Steve Wilson

Former Vice President and Principal Analyst Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

NFTs (non-fungible tokens) are one of the hottest applications for blockchain at the moment. The initial craze has died down, and indeed there has been a backlash against the multimillion dollar cartoon monkeys. So what was THAT about? If putting graphics on the blockchain was some kinda of proof of concept, what is the concept exactly?

Enterprise applications for NFTs are emerging, and many see the technology as foundational in the Web 3 or metaverse to come. 

In this blog I am going to compare the purpose and functions of NFTs with Bitcoin and Decentralised Identifiers (DIDs).  I think it’s important to see the common patterns in these three blockchain applications. They share the same techno-libertarian roots, and they all pull off a very similar trick.

They all prove the uniqueness, or equivalently, the originality, of certain digital events, without relying on any official or central authority.

What sort of problem are we solving?

Understanding how these decentralized technologies are all similarly specialized, sheds light on their limitations. Let’s heed and learn from the fact that the early promise of blockchain has not led to matching benefits realisation. I find it especially sobering that two of the best thought through third generation blockchain – IBM-Mersk Tradelens and the ASX-Digital Asset stock market settlement system – projects have recently folded.

So let’s be more careful as we head into the metaverse with high expectations of NFTs.

The key is to understand precisely where decentralization surfaces with these technologies.

Decentralization is part of the digital zeitgeist but historically it’s unusual in business and society. The vast majority of us live and work within myriad authority structures. We deal on a daily basis with intermediaries and institutions that have evolved over decades (or even centuries) as the most efficient ways of organising complex communities. It is rare that these structures can be decentralized, and ever rarer that the benefit of decentralization is worth the cost.

Bitcoin, NFTs and DIDs all do something that is truly unique, but it is very specialised.

What’s the big deal with NFTs? 

I am not going to comment on the vagaries of the art market, where NFTs are getting perhaps the most attention. As a technology analyst, I don’t have a professional opinion about whether JPEGs of monkeys count as art at all.

Instead, I will focus on really special technical property of NFTs: their ability to prove originality of digital artifacts.

The token in a Non-Fungible Token is a compact and unique numerical proxy for something like an image. This is the same basic type of “token” used to mask credit card numbers. An NFT is a digitally signed token which is registered, usually on a blockchain, so it can be transferred as a unit but never divided or duplicated without detection.

Decentralised digital currency

Let’s revisit cryptocurrency. This was the exemplary and original use case for public blockchain , from which all contemporary decentralization has emerged.

Remember that to prevent double spending, Bitcoin uses the blockchain algorithm to monitor all BTC movements.  The community determines by consensus the order of every attempted BTC transfer, and the blockchain data structure memorializes the agreement.

This is really a matter of originality. The essence of the Bitcoin blockchain is to decide, without any official, which BTC transfer came first; that is, which transfer is considered to be original.

Decentralised Identifiers

When I first met Decentralized Identifiers (DIDs) the problem being solved was how to self-publish an identifier that is assured to be unique on a large name space. Some communities wish to allow their members to manage their own lifelong identifiers without being beholder to governments or banks. How can people “bring their own” ID and be sure they’re not going to clash with someone else’s choice of ID?  The task of proving uniqueness of an ID on a given domain generally requires an authoritative register and a trusted registrar.

It dawned on some people that a pubic blockchain could provide the means for a community to have self-published identifiers that are provably unique on the community’s domain, without any central registration. This led to the foundational blockchain DID method, in which a user creates an identifier (essentially a long, largely random and hard-to-guess string) in an agreed format, signs the DID using their private key, and publishes it to be ratified.

The community votes on whether that DID has ever been seen before, and if not, deems it to be unique and memorialises it. Thence the DID is attributed to (owned by) the holder of the private key that signed the first appearance. As with Bitcoin, no one need know the identity of the key holder; there is no central trusted registrar or naming authority of the actors, their key pairs and IDs.

A common pattern

I have come to the view that the real mission of public permissionless blockchains is proof of originality in settings where you have the option to reject authority. This is what they do that is special.

At some level, NFTs, BTC and blockchain DIDs are really the same thing.

They each rest on decentralised consensus that a certain event took place for the first time, whether it be that

• Alice sent some number of coins to Bob, or
• Alice generated and self-published a never-seen-before DID, or
• Alice authored a given digital object.

Each event is verifiably signed by Alice using a key pair which she owns and everyone in a community is satisfied she owns, without any central registrar or administrator.

The blockchain creates order out of the chaos https://www.constellationr.com/blog-news/order-out-chaos  where no one knows which key pair goes with which account, and no one cares.

But this is a self-imposed chaos!

Now, where does it matter?

BTC, NFTs and DIDs all have very similar motivations: to make certain actions “official” without central administration. BTC, NFTs and DIDs each bind a certain event to a key pair; the owner of that key pair is deemed by consensus to be the one and only sender of the BTC, or the subject of the DID, or the creator of the tokenised digital work.

