Hello, everyone, and welcome to this Road to EIC webinar. These are a series of webinars that are bringing us topic-wise, introducing the speakers that you'll be able to meet at EIC, which is the European Identity and Cloud Conference.
Today, we've got a fantastic topic. I can't wait to ask our guests today a few questions on deep fakes and misinformation versus decentralized identity. So our topic today is really asking the questions, do we need to escalate this arms race, so to speak, around deep fakes, misinformation, or do we already have the tools to combat that with decentralized identity? So I've got exactly the right people to talk about that with us today. I've got Wayne Chang, who is the CEO of Spruce Systems, and we've got Kim Hamilton Duffy, who's the executive director of the Decentralized Identity Foundation.
And the great thing is about the talk today is this is really just a warm-up. If you want to continue the conversation, make sure you get even more questions answered. Be there at the EIC, either in person or virtually, because we'll have this panel there as well to go a bit deeper, excuse me, and with a few other people involved in the conversation as well. So with that, let's jump into the conversation. I'd like for us to do a round of introductions.
Kim, would you be able to kick us off, explain a little bit about yourself, of course, how you're connected to digital identity in general, but specifically decentralized identity? Yeah, hi, thank you for having me.
I'm Kim, the executive director of Decentralized Identity Foundation, and I've been involved in the identity space for about seven, eight years. And I got in from working on efforts to make academic credentials portable and verifiable through decentralized technologies and that led to a series of events where I focused on decentralized identity standards, verifiable credentials, and decentralized identifiers. And so I've become very interested in the standards and have been really committed to figuring out ways to deploy these standards, principles, technologies into the world.
So very excited to be here today. Thank you for being here and making time for us and bringing your expertise along with you.
Wayne, how about you? How did you get to be where you are today?
Yeah, so my name's Wayne Chang. I'm the founder and CEO of Spruce ID. Our mission is to let users control their data across the web. Instead of people signing into platforms, platforms sign into your data vault and interoperable standards. And a lot of the technologies we have in the decentralized identity space, I think, are the most streamlined way to get there. My background is working on these technologies at a company called ConsenSys before this. And my first startup was a health care startup.
So in the US, we dealt with some pretty big frustrations about data portability and health records, trying to pass many laws to, as a country, we pass many laws to try to make this better. But I think we still can see some improvement for interoperability for health records. It's especially a challenging issue because if you're trying to just get health care and your doctor can't get your health records and then you can't get health care, that's an awful outcome, in my opinion, for something that can be solved with tools we have.
So that got me started off this journey on how do we give everyone data vaults and let them control more things about their digital lives. And I think that, again, we have some of the tools that might be handy for fighting deepfakes and misinformation.
Great, thank you. And to introduce myself, I'm Annie Bailey. I'm a senior analyst with Kupinger Coal. My areas of research cover everything related to digital identity. And so that includes decentralized identity and self-sovereign identities, reaching towards identity verification, combining the two into reusable verified identities. So there's really a lot happening in this space. I'm really thrilled to bring the conversation here to a rather interesting topic. How do we use decentralized identity for combating deepfakes and promoting content authenticity, among many other options?
Before we really dive into the conversation, I'd love to hear from the audience as well. At any point during this webinar, you can submit your questions. We'll be able to answer those throughout the webinar. And if not in the middle of our conversation, at least at the end of our conversation, we'll get to those. And we can also hear your opinions on a few poll questions that we've prepared. So our first question that we'd like to hear from all of you in the audience is, are you already familiar with the term decentralized identity? Is this something new for you?
Or are you here because you're an avid fan and you need more information? So take a moment. You should see that come up on your screen, give a quick yes or no answer. And we'll come back to those results at the end of the webinar as well. See if there's any interesting insights there. So while you do that, I've got a first question for our panelists. So we're here to talk about deepfakes misinformation. What are the main ways that these are currently impacting digital interactions? And how do you think this is going to evolve in the near future?
Wayne, do you wanna take this first? Sure thing. I wanna say that it's multimodal. There are many different kinds of channels and media that will be affected by this. I'm gonna go over just two examples.
One, well, two near-term examples, and then there are long-term examples too. So, and one long-term. So the two near-term examples that we're already seeing impact the industry today are basically phishing attacks are on the rise because it is easier for anyone to sound like anyone when they're writing an email, a text message or anything else. Before there might've been indicators to see if someone is crafting a message in the native language or what their situation was. But now it's a lot easier for someone to pretend that they are someone else from a pure text medium.
A lot of the generative tools out there can do that extremely well, right? So, and then a lot, and the next media that will be compromised. So it seems voice generation is becoming very convincing and also harder to detect. It's a cat and mouse race. And we see some websites, the notorious OnlyFake for example, and others utilize image generation tools so that they can generate pictures of licenses and other important images that some systems on the internet today in production, they take uploads of these images and use it as a basis for biometric authentication, right?
