KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Testing. We're good.
Alright, clicker. You need a clicker? Alright. Welcome. Welcome. We're going to be talking about the the city hub, which is the sustainable and interoperable digital Identity hub. This is a new initiative that was just kicked off last year. Let me do a quick round of introductions and I will start with myself. Gail Hodges. I'm the Executive Director of the Open ID Foundation. And to Nick, I'm Sho Chief, I Chief Identity Strategist at the Open Identity Exchange. I'm Mark. Hi. I wear several hats, but today I'm representing the Open ID Foundation.
I'm Deborah Campin, I also wear several hats. And today I am representing the Secure Identity Alliance.
Hello, I'm Nick Thorn. I've got lots of hats too. I am a former British diplomat and I'm here to talk about governance and future threats. And now you're trapped in the door. Thank you Abby. Great. So we're going to have a, a quick introduction by Deborah who's gonna explain the background to the city hub and then I'll all pick up and talk about the strategy that we're we're taking on.
Then we'll turn over to Nick who's gonna talk about the trust framework analysis that's already underway by OIX and the collaboration with other trust framework thought leaders to scale across jurisdictions. Mark will talk about some of the minimum requirements to achieve interoperability across implementations of digital identity. And then I'll be pulling in Nick to talk about some of the gaps that we're seeing in the, in the global ecosystem.
So Debra, why don't you give us, Come here. Oh, well that's all of us. It's the goal. Yes. Thank you Gail. Hello and welcome everybody. So the good news is that there's a lot going on in this space in the digital identity space. The bad news is that I think we're just not there yet. So when I say there yet, I mean that there are a lot of different activities, programs launched in various jurisdiction to set up digital identity schemes. But when it comes to a global coordination and achieving cross border digital I interoperability of digital identity, we, we don't have it.
And that's normal. We are at the beginning of our journey and this is where Citi hub comes in.
So we, we think, we believe, we firmly believe that we can only achieve this by collaboration. And we have a lot of bits and pieces done by all these great organizations.
Some, some of those are represented here, but Citi hub is much more than that. So we are representing Citi hub today. But essentially what we decided as a community was that we have to get together, we have to collaborate. And I think this is really to me is the greatest part about this initiative. So Gail will get into all the bits and pieces, but just the, the idea, the fact that we were able all of a lot of standard organization governments to sit down and say we have to work together in itself to me is a success. And now it's the beginning of the journey.
So to be more concrete, this is when we launched Citi hub and Gail mentioned that is really new initiative. So it is as new as last year, November. So that's the first time we called the community to meet. We explain why we were there and what is our objective and we see if we had buy-in 'cause it's not a given, right? So look at the logos over there. You might know a few that are a lot of efforts.
So from securing hardware to protocols and and and privacy efforts and we, we met in Paris and we together with the governments that you see on, on the right part of the slide and also some multilaterals like World Bank, OECD in various UN agencies. And we had a full day, full day of, of this, of great discussions. And that's when we ask to the community if it's worthwhile continuing this. So is this a problem? Is it a share problem and do we want to continue that?
And so we had quite a favorable opinion and that's when we started to build all the different work streams in which all these different organizations are contributing. And we didn't stop there because one of the feedback of the discussion was that we need to meet the people where they are. And so we need to make sure that we are inclusive. So if we want to achieve cross-border interoperability, we can't have u US Canada discussions. I mean those are great but the world is much bigger and so we have to go meet other regions.
And to do that we built an incredibly ambitious plan that we are going through this year that is having different city summits in different continents. So this, this is the, the first one that was in May, right? It's just two weeks ago?
Yes, two weeks ago. It was the first one. So we went to Cape Town to meet actually the African community and we did like, again, one day exercise, it was a, a workshop to try and understand what their issue were when it comes to cross-border interoperability. And the nice thing is that we heard things that we didn't think of and that's exactly why we are doing this exercise. And then yesterday we were here in Berlin and so this is to hear about European, from European folks and of course good representation from the US and, and some other, some other countries as well.
And those are the participants. So you see the slide here and again it was a one day workshop and every time we we move forward in another continent, we always increase, we have more material, more work done. So it'll be more and more focus as we move along over time. But important thing is that we always talk about use cases and we get the perspective from the region. Great.
Sorry, quick. So as I mentioned, we we're staying humble, so we always ask is it worth continuing? This is important because we don't start from the assumption that we have the answer or this is necessarily the right way of moving forward. So every time we have a survey and this is the response that that we had, which is is quite positive, it is obviously different based on the region. And now we are looking forward for the next step which will be in the United States and then in Tokyo and then in Brazil.
But Gail will tell you more about this and I think with this nice transition I will leave it to Gail. So now you had the sense of, you know, why we are doing this and what what we have built and she will get, she will drill a little bit more into the details.
Great, thank you. Thank you so much Deborah. I'm gonna stand up 'cause I like walking around a little bit. So some of you might've seen this slide earlier. There's a couple of repeat slides from this morning. But just to kind of tee up the problem, this is a chart that was in the paper that Elizabeth Garber and Mark Hane sitting up with us present prepared last year as lead editors of the paper, human-centric digital identity for government officials. And in that chart they kind of laid out a spectrum of the types of deployments we're seeing amongst countries today.
Those that are more centralized, those that are more decentralized, starting to take wallet based approaches or other verifiable credential based approaches. Those that are more public led from government led like Adhar in India and those that are more private, private sector led like the bank ID implementations in in Scandinavia. So we have very different starting points based on values, based on norms within different jurisdictions around what feels comfortable, the type of technical approach, right?
But trying to get to actual interoperability across all these different deployments is a non-trivial feat. And the flags on the screen are just a very small representation of the tens of digital identity deployments that are live today. There's actually tens of millions of people in in Nigeria with digital identity credentials issued by and managed by Nipsey. There's also new, you know, many credentials issued in Ethiopia, South Sudan, Morocco, a lot of countries you don't typically hear from here at EIC Bhutan also has a deployment of digital identity.
So there's a lot going on all around the world and it might be, you know, clouded over if all you're thinking about is the European digital identity deployments, there's quite a lot happening in the rest of the world at the same time.
So the, the goal that I personally see is that it should be as easy for an individual to present their digital identity credential wherever they're from, whatever that tech stack is that sits behind it to a relying party as easy as sending in, you know, giving somebody your email address and you expect it to just work or you give your phone number and you expect it to just work or your passport, right? A very well worn path of decades of standards development so that your passport be a digital or physical version that that can be presented and then accepted by the border border patrol.
So how do we actually get there? I tested this, this sequence of slides out in, in Africa, so you're, let me know if this works for you, but if we want to kind of, you know, spit out of our tech stacks interoperable solutions so somebody doesn't get stopped at the border with their adhar credential that they wanna present here in Berlin, that's currently what would happen, right? People are stopped at the border and you can't, you can't cross over the divide. But we need the wallets, the APIs, the federated implementations that are going to ultimately interoperate with each other.
So what we need is kind of the tech stacks using my analogy here of a manufacturing plant. You want the man manufacturing plant to spit out the trains and the tracks that are gonna interoperate. So how do we make sure that those, those tech stacks or those manufacturing plants get there? We need good blueprints, we need checklists that are gonna allow for certification and conformance. But of course there's even more than that and you as technologists and experts will appreciate that you also need policies. You also need your checklists of like requirements.
You need to have contracts that are going to require of your vendors solutions that use open standards maybe in some cases that are using open source code and that even the financial compensation is tied to certification and conformance. You also need standards that are interoperable. You need science like things like the presentation, attack detection or liveness and other biometric best practices that needs to be incorporated into into your requirements.
Open source code is my little icon there in many jurisdictions, particularly in the global south, they're moving very quickly on use the use of open source code. And then here in the global north Open Wallet foundation is, is something many of you're familiar with. And then there's also metrics me, metrics and measurements of the progress. And I have this little box here to kind of show that in an implementation that one might have for NMSI and Nigeria, in some cases it might be bolting on some capabilities that would allow for that cross-border interface to happen.
But bolting that little green box on is incredibly difficult and Mark's gonna talk about that in just a moment. So what is city hub? What is this sustainable and digital identity hub? Well it's a bit amorphous, it's a community. It is not any of those things on the right hand side. It's not a legal entity, it's not a governance body, it's not a standards body, it's none of those things. It is just a community of people trying to solve for these problems.
And our hope is that our superpower is that we're not one of these things because the moment you become a legitimate entity then you're worried about who's controlling, who's calling the shots. Is this driven by the us? Is this driven by, you know, some funding donor of the Gates Foundation? Like everything could become very polarizing very quickly. But in the spirit of world trade organization, best practices for standards development one, there's a theme of consensus, there's a theme of transparency.
