Event Recording

Kim Cameron - The Laws of Identity on the Blockchain


Keynote at the European Identity & Cloud Conference 2018

Who probably has been keynote speaker here at least 10 times or so. Something around that, so, oh yeah. Perfect. Hand it over to me, and in exchange I'll hand that over to you. Thanks, Kim. It's your turn: the laws of identity on the blockchain. So I'm really curious what you will tell us today.
Thank you so much. Thank you. Actually, I'm going to talk about the laws of identity and the blockchain, not just on the blockchain, because in my view the laws of identity really explain how the blockchain should be used in identity and, as interestingly, how it shouldn't be used. Now, I'd ask you all to forgive my somewhat allegorical presentation; I couldn't help myself. As I thought about this, I realized that the best way to approach it would be to take us back into a retrospective and then arrive at what we can do and mustn't do out of that.
The internet really was a realm of magic and experiences, but unfortunately it required that every child, woman, and man make a Faustian bargain in order to enter it. Essentially, for the pleasure of all that it provided, they needed to give in exchange their identity, tell about themselves, and allow a profile to be built around them. The point here is that the internet was created without any kind of an identity system. And because it had a missing layer around identity, people had to make it up as they went along. It basically became a real Old West rodeo where you had a patchwork quilt of things that were done, nothing worked together, and all kinds of egregious outcomes could be the result. So back in, as Doc said, 2004, a whole bunch of us who were working on identity and who saw this kind of catastrophe brewing around us started to get together on the internet and on the blogosphere, as we called it, and have this really quite profound discussion.
I think many of you in the room were part of that. And as that went on, I tried to systematize what the discussion was bringing, with the hope that if we could properly understand what would make technology endure, people would be motivated to invest in that, because they would have something that would last and would allow a foundation on which they could prosper over time. And the laws themselves, when you look at them from 2018, many of them seem really self-evident and obvious, sort of a "duh": the user should be in control and have consent; minimal disclosure for constrained use. And yet at the time these were very controversial, because there were many who said, oh no, all we have to do is announce to the user what is about to happen.
And that will be fine. And this minimal disclosure for constrained use, that's so academic; come on, let's get real. Justifiable parties? Well, that's nobody's business but my own, you know. Or directed identity? Well, most people thought it would be best if we all just had a single identity that we used for everything we'd do across the whole marvelous internet, and it could all be linked up. Wouldn't that be a nice outcome? As for operators and technologies, none of them wanted to have anything to do with the others, because they all wanted walled gardens that they could lock you up in and you could never get out. Human integration: by that I meant, you know, most of these systems were unfathomable. People didn't know how they could use them or what they were doing, and so how could you have anything safe? But, I mean, that really wasn't a matter; what one had to do was reduce the number of clicks to the minimum, and so on. So nonetheless, the world seemed a realm of wondrous treasures, and yet, alas, unexpected peril and treachery awaited. You know, we've all seen it, to the point where it's exhausting: phishing, data over-collection, farming, breaches, cookies, sales of data, data churning, user tracking. The point with each of these is to go behind them and say, well, how did they relate to the laws of identity?
So I'll just pick a few, some random ones. And of course there are probably about 10,000 I could have chosen; I picked some recent hot ones in case people forget about the old ones. But if you think about what Snowden told us about all of the things that were going on in terms of collection of data on ordinary citizens, clearly there was no user control and consent. There was no minimal disclosure; the information collections that were being made were far broader than they needed to be in order even to achieve the often illegal purposes that they were employed for. Parties were involved in all kinds of transactions who nobody knew were there, and who the courts later determined should not have been there. And once again, there was no use of directed identities that would reduce the level of linking; everything was done in order to favor linking.
Or we can look at Cambridge Analytica: once again, minimal user control and consent, no minimal disclosure for constrained use. No, let's take everything and give it out to the researchers, because, you know, research is a good idea, right? Justifiable parties? Well, people hadn't agreed to these parties being present, and of course they weren't even parties that complied with the organization's definition of who they could share with for research. And once again, directed identity was missing. By that I mean that you have an identifier that is pairwise, used between two entities, as opposed to something like an email address or a social security number that is shared everywhere. Foreign invaders: well, this was a good one where, you know, the US government, all of the people in the security services and the armed forces, guess what they used as their identifiers? Their social security number.
Wow. That's the same, of course, universal identifier that they use as citizens. So when the hackers, whoever they were, China was accused, actually got all of this information and broke into the military systems, they were able to figure out who everyone was in the rest of the world too, in the rest of their lives. And so the immediate fear was, well, there are now all of these opportunities for blackmail and so on of the security forces. Again, this was a combination of directed identity and so on. So without identity, the laws crumble, and yet I had the feeling that there was nothing stopping this. I remember it; it was bleak. I remember thinking I've really underestimated the asymmetry of power between the user and the websites. And one of the darkest days of my life came when I was with a bunch of leading executives in the industry, and they said, Hey, Kim, the laws of identity, are you kidding? In two years Facebook will be the identity system for the entire world. Everybody else has just lost it and should forget it.
But the crier sounded the alarms; the press really started to pick it all up. You guys have seen these; it went from tens to hundreds to tens of thousands of stories. And the population began to get disturbed, and more and more disturbed, and to understand what was going on. And that led to a series of lawsuits. And of course, once the lawyers started to smell the opportunity to really cash in on this, the lawsuits expanded and built upon the precedents, and there were endless numbers of these things. I won't even pause here, but there was a constant increase in this and the growing implication of federal agencies like the FTC. This one here is particularly interesting, where the FTC really started to understand the implications of linking all of the mobile devices with the home devices and everything else.
