Let's talk about digital identity with Craig Ramsay, Senior Solutions Architect at Omada.

What is Identity Governance and Why is it important? Craig Ramsay, Senior Solutions Architect at Omada joins Oscar to explore all things Identity Governance including – the role of Identity Governance in compliance with regulations and standards, how it affects security and risk management for organisation, alongside some real-world examples of Identity Governance in use.

[Transcript below]

"We’re still trying to shake off the thing that - security is a barrier to efficiency. There’s an old adage that ‘efficiency is insecure, but security is inefficient’. But I don’t think that’s true anymore."

Craig Ramsay, Senior Solution Architect at Omada, from Edinburgh, Scotland. I have worked at Omada for 3 years and have previously worked at RSA Security and different financial services organisations in the UK within their Identity functions. Outside of work my main interests are hiking and travelling.

Connect with Craig on LinkedIn.

We’ll be continuing this conversation on LinkedIn using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 102.

Podcast transcript

Oscar Santolalla: This week I am joined by Craig Ramsay from Omada, here to discuss the importance of identity governance and how it is helping to solve problems in real-world. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar.

Oscar: Hello, for today’s episode about Identity Governance and Administration, mostly known as IGA, we have invited a super interesting guest who is Craig Ramsay. He is a Senior Solution Architect at Omada. He’s from Edinburgh, Scotland. He has worked for Omada for three years and has previously worked at RSA Security and different financial services organisations in the United Kingdom within their identity functions. Outside of work, Craig’s main interests are hiking and travelling. Hello, Craig.

Craig Ramsay: Hey, Oscar. How are you doing?

Oscar: Very good. Nice talking with you.

Craig: Thank you, you too.

Oscar: So, let’s talk about digital identity. As usual, we want to hear more about our guests. Please tell us about yourself and your journey to this world of identity.

Craig: Sure. So, I mean, thank you for the introduction. And I guess, in terms of my journey into identity, it was a little bit by fluke rather than by design. I studied Computer Science and when I graduated, I joined an operational IT graduate scheme. They had recently started a new IAM project, because I think back in 2008, identity and access management, identity governance wasn’t as mature as it is now. It was still kind of seen as an operational IT project rather than an information security principle. So, the drivers there were more about the efficiency, automated provisioning and stuff. But yeah, they were looking for a graduate on that project. That was me.

And apart from a few years where I decided to try what it was like being a policeman, I have worked in identity ever since either for, as you said, financial services organisations doing the work at the coalface or for vendors, either in project delivery or, and you know pre-sales in my solution architect role.

Oscar: Excellent. So, let’s go first with the basics. We have not talked about IGA yet in this podcast, have not focused on that. So, tell us, what is that? What is Identity Governance and Administration, IGA? What is important?

Craig: Sure. So, I mean, identity governance, when you focus on it, at its core, it’s a solution that will ensure the right individuals have the right access for the right reasons at the right time in your organisation. So, it’s protecting the authorisations or the resource assignments within your organisation. And that’s often policy-driven to ensure that all of, and I think the important distinction here when we talk about IGA, that’s traditionally your internal identities, maybe your third parties and contractors.

And then in terms of the overall importance of identity governance, as I said, it’s evolved over the years from being primarily driving and focusing, looking at the provisioning element of things. But as governance has become more and more important, as we start to take a more holistic view at identity, when you look at the adjacent technologies; privileged access management, cloud infrastructure and tailored management, user endpoint, behaviour analytics, identity governance is now really being seen as the kind of control plane across that identity fabric. So, I think it is becoming crucial. And there’s a lot of visibility on the importance of identity now, right up to C-level and maybe wasn’t 10 years ago.

Oscar: You mentioned this concept about identity fabric. Could you also explain a bit more about that in this context?

Craig: Yeah, sure. So, I mean, identity fabric is a term that’s been coined in the last maybe few years by a lot of industry analysts out there. It’s maybe a new phrase, but I think the concept isn’t necessarily that new. So, I think we also hear people calling it an enriched security ecosystem. So, it’s where you look at these solutions in the PAM space, UEBA, your SIEM solutions, etc.

Those traditionally have worked in perhaps a bit more of a siloed manner. And the integrations have been maybe limited and not as seamless. Whereas now, I think this concept of that enriched security ecosystem, that fabric is that these things should be joined up and they should be – the convergence of intelligence and data between those solutions, I think is becoming more and more important so that you can take a holistic approach to reducing your identity-related risk.

Oscar: It is very important, as you said, because there will be anyway, other solutions working together with IGA. Yeah, absolutely.

What are the main problems, just – I’m sure there are many, but what are the top main problems that IGA solves?

Craig: Yeah, so from a business problem or business challenge perspective, I think the main thing that we always focus on when we’re helping people build their IGA business case, is that we focus on security, compliance and efficiency. So, it’s looking to increase the efficiency and productivity of your end users and their experience, all whilst ensuring that you’ve got increased compliance, increased security and reduced risk.

So, when we look at that, some of those common challenges and problems within that would be reducing the attack surface in the organisation. So, removing unneeded access, adhering to the principle of least privilege, making sure that your identities only have the access they should. I mean, combining those two things is going to reduce the likelihood and the impact of a potential breach in the organisation. It provides you with a unified view of access across the organisation, which a lot of people often haven’t had previously. So, understanding who has what access.

And then there’s the automation around identity lifecycle management. So that’s reducing the time taken to provision your joiners, your movers, your leavers. You’re putting governance and auditing around all of these processes too. So, when people are requesting access, you’re ensuring they’re getting it for the right reasons with the appropriate approval. And you’re cutting down on things like rogue IT administration and stuff like that.

So that’s high level, there is more obviously, but I think those are the high-level ones that we see frequently when we’re speaking to prospects out there in the market.

Oscar: It’s a security compliance, and efficiency. Yeah, we’d like to talk about this. But before actually it will be interesting to – so people can understand the broader concept, how we try to imagine in their minds.

If you can see in a real-world example, how work for a typical corporation that uses IGA. So, tell us what are these main processes that you say, mostly employees, right? What are these main processes? Let’s say a new employee goes from beginning until the end.

Craig: Yes. I mean, if we’re going to talk - the phrase we kind of, is from hire to retire. So, when I try and explain this to my friends, maybe aren’t so technically minded when they ask what I do, I sort of give them an example. I say, OK, you join an organisation, and you are working in their HR department. So, from day one, you should have access to be able to log into the network, an email account, access to various file shares to do with HR to enable you to be productive from day one.

So, the IGA solution will help you identify the policies to automate that process, to make sure that you are productive and also make sure that you’ve only got access to what you should. So, if you’re joining HR, you shouldn’t be getting access to any file shares to do with finance, R and D, anything like that. And then as you move around the organisation or your needs change, you should be able to request access that goes through the appropriate channels.

It should be reviewed regularly to make sure that it is still appropriate as you go through your life cycle as an identity in the organisation. If you are promoted or changed departments, that should change automatically in line with those policies too. And if you either leave the organisation, be it permanently or temporary for maternity leave, garden leave, that kind of thing, your IGA solution should then disable or provision that access in a timely manner too, to make sure you’re reducing risk.

So, I mean, those are kind of some of the high-level things that it’s that right access for the right people at the right time for the right reasons is kind of trying to, in a nutshell.

Oscar: Indeed, that was in a nutshell, very, very easy to understand. Thank you for that.

Let's talk about digital identity with Jesse Kurtto, DPO and Data Scientist at Ubisecure.

Is now the right time to invest into Identity and Access Management (IAM)? Join us for episode 101, as Oscar is exploring why now is the right time to invest into IAM with Jesse Kurtto, DPO and Data Scientist at Ubisecure – as they delve into the current economic situation and some of the key factors of investing into identity management.

[Transcript below]

"Digitalisation is ongoing, it's accelerating, it's unstoppable."

Known as the guy who shortened the world and lived to tell the tale, Jesse’s career is gradually arching from the Wild West world of finance to his current position as the DPO and Data Scientist at Ubisecure. Learning to program before learning to read Finnish and visiting 25 countries before 25, he’s no stranger in exploring uncharted waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is putting the hiking boots and RPGs aside for a moment in order to write to his beloved snail mail friends across the world.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 101.

Podcast transcript

Oscar: Is this the right time to invest in Identity and Access Management? This week Jesse Kurtto from Ubisecure has joined us to answer this question and discuss the current economic situation. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar: Today’s guest is Jesse Kurtto. Jesse’s career has gradually arched from the Wild West world of finance, to his current position as a Data Protection Officer and Data Scientist at Ubisecure. Learning Program before learning to read Finnish and visiting 25 countries before 25. He is no stranger to exploring unchartered waters and discovering connections that others might miss. Surrounded by a delicate balance of the latest technology and dozens of carefully tended houseplants, his secret hobby is writing to his beloved snail mail friends across the world. Welcome Jesse.

Jesse: Thank you for the invite, Oscar. Nice to be here.

Oscar: Great having you, Jesse, definitely. We’re going to have a super interesting conversation about the market in Digital Identity and Identity and Access Management.

