Event Recording

How organizations can make and save money with decentralized identity


In this talk John will present one way of modelling the potential value propositions for the parties (people and organisations) in decentralised identity models. Using real world examples of products and systems, he’ll use the model to consider their value propositions, and whether we need a “value exchange” ecosystem to enable the decentralised identity market to thrive. 

Along the way the talk will consider the risk of false prophets and fake profits, where the residual value will remain, as well as why (in John’s opinion) decentralised identity is following the story arc of “gradually, then suddenly” (E. Hemingway, The Sun Also Rises).

Right. So our next speaker for the day is dialing in all the way from Australia. And he'll be talking about how organizations can save, can make and save money with decentralized identities. So please join me in welcoming John Phillips, who is the co-founder of CZU. John, welcome to EIC.
Thank you very much. I wish I was there in person again this year. Next year, I promise you, I'll be there.
Right? We'll never forget this. Yeah. We hope to see you next year at EIC, for sure. Brilliant. So your talk will touch upon making and saving money with decentralized identity. Now, the concept has pretty much been associated with, you know, privacy and the individual, with less focus on the business case versus so what can we perhaps expect to hear from your presentation today?
Well, I guess I'm expanding on some work we saw a few years ago around, how would you explain this whole new technology to businesses in a way that makes sense, so that they might do something and therefore get some economic value for themselves and for their customers. And more recently, we've actually been working with one of the largest state governments in Australia on a business case for their implementation of decentralized identity and verifiable credentials. So we've got some real ground truth kind of experience about the thinking that's going in. And some of that I'm gonna be sharing today, around how we might consider the business value and the sort of economic social value for these things.
Brilliant. The stage is yours, John.
Thank you very much, Raj. Always a pleasure. Okay. So that's the talk for today. I've actually slightly tweaked it already before we even start. I have about 450 slides, as is my habit. That's not true. I've actually taken at least 15 out. I actually really wanna talk a little bit more about trust models in a broad sense, as well as identity. So it's not just, to me, about digital identity. It's gonna be around the idea of trusted data and information. The basic sort of idea is to, I guess, share with you some of the learnings we've had over the last few months, really, and in fact prior to that, and also share a few personal views around some of the business models that we've seen, those that I think might succeed, those that I think possibly won't succeed. Now, this is a piece of research I first saw in 2018.
And I don't know if it's had a wide circulation, but RMIT University in Australia did some analysis of the employment roles for people in the US based on sort of publicly available data, looking at all of the various roles and positions people have in organizations, and did a kind of calculation about how many of those roles are to do with ensuring trust in the way the business either does its own work or does work with other businesses. And their assessment was about a third of the jobs, of all jobs. A third of them are to do with ensuring trust. Now, if we could have an automatic way of ensuring at least some of that, or maybe even all of that trust, a third of the jobs of people currently employed might be better placed doing something else, creating new value and other things.
That's a very big number, and I encourage you, these slides will be available, you can look up that link and maybe read the paper. It's a very interesting way of thinking about the opportunity here, and it's somewhat different to the way people look at the opportunity when they look at things like the market value for digital identity. These four quotes I pulled up in the last week or so, so they're very current. They're all predicting a very significant compound annual growth rate. Great stuff. This is gonna be a big business, but in a sense, I think that the 50 billion US dollars in the next five years is an underestimate. And the reason I think it's an underestimate is that they're not really thinking about the whole economy that they're actually enabling. So the simple analogy I'm using on the slide here is the idea of transport, you know, either take trains or take ships, but let's think of them in terms of measuring the value of that sector by measuring the value of the new ships you've sold, as opposed to the volume of containers and the value of the contents of those containers that they ship globally.
So what I'm basically pointing out is that the tools that we sell to enable verifiable credentials, decentralized identity, they're wonderful, and the people who produce them should be appropriately rewarded, and they should be very happy, but they're nothing like the value of the total economic gain that this stuff represents. So it's not just about tool vendors, it's not just about share market value of companies that are producing this software. It's about the whole thing.
Now, there's a very interesting sort of problem we get into when we look at decentralized trust. And I guess I'm gonna lean on a bit of a sort of way of thinking about the model that is probably gonna be quite familiar to you when you see the next slide, but it looks at things like who's issuing the original data; who the holder is, the citizen, the customer, sometimes maybe an organization; who the verifying party or relying party is. And then this idea that our show cryptographically is a governance framework. So kind of who do they all look to for a reassurance that there are rules and regulations and punishments and so on, should people do their own thing and qualities and so on. So I'm gonna use that sort of model to look at the way the market works.
