Interview with LifeID CEO Chris Boscolo: Decentralized Identity
2019-04-23
Media: Decentralize Me Podcast
Date: 04/23/2019
Anchor: Today, decentralized identity is one of the biggest topics in the blockchain industry. One of the many reasons is that many consider decentralized identity and supporting standards to be the silver bullet when it comes to solving many of today's issues with the internet, whether it's hacks, 3rd party ownership of digital identities, or giving users the ability to make decisions about their own data. We are fortunate enough to have a thought leader in the space join us to share some of his thoughts on the current state of the identity industry and where he sees it going in the years ahead. Let's welcome the CEO of LifeID, Chris Boscolo, to the show.
Chris: So, I don't know how many people realize this about LifeID and the original idea behind it: it is blockchain-based, but it's actually not solving a blockchain problem. It's using blockchain to solve a problem that we had before we ever had blockchains.
How do you deliver an identity system that allows everyone to trust this thing without the thing usurping the trust and making everybody go through it for the identity? So, we've spent a decade building out a massive federated identity infrastructure. You've got everybody using Google, everybody using Facebook or everybody using some other federated ID, and it's very convenient. So how do we deliver the same convenience without all of that power and money concentrating into those organizations, where they don’t really care about your privacy? Blockchain solves that problem very well.
Anchor: Yeah, so I was just being this morning, I wanted to get your thoughts when you hear this statement "Google wants to make its enterprise cloud platform the center of the universe for Identity and Access Management", what goes through your head when you hear this? They do have the money, they have Google single sign-on, which who knows how many people are really using it?
Chris: Yeah, I think the scariest thing about that statement is that they are maybe in a position to maybe pull that off and that's kind of frightening, right? Think about how many people use Gmail or G-Suite in businesses, they are in a position to make using your Google identity very convenient. So they are in a position to do that. And what's scary about it is they genuinely don’t understand the problem. It’s actually in their DNA, they don't understand the privacy problem.
I've been to W3C meetings where there are Google people present, and they fundamentally do not understand when we talk about DIDs and the idea that users will control the keys to those identifiers. It's a concept that is very foreign if you work for Google. I don't think they realize they are the Borg.
So yeah, that's like I said, the most frightening thing about that statement is they could maybe pull it off.
Yeah, unfortunately, we are seeing a movement within the W3C and within companies, utilizing this new paradigm for identity that we call Self-Sovereign Identity, although it's a very horrible name because it really has nothing to do with sovereignty.
And that, unfortunately, scares away some people, governments as an example. They don’t like to hear that word. In reality, the government is sovereign and not the users. The idea is that the users remain in control over the identifiers that are representing them in the digital world and they remain in control over the credentials that are assigned to those identifiers.
So those are the two building blocks that are going to make this new identity paradigm happen.
Anchor: So that, of course, leads me to the next question. Because there is another gorilla in the room called Facebook. I've read a lot recently about Facebook adopting cryptocurrency and potentially building blockchain/crypto into their apps like WhatsApp, and I'm curious from your perspective whether you think this is realistic, but secondly, what is in it for Facebook? And why would they change their business model to support this change?
Chris: Right, where they are taking information about you and basically selling it for the purpose of advertising to you.
It's an interesting question. By the way, it's also super exciting, because right now what's going on within the W3C, or the community of people that are working on these DID standards, is: should there be a litmus test for whether a DID can be called a DID or not? In other words, DID stands for decentralized identifier, which is basically a unique identifier that's made up of a bunch of characters: DID, colon, a method name, colon, and then the method-specific identifier, etc. And in the end, well, anybody can build their own method.
And so, Facebook, for example, could build their own method. And so, what's going on in the conversations amongst people is: should Facebook be able to create a Facebook DID method where the resolution happens by going to a Facebook server? So, is asking them for the DID document associated with that DID method indeed a decentralized identity? I think it's pretty easy to say, no, it is not. So the question then is what is in it for Facebook to use DIDs, and if they use these DIDs, are they merely doing it to usurp this new thing that's coming? And they're also kind of in the same position as Google: they have enough users that they have a chance to pull off something like that.
The challenge is I don't know that we should presume that Facebook is going to do that. And I know there's rumors that they're investing in blockchain and I come out with a Facebook coin. I think it’s plausible that Facebook would create a DID method that actually is truly decentralized and why would they wanna do that? Well, they still want people to use Facebook and so if they bridge that convenient gap for users, and they build the wallet and they do it in a way that is decentralized so that people have the choice to exit and choose another provider that is gonna if there's something about Facebook they don't like then I think they still may want to do that, and they always may be able to do it in a way that actually allows users to maintain the control over their identifiers.
So I think the difference between Google and Facebook, and I believe, though I could be wrong in this, I believe that user perception today is different for their users. Many users don't see Google the same way they see Facebook because of what happened with Cambridge Analytica, and this is the only political statement I'll say: if Trump wasn't elected, then perceptions likely would be different. In other words, if Hillary had used that data, I am not sure anybody would care, but that is all just speculation and perhaps something driving user perception about the two companies.
Anchor: With decentralized identity in mind, what I've been thinking about is the concept of decentralized marketing and how that might actually work in the future. How do today’s personalized marketing efforts change or get challenged with the implementation of decentralized identity?
Now that I don't have access to all the data about a particular person how do I as a marketer target that user? In my mind, decentralized identity isn’t just disrupting “identity,” but in fact, this technology is disrupting a whole bunch of industries at the same time.
Chris: So that's an interesting thought. I don't know that it would totally disrupt it, because a lot of the marketing data is collected in aggregate, where we're not identifying individuals uniquely, and I think that data will still get created and still be generated in a world, presuming a world where everybody has a DID and can truly interact digitally in a private manner.