First of all, we always want to hear more about our guests. So please tell us a bit about yourself and your journey to the world of digital identity.

Jesse: All right. So, like many or even most of us in the digital identity field, I actually never really actively sought to be a specialist, IAM specialist, on purpose. And my personal background is actually nothing technology even, but in finance and investing more specifically. So, a chance encounter and I liked the people who interviewed me and decided to stay for a while, and that while has been over seven years now. And I'm still learning something new every day, checking out how we really the world of digital identity like and frankly haven’t ever regretted decision. No two days have really been the same and the field continues to evolve and develop quite a bit every year.

Oscar: Yeah, excellent and definitely hearing at Ubisecure, we definitely appreciate having this – well call it, like a blend of knowledge - the financial market, not lesser than what you bring with the security and digital identity knowledge, very practical knowledge you also had. So, it's always super interesting having those conversation with you.

And for the first time here on the podcast, we are going to have that, a bit more financial touch on that - What is coming, especially in this well this year, and I think also the years to come. The previous year and the year to come I think, we are already end of 2023 in which - well the financial situation is not good we're going to talk about. But of course, no matter how the economy is, the companies organisation has to protect their services, have to upgrade the services, maintain them, so they have to invest some money in that.

So, from the perspective of companies who today need to upgrade their digital capabilities, what would you say is the piece of the current macroeconomic situation that they should know well? So that was at least what they should know well, from what is happening now?

Jesse: Well, first of all, we all know the macroeconomic situation hasn't really been dancing on the roses over the past few years. But first, we had a massive shock with the COVID pandemic starting from spring 2020. Then we got massive economic stimulus to recover from that slump. And right after we were starting to climb up, then the war in Ukraine saw that all kinds of new problems everywhere around the world seemed to emerge just within three or four months.

The energy uncertainty in Europe and the economy went down the drain, and macroeconomic in quite a difficult situation here in Europe. But we would actually want to have some kind of stimulus in order to recover. But at the same time, we are suffering from quite persistently high inflation, which makes any kind of stimulus package basically equal to pouring more gasoline to the flames.

So, the European bank is really between a rock and a hard place here. And I can only look over the Atlantic to the States and be very jealous how they are able to both fight inflation and with high interest rates, five and a half percent this talking and meanwhile still have a blisteringly red-hot labour market all but there.

So, my first point would be that not all markets are equal. And the second important point is that now is actually a really great time to invest in any digital capabilities, including digital identities. Because now, we are in the middle of a small recession in Europe and investing in recession has historically been the very best time to invest in growth.

And if we think for a while, it actually makes perfect sense. After all, the alternative is to invest in the middle of a growth season when everybody else wants to invest in growth as well. Pushing prices even higher and reducing the availability of experts to help with these transformation projects. But now it's still for a while kind of a buyer's market.

So best time to invest in future growth is now.

Oscar: So, time to invest is now.

Jesse: Yes.

Oscar: Okay. So, let's go into what - because there are many things that the company can invest now and many things that many companies might need. But if you were one of the - chief executive, like CISO, or someone who is top decision makers in companies and there has to be some budget for digital identity. Thinking of - first of all broadly. Broadly but in digital identity, what would be the most important products that today would be the top priority for buying now?

Jesse: Today I would say that the absolute top priority would be - to establish really low friction user journeys from the very beginning account registration to the actual purchase, including solid online self-service. And now this low friction user journey is no way exclusive with security or compliance, but it is actually reaping the benefits of digitalisation. Digitalisation is ongoing, it's accelerating, it's unstoppable.

So, the question is for every organisation – should they try to fight this change to the last or embrace it and be among the first to actually reap its benefits. It's actually interesting because my background in finance, the many finance sector operators were among the first to embrace digital identities, but they kind of stopped it halfway there; “Okay, we can build self-service portals for our users, but for many, many procedures we still require hand signed paper documents being sent via physical mail.” And this is really only reaping a very small part of the benefits of digitalisation. So, there is plenty to go.

Oscar: Yeah. Interesting what you say in finance services. That's correct. For reasons of security had to be always in the latest of technology for security. But some of the process has been, as you say, very old fashioned like the old school, many paper fax I think still use or cheques. So, these kind of.

Jesse: Oh yes, those ones to.

Oscar: Still alive.

Jesse: Yes. And it truly hurts the user experience a lot. It even causes direct missed opportunities. Let's say new bond is coming to a market and you wish to buy a piece of it and participate. But if it takes three or four days just to do all the paperwork, then the opportunity has simply passed.

Oscar: And indeed, the price changed completely. Okay, so you say that the top is to - the user journey has to be digitalised. So, what is the category of products that address that?

Jesse: Would say a real CIAM system would be the one to go here, and not try to build the user journey from, let's say 4 to 6-point solutions and then somehow glue them together. I think the best solution would be an IAM solution that's designed for a whole user journey from the scratch and not something homemade or batched together.

Because when business grows, as it will eventually grow, no recession will last forever. And to user numbers pick up and suddenly there's a nightmare of issues of having 4 to 6 different vendors and trying to keep their products up and running with ever increasing user numbers. And that again, is doing digitalisation the wrong way, if I may say.

Oscar: Yeah. CIAM being - so how, well the evolution of the more broadly speaking, Identity and Access Management. Maybe you can give us an overview of that evolution of the Identity and Access Management, what - how we started and what we have today.

Jesse: Yeah, that's a very interesting topic.

Let's talk about digital identity with Heather Flanagan, Principal at Spherical Cow Consulting and David Birch, Principal at 15 Mb, author, advisor and commentator on digital financial services.

This is the 100th episode of Let’s Talk about Digital Identity – in this special episode two of our most popular guests, Heather Flanagan and David Birch, rejoined the podcast to explore what is exciting them in passwordless, identity wallets and digital money.

[Transcript below]

"Passwords have got to go. As we're moving to passkeys, I think there's always room for improvement on - even on them. If nothing else, focusing a little bit more on the user experience so that people will have a better understanding of what this means."

Heather Flanagan, Principal at Spherical Cow Consulting and choreographer for Identity Flash Mob, comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organisations on the Internet, including IDPro as Principal Editor, the IETF, the IAB, and the IRTF as RFC Series Editor, ICANN as Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.

Listen Episode 74, where Heather discusses Making Identity Easy for Everyone or connect with Heather on LinkedIn.

“The thing that's broken in digital money at the moment, is identity, not the payment bit.”

David G.W Birch is an author, advisor and commentator on digital financial services. Principal at 15Mb, his advisory company, he is Global Ambassador for the secure electronic transactions consultancy, Consult Hyperion, Fintech Ambassador for Digital Jersey and Non-Executive Chair at Digiseq Ltd. He is an internationally-recognised thought leader in digital identity and digital money. Ranked one of the top 100 fintech influencers for 2021, previously named one of the global top 15 favourite sources of business information by Wired magazine and one of the top ten most influential voices in banking by Financial Brand, he created one of the top 25 “must read” financial IT blogs and was found by PR Daily to be one of the top ten Twitter accounts followed by innovators (along with Bill Gates and Richard Branson).

His latest book “The Currency Cold War—Cash and Cryptography, Hash Rates and Hegemony” (published in May 2020) “paints a fascinating and stimulating picture of the future of the world of digital payments and its possible impact on the wider global and economic orders” – Philip Middleton, OMFIF Digital Monetary Institute. His previous book “Before Babylon, Beyond Bitcoin: From money we understand to money that understands us” was published in June 2017 with a foreword by Andrew Haldane, Chief Economist at the Bank of England. The LSE Review of Books said the book should be “widely read by graduate students of finance, financial law and related topics as well as policy makers involved in financial regulation”.  The London Review of Books called his earlier book “Identity is the New Money” fresh, original, wide-ranging and “the best book on general issues around new forms of money”.

More information is available at dgwbirch.com and you can follow him @dgwbirch on X.

Listen to Episode 75 with David discussing Digital Currencies or connect with David on LinkedIn.

We’ll be continuing this conversation on X using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 100.

Podcast transcript

Oscar Santolalla: This is episode number 100 of Let’s Talk About Digital Identity. And for this special occasion, we have invited back Heather Flanagan, and David Birch.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

We have invited back to the show two of our most popular guests. So, these two guests, let me introduce them is Heather Flanagan. She is Principal at Spherical Cow Consulting and Acting Executive Director for IDPro. Hello, Heather.

Heather Flanagan: Hello, Oscar.

Oscar: Nice having you back.

And our second guest is David Birch. David Birch is an author, advisor and commentator on digital financial services. He is Principal at 15 Mb, his advisory company. Hello, David.

David Birch: Hi. Thanks for having me.

Oscar: It's a real pleasure having you both for this special episode, a bit different style, so being out of our usual script. But yeah, hearing a little bit more about yourselves.

So, I’d like to hear something in particular, because we want to hear something - a moment in your lives. So, what I want to hear – think of one specific moment in your career in which you told yourself, “Yes, this is why I love working in the identity industry.” Which moment would it be? Who wants to start?

