IBM is in the forefront of introducing distributed technologies to virtually all areas of our lives, from traceability of food by IBM Food Trust to introduction of decentralized IDs. IBM Trusted Identity promises to bring the power over our identities back to us. Digital Asset Live Editor-in-Chief talks with Dan Gisolfi, IBM Trusted Identity CTO.
Q1: When one talks about identities, the most common fear is for institutions who will control our identities. How can decentralized identities help?
A1: Decentralized identity is extremely disruptive. Today, institutions control our identity, and that model is broken. The entire purpose of decentralized identity is returning control of personal data and identity interactions back to the user. Decentralized identity is based on privacy by design principles, whereby users can be in control of their identity, manage their own identity, maintain the right to be forgotten, and only provide information or share information that they desire, when they desire, and with whom they desire.
Q2: What constitutes a personal identity today? While in the EU the GDPR defines borders of ‘personal’, where do borders to one’s identity lie, in your view? Is consumer behaviour part of identity, for example?
A2: New and emerging global regulation such as GDPR and CCPA all define “personal data” differently. All entities – people, places and things – have both physical and non-physical attributes that form the corpus of their personal identity. In our view, there are no borders anymore, each of our relationships is increasingly peer-to-peer (whether that’s consumer-to-consumer, consumer-to-business, business-to-consumer, or business-to-business) and are framed by a variety of different identity interactions. Each interaction is framed by a proof request and a proof response. The data necessary for these interactions are typically defined by business policy.
Most regulations treat any information held by institutions that is about an entity or derived from entity behaviors as a form of personal data. However, what constitutes commercial data is open to geo-specific legal interpretation.
Q3: Let’s take social networks, most modern ones live off sharing our identities with advertisers. How would your envision application of your technology in a decentralized social network?
A3: I’ll respond to that question with another question: How would you define a decentralized social network? I think the jury is still out on what that would even look like. In general, what our core technology provides is a way for all stakeholders (issuers, holders, verifiers) in a given ecosystem to perform identity interactions in a secure, trusted way.
For our enterprise customers, this means helping them provide privacy aware experiences to their users. For identity holders, that is, our customers’ clients, it means providing a simple way to share and prove their reputation so that they can enjoy a safe digital lifestyle which protects their identity.
Q4: IBM is a heavy weight in decentralized identities. You are the CTO for Trusted Identity at IBM, before you worked on IBM Mobile Identity. If an outsider to distributed ledger technologies asked you to tell about these initiatives, how would you elaborate on them?
A4: My elevator speech always starts with taking out my phone – which I always have on me – and my wallet, which I’m far less likely to be carrying. I then ask whoever I’m with, “why can’t I board a plane with a digital driver’s license just like I can with my digital ticket? If I get pulled over, why shouldn’t I be able to provide my insurance information, my registration, my drivers’ license, and all the other information I may need using my phone? And if I’m just in a bar, why do I have to provide all my personal information to the bouncer as opposed to just my picture and the fact I’m 21? Why should the means of proving my identity in physical interactions differ from those online?”
These are just a few examples of the problem at hand. At the end of the day, all individuals want to be able to interact with all possible identity challenges in a calm, seamless, and secure manner without sharing more private information than they have to. Most importantly, this must be true both online, and in physical, offline interactions.
Q5: For years, we have believed that a combination of capital and small letters with numbers and special characters constitute a strong password. Modern hackers turned us to as long passwords as possible. How will decentralized IDs help to prevent unauthorised access to our bank accounts?
A5: Authentication and authorization to online accounts like a bank starts by proving that I actually own the device that I’m holding, proving that that device was registered with my bank, and proving that the credentials stored on the device have granted me authorization to use the services of the bank. Decentralized identity, specifically verifiable credentials, is just one aspect of this solution. The combination of strong tokens, biometrics, and other identity access management technologies form the rest of the solution.
Q6: What is a self-sovereign identity in the context DLTs. Give us an example.
A6: Why use blockchain to manage identity? We talk about it at length here, but the abbreviated version is that IBM uses decentralized identity and self-sovereign identity interchangeably because the phrase self-sovereign is not culturally acceptable in all geographies where we do business. The purpose of DLTs with respect to decentralized identity is to establish a web of trust rooted in the exchange of public keys in an immutable manner.
Put more simply, blockchain provides a secure key exchange that enables the exchange of digital credentials at a higher level. IBM’s point of view is that blockchain is an enabling technology for decentralized identity, and the true focus of the industry should be on building an open stack of technology called Trust over IP (ToIP). (You can see a description and diagram of how IBM looks at ToIP here)
Q7: How will your work change our everyday lives in the near and more distant future?
A7: To return to our central theme, decentralized identity is a matter of placing the individual in control of their identity in all matters of identity interaction. For it to be operable, decentralized identity needs to be seamless, it needs to be mobile and it needs to be convenient. Ease-of-use is expected. Fortunately, we have the technology that can provide this. The problem is finding someone who is willing to step forward and spend what’s necessary to develop the infrastructure. Thus, our dilemma.