So we bring these themes of transparency, accountability, inclusion and trying to bridge between the north and the south by bringing the actual subject matter experts who know what on earth they're doing together into the same conversation to actually solve the problems in a super pragmatic way. And that we do not need all these formal structures to accomplish. But if we don't come together as an a community of subject matter experts, no wonderful policies from the G 20 are magically gonna solve the problem of cross-border interoperability.
They literally don't know what they should be putting into an MOU to ensure that they're gonna end up with something that's interoperable. It's people like the, you know, those of us in the room and those of us floating around EIC that would actually take a European credential and make sure it interoperates with a California credential or could possibly interrupt with an ad hoc credential and vice versa, you know, various other configurations. So this is, this is our, our our way of thinking. Can we achieve our superpower through community.
On the top hand side are the, the actual decision making bodies, nothing changes, right? Multinational organizations still, you know, will do their G 20 and UN related activities. Governments will still be the ultimate decision makers when it comes to issuing their own credentials or providing regulation for digital identity credentials in their jurisdictions. NGOs and standards bodies will continue to do their good work and private entities will continue to build products and services and sell them into some of those players on the left hand side.
And then academia has a important role to play here, which we'll talk about in a, in a little bit later in this talk on how we can kind of scale and collaborate in a much more mature and structured way than we currently do as an identity community. So we have five work streams that we identified as part of our, our strategy discussions since our November meeting. And those were informed by surveys that we did with the participants in Paris to make sure that we were actually addressing the topics that felt appropriate for a community of this nature.
And the starting point was the champion use cases, just like any private sector entity that's deciding where do I build my product? Where do I build my services, how do I scale out? You need your lead use cases. So what are those champion use cases that we should be focusing on as a city hub community that will build those initial interoperable foundations over which additional use cases can be layered on over time. But what are the first ones and who decides? Well it's not really any specific country's job to decide or any standards body's job to decide.
So we think we should try to decide which are the use cases that will help us build out those initial rails. Then how do we achieve interoperability between these incredibly different tech stacks and complicated tech stacks. This is a painful problem which mark and the other co-chairs of the working group and Deborah wish they didn't have, but it's really ugly how one would achieve interoperability with these different stacks. So how are we, how do we break that down into its component parts and turn it into an engineering problem that becomes solvable. The trust framework mapping.
Nick has done an excellent job starting to analyze the first eight trust frameworks and I'll talk a bit more about that, how we wanna extend that across a very large number of of countries. And then metrics of success seeks for itself in city hub governance is both within Cub, how we conduct ourselves as well as identifying gaps that are not being fully addressed by a given standards body or pair of standards bodies or other entities. You know, what are the other gaps? What can we do to, to solve those?
So this calendar year, as Deborah said, we have a very ambitious plan to meet people where they are with Cape Town two weeks ago here we, we had Berlin just yesterday and we'll do the survey with yourselves and then in North America we'll meet in Washington DC September 10th in Asia in Tokyo. The Japanese government will host us on October 25th and then we're working with the Brazilian government to confirm the date to have in Rio alongside the the G 20 which is the middle middle of of November. There's also a various amount of readouts.
So I should have a little star next to Berlin for for EIC which is today to gather some feedback from yourselves as an audience as we get to towards the close of our, our talk. There's a whole lot of activities going on to get to where we are today. All of this is kind of volunteer time, there's barely an organization for this community group.
So we've pulled it together and secured some funding from the EU along with some key contributions from the Open ID foundation, the Secure Identity Alliance global platform, the Turing Institute and and some others to be able to fund about $300,000 worth of work to take us through this body of of delivery ultimately to help us get to the the G 20. And we'll also be seeking some, some funding support from other sources like, like is o to ideally continue this work going into next year.
We are applying a methodology in the champion use case work stream to try and both flesh out the use cases and we had a very good discussion yesterday to to flesh out about 10 of the use cases and then start to kind of define some of the key criteria like what is the cross-border interopability challenge, what is the scale of the impact, what's the impact on wellbeing, different use cases can have a more ma more or less material impact on people's lives. What are the identity inputs and outputs?
And we'll continue to add to that criteria and refine it so that we do bubble up a set of use cases that will lead us to the, what we'd like to have is three use cases so that we don't get pulled in one direction versus another too much. So here's a a brief slide talking about like how we're approaching the champion use case selection process using a lot of the publicly available resources as well as some of the city hub conversations. So we met in Paris we had a workshop to define, you know people brainstormed use cases in the eu There are 11 specific use cases.
So the large scale pilots have been selecting and working from the EU and the US had a TTC kind of bilateral agreement where they identified about six, seven use cases, the W three C and their work on the credentials community group. They also structured a set of use cases and then city hub in Cape Town recently, again yesterday in Berlin where we've also been fleshing out those use cases. What we wanna kinda get to is not only being able to select them with desk research to the best of our ability, right, this is volunteer time.
We're really trying to be as transparent as we can but we also are looking to kind of use some of our funding or additional funding to do field research. So once we've selected those top few actually going into the field in some of these global south countries, global north countries and making sure that those use cases are actually gonna serve people's lives the way that we would like to see them do. So here's just a quick slide to kinda show you all the different sources.
There's a list of EU digital wallet use cases you're probably familiar with the EU and the US had their bilateral agreement with some, a lot of overlap on those 11 items. We've done a bunch of surveys and, and we'll do the survey with you towards the end of the session. So this is a point of pause, ask you for feedback and I'll ask Elizabeth to kind of scribe in case you guys come up with some good suggestions. So here's the list of use cases that we've been thinking about so far and wanna see if anything looks like it's missing to you.
Do you think that there are any champion use cases that would really make a difference, you know, for you in your personal lives and what you see and know about users that you think we might not have covered? If you'd like, I can bring a mic to you. Does this mean we've got them all? Maybe I see a hand After taking my time to read through them. Do you have something around recognizing skills across borders?
Yes, it should be up there. Education Certification underneath that.
Okay, Cool. Education certification underneath that there's you know, asserting any professional credential that you've earned but yeah, keep them coming. Hopefully we can fit him. Hi my name is Hank. I was thinking two things. One is more general authentication 'cause it's probably in every use case and the other is that you can take any use case going through them. There's probably some that I can think of but I would stress the importance to clarify the user populations that you wanna run through them. 'cause that will me will make the biggest difference here.
'cause it's all people like me with a smartphone and digital literacy and then any use case will be easy but it's the the other people that can't go through it that easy. I'll jot down persona like persona and development. I think that's a good, a good build on the process. Speaker 10 00:21:28 Any other words? Speaker 11 00:21:34 Just one thing. It might be on the parent child and caregiving guardianship. That's something that potentially should be looked into working from Bank of the in Norway.
This is definitely something that's high on our lists for Yeah, connected to that birth registration, death registration. Thanks Type. So you can multitask. Any other suggestions?
Yeah, So a health care, your, your health journal or health history, accessing those data when you're traveling. So like the international patient record but beyond that to like one's actual health history as well. Which ones? Sorry? Could be vaccines as well. Vaccines. So mark sorry, voting. Voting. Voting. Absolutely. I can be a polarizing one but at the same time a relevant and worthy one.
Yeah, the one in the back. Speaker 10 00:22:52 So you have a educational certification vote employment certification, employment history, Employee. Employee verification. Employee verification, employee history. And Speaker 10 00:23:05 The second one, is it sort of sub but you a household Household. Speaker 10 00:23:16 Household. Household linkages. Like connections between family.
Yeah, exactly. Speaker 10 00:23:22 Like especially when you're talking about things like aid Yeah Speaker 10 00:23:26 Somebody from your family. Your family. Yeah. A related point that came up from Disney was temporary guardianship, like coming into the parks. This adult has care for my child and my child can go into the, the game park that Actually came up when we were deep diving into the refugee use case yesterday. Temporary guardianship when a minor is unaccompanied was a good one.
Yeah, travel is, Yeah, yeah That that was what Travel. Okay. Yeah. Okay. I Speaker 12 00:24:00 Don't know if it comes under some of the government services maybe, but things around accessing insurance like when you're abroad and access travel insurance.
Yeah, like rather Theft. Yeah, the theft use case kind of came up like I have to get a police report. And the trouble of doing that when you're in a jurisdiction that's foreign to you and the back Buyer seller identification is that under cross border trade And so more at a personal level, eBay or buying tickets, those kind of things. Sort of individual transactions on eBay or buying tickets overseas, those kind of things.
The next tell us with concern, what about like a negative thing, like a rap sheet if you have been a child molester or something else and you need to be, you need to be stopped from being the caretaker of a child in a situation like a refugee or something else. And then I have a a question to one of them, the human person to plus content signing what, what is this human person concept because we don't say human marriage and human traveling. So what other persons than human could be content signing? I can give a little bit of clarification on that.