David: Well, and it’s a bit self-centred, but probably when my publisher agreed to publish my first book. I thought I had some interesting ideas about identity – I mean you always think that your ideas are - but when you get that kind of validation that your ideas actually are interesting to other people. That really did change my career. Yeah, otherwise, I probably would have just carried on being a pretty average consultant and carried on in payments and banking. So yeah, it's – but I put it all down to my publisher.

Oscar: Which one was this book? Tell us which book was this.

David: Identity is the New Money. It was Diane Coyle, the Economist, who encouraged me to publish it. So yeah.

Oscar: Fantastic. Heather?

Heather: I don't have anything. I've been actually thinking about this question for a while, and it's really hard to point to any one thing, because there were no lightning from the sky moments. It's just, it's always been such a foundational aspect of everything that I've ever done since I started in tech in the mid ‘90s. Where the first question was always - when you're taking over something from a bulletin board system to an email server, “Who can access this? What permissions do they need to have? How do you set up accounts for them?” That was where everything always started. So, no one moment, it's all of the moments.

Oscar: Well, that's great that there are several exciting moments. I'm sure for all of us, it's been like that. Several moments in which we feel that this is exciting to be in this industry. But thank you for sharing that with us.

Being already towards the end of this year 2023 - so there are some keywords which were buzzing in the last years. But some of these buzzwords today are more reality, we have access to those. What do you think, what you feel about these technologies or techniques. And let's get started with passwordless. So, if I ask Heather, what excites you today about passwordless?

Heather: I'm really excited about the fact that the technology itself is solid, the standards themselves are really, really well-done. But as excited as I am, I am concerned. Like at all the new modern technologies, I look at them and go, “Wow, that's really cool.” and little anxiety making because for passwordless, what I observe is when you actually get out of the tech field and talk to my mother, she doesn't trust it because it's too easy.

And so, I do wonder about as bad as passwords are, the friction that they add, it's something that people can wrap their heads around. Whereas they don't understand the magic that's happening behind the scenes that makes passkeys better. And if they don't trust it, they won't use it. And if they don't use it, we lose out on all the benefits. So, one of the things I've been trying to think about for you know, the future is OK passkeys are amazing, but how can we make them less magic scary?

David: I'm a bit frustrated with it really, because I'm extremely lazy. And so, you know, like eBay, for example, uses passkeys, the whole thing works perfectly. So as soon as I go to a site, as in fact I just did 10 minutes ago to look at something and it’s log back in. I’m like, “What I have an account? I didn't even know I had the account.” And then I had to remember the password. And of course, I didn't get it. So, I had to click on, I forgot my password, and then I got the password reset. And then I put in the new password. And it said, “You can't have a new password that’s the same as the old password.” And we just go around in this loop. And it drives me crazy. I'm like, “Why can't you just all implement this?” Despite the fears of your mom, which I mean I can't discount those because they're real. The sooner we make people stop using passwords, the better.

I was reading a fantastic story in the Insider this morning. Did you see this story about the Zelle fraud on Insider? It’s typical kind of thing, you know, guys getting some work done by a contractor. The hackers get into the contractor’s email account, they send him a thing to send money to a different account, which is the hackers’ account. And they make off with all of the money. And so, they go and talk to the contractor and said to him, “You know, did you know that your email has been compromised, you should change your email password.”

And the guy, it says in the article, “We may as well have been speaking Romanian.” The guy had absolutely no idea what they were talking about. Because he's a normal person. He doesn't care about all of this stuff. You don't say to people, “Oh, here's a car, would you like a seat belt with it? Or would you like a piece of string that you could attach in, you know, particularly opt in place.” You know, as a society, it comes to a point where you say, “I'm sorry, not wearing seatbelts, there's just too many people dying. So, cars have to have seatbelts. And you have to put the damn things on. End of story.”

Let's talk about digital identity with Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id.

Join this episode of Let’s Talk About Digital Identity where Gautam Hazari, mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id joins Oscar to discuss the missing identity layer of the internet. Gautam shares details about what the missing identity layer is, more about mobile networks as well as discussing Gautam’s TEDx talk.

[Transcript below]

"Internet did not have that identity layer. So what did we do? We created a trust-less model."

Gautam Hazari is a mobile identity guru, technology enthusiast, AI expert and futurist & is the CTO of Sekura.id, the global leader in mobile identity services. He led the implementation of the mobile identity initiative – Mobile Connect - for around 60 mobile operators across 30 countries. Gautam had also been an advisor to start-ups in digital identity, healthcare, Internet of Things and Fraud and Security management. He is a thought leader for digital identity, advocating solving the identity crisis in the digital world and speaking on making the digital world a safer place. If you ask Gautam, “What is the best password?” you’ll always get the same answer: “The best password is no password”.

Connect with Gautam on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 99.

Podcast transcript

Oscar Santolalla: On this episode of Let’s Talk About Digital Identity we are joined by Gautam Hazari, from Sekura.ID as we discuss what is the missing Identity layer of the Internet. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar: Hello and thank you for joining us, a new episode of Let’s Talk About Digital Identity. Today’s guest is Gautam Hazari. He is a mobile identity guru, a technology enthusiast, artificial intelligence expert and futurist. And he is the CTO of Sekura.id, the global leader in mobile identity services. Gautam led the implementation of the mobile identity initiative Mobile Connect for around 60 mobile operators across 30 countries. He has also been an advisor to startups in Digital Identity, healthcare, the Internet of Things and fraud and security management. Hello, Gautam.

Gautam Hazari: Hi, Oscar. How are you?

Oscar: Very good, happy to have you here in the show.

Gautam: My pleasure. Thanks.

Oscar: It’s going to be super interesting. Now, we are focusing on mobile - mobile initiatives, like the one you are working with, can help us to solve the identity problems we usually discuss in this show.

First of all, I would like to hear a bit more about yourself. So, if you can tell us your journey to this world of digital identity.

Gautam: Sure. Thanks, Oscar. I have been in the identity space for quite some time now. And it started in the telecom world and that’s why I talk about mobile identity a lot. So I spent many years of my life in the telecom, so I worked with the Vodafone group for nearly 14, 15 years. What I realised is that there is one thing that the mobile operators have done quite efficiently is solving what I call the identity crisis of the internet. I started to talk about it quite passionately in different forms.

And in 2013, end of 2013, GSMA approached me. GSMA as you know is the GSM Association which is the trade organisation for the mobile operators. So the GSMA board was discussing that there were some assets within the mobile operators which can actually help in solving the identity crisis in the internet. Then they approached me that, “Hey, you were talking about this identity thing for quite some time, do you want to come and join?” And that’s when I joined GSMA to do the initiative for mobile operators to solve the identity crisis of the internet.

Then I led the technology for what was known and still known as Mobile Connect Initiative. I was the Chief Architect for Mobile Connect. And then me and my team created the reference architecture, the specification. And then of course, that’s not enough, so I went around the world, worked with the mobile operators to implement it as well. You know, at that time, there were around 62 mobile operators around the world who implemented it. And they did very passionately and this is where I met some of the founders, Mark and Keiron, in GSMA, working with the same team. And then I’m taking that journey forward in a much more accelerated and commercial way in Sekura.id.

Oscar: Yeah, excellent. Well, definitely a lot of your journey is in identity already and mostly in mobile, as you said. Before we start going to what you are doing in Sekura.id and we definitely want to hear more about that. I know that you have a special experience which is you have even a TEDx talk. So if you can tell us a bit of that experience.

Gautam: Yeah. Thanks, Oscar. It has been a fascinating experience actually, while preparing for the TEDx talk and also after that. So I was invited to do this TEDx talk to share my vision and dream of a world without passwords. I have been talking about these things passionately and that’s kind of my personal journey has been as well.

So, I had a lot of learning, you have to compact all that you want to talk within 18 minutes and that’s very interesting, right? If you have a free floating, I mean I’m really, really passionate about this identity thing, I can keep talking for days. But if you need to give your message within 18 minutes that’s quite interesting. So I learned how to deliver the message in that concise way.

And after delivering that, and once the TED organisation published the video in their YouTube. Interestingly, they didn’t actually remove any part of that, generally they do some editing but they didn’t do that for me. I’m really thankful to TED on that. So it happened end of last year. It’s been just one year completed and it has been viewed more than 157,000 times. And I have been receiving some very, very interesting messages from all around the world. From identity enthusiasts to security specialist, and also, from general public as well, saying that awareness is important. And we are having some inertia, right? We have been using passwords since, you know, 1961 actually, even before the internet was invented in 1989. But we don’t actually think that we are actually using it, and the complication that it brings too. I have been fortunate enough to hear lots of personal stories as well. These viewers, they have been sharing their personal stories related to passwords, and discussing what is the solution that can actually solve this.

Yeah, so it has been a fascinating experience and I’m really, really thankful for all the viewers who have been watching it and also most importantly, interacting with it and sharing their stories.

