Developing Open Standards for Self-Sovereign Identity With Kaliya Young
Jessica: Hi everyone. Welcome to the Impact Podcast. I'm Jessica Lang content editor at Georgian. Today, we have Kalia Young, an expert in digital identity and self sovereign identity. You might know her as identity woman. Kalia has spent the last 20 years developing a layer of the internet based on open standards, but the goal of empowering people. In 2005, Kalia co- founded the Internet Identity Workshop, a place where people from across the world gathered to figure out what standards are needed for digital identity and collaborate to build them together. IIW still gathers twice a year. We caught up with Kalia about her work, the importance of open standards in an achieving self- sovereign identity, and what people working in web three should know as they're building identity solutions. Before we dive into it, I want to provide a quick explanation of self sovereign identity for those who might not be familiar. According to identity woman in business, the temporary name of Kalia's consulting practice with her business partner, Lucy Yang, self- sovereign identity is an emerging digital identity paradigm that can enable secure and trusted online transactions by letting individuals and organizations have control of their digital identity the way they do with their physical identity. With SSI, people can share the minimum required identity information needed for a particular transaction without intermediaries. Lucy and Kalia note that self sovereign identity falls into a few evolving pillars. One, the concept of SSI that we just described. Two, the principles of SSI that provide richer meaning than the concept, like the idea that users should control their identities. And three, the technology that is enabling the realization of the concept and the principles. So we talk a lot in this podcast about the importance of developing standards for digital identity generally. We do that so you can understand what's needed to make self- sovereign identity happen. If you want to dive deeper on the pillar surrounding SSI, because it goes way beyond my explanation, we've got some resources for you in the show notes, so you can dive deeper. In the meantime, Kalia will go more in depth about why you should care about digital identity. So Kalia, I'm interested to learn about your work with the Internet Identity Workshop and the kinds of conversations that were happening around 2005 related to identity. What was going on then? What problems were you trying to solve?
Kalia: Yeah, so way back then, we had a term called user centric digital identity. That's the words we had at the time. A community and network called Planet Work was considering what was needed to support individuals connecting and sharing information and coordinating together to help address the environmental crises on the planet. They actually had a meeting in 1999 with 50 different environmental groups at the Presidio, which is this giant park in San Francisco. They came out of that meeting with two very unsatisfactory answers. One was that everybody, all those groups could coordinate and collaborate together potentially to build one giant platform that would network all of them together and all of their followers and donors and activists into one thing, or they could say separate. There was no middle ground of actually networking the people in the orgs together. Out of that sort of inability to have a good answer, they put their heads together between the year 2000 and 2002, and wrote a paper called the Augmented Social Network, building identity and trust into the next generation internet, and made the case that open standards for user- centric digital identity were really important. That we needed to own and control our digital selves in order to work together. They published this in 2003, which is before Facebook was founded. So it was around that time that I joined the conversation and started working with the folks pioneering in this space. We founded out of that, those conversations, that next generational conversations, the Internet Identity Workshop. As the conversation changed, in many ways it's the same, which is like, it turns out these problems are pretty challenging technically to solve. Although I think I'm very optimistic about where we are now in that there's a kind of depth and understanding of the humanness of all of us and that we can't just be simplified into bits. Any conversations that deal with how humans are represented is inherently complex.
Jessica: What does it mean to have open standards for digital identity and why is it so important?