Most of these have a description but it's linking to AI so it's like human person signing content. Like I am the author of this particular piece of content so that there's a level of confidence around DeepFakes but it's the signing of digital content that was the direction that was going in. So this is a picture or video I am signing as the author of this and it Can be linked to the individual person, Gail, or it can be, this was like, I think there's probably two separate use Cases there. Okay. Alright.
Yeah, there's quite a few that one can imagine are multiple scenarios. There's definitely a deep, let's see if there's one or two more and then we can take others offline Speaker 11 00:26:10 And this might be an umbrella, but fraud mitigation, financial fraud, what have you, fraud mitigation when it comes to all times of different identity fraud, financial fraud, what have you. Sort of an umbrella of all of this, but clearly something that's quite important.
Okay, last one, one more One. Maybe moving abroad or like yeah, like a live event. Moving from a house you need to supply a lot of information Definitely beyond just the refugee use Case and in that one from Erasmus. So I went through the pain of moving to many countries for Erasmus, at least for US Europeans. And that's really nightmarish for everything that deals with identity management. So maybe that would be solved with e iida for sure. But I think that's a good one. Great. Well thank you for the crowdsourcing of additional use cases.
I'll just briefly summarize that three that we saw bubbling up that we chose to kind of anchor our discussions yesterday around we're opening a bank account, refugees and education and certification. So those are just three that happen to bubble up in both the Cape Town discussions as well as in the Berlin discussions. Those numbers reflect votes in the room number of people who raise their hand and say, yes, I actually see the value in that use case of opening a bank account, 19 of 30 people in Cape Town and 16 of 35 people in Berlin and that, so that's what those numbers refer to.
So this is more like a temperature check. This is by no means a qualitative, you know, fully analyzed view. But these are a handful of the ones that kind of bubbled up towards the top out of the, the 20 or so you saw on saw on the prior page that we've elaborated. I don't think Sanjay's in the room. He was here earlier today. He's out. Oh good, good.
He's, he's hanging out. So I'll just very briefly talk about one of those three because it's not as commonly discussed in, in EIC and in Global North conversations is the U-N-H-C-R challenge that they're facing.
And I, I was had the benefit of of taking part in a workshop they had in Cape Town two weeks ago, which is where some of the, the source material comes from here. You know, Sanjay would say that they've done seven implementations globally to date integrating into national identity systems where they have either a host country or a destination country where refugees are, are located or they're coming from. So they've already done integrations to Ethiopia, Uganda, Kenya, and Malaysia.
Interestingly in Malaysia they're using W three C VC 1.1 and like printing out QR codes onto U-N-H-C-R issued identity credentials. So that's a, that's a first for them. And then in terms of like destination countries, they have an integration into the, the US government to to kind of share, you know, here's the refugee as they're kind of entering into the US but scaling that across all of these 50 some different countries where they have refugees scattered. I think it's 130 million people that they have in countries around the world that are in the care of U-N-H-C-R.
In some cases there's a very collaborative relationship with the government like South Africa where they can have, you know, a more trusted relationship. But people are sometimes for decades in the care of, of the UN and you know, some proportion of them will, will leave a few hundred thousand maybe per month or per year into some of the destination countries. But all that integration, kind of using the same icons, you've got the people coming, the sources like from within maybe an African community and where you need references to village connections.
And then the bottom left hand quarter is the Ukraine where they were playing a material role in helping people repopulate, but they had source identity information from the Ukrainian go government and many of those people had phones. So what they need to do to serve certain refugees can really vary. And then the integrations with the different source and destination countries is a big challenge. So we hope we're going to be able to help them as a community to address that.
And maybe by aiding U-N-H-C-R, it's one of those foundation blocks for how you can build the interoperability across jurisdictions. Okay, mark?
Yeah, so my mission for yesterday's event was in part to promote the technical conversation a bit more, but also I took it upon myself to lift the energy levels in the room. So rather than have something like this where the people at the front are talking and everybody else is listening, we put together an activity for everybody to participate in in a very interactive hash.
And the, the background to that was that we were, we've, we've got the hypothesis that the solution to this problem is gonna be looking at the problem space as a network of networks problem. There are going to be many, many very diverse technical solutions and existence around the world that we ideally would like to find a way to integrate.
Oh, thank you Gail. And there is no right single solution. I think one thing that I discovered very clearly on my trip to South Africa for ID for Africa was that there's a significant difference in the general architectural choices for the African continent than what I've seen in the US and Europe. And that seems to be working well for the, at the moment it might not be the sorts of choices that would be taken in a European or US context, but those are the choices that have been taken and they're delivering real change and real benefit to their populations.
So, you know, what, what right do any of us have to, to suggest alternatives? But what that does mean is we have quite a, a dramatic and diverse range of technical solutions that are deployed internationally. There's also the challenge which Nick's going to go into in a bit more detail, that the rule setting is very different in different nations around the world. So that necessarily affects all sorts of aspects of the technical solution that's delivered within that context.
And we, we need just to accept that there's going to be diversity caused by all sorts of factors coming in that we need to respect if we, if we're hoping to deliver something that everybody wishes to participate in. The, the challenge that we set was a little bit open-ended, it was in some ways by design not terribly well formed because that was going to lead into a deeper conversation. And I think it's fair to say for those of you that were there yesterday, there was a lot of conversation promoted in the interactive activity that we had.
We showed this diagram and said, you know, there's three very high level archetypes of, of implementation. There's the, what I refer to as classic federated. So that could be open, ID connect, it could be saml, there's wallet based, which could be, you know, the ISO MDL side of things or open ID connect for VC based solution or some combination of those. And then there's the direct API solutions such as what exists in India and in Nigeria. And if we draw all of the potential interactions between those three, we end up with with nine.
And you might think that's a a slightly high number, but when we look at the, the deployments even of two open ID connect implementations, we often see that they're subtly incompatible. So there's an interoperability problem between one national open ID based system and another national open ID based system. So we need to address that interoperability challenge as well.
So we, we split up into three groups and we handed out three of the archetypes to each group and said here's some ideas about how we might fix it, what have we missed, how do we solve it? And so there was a really good solid hour of discussion about all sorts of factors involved in that interoperability. And I think on the next slide I've got a few quotes that came back from the, the feedback.
So we, we did the interactive session and then we had a, you know, the group came back together and reported from each of the three teams what they dis discussed in the session. Oh that slide's not there.
Okay, I'm gonna have to try and remember them Deb. Yeah, so the first was the layered approach. So go one by one.
So I, I can elaborate on the, so one of the feedback was this is quite complex, so as Mark said, there are nine cases, so six plus three, let's say six cases and other three sub cases and we risk to boil the ocean, if that's how you say it in English, right? Yeah. So we have to proceed in a layered approach in a certain methodology. I've got another one here I'm remembering now. The Second one was the, the, So there's the one about taking into account the context of the use case and the source and destination jurisdictions.
So you know, that one unfortunately gives us the challenge of perhaps not being able to find a single solution to all of the interoperability challenges. We need to allow for all sorts of policy, legal, cultural differences and that may give us challenges. Oh yeah. And then there was the, the one about eec, the economic slash commercial aspects From Scott Of a given use case as well, which drive, which parties bear cost and which ones derived benefit from a given use case essentially.
So, so there was some really great feedback, I'm sorry we've not managed to get that slide in, but we are gonna be doing a write up and publishing the output from the session. So that's gonna be available for anybody who's interested via the usual city hub communication channels. I'm just gonna move forward.
We then, excuse me for a short period after the focus on the kind of engineering imple integration side of things, we moved into the trust management space a bit more and had a bit of a discussion about the separation of the definition of entity metadata that's needed when communicating trust between organizations and the transport mechanism. So if we're, you know, doing what good engineers do, which is to slice the elephant up into bite-sized pieces, no elephants were harmed in the making of this presentation by the way.
We, we've got the, the definition of the metadata side of things where we've got input from the OIX trust framework analysis that Nick's going to tell us about. There's some stuff coming in from the trust over IP foundation and we've got other contributors offering their local metadata definitions. And then there's the topic of how to transport that metadata and when to transport that metadata. Do we do it in advance and have effectively preloaded trust policies or do we find a way to, to exchange this stuff at runtime?
And there's a, there's a range of approaches also in existence that may prove useful in solving that side of the problem as well. But that's effectively going to be a topic for discussion more deeply in the workshops that we have on a regular basis online and following events like we had yesterday and now it's next turn Nick mother show. That is 'cause we do have two nicks. Thank you.
Oh, thanks Mark. Brilliant. Thank you. So Yesterday we had a couple of sessions prior to this we had session on DAC and what's going on there and then trust over IP as well in terms of the evolution of their followed their, their diagram.