Oscar: Yeah, excellent. Yeah, I also watched and as you said, the way you explained also definitely appeals to the general audience which is of course what mostly TEDx is about, reaching wider audiences. So it’s definitely a good job you have done there. And I am happy to hear also that there have been a lot of conversation because that’s also important that people not only hear the stories or the ideas but also get involved in, spreading those problems, sharing their own pains, et cetera.

Gautam: Thanks, Oscar.

Oscar: I also know that you have written, of course, you write blogs, particularly, I read the you talk about the missing identity layer of the internet, missing identity layer of the internet. Could you tell us what is that?

Gautam: Yeah, absolutely, Oscar. I mean it’s extremely important that we acknowledge and realise that. Let me go back to when the internet was invented, right? Let’s face it, the internet was never designed to identify the human users. It was designed to identify the computers, right? That’s why there are IP addresses. Fortunately, or unfortunately, we humans don’t have IP addresses.

So, in the initial days of the internet, if you remember, all we used to do in the internet was browsing, right? We used to browse AOL, we used to browse Yahoo, different stories within Yahoo. So, it did not matter if for me, Gautam, is browsing AOL or Yahoo, or it’s Oscar browsing, or there’s fraudster who is browsing, right?  Because all we did was browsing the internet. Yes, the returning user needed to be identified, not as Oscar or Gautam but whoever was browsing, right? So that’s why cookies were invented just to provide a continuity of the experience, right?

But then we started to do interesting things on the internet. We started to do commerce on the internet. We started to look for things on eBay and started to pay for those things. We started to do banking on the internet. We started to interact in the social media in the internet. And then it did matter whether it’s me, Gautam, doing that commerce transaction, whether it’s me, Gautam, who is doing that banking transaction or it’s you, Oscar, or it’s the fraudster. Or, in the current days, if it is that AI chatbot who is doing that transaction, right?

Internet was not designed to do that. Internet did not have that identity layer. So what did we do? We created a trustless model. So, if I want to pay for some things that I found on eBay, or if I want to do a banking transaction, my bank will say, “Hey, you cannot do that, because I don’t trust you. First, I’m challenging you to prove that you are Gautam.” That’s what we created, because the internet didn’t have that identity layer.

So how did that challenge happen? And they initially did this, this challenge happened in the form of user ID and password, right? And again,

Let's talk about digital identity with Russ Cohn, the (Go-To-Market) for IDVerse.

In episode 98, Russ Cohn the Go-To-Marketing for IDVerse joins Oscar to explore Generative AI within Identity Verification - including what is generative AI and deepfakes, why deepfakes are a threat for consumers and businesses, and some of the biggest pain points in the identity industry and how generative AI can support this.

[Transcript below]

"It's very important that we understand these threats and start to mitigate and create ways of helping to support and stop these practices."

Russ Cohn is the (Go-To-Market) for IDVerse, which provides online identity verification technology for businesses in the digital economy. Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA & US markets within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions.

His strong tech knowledge is coupled with deep operational and commercial experience building teams within SaaS, advertising and marketing technology-driven revenue models. Russ was previously a key early member of the Google UK leadership team who grew the team from 25 to 3,000 people and the revenue from £10m to £1billion during his tenure. He brings deep experience supporting international technology companies and has a passion for marketing development, startup growth and technology solutions.

IDVerse empowers true identity globally. Our Zero Bias AI™ tested technology pioneered the use of generative AI to train deep neural network systems to protect against discrimination. Our fully-automated solution verifies users in seconds with just their face and smartphone—in over 220 countries and territories with any official ID document.

Connect with Russ on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 98.

Podcast transcript

What is generative AI? This week Russ Cohn, from IDVerse has joined us to discuss generative AI and deepfakes and the threat this imposes on businesses and consumers for their digital identities. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Artificial Intelligence, in particular, Generative Artificial Intelligence is a topic that has been, I believe on most of our radars in the last 12 months, particularly. And there are amazing things going on. But also, we know that the bad guys are also using those tools. And one of those is related to deepfakes that are being used to cheat the identity verification system having existing until now.

So, to see how we are going to solve those problems in identity verification, these newer problems, we have a special guest today who is Russ Cohn. He is the go-to market for IDVerse, a company which provides online identification technology for businesses in the digital economy.

Russ has spent more than 20 years scaling businesses of all sizes by delivering successful growth strategies across the UK, EMEA, and US markets, within fast-paced and high-growth online media, fraud, identity, SaaS, e-commerce, and data-driven technology solutions. His strong tech knowledge is coupled with deep operational and commercial experience building things with SaaS, advertising and marketing technology driven revenue models.

Hello, Russ.

Russ Cohn: Hello, Oscar. How are you?

Oscar: Very good. Happy to have you here.

Russ: Thank you. Very glad to be here.

Oscar: Fantastic. It’s great to have you here. And we'll talk about the deepfakes and how the newest practices in identity verification are solving these problems. So, let's start, let's talk about digital identity, Russ.

So first of all, I would like to hear a bit more about yourself, your story. Tell us about yourself and your journey to the world of identity.

Russ: Absolutely. I am fairly new to identity. I've only really started in the industry probably just over three years ago. I was the first international employee of OCR Labs, which is we recently rebranded to IDVerse, but I joined about three years ago. We've since then built the international team to over half the company, and we continue to grow in EMEA and the US.

As a background, I'm a marketer, a commercial leader, investor. I've spent probably over 20 years in technology-driven companies of all sizes. And I was lucky enough to join Google very early on, and there were 20 people in the UK, and 600 people around the world. And I grew up with them a little bit, and I left there with 65,000 people. So, I've got a fairly good experience at scanning companies and have invested and advised companies since then.

I'm now, as I said at IDVerse. And I'm focused on the go-to market. So, helping them globally, to take our products and execute them in the best possible areas and help our customers with the most cutting-edge technology to drive identity verification, make it effortless. Obviously, through the use of our sophisticated technologies and techniques, including Generative AI.

I'm excited about the opportunity for identity verification, as the need for verified trusted identities has grown exponentially, globally, really, since the pandemic. And with digital growing at such a phenomenal rate as well, we're now living in a mobile-first world, and we need the right kind of identity verification to support that growth.

Oscar: Indeed. So, let's go to some basics. For someone who has heard about that term, Generative AI and still is not so clear what it is, particularly. Could you tell us what is that? What is Generative AI?

Russ: Yeah, sure, I think, you know, everybody is talking about ChatGPT and Bard and it's brought these techniques, the AI techniques to the public, and we can't get enough of them. But everyone is using ChatGPT and Bard, etc to learn more, do their jobs better, find new facts. It's pretty addictive and very, very useful but still at the at the fairly early stage.

So Generative AI, short for Generative Artificial Intelligence refers to a class of artificial intelligence systems and techniques that focus on generating new content or data rather than simply recognising patterns or making decisions based on existing data. Now these systems are designed to create original content that resembles human created data such as images, music, texts, videos, and more.

I use Spotify extensively. I'm sure most people do. And I've got an AI system on there now a couple months ago that's going through my music catalogue in my background and choosing the right music based on my tastes. Generative AI models are generally trained on large datasets, and they learn to understand the underlying patterns and structures within the data.

So once trained, they can produce new examples that are similar to the data they were exposed to during their training. These models are capable of generating content that didn't exist in the original dataset, making them a very powerful tool for creative tasks in content creation. Now at IDVerse, we've been doing Generative AI for a long time, probably since the start, seven or eight years ago.

And we use a technique, a very familiar technique called Generative Adversarial Networks or GANs, I'm sure a lot of your audience will be familiar with. Now GANs, just to go back to basics, consists of two neural networks, a generator and a discriminator. These are trained together in a competitive manner. The generator creates the synthetic data, and the discriminative task is to differentiate between the real and the generated data.

So, the competition between the two networks leads to the generation of increasingly realistic content, which we see everywhere in videos, photos, documents, et cetera. Now, we've trained millions of synthetic and real documents and millions and millions of synthetic faces using these techniques. For us, just to be clear, we only use ethically sourced or fair source data for face biometric, particularly in the training. This refers to the facial recognition datasets collected and used in a manner that upholds strict ethical standards and respects individual’s privacy, consent and fairness.

Such data is obtained transparently with informed consent, minimal intrusion and efforts to mitigate bias. So, these measures ensure the responsible and equitable use of biometric technology. In the context of facial identity verification, training data refers to the specialised datasets of facial images used to train the machine learning algorithm, or deep neural networks that are responsible for recognising and verifying individual’s identities based on their facial features.

So that's quite a mouthful. Hopefully, that gives you some context. But this is how we look at Generative AI in identity verification.

Oscar: Yeah, thank you for that introduction. Of course, in one of the products of this type of Generative AI, in related tools are deepfakes that we are seeing more often, sometimes we saw that only for, like, say celebrities or famous people. But now, they can be used to attack me or to attack you, actually anybody right?

So, tell us how the use of deepfakes is a threat, a real threat for both consumers and businesses?