Kalia: So open standards are basically recipe books that anybody can follow. If you follow the recipe, then you can talk to the other people who follow the recipe. It's really democratizing and leveling and means that you can get scale similar to the scale that we had with HTML and SMTP, which is everybody can use them because there's no barriers to entry. That prevents proprietary lock in. It prevents one or two large companies owning and controlling everyone's digital self. We're coming up on a potential real struggle where if we don't push really hard for the open standards, we could end up where, because of their control, the handset operating systems, Google and Apple could literally own everybody's digital selves. There would be no alternatives because we'd have to use their wallet and they would have total control of their wallets because they control the operating system. If we collectively, businesses, governments, and people don't want that, because I don't want to live in a future where those two companies control everybody's digital selves. We need to really collaborate together to make sure the open standards are there. So any company who wants to can create a digital wallet that works in this ecosystem. Any company can issue a verifiable credential, which is the standards for expressing attributes about people can do so, and it'll fit in any of those wallets that all follow the same recipe book. It's not a recipe book controlled by one company. It's a recipe book that is out in public that anybody's free to implement. So open standards, once they're finished, they're like frozen recipes. So version one of the verifiable credential standards was completed two years ago. We're about to actually start a process around version two, but then when version two is done, it's done. There's no more innovation. So it's more like the open standards support anybody who wants to follow a recipe, being able to follow it, and that we can have things work in the way that we have with email today, which is different programs. So we have Gmail and Yahoo and Outlook and Hey. com and Thunderbird and another hundred other email clients and programs, and everything works because they're following the email recipe that actually was finished decades ago. So we're in the process of creating these new standards for digital identity. As they get finished, now we can use them and create this new layer based on these standards instead of one company owning and controlling how we... one or two or three or four companies. There's more than four banks in the world. We need a world of tools and services that agree to serve people and agree to serve people in open standards that don't cause lock in. I used to talk about this all the time where people are like, well, Facebook's just going to own everybody. I was like, I'm sorry, is there one bank in the world? Don't I own my money at the bank? They're a custodian for it. I want to go to the bank and move it from one bank to another and still work in a global banking system. We need these same tools for both our identities and then also our personal data so that we might collect and manage all our interactions over time and then move them between service providers that help us.
Jessica: Which businesses would really stand to benefit from self sovereign identity? The financial industry comes to mind, for example.
Kalia: Yeah, well you named one, the financial services industry. I think this is where we're seeing the first early adoption, in part because the protocols themselves are more secure than the current options. Those institutions are risk averse. The credit unions in the United States have collaborated together to implement a tool called bonafide and support their credit unions, kind of baking in this technology under the hood, in the apps that they provide to their customer owners. So that's what sometimes we forget, that the patrons of credit unions are the owners of those credit unions, and that when they call customer service, instead of being asked that crazy list of questions, the app that they have has this inaudible communication protocol under the hood and they tap their app and then they can talk to the representative. They don't have to share all that information again, to prove they are who they say they are. So, that's a great example of a real world thing that's happening.
Jessica: What are some of the challenges you've seen come up in creating more user centric digital identity?
Kalia: Well, this first generation of tools that came out of our community are literally used a billion times a day. I'm pretty sure almost all of the people listening are on a daily basis using products that are community developed. So we developed a protocol called open ID connect. Every time it says login with Google, Facebook, LinkedIn, Amazon, whatever the smorgasbord of choices, that's open ID connect. That is the protocol behind that. So we had success in some ways. We got billions of people and companies serving billions of people to use these tools and technologies. The problem is that we ended up with these things called identity providers, which is the Googles and the Amazons and the Apples and the Facebooks that are dis- intermediating everybody from the entities they're interacting with. So that was kind of a... we succeeded wildly in some ways. Then the architecture and the people who chose to show up and really design the last sort of standards, shaped them in such a way that they resulted in this architecture that now this new generation of self sovereign identity technologies is trying to get us out of.
Jessica: What got us to this point where our data is siloed within a few companies?
Kalia: Yeah. So this is one of my motivations from the very beginning. You were asking earlier about how did I get into this space? Why have I spent 20 years of my life, which is very long time working on this. That is because the internet, as we have it today, is built on this foundation of open standards. There are literally tens of thousands of them, at least thousands, like a lot. We know almost none of their names, but they help all the wires and the bits move between things. Some that people have heard of are, HTML is the one for expressing webpages. SMTP is the one for email. The folks looking at Planet Work, looking at how they could help, were inspired by those earlier generations of protocols saying, we need one now for identity and digital identity that centers people in that the innovations that we came up with with the first generation had limitations. They helped us not have 200 accounts, and instead sort of funnel everything through a couple accounts, like at Facebook or Google, but that centralized control instead of keeping it distributed and keeping it centered on people.
