There’s a lot of very good and productive discussion about the “trust economy” these days, and this article from Deloitte’s Eric Piscini, Gys Hyman, and Wendy Henry is a good example of that – https://dupress.deloitte.com/dup-us-en/focus/tech-trends/2017/blockchain-trust-economy.html. It’s a long piece but it’s good.
People who are paying attention to blockchain, know that blockchain is based on two simple concepts, trust, and decentralization. The decentralization element is pretty straightforward and mentioned in the Deloitte piece. The element of trust is about the block in the chain – it’s not about the participants in the blockchain. In fact, thus far, one of the big benefits of the blockchain has been anonymity.
Anonymity is a rare and elusive thing in the digital world and that’s among the reasons it’s so important and valuable in some aspects of blockchain. Especially since cryptocurrencies remain largely unregulated, there are a lot of things participants can do with cryptocurrency that they can’t do in other ways online. That anonymity is also one of the reasons industries like financial services and healthcare have not embraced all aspects of the blockchain and cryptocurrencies because anonymity is a bad thing in many parts of those industries KYC (https://en.wikipedia.org/wiki/Know_your_customer) for financial services and HIPAA (https://www.hipaa.com) for healthcare.
But let’s take a big step back on trust.
Much of what we knew as trust was historically built on face-to-face, eye-to-eye interaction. Human-to-human.
The Internet Broke Trust
The last mile of the Internet eliminated the need for face-to-face interaction, and we know that in some ways that has been a huge positive and in other ways it has created all sort of problems.
What has resulted from that is an entirely new model for trust, authentication, and verification. We have changed what it means to be a “friend” with someone, via social media, and a login and password is what we have used for the last 20 or so years to prove we are who we say we are.
Some of that is because the state of the art has not supported much more than that.
Today trust has many layers and dimensions.
- Operating System
ID/Password are used in many cases today for the last three of those dimensions. Things like OAuth (https://en.wikipedia.org/wiki/OAuth) and OpenID (https://en.wikipedia.org/wiki/OpenID) are common ways to share either a single sign on or traverse different applications without having to enter an ID/password every time. We can call that application-to-application authentication since no effort has been made to check that the person with the ID/password is actually who they say they are.
Today there are many companies talking about biometrics and facial recognition software to help with identity authentication – but that’s still often at best at the application or operating system layer and for most devices it’s pretty easy to hack one of those devices – so while it is very convenient – in most cases it’s not much more secure than ID/password and even though a human was (presumably) involved with the biometric capture, there is still zero human trust involved.
There are some new ways to achieve trust across all seven of those dimensions above. That’s the good news.
But there’s another level of complexity – even if you can get all seven of those dimensions accomplished in a trust model – there is another set of dimensions that now must be considered – and that is the specific information someone needs for their transaction or activities. For banks KYC is pretty clear – that they need to be sure the person is who they say they are. But what if someone wants a car loan or a home loan, or a job, or a job reference? All of those things requires different information to be validated – and in those cases something central is probably what they need. But there are other things that people want that are not central – like whether a gardener did a good job on a neighbor yard – such that a neighbor would make a decision based on the recommendation of their neighbor (someone they know) or someone down the street they don’t know. From this, a list of attributes emerges that people want to know about a person or a business:
- Identity (using a government ID like a passport or license been used to verify they are who they say they are
- Military background
- Credit history
- Driving history
- Criminal history
- Bill paying
- Customer rating from services like Uber, EBay, and Airbnb
So there are many kinds of ways in which people will want to know things about a person – some things are necessary by regulation, some are not.
Context is a third dimension of this model – is it social, professional, recreational or some other purpose for the request and how that relates to trust.
Requests can come from many directions with different contexts and purpose and with all of these requests – privacy and control need to enter the conversation. The person in question may want to curate how this information is transmitted and set up rules for the context and ways in which they do, and don’t, want information transmitted.
So as we get away from old-fashioned human-to-human trust it starts to be clear that in the new world of trust with different dimensions of connection, and different central and de-centralized types of authentication and context – we need to have a smarter way to manage trust and identity. That is what we call Smart Identity and we will be elaborating on various facets of that in future blogs.