Russ: Yeah, absolutely. I think they are a massive threat as the rise of Gen AI, and you touched on it,  fraudsters use the same if not better techniques than we do, or many companies do. And they are very, very good at surging ahead of these technologies and finding ways to create very realistic synthetic identities to both impersonate real people,

Let's talk about digital identity with Riley Hughes, Cofounder and CEO at Trinsic.

This week, Oscar is joined by Riley Hughes, Cofounder and CEO at Trinsic and host of the Future of Identity podcast. They delve into Verifiable Credentials, including what verifiable credentials are, some examples and success stories of how these are being used and implemented, the connections between verifiable credentials and wallets and whether verifiable credentials will become interoperable.

[Transcript below]

"It seems like the future of identity will be much better than it is today."

Riley Hughes is CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralized identity community, Riley has pioneered efforts on making emerging, privacy-preserving technologies such as identity wallets and verifiable credentials adoptable to the masses. He began his career in the decentralized identity space as the second employee hired at the Sovrin Foundation where he established and led several teams.

Connect with Riley on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 97.

Podcast transcript

Oscar Santolalla: This week we are discussing verifiable credentials. I am joined by Riley Hughes, the host of The Future of Identity Podcast, to explore some of the most recent success stories of verifiable credentials and how we can work to improve adoption moving forward. Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Hello, and thank you for joining a new episode over Let’s Talk About Digital Identity. One term that has been in our radar for the last - I would say four or five years has been verifiable credentials. Which I will say personally, I'm feeling that is becoming in the last one, two years pretty crystallised. And we have not talked too much about this lately, so I have a very special guest who has a lot of insight - what's going on worldwide about verifiable credentials.

Our guest today is Riley Hughes. He is the CEO and Co-founder of Trinsic, a reusable identity infrastructure provider. As a leader in the decentralised identity community, Riley has pioneered efforts on making emerging privacy preserving technologies - such as identity wallets and verifiable credentials - adoptable to the masses. He began his career in the decentralised identity space as the second employee hired at the Sovrin Foundation, where he established and led several teams. Hello, Riley.

Riley Hughes: Hi, Oscar. Great to be here.

Oscar: It's great to have this conversation with you. So very welcome. And let's talk about digital identity. And as usual, I want to hear more about our guests. So, if you can tell us about yourself, and especially your journey to this world of identity.

Riley: Happy to do so. I am very fortunate to have totally fallen into this amazing industry. And it happened because while I was at college, I was seeing all those smart people around me going and getting jobs at elite places, you know, investment banks and management consulting firms, and so forth. And I thought that I wanted to kind of differentiate my resume enough that I could, maybe I could get an interview as well at one of these places. So, I thought, “What is the most, kind of, off the wall internship that I could get that would differentiate me from all of my peers?”

And I ended up getting a job at the Sovrin Foundation, as you mentioned. Sovrin at that time was very early. I was, as mentioned, the second employee hired, and it was kind of a blockchain meets identity meets nonprofit, you know, meets early employee kind of a role. And so, it, sort of, fit my criteria for differentiating my resume. But it was also just really, really exciting to be part of an early organisation. It grew up to about 25 employees in short order. And I was able to participate in some of that growth. And that was a lot of fun.

And what I realised is that there are a lot of problems to solve in this world of digital identity. I remember just thinking, “Man, it seems crazy that we are sending people to outer space, and we're editing genes, and we're doing all kinds of unbelievable things with science and technology. And yet, the best way to prove who I am on the internet is to take a photograph of my government-issued document and a selfie, or something. It just seems kind of backwards.” It seems like the future of identity will be much better than it is today.

And so, although I didn't necessarily know whether Sovrin would be the ultimate manifestation of that better digital identity future, I did know that something would happen here that would lead to that better future. And so, I thought I would stick around in this space. I decided not to go for those other kind of recruiting opportunities that I alluded to. And instead, I started Trinsic with a couple of -. And that's kind of how we got to where we are today. That was a little over four years ago.

Oscar: Yeah, super interesting that one of the first jobs - when you start to differentiate yourself - it was Sovrin. How did they find you? How did you find them?

Riley: The Chair of the Board of Sovrin was Phil Windley. And he was a professor at the university that I was attending. So, they had a job posting out for university students. And they didn't have any money yet so they couldn't pay very much and so they needed a university student and that's sort of where I came in.

Oscar: Right place, right time. Fantastic, those coincidences that sometimes happened.

So, you've been around, as you said, four years/five years in this space already. So, what would you say has been something that has surprised you the most, something special you would like to tell us?

Riley: Yeah, that's a great question. I think that when I started in this space, and the way we were talking about verifiable credentials, was as if it was a digital representation of a physical document. Right? And we can get into more about what verifiable credentials are and what they aspire to be. But the thing that was most kind of interesting and surprising recently, is - at Trinsic we are an infrastructure provider for verifiable credentials. And so, when companies want to incorporate a verifiable credential-based solution into their offerings, we're an infrastructure to enable them to do that.

And as we did a kind of - an inventory or a survey of the landscape, of all of our customers and the ones that were most successful. What we realised was that people were not using verifiable credentials as a replacement for a physical document, generally. Instead, what they were using it for, is - in the same way that a FinTech developer might use an open banking API, right?

Basically, open banking allows you to unlock your data from its original silo, which is your bank account, and reuse that financial data and make it interoperable across other third-party applications. And, you know, what our customers were using verifiable credentials to do is something similar, but for personal data. Unlocking that personal data from its original silos and making it useful and interoperable and reusable across multiple applications.

And so, it actually changed, Oscar, the kind of form factor of the product we needed to build, right? And we realised that the correct - you know, we needed to change some things about how we were approaching our product.

So that's been what we've been in the thick of doing for the last few months. And it's been a fun journey. Startups are always a little bit of a roller coaster. And this is a fun part of that roller coaster.

Oscar: OK, super interesting, Riley. So, let's jump into the main topic. So, tell us please, what are verifiable credentials?

Riley: Yeah, I alluded to verifiable credentials often being talked about as a digital representation of a physical document. And generally, when you hear the term verifiable and credential - a credential is sort of an attestation, or a claim made about one party by another party. So, in healthcare, right, your credentials are something that you've obtained, from a trusted source, that you can use to prove to somebody else certain things about you, and what your qualifications are, et cetera. And verifiable credentials are a way to do that verifiably, cryptographically in a digital form.

Now, if we're talking about - I think there's two ways that people use the term ‘verifiable credentials’ today. One is with an uppercase, V and C, an uppercase Verifiable Credentials, that is the formal official W3C Verifiable Credential Data Model Standard. And that is a specific kind of verifiable credential that is sort of an interoperable, and probably the most well-adopted, and well talked about kind of verifiable credential.

And then you have the lowercase, vc, verifiable credential. And there are lots of different kinds of lowercase verifiable credentials. Lots of things that can fit this model of an attestation that is given to you by some trusted party, and used to get access to the things you need throughout your life. So, I guess it depends on which of those you're talking about. But I hope that that's a helpful kind of intro.

Oscar: All right, thank you for that. And the same term can mean different things from different perspectives. Let's make even more concrete.

So, let's hear from you some concrete examples. If you can tell us something that is already widely used, some that most of us might already know about. So, tell us a bit of some examples of verifiable credentials.

Riley: Yeah, I mean, again, if we're to zoom out a little bit and talk about verifiable credentials in the broadest sense. Even something like a credit card could be considered a verifiable credential.

Let's talk about digital identity with Drummond Reed, Director of Trust Services at Gen and Andy Tobin, Commercial Director, Europe at Gen.

In this series opener of Season 5, Drummond Reed and Andy Tobin join Oscar to explore vLEIs and Self Sovereign Identity (SSI). They explore what LEIs and vLEIs are, how SSI principles are used within vLEIs, the benefits of vLEIs, which sectors and industries will benefit the most, and some use cases of where the vLEI has been leveraged.

[Transcript below]

“If LEIs were digitised in a way that could be instantly verifiable, it could transform company onboarding.”

Drummond has spent a quarter-century in Internet identity, security, privacy, and trust infrastructure. He is Director, Trust Services at Gen, previous Avast after their acquisition of Evernym, where he was Chief Trust Officer. He is co-author of the book, ‘Self-Sovereign Identity’ (Manning Publications, 2021) and co-editor of the W3C Decentralized Identifiers (DID) 1.0 specification. At the Trust Over IP Foundation, Drummond is a member of the Steering Committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he served as co-chair of the Sovrin Governance Framework Working Group for five years.

From 2005-2015 he was co-chair of the OASIS XDI Technical Committee, a semantic data interchange protocol that implements Privacy by Design. Drummond also served as Executive Director for two industry foundations: the Information Card Foundation and the Open Identity Exchange, and as a founding board member of the OpenID Foundation, ISTPA, XDI.org, and Identity Commons. In 2002 he received the Digital Identity Pioneer Award from Digital ID World, and in 2013 he was cited as an OASIS Distinguished Contributor.

Connect with Drummond on LinkedIn.

Andy Tobin leads European and eIDAS strategy for Gen's Digital Trust Services business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym as the world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date.

