The MoneyPot

Exploring the Future of Digital Security: Aravind Narayan on Reusable Digital IDs and Blockchain at Money 2020

Rachel Morrissey, Sheryl Chen, Ian Horne, Micky Tesfaye

What if your digital identity could be as secure and under your control as your physical ID? Join us on The MoneyPot as we explore the cutting-edge world of reusable digital IDs with our esteemed guest, Aravind Narayan from the London Stock Exchange. We'll transport you back to the early days of the internet, tracing the evolution of digital identity verification from the wild west of passwords to the more sophisticated federated identities supported by tech giants like Google and Facebook. Aravind introduces the game-changing idea of reusable digital IDs, where user-controlled wallets that leverage selective disclosure and decentralization could revolutionize security and privacy. We also delve into the fascinating concept of verifiable credentials, which use blockchain technology to compile your digital claims—such as educational and employment history—into a secure, easily manageable identity.

But that's not all! We tackle the regional complexities of digital identity systems, comparing centralized models like India's Aadhaar with the privacy-centric approaches seen in Europe. Our conversation explores the cultural and governmental barriers to digital ID adoption in the UK, shedding light on the evolving role of governments and the implications these technologies might have on personal privacy and state power. Wrapping up on a lighter note, we discuss the whimsical idea of household robots taking over mundane chores, such as doing the dishes, and reflecting on the unsettling nature of certain TV shows. Don't forget to stay connected with us on your preferred podcast platforms, LinkedIn, and the Money 2020 website for more insightful discussions and updates.


Rachel Morrissey:

This is Ascential Audio. Welcome to the Money Pot. I am Rachel Morrissey. I am one of the hosts of the Money 20/20 podcast, the Money Pot. We are here at the Amsterdam show and it is stunning. It is so beautiful, if I do say so myself. I know I work for Money 20/20, but I don't get to plan all of this stuff. I get to look at it at all and it's amazing.

Micky Tesfaye:

So I am here with my co-host, Mickey Tesfaye. Hello, Rachel, and you are absolutely right, it looks beautiful. We've got trees, we've got the Money Pot. We do.

Rachel Morrissey:

We have the money pie. It's amazing. We also are here with a guest. We've got Aravind, is that how you say it?

Aravind Narayan:

Yes, that's right. Oh, thank goodness. Why don't you

Rachel Morrissey:

tell me your last name, so I don't butcher it. Narayan. Narayan, Aravind Narayan, and he is here with the London Stock Exchange and we're going to be talking about reusable digital IDs, right? So let's dig into that. Mickey, why don't you begin? You can drive this.

Micky Tesfaye:

Sure, let's just start at the top. First of all, how are you doing, Aravind?

Aravind Narayan:

Very, very good. You're absolutely right. I can say this is buzzing, as always, just like last year, even better.

Micky Tesfaye:

Awesome, that's what we like to hear. Tell us a little bit about reusable IDs.

Aravind Narayan:

Yeah, I'll just do a bit of a trip down the memory lane, nice, probably starting from cassettes and VHS and all that stuff.

Rachel Morrissey:

Oh my goodness, okay, we're going to go back. I'm going to almost feel un-old.

Aravind Narayan:

Okay, go ahead. Right. So back in the 80s, when a bunch of cybersecurity scientists started to build for a defense project, they built a network that can connect and talk to different machines, and that was called ARPANET before internet. And the idea was how can Mickey's laptop talk to Av's iPhone? Or, okay, forget iPhones, but laptops.

Rachel Morrissey:

Their computer.

Aravind Narayan:

Yeah, two systems talk to each other. But what it didn't do at the time was it didn't actually identify if it was Mickey operating that laptop.

Aravind Narayan:

So, there was never an identity layer built into this when internet was built and that just got carried forward, so it was all the way through without an identity layer. It was just a TCP/IP-type protocol that allowed systems to talk to each other. Great. But now fast forward. We have come to a stage where an average business user probably pre or post-pandemic holds about roughly 200 passwords and about 150 apps on their smartphones.

Rachel Morrissey:

I know Google likes to tell me I have 136 matching passwords.

Aravind Narayan:

There you go. That's because I can't memorize 136 different things, exactly.