And that's challenging because none of the security features or very, very few of them that were designed for physical cards are applicable over webcams. So it's kind of a bad idea to begin with, but now the cracks are turning into fissures because it is easier and easier. And longer term, we can see everything spoofed from interaction patterns against the browser that some CAPTCHA systems start using to determine if this is a bot or not, et cetera. It's more convincing.
In general, we're moving away from a world where facts and circumstances, incidental occurrences were sufficient for authentication. We're moving towards where we need more certainty because those things are spoofable or getting to that point.
Yeah, thank you. Kim, do you have anything to add here or other observations?
Yeah, those were great examples. And I think the overall trends or patterns that we're seeing is that underlying trust in digital interaction. So it's just increasingly hard to verify the source and lineage of content. So we're seeing it on the personal side, social media, of course, personal communications, but also businesses are increasingly starting to lose large amounts to these kinds of attacks. And I think one thing that Wayne touched on has to do with the idea of the message, the origination of the messages can come to you in many ways.
So maybe something starts out with a text message or voice message that sounds a lot like your relative. And so it's these sort of as we cross channels and it becomes just very easy to find some way in that you're able to sort of match something that people think they can trust, but ultimately is not the source that they expect.
So yes, as the technology advances, we're just seeing these threats become more sophisticated. So yeah, that's why we're here to talk about the role of a decentralized identity. And so very excited about that.
Yeah, to add to that, you could try it for yourself with one of the many chat tools, right? Hey, write this message as if from a young college student in need trying to ask for some money or something, or write this message as if it came from a banker asking for an authorization. The messages look very well-generated and you can imagine what the delta is before of someone who, let's say they're trying to defraud someone in English and that's not their natural language, right? It used to be that they would have to figure out how to get their English to perfect.
They'd either have to go through a translation service or something else, right? And that's higher barrier, but with a lot of generative tools, they can sound like a native speaker fully expressing their intent. So try it out for yourself. If there's any kind of skepticism around its current state.
Yeah, and I think both of you touched on a really interesting point. Is this a social problem or is this a business problem?
Of course, it's both. And the connecting factor are we as individuals, we are part of an organization, we are leading an organization, we are individuals acting on our own personal behalf. And we have the same susceptibility to these sort of attacks, feeling familiar, feeling authentic. So how are organizations then typically addressing these threats? How are there really methods that are matching the rate of change that we see in deep fakes and increasingly realistic phishing attempts?
Yeah, I can start. The most popular ones at the moment are also AI techniques, which are great and effective in terms of detection. And a lot of them may be based on pattern matching anomaly detection. But one of the points that we keep coming back to is that, okay, so those get better. And then the sort of fraudulent techniques get better. And then so we keep alternating to race to the bottom or cat and mouse game, however you wanna characterize it. But basically that's a very valuable tool in the toolkit for organizations, but it's always going to be a moving target.
And so, yes, that's one of the biggest, I would say the biggest method relied on currently. I also think that in addition to what Kim said, definitely agree about the common cat and mouse games. But some organizations, what they're doing now is effective and they have to lean into it more to make sure to stomp out more threats.
So a lot of organizations that are on some compliance programs, including ISO 2701 or SOC 2 is popular in the United States are basically requiring people to use multi-factor authentication, single sign-on, et cetera, very traditional IAM techniques to basically make sure that we have a strong degree of authentication if you're doing workforce identity. And I think those techniques are actually pretty effective, but it's only effective if people are communicating inside those boundaries.
So if you're on the corporate Microsoft Teams or Slack chat and everyone has authenticated, then the risk of a compromise is still there, but it's much lower. Compare that to an employee receives an out-of-band message from what seems to be the executive saying that they've locked themselves out of the system and I need you to help me with this two-factor code or something. And then that's a completely unauthenticated channel outside the boundaries of the enterprise security plan. So I think in terms of those kinds of threats, good policy, good training can help with those.
But I do see those techniques, if we continue to lean into them from the culture and the organization, from the tools available to employees and the convenience with which they can use those tools, we have some ideas to move forward on those. But what I'm concerned about is there's a broader open internet question, right? Where we don't have those fine controls in place because that takes coordination, that takes investment in the tooling and training for everyone. It's literally someone's job.
So their employer can have requirements for how they access the systems, but no one really tells someone else how they access eBay or Amazon or whatever. So for the consumer internet, I think it poses some significant phishing risks and even the out-of-band channels used to attack some enterprise systems too, right? So what are ways that we can equip folks or start to think about the infrastructural tools that can assist this open internet? Or is it gonna be dominated by rogue AIs and just gonna be horrible for everyone?