You're still leaving off what people call digital exhaust.
I think the difference is in homing in on any particular user. Now you just maybe need to ask their permission, and they might give it to you.
And so, even better, is that they might ask you to pay for it, and as a marketer you are actually paying for it either way, it's just... Do you give it directly to the end-user or do you provide it to an entity?
Anchor: What do you think about Brave and their Basic Attention Token?
Chris: I think that it's awesome. In my mind, that is definitely a step toward the future.
Going back to the previous question and that there is a critical role for trusted entities like governments and big organizations.
They still are going to play an essential role in this.
DID is only part one; the other building block is verified credentials, and verified credentials are the packaging of what you wanna say about somebody as another somebody. So for example, we were talking a little bit earlier about the part of the US government that issues green cards. That entity is authoritative on who gets a green card, and they can create a verified credential and sign it. And so if you're the person holding the green card, that verified credential is given to you by the government, and they also have a copy, and that can be presented to somebody else to confirm that you are a green card holder, and this somebody else is going to have to trust the US government. Well, that trust pretty much for most people is already in place, right? I, as opposed to it. I think sometimes we think of this decentralized world where there's no conveyance of trust using trusted third-party entities, and that's not the way it would work. I wouldn't show up at a bank anonymously and make them figure out who I am without giving them any help. And so, those larger organizations still will play an important role in issuing those verified credentials.
The difference is that the users have a choice.
They can exit, they don't have to participate, and can choose who they want to interact with, whereas today, that's not really a choice, if we use our credit card to buy information, that information about that purchase is sold with an entity else without our consent. We have no say in the matter, today.
Anchor: What is the role of zero trust technology?
Chris: As in zero knowledge? It’s vast, but it is also very early. So zero knowledge technology is what's going to ultimately be the last leg of the privacy conversation with regards to DIDs and verified credentials. Today DIDs are pseudo-anonymous, in the same way Bitcoin is pseudo-anonymous, but I think, as a lot of criminals have learned, pseudo-anonymous means actually you're still very trackable.
Okay, so and so there's, there are some challenges, and this is definitely one of the problems in any digital technology conversation is it's effortless to correlate data.
We are really, really good at it.
Now we are collecting piles of it, and we have machine learning and it's crawling all that data. So the zero-knowledge proof is gonna deliver that last bit, which is the ability to transact privately to the extent that governments allow it, because now we're starting to enter territories where you will be able to transact in ways where governments maybe can't collect their taxes, or they want to enforce anti-money laundering laws. So there are going to be some challenges, but it will deliver the privacy part of it.
However, we're just in the really early stages. So, I think adoption is going to happen without the zero knowledge being a fundamental core part of the story because it's too soon in an install a slow, too slow for production use.
Anchor: Here is a what-if scenario – what if a private key is compromised? And what are some things that can actually be done to reduce the loss or potential identity theft that could happen within this new privacy paradigm?
Chris: That is a great question. And so, the first question is: compromised how? Let's imagine a scenario that I already threw out there, which is the green card. So if I, as the DID owner, want to transact with that credential, I need to sign something that proves I have ownership of it. If I lose, or if somebody else gains access to, the private key that allows me to do that, then they could sign on my behalf.
The reason that DIDs are so powerful, first of all, is that you as the DID owner, depending on which method provider you're using, can rotate the keys that are in play for that particular DID. And so, for example, with LifeID that's one of the built-in things. You can go to some entity that you trust when you're setting up your wallet to say, “Hey, will you be my back-up? Then I come to you if my keys are compromised and you’ll help me get a new key associated with my DID.” So that's part of the advantage of a DID approach, which includes key rotation, and that is the name of the game.
So you may not know this about my background: I came from the world of internet security, and I would argue that you should assume it's going to happen, and if you don't build the technology thinking it's going to happen, then you're going to find yourself in big trouble when it does happen. And it's just like, I just posted this today. Back in February, Microsoft found out that someone had broken into their email servers and were reading everybody else's email for. So, even the mighty Microsoft, which is a top three Cloud provider in the world, gets caught with their pants down sometimes.
I agree, and it’s safe to assume that it's not if it will happen but when it will happen.
And in fact, the product design should make it so easy for dealing with these situations and having key rotation should always be part of the product experience because the end user should know it shouldn't be hard for them, it should be so simple.
Anchor: What's next for LifeID and where do you see the industry going over the next few years?
Chris: I'm very excited. I'll answer the second one. We are moving from a world where we're using username, passwords, and systems that act as a proxy for who we are online and are controlled by 3rd parties or services that can identify where we are going and what we are doing to a new one where we're actually going to have digital identifiers that are under our control. Not necessarily the control of a third party like Google or Facebook. And, we're moving to a world where the very large organizations like the US government are going to issue verified credentials using these same standards that allow you to use your digital identity online with another party.
So that to me is very exciting. That means we're laying the foundation of a new identity paradigm where users will be able to control the amount of information they have to disclose with another party, they'll be able to control the mechanisms they used to change digitally who they are with another party, and they'll be able to, as we talked about a little bit earlier with the zero knowledge stuff that's coming, they'll be able to do it in a way where they control how much the privacy information they have to devote.
So that's super exciting, so where does LifeID fit into the new identity paradigm? We are building some technology to make it possible for users to have a wallet where their identifier information can be stored online or in their mobile phone, utilizing a network that can exchange these identifiers with entities when they need to prove who they are to those entities. So that's why I'm excited about the identity future.
Anchor: Well, thanks so much for joining us and I know you got me excited about the future and the work that LifeID is doing.