Then look at the way I think some of the business models might work. So that gives us this sort of framework. If you are familiar with the work of people like the Trust over IP body of work, and others, you'll know that they often draw the governance framework as a sort of another shape below that triangle. So it looks like a diamond, the trust diamond. I've drawn it in the middle for reasons that I believe work for me, in the sense that I'd like to think of the way that the parties all interact with the governance framework. So that means the holder and the verifier and the issuer are all interacting one way or another. We look at those ways. So this gives us, if you're into sort of the node-arc stuff, six arcs and four nodes to play with.
And we can look at how each of those currently work. Now, the first ones, one, two, and three, I've numbered them on this chart. They're pretty standard. So you can imagine ways that a holder might charge, sorry, an issuer might charge a holder to receive a credential. Think of the way when you get a driving license, you pay for a driving license. When you go through a degree process, unless you're in a country which remarkably still gives a free university education, you pay for your degree and so on. So you pay for the rights to have, or to gain, the license or the credential or the diploma or the visa or the passport, whatever that you hold. Similarly, there's a natural economic exchange between a holder and a verifier. There's a reason that the holder is approaching the verifier saying, I want to have access to a product or a service.
There is a fee to be paid, no doubt, somewhere or other, by the holder to the verifier; the verifier needs to check and stuff. So that's really well known. That's a standard economic exchange between two parties. The third one is one that's, again, fairly familiar. It's how do issuers get recognized to be a due and proper kind of holder or issuer of these things? Who says a bank is a bank? Who says a university is a university? Who says an energy company is an energy company? Well, there's usually a framework, a governance framework, a number of criteria to meet and licensing conditions and so on. So those three, very familiar, not really any change for the decentralized model. The fourth one, the one that I believe, number four, for the verifier, the governance framework, that can be a little bit different in a decentralized model.
'Cause now we have opportunities that the verifier might get licensed and listed as a verifier. So they might have a role to play that is recognized by government. They're checked and they're audited and they're compliant to conditions, and so on. And again, there might be fees, and in a decentralized model that could be really useful in the sense of creating a list of recognized verifiers. So the holder, the customer or the citizen, can be sure that the organization approaching them and asking for some proof of something is a due and proper organization, that they can actually trust the organization because they've been recognized by a governance framework that they themselves recognize. It's a way of kind of ensuring a recognizable trust framework between those three parties. And there might be therefore a fee to pay by the verifying or relying party to the governance framework.
The fifth one is an interesting one, and it took me a while to think about how they might work. It's an indirect one in some ways, but if we are living in countries where we pay taxes and those taxes enable the government to provide a safety for its citizens and a framework of laws and governance and so on, then that's effectively a fee. We are paying for a governance framework. We are paying an amount of money which indirectly creates the opportunity for our governments and other bodies to create governance frameworks. So that's, again, I think, understandable. The sixth one is the one that really kind of scratches your head if you're into decentralized identity and decentralized trust, because the privacy promise is that when a holder presents something to a verifying agent or to a relying party, no one else needs to know about that conversation. That is only between the two parties, between the holder and the verifier, and the verifier can check all these wonderful things cryptographically about who issued this thing.
And who is it given to? Has it been changed? Has it been revoked? All this wonderful cryptographic proof, and they can do so without actually contacting the issuer, which means the issuer doesn't know that this is going on, which is appropriate in a privacy related context. But then how on earth do you create a model where the issuer gets some sort of reward for things that are actually economically valuable to the verifier? Like, effectively they're reducing the risk for the verifier, or they're enabling a transaction to take place that otherwise wouldn't take place. So there are various ideas about how you can create new business frameworks that enable that kind of value exchange to be recognized without breaking that privacy promise that we want to achieve with a decentralized model. So I gave one example on here on check. There are other ways of thinking about that particular problem, but it's the interesting challenge for a decentralized model.
