing plastic cards in the office, then you outsource that to a verifiable, credential cloud service. So it's really cool seeing this stuff come to fruition in a way that replicates the good stuff of the old business models. It conserves so much of the way that we deal with people. It conserves the meaning of a credential, but it allows you to digitise it and keep its context when you take it around online. It's fantastic.

Speaker 2:

Okay, steve, as a final question, casting your gaze to the future, are there any sort of developments in digital ID? You've alluded to a few, or perhaps some trends you're seeing overseas that you're excited about or that you think could be really game-changing.

Speaker 3:

Well, the amazing game-changer is happening at home, and I want to talk about the digital ID bill, the Commonwealth Bill. It's actually now nearly an Act of Parliament, isn't it it?

Speaker 3:

certainly passed its legislative hurdles last week. So digital ID it's a simpler concept. They're making it smaller. I think that digital ID should be as small as possible. You know, the IDs that we have are just database indexes. My Medicare number is just an index into a database. We should conserve that. We should conserve the meaning of employee numbers and driver's licenses and credit cards and all of those different numbers. That's what the digital ID bill does. The Australian Federal Digital ID Bill recognises that we have IDs in real life and we should be able to govern the digital format of IDs in a much more secure way.

Speaker 3:

So it's a response to the famous data breaches in the last two years, where stolen data just gets reused. And you know why? It's because we have this ridiculous pattern of using plain text data, plain text identifiers. My driver's license I don't know, it's six numbers and two letters. I won't tell you what that is, but it's imprinted in my brain and I hate having to change it and I just use it as plain text. And even worse, people accept it as plain text. Businesses ask me my driver's license number as proof of identity. It doesn't prove anything. It's just what geeks call a shared secret. And after a data breach. It's not secret anymore, but our only response to plain text data breaches is to change the plain text and reissue everybody's driver's licenses. We have to stop that pattern. It's ridiculous.

Speaker 3:

Now, 15 years ago, the banks did stop that pattern. The banks went from plain text credit cards, magnetic stripes of plain text credit cards, and they went to chip. And the chip is another verifiable credential. So the credit card number in a chip card is signed by the bank and every time I dip the card at a merchant terminal it's signed again. It's countersigned by my chip. So that's the pattern that we need. We need to get away from plain text to verifiable IDs, and that's exactly what the government has done. I think that that's the game changer. So it paints the way forward. It actually shows sorry to get so excited about governance shows sorry to get so excited about governance, but it shows how you can govern IDs as a special form of data.

Speaker 3:

The government, in its wisdom, is giving the ACCC the power of the digital ID regulator and the ACCC say what you like about CDR. It's far from perfect, but it's a good model. It's a good first start. I'm talking about the consumer data right, the data sharing regulatory regime. It's got lots of teething problems, but the regulatory model is in the right place and it's reproducible. And the things that we're doing to protect data sharing are now going to be done to protect ID presentation, and I think that that's game changing. I think that it's turning out to be done to protect ID presentation and I think that that's game changing. I think that it's turning out to be world's best practice.

Speaker 3:

So if we can have a uniform approach to data and metadata like what do you need to know about me and how are you going to know that it's true, if we can govern that, then we're going to do something that's much bigger and much more important than identity and we're going to look at the quality of all data, because this pattern replicates in AI.

Speaker 3:

The wicked problems that we have at the moment with deepfakes boil down to you don't know where the data's come from.

Speaker 3:

Now, if we could have a governance regime where important data so an image or an article, any piece of content from an author and a publisher if you could be sure about where that stuff has really come from, if you could be sure about its provenance and if you could be sure that authors and publishers and AI algorithms are all anchored, rooted in a hardware, verifiable credential, then you could be sure where the data has come from, you could be sure that it's intact and that it's genuine. And that's where we're heading. We're heading towards a governance regime for all important data, so that we know where data has come from, we know what it was intended to be used for and we know that it's always been in the right hands, so that, I mean, that's the game changer and that's what we're sort of. We're prototyping that in Australia the governance regime for digital ID and the work that is happening through, like the Nairb roundtable, flushing out use cases and working out what do you need to know about people. That is a game changer.

Speaker 2:

That's so exciting and I think a lot of what you've said I totally agree with you. I think it is exciting in Australia, both the digital ID bill going through the Senate and soon to be passed, hopefully, and also what we're doing with the consumer data right. It really is world leading and from a privacy perspective I feel like it is best practice and a gold standard the way in which individuals can share their data for their own benefit. So I think that really is fantastic, that we're leading the way on both of those fronts. So absolutely echo all of that. Steve, thank you so much. I feel like we could easily spend the whole day chatting about this topic, because there is so much to dig into. We are going to have to wrap it up here.

Speaker 2:

I'm going to attempt to summarise a few of the themes that stood out to me there were so many, I think. Firstly, the importance of language and how we label the problem space, and then how that impacts the design of the solution For digital ID. You've talked about the fact that in most cases, we're not interested in identity, hence the move away from that labelling, and you've given us a really important call to action to start with the question of what do you really need to know, and I think that's so powerful. I really love that you reference these fundamental concepts of provenance, data quality and knowing about the lineage of that data, because often I think that's either forgotten from this discussion around digital ID and, as you say, it's going to be so relevant in other contexts in AI and where is this data from? So I think that's really important.

Speaker 2:

And finally, we heard about the need to move away from plain text data and instead use this really amazing technology of verifiable credentials, which we've had in many instances, but now it's becoming more ubiquitous and accessible to companies and individuals. Steve, thank you so much for again so generously sharing your time and your knowledge and insights. It's been such a pleasure speaking with you For our listeners. You can read more about Steve's work on his website, lockstepcomau, and Steve and his co-founder, george Peabody, have an excellent podcast themselves called Making Data Better, and you'll soon be chatting to one of our colleagues, olaf Gru, which will be a fantastic conversation. We'll also make sure we leave a link in the show notes to the website and podcast so listeners can check it out. Thanks everyone for listening to Navdigital Next and stay tuned for more episodes to come.

People on this episode