If you're familiar with trust over ip, they've, they're moving to a second version of the diagram as they're thinking and as the world around them has evolved, I then went on to talk about the the OX analysis we've done and also some work we've done around frameworks for wallets and how these two things are coming together as important pieces of work from an interoperability perspective. So we've analyzed eight different frameworks around the globe. You can see them on the screen here. We selected some diverse frameworks and solution types.
So we've gone here, we've got a mixture of mature, well established frameworks such as Sweden, Singapore where the, the penetration of use in the population is very high. We've got some things like the UK which is brand new and it's just rolling out eu. We analyzed E-I-D-A-S two. So we looked at all the different components that were available at the time. We've since added the R version 1.3 to our analysis. We've evolved it a little bit. We looked at the US NIST obviously mature standard if you like, not a digital ID ecosystem as such.
And we looked at version four of that as that had been just released for review. Thailand is a kind of federated solution and mostly, you know, you know is a, a kind of platform based outta the back of adha. So very different solutions and approaches and we deliberately selected that diversity to give us a different view of the trust framework world. And what we found, we coined the term this this DNA of digital identity and that came from when we laid out findings from a distance.
So we zoomed out, we saw this kind of detailed and you know, unreadable to a human eye strip of information that looked to me a little bit about the, you know, the kind of DNA outputs you see on, you know, you know crime dramas and that kind of thing. So that's where that came from. But it's a good analogy because what we found is they're all the same species essentially as you might expect, but they have different traits, characteristics that make them unique and we found that they have a such of general policy rule areas and we specifically drilled in on the identity assurance policy area.
'cause these are digital identity trust frameworks. The thing they do that's special is whatever it is they do around identity assurance, making sure the user is who they claim to be and then making sure when they assert their identity that it is still that user. So we we, we did some deeper analy analysis in that area turning into a little bit more on the general policy areas. We grouped them around 15 areas. These are the headings that we've got in the analysis. And what we found in there is there are kinda 79 different policy characteristics breaking down into 283 possible values.
So what this means is there actually aren't that many different characteristics that frameworks exhibit just under 80. And in our analysis, you know, we started over here, we started with the uk, then they did the eu, we jumped from 47 to 70. Then after that the EU is quite a comprehensive framework. The number didn't grow that much. In fact when we did some normalization and consolidation it actually dropped down. So that means we've probably found, you know, the different characteristic areas that we need to, we're going to model the values for.
The characteristic though did continue to go up. But that top line is studying off. And what we're seeing is, you know, within each of these areas we we have, I pick an individual characteristic. Sometimes there is one or two values, sometimes there are eight. There are never more than eight 'cause there are only eight frameworks. So that may, that means they're all unique in what they do. So just to run into an example of that. So this is the results of the analysis in the data management area. So what we've ended up with is a whole set of these characteristics.
So you can see things here like what do we do around anti profiling, user agreement for data sharing, consent rules, consent approach. So we're able to draw these out as common characteristics that frameworks address. And then we drew out the values. How do they do these different elements. So what we can see there is in user agreement for data sharing required, there are four different approaches to that. And you can see with the why's there who does what in which way sometimes they do use more than one option.
So the US there's got a couple of values and we have this for the full kinda 78 values of the analysis. The other area we looked at, as I said, is identity assurance as a specialist area that these frameworks address. And one of the things we found there was that they, when they have an identity assurance model, a published policy that they tend to be zeroing in on several of these five, what we ended up calling golden credentials. These are the way they identify the user to bring them into the national ID, into the ID ecosystem. And often it's just the national ID card.
If that's an issue and everybody's got one, it's a matter of digitizing that and enabling people to have a digital version that they can present where there isn't one of those in places like the UK and the US parts of Europe. Then other documents have to be used as a proxy for the identity to then establish a digital identity. Passports driving licenses very commonly used where people don't have those. We get into using bank accounts and telco accounts or we get into using combinations of these to get a higher level of trust for the individual.
And what we found in analyzing the five, outta the eight that have a published identity assurance policy model is that they all actually go through the same process. We were able to draw out a common methodology for this.
So they, they list the accepted credentials, accepted evidence that they will enable into the process. They then validate that is it a valid piece of evidence? Is this genuine evidence? And if it's a passport, that might be by taking a scan of it, reading the chip of it, they then verify who the user is against that evidence. So if we're using a passport that's taking a separate selfie and validating the selfie matches the photo on the chip for instance.
And what they then do is they combine these in different ways, these different validation and verification techniques of which we've got kind of eight of each to raise the level of trust in the individual. So they might say, well a scan of a passport isn't enough. I also want you to check it against an authoritative source. And once you've done those two things, I've got trust in the passport and it elevates the level of trust. Then they combine those validation and verification combinations to come up with something like a level of assurance, a level of confidence.
And this model for all five, in fact all eight because the other three are a national ID that is converted to digital stands and works. So we're quite excited to be able to draw this out. And what we've now got is a way that illustrates how we can use these different components to come up with levels of assurance. And that this, the theory of this is that we're now talking about how we're going to look at interoperability of levels of assurance.
Are we going to be trained to agree that an IAL two from the US is equivalent to a UK medium, is equivalent to an EU substantial or does that not matter? If I've got credentials in my wallet that can be used to calculate an IL two, then I can achieve an IL two in the context of a European transaction. So we're looking quite excited about this concept of reformulating levels of assurance wherever we go because they are in the eye of the beholder, in the eye of the reliant party, in the eye of the destination trust framework.
Making them interoperable is going to be tough because every framework is, I know there's international standards that say there's kind of, you know, blue, medium high, but the derivation of that and how it's done is subtly different everywhere we go. So it may be easy to recalculate the OA. So that's something we're exploring. So what are we doing with this now? So we're going a number of different directions. So we will be openly publishing this, I'm just agreeing that with some of the frameworks we analyze at the moment and then we then we need a tool to publish it.
We talked yesterday about, you know, what should that tool look like? How should it manifest?
What, what, who would the users be? So we've got some good insight now into, you know, how we can build that. And then over the summer I would like to get that built. So in the autumn city summits we're able to show something or at least a prototype of what we're going to release. We are going to do more analysis. So we want to move towards analysis where possible of the 4G 20. Now not everyone has a framework, but countries like Japan, Brazil, Australia, kinda top of the list at the moment to do more analysis. And then after yesterday New Zealand as well, we would add to that list.
We want to create a comparison tool. So this is part of publishing it, you should be able to compare the frameworks, but can we give a tool there that lets frameworks load their values and do a comparison. And so to compare that one, that one and that one and see what the, the, the twos and differences are.
So we, we want to work towards that. And then what we've got here is data that is essentially key value pairs. It's the criteria and the value. So how can we turn this into a machine readable set of metadata that can be used to express policies and that not just by the frameworks themselves, but by relying parties when they're saying this is the criteria I will accept from a wallet and from the credentials behind it and from the issuers as well, which say, this is the, this is the policy criteria I attach to my credential when it is used, I require this kind of consent to be gained.
It cannot be used in these areas. These are the prohibited uses of it.
So this, this language, this expression of policy can be used by all of these parties and interpreted by this thing in the middle, the digital idea of the wallet to work out how it needs to be behave. That's making that thing in the middle quite complex. It becomes more than just a storage wallet. So the next part of what I'm gonna talk about is how do we deal with that as this, this, this more dynamic world of policy expression unfolds. And what all this will do is enable roaming wallets.
So my wallet, if I, if I had one issued in the uk, assuming let's assuming let's look a couple years down the line. We've all got wallets, we've got UD wallets, I've got a UK based wallet. My wallet is full of credentials. They're all approved and and recognized within the UK framework. That's a certain standards. The issuers put rules against those as they came into my wallet. When I jump on a plane and fly to the US I want my wallet to work still in the same way as Gail said at the start, as my banking information does, as my phone works.
Now not all my credentials will work and not all my credentials are relevant. My loyalty cards for my local cooperative store won't work in the us My BrewDog members card, however will work wherever I go and it should work 'cause there's blooming everywhere. Now we went past one the other yesterday as we were working through Berlin, there was one in in Vegas last week. So certain of them won't work. But those that do that are built to internationally recognized standards can then be used by the reliant parties in the destination framework under the destination frameworks rules.
So this is what we're looking, looking at, how do we enable this world of roaming wallets? And I talked a little bit in prior around dynamic identity assurance and the way we think this might work on this somewhat Heath Robinson sequence diagram for a sequence diagram expert, please don't criticize my attempted work here. Relying party once in a is in a destination trust framework. So this is a relying party in the US for me from the uk. They request a level of assurance. The wallet goes well actually, I dunno what that is. This is an IL two, I'm in the US now.