So if we consider those sort of approaches, what happens to a traditional trusted third party model, or with third parties as put on this slide? The basic promise of a decentralized model is to decentralize. So we reduce the number of central parties, of third parties, of third wheels, of something in between the two originating actors in this place. So there are reasons where you might have a third party at the moment. They can do things like fill gaps in our knowledge where we don't know: if we are familiar with universities in one world, we may not be familiar with universities in another part of the world. If we are unsure that the information we've received is valid, perhaps we want to have some insurance against it being invalid. If we don't know enough about the candidate, except for what they've told us, perhaps we need to ask them other questions that can't be answered directly by the candidate.
And so on. The last one might be to observe or notarize a transaction. So there are reasons why you might need a third party, but some of those examples are kind of current. So we've got people who would offer KYC, know your customer, anti-money laundering, customer due diligence kind of processes for a bank. And that's great, that kind of saves time and saves money for the banking organization. And hence you get this concept of reusable KYC or KYC as a service. Now in Australia, at least, and I know in some other countries as well, there are sort of impediments to that. And it doesn't kind of work when we look at the decentralized future. The impediment in Australia is this idea that liability still rests with the relying party, with the verifier. So if they were to take advantage of an outsourced service, no matter whether that outsourced service gave them bad information or whatever, they would still be liable for the result.
So they'd need to, it kind of complicates their motivation; it disincentivizes them to actually take advantage of an outsourced service for reusable KYC. And that's just the liability laws here. The next point is slightly more impactful in a way. It basically says that if it's a process by which you rely upon original documents, so, you know, passports, visas, driving licenses, these things that we have as foundational credentials, and if you, the verifying party, are relying on a third party to check those, to make sure they're okay, what's happening is the checking process is difficult. It's cumbersome, slow, it's costly. And hence, there's a purpose in having reusable. If that checking process is trivially easy, quick, cryptographically secure, and can be done every time you want to do it, then you don't need a third party to do that for you.
You can rely on the original documents each and every time you actually want to do a KYC, and you don't need a third party to do it for you, 'cause it's actually quite easy. So I think that's where I see the risk, if you like. But if you have a simplified model for trusted third parties, then you're not going to basically manage to, sorry, just jumping around the slides, you're not gonna manage to carry on going. But there are going to be some new trusted third party business models coming forward, even in the decentralized world. And some of the reasons that they will need to exist and will have business value in existing are understandable when you think about the transactions that we're talking about. So one of the transactions is you are able to ask a customer each and everything that you want to ask them.
And they are able to answer those things using a cryptographic proof response type model, but they may choose only to share what they want to share with you. They could say, I don't have that credential, I'm sorry, if it were, say, incriminating for them. And you can only ask of them what they might have; they won't be able to present something that is necessarily negative and sort. So you may still have to do checks outside of what you can confirm with them. You can only confirm what they've got, and that what they've got is correct or valid. You can't confirm things outside of that space. So there are going to be reasons why you need to have third parties to do things in addition. And that's where I've come to the conclusion that basically business models that will succeed in the third party world, at least.
So those that add value beyond authentication. So if the business model is purely just an authenticating kind of business model, I think it's gonna disappear. And the quote that I found, I was reading some of the papers, as we all do, I'm sure, on trust, that both made my mind go in a bit of a pretzel knot, but I thought was quite fun, was the quote twisting Sam Goldwyn's famous remark about the idea that a verbal contract is not worth the paper it's written on. And the author of the paper saying he was only half right, that Sam Goldwyn was only half right, because all that is interesting in the concept of trust lies precisely in the half which is wrong. And it takes you a while, I promise you, to think about why that's a pretty good, but also a little bit annoying, complicated way of phrasing it.
Basically, it's filling the gap in knowledge that is important in terms of the trust. So, the model going forward. Now, I mentioned that we're working on sort of new models of estimating the value of a proposition. This is an example of something we tried four years ago. We were doing all sorts of smart stuff with Monte Carlo simulation and all sorts of weird stuff to try and get an idea of what would be the potential business value in a sort of issuer, holder, verifier kind of model: a number of different layers, a number of different parameters, very complicated, not very right. And what we found recently was that very simple model, that approach we were taking, didn't take account of multiple use cases, multiple types of ways of using verified credentials, multiple parties, and other things.