So finally, these things around directed identity began to come out, and where all of this really ended up, and this is the pivotal moment for me in the evolution of this, is that the European Union adopted the laws of identity and put them into European law. At least the first four; the remaining three remain to be done. Perhaps we can have that done over the next few years through the type of work we're talking about at this conference. But this was really fantastically important, and equally important was the fact that, although it was a European initiative, it spread far beyond Europe. Because for a large technology company, are you going to bifurcate your offering and your technology, in 2018, when we live in such an interconnected world, and have sort of one technology that you try and sell in one place and another completely different one elsewhere? You can't.
So balance began to flow back into the realm. And really it was a sea change, because with the combination of the fact that there was a legal backing, and the fact that people were realizing the sizes of all of these breaches, combined with really substantial punishments, the question became: is there some way we can reduce our liability? And so I personally have had numerous conversations with people in various corporations of all different kinds about this whole question of how you reduce vulnerability, and whether it is possible to follow some of Doc Searls's laws and turn the tables in terms of knowledge, so that the information is actually maintained by the people. And then, for every person who maintains the information, there is no liability on the organizations that use it.
So the question then is, if we had people, and if the people had, I'm going to call them shields; people have been calling them wallets. You don't need wallets in this world. In this world you need shields in order to protect yourself. And if you had shields that would go along with the castles, we might have some way to do something about it. And what would such a personal shield do? Well, it would prove who you are. It would test who others are. It would keep and protect your personal data. It would give you control over who can see it. And these last two are so important, because those are the things that make this not a pipe dream for the individual but really an advantage for the organization, for any forward-looking corporation or government who wants to reduce their liability and basically get closer to their citizens and their customers.
This shield is exactly what they require. Furthermore, I don't want you to look at it as simply something that is used to keep people away. It also has the intelligence to allow the people you want to get in touch with you to get through it, to create a single messaging queue and a messaging store for people, companies, and things, so that instead of having to go and, like I do, look at 20 different messaging systems, because, you know, WhatsApp and this and that and everything else, I could actually have an app; any of my apps could go and look at them all and show them to me in whatever way they want. So the other thing is to be able to connect and order all your devices throughout your life.
In other words, not have to go through the horror of, say, changing a phone these days, when you have to devote a week to getting the phone back into shape once you've changed, say, the operator and the manufacturer. So this is what I'm calling a shield. Now, how will all of this work? How far away is it? The idea here is that if you go and look at what's being talked about in terms of the blockchain, there is this concept of the identity hub. The identity hub, please look into it; it does everything that is described in my shield. The future consists of websites connecting to the hub and personal apps connecting to the hub, and the hub is the center of decentralized identity and is the center of what we're doing. Note: the hub is not blockchain. The hub is a set of services that run and allow control of private information, encrypted for others, so that it is secure and it is privacy-enhancing. And the way we can do this is by taking this hub and having it adopt OpenID Connect, so that it looks to the enterprise just like any social network. So any enterprise that has software that supports a social network could just as easily support a DID hub. Now
Underneath the hub, underneath the replicas, is where the blockchain lives. And what is it doing there? It's basically managing the life cycle of the hub, so that over time all of your identities... And the other thing I should say about the hub is that it consists of multiple devices and multiple replicas. So it's not a single thing; you can keep it on your phone, on your computers, or in the cloud. There are multiple replicas and they synchronize. And how is that to be managed? And how is that to be kept out of the hands of any single corporation or any government? It's by using the power of the blockchain in order to give out these DIDs, decentralized identifiers. And that layer has no PII, has no intelligence. All it does is point to the services that are above it, and in particular the hub. So my call to action really is to look carefully at this architecture and see how it could actually be done in such a way that is not a radical rupture that causes enterprises to have to drink blockchain Kool-Aid. By integrating with OpenID Connect, it can actually be very incremental, and we can get somewhere with this. Thanks very much.
So, thank you, Kim. Thank you, Martin. The coolest slide deck of the day. I really like that.
I do it all. My,
I think, even while you use different terms than I used in my keynote, I think we are pretty close.
Martin, I wouldn't be terrified to oppose your views.
Oh, no, that would be okay. I like arguing with you, so that wouldn't be the problem, honestly. It can be,
I think your insistence that there be no PII in the blockchain is so important. And what's going on here is really... I mean, for example, there are other uses of the blockchain which are, you know, really super. Yeah. But here we really want to use this as the organizing grid and nothing more. And I think if we do that, what you're concerned about will be met. And I'm really impressed at all the energy that's coming out of this. This DIF is an industry-wide thing, and it's very interesting.
And I think there are so many smart people currently working on the same theme, and that will definitely bring us forward. Let's have a look at the questions, maybe quickly; we have little time. So I think we maybe pick the first question. Short answer to that simple question: is "you are a product" coming to an end with that?
Well, "you are a product" is the perception of others, and, you know, others' perceptions, I can't see them coming to an end. So the big question is, is our perception of ourselves as a product coming to an end? And I hope so. That's all I can say. I hope what we are doing is more authentic than that. And, you know, we are not products. We are people; we're people doing divine things, with souls. Anyway, I'll shut up.
Okay, Kim, thank you again very much for your excellent keynote. A pleasure to have you here, as always. With that, we are very close to.