Aravind Narayan:

So the passwords, obviously all these internet service providers and all of them start to put identity, like stitch up identities on top of these and start to give you like a one. So it started, let's say, with one-to-one password which is like Mickey's Facebook has a password. Mickey's Google has a password. So every website in your world had a password. Then Google, Facebook, all of them came along and they're like, let's do some federated identity, which we now go to any websites like, do you want to use your Facebook login?

Micky Tesfaye:

Game changer. That was a game changer, let's be honest. However, for fraudsters, too, that was a game changer. Yeah, exactly, they were like, yes, yes, enjoy this, Mickey.

Aravind Narayan:

Exactly. So 2022, I think, Facebook was hacked. About 850 million user details were stolen. LinkedIn was hacked. Again, I was part of the LinkedIn hack back in 2011.

Rachel Morrissey:

You were hacked.

Aravind Narayan:

You were not part of the hacking team.

Micky Tesfaye:

Please, no complaints here. Okay, that's correct, yeah.

Aravind Narayan:

So then there was we are still in that era where it's federated. People still use Google and Facebook and LinkedIn and the rest, Apple IDs, to log into devices and websites. Now the future, which is the reusable identity that we are talking about, is the world where I will have an identity wallet on his phone and he'll only allow certain websites to log in that he thinks is allowed to actually see my information. Okay, so it becomes selective disclosure. It becomes, uh, fully giving the user back the control. So there's no hacks. If you were to hack that in a decentralized manner, you have to hack millions of smartphones.

Micky Tesfaye:

Okay, maybe can I just stop you there for a second, because I guess, broadly, we started talking about reusable identity and then are you talking about a very specific type of technology layer for this? I'm guessing it's a blockchain-based solution, perhaps.

Aravind Narayan:

Yeah. So I'll just tell you when we dive into reusable ID. Before you go into what the reusable ID is, I'll just dilute that a little bit. We want to talk about what verifiable credentials are. Now, to know what verifiable credentials are, you want to know what a decentralized or digital ID is. So let's take an example. I graduated, after my MBA, from Bradford School of Management and all I have is a paper certificate that says I graduated my MBA, nothing else. Now convert that into a digital credential and put that into a ledger and then call that as a claim to say I've graduated his MBA from this university. So that's a claim. Now imagine a number of such claims together which says like I work for London Stock Exchange, I graduated MBA from Bradford and all of these things bring it together and that becomes unique, because you're the only one that would have those combinations, and that becomes a verifiable credential.

Aravind Narayan:

So the universities, the companies you work for, et cetera, send you that claim to say, yeah, he's right, he's actually claiming this and, yes, he's correct. So that becomes a verifiable set of credentials. Now put all those credentials together and that becomes a reusable identity. Now, where do they sit? They sit in your wallet, like how you have your physical wallet. It actually sits in your digital wallet, which is why we say we need to have a decentralized way of doing it, because unless you have a very good technology like blockchain governing all this, there's a good chance of honeypot, centralized attacks and, like the Facebooks, like the Aadhaar in India, et cetera, breaches always are going to happen if it's not decentralized.

Rachel Morrissey:

Right. Here's something that I'm curious about. So if you're looking at digital identities, there's a few places that have issued digital identities and, for various reasons, right. One of the cases that I find pretty inspirational and pretty interesting is the case where India did the

Rachel Morrissey:

Aadhaar, Aadhaar ID, and I'm curious about that, because a lot of that was also sort of reversed, right. It was a little bit of like where people didn't actually have a digital presence at all and they needed one because the country was about to go as cashless as it could. It was trying to really limit and therefore it needed to enable people to have a digital presence when they didn't have any kind of digital presence at all.

Rachel Morrissey:

So what do you think about the nature of that? How does that work? How would that work in the Western world? We've got oh, you've got 5 million passwords. You definitely have a digital presence. You might have too much digital presence. We're going to steal part of it or all of it or some of it. And then how does that work in this?

Aravind Narayan:

area.

Rachel Morrissey:

What do you take from their system or their lesson that we could apply over here?