Jessica: So we're trying to get to a point where people have true ownership over their data and the people decide how their data and identity is used. But right now our digital identity in many senses belongs to the big tech companies. How do we get out of this paradigm and what makes this digital identity issue so complex?
Kalia: The current architecture is that our accounts... we have accounts in these services and they issue to us are identifiers. And because they own our identifiers, they have the ability to delete or manipulate our digital representations of us. So the power structure in that dynamic is architectural. So I have an account on Twitter in Twitter's private name space. I have an account in Google in their private name space of Gmail addresses, right? So what we're trying to do with SSI on one level with the open standards is to end that identifier power relationship and start to have identifiers that on software we control, we're anchoring and using as a starting point for our digital representation. So. That's a decentralized identifier. The other thing is to add on another component that helps separate the identifier from the attributes about us, which is collecting attributes from a variety of sources that we can then share when and where we want. So attributes being like, did I graduate from university? What's the address that I get my utility bill at? Do I have the qualifications to fulfill a job in a certain profession? Did I go to yoga class last night? It doesn't have to be giant, super important things. Then instead of those being stored, like they have been in prior architectures in Google or Facebook or LinkedIn, which is sort of inappropriate for a lot of those things, they're stored in the individual's own wallet. Then they can choose where and when to share that information with relevant parties that need to know.
Jessica: Many people don't really notice that this is an issue, but going back to what you were saying earlier about the humanness of all of us and this idea that we can't be simplified into bits, how does this idea of self sovereign identity tie into that idea of humanness?
Kalia: Everyday people in their experience of the web are kind of fine. We navigate the web, we buy stuff in eCommerce, we chit chat on Reddit or other social media and people are like, well, what's the problem you're trying to solve, Kalia? There is no problem. It's fine, it's working. In some sense that's true. There's also this issue of us being humans with many different accounts and many different systems, or if we're interacting with a Google or Facebook, they're owning all of the information. So it puts us at risk for not feeling centered and grounded. It's almost like digital wellness. How are we integrated whole human beings in our embodied sense? There's all this information about how we can manage our sleep practices and move every day and all that stuff. So that's about our bodies. What is our digital wellness for not being separated into different accounts all over the place and divided? How are we actually coming from a centered related place digitally to connect to businesses, to connect to our friends and to not have corporations dis- intermediate us. Because every time we connect to people through those services, through Twitter or Google or Facebook, those companies can disconnect us from our friends. But if we use open standards, like one of the standards that's coming out of the community, like decentralized identify our communications did come for short. We could own our own social graph and not be dis- intermediate by other companies owning our identifiers and those connections because they own the identifiers.
Jessica: There's a lot of convergence between web three and what we're talking about here with digital identity. Do you see any tie into the need for open standards and how people can scale web three applications?
Kalia: Yeah, definitely. I think web three has been a little bit slow to even understand what open standards are. They're like, we'll just build it and get adoption. Then you're like, yeah, but what are you building and how? I've showed up very nicely on some web three projects in our community and said," Hey, cool. It's really interesting work. What's your IPR regime?" They're like," What's IPR?" And I'm like, hmm, because one of the things with open standards is all the people who helped write it need to agree that it's free for anyone to use. You kind of have to get them to sign off on that agreement so that other people later feel safe using the standards. So it's all a process of how we create digital public goods that are available to everyone to use.
Jessica: Just to double down on the web three subject, how does self sovereign identity tie in?
Kalia: This gets pretty philosophical pretty fast, but how do you know that I got a master's of science and identity management and security from the university of Texas at Austin? Cause I say so. Well, where is my digital version of a certificate that I could show a proof to you or anyone else who wants to know that actually happened? So there's a kind of utility in having more information about people in businesses. One of the biggest attack vectors going on on the internet today is identity fraud and impersonation attacks. Well, those aren't going to go away web three. In fact, they're probably going to get worse until we have this type of infrastructure where I can prove attributes about who I really am. If I'm a business, I'm really incorporated and really this is an officer who has the power to do these transactions. We have to build this infrastructure, or it's just going to end up being a mess of bad actors doing bad things, and lots of normal people will get scared away.