So that’s the special technical trick they all share, but whether proving originality in this way is sensible or worth the cost, is another question. The benefits matter most to communities that reject central authority.  By the same token (no pun intended) the benefits are diluted or entirely academic in settings where a central authority is necessary for other reasons.

There actually aren’t many things that can be accomplished without a central authority.  We must take great care with use case selection. The really good use cases for BTC, DIDs and NFTs are rarefied and fragile.

Hybrid use cases in which the decentralized log of events import critical facts established by external sources of truth render the hybrid architecture pretty vacant. If Sotheby’s for example vouches for an artwork and then mints an NFT to that effect, or a winemaker attaches an RFID tag to a special vintage bottle, or a government agency tokenizes a land title deed, then what’s the point of crowdsourcing the order of subsequent events and transfers?

Steve Wilson

Former Vice President and Principal Analyst Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

One of Australia's worst ever data breaches occured in September 2022 when the telecommunication carrier Optus was attacked by cybercriminals and personal data on approximaley half the population was leaked. It triggered a mass response, knowing that so much personal data used to establish identity was coming onto the criminal black markets; many governments expedited the renewal processes for driver licences and the like. 

And there was sudden renewed interest in the various digital identity initiatives of Australian state & federal governments.  It just so happened that the federal myGov program was under review, andthe scope of that examination was broadened (at least unoffocially) to consider if the newish myGovID could be modified somehow to provide improved "digital identity resilience". 

But it's a mistake to think of these as identity problems. They are data problems.  To be precise, it’s the quality of the data that we use in identification that needs to be addressed.

Frankly, there is no such thing as "identity theft". What happens after a brach is that personal details used to establish identity fall into criminal hands and get reused behindour backs to impersonate us. That sounds like I’m splitting hairs, but the point is we can’t protect people by just updating their data. That’s no lasting fix. Changing driver licence data or passport data is not a sustainable response when another breach is inevitably around the corner. People deserve better safety in a modern digital economy. 

The root problem that makes people vulnerable after a breach today is that businesses can’t tell the difference between original data and copies. Websites can’t tell if a form is being filled in by a genuine customer or an imposter. So stolen data is traded on black markets and used by imposters behind our backs.

Data is the lifeblood of the digital world. Data sharing can only expand in coming years. Of course excessive, nefarious, covert and deceptive data collection must be fought, but well-intended data collection must continue. Instead of changing the way data is used, we must change the way data is presented.

We must make data better.

Instead of having people type raw numbers into forms to establish their bona fides, we should transition to digital presentation of cryptographically protected facts and figures. Digital credentials should be signed by their issuers when issued, to prove their origin, and must be signed again by their holders when presented, to prove the owner consented to each transaction, or was at least actively involved.

The signing is relatively easy. It’s built into mobile technologies and used seamlessly every time we bring up a virtual credit card from a mobile phone wallet.

We should be adding official digital copies of driver licences, Medicare cards, passports, and all official facts and figures into digital wallets — whether they be government mobile apps such as that of Service NSW, the Apple and Google wallets, or new versions of the future Open Wallet standard.

People should be able to move their important data around with exactly the same convenience, privacy and security as they move their digital money.

Stay tuned through 2023 as I publish more on Data Protection as a Service, andcheck out our Constellation Shortlist of Data Protection Infostructure solutions. 

Steve Wilson

Former Vice President and Principal Analyst Constellation Research

Steve Wilson is former VP and Principal Analyst at Constellation Research, leading the business theme Digital Safety and Privacy. His coverage includes digital identity, data protection, data privacy, cryptography, and trust. His advisory services to CIOs, CISOs, CPOs and IT architects include identity product strategy, security practice benchmarking, Privacy by Design (PbD), privacy engineering and Privacy [or Data Protection] Impact Assessments (PIA, DPIA). Coverage Areas: -  Identity management, frameworks & governance-  Digital identity technologies-  Privacy by Design -  Big Data; “Big Privacy”-  Identity & privacy innovation Previous experience: Wilson has worked in ICT innovation, research, development and analysis for over 25 years. With double…...

Read more

The Internet, e-commerce, and digital discourse are dominated by identity. Until recently, identity was all we had to go on when trying to trust other people online. We developed a terrible habit of over-identifying: Relying parties tend to collect circumstantial clues, like credit card verification codes and social security numbers, instead of properly verifying what really matters. People divulge excessive personal data (often unwittingly) which then leaks and gets abused by criminals. We have way too much identity, sloshing around.

Is there a paradigm shift coming? The most important developments in our industry — Self-Sovereign Identity, the FIDO Alliance, and verifiable credentials — are really not about identity at all, but authorship, provenance, integrity, and control. Let’s move beyond identity and imagine a world where cryptographic infostructure is as universal as electricity or clean water. All the data we need is hallmarked, traceable and trustworthy thanks to authentication technologies.

