KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
|
Applying the principles of self-sovereign identity to financial and social media sourced data points will enable businesses to make better and informed decisions about retention, acquisition and eligibility whilst relieving them of most of their obligations under GDPR. |
|
Applying the principles of self-sovereign identity to financial and social media sourced data points will enable businesses to make better and informed decisions about retention, acquisition and eligibility whilst relieving them of most of their obligations under GDPR. |
So zero party data. I think let's start with the two definitions. What does zero party data mean? And to the two key parties? First of all, let's think about it from a consumer point of view. Zero part data from a consumer point of view is about asserting or proving things without saying who you are necessarily from a business perspective, zero party data is about making informed decisions about acquisition retention, eligibility value, without necessarily assuming a lot of the legal and technical overhead of doing that and, and remaining compliant.
So my objectives in this next 20 minutes are I'll share with you the key hypothesis, all major software visions. If you like, or product visions really should start with anti hypothesis, what is it you think is going to happen? That's going to change the context for doing something and as a product guy, you need to understand what the technology's capable of, but also to some extent what the market needs.
So we'll share my assumptions about the hypothesis and then look at the way we've pieced together some key building blocks and, and what the propositions or the improvements are to the key parties. And then we'll, we'll stop in time for Q and a. So the fundamental hypothesis behind Valdo, as we're gonna talk about today is there are three fairly unstoppable forces. The first one, GDPR European legislation, an area where arguably we're leading the world is about giving people control and access and visibility and auditability over their data.
And we have extensive legislation in place and it's designed to help consumers, but of course, it's causing a lot of disruption to the way things work today. PSD two is another area where in Europe, we are undoubtedly ahead, PSD two is also legislation. What PSD two or open banking is about is about grounding access to the financial networks, to companies who are not banks subject, of course, to consumer consent, an SSI, which I would've spelled it out. But knowing that you had an extensive presentation on this, on the agenda yesterday, SSI is the emerging field of verifiable credentials.
Self-sovereign identity. It's once again a modification to the Bitcoin protocols. And it's building on a lot of initiatives that have looked at how the crypto building box might be used to manage permissions and control on an open network. And of course, put the keys, literally the private and public key in the hands of the data subject and, and, and Valdo the product I'm gonna speak to you about today sits right at the heart at the overlap of those three initiatives. It's about enabling people to assert something which could be proven from a bank statement without saying who they are.
So, first of all, why do we, why do we need something like this when we have open banking APIs? Well, we do have open banking APIs and the governments around Europe, and certainly in the UK have done a great job in imposing compliance and mandating compliance and finding non-compliance. But there are two fundamental hurdles to representing data via API from a bank. The first one reminds me of my time at Barclays. I was incredibly impressed. Novia Barclays is 330 years old this year.
I was incredibly impressed by how serious they took one particular foundation of the relationship between them and their customers. And that was that only two people can see their transaction history, the bank and their customer, and that no one else should be allowed. And banks spend a great deal of money in trying to make sure that that promise is defensible and maintained along, comes open banking. And with the click of a button on a website, all of a sudden someone can theoretically at least make available such critical, sensitive information to a relatively unknown company.
So there's a consumer barrier there. This is the most sensitive data most of us have, but it's not just a barrier for the consumer because the business as well in implementing, even through an API is having to assume not only a technical modification to the way things work, but the having to assume the contractual responsibility to play the role of data controller and the role of data controller under GDPR is the most onerous contains, carries the most onerous obligations you just have to look at.
There are various sites to see the significant fines being imposed upon companies around the world for breaches, many of which are, they were not necessarily to blame for arguably in some cases. So what have we done? That's different?
Well, by representing data as a very viable credential, we've enabled the bank to maintain its promise. If you like the promise, I mean, is that they will send the transaction history no further than the consumer. So in this model, the open banking APIs are still invoked through what is effectively a data wallet authentication to the bank is carried out using the rules, defined by that bank for their clients and historical data transactions are then curated and sent to the consumer. At this point, the consumer has assumed the role of data controller.
So they, and only they can see this data in our model, no version of it exists elsewhere. There are other models where that statement may not be true. And then at that point, it's up to them who they send it to. And that solves a problem on the business side as well, because the business now is no longer in that role of data controller and they can receive that information via chat, email, many other methods. So how are these credentials curated if you like. So from the consumer side, you start with a wallet.
This is a crypto wallet where a private key is installed in the, in the secure enclave. And in our service, we may, we, we require only one piece of information to activate that wallet. And that is a nickname we don't ask for any personally identifiable information. So once that nickname has been set and is unique, various credentials can be activated. And the process for activating them, where, where of course the source is banks is authentication to your bank, using the process defined by the bank. Now this is something that we don't see.
This is something that many of the audience will be familiar with. It's the foundation of open banking, data access. But in this model, what's happening is the data is being sent to our middleware or back office, the credential data interpreter and the credential processor. And once the schemer of the credentials are populat, then those values are updated in the wallet that could either be in a native app on the client's phone, or it could be cloud based. And at that point, the consumer is in charge over what is and is not visible.