And given a challenge by government, what might this be worth for our citizens of the state? What might this be worth on a broader economic basis? We had to kind of rethink the whole thing. The way we started thinking about it was a process that had to follow or meet certain criteria. This is a government infrastructure project, really, and a number of agencies are going to want to put things through the infrastructure that sort of surfaces their verifiable credentials, their content, and so on. Which ones come first? Which ones are the ones that get up through the business case? Those sort of questions need to have answers which are kind of transparent and sort of shared with people. So we need a thing we can share with stakeholders that they understand, that makes sense. The how was that each of these answers needs to sort of demonstrate that the use case is achievable within a known time, within a forecast budget, addresses some identified problems and opportunities, and has measurable benefits.
So there's some substance to the reasons we want to choose particular use cases, and what we basically, whether there's a three-step process. So we've got a whole bunch of use cases, there's at least 50 plus, that are on the left-hand side. We've got some filters that we apply to say which ones are gonna make it through to the scoring process. We've got a bunch of fairly sophisticated scoring processes once they get through that filter. And then the results of those scores give us a way of looking at the results that we can then sort of analyze and prioritize and select those use cases to make it through. The kind of criteria we use for filtering are: is it simple enough? That's our first phase filter. It's not got multi-step to it. It's not got sort of extra complexity.
Is it doable? It's a number of sanity checks, sensible. And the third one is to do with the government's approach: is this the right thing for government to do? Is it gonna compete with existing commercial interests inappropriately? Is it gonna create new opportunities, new markets, make existing markets more efficient? Those things are okay, but not competing with existing commercial interests. Out of that sort of filtering process, we then score in five areas. There's about 20 criteria that we're using right now for the scoring. So underneath each of these five is probably another four, and they cover things like: how many people do we think might take this up across a population of, in this case, many, many million? How ready are the parties to make the change to adopt this process? How complex is it to implement and do? What kind of benefits might we achieve?
Minutes saved, risk saved, or reduced, sorry, dollars saved in fees, both quantitative and qualitative. And what would the perception be? We have a somewhat joking test inside the mix, but it actually is worth having, which in Australia we might call the pub test. And basically we're saying, what would people say in the pub if they heard that the government was doing this? Are they gonna be kind of for it, you beauty, mate, or whatever, are they gonna say what the, in terms of what they're thinking about? Are they gonna be for or against it? And that's actually, I know we're in an election stage right now in Australia, it's a bit of a hot topic, but it's a sensible question to ask: does this fit a perception? Are we gonna have communication challenges to explain why? And then we aggregate all those scores in a number of sort of fairly sophisticated ways so that we can combine them into, say, two dimensions, 'cause people like two dimensions.
You can see that and draw that. So in this one, we've shown impact in terms of reach, benefits and perception, and ease of implementation calculated by change readiness and complexity. And that then gives us this ability to draw something like this, which is the classic "top right-hand corner is where you want to be" model of where the use case should fit. So the ones that aren't in the top right aren't there for a bunch of reasons. You can analyze those reasons, draw back and say, well, why does that one not come up? That's my favorite. And we can kind of do a rigorous approach to sort of sensing why they fit or don't fit.
The model has to be configurable. The one we've built right now is tuned for a state government. If we were doing it for other enterprises, it would be tuned differently. But the theory, I believe, is extensible to pretty well every kind of type of business, that this kind of approach, I think, works in terms of the use case analysis for decentralized. I want to share with you a couple of kind of pseudo-real examples. I'm not declaring these to be real, but they're similar to the things we've been looking at. These are the five criteria you can see across the top of the columns for the filtering process. And these are the use cases across on the rows that we're looking at. And so we can see a use case that has all yeses is a first data certificate in the state we're talking about.
Those certificates are issued by a state government education authority. So they own the data. It's an existing credential, it fits their purpose and so on. So all five, so yes. If you look at a bank KYC, if you're a finance person, you'd be glad to know the government doesn't intend to do KYC for your bank customers, because this is data they don't have. It's not their data. It's not really the government purpose to do so. It's not a single step. However, the government can provide some credentials that might be useful in a KYC. So it's not to say they can't do part and help the economy in a part, but they can't do the whole thing of bank KYC. So we'd have to rephrase that use case to break it down, to actually make it addressable by government, rather than calling it bank KYC. And as you can see, we got that list of six, we get four no's and two ticks. And that was what we got. Now, I've raced through, and I'm just checking my time. I think I'm sort of on time. Raj, that's the end of my slides and I'm very happy to have a chat.