Aravind Narayan:

Yeah, no, that's a very good question, Rachel. So I think the main thing is Aadhaar is fantastic the way it was rolled out, in the sense that it was top-down and it was just like one day to next you're going to be cashless and you've got to have this one digital ID scheme that will drive every transaction around, everything you do in your daily life. The only challenge is that the privacy aspect of it didn't really like, if you think about it, essentially makes India almost like a surveillance state, because you start to like I mean government can say it's centralized again. Yeah, so one, it's prone to hacks and I think two years after it was rolled out, I think about a couple of million Aadhaar IDs were stolen as part of a hack.

Rachel Morrissey:

Woohoo.

Aravind Narayan:

Yeah, exactly. So, from a lessons learned perspective, that is definitely one thing that Europe took when they redrafted the eIDAS, which is the new regulation they're rolling out now, which basically said, oh, hold on, if we centralize it, we're going to face the exact same problem as what India faced. And secondly, government can pretty much see everything. They do. Everything, like I'm using Aadhaar card to get a mobile phone, to get this, get that, every transaction, my, my salary, my tax, everything and my entire journey. So that to me was not the appropriate way of doing it. Uh, because again you're starting to become the privacy has gone out of the door. So Europe again kind of looked at it and said, okay, in that case, again, this is still a regulation. We don't know how the 27 states are going to implement it, but the general guidelines is around. Okay, you take this legislation and what we're going to say is you want to apply a privacy by design principle on top of this, in the sense that we will never track anything you do, because everything is going to sit in your wallet. And you've got that.

Aravind Narayan:

What I said earlier, selective disclosure. So, if, I don't know, you're going to a car leasing company and you're going to say, hey, I would like to hire a car. Oh, show me your driver's license. Why? Because I want to know if you're eligible to drive and if you're over 18. Okay, I'll show you enough information. I don't need to show you my address. I don't need to show you my face. I just need to show you that I am, let's say, in the UK, it's DVLA. I'm going to show you that I've got a valid driver's license that is DVLA certified, which will show almost like a trust mark against my name to say, yeah, I am DVLA certified and I'm over 18 to drive. That's enough. I don't need to give you my address.

Micky Tesfaye:

I don't need to give you any of my details, so that, to me, is a big step in the right direction. Um, that's not. This whole story around digital identity is fascinating for me because I feel like since I've started working in fintech, it's been just like a very big question and there are just some interesting, like regional differences that I'm not even sure how they occur, right, like.

Micky Tesfaye:

I think we talked about India being fascinating, yeah, I think the Nordics are particularly fascinating, yeah, and the country we're in right now, the Netherlands, is particularly fascinating because, within the context of the UK, for instance, these countries' private sector has solved some of it a long time ago, not necessarily to the degree and the dynamism that you're talking about.

Micky Tesfaye:

With regards to, I think the kind of digital ID you're talking about is maybe not even the type where you have to prove you are 18 by showing that you're 18. But it's more like the way that the information comes up is absolutely right. You're, yeah, you're not even giving information about yourself. It's just saying this part is, it's all right, you don't need to know what's in there, but for the purposes of this service or whatever, you're good, right, like if someone is buying alcohol from Amazon they wouldn't know the age, now you know that you're over 18.

Micky Tesfaye:

Yeah, yeah, yeah, right, so that's more advanced than what's maybe available with iDEAL in the Netherlands or Scandinavian countries.

Micky Tesfaye:

But I guess my question, in a roundabout way, is these other markets have made significant progress that makes it even culturally much more likely for digital identity solutions that are over the whole country or region to occur. What I remember growing up in the UK back when the last Labour government was in power and I was young, I was not, yeah, like working or whatever. I remember the conversation about digital identity, yeah, digital ID cards being introduced in the country and everyone was like, no, this is government overstepping, the point you're talking about, right. So I wonder, why does that gap exist where the private sector is not doing much in the UK, other markets, the government's obviously, even if it wanted to do it, that barrier to adoption is significant.

Micky Tesfaye:

And we've seen it with digital services in the UK actually, where the government has been not great at trying to.

Rachel Morrissey:

Well, and there's always this trick, because traditionally, governments have been the ones to issue an ID that would be considered legitimate right Driver's certificates, driver's licenses. In New York City, you can get just a registered license, since you're a citizen of the city.

Aravind Narayan:

Yeah.

Rachel Morrissey:

And so it has been part of the role of government.

Aravind Narayan:

That's right.