So those are a lot of the lines of thinking that the industry has to grapple with. Yeah, and real quickly before we go to the solutions, I think it really stands out that, we're not here to sort of say AI bad. And because I think we're seeing the value and the benefits of LLMs in our daily lives of productivity tools.
And I think therein comes the huge risks, as people see the benefits and the ability to say, maybe summarize content so that they can quickly act on something or people are starting to use it to produce presentations, give summaries, help them organize to-do lists, just all through their daily lives, finding ways to be productive. And then I think that what companies are realizing is that there's this, the big challenge for people in terms of finding ways to use AI in their daily lives is like, what is that interface between you, the person and these tools, right?
And how do you get the most of your personal information in there to make it actionable and customized for you? How does it learn your voice and all this stuff so it could help you craft an email, something like that. And so I think that the risk really stands out in terms of the amount of data that people will feel comfortable sharing because it feels like the safe space, right? And so I think that there's a lot of concerns as a lot of safety considerations all around.
And so what we're really talking about is ways that people can use these techniques in a way that is safe and comfortable for them and not necessarily being used for malicious purposes. It's used on models that they know the provenance of and all of these types of considerations. Really great point, Kim.
Yeah, Wayne. Oh yeah, I was going to agree. So I think another way to put it is how can we help people enjoy completely the economic benefits of AI and mitigate as much as possible the downsides, right? That's not unique to AI. That's any technology shift that we encounter. I'm sure that people were thinking a lot about as computers were coming online or motors existed.
Oh, it can try many combinations on the protected vaults, right? Much faster than the human can. What are we going to do to secure that? Whenever a new technology emerges, it can be used both ways, right? So I think that focusing on how do we tailor profiles so that we increase the utility and minimize risks that are undesirable side effects. That's really the goal here. Absolutely. And as you both hinted at, there are solutions. There are new ways of thinking.
How do we structure our defense, so to speak, to keep the tool, but keep it in a trusted environment and keep trust within the equation? Wayne, do you want to kick it off?
Yeah, sure. And I think that a lot of the elements we might look to solve the problem is to basically allow you to, and I think that maybe the red herring here is trying to detect was this AI generated or was this human generated, right? But because I think that's going to be effective for a while in terms of utility, unless there's a very specific regulation or something that says must not be AI generated, right? Then I think that really what we're trying to prevent is fraud and unauthorized use.
And I think that if we can have ways to determine if someone authorized the use, that helps get us there, right? For example, if you used AI to write an email, like Kim was suggesting, and it was very long email and you were like, I don't know, disputing something with your insurance company or whatever, right? Because they're using AI tools too. So you kind of have to tool up to be able to have a fighting chance, right? Of getting a fair result, right? So it's fundamentally empowerment of the individual and increasing in your capabilities as a person.
Well, okay, that's how to, is that, assuming that that's a valid use case, I think it is. How can we make sure that it's not someone pretending to be you, right? And that you have authorized the use of AI for this purpose. And I think that having a tool that allows you to think about the entire data supply chain of this stuff, everything from provenance, why do we think that this is Wayne trying to authorize the tool? How do we know that the tool was authorized to do something? How do we refer to other data payloads?
All these come from different disparate systems and they have to be interoperable somehow, right? So basically whatever system is part of the solution should be able to tie all these different things together and allow anyone who wants to inspect or whoever I wanna present that data supply chain to, to be able to verify those facts, those connected statements about reality, right? So I think those are some of the elements of a solution and better yet, if I can be in charge of the data supply chain then I don't have to talk to a ministry of information who managed it for everyone, right?
That's probably a much more compatible architecture for a lot of the frameworks like GDPR and the way that EIDIS is going and certain states in the U.S. are pioneering user controlled identity. So I think the solution has elements of those things. Thank you.
Kim, what's your take on it? Yeah, and one need we keep coming back to that I think sort of as Wayne and I talked about how people might use AI and the workflows. So it may be totally reasonable for say use of AI in medical scenarios, right? Like maybe some AI tool helps the doctor be able to detect some disease, categorize something more rapidly, right? But what we don't want the sort of dystopia that we don't want is something where AI is necessarily just blurting out some kind of answer, misdiagnosing you.
And so one of the most urgent needs that we keep coming back to is the ability to establish whatever output, whatever end result that you're getting was reviewed by a human and that could be used in a range of use cases. Obviously medical stands out as a very urgent one, but it's for a communication even between friends or something, I may start to feel insulted increasingly over time if I feel like everything coming from this person is just generated by their AI bot. And so I'd like to have some kind of notion of the human element involved.