I'm gonna go off and discover what we've called an ID proofing provider who can work out whether this user's got that level of assurance. So I go off and and find one, I pass that request to the IDPP. They determine the candidate re credentials that could meet that requested LOA. So that's my final of five golden credentials or more of them that come back. That comes back to the wallet with a priority order. The wallet filters which credentials it's got that can meet that.
And if it's got them, it then asks the user if it can share them in priority order with the IDPP, the user grants agreement to share the IDPP gets those credentials, formulates the level of assurance to the local rules and then issues the derived credential or a new credential for that new level of assurance, which can then be stored in my wallet. And I then agree to share that with the relying party. So all of that can happen dynamically as I arrive in the US and as I'm requested for a level of assurance.
We've got a number of derivatives of this and we've got other diagrams with credential selectors as a new role in here rather than the wallet itself. It's, this is the simplest one we've got. So I thought I'd share this with the group. But so we continue to work on this in the working groups. Moving on to the second part of what I want to talk about is we've been doing a lot of work around the evolution of trust frameworks. We're seeing that happen all around the globe, particularly here in the EU where we're moving to ES two and the UD wallets.
Our traditional frameworks had a, were all about a digital identity provider. So if you go on our website, you'll see we talk about a framework about digital identity provider. Our framework already talks about issuers, but most frameworks don't. The eight we've analyzed there don't really address the issuer.
They address the proofing bits, the idea assurance rules and they address whatever happens after you're proofed in terms of something you use to manage and present your identity at the moment it's usually something in the cloud or it might be an app, it's going to be a wallet in the future. But this reusable ID wallet thing also has its own set of rules. The rules around security for it, the rules around how it manages credentials, rules around presentation. So we already have that, that's today's model. And we have authoritative sources providing data into it.
We have relying parties consuming data as we move to the world of wallets, this model gets significantly more complex. So this is the new model that we're now seeing. I'll go back. Those two roles are still there. They haven't gone away. We've still got identity proofing providers, we've still got reusable wallets and ID providers. But in order to make this work now as a full identity and credential trust framework, we need to start worrying about what these people are doing. The issuers they need to be part of the ecosystem. We need to know who they are.
We need to issuing things in a consistent way. So we need credential schemers for them. We need schemes that bring collections of them together to get them into the market. And we have a new rollover here and I mentioned a credential selector earlier on that might be in here. But for now we've got this thing which is a use case process provider where we've got complex use cases or even perceivably simple ones. So lemme take age as an example.
If I want the age of an individual from the wallet that that's not a necessarily a simple request to the wallet, it's asking for a data minimization of a credential. But there's probably rules around which credentials are acceptable. Therefore the brokering of that between the party in the wallet might need some kind of a agent. We've called it a use case process provider.
If it's a more complicated process like employment where I need to get history of employment, history of education, background checks done, all of those need to be done to certain rules, then that use case provider would provide the facilities to do that. The rules around it, it would help the user potentially. So we might have a user interaction get through that process by taking information from its wallet or wallets. And we're drilling into this at the moment with a number of sequence diagrams with a credential selector role to try and work out how is this gonna work in future.
But this isn't just a pipe dream that we've come up with. The blue boxes are what EIAS two is doing. So we've got the a f which is the, the core wallet. We've got the PI rule book which references standards, which is the the ID proofing provider element. We've got EAA rule books at the moment. There's a kinda stu in there for MDL, but we're gonna need them for all of the other credentials. And we've got the mention of attestation rule books, which means there are some rules around presentation and that's where we, this use case provider fits.
So this is a model that we see already in the eu, in the UK framework in its next evolution. It will have a holder service provider role, a proofing provider role. It already has an attribute provider role and schemes. And this role here is, is also a scheme role. So you can already do all of this within the UK framework as well.
We, Speaker 13 00:56:35 So between the presentation, it's schema provider and the credential, basically this is the amount of work the wallet have to do. So the are the wallets? Speaker 13 00:56:49 Yeah, the the wallet.
So the, it depends now how, how much trust you wanna have in the wallet. I think theoretically there should be no mapping between the credential and the presentation should be easy one-to-one. So the role of a trust anchor for the audit is the lease with one credential. One.
Yeah, yeah, Yeah, yeah. It should be.
But it, it is where we've got complex use cases where we've got multiple credentials and I'm not suggesting that that schema changes this schema. So this is gonna be the schema for the credentials and define what they are that will be fixed. That schema is how their credentials are assembled as a package to deliver on somewhere else or minimized.
Yeah, Speaker 13 00:57:37 The challenge from our use cases is to have a straight line between, so this is the minimum starting use case for interoperability. So this is how I look at it. Yeah. Got you. Yeah. Okay.
So, so we're doing work on that and then what we asked people yesterday was to think about the, what new rules do we need in those rules books if you like. So what rules do we need for issuers? What rules do we need for credential providers? And specifically what governance do we need around the credential issuer process if we're going to achieve interoperability? So we asked the attendees yesterday to, to go through these questions. So we talked earlier about trust framework comparison. What do we need for such a tool? What do we want, what do we want to put in it? Who are the users?
What are the rules are required for credential trust and use case trust? And what governance is required for credential trust? Who should be involved? What's global, what's local? And we've got some, we've got some really good input from that. And we're gonna be then building on that in the next phase of, of what we're working on. So our next steps, we're gonna publish the analysis. We're gonna work out, that's gonna be evolving into a, a, a comparison tool. And that's probably part of publishing it. The two things go hand in hand. We'll add more G 20 countries to the analysis.
We've got this roaming wallet approach. We we're quite down in the weeds of how do wallets, can they adapt?
We've got, we've got static trust list that need to declare the wallets and the credentials. So exploring that at the moment. And within that, we're eliciting this role of the credential selector, which sits somewhere in that use case provider domain. Build out the credential and use case trust rules and specifically the governance around that. And then explore more this question of LOA interoperability, are they going to align or are we gonna do local formulation or is it gonna be a mix of both? So we continue to work on this.
We're doing this in the liaison with, you know, the, the team at the city hub and then, you know, within, inside our OAX working groups as well. Nick, can you elaborate on that a little bit? Like what you, what you're doing within the walls of OAX and what you're trying to do in the walls of City Hub. So people wanna get involved, they understand kind of where to Yeah. Put themselves. Yeah. Yeah. So within OX we have a, a working group construct for, for members.
So we, we, we've been running this work stream for a couple of years now. It originally came as a gain program. So we're quite deep into that and we continue with those work streams.
So those, they kind of meet once a month, hour and a half. And then where, this is where we're going through different aspects of this, between the working groups, we're coming up with thinking and exposing that to the working group, the working group's giving us feedback.
So we, we continue to, that bounce battles and forwards. And what we'll do in the, on the city element is feed new iterations of that in to get broader feedback as well.
But they, that will be in a, a kind of shorter, punchier manner. So that if you, if you wanna get deep into this, into what we're doing, then the OX working group's the place for you. And we will be looking at this and, and other elements within the, the broader city construct. Okay Scott, Speaker 14 01:00:53 Thank you. First I wanna applaud the work that's being done in the city hub for years.
People, the technology people have been saying how can I take the policy and make it into requirements that I can build to and what you're doing here. That DNA analysis in particular I think is gonna be very useful. And what it reminds me of is for those people who've been doing software for a couple of decades during the period of secure software development work, the orange book and all that history, there was attention to the work in architecture of a guy named Christopher Alexander who had a pattern language for architecture.
And what they were doing in the secure software development was saying what are the patterns of secure software that we can use? This allows us to look at the patterns you've exposed in the DNA chart. You're exposing patterns of those different policy terms. Speaker 14 01:01:48 And so in the same way as the secure software development EV evolved from looking at the patterns to then iterating the patterns and figuring out commonalities and differences so they can be built to, you've allowed that to happen.
Now on the technical side, and I think that's extremely valuable 'cause that's one of the main complaints is, hey, I'm not a lawyer, I'm not a business person, I'm a technologist. How can I possibly build to this thing? And by exposing the patterns of it, you're allowing it to be rendered in terms of technical requirements. So I really think you're doing a wonderful job at that. So thank you. Thank you.
Mark, do you wanna elaborate on like, work on the standards to kind of take policy and bring it into protocols? Okay.
Alright, we'll, we'll we'll spare the audience. It's about half 11 now. Okay. Alright. Any other questions for Nick in the back free pass for you, mark? So Nikki, as you can tell from my accent, I live and work in Australia and the in memoria of Vitor, the five golden credentials. That's absolutely rings true.
However, sort of as part of the referendum on indigenous voice to parliament, what sort of came up in our conversations is that there are other ways to verify identity than those golden credentials. And the notion was that by relying on those we entrench inequality, especially sort of for cultures that have been around for much, much longer than sort of the cultures that we use to work in. Is there any concept of integrating that as well?