His career has spanned the three rapidly converging sectors of identity, mobile and payments. He has written code to control cash machines, built the world’s first mCommerce server, run a £1.2bn mobile messaging network and been CTO for Europe’s first fully mobile bank. He is a passionate technology strategist who believes that the identity ecosystem and the personal information economy is poised for massive change, enabled by the capabilities being built right now by Avast.

Connect with Andy on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 96.

Podcast transcript

Oscar Santolalla: Welcome back to Season 5 of the Let’s Talk about Digital Identity podcast. In this series opener I am joined by Drummond Reed and Andy Tobin, from Gen Digital, joining us to delve into vLEIs and Self-Sovereign Identity (SSI). Stay tuned to find out more.

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

 Oscar: Today, we are very happy to have two expert guests, Drummond and Andy. And today, we are going to discuss vLEIs and what is the connection with self-sovereign identity.

First of all, we have Drummond Reed. He is Director of Trust Services at Gen, previously Avast after their acquisition of Evernym, where he was the Chief Trust Officer. He is co-author of the book Self-Sovereign Identity, published by Manning Publication in 2021. And he’s co-editor of the W3C Decentralised Identifiers, DID 1.0 Specification. At the Trust Over IP Foundation, Drummond is a member of the steering committee and co-chair of the Governance Stack Working Group and the Concepts and Terminology Working Group. At the Sovrin Foundation, he serves as a co- chair of the Sovrin Governance Framework Working Group for five years. Hello, Drummond.

Drummond Reed: Hello, Oscar. It's very good to be here.

Oscar: Welcome Drummond. Our second guest is Andy Tobin. Andy Tobin leads European and eIDAS strategy for Gen Digital’s Trust Services Business. He is one of the pioneers of self-sovereign identity and helped to establish Evernym, as a world leader in this field. He is a well-known public speaker and writer on the topic of digital identity and has delivered some of the largest SSI projects to date. His career has spanned the three rapidly converging sectors of identity, mobile, and payments. He has written code to control cash machines, built the world's first mCommerce server, run a £1.2 billion mobile messaging network, and been the CTO for Europe's first fully mobile bank. Hello, Andy.

Andy Tobin: Hi, Oscar. Nice to be here.

Oscar: Welcome as well. I'm very happy to have both of you, Drummond and Andy.

So, let's talk about digital identity, and as usual in this show we want to hear a bit more about our guests. So please, both of you tell us a bit about yourself and your journey to this world of identity.

Drummond: Oh, the journey. I don't think we have long enough in this podcast to cover the whole journey. Yes, I'll just say, originally, I was very interested and focused on solving problems of what we'd now call decentralised data exchange, and how people can share data, sort of directly peer to peer over wide area networks, like the internet, when it was first getting going. And I had no idea that to do that you actually had to solve the problem of digital identity and trust. And so, working on that led me over into this area.

We didn't even call it identity when first working on it, we just said, “Hey, there's this challenge that you have to be able to establish a trust network.” And turned out that the problem there was identity. And doing that on a decentralised basis. And at that time, I was working on it was really centralised identity. Where you have an account with every different system you were interacting with. That was the norm, and it was – the pain was such that we had to have some solution to that. And so we thought it was federated identity, where you could take one account and reuse it in a whole bunch of other places. And in the end that's what most people, encounter with social login. The login with Facebook, or Google or Twitter now X, whatever.

And so, we spent 15 years and three generations of standards developing a federated identity. And it seemed like we could get there and then it just – we hit the ceiling. It just – federated identity by putting an intermediary in there made it – you could solve certain problems, but you couldn't solve others. And then blockchain came along and sort of taught us, “Oh, there's a way to make this fully decentralised that actually simplifies things tremendously.” And so that era, I really, market starting in 2015, 2016 that's when Evernym came together, which is where Andy and I met. And we've been working on decentralised ever since. Over to Andy to talk about his journey.

Andy: Yeah. Thanks, Drummond. I think the thing I like to look at most frequently, and that gets me most engaged is - seeing how megatrends that emerge affect existing businesses and capabilities. So, I've seen, for example, the digitisation of payments happening. And then digitisation of telephony happening and the emergence of mobile phones. And then the digitisation of commerce through the internet.

And with the digitalisation of identity, we're seeing really something a little bit different, which is – we need to have the ability as people to identify ourselves or prove things about ourselves - it doesn't need to be identity, it could be anything - without having to rely on anyone else to help us really to do that. So really, we're looking at a return, if you like, to the world we used to inhabit where you could go along with a piece of paper and show it to someone, like a passport, for example, and say, “Hey, look, this is me.” We don't have a digital way of doing that.

And so, there's lots of, what I call, work around solutions in place and Drummond’s just talked about a bunch of them that fudge the problem. The problem is solved properly by giving people digital versions of the paper documents they've got and giving them to those people in a way that enhances their privacy and security online. And when you have that capability, you can apply equally to companies who find it very difficult to prove who they are online, and also to things as well.

And as we move into the next megatrend of artificial intelligence. Underpinning artificial intelligence is - how do you know who or what is at the other end. And as it gets much easier to fake everything, there's going to be an explosion of trust issues. And if we can solve that with some of the techniques that we're working on, which we can, artificial intelligence gets a lot less scary.

Oscar: Yeah, indeed, through your life, I could see the reasons why this topic of self-sovereign entity had to happen. But just a few years ago it is getting, mainstream finally in these very recent years. And now we talk also about the future, there's a lot, a lot of problems to solve still.

In this conversation, let's go into much more specific topic related to self-sovereign identity. This is going to be about vLEIs. But to give a bit of concept, if one of you could throw a simple definition. What is an LEI?

Drummond: The LEI, that's pretty straightforward. In fact, what's ironic, is an LEI is really a classic, what we would call federated identifier, it fits into that second category. And that's because - so it's, to be very, very concrete, it's a 20-digit identifier of a legal entity. And it's important to clarify that term legal entity, because it can - in some legal jurisdictions,

Let's talk about digital identity with Elizabeth Garber and Mark Haine, co-editors of the Global Assured Identity Network paper.

In episode 95, Elizabeth Garber and Mark Haine, who were editors on the Global Assured Identity Network (GAIN) paper, join Oscar to share the latest updates for GAIN, including recapping what GAIN is, the challenges that have been faced, alongside successful case studies and what developments we can expect to see for the future of GAIN.

[Transcript below]

"It's all interconnected with standards development and has a really big impact on how identity systems will work, interoperable, in years to come."

You’ll remember Elizabeth Garber, who was one of the lead editors of the GAIN paper - we interviewed her in episode 52 (back in October 2021).

Elizabeth has a long background in Customer Strategy and Product Management. She has also led the Open Digital Trust Initiative at the Institute of International Finance and co-chairs the OpenID Foundation's GAIN technical proof-of-concept, which strives to create globally interoperable networks for exchanging high-assurance identity information. Since we last interviewed her, she co-founded IDPartner, a venture-backed startup that puts people in control of their digital identities. It will be a key player in any Global Assured Identity Network (GAIN) as interoperable networks begin to flourish.

Elizabeth and Mark recently published a draft paper for the OpenID Foundation called “Human-Centric Design: a primer for government officials” which is all about how to design identity systems to sustain and promote human rights. It is open for public comment - and may feature on a future episode. You can find it on the OpenID Foundation website and blog, openid.net.

Connect with Elizabeth on LinkedIn.

Mark is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate risk in financial services.

Through Considrd.Consulting Ltd. Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role in the OpenID Foundation as Co-Chair of the eKYC & Identity Assurance Working Group and is a co-author of OpenID Connect for Identity Assurance specification.  Mark also is a board member of the Open Identity Exchange.

Connect with Mark on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 95.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello, everyone. You will remember Elizabeth Garber, who was one of the lead editors of the GAIN paper. We interviewed her in episode 52, late in 2021. Elizabeth has a long background in customer strategy and product management. She has also led the Open Digital Trust Initiative at the Institute of International Finance, and she co-chairs the OpenID Foundation's GAIN technical proof-of-concept.

Since we last interviewed her, she co-founded IDPartner, a venture backed Start-Up that puts people in control of their digital identities. This will be a key player in any global assure identity network, as interoperable networks are beginning to flourish.

We have a second guest. Our second guest today is Mark Haine. He is an engineer and entrepreneur who has focussed his career on building solutions that enable business and mitigate the risk in financial services through Considrd.Consulting Ltd. Mark and his team are providing strategic security consultancy to a range of clients. He has also taken on a leadership role on the OpenID Foundation as co-chair of the eKYC and Identity Assurance Working Group and is co-author of OpenID Connect for Identity Assurance Specification. Mark also is a board member of the Open Identity Exchange.

Elizabeth and Mark recently published a draft paper for the OpenID Foundation called Human-Centric Identity: a primer for government officials, which is all about how to design identity systems to sustain and promote human rights. As we speak, it's open for public comment. You can find it on the OpenID Foundation website - openid.net. So, let's get started.

Hello, Elizabeth. Hello, Mark.

Elizabeth Garber: Hi.

Mark Haine: Hi.