And so there's just a wide range of cases range from very mission critical to personal just having that personal touch on things where this sort of marker of saying, yes, this was reviewed by a human is super valuable to critical. I think it's gonna increase the value of in-person time which is why I'm even more excited to go to the EIC because if are you talking to the sense shield or are you talking to the real person?
Maybe the social media app, Be Real will take up a new meaning over the coming years requiring that people authenticated are live and present as opposed to using their AI agents to generate a presence. I think that additionally to this, Kim brought up a really important point about healthcare and AI and other kind of critical decision-making. I think a lot of it comes down to what's the chain of control, right? Is it a human ultimately who has originated the intent of this or did the AI start to do that? Because the latter starts to get very dangerous, right?
So basically keeping humans as the originators of intent and keeping that accountable, what are tools that we can use to express intent or consent? Yeah, and I think that like a sub problem of solving for expressing of intent is solving of consent because consent is your intention to share data in a certain way, right? And if you're able to ascribe that, then we have some tools to help with being able to manage consent and the same tools hopefully in protocols because this all must be automated. There's just too much data to manually go for forms, right?
So if we have tools to manage intent about what did you want to do with this AI, right? What were you trying to, what was your goal? I think that's very, very useful to start constructing other frameworks. For example, an organization can express intent to use an AI on PII, sorry, on PII that was scrubbed, sorry, data that has scrubbed PII, right? So how do you even specify that, hey, I want data that had PII scrubbed from it and we're happy to use one of these PII scrubbing algorithms that have been approved by the industry, right?
Today, there's not really a interoperable way for many organizations to specify that. However, you might see the need for this for even training of AI models. So what are ways to express this?
Well, it might come with some kind of assertion that the PII have been scrubbed by an accrediting entity or an issuer, right? And it starts to look a lot like models that we're starting to see more and more commonplace in the three-party model, so to speak, of issuer, verifiers, and holders.
Yeah, thank you for that, kind of setting the stage here and starting to think about what a solution could look like, okay, a single product, probably not, I mean, there's a lot of interoperability. The scope of this is just really quite large. Are we thinking more of an infrastructure? Are we thinking concept-decentralized? How can we start to think about this in a little more concrete terms?
Wayne, go for it. The weird thing about the word decentralized is that it is incredibly loaded.
Like, if all in the industry, you know, over like various tech industries over the past, like, 10 to 20 years, right? Even in the case of blockchains, even in the case of, by the way, I think we'll actually have a role to replay in the future, but basically credentials, et cetera, what is meant by decentralized, right? And I think, for me, the most productive definition for decentralized identity that I go off of is systems where anyone can play the role of issuer, verifier, holder, right?
So being able to have multiple, understanding that there will be multiple issuers, not just one that controls all the data flows and understanding that it's going to be imperfect because different organizations will have different challenges when it comes to issuing credentials, not just what technology choices they make, but also how they express the information or how they use the data being issued to holders for utilization with verifiers.
So that, as it is a nebulous industry, there's no specific set of, you know, there are no specific, if you implement this exact thing, you'll have a full decentralized identity system. I think it's more nebulous than that. We can get into more specific terms that have started to emerge, such as, you know, like user-managed credentials and device-bound credentials, et cetera. And those are specific things we can talk about and what the technical properties are and how to get there.
But to me, decentralized identity has a lot more connotations about the kinds of architectures that we're going to see. Yeah, Tim, what do you think here? And especially making the connection here, how are we getting to a solution state here?
Yeah, and I'm glad Wayne talked about, because your first question to the audience was, you know, are you familiar with decentralized identity? So I do like that he's providing a definition before we move ahead. And so what's interesting about that definition and super valuable, because I had never heard it before, was, you know, he talked about decentralized identity lets anyone be the issuer. But moving to the three-party model, it also lets anyone be the subject and anyone be the verifier, right? So the way that I typically define it is not perfect.
It's a little more passive, but the way I describe it is it's a set of technologies, a set of standards, technologies, and principles, because not everything can be solved with the standards and technologies alone that put people in control of their data, but that still has them as sort of the passive subject role. But the other thing as well is moving them to the verifier side, they can also verify data and sources of data, the authenticity of data coming to them.
And so that part's really powerful because a lot of what we do when we interact on the web right now, you know, the best we get is the browser checkmark, right? Saying that this is the whatever entity that you expect that you're interacting with. But I think, you know, in terms of the mainstream method of, you know, of sort of onboarding to an organization, we're used to the pattern of sharing a lot of information, but then not getting the same kind of, you know, mutual authentication is the way I describe it, right?
So it's the idea that we're used to sharing so much information so that people trust us, but we don't get that in return. And I think the symmetry of restoring that is one of the big aspects that decentralized identity provides.