So by, by way of example, a lot of the identity of indigenous Australians are based on place on ancestry and they generally don't fit those golden credentials. Any any thoughts on that? It's not an area we've looked at yet. No.
So yeah, we should let, let's take that offline, have a conversation on that. Yeah, Well I, I was gonna plot on that one actually. So I'm aware of the work that you're doing down there through DMA and it fits quite well with something which I think is UK originated, which is vouching. And I think the reason it's not included in this analysis is because it's not reflected, you know, vouching is not reflected in any of the trust frameworks so far. So what we're doing is an analysis of the trust frameworks.
I think it's a really good point to, to highlight that as a gap in the trust frameworks that people may wish to fill in due course. Yeah. Yes it is. And I guess one of the input yesterday was that, you know, we need to include vouching in it as well. But you know, it's not there at the moment. And this is an interesting thing 'cause there's, there's things like vouching that's in there when you look at the analysis, there's several like credential standards. The only one that really prescribes anything at the moment is the eu. 'cause nobody's got there.
So we've got, we've got in those policy areas, there's bits missing that we know we're gonna need as we go to make this this work interoperably. But yeah, that's, that's a good point. We'll pick up on that.
Yeah, Speaker 11 01:05:20 Yeah. Thanks for the interesting information Nick. And my question was really, have you also considered that the wallet could receive credentials from, let's say another trust framework?
I mean, it, it to me it looked like the wallet sort of belongs in the framework where the issuer is as you sort of get this derived credential or whatever it is, and then presented to yeah, a verifier that belongs in in the other framework. But have you also considered Yeah, the other angle Yeah. On that. So on that one for instance, this, this destination IDPP will issue a derived credential from. And that's, that's they exist in the destination framework.
So yes, we, we expect that will happen. That the wallet will then accumulate credentials that have come from different frameworks. Speaker 11 01:06:16 Okay. And which Means the wallet to do that, the wallet needs to be recognized by the destination framework as being fit for purpose for holding credentials in its domain. So if we're separated out this the concept of is a credential acceptable to a destination framework and is a wallet acceptable?
So the more detailed this is, this is a use case within a more detailed diagram where we're looking at how do we work out whether the wallet itself full stop can be used in the framework before we even go to this question. Speaker 11 01:06:48 Okay. Yeah. And the static and dynamic versions of that. So that could be using the policy criteria to dynamically assess whether the wallet meets the local policy criteria of the new destination framework. Or it could be a trust list approach where, well, we use the policy criteria tools we're creating to do a desk, desk-based assessment.
And then as a result the wallet is added to a trust list or the wallet's framework is added to a trust list that it's more likely that what any wallet from this framework should meet these policy criteria. Therefore it's acceptable in our framework.
So we're, we're exploring that at the moment. Speaker 11 01:07:27 Any other thoughts or questions before we move on?
Okay, I'm gonna have to Go forward to page, I think. All right.
Yeah, I think I'm gonna pull up Nick for a couple of points here. Lemme put down my water and Phone, Right? So within the governance and operations and metrics work stream, we've kind of collapsed two work stream together for convenience. Right now there's kind of four areas of work. So one is our internal processes, which we won't bore you with today. There's also metrics, you know, what does good look like, for example, sustainable development goal 16.9 is about enabling foundational identity documents for 8 billion people on the planet.
Should we have a similar goal for digital identity credentials? Should that also be 8 billion people who have access to a digital version of that foundational identity document?
So we're, we're kind of contemplating what good looks like on that side, as well as it more granular KPIs. But within, we thought we'd share with you some of the gaps that we've started to identify and see whether there are some other gaps you'd like to, to throw out there and add to the mix. And they're all gaps. But we've called out a few that we refer to as, or I refer to them as big rocks. So using a bit of an American expression, and I'm gonna have Nick Thorn riff on this a little bit here.
So on the top left hand corner, the, the big rocks that we, we recognize are how one does the policing of relying parties, the lifecycle management of relying parties. It may, as Nick described, be defined within the EU for the architectural reference framework and what would happen within a European context. But what does that look like across jurisdictions? How is that policing going to work? We obviously have many use cases that are crossing borders.
We have digital platforms, we have all these like, you know, this demand that's gonna come from policing, but the default mode of apple and Google magically solving the problem of policing relying parties starts to feel pretty uncomfortable when you're talking about government issue credentials. There's three, two other related points there around issuer registration.
So again, in the eu, one might register all of the issuing authorities centrally and have trustless or federation, as Giuseppe was talking about earlier, different ways within the EU to do issuer authority. What about other jurisdictions? What if you have the different credentials of driving license side by side with national IDs side by side with local jurisdiction issued credentials and passports? There's a lot of different credential types to think about.
Issuer registration and management and then legal entity linking of one can have relying parties magically created within an ecosystem and registered in whatever way an ecosystem might like. Or you have binding back to the legal entities, whether that's nationally registered entities or locally registered entities like in the US states are responsible for registering legal entities. So how does that get tied in and what are the way to solve it? So I was gonna ask, ask you Nick to, to riff a little bit around how one might solve these challenges.
'cause you've been through this before in governance of the internet with both public sector led models of governance, private sector led models of governance and hybrid models between the two. So maybe you can kinda share some thoughts on how the community tackles this issue. Thanks Gail.
I, I'll come and stand up here. I haven't got any clever prompts down here, but I feel better standing up.
I am the, almost certainly the least technical person in the room. That doesn't necessarily make me feel comfortable, but it's a word of warning because I won't be going into anything technical.
I, I was asked to get involved really to look at the, the longer term issues of governance and other potential threats with a small T which could come into play with what at this stage is essentially a technical exercise. And it's a technical exercise, which I'm sure you'd all agree is being manifestly well handled and well organized in a very flexible and ongoing way.
I, I'd like to touch on two points. One inclusion and two governance.
I, I start with inclusion because that applies at both ends of the scale if you like. We are talking a lot about internationally recognized norms and we're talking about international interoperability, which means that whether we like it or not and whether or not everybody in this room might have the best intentions to create a global public good, there will be those who will say if this is global, we need a hand in its management. Now that's I think, perfectly legitimate. Legitimate, I should say.
By the way, I was a British diplomat and ended up as the UK ambassador to all the UN organizations in Geneva for a period of five years and did lots of work with the UN before that. So that's why I'm talking about the international input. So city hub has done very well by adopting a policy of essentially wandering around the world, having meetings in nice places. Not just because they're nice places, but quite deliberately to listen to the input from those regions. It is not for Europeans or Americans to define the problems of Africa or Latin America.
We might be able to help to solve them once they've been defined, but it's not for us to start and it's a very bad habit that the west is actually getting out of. But nevertheless, we to do still tend to try and do things top down. So it's good to listen to their problems and then to see whether we can include them in the whole package and try and solve them. That's why I think the use case, the examples of where interoperability might solve a problem is so useful.
And I think it's from that exercise, the use cases which you've seen listed still a growing list will be whittled down to a few, is it three or is it five? Say try for three. So try for three. And then they will be gone into in much more depth to see what the solutions might be, what the problems actually are and how they might be resolved. But by listing all this great long list of problems, we are in fact identifying, or rather the participants are identifying the problems which could be addressed by an interoperable system. And that's good.
So one side of inclusion, global inclusion, and by the way the global south, I really don't like that term, but I haven't come across a better one needs skin in the game. They need to be involved. If they're gonna cooperate, it's in their interest to cooperate. There will be those who will argue that they probably shouldn't cooperate. But nevertheless, I think our role is to persuade the global south that some of their significant issues could be resolved via these techniques.
So include the global south and then I move on to governance and you've, there's a nice slide, you've got somewhere which had a list of options, but that's gone away. I mean essentially e essentially there are two ways. That was yesterday. There are 2, 2 2 basic approaches when when I retired from the dear old British Foreign Office, I went and worked for ICAN as the international relations advisor to the, to the then CEO. And that was fascinating to watch a multi-stakeholder system at work bottom up with all its problems.
But it worked and it still works when you dig deep, it doesn't have a lot of power, but nevertheless it works. The top down approach of governments only will not, I would argue others would disagree, but will not work in an effective way to cover anything which is internet based, fast moving and genuinely interoperable. There are just too many opportunities for a veto a block, a majority against something which is often for the greater global good.
So I don't think there's much question, but that we need to go either for a multi-stakeholder system, perhaps along a modified I can line or perhaps something more modern, which would be the sort of arrangements which have been put in place to bring together nation states users, donors, and manufacturers in, for example, the Global Alliance for vaccines in Geneva or the global fund against AIDS and malaria tb. I always forget which two they are. But they work these organizations, they have regular meetings, they have a diverse board which brings all stakeholders into the game.
