We're back, it's Berlin. It is towards the end of the day, which means there's only another 65 hours of content just today alone. So thank you for spending the remaining brain cells that you have left with me. I actually truly and deeply appreciate it if you saw me earlier today. I mentioned that our industry is additive. Our successes are layered on top of other people's work collaboratively.
And these are just some of the people that truly over the course of decades have contributed to this talk and know that almost all of them have never seen it, have never seen a draft of it, but they added to it. And that means a lot to me. And I have to say thanks. So let's get the bad news out of the way. What if I told you that despite decades of work by our industry myself very much included, we actually haven't gotten a lot done.
What if I pointed out that like we still struggle to solve real common problems? The reality is that you would have probably a negative reaction.
You would, you, you wouldn't necessarily believe me, at least a party of you wouldn't. And you'd say things like, let me look at all of these sweet smelling standards and the products that embody them and implement them.
I mean, more bluntly, look at all the money that has been invested in and spent on identity management. And of course you are correct, but problems still remain, right? We struggle to govern access. We struggle to manage user accounts and we still struggle to overcome the gap between ourselves and our security peers and our developer peers.
So the better half of the first family of identity, Pam Dingle once said, we actually haven't solved anything yet. We're just now building the tools that we need to go solve something. She was and continues to be correct.
We struggle to solve many problems in identity and in some regards, this is because we struggle to actually apply identity management. Consider this. Nobody except for the people in this room and their peers who are still trapped in Las Vegas care about logging in and nobody actually cares about showing an image that purports to be a mobile driver's license. What they care about is what happens next. What they care about is the application of identity. And so I wanna spend a little time tonight talking about this idea of applying identity management.
And I'm gonna use this concept called counselors to actually work through it with you because I believe that we are closer than ever to actually achieving something that will go do real world outcomes for individuals.
And we're gonna walk through this notion to, to sort of see if that's true or not. And the legitimate first question to ask is, what is a counselor? Exactly? Well consider it's a digital agent backs on your behalf. It can make suggestions about services or things to interact with. And it generally speaking, looks after your interests.
It is an active client, meaning it is running on all of your devices and it's going to step in before you provide some information to say a risky site. Gee, wouldn't it be nice if something could stop you from sharing data late at night after a conference? Yes. And along the way can actually inject some pseudonymity into the process. So I'm gonna give some love to this side of the room. Now a counselor should be something that I could go to say, look, I need you to go get me a ticket to Berlin.
Here's the dates. Sort it out and it can go off.
And no, I'm a star Alliance flyer. I like a window seat. I'm leaving Washington DC and not come back with just some search results, but actually come back with a booked airplane ticket. Simply said, a counselor is something that can actually get something done on my behalf.
Now, to build one of these things takes six components. Let's start with the ones that we're most familiar with. So if this thing is gonna act on your behalf, it means it's really acting like a persona, okay? And that means it also has to use the credentials associated with that persona. And good news. We actually know how to store credentials. We know how to actually represent these things. And similarly, we know how to store and manage pass keys. Fantastic.
And one can imagine that as verified credentials come into the fore, these two will be part of the mix because nobody for the next, I would say 20 years will only have passwords or only have PAs keys or only have verified credentials.
We're gonna have a mix of all these things. And so if that's the case, then we need some sort of brokerage over all of them so the counselor knows which one to use in what setting. So we start with that brokerage agent. But we know that life is more than just signing in. Wait a a minute, I think I lost some of the audience.
Alright, altogether. Now we remember that life is more than just signing in. I don't think you are. I don't think there's any hope for Europe. I mean if like really one more time, okay. Life is more than just signing in. We will get there. We'll get there because after I sign in, what do I do in order to get something done? I provide some information, might be a shipping address, might be a form of payment, might be a student identifier, but I use information actually get something done.
Good news.
Again, we know how to store this kind of information. Maybe not too sexy, maybe not too glamorous, but our browsers know how to do form fill and they certainly know how to broker payment. So we have means of doing this, but we can't ignore the fact that there are definitely use cases that require more verifiable data. Fantastic. So we have all of the hard work going on around verified credentials, which I hope present standardized, or at least standardizable way of representing this information and the presentation thereof.
And if that doesn't really work, we can always fall back on form fill and comma separated value files. Because let's face it, they just always work. So we have this data manager, right? This is the thing that's going to present information that I need to get something done. Or more importantly, the counselor needs to get something done on my behalf.
And again, one can imagine as verified credentials coming to the fore that it, they serve this purpose as well.
But I really want to think about how the counselor can help individuals. And let's think about this real world, what we would call street smarts is reasonably common. You've got an innate sense, maybe I shouldn't walk down that alley or well that cash machine, nah, I just don't think I'm gonna use it. But the digital equivalent of that, that's not as common. So that's why we need the nudge. Isn't it obvious? No. What the hell is he talking about? You ask?
Well, pretty straightforward in Yiddish, a nudge is someone who pesters, right? What we need is a little bit of well intended pestering to think before we hand over information. Imagine that these counselors can step in and say, hold on a minute. Not a good idea. This is not the site you think it is. And guess what? We actually already have some of this.
Our browsers to differing degrees can give us indications of relatively speaking authenticity and safety of a site. So one could imagine we could scale this up to do more than just say URLs, but even think about services, APIs, et cetera.
And along the way it's a perfect opportunity to inject pseudonymity one time payment tokens, burner email addresses. We have that capability today for sure. So we start with things we already know about credentials and data. We start adding to that in this process of application, there's something important that's missing. There's a dead giveaway. It's because there's white space on this slide. So how are we gonna fill it?