Oscar: It's very nice having you. Welcome back, Elizabeth, and welcome for the first time Mark. So, we'll hear more about GAIN, this initiative that was launched a bit less than two years ago. And we really want to hear the news about that. But to get started, we always want to hear about our guests.

So, for all of you, please tell us about yourself and your journey to the world of identity.

Elizabeth: Okay, I'll go first. For me, the journey really started in identity when I was working at a bank. We had introduced a new vendor into our identity and access management program. I won't say who because it didn't really go very well at first. But I was brought in as kind of fresh eyes to lead a root cause analysis exercise and make some quick changes and fixes. And that led to two things.

First, I ended up taking a digital products role on that team and having more and more to do with identity. And second, I was absolutely hooked on the industry. So, there were just so many interconnected challenges and opportunities. The stakes were really, really high. So, I started to form partnerships outside the bank, and most notably with the person who would become my good friend and my Start-Up co-founder Rod Boothby. So, he brought me into the Open Digital Trust Initiative with all the world's leading banks, the IRS, and also the OpenID Foundation.

And that, of course, led to the GAIN paper where I quickly raised my hand to help out and Mark my colleague here and the other co-editors. I then still co-chair the proof-of-concept along with Mark and authored the follow up paper, which will be out by the time this podcast airs, I think.

Mark and I then wrote the paper you just referenced, which is addressing how government identity systems can sustain and promote human rights. All of those papers can be found on the OpenID website, by the way, openid.net.

Since we last talked, I co-founded my company IDPartner, which is really in the spirit of GAIN and is seeking to help banks and other parties connect into such a global network. So yeah, I'm still relatively new to this industry of being a few years in now, but it's pretty much consumed the majority of my waking moments for the last three to four years.

Mark: So, we're in some ways similar to Elizabeth, but in other ways slightly different. My background is also from financial services. I have had a number of operational roles and then design and architecture roles in primarily UK banks. I've had a rich array of roles. I'm taking on some really interesting challenges along the way. It started out with operational I.T., moved into networks and security design and after some time and lots of rich experiences.

I ended up in the Identity and Access Management team at a large UK bank having done a bunch of work on future architectures for that organisation and innovation team. And around that time the UK was starting to move towards open banking. I managed to switch over to become a core member of the Open Banking UK implementation Entity Security Team, where I was involved in designing various aspects of the open banking architecture and the protocols involved. And that led me to interact with a bunch of people from the OpenID Foundation, who recruited me to come and help on the open standards side of things more actively, after I moved on from open banking to do other things.

Since then, we've been working on new draft specifications, and writing a number of white papers, including the GAIN white paper and the one that Elizabeth and I have been working on together about human rights in the context of government digital identity. And here we are today.

Oscar: Excellent. Thanks both of you for sharing your story. Before starting to hear the newer things that happened for GAIN, I hope you can give us an overview. So, what is the Global Assure Identity Network?

Elizabeth: Well, so back in 2021 when we last spoke, GAIN was just a paper. It was - we used to say it was no logos and pro-bono. It was 156 individuals, identity and industry experts who signed as individuals because it contained so much that they could all agree on. And primarily that was that we wanted to build a globally interoperable network for high assurance identity.

We wanted to connect the islands of trust that exist out there today, the different ecosystems where you can be trusted. And we want to create new ones and connect those too. We want to make it possible for somebody in the US, like me to transact with somebody in Finland confident that you could trust who it was on the other end of that digital session.

And we wanted to do that in a really - privacy preserving way. So, no new databases being introduced of PII, full customer consent for sharing and really the minimal amount of information required. All of that was the stuff that the original authors could agree on. At the time we wrote it addressing financial institutions. We didn't think any such network were going to be inclusively or exclusively led by banks.

But we did argue the banks were really well-placed to catalyse such a movement as they had done in Sweden, Norway and other places. And also, open banking was a growing enabler and there were lots of benefits to them, their customers and others. If they took a lead and did so with a sense of urgency. What we have seen in the intervening years though, is that while that's still true and still would be a great catalyst, but other corners of the market are moving very, very quickly. We're having broader conversations now in relation to GAIN,

Let's talk about digital identity with Keith Uber, VP in charge of Sales Engineering at Ubisecure.

In episode 94, Keith joins Oscar to delve into Single Sign-On (SSO) best practises and how organisations can implement SSO – including technical aspects, how it used in practise and the advantages of SSO.

[Transcript below]

"The best type of single sign-on is where the user doesn't notice it."

Keith is VP Customer Success at Ubisecure. As an Identity and Access Management product expert, he leads the Sales Engineering team and is involved in many stages in the planning and design of demanding customer implementation projects. Keith is active in various industry organisations and has a keen interest particularly in government mandated digital identity systems. He holds a bachelor’s degree in I.T. and a master’s degree in Economics, specialising in software business.

Check out Keith’s SSO video series.

Connect with Keith on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 94.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining a new episode of Let’s Talk About Digital Identity. Single Sign-On is one thing that, today we take it for granted. So, it's even hard for us to remember when was the first time we have used it. Today, we'll go a bit deeper into that and in which direction Single Sign-On is going. And for that we have a special guest, who is Keith Uber, VP at Ubisecure. Hello, Keith.

Keith Uber: Hi, Oscar.

Oscar: Thank you for joining us for the second time. So, you have been – two years ago. Two years ago, you've been here before talking about mergers and acquisitions. So happy to have you back here.

Keith: It’s a pleasure. Thank you for the invite to come back.

Oscar: Yeah, nice to have you, Keith. And we'd like to hit a few things about yourself. So, you can tell us about your journey to the world of digital identity.

Keith: Yeah. So, my entry into the world of identity probably began around the year 2000 when I had just moved to Finland from Australia. I was working for telco provider, who was in the – around the dot-com boom era had been acquiring lots of small businesses. Lots of startups, they had their own projects and all of these have many different types of identity systems and lobbying systems. And my introduction to that process was – my job was to evaluate different solutions to their problem and ultimately, take part in a commercial pilot to implement a product to solve that problem.

Oscar: Excellent. And I already can imagine that a single sign-on had some role on that. Just guessing that yes, single sign-on is something that. I was really trying to remember when was the first time that I used it and it's quite difficult. Because it has been coming in different, in different flavours I would say.

Probably the first time I used was in one of my first jobs when, you know, you go to the office - people used to go to the office every day, and today is not, not for everyone at least. And then you sit down, and you login to your computer. You login to the domain and then suddenly, you can access some of the internal applications without logging in again. So that is one of the ways. And then later it came, what we see more often today is the web single sign-on, right? So, several applications.

So, in order to start with the basics, how you define single sign-on in a nutshell?

Keith: Yeah. Single Sign-On is maybe a more technical term that the industry understands. But for the end users, they don't really understand what the single sign-on means. But they do understand that they don't want to have to sign in again and again to different parts of the same website or different sections of the same company. So single sign-on is the ability to sign-on once using any form and use that same session information across many different services. For the end user, that's great. That means that's one less username and password, or many, many less username and passwords, or many less authentication methods for the user to manage.

And you mentioned the internet, or the web-based applications has a kind of thing they sort of came along. So, a long time ago, we all used to have desktop machines, and we would have PAT [personal access token] client-based applications and we’d even have to sign into those. Early on, there were different solutions for remembering and replaying the usernames and passwords across different PAT client applications. And that's what we call enterprise single sign-on.

That's very much faded away as the world has moved to web browser-based applications where people are spending most of their time in a browser or signing into applications based on browser-based technologies.

Oscar: Thinking of we, as normal user, like majority of users, we are using without noticing, right? You might ask people what is single sign-on and not sure or maybe they try to find meaning from the name itself, but it's everywhere.

So, if you can tell us a bit more how people are using single sign-on, SSO, in practice? So, what are the - how many ways, what are the scenarios? How many scenarios? Or just mention of a few of the most common ones.

Keith: Yeah. So single sign-on in essence is the reduction in the number of times that you have to sign-in to the different services. So instead of signing into different parts of the same website that might be based on different technologies, you only have to sign in once. And then when you transfer to a different section of the website or a different application within an organisation. You're already logged in, your name appears, and your information appears.

And a lot of what's happening, or the technology behind that is happening behind the scenes. It's mainly invisible to the user and that sometimes makes demonstrating single sign-on, for example, quite a boring demo. Because you're actually removing a lot of the things which you don't want to see, and the end result is you see nothing. So, the best type of single sign-on is where the user doesn't notice it.

But there are other advantages. For example, in order to create an account, you only have to create that account once. So, the user registration process is also simplified with a single sign-on. Without single sign-on, you would have to have a registration process for every individual user application. Or at least some way to authorise your account to be used on other applications. So that makes it easier.

And then password reset, or credential management is then simplified. Because instead of having to reset your password in different services, you can reset your password in one spot, and it’s the same password used for many different services.

Oscar: Yeah, indeed, that illustrates the advantages that as you also said is the users don't notice. It’s well, in a way, invisible once it’s set up.

So, going deeper into, what are the nuts and bolts of single sign-on? I'm sure there are many technicalities behind, but what are the main standards that make single sign-on possible?