Now, in terms of, you know, what is it and how we start getting to a solution. So yeah, definitely foundational infrastructure rather than one single standalone product or technical stack, all of these, just as Wayne was saying, it provides this framework, but then I also think, you know, pulling in the principles part and the fact that it's really not just standards and technologies or technical standards and technologies. It's something that needs to be solved with huge interdisciplinary input.
You know, obviously policy regulation is a huge side of that, but I think that this is, it's really good to have this conversation broadly right now. I, it would be very unfortunate if it gets relegated to, you know, oh, this is a technical problem to figure out because it needs everyone's input.
Yeah, I would argue that identities are really decentralized, right? Like, so think about all the different sources and documents that people use to prove their identity.
It's, there's no central authority for the world on that. And I don't know if that's a good model that people would support, right? But even in the US, each state has its own way of doing things. We see that states and also state DMVs have driver's licenses in the United States, and these serve as foundational identity for many people, but that's not the only thing that can serve as foundational identity. People also have passports. People also have permanent residency cards and green cards and work authorizations.
They also have utility bills that are sometimes used to prove addresses, et cetera, and it's probably similar in terms of this bottoms-up approach to authentication because, again, there's no really great way to, and nor should we impose that upon the entire world, right?
So if identity is already decentralized, then I think it makes sense that we take technologies that taper into what societal systems already exist and how things operate, being careful to, you know, normal problems with digital transformation, making sure that we have all those guarantees when we have things in the digital world. So I think investing in tools that allow us to taper to existing processes, I think that's actually the goal of having these protocols that assume that there are many issue and sources, and just like you can inspect someone's driver's license as just a person, right?
And they can show you that, right? What's the implication in the digital world? Should we limit the ability to verify to just a few select entities, or should we choose protocols where everyone can have a chance to verify because it could increase trusted interactions? What if I could, you know, over an end-to-end encrypted channel, talking to someone, run an authenticated session, meaning that they are identifying to me and only me with their state-issued identity and me to them, maybe not even my state-issued identity. Maybe they find acceptable my employee badge, right?
So I think that a protocol that can support both would be really useful in the situation instead of, uh-oh, now the two things can't talk to each other, right? So if we can align on technologies allowed to do this, I think that we create a lot more utility for society due to interoperability across different sectors. And also we create a market for products that companies, individuals, et cetera can buy. And when they buy it, it works, right?
And we're not reliant on bespoke implementations that are very expensive for someone to maintain, but think about how much utility someone has when they buy some cloud storage for like $2 a month. You can get like lots of gigabytes, right? And I think that is one of the really great outcomes of technology and being able to operate at scale, right? And how we operate at scale in this world with an explosion of different issuers, holders, and verifiers is through interoperability and principles, as Kim said. Absolutely.
Yeah, thank you for those ideas and kind of starting to bring it into things that maybe we can start to imagine in terms of a use case or really success stories in a small scale. Again, we're talking about huge interdisciplinary cooperation here for a really comprehensive solution, but we can take this step-by-step. So you're mentioning already bringing in identity verification for many other uses rather than simply a high value transaction or opening an account. There's a lot of potential here to use this for content authentication or authenticity, excuse me.
For example, what other concrete use cases exist already that we could think about this? Wayne, do you wanna go start? Sorry. I've been hogging the mic, Kim, if you want to, or I can go.
Okay, great. So basically there are a lot of workflows today that are highly depended on for security or identity assurance, and they're gonna go away, right? Like the idea that you can hold your identity card to the webcam, and then it's going to match that with your face from the webcam, and there's no additional checks happening. That is one of those examples where, again, there were cracks already, and now they're turning into fissures as technology accelerates, right? So that's a really important use case to get right because there's a lot of money being transmitted on that basis, right?
And I think that the most convincing figures is FinCEN, the Financial Crimes Enforcement Network in the US has measured, I think, 212 billion of fraud over a course of a year just related to identity, right? And we see that over 90% of data breaches have some element of identity in the compromise, either reusing credentials or something else, right? So how do we transition away from systems that, again, the cracks are turning into fissures and have solutions for ways that are much stronger and even more convenient for the consumer, more private.
You don't have to share the whole image of your identity card, right? It could just be a few fields that they need to collect and test against. I think those are really compelling use cases that we're gonna see in the near term. Other use cases are even just solving some age-old problems with decentralized identity and other identity sources, such as password recovery. It's a big challenge when you get locked out of your account and that's your universe, right? Think about if you're a Gmail user, how much access do you lose if you lose your Gmail account or your iCloud account for iCloud users?
It's a lot, it's kind of the, you've created your own little certificate authority for all your services through your email, right? So that's gone what happens. And is there another way to get access to your account other than trying to beg a massive organization to make an exception for you or to convince them in their process, right? So being able to demonstrate facets about yourself that are deemed acceptable, right?