Rachel Morrissey:

But having this new power, right, that there's no way to kind of guide. You know, I mean if anybody, I mean like in the U.S., if anybody's learning the lesson of having to work on trusting the intentions of the people running the system, where we're learning that lesson pretty tough right now and, um, and I think about this like I never. In reality, I never really worried about government overstepping in my own life.

Micky Tesfaye:

Like I never.

Aravind Narayan:

I understood it.

Rachel Morrissey:

I understood it philosophically, I thought about it, but I didn't think about it like personally. But now, now that I understand what is possible. Talk about government, you know. You talk about a digital ID, you talk about programmable money, you talk about some of these other and you're like, okay, well, now we're getting into a realm where there is a real sense of personal infraction.

Rachel Morrissey:

And, like I said, I never really I mean governments. You know, not all governments can be trusted, but even when a government can be trusted, like that's a lot of personal infraction that we never had to think about before this kind of power existed.

Aravind Narayan:

Yeah, no, absolutely I think. If you think about this in the spectrum of, like the sort of tripods which is like there's an issuer, there's a holder, there's a verifier, that's pretty much it in the ecosystem, right.

Aravind Narayan:

But what we didn't have in the past, which we're now starting to look at, is a sort of a trust layer in the middle, which is completely sort of decentralized, in a way that the issuer never gets to see what the holder is using that issued credential for.

Aravind Narayan:

You can't track back all of my activities anymore, so the issuer could even be a government issuing a driver's license, but they will never get to see what I'm using it for, because what happens is like user. That's where the smartphone adoption becomes a big thing, because smartphone comes with fantastic features such as, like the secure enclave where you store the private keys and all of that stuff. So what happens is government just get to put their sort of verifying credentials in a public blockchain and you are the one who are kind of using a private key to authenticate, so they never get to see what the usage is. And the same thing applies for the verifier. A verifier, let's say a pub. You walk in, you show your identity, they just ask you a question, but they never get to see anything else, so there is no revelation.

Micky Tesfaye:

It's like a yes to a no, but it's not the detailed stuff.

Aravind Narayan:

Exactly so, I think else. So there is no, um, yes, revelation. Yeah, it's not the detailed, exactly, so there's a. I think that gives me a lot more promise, and now, if you go across the pond to the United States, I think there's still. I mean, eid has stood, or was like a big leap forward, like everybody never thought like Europe would just jump ahead so quickly until that point, I think. I think in the US, it was mobile driver's license, which is now becoming a thing. The only challenge with that, though, is that it still doesn't stop you from, it still doesn't let you do selective disclosure, so you have to show everything. It is just in a digital format.

Rachel Morrissey:

Right, that's pretty much it so we only have time for one more yeah, question, I think I have this. So my background. Yeah, I did a. I did a thesis on in my media studies yes, okay, so there you go and um part of what I was talking about was the nature of us incorporating technology into our body and incorporating the body into technology.

Rachel Morrissey:

Like I have this thesis my thesis was all about the nature of. We do not invent unoccupied space and physical. We do not. So the internet particularly when I wrote it like this is 2014, everybody. But I was writing about how the fact, if you were going to create a space called the internet, and we were going to call it a space, a places and all of these things and have communities that physically we were going to occupy this space in some way.

Rachel Morrissey:

And that, in doing so, we were going to incorporate it into our physicality. So, legally, if we're thinking about the adoption of the smartphone and we're thinking about only revealing certain things and having that, smartphone be kind of the keeper. Would we have to think of privacy and that smartphone as a part of our corpus? Absolutely and something that means that we can't like in American vernacular, we don't have to testify against ourselves. That means the smartphone would be part of us and not something you can go break into.

Aravind Narayan:

That's right.

Rachel Morrissey:

So can't testify against us, Isn't that? I mean, that's sort of an interesting. It is Kind of stretches that a little bit.

Aravind Narayan:

Yeah, yeah, no, absolutely.

Rachel Morrissey:

I know, that's really heady, sorry.

Aravind Narayan:

No, no, no, no, I mean it's good. Yeah, think of that. It is true, it is an interesting one. Until your device gets stolen it's a totally different story, but I think, if you look at the different ways to approach this, it's got like your bank. I mean, who do you trust right today? Do you trust your government? Do you trust your bank? Do you trust your smartphone provider, do you trust your telco provider, or do you trust a private wallet provider? I mean, it's a big question.