An Unhealthy Obsession

I make this call with great respect for my friends and colleagues in the industry: we must end our obsession with identity. For thirty years, identity has dominated digital practice and discourse. We overcook the Peter Steiner gag that “On the Internet, nobody knows you’re a dog”. That was just a wry joke about dogs getting up to mischief, not an editorial commentary on digital trust. Until recently, when trying to "trust" anyone online, identity was all we had to go on. When faced with higher risk, we would seek higher trust and ask for more identity. We put the quantity of identity ahead of quality. We put identity first.

Bad Habits

Obsessed with identity, we developed terrible habits. Instead of verifying the particulars that really matter about people we deal with, we drag in circumstantial evidence — almost always extra identifying data — from unrelated contexts, such as CVVs and SSNs, much of which is then stolen and bought and sold and replayed by fraudsters. Consider Knowledge Based Authentication (KBA), which places a premium on “out of wallet” details that ought to be less likely to be known to criminals. But personal information is everywhere on the Internet and KBA backfires by motivating a black market for personal data.

Identification for digital risk management is like putting out fire with gasoline. We should do more to secure the specific facts and figures that each transaction really depends on.

Data as a Utility

Meanwhile, data has become the lifeblood of modern society. The World Bank last year in its world development report Data for better lives called for a “new social contract for data” to protect citizens against harm arising from the information and power asymmetries created by big tech. Data is now a resource almost as important as clean drinking water. Yet we access, accept, and recommend data on an ad hoc basis; outside certain professions and intelligence circles, data is handled without any standards for quality or provenance.

Regulatory Pressure

And so regulatory pressure is building, quite properly, on data flows and processing, and also on what customers know about data. There is more onus on transparency and accountability. There should be no more digital Wild West!

Digital Truth

Cynics say we are “post-truth” but as cyberspace grows in importance, surely our biggest challenge really is digital truth. From payment card fraud and online scams through to misinformation and AI-driven Deep Fakes, every one of these problems is fundamentally about poor-quality data. We can’t trust the evidence of our own eyes anymore. Are we really contemplating digital twins in a synthetic metaverse without first taking better care of fidelity?

Concerted multidimensional responses to the data quality problem are underway (not to mention some narrow legislated bans on Deep Fakes). For one, several major mastheads have teamed with Microsoft Research in the Coalition for Content Provenance and Authenticity (C2PA). The group’s first draft standard draws heavily on technical measures familiar to the identerati, such as digital signatures and certificates.

And the new Verified Information Exchange (VIE) is an interdisciplinary research program hosted by UW with a work program focused on network or scheme-based business models for data supply. According to the VIA, “The global information environment is a form of 'market' that needs exchange protocols and local standards”

Another new effort, the Global Assured Interoperability Network (GAIN) was prominent at Identiverse 2022. It means different things to different stakeholders; even the ‘I’ in G.A.I.N. since the initial publication has been reframed to interoperability. One of the best features of the concept is the Service Provider: a fourth party in the data flow, intermediating the familiar End User, Issuer and Relying Party, to enhance scalability.

Infostructure

The payment card processing networks exist purely so that certain customer data — account numbers and some metadata — can be reliably presented to merchants and verified. GAIN represents an extension of the four-party model for presenting and verifying data more generally.

Card schemes are a paragon of infostructure: An organizational structure used for the collection and distribution of information (usually hardware, networks, applications, etc.) used by a society, business, or other group (Ref: Oxford English Dictionary). That is, verifiable data sharing will be underpinned by rules, technologies, and business models.

Data Means Business

We know data is big business — good and bad — and that information is being organized into value and supply chains. We are still in the very early stages of digital transformation. As cyberspace becomes civilized, we need data business to be more orderly and transparent.

If there is any truth in the comparison of data and crude oil, then let’s think in terms of assaying data. That is, let’s start to measure the properties of data that make it reliable, fit for purpose, and valuable. And then let’s bind the assays to the data records as they move through the information value chains. I envision a world with widespread cryptographic infostructure, so that verifiable data is available everywhere, just like stable electricity and clean drinking water. We have the tools to build such infostructure. We IDpros know we have these tools because we have already built them!

The Post-Identity World

So let’s shift focus from the abstract to the concrete. Notice that I haven’t used the word “identity” since the start of this piece. The idea of identity is simply not helping. I know that it strikes some as a sterile perspective but what we think in the digital identity echo chamber doesn’t matter because the tools developed by our industry have shown the rest of the world how to design for verifiable facts and protect them cryptographically. We can trust without identifying. We are familiar with “zero trust” - let’s try zero identity!

We can break old habits. Instead of starting with identity, let’s ask:

• What do you really need to know?
• Where will you get the data?
• How will you know if it’s true?  

It is perfect timing for a paradigm shift. We have intelligent devices at the edge, we have mobile digital wallets that make ideal verifiable containers for data, and we have clouds full of APIs for signing data. We can do better with digital identity; indeed, we can do something much bigger and better for all of cyberspace. Let’s apply our proven tools to build an infostructure that delivers data as a true utility.