And I think that's probably what we need to be aiming for. But to go back two stages in the first instance, we need to define what the problems are and what sort of scope those problems will cover before we actually come to taking firmer decisions on the sort of governance we want.
I, that's all I've got to say. If there were any questions, I'd be happy to ask Any questions from the floor for Nick, starting with Abby. Speaker 15 01:18:05 So Speaker 13 01:18:06 I'm not a hundred percent sure like how we could shape it in a, a way similar to what ICAN is doing. 'cause ICAN and I, the way I look at it is a transport type layer at the IP layer at the lower layer with some regulations.
But even with today's internet, the I icon is really non-functional because we have internet of Internets, we don't have one internet across within regional countries that want to do their own work. If you go to some eastern countries, their internet is a different bubble altogether. So we don't wanna end in that sit situation. I think there's a revolution and the way we want to address on credential, it has to be done through trusted means that, and using existing things without being controlled or regulated by by top top of it.
And this will go back into how you're gonna do that, whether it's a blockchain or basically web keys. You know, my gut feeling the web key is the way it's gonna go first. Okay? And this still will be managed indirectly by what the ICAN is doing. So you know, I think separation of, you know, the higher layer from the lower layer is very important. Otherwise we get stuck with the politics of how things will go with, you know, politics of the internet or whatever it is.
Yeah, thanks for that. I, I have to say that I personally agree with you that the ICAM model probably is too loose and wouldn't work in areas where we are talking about issues which will have to include national identity in some form or another. And the governmental input into ICAN is very, very weak.
Now I, I'm not suggesting it should be stronger in the, I can context, but it is very weak and I think almost certainly too weak for this sort of area. Nevertheless, it's an option which I, I think what I was trying to do was to set out the base points if you like, and we need something between a full scale un style governments controlled it and a rather weak I can, everybody's in the mix operation. So I basically agree with you. Thank you Abby. Question in the back, Scott. Speaker 14 01:20:43 Thank you.
You know, I wonder if something like a certification mark type program might be useful as a container where there could be different certifications for different levels using Nick's approach of the divisions. So you could have different clusterings of certifications, so it wouldn't be a certification of yes or no, but rather a certification of regions of within Nick's analysis of conformity. And so the, there would be a body that would oversee the governance of the certification marks as rulemaking, operations and enforcement, but there wouldn't be a single mark necessarily.
It might be that there's issued a variety of marks that could capture the texturing of the different approaches in different parts of the world, but be sourced from one place so that there would be, not necessarily comparability but convertibility among the marks. So it's something that would be a governance system without a perimeter in a way. It's something we might be able to talk about going forward. Thank you. I think that's a a, a very good and well articulated contribution.
I mean essentially it seems to me that you are gathering together as it were, issues and adopting the container of a, can I use the term CatchMark of a, of a, a standards container as an approach which might serve to keep the politics not out of it because you'll never keep the politics out of it, but to at least reduce the inputs. So thank you Julie. Noted when I've got a hand to do it, Speaker 17 01:22:32 One things Take a mic for online mine.
Yeah, just, just to add to that, one of the things that we're talking about yesterday and some of the side conversations was around where in in the analysis we've done, we've captured where a particular criteria is leveraging a particular standard that it's buried in the notes at the moment. But one of the things I think we need to do is to surface that out into a separate field in the analysis somehow so that that can be easily seen so that we can actually say, well we can zero into that area and say yes, these frameworks are using this standard so they're aligned.
Which is a more granular method of, I think you know what you're talking about, but I think we can start doing that now. Speaker 14 01:23:21 So, and the nice thing about certification marks, they're part of the trademark kind of notion, but trademarks are provenance of goods and services certification marks intrinsically are conformity with the third party's standards. So the nice thing about it is it stops that conflict of interest problem 'cause you don't issue a certification mark and then use it, you're not the same party.
So the certification mark is intrinsically an independent body from the parties that are consuming it as a signal and the parties that are using it to signal. So it's has a nice separation that's intrinsic in the nature of certification. So it's something that might be helpful for clarifying the relationship among the users of the mark versus the people who are benefiting from it. Thank you. Great.
Other co I Just, I mean once more thought on that, you've still got to generate a group of people who will control what goes into the certification container, but nevertheless, taking the politics out of it is, is is good and Will will follow it up because Speaker 10 01:24:33 The use is voluntary then not compulsory then it attracts people. So you wanna Speaker 10 01:24:39 Make a mark process one that's attractive. I think there's methodology science in, in certification and conformance. Other comments or questions for Nick? Hold on before we go back to Abby. Yep.
Speaker 13 01:24:52 Yeah, so certification will work but as long as it is you need to, this scope is regional, the crypto libraries are not the same in the world and what encryption you could use or not is not so end to end security is broken and it's by design and you cannot solve that problem. You have to live with that. So we'll, we'll add to the gaps how we think about certification and conformance. I think we can take note of that. Thank you Nick, for those comments. Feel free to keep a mic for any other things that come up around the countries and regional engagement.
So we're gonna open this up to see if there's any other comments from the group around gaps you can see on the screen. It's been up there for a little while. We have some work around technical gaps that have been underway, definitions across different implementations or standards there, there's some work to to do there. There's open sorts code efforts happening, particularly in support of the global south but not exclusively such as the open wallet foundation could be listed in that. In that category.
There's the work on trust framework analysis not just to extend to the G 20 but the rest of the world, right? Nick keep you busy. There's existing implementations of digital identity. How several of them, you know, how can they converge towards global interoperability. Some conversations with those countries listed have already started, the African Union is working on their own plan to go down a path a bit like the eu.
How can they think about cross border interoperability of digital identity setting that roadmap for themselves and Adam Cooper who's floating around from the World Bank, the world bank's been engaged to kind of help them think about that path to realizing interoperability across Africa. There's also some regional efforts, ECOWAS and EACI think it is two different regions. Their work, they have existing work on interoperability and last but not least, the MOU efforts amongst the countries.
So between G seven countries, they're already establishing, they already have a compendium, they already think they could kind of mutually recognize each other. They're thinking about how to turn that into more discreet MOU language. What can we do as a community to make sure what goes into those MOUs is actually going to deliver the results that they're, they're looking for. And it's not just bilateral between countries, but it's moving towards a multilateral approach that is again, scalable.
Any comments from the floor on other gaps that you think we should be contemplating and attacking together? I guess just purely from a historical context perspective, I'm wondering whether this needs a compliment in a technology risk assessment of some description because this I reckon could be a powerful enabler for a world where authoritarianism is more a pervading streak than the liberal world order that we have or grown up in. So that's the one part, and then I cannot stress enough the legal entity part. I think that's a really good compliment to what you've presented today.
So when you think, when you're talking about security risk assessments, are you thinking implementation end-to-end within an implementation cross-border end-to-end? No, it's, it's more so, so the classical, the Dutch did a census where they covered religious affiliation for the purpose of getting, giving everyone equals chance and then next thing you know, the Germans come in and pick out all the Jews off the back of that.
So I I, I haven't sort of seen anything that would suggest that it is something that you have in mind as part of this Just to, yeah, I think that's so important. I'll definitely capture that in our notes. One thing that the United Nations presented at our first city event in Paris was actually a tool that they've been working on developing over the last, i, I don't know how many years, but UNDP has put together a, a tool that's meant to help assess how well the identity system is achieving or not achieving human rights.
So I could, I can share that with you and the one of the guys who's worked on it is gonna be on a panel on Wednesday evening and we'll probably reference it but great, great build, thank you. Other gaps?
Okay, we'll move on. So we had another, another couple of open questions for you. We have a few academics in the audience here, but the question we wanted to pose is what are the issues that we'd like to have academic or other forms of research to help address? And we started this little brainstorm list yesterday.
So again, Elizabeth will help us scribe if we capture any more that we should take away. But to give you a couple of examples we put into a recent IOC funding request. Three areas of analysis. One is scaling trust framework diligence, like what Nick has already started, but further extending that governance of relying parties is a topic that we heard Nick Thorn speaking to the challenges there and trying to have independent academic analysis of governance models that stakeholders could review field reser research on the champion use cases.
We might be able to fund a little bit of field research, we'd like to be able to do more. And then in the Berlin conversation yesterday, there was a lot of interest in privacy, super tracking the recourse for misuse best practices and human rights. So like further, further work there, detection of different attack vectors during binding proofing, authorization, authorization sources at the edge. How digital ID signals can be as effective or more effective using different verification methods.
There was some economics questions, a few of them that came up, you know, the structure of the question was verifiers or verifiers tend to get all the benefits of having digital identity eco digital identity credentials available to them. But the issuers are bearing all the costs.