Aravind Narayan:

It's a big question and this is where this ecosystem probably next year, if we are sitting here, I would probably be talking about guess what? We have now 600 different wallets around the world and we are in a position where we don't know what to choose. And it could very well, it can happen, all right, and which is why we say in this world it's like from Flintstones to Jetsons, you know, from Stone Age to flying cars. It's a marathon and it's not a sprint, and I think laying that right foundation would probably get us there. But I think going forward, a smartphone adoption will be the main driver behind this, and Apple will definitely lead the way, um, and Google. Um, I, I know Rachel said she had one more question, but I have.

Micky Tesfaye:

I do want to ask one more, one more if you would. Yeah, absolutely. I guess I, like, I don't know, in terms of the way that this is gonna evolve, right. It sounds like to me there's an interesting set of challenges on every side that have to be resolved, right, like. You touched on a really important one that we probably already started to see, which is fragmentation of identity solutions, so they end up causing the same issue, right, we're going to go back to the multiple password issue, right.

Micky Tesfaye:

Then, on the other hand, one of the things we see, even in the last 20, 30 years, right, growing distrust in institutions like governments and whatnot. So governments, probably, the more that they do that, the greater their risk, right? So we've got these two issues already. The other thing is, in a weird and roundabout way, like banks have become one of the most trusted institutions over the last 20 years, right.

Aravind Narayan:

So now we've got another potential Until Santanto was hacked about, I think, a couple of days ago. Okay, so you're way ahead. Hey, hey, I've been on site. Okay, I've been on site.

Micky Tesfaye:

I can't be looking at it. So now it seems like there are three kind of again these layers, right. So I wonder, is part of the problem not that we're so focused on trying to find this perfect solution? Would there not be a better way forward, for instance, for private banks to come together and say, hey, look, at the end of the day, the more we compete against each other, one we're going to be, we're never going to take on the big technology players because I mean, they've got how much to blow on all of these things?

Micky Tesfaye:

yeah, and then, two, it gets more cannibalized and then you end up with the same situation.

Aravind Narayan:

Absolutely so. This is interesting because one of the things that when EU Commission rolled out the regulation and in the UK for the digital ID trust framework, the common theme was we need to have common protocols and standards. So as long as you have W3C verifiable credential standard, with FIDO2 encryption and JSON Web Tokens, etc., there's a lot of tech jargons in there, but if you have sort of a clear layer that actually is across the wallet and it's standardized and governments around the world approve with their trust mark to say, use that wallet, that wallet, not that one, I think even if you have, let's say, six different wallets in your phone, if they are interoperable, keyword here, it makes a big, big difference across. And again, that's what EU is trying to do, because when they launched the first EID scheme back in the day, bank IDs, itsme, all of that stuff, the only challenge was it's working in a certain country. You go outside the country, that government doesn't know who you are. So all that data you furnished in Belgium means nothing for France.

Aravind Narayan:

So, that is what we are trying to build bridge the gap. And you can only do it by saying common protocol, standards across the globe and have the same security layer so we trust every wallet equally and government certifies it. That's probably the way forward.

Rachel Morrissey:

It has to be.

Aravind Narayan:

Yeah. But that sounds like a long road. It is a long road, but, as I said, you know, we are not in the Jetsons era yet, so we're slowly getting there.

Rachel Morrissey:

I want a robot to do my dishes.

Aravind Narayan:

Have you watched Human Humane? Oh yeah, that's scary.

Micky Tesfaye:

There you go. I don't want to be scared. I'm not going to tell you about this.

Rachel Morrissey:

So that's all we've got time for. I just want to thank you so much for joining us today in the Money Pot.

Rachel Morrissey:

And, uh, Mickey, like always, I love having you here with me. Thank you. Anyway, so, uh, thank you to all of our listeners and just know that you guys can always find us on any place that you listen to your podcasts, and you can find us on the Money 2020 website. So go find us and dig out all of this extra information. We'll be putting on ar information. Well, where you can find it? On LinkedIn?

Micky Tesfaye:

Not fully identifiable. Yeah, that's right.

Rachel Morrissey:

And thank you, and we love our fintech nerds.
