We should be able to “tap and prove” any important facts and figures about ourselves – as easily as we tap and pay with a mobile phone at any one of 100s of millions or terminals globally.
I mean exactly as easily. With the same security, privacy and speed. With the very same gadgets.
We should be able to move verified copies of our personal information around the data economy as safely as we move our money.
Look at the innovation in mobile credentials. With our phones now we can carry and present secure copies (tokens) of payment accounts, boarding passes and even virtual hotel room keys.
In digital life and work, on a daily basis, we need to show things about ourselves – usually discrete pieces of official data, each with its own context. These details often come with special metadata that proves the origin of the data, the validity dates, jurisdiction and so on. More subtly, there can be additional signals about how the data was carried, plus signature codes to prove how the data was presented.
Smart credit cards are surely the exemplary way to digitally present critical facts & figures.
The primary account number (PAN) in a smart credit card is held in a certificate signed by the issuing bank. That certificate also specifies a key pair of the customer, where the private key is held in the smartcard chip. Every time the smartcard is used for a purchase and presented in a terminal, the chip creates a fresh signature on the transaction data, which among other things serves to prove that the legitimate card holder was in control of the purchase (because the signature is provably unique to the private key in the chip, and the chip can only be activated by presenting the correct PIN, the signature proves that the cardholder was in control at the time of the transaction).
Exactly the same cryptographic techniques are used inside a smart phone wallet holding virtal credit cards. Smart phone chips have a “card emulation mode” which enable them to mimic smart credit cards. In fact most smart phones can also emulate smartcard readers, which makes it possible, through a software app, for phones to act as digital payment terminals.
Credit cards have steadily evolved since the 1950s, from cardboard through magnetic stripe to chip and now smart phones and watches. Personally, I have had a credit card account with the same bank since the 1990s, and have seen first hand this evolution. My user experience of the very same account number has got better and better (while my customer agreement has stayed the same throughout).
Now we should extend this powerful data protection infostructure from credit cards to other forms of personal data. Consider the fact that the global credit card networks only exist in order to prove the truth of a certain piece of data (a 16 digit number) presented by customers to merchants anywhere in the world.
We could leverage the processing schemes, terminals, smart devices, standardised contracts and fee arrangements for verifying any facts and figures we routinely need to prove about ourselves: licences, qualifications, memberships, school grades, age, official government IDs, health identifiers, medical results, vaccination records and so on.
State governments in Australia are well advanced in digitising all manner of citizen credentials so they can be conveyed peer-to-peer from mobile phones. The user experience is evolving from QR codes through to instantaneous radiofrequency interfaces (of exactly the same type used in mobile phone payment wallets). And this digitisation is taking place without changing any of the meaning or the rules around the credentials. There’s no fuss, and there’s little or no complication around “identity”. The mission is simple: progressively digitise all the facts we need to know and show.
Simple data wallets are leaving federated identity for dead. While digital services have developed ever more rapidly, digital identity – which was supposed to be the essential underpinning – has stagnated.
We made digital identity too hard by solving for the wrong problem. Personal human identity is always going to be rich, relative, subjective and analogue. On the other hand, the things we really need to know about people in the digital domain are really quite simple. And they boil down to quality data.
We know how to solve for data reliability, by blending cryptography with established governance.
That’s the guts of the credit card evolution! We’ve gone watermarked pieces of cardboard in leather wallets to digitally signed verifiable credentials in mobile phone wallets. Each generation of data carriers carry exactly the same core data, but over time come with ever more sophisticated metadata, built in to prove that the core facts & figures are true.
The digital identity industry has arrived at cryptographically Verifiable Credentials. This technology can be married to existing rules frameworks to create infostructure for to verify any data anywhere across cyberspace and the digital economy. We’ve done it for credit cards; now let’s do it for data.
This blog is an update to my Identiverse 2021 conference speech Why Isn’t Identity Easy?