Yes, we could use state-issued identity as part of it, but the point of decentralized identity is that there could be other issuers too, right? And they might be able to give enough convincing assertions and in conjunction with you, be able to recover some aspect of your account while keeping the security level very high, right? So I think it maximizes the opportunity to provide good user experience, convenience, and improve privacy. And also there's a fact of not consolidating further power.
And even if you don't think that the people exercising the power will abuse it, it's also interesting to consider what of a, how much of a target that makes big issuers, right? So if you can only get credentials from one credential faucet, but that can be used to get a $100,000 loan, right?
And well, that's a bigger target on the back of that one issuer, right? And the more that the use cases emerge to use this credential, the more targets will appear on the singular issuer, right? So figuring out how to have some diversity in terms of data sources, improving methods could actually improve the resiliency of the ecosystem overall. Thank you.
Kim, what are your take on use cases? Yeah, one of the big ones that stand out is the risk of fake information spread through media or fake news, especially timely coming up on an election. And I like Wayne's term or phrase cracks turning into fissures because fraud has existed throughout time, right? I think what we're talking about is the gradual ease at which it is to commit increasingly realistic and convincing fraud. And so certainly with deep fakes and all these sorts of sources, it's becoming easy to create images that seem real, videos that seem real.
And so I think one area where we're seeing really good progress to solving that problem specifically around sort of, what is the source of this media? Has it been tampered with along the way? Is the CQPA effort? And in that approach, they are incorporating verifiable credentials to authenticate the origin of the content and help attest to changes made along the way.
So, and just again, to not assume that people are familiar with decentralized identity. So verifiable credentials are a critical standard in decentralized identity. And you can think of it as a very flexible envelope that the analogy starts to break down, but it can carry a wide range of information. So that information that it carries might be your course completion, university degree. It might be the fact that I own, control some kind of piece of property or something like that. And it could be also, have to do with the fact that I originated some content, I created it, something like that.
So you can think of verifiable credentials as this wrapper for claims. And again, back to Wayne's definition of decentralized identity, anyone can be the issuer of it. So there is a very flexible structure. And then again, with the envelope analogy starting to break down. So there is this sort of expectation that it can be, it comes with a set of standards that you can use to verify the fact that it hasn't been tampered with. You can verify the source of it.
So again, that's where we don't wanna fixate on the analogy too much, but no matter what the claim is, the receiving party of this claim should be able to verify it in a consistent way. So it really allows you to sort of get tooling in all parts of the ecosystem to know how to interpret the validity and the source of the claim. So for example, in C2PA, how they're using it would be a set of credentials. Then you might see embedded along with the image, there'll be a set of credentials.
And so maybe a media reader or tool may not display that full, messy verifiable credential data as JSON or something like that. But it may contain the key information from the structured data and say, here's the source, it's not been tampered with, something like that. So they're using it as this flexible wrapper to say a broad range of things like the source of the data, whether it's been modified by an image editing tool, something like that. So that's a really good example of C2PA where verifiable credentials have started to be incorporated.
Yeah, and I think that's a really tangible example. It's easy to think about what that could mean in terms of media or articles. Is this authentic or is this been created with a different intention? How do these use cases then vary across verticals? Could we imagine this then for the financial industry as something useful then in manufacturing? How can we start to think about use cases for those other industries?
Yeah, I feel very strongly about this topic in terms of use cases. And I think that any use case that people work on, you have to think about the entire end-to-end user experience. And that's the only way to get value. And typically it goes through the entire gamut of issuer, holder and verifier, right? Where do you get the credentials? How do you maintain them? And then where can you use them, right? And typically people aren't looking to download a digital wallet so they can futz around with digital credentials.
Although I know a few people like that, but most people will want to get something done, right? And whether that's being authorized to work somewhere, whether that's accessing content, whether that's certifying that your election video was not generated by an unauthorized AI, right? These are all the things that people are trying to do. And I think that working backwards from what the outcome was, is gonna be critically important in our experience working with different US states and some private sector companies.
We found this was the only way to get to good results for our customers, where basically we have to imagine the entire journey of all the different people involved in this credential life cycle. Yes, it's important to focus on the holder, probably one of the most important characters to focus on. How do they get the credential? What are they using today? Do they even wanna download another app as part of it, right? Is there a different way that they want to interact with their credential?
For example, in the education use case that Kim touched on, does a learner really wanna download a new app or is there an app that they have already that's relevant enough to add this functionality to, or maybe they have an institution that they're with for a long time and they think that's a good custodian for a lot of the credentials they have. Can it be exported, right? These are a lot of the user stories and basically things that we really have to get right. And we have to build things that are ergonomic to the end user and what their expectations are.