Jessica: You've traveled around the world to ensure we build digital identity standards that are truly inclusive. Can you talk about the importance of creating standards that reflects people from all backgrounds?
Kalia: So let's just be upfront and say, this is not an issue that's particular to SSI. It's particular to the whole technology industry. In fact, my handle Identity Woman comes from the fact that, when I started my blog along with many other people in the industry at the time at the encouragement of Doc inaudible, I needed a good name. I was like, I'm the only woman I've ever met in a meeting about this topic. So I guess I'm the Identity Woman. That's the woman in the room. To this day that still often is the case, which is a bit disconcerting. I think there's also been a real challenge in how we are inclusive. I have to say it's getting better and better. So I think there's been additional attention paid to these issues, but it's predominantly people from the global north. It's predominantly people who are male bodied. It's predominantly people who are white bodied and that we cannot build identity systems that represent humans in all their beautiful flavors and colors and shapes and sizes and geographies, unless we have more people at the table. I think there's some really promising work going on, led by folks like Nikki Hickman to broaden who's at the table. She's been doing excellent work with a network in Africa called inaudible to support youth in Africa having educational credentials and a whole network that they themselves are part of the governance and leadership structure of. We need more and more of that.
Jessica: How can we ensure more participation from people, especially marginalized groups who tend to be left out of the conversation in tech development, to ensure we are building standards for self- sovereign identity that are truly inclusive?
Kalia: Yeah. Honestly, I think we need to flat out fund that participation. It's not going to happen by magic. I think there's also a role to engage with organizations who are advocates for digital inclusiveness to proactively participate in creating open standards. I think one of the challenges we have is that people feel at the affect of these digital systems. I have felt really empowered over the last 10 years by showing up and participating in the rooms where things are created. Then I don't get to complain at the end that it doesn't work well, because I was there trying to shape how it does work. I think the work that we've done and that our community focused on with the verifiable credential standard was centered around the assumption that people were connected to the internet and we're doing web based transactions. How, when I purchase a age restricted good, can I also share my age in a verifiable way so I can get that thing delivered to my house? That is all assuming web- based work. I think perhaps it's a blind spot that we had early on that hopefully now in the coming years we can correct, which is how do these tools and standards work for people who are offline, who aren't digitally connected, and for people who don't have phones necessarily. So there's a lot more work that we can do.
Jessica: Thanks Kalia. I think you've given our listeners a lot to think about surrounding the importance and the philosophy of open standards to make digital identity truly user centric. Any final thoughts?
Kalia: These standards are not created in vacuum. They're created in community. One of the places that the community that works on this gathers is called the Internet Identity Workshop. I don't think we've mentioned that yet. So we come together every six months and we have done so since 2005, and it's a place where all the innovators and all the early adopters come and figure out how to make this stuff real. I'd highly recommend, if folks are exploring this space, to send one of their technical folks. Business people are very welcome as well, but just coming alone as a business person, you might feel a bit overwhelmed. So it'd be good to bring that tech buddy with you to compliment and to engage with the technical folks that they might be working with later, as you move towards implementation or exploring implementing a project.
Jessica: Kalia, I think you've done an awesome job highlighting the importance of open standards and community and making self sovereign identity happen. I've loved the focus on the human aspect of identity and how you broke down the importance of getting web three builders on board with these concepts. Thanks so much for joining us.
Kalia: Thanks so much, Jessica.
On this episode of the Georgian Impact podcast, we are joined by Kaliya Young. Kaliya is an expert in self-sovereign identity. You might know her as Identity Woman. Kaliya has spent the last 20 years developing a layer on the internet based on open standards, with the goal of empowering people.
You’ll Hear About:
● The Internet Identity Workshop that Kaliya co-founded in 2005.
● What it means to have open standards for digital identity and its importance.
● What businesses would benefit most from SSI.
● Challenges in creating a user-centric digital identity.
● How data became siloed within a few companies.
● The link between digital identity and Web3.
● The need to create standards that reflect all backgrounds.