Keith: Yeah. So single sign-on doesn't have to be done using standards. But of course, standards simplify the implementation process and simplify the management of the solution. There's basically two main standards which are in use today. The older standard is called SAML 2.0. And this is an XML-based standard. A way to transfer information about the user and the login session between different services using public key-based technology. In more recent years, and the more modern technology is what we call OpenID Connect, which is based on OAuth 2.0. Different workflows use different parts of those two standards.

And that's a JSON-based, REST JSON-based protocol. It implements most of the same use cases, most of the same user flows. But of course, as technology has developed, new use cases have come, now OpenID Connect is what we call the gold standard. Even though it’s the gold standard, there’s still a lot of software systems and products which are based on the SAML 2.0 standard.

So, to truly implement SSO in a - as wide range of target applications as possible, the best thing is to have a solution that supports multiple standards. And there's ways to bridge between these two standards. So that some applications can use SAML 2.0, and other applications we use OpenID Connect and you don't have to do a lot of your own development work. Because if the products and the servers support those standards, it's pretty much plug and play.

Oscar: Yeah, indeed, as you said, two main standards, even though there are other ways, but then two main standards is SAML 2.0 and OpenID Connect. Yeah, even though there are two main standards, there are a lot of software that can make single sign-on happen. We know because from experience being talking with customers, organisations in different sizes. And even though we feel as user that single sign-on is almost ubiquitous. There are still many organisations, companies that don't have single sign-on or don't have single sign-on, at least for all the applications.

So, it's common that there might be in an organisation, let's say 20 applications and a portion of them, let's say four of them, which have some similarity, they have single sign-on. But all the rest are disconnected, different identities for that.

So, there is still some technicalities behind putting that in practice from an organisation perspective. So, if you can tell us how organisations can implement SSO. The main step, let's say, for setting up single sign-on.

Keith: Yeah. What you described is a common scenario that even a company that's implemented SSO in their environment.

Let's talk about digital identity with Kalev Pihl, CEO of SK ID Solutions.

In episode 93, Oscar is joined by Kalev Pihl, to answer ‘What are the cultural aspects of digital identity?’  They delve into the role of culture in shaping digital identity and how digital identity is being treated as a detached technology, without considering cultural differences. Alongside discussing the challenges in recognising these cultural aspects, as well as sharing some of the solutions at have successfully prioritised the human aspects of digital identity.

[Transcript below]

"We have to be designing mindfully those digital identity solutions for a specific culture, and I think that this is a value in the world."

Kalev has worked with digital identity over 25 years. Started with the topic in governmental side preparing Estonia for electronic identity on national identity card. Has since worked in financial sector and in Microsoft. Last 15 years he has been CEO of SK ID Solutions – trust service provider that serves digital identities in Estonia, Latvia and Lithuania.

Connect with Kalev on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 93.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thank you for joining a new episode over Let’s Talk About Digital Identity. What are the cultural aspects of digital identity? So that's definitely a good question and very relevant questions and this is one of the questions that our guest today is going to answer.

Our guest today is Kalev Pihl. He has worked with digital identity over 25 years. He started with a topic in governmental side, preparing Estonia for electronic identity, or national identity cards. Since then, Kalev has worked in the financial sector and in Microsoft. During the last 15 years, he has been the CEO of SK ID Solutions, a trust service provider that serves digital identities in Estonia, Latvia, and Lithuania. Hello, Kalev.

Kalev Pihl: Hi, Oscar.

Oscar: It's nice talking with you, Kalev.

Kalev: It's been a while.

Oscar: Yes, Kalev. So, let's talk about digital identity. And the first thing we want to hear from our guest is something about yourself and especially your journey to this world of digital identity.

Kalev: I think of the journey to digital identity for me went through this very physical, governmentally controlled national identity. So that was my starting point. And I guess that's where I'm a bit stuck with my mindset as well, sometimes. And this is my limit. But that's how it started.

So, it started from the idea that in the world of physical human beings. Governments tend to have this role in society to name, number and identify the residents, they treat as their residents of the country, we are speaking about.

And whilst we have probably different other nicknames in different other societies. And somehow, globally, these governmental-issued identities have become the norm of; How do we know each other across the world. How do we identify the people whom we don't know beforehand. So, I think from that angle, I've stuck with the idea that governments have the role of naming and identifying who we are.

Oscar: Yeah, indeed. I think it’s – I mean, in my view, probably in the constitution in most countries, I'm not a lawyer, but I'm sure it's written in some of the laws. So that's one of the functions of the government. And yeah, and that has been translated in our very, let's say, not very recent time. But talking, especially in the last maybe 20 years that we have such digital identifications, like Estonia is pioneering and in a few other countries as well. It's pretty digital, pretty well-established.

Kalev: Yeah. I think that the – for the beginning of any country or state in the physical world, some limit, some borders, what is the ground they own. Then we are talking about some legal framework, what is the agreement. Then we need to know; between whom is the agreement? And those are then the human beings in the society, and that's kind of what every state or country is made of, I would say.

And that's something that if we go now, from this real-life identity and tried to tackle the digital identity, the idea. Then there are two kinds of attitudes. One is that digital world is borderless, global or universal even. And therefore, doesn't require and there’s no relation to any, these kind of physical limitations and countries, states and therefore, like no borders, no anything. And then the other is that it is just – it should be, is and will be always a reflection of something that physically makes sense. Only then it becomes meaningful in a larger context when it is physically meaningful.

So, I think that's one of the staring points if we say that there is point to the cultural differences. Then the culture that we started off is clearly not so much digital, but rather what is the culture before any digital and then definitely, we have different digital cultures as well.

Oscar: Yeah, yeah, that's true. Every country has internally a different culture while some often several cultures inside a country as well. And this is something that shapes digital identities that we, the ones who are in this industry have been shaping and continue shaping today. So, yeah, tell me more about that role that the culture plays in shaping and influencing the current and the ones that are coming in the digital identity.

Kalev: Yep, sure. That's the topic for today. So, the culture that we can see in the digital identities is quite a lot, related to, the ways how we culturally trust our own governments. How the government trusts its citizens, residents. And also, it's very tightly connected to the idea of what is and how the privacy as such is defined in the society. A couple of episodes ago, you discussed heavily again, this kind of ISO standard on the privacy. And privacy is something that is cultural as well, and it's not globally, universally defined as a value. And where the value kind of lies actually and these cultural differences. How they look in the digital identity is exactly, I would say, let's take the two extremes.

One of those extremes is that digital identity is something that is central, that binds all of the digital actions that one does in a digital world together. And therefore, makes you, in essence, traceable, recognised everywhere. You cannot hide in a digital world, based on that identity. This identity reveals you everywhere.

And then we have the other extreme. We have digital identity that must, in essence by definition, protect you from being recognised from one environment to another. You must have different representation in different contexts. You have to have the right not to be recognised and not to be traced.

So, I would say that, culturally, the need might be on both of those extremes and something in the middle. And that's I think, something that we are struggling globally now, that we are trying to talk about digital identity and what this identity does. What kind of privacy does it guarantee and what the privacy means to anybody.

And then we – then we are stuck with the fact that we don't define the digital identity. We believe that everybody understands the identity and digital identity in the same manner. And then we also tried to say that the privacy is preserved. Privacy is granted. Privacy is by default as we like to say, or by definition and by default. But what this privacy means in this context of digital identity and usability also is not defined. So, we kind of use the buzzwords, and we neglect the background from which we come from. And therefore, we don't understand each other, and we try to regulate that into different places. And well, do a lot of mistakes in that.

Oscar: Yeah.

Kalev: I don’t know if that makes sense to you, Oscar.

Oscar: Of course, a lot of sense. So, one concept, one particular concept you mentioned is privacy, right? Which can – well, not can but means different things in different cultures, in different countries. That's true. I understand that. And it's a challenge to try to have a definition and based on that create the laws, create the technologies that support that. Yeah, indeed. It's a very, very good reflection that you are doing.

Kalev: I think that with the privacy, again, similarly, those extremes. And as I said, one of those extremes is on this identity and the definition regarding that privacy is that: OK, the privacy means that there is no data about me anywhere that I specifically didn't reveal myself knowingly, giving the consent to that specific data to be revealed about me. Which makes me in the centre of all the transactions about me. And well, gives me a lot of work, let's be honest, because there are several institutions all the time that work kind of for me. Make my digital life easier, and they need to make decisions. And if those decisions need my data, then therefore I need to make a lot of decisions to reveal or not reveal that data to them.

And the other side of that is and I would say the other way of looking at the same privacy, kind of, from the same concept. Still saying that privacy is preserved, privacy is kind of granted and by default, by definition. Is that whenever your data is used, then you, by nature of the setup, have the control over who and where and for what used your data. And therefore, you can kind of trace back it and say that, well, why did you do one or the other thing? And if they didn't have the right, didn't have your permission, didn't have legal rights to something then they will be punished by the law.

So, it's kind of - one is preventing anything to happen upfront.