So if you think about it at this point in time, I've effectively, it's a bit like I've gone through my bank statements, I've summed and totaled a few things. And I've created a piece of information that can assert something. You don't know who I am, but you, you are. We are able to allow that person to say, I'm employed. I earn more than this. I'm worth more than that to an airline PS Lloyds or HSSBC or Barclays said.
So, so how do we curate that data? Well, this of course is ongoing. And part of the, if you like secret source or expertise of the business data transactions through open banking are notoriously difficult and not necessarily intuitive to interpret, but there are pump companies and people and techniques that we can use to infer the core attributes that we need to turn raw data into what we call a verifiable credential.
When we, when I use the term verifiable credential, I'm referring to the W3C standard, the distributed identifier and VC. So it's a, it's a growing international standard. And I know, or I'm aware at least in the EU, there's a E B C I, I think it is who we're looking at further describing frameworks, if you like for the use of some of these techniques. And I think this is a huge opportunity. It's very exciting.
I think to be in Europe, not only do we have this advanced openness with regards access to the information, we also have a fairly, fairly enhanced, well developed standards, body looking at the right way to architect some of these things. And I'm sufficiently old to remember the role that the EU played in standardization of GSM decades ago and the huge businesses that it created in Ericsson, Siemens, Nokia, and, and, and many others, Jim, of course, and in France.
And so perhaps there's another opportunity for the EU to do something similar by which I mean established global standards for the way some of these things should happen. But of course, so what types of things can we infer from those transactions and how might they be used now, this is just one example. What I've used here is an example from a mobile network credential, the watermark in the back is basically your, the notarization.
You know, you, you can rely on this because it came from Lloyds, the nickname or the wallet address may be Popeye. That might be my nickname, but the watermark is Lloyds. So you don't know who I am, but you order as a business to have confidence, to be able to rely on, on this information.
Merchant is where the transactions, you know, to the, the, the payee, if you like since gives you an indication of history, when was the first transaction recognized, and that becomes important in things like contracts that might be coming to an end, you can relatively easily then calculate the age of a contract based on the first transaction updated explains how something, how current something might be the history field, 22, over 60 that's indicating the 60 indicates in this case, we've had five years or 60 months worth of transactions, but on this particular credential, we've seen 22 payments.
So what that would tell a business is this, person's been with that company for 22 months and where contracts are 24 months old, that might be a key indicator of propensity to switch or change. Average is obviously the sum view is how you deliver on the GDPR obligation to report to a consumer who has seen their data and score at a hundred percent is a sort of crude merchant or, or, or category specific credit rating. If you like, if we know you've been there 22 months and we've seen 22 equivalent payments, we can probably say you pay your bills. It doesn't mean this person pays all the bills.
It might mean they pay their mobile phone bills. But what open banking is to the banks in Europe, arguably I think GDPR is to many of the social media giants. In other words, it's law, which requires that organization to make available what they know about you and me to us.
And, and, and so, arguably I think these same techniques can be used in some way to, if not entirely reverse engineer, to at least start to take back control over what it is that is known about you. And of course what it is you are willing to publish or publicize about yourself or yourselves. And I use that term deliberately because I think in life in general, many of us have multiple identities. I'm a father, I'm a colleague, I'm a friend.
I'm a, I'm the guide pub. I'm the guy at my hobbies.
And, and, and our online lives have perhaps perhaps increased the number of identities that we all have, or, or, or curate throughout our lifetimes and a technology like this allows us to do exactly that, to say what information attributes we're willing to, to make available. And as I said, what, what open banking does to banks GDPR in its data portability clauses, I believe will have the similar effect on the social media companies.
So our vision for this product is not just to rely upon the bank as a data source, but to look at anything where we can have confidence in the authentication process to that data source. So that's a consumer perspective. We've looked at why it solves problems for banks.
You know, banks have got this hugely valuable asset, but it's, it's, it's, they've got a promise not to reveal it. And consumers want to make sure that they know who's seeing things. What what's the business perspective, the simplest way to think of it from a business point of view? I think the analogy I often use is it's like a magic pair of glasses, a magic pair of glasses through which a business can see the value or assess the eligibility or approve or reward people without necessarily knowing who they are.
For example, walking around with a, a credential, which, which, which summarized your value of as a consumer to a supermarket might replace a loyalty card that was Julian. Can I location Interrupt you? Yeah.
Julian, can I interrupt you briefly? So unfortunately we need to move on. So can you wrap up in the next minute this, Yeah, this is an ultimate slide. Fantastic. Thank you.
Yeah, thank you. I'm looking at my timer here, but thank you for the reminder. So the magic glasses are the vehicle through which a business can see these attributes they can, and they, they, they can evaluate people based on whatever criteria they define and they can apply these glasses through any channel, whether it's a physical location, geofenced, whether it's a scanning, a QR code or clicking on a link in an app or the eye zone, the reference to the eye zone is where things just happen. It's ephemeral, conditional.
If someone's broadcast something and I've prefer to see it, then the connection will happen. And that model has the potential to significantly impact the advertising world. This is the last slide now. So our aim as a business is to enable businesses to better value, retain, acquire, approve, and communicate with their audience as a segment of one, but without assuming many of the onerous legal and technical obligations of handling what most people use today, which is first party data. So thank you for your attention. And with that, we'll open up to the questions.