What Eve was just talking about, in a lot of ways privacy is a major missing ingredient here. Now we gotta do two different things.
One is we've gotta be able to express what information am I okay? Sharing under what conditions?
Okay, so that expresses what I'm good with disclosing. And at the same time, the counselor and I need to understand what the heck a service provider is actually going to do with information. If you only have one of these things, nobody can make an informed decision. So what we're really talking about is something to resolve data use, essentially take a privacy notice and translate it into something I can understand and thus the counselor can understand. And we need a consistent representation of what information am I okay sharing under what conditions the problem.
We do not have standards in this space. Consider there is no standard schema representation for consent, let alone the things I'm describing.
But all is not lost. AI is actually here to save us, which I know should get laughs given what we've heard earlier. But actually legitimately large language models are actually pretty good about translating things. So translating a privacy notice into something one could understand as a for instance. So the component we need to add to the mix is really what I'm calling this preference resolver.
Essentially it expresses what information I'm okay using under what conditions, just closing. And then what is the service provider gonna do with that information in a format I can, and thus my counselor can reason over, but this too is still not enough.
See, white space, I gotta interact with this darn thing. And the nature of that interaction has to be robust. It has to be more than just a child's toy that oh knows 10 phrases, doesn't really have a sense of context.
And here too, generative AI and large language models actually can be useful. It's actually really good at doing these things. Now this interaction model has got to be multimodal. It should work as audio, it should work in text, it even has to work in touch because we want this thing to be usable by everyone and it needs to be multi-form factor.
So what starts as a mobile device becomes a wearable device, becomes an implanted device. And there is real evidence that as soon as tomorrow, thank you Heather. As soon as tomorrow Apple is gonna announce one of its AI models running fully locally on a device. The race to push these models to the edge without having to call back is incredibly important. And we're gonna need that because it's really that ability to run these models close to the edge that allows the counselor to understand my request of I need to go to Berlin.
So we have this multimodal and multi-form factor interface layer that then sits on top of the counselor foreshadowing. There is still something missing. And this is the scariest part of it. This is the most important part of it. If I want this counselor to be really useful, it has to observe, it has to observe me, it has to observe us what apps we use, what sites.
Heck, even down to the APIs. What data am I sharing? What credentials do I use?
Let's call this what it is.
Oh crap, right? Because if I want something to really be useful on my behalf, it's gotta study and learn from me. And I've gotta be okay with this. Guess what? This is what I call participatory surveillance. I have to opt into this whole affair. We all do this today. Don't believe me. Consider your loved ones. Consider your friends. If you are lucky enough to have an executive admin, they know what you like, they know what you dislike, they know you well enough to know when something's not quite right. That's an incredibly powerful thing on our daily lives.
This is the power of participatory surveillance. We actually need to bring this to counselors to make them truly useful.
Now, very obviously, given what they will observe, there have gotta be very strong controls over what they can see and what they can do.
Good, good news. We actually have the hints of this today. Consider in your mobile operating system, there are governors in place about what Siri can look at, what Google assistant can do in terms of what data it can interact with, even what apps it can interact with. Now that has to be greatly scaled up, but at least we can start to see the outline of something that can actually safely manage participatory surveillance.
So this exercise of applying identity management starts with things we are super familiar with. Credentials, data associated with an identity subject to that. We add a sort of safety net if you will, try to increase some digital street smarts or at least inject it from time to time. It's informed both by what the individual is okay sharing in terms of information, but as well what clearly service providers are going to do with information. And the way we interact with this works everywhere for everyone. And it's powered by this notion of participatory surveillance.
So these are the ingredients for building a counselor. But what we've just walked through is an exercise in applied identity. It starts with things we are familiar with. We take common IAM building blocks and we recombine them. We recombine them for the purpose of helping people get real things done in their lives. And that is far beyond just signing into stuff because
I'll give it to you, it's late. So I use this example of talking about digital ident to actually achieve real world outcomes. Now this example was more customer-centric.
Siam, I think we could agree, but there's no reason why you can't do this same exercise in other contexts to think about it from a workforce perspective. Think about it in a citizen social services perspective for the unbanked, for humanitarian situations. So the challenge I'm issuing is look beyond just user account management, right? Challenge yourself to say, how do we actually think about real digital identity management?
Thus, how do we think about getting these real world outcomes to do this is this notion of actually applying identity management for those real world outcomes. And if we can do this, we can do this, then we really achieve something. Thank you so much everybody. I told you it also, I'm gonna get a lifetime award for finishing early and making two minutes back to you. So
Congratulations. Thank you so much, Ian. Always entertaining, always informative. Great to have you on the EIC stage. Again.
One thing I wanted to ask you though is like what potential impact do you see counselors having on actual service providers and what could they do to prepare, you know,
Well I, I think there's simple things to prep for them. One is actually have privacy notices.
Like, like let's just start with that. But then being able to actually have those in a more processable form, that's important. Second is there's a variety of concerns we have to think about that says, as a service provider, I may, depending on my industry, need to know did I actually talk to Ian or did I talk to a counselor acting on me? Half of Ian, by the way, this is the same problem as did I talk to this patient or someone with their medical power of attorney and I'm talking on their behalf, the on behalf of problem we have yet to really solve.
And so whether it's another human you're calling on my behalf because you're doing me a favor or it's an agent acting on my behalf, those look very similar. And so, although some industries have thought about the problem and worked around it, I think that preparatory work, which we don't even know what it looks like yet. That's the thing we gotta crack.
So you've heard it from gl.
Thanks everybody.