Maybe downloading another app or something is gonna really kill the experience or maybe it's totally necessary because these things have to work offline, right? So those are a lot of product decisions and things that must be informed by user research. But at the end of the day, the person wants to present that they got some coursework completed and that they are amply qualified for a job, right? And the employer wants to be able to look at that in a nice screen and decide if that's a candidate that they like or not.
So I think focusing on those end-to-end experiences takes conversations with those specific industries and interviews and research with those individuals. It's really difficult and challenging for people who know about the technology to make all these guesses about what good looks like, right? So I think active engagement with those specific verticals are necessary. It's hard work though. One call out is like GS1 has done a lot of work here and it's GS1, I think they invented the barcode and Kim can probably talk a lot more about this one.
I think you actually have more of the details but I know that they've spent a ton of effort figuring out how do you represent parts of the physical supply chain using a lot of the interoperable decentralized identity technologies, right? And that takes understanding what the industry is all about and what the expectations are across the different shipping points to do a good job with that. So I think to answer your question in order for different industry verticals to emerge we need to have expressions of interest in collaboration with participants.
I think that basically if you're in an enterprise listening to this the best thing you can do is basically funding a pilot where it doesn't have to be a lot of money probably not a lot compared to what you're spending with your existing vendors but basically being able to make sure that your needs and what you want out of the framework what you want it to do for you are expressed in the ongoing credential schemas and how people are gonna do things in the protocols so that your use case is definitely possible, right? It's a pretty like a small investment for what will be outsized return I think.
Kim, anything to add to that? I know that you know a lot about some of these things. I'm really glad you mentioned first of all the importance of use case fit and user needs. I think that that's where a lot of early pilots that we saw kind of fell apart.
So just early on a lot of times the exuberance was around yay, we got a credential issued into a wallet and within speaking of some of my own earlier implementations then we would do user surveys and the users, the people using it would say, thank you, I'm not sure what new threats this opens me up to if I lose my wallet and we had plans for that. We weren't going to abandon them but there was a lot in terms of messaging and then resilience ability to opt out making sure that people know their data is safe. So I do want to underscore the importance of that.
Another area, so you mentioned some really good ones is supply chain definitely stands out as one. The other area that has its own buzz phrase now would be reusable identity or reusable KYC is something that's really popular. And so one area, so I think that also needs to, again, we're not good with naming in this world. Like we're just, we sort of throw out these names that seem like the best possible fit.
So decentralized identity we hate, reusable identity is kind of catching on but it doesn't mean that someone would issue a credential that then a relying party or some other site you interact with would accept and necessarily say, oh, okay, I'll take your word for it, this person's good. Reusable KYC, reusable identity may mean parts of the identity verification processes. Large parts are maybe trusted or relied on by a shared framework so that a relying party could then accept it and say, yeah, I'll accept these but I'm going to keep doing my own diligence.
So in finance, financial onboarding, we're seeing increased interest and it may be even use cases within an organization across jurisdictional boundaries where they can reuse large amounts of their KYC verification process. And so the idea is even, you know, not that it needs to solve all problems immediately but if it can shave off like this 80% of costs with identity verification and really get you a lot of the way there, that's what we're looking towards. So finance is another where we're really seeing huge increasing interest in.
I will hype that in Decentralized Identity Foundation, we have a reusable KYC focus schema effort coming out and we're working on that and a few other claims around user onboarding. Some have to do with age verification. So we're getting a broad range of interdisciplinary interest in that which is absolutely critical. They can't just be designed by technical people for organizations to rely on. A note on reusable identity, you know, just like I said about decentralized identity, well, identity is already reusable, right?
Like do you have to get a new plastic card every time that you open a bank account? No, you can kind of use the same one, right? So a lot of it is mapping our expectations from physical reality to the digital world, which we've had very, you know, a lot of attempts to do, a lot of thin representations of it. But I think that one really stark example is think about how much authentication and identity assurance is happening when someone just goes in person and shows their ID card, right?
I don't think we've as an industry fully appreciated how much we take for granted in that interaction, physical presence, card with many security features, you know, biometrics are in play, even though we don't have an algorithm for it, it's, you know, machine learning in the brain. And it's a ton of things we're doing already, right? And gives us a high degree of assurance. And we're only now trying to figure out, okay, what are the digital analogs? What are those pieces we didn't consider? And what are tools that we need to better represent them?
It's still gonna be imperfect, but what's gonna be good enough for the use case? Mm-hmm, yeah, there's so many good points that you guys brought up in these last comments and to kind of tie them together, especially bringing our physical existence into an ability to interact digitally and also in a hybrid manner where you're interacting in person, but you're able to show a digital credential instead of your card and vice versa. That flexibility to go both ways is really important. And part of it is being open to the concepts and the technologies that can help us get there.
