The Journey of Identity Podcast

Identity: Back to Basics

by David Rihak
on Aug 11, 2020

Patricia ( 00:05 )

Today we'd like to kick off our podcast show with the very basics of digital identity with David. So David, could you please start with defining what the digital identity is?

David ( 00:25 )

So digital identity is a difficult topic, actually. I guess there are a couple of definitions that we can adhere to. I think the very basic definition of digital identity is the stuff that is either able to identify you as a person or stuff that somehow relates to you as a single - a person in the identities or the digital space. It's not really stuff that, you know, we usually think about like your personal details somehow digitized in a digital form. For example, your first name and last name written in some database somewhere. It could be that, but it could also be other things like, you know, your record in Google Maps, for example, or even your IP address. And some that you probably wouldn't normally think about as being part of your digital identity. Nevertheless, these things are things that actually identify, and they can be used to identify you as a single person. And therefore, they are actually a part of your digital identity.

Patricia ( 01:34 )

Okay, good. So, where can we use it? Like in daily life? Or how it can be applied for a normal person in their daily life?

David ( 01:47 )

So, you know, this is actually interesting because the digital identity isn't always something you use, right? Sometimes it's really things that maybe are used about you by other parties because we have to realize that the digital identity or digital identity is usually relevant only in scenarios where you've got another party that somehow needs to know something about you, right. Or maybe it doesn't have to be your personal details, but maybe it has to be at least what you can do, right? So it's not always things that it's not always, you, who are working with your digital identity. On the other side, you should definitely have control over your digital identity, which unfortunately isn't always the case these days. We do have the GDPR. We do have, at least in theory, this idea that you are in control, at least to the extent that you're able to revoke, let's say the right for someone else to possess information about you.

( 02:49 )

The issue is, do you really know who has information about you? Right. So how can you technically get that sorted out? That is a completely different question. But from the other perspective, you also have these things we sort of think about as digital identity, which allows you to do something in the digital space. So the most primitive example of your digital identity is the username and password. We've all heard of the joke. No one can tell you are a dog on the internet. It's precisely that. With these types of technologies, it's really difficult to say, this is really the person on the other side because it's not secure enough. Right. And we've got some workaround; we've got some methods that help you. Some may boost the security of this, but at the end of the day, if we're talking about digital identity, from the perspective of something that people use, we should all be thinking about stuff like the username and password, and also stuff like new technologies that help improve this, or maybe completely shift the way we think about this type of digital identity.

Patricia ( 03:59 )

Okay. So let's go to the risks actually, because I think that's quite interesting. We let's work with what are the risks of the digital identity, or how it is done nowadays that it's risky, and it should not be done this way.

David ( 04:14 )

So I guess, you know, this leads back to the username and password. If we look at this from a technical perspective, it doesn't really matter whether it's your email account where no one knows who you are, but it's still a part of your digital identity, right? You've got a lot of sensitive information that goes through your email account. It depends on who you are also. I mean, I personally have several email accounts. Some of them I use for spams, some of them I use for my personal things. Some of them are my work emails, right. And for a lot of those, I have several for all of those domains. But in all of these cases, even if it's, on the one hand, maybe stuff like email, and on the other hand, even perhaps some government service, a lot of government services these days still use your username and password as a means of authenticating users.

 ( 05:10 )

You still have the problem, which is, is it secure? What if I accidentally by some phishing email or some other, sort of man-in-the-middle attack as they call it, someone else, some attacker gets ahold of my credentials? Is it still me who is sort of doing, you know, posting those things on that government service or, or sending emails to someone else on my behalf, through my email account, right? So those are the technical risks. On the other side, we see that there are technologies that help you somehow mitigate these by doing some, you know, adaptive multifactor analysis, checking things like, okay, where are you? Where are you logging in from? Is it your typical location? And these are all nice things. But these are all things that can be faked because we have to realize that the internet and just the digital technologies in general, they work on a different principle. They work on a principle where, you know, you can't really distinguish one piece of data from another. Unless there's cryptography involved, unless it's done in a way that cannot be compromised or that you can ensure integrity, for example. Right? So the risks really are associated with identity theft. What happens when someone else gets a hold of your identity means and can fake online that they're actually you.

Patricia ( 06:42 )

Nicely explained. In the digital world, they can steal your identity. That's what you just said. And normally I'm thinking about a normal world identity. Can you just draw a line? The difference between those two?

