Building A New Foundation for Decentralized Identity

Written by Ron Bowron

Those of us from the Apple IIe and Windows 3.1 generation all remember the days of “Granted until Denied” permissions and the simple Access Control List. Imagine having full access to the computer and all the system’s resources just by logging in. We were gods in our own little computing worlds. The mid-range, mainframe and supercomputers had their ACLs, with the King’s guards (e.g. “computer engineers and scientists”) using locks and keys to rooms, low-level binary or COBOL coding, and proprietary communication and access control protocols to secure the data center’s most treasured database assets and information. I recall reading articles about how these “Highly Secure” systems laughed and scoffed at Apple and Microsoft as if they were light trucks trying to play in the field of giant earth movers.

However, history and science have a way of showing how a large number of very small but powerful and distributed sets of resources can in many ways do much more work than a single, centralized, consolidated, large system. Once the Internet Protocols (e.g. TCP/IP) were introduced, the whole world was colonized with networks spreading out like ant or bee colonies, with servers as queens and the workstations as the data gatherers and information workers. And then the event of all events occurred… “Al Gore invented the internet!” Well, not actually. In the early 1980s the Open Systems Interconnection (OSI) model became the leading infrastructure framework, and NSFNET established international connections to computing resources by leveraging the Domain Name System and TCP/IP. And there you have it: “The Internet was born!”

However, this network for the sharing of information was built upon a stack of services that lacked one primary foundational capability – Identity Management and Access Controls. Some would say it was intentionally designed to allow for anonymity within the protocols, so identity and security were not to be addressed at the lower layers, but as an application layer service. However, over time, failing to address identity, security and privacy appropriately has created significant technical debt across the OSI framework, which requires additional investments to manage the security of centralized identity and access controls within every organization.

Now let’s fast forward to review the recent changes that have the potential to reduce some of this technical debt while significantly mitigating risks for Identity Theft, Data Privacy and Protected Identifiable Information… Welcome to the world of “Decentralized Identity” and the “Internet Identity Layer”.

Decentralized Identity – What is it?

In the world of human communications, one could argue that this concept of Decentralized Identity actually more accurately reflects the true nature of human and commercial interactions.  Decentralized Identity assumes there will be no central authority to collect and manage the individual attributes of a person or resource.

A good representation of how identity can be decentralized is the use of the wallet or purse we all carry around with us.  When you think of it, if you walk into a business and pay cash for an item, how much personal information was actually exchanged?  Why do digital transactions need to be any different? This is the premise proposed within the Decentralized Identity framework known as “Verifiable Credentials”.  When paying with cash, the currency represents a trusted method of securing the payment for the transaction.  It doesn’t expose any more information than necessary to complete the transaction.

Some may argue that Credit Cards also solve this problem… but do they?  The credit card organizations centralize and aggregate significant amounts of PII and purchasing data with very little knowledge or control by the persons or businesses leveraging the credit card for payment.  To be clear, they don’t need to know what’s in your wallet, because they know what you’ve done with what’s in your wallet, and that information has significant value and influence over your life (just ask Norton LifeLock)!

Trust over IP Foundation 

You may have missed the recent announcement on decentralized digital identity that the Linux Foundation proposed in August of 2019 and published in December of 2019 in the IEEE Communications Standards Magazine. Well, that’s okay… to be honest, most did. However, this led over 300 organizations to join the Trust over IP Foundation in May of 2020 (yes, right in the midst of a pandemic). ToIP has developed something quite different from the OSI model, yet fairly similar. They have created a dual 4-layer stack that addresses both the technical and governance aspects of Decentralized Identity.

Industry Adoption is Already Happening

One early adopter of Decentralized Identity is the credit union coalition known as Bonifii (formerly CULedger). This is significant because credit unions differ from banks in that their membership has ownership in the union. This means they have a different business model than the banks, which affords them the opportunity to let the members benefit from the privacy and security that Decentralized Identification and Verifiable Credentials bring by leveraging the ToIP Foundation’s Technical and Governance Framework.

Benefits:

The ToIP Foundation lists the following foreseeable benefits:

  • Fraud mitigation
  • Streamlined processes
  • Improved User Experience
  • Brand value (Security over Vulnerability)
  • Increased consumer spend
  • Regulatory compliance
  • Reduced infrastructure costs

Every Force has an Equal and Opposite Force

New frameworks and technologies always come with dissenters and barriers to adoption (think Betamax vs. VHS). The battle between Infomediary business models will now be in full swing. Many may recall Novell’s DigitalMe efforts following its entrance into Identity Management during Eric Schmidt’s reign at its helm. That venture didn’t see much adoption, so Mr. Schmidt moved over to Google and created the largest corporate infomediary, one that collects information on behalf of commercial organizations for the organization’s benefit, as opposed to the personal agent infomediary that works on behalf of the individual. The latter is the premise of John Hagel III and Jeffrey Rayport in the article “The Coming Battle for Customer Information” and the book that followed, “Net Worth: Shaping Markets When Customers Make the Rules”, which aligns with the principles that the Sovrin Foundation and others have been promoting for several years now.

Adoption has already started to take root in Customer Identity and Access Management (CIAM), and eventually the use of digital wallets will lead to changes in how employees and employers manage personal information as well. But there are many more mountains to climb, and the benefits have yet to prove themselves before businesses will start to implement on a broad scale.

Conclusion

The internet is about to experience a new revolution of sophistication as Decentralized Identity drives new Digital Identity Management business models in which the centralized IAM/IGA servers no longer hold as much raw identity attribute data as they do now. The shift from collecting specific content to passing verifiable credential tokens will take some time for businesses to get their heads around.

Therefore, the Trust over IP Foundation will definitely have some battles as the revolution to decentralize identity information expands, and I for one in the Identity Management industry would like to see its success. This does shift responsibility and accountability more closely to the individual to maintain their wallets and credentials while relieving the organization of some data privacy and compliance challenges. Those early adopters that truly want their information held privately and securely have already started to join this revolution; others may find themselves waiting for the benefits to mature and be more fully realized. One thing is for sure… it’s no longer just about “What’s in your wallet?”, but “Who knows what’s in your wallet, and what are you allowing to be done with it?”