So that's a great moment to take a look at our initial poll results. Are you, the audience today, familiar with decentralized identity?
88%, yes, 12% no. So it's great.
Thanks, both of you, Kim and Wayne, for taking the time to go through definitions, to still do this foundational knowledge building here. That's still a big part. And all of us who are already familiar, we have different definitions and different understandings. So it's good to keep the conversation going and move towards getting on the same page. To keep going on these comments that you've already made, we have a second poll question for you, which is on decentralized consumer identity. How important is this to your organization in the next 12 months?
And this really ties in to ideas of age verification consumer onboarding, being able to groove different interactions or use this for approving a high value transaction or getting a loan approved, for example. So there's some really interesting applications here of a consumer decentralized identity that bring us a little closer to these kind of well-rounded solutions for dealing with the authenticity in all modes of interaction, physical, digital, hybrid. So I'll let you send in those responses.
I have a few more questions for Kim and Wayne while those come in, and then we'll take a look at those results as well. To wrap us up, how do you envision the role of decentralized identity and decentralized technology to shape our digital landscape, including content authenticity, but also beyond?
Kim, do you want to start us off? Sure, yes, I'm excited about the critical role they'll play, not only enhancing the digital landscape, not only enhancing security, privacy, and user control and all of the scenarios we talked about now.
I think that a lot of the ones, when I originally joined the space in what continues to motivate me and many others is the fact that it can enable transformative new business models, approaches, use cases when we're starting to chip away at these kind of say like sort of gates, traditional gates that exist, whether it's in you need a four-year college degree, all of these things in the current model, there's no real reliable way of capturing the richness of you as an individual, your ongoing learning and experiences, whether that's better career matches, access to better loan rates or something through proof of reliable payment history.
I think we're really excited about the transformations that start to happen when you start increasing trust in these sort of nice primitives that come as part of decentralized identities. So if you can trust the envelope wrapper and you can trust the authenticity and it hasn't been tampered with, it can contain such a broad range of information. If you can trust a broader range of sources, you start to chip away at these sort of legacy, stiff requirements that used to be required. It used to prevent people's all kinds of access to new opportunities.
So I'm very excited about the widespread transformation that could happen. Great, I think one transition event or one thing very related to decentralized identity is how third-party cookies are going away. People don't really talk about that about like a year or two ago, but it's kind of like tapered off. But I think it's very important to consider because it's an opportunity to move to digital interaction models that are user forward. So instead of the cookies trying to track you and determining, did you just move to a new apartment? Did I market you?
Can we have a self-issued credential that says, hey, I'm looking for a new apartment. And now I just get all these offers and I already bought a sofa, so don't sell me that. And it's a way to reverse the interaction. And I think it's a much better model even for businesses trying to sell things. So it just, you didn't have time to respond to all those things before. And I think this culminates in to basically bringing back user agents in the original sense.
If you look at some of the really early specifications in the ITF and other kinds of groups that worked on protocols, user agents were a broader concept than just a little string that you send with HTTP requests. It was really about having your champion, having someone in the digital world who's gonna seek after your interests and eliminate the principal agent problem, right? So I think that we're gonna see the emergence of some of the early visions for the web and I'm very excited for that.
Yeah, there's so much to talk about here and we've really only scratched the surface. Unfortunately, somehow an hour has gone by like the blink of an eye. So thank you so much to Wayne, to Kim. Thanks for sharing your ideas here, your expertise, your experience. And let's keep the conversation going. So at EIC in June, the 4th through the 7th or the 6th, no, the 4th through the 7th, I should have that right, excuse me. Please join us, we're gonna have this session with the addition also of Linda Jeng who is the founder and CEO of Digital Self Labs.
So we're gonna continue this conversation, dive in even more to what does this mean for business implementations? What are really key important things to be aware of when it comes to policy, when it comes to interoperability? So please come with your questions digitally or in person. And thank you, of course, for participating today and giving your feedback as well and your questions. Just to wrap up, to read the room a bit, what are your feelings on decentralized consumer identities, especially for your business in the next 12 months?
Actually, no one in the room said this is not important. This is a really interesting observation.
Of course, we've got perhaps like-minded folks in the room, excited to talk about that and break it down even more when we're together at EIC. 37% of you found this neutral, no particular leaning either way. 36% find this important and 27% very important for your organization.
So yeah, let's talk about it. We'll see you at EIC either in person or virtually. Thank you to the audience. Thank you to Kim and Wayne for speaking with us today. And we'll talk to you again soon.
Annie, thanks so much for having us here. Of course. Thank you.
Yeah, it's a pleasure. Take care. Thank you.