David ( 07:00 )

Yeah, well, you know, with the normal, the question is what normal identity is, right? You've got your legal identity, you've got your first name, your last name, your document, really, the document identification number that, and the biometric on the document that associates this with you, right? That's a part of your identity. Another part is your social identity. And if you think about it and in the real world, it's much more difficult to steal that, right? Because it's actually physically, somehow coupled with your physical person. If you know, I go and pretend that I'm you in a group of your friends, they're probably not going to believe me, right. Unless I get a very good surgeon, which is probably going to cost me a lot of money. On the internet, on the other side, the whole situation is actually completely opposite, because on the internet, what you can do is you can actually very cheaply steal a lot of different identities from a lot of different people at the same time. If you have a good hacker, let's say, right, and you know how to do this. And you have a system that is not protected well enough. It's really easy to just basically steal identities of multiple people at the same time at one go. So this is sort of the balance. And I think that's really where we have to sort of draw the line and realize the principles that we are used to thinking about in the physical world are principles that don't necessarily apply in the virtual world.

Patricia ( 08:49 )

That's very much true. That's a completely different dimension, everything about it. And well, we know the risks. What about now saying how it should be done? Because we pictured, we illustrated how, what are the risks, what's not working, and what's wrong? So how should it be done actually, the right way? What's the future? What's the presence of that?

David ( 09:13 )

Yeah, so we do see, I mean, this is an open topic, right? There's a lot of different people that are trying to tackle this problem and create a solution that is the ideal fit for all types of purposes. And it can be used to secure, you know, our digital identities in real practice. A lot of these approaches are sort of still going the old way and, and thinking, okay, we built some centralized identity system, and by using that system, we derive all the other identities and relationships in for all of the services, right? And I think this is really an example of how not to do it. And, this is not to sort of pick at anyone. Uh, but if we look at how a lot of the governments do it, and if we look at the types of technologies they use, you soon find out that these are really approaches that are not very scalable and they are essentially designed in a way that you'd have to have some sort of one central all-knowing identity system that can just tell you all the verified identity things about you that you need and everything.

( 10:28 )

And that's the problem, right? That's not really the way you can work with identity systems. So I think that what we really need to start thinking about is how we can build distributed identity systems, that can sort of separate identity into what it really is in the real world, which is its relationships, right? You may know me, your opinion about me and your knowledge about me is probably very different than what the government knows about me. It's probably different from what Facebook knows about me. It's probably very different from what my email account knows about me, right? Because you know, everything that's in my email account is a part of my digital identity effectively. So it's not just sort of some identifiers and some cryptography, but it's also the assets and the stuff that's behind the identity that we really have to be thinking about.

( 11:20 )

And for that reason, we really need a distributed identity that separates my private life from my legal life. My professional life, from whatever I do at night. So these are the things that you see this in practice. It is this ever going question on, okay, if you were trying to get a new job. How do you know that your potential employer doesn't go through all of your social accounts? If you're not smart enough to know that you need to, or not smart enough, but you just don't know. And the way you want to use account in some part of your life, maybe open and in some, it may not. Right. So this is a very difficult question, but essentially one of the first things that we, I think we should get straight, and we should sort of all get on the same boat. It is that we need some sort of distributed identity design. And I think, I think if you think about it, uh, uh, there are things that are going this way. So there are some of the older designs that are still thinking about identity from sort of this technically PKI, architecture type perspective. But you've got new things like the verifiable credentials, which I think is really going in the right direction.

Patricia ( 12:34 )

Oh, that's a very topic and from many points that can be discussed further on in our next podcast show for sure. But on the final note, I would like to wrap it up with a general note - in one to two sentences, why is it important the digital identity? Why, in general, on a societal level, on the macro level, as humanity, where are we going? Why we should care.

David ( 13:02 )

This is a really good question. And I think we should always start with this question because the reason why it's important is whether we want it or not. It's becoming more and more important in our daily lives, right? It used to be that internet services used to be only for posting content online. You didn't need any identity at that time, but these days you've got your banking online, the governments are going more and more towards putting all the services that you typically have to go for, you know, physically, somewhere. They want to put these online. And there are, they are putting these things online as well. And more of the services that are more of the things that we're used to even today doing physically: the transactions and the relationships, that were physically used to physically establishing with other legal entities, basically anyone. Whether it's a business, whether it's a personal relationship or whether it's maybe a relationship with the government. All of these things are going digital, and this is why digital identities are enormously important.

( 14:10 )

And from the other perspective, we also have to realize that with this growth comes a responsibility because this new paradigm of a digital world is working in different principles. And we need to really start considering that it's not, we can just sort of copy-paste what we had before and go on a limit, living as nothing happened. But we have to really reassess how we go about in this new world where we've got a lot, a whole lot of different new problems ranging from cybersecurity all the way to, okay, how private is your life, really, if you're sharing everything on Facebook, for example. So that's why digital identity is important, because whether we want it or not the times that basically changed in a way that the internet services are here. And they're very beneficial for us, right? This is, this is not something that just happens. And we can sort of say, okay, so why don't we just live without it? No, this is really progress in a good way to go forward from any or all of the perspectives. But we just need to make sure that we do it right from the digital identity perspective.

Patricia ( 15:23 )

That's very good closure for the very first episode of our, The Journey of Identity podcast. So thank you very much. I'm looking forward to the next talk.