Like how can we, how can we reset that and, and much, well you'll see the survey in a minute that we're gonna do at the end, but there's some other questions in there around the overall cost of issuing these credentials and the overall benefits that would accrue in terms of GDP growth, the, you know, financial inclusion, other types of inclusion use of ID is a development tool and biometrics and encryption in their role in, in supporting the e ecosystem. So that's classically a good area of research on, on biometrics.
So those were some brainstorm not perfectly documented from yesterday's as scribing. I was typing that in real time as people brainstorm. So sorry Elizabeth was typing. Any other comments on what academic research, you know, would be useful to help us unpack this problem of cross-border interoperability?
Yes, Mark's got you in the back. Speaker 18 01:32:00 Thank you.
Yeah, so I think one area that's under research generally, not just in this space but in many others, including in other sessions going on right now, is cases where disagreements in the attributes of a data structure. Our data. So say cases I'll use a a a simple one leaving one country entering through a port of entry in another country and there is a disagreement over the status of a travel document. Not that that happened to me on in route to an conference on identity, but, but there are cases where that needs to be reconciled.
And there are also cases where, and I think this gets to something that was said before, there are also cases where we have to live with the lack of reconciliation between, you know, the, the status of an attribute where one country says no this value is x and another says Y and we have to figure out how to turn that into data rather than necessarily resolve it. Speaker 18 01:33:07 If that makes sense.
Yeah, I I just wanna bring that up as I think that's, that's an under-researched area 'cause and last thing and then I'll shut up. I think usually it gets resolved to a problem of inter coder reliability and that's been the case in diagnostic systems where it's like okay well we have a disagreement between X and Y. Let's that's a problem, it's noise and we're gonna go resolve it.
But as we have more and more inter, you know, inter-organizational workflows and analysis flows, we're finding that's, it's not a problem of inter coder reliability, it's actually that's useful data and I think that's, especially when we're dealing with medical information, I think that's, that's definitely an area of interest. Yeah, Super. A lot of work to do. Other suggestions for academia Connected to the privacy and the human rights. When I read it, it connects to me to protection from government surveillance.
I think it would be good to add also protection from big tech surveillance there in the line of what Professor Zov has been writing on data surveillance and how that affects people because especially with a wallet, we're gonna equip every person with high quality data and they're in control with a very vulnerable to the influencing the manipulation by various big tech companies to release that data.
I, I think that's great, right, there's certainly within the standards discussions, a lot of focus on governments potentially not, you know, trying not to see information and the digital platforms, the ones I'm talking to usually aren't interested in seeing information, but it may depend on the DI digital platform where it's based, you know, what norms happen in those jurisdictions and what does that mean for the user, you know, in some cases just the transparency of what's happening with their information. And when you cross borders the norms could change.
Like you're used to something in the EU and you cross the border into a China or into an India and it's a different set of norms that you're going to be confronted with. Okay, thank you. Speaker 12 01:35:19 One area that I think sometimes gets slightly overlooked because, and I dunno if it comes under the attack vectors, but we look a lot at sort of the prevention of fraud and identity fraud and not as much sometimes on the identity repair.
So like what happens when, if a credential is sort of hacked or now cannot be trusted, how do you, how does that individual then deal with trying to essentially re issue credentials that can be trusted and sort of bring that back together a little bit. So it's kind of like that lifecycle management for the user with the digital identity credentials, but then that also is related to the physical identity credentials. Like you lose those, those are a problem. You're reestablishing the source documents as well as the digital version of those credentials.
Yeah, Speaker 13 01:36:12 Good point. And this is the difference between a credential refer credential versus like KBA and where you get the profile behind your back. And I know from experience if your identity got stolen and you have to answer KBA, you have to answer the question that the C did. So you can go through the system because they are measuring you, you don't have control with this, the issuer can correct the problems for you.
So the, you ha you as a consumer have the ability to fix errors in your identity. If I, if I can add to that before you jump in. Both the US government through the Department of Homeland Security and California, the DMV are both very interested in the emergency response use cases where there's been, you know, natural disaster, there's a hurricane, there's fires, things like the paradise fire. People lose everything that they have. And what are the ways of like reissuing credentials?
So things like mobile driving licenses being a possibility to reissue to people in the field and also to be able to credential the support staff that come in from across different parts of the US to serve in a crisis. And then of course, it's actually one of the things we do as humanity pretty well. There's a major problem and a crisis and a whole bunch of people from the UN and from different aid organizations converge on the Philippines or converge on a place in China and are trying to serve that local community.
You need identity to identify both the staff as well as to re credential the people who might have lost their information. So it's a, we should add it to our list of use cases. Emergency please go ahead. Speaker 19 01:37:50 Yeah Gail, so quick question with regard to funding and research. Have you considered, ICAN has about 200 million in funds, they just closed the first trance for 10 million. Have you considered applying for any of the grants in that area?
No, but Michael I. Love that idea. Okay.
I like, well the Speaker 19 01:38:10 Fact we missed, we missed the first 10 million. The first 10 million trance was just closed about two weeks ago. And I know of at least one organization that did do an identity inter, if you will, a federation exchange. So I will talk to you during lunch.
Yeah, We'll take the second 10 million. It's fine. Speaker 14 01:38:33 One, I wonder if we might also engage people in the social sciences in to be working in applied social sciences. I once had an anthropology professor who said the last time anthropologists had an, a real job was in the beginning of the industrial revolution when they were told to go measure people's feet so they could get a bell curve of the sizes that should be in stock of hats and feet.
So similarly here, if we're talking about identity, we talk about identity credentials and from kind of from the signaling part of identity. But if we're, if we have an interest in being bottom up, why not engage people who are doing sociological anthropological work, take the metrics that they have and say, hey, might a subset of these metrics feed into Nick's analysis with the DNA? How can we start to represent that texturing?
Last point I make about it is the, there was an MIT study recently where they went around and did the trolley car problem in three different cultures and they got three different answers. So we're, so the nly, if we wanna discover things that are not outside of the colonial enterprise, perhaps we should engage people who've been doing that for some time and see if they have some metrics lying around that we might reapply. Thank You. Great Cross-disciplinary, love it.
Speaker 20 01:39:55 So the one word I haven't heard is the one that tends to derail projects a lot is the word liability and anything where control is being defined as to who is in charge, who is in control. There's a discussion there about transfer the benefits to the cost bearers and things like that in a lot of wallet discussions and a lot of digital identity discussions, a lot of discussions which have been about transferring control to the individual. It also is a transfer of liability to the individual frequently to individuals who don't know how to handle things.
And that is not covered anywhere. And that's often in my experience, going to derail a bunch of these projects and it needs to be covered somewhere. So I love that it's a same individuals taking the liability and also governments who don't take liability often. Right. Yeah. All right. All right. Any other last comments on academic studies?
I'll, Speaker 13 01:40:56 It, it depends on, I'll try to on the trust framework. Yeah. Liability. So if you take a look at the idea, the trust framework, it takes into consideration liability and the compensation model including the issuers and usage. So it's all tied together, Right?
You, you ask for research ideas, right? Here's one, so you have a list of use cases somewhere.
Yes, we did. Exactly. I would send those to some like to somebody who's willing to do an economic analysis and figure out which are actually real use cases, right? Yeah. Right. TI tend to have these Fanta fantasy use cases that aren't actually based in reality. Yeah.
Or, or have no economic value in the end. And I would actually suggest filtering those out at an early stage and only looking at use cases that have actual value and are somehow implementable or you know, tractable. I su I suspect that you will find a bunch of stuff that is really, really hard and it's hard for a reason, haven't done be haven't been done because it requires the collaboration on multiple sort of verticals and that's simply been unachievable.
And the reason you can kind of do some of them sometimes is because of political sort of somebody invests political capital in getting them down, right? But having like actual use cases on a list to be able to point people at and said if you actually wanted to do cross-border authentication and and identity, these sort the things you start with because they have real value, right? And for that you need the help of like organizations like who can understand economic sort of ca like co and economic forum or something like that. Or you actually can do analysis like that.
That's a great point and it reminds me, and I don't know that we've actually reached out to the authors of the McKinsey report, the digital inclusion, you know, the key to unlocking. We should definitely just write to them. Yes at the same time that sometimes the consulting organizations are not trusted as much as the academics are for their formal economic analysis and sizing of use cases. So I think very, very valid.
Okay, we had some other questions, but I don't think we're gonna have time to probe all of these like roles of academics. Is there a research capacity gap?
The, the conclusion out of Cape Town where we had a joint session with the cheering institute, which includes like Cambridge and work university and a association of of different European and and African stakeholders there, the, the kind of conclusion was there are 600 some academic reports on identity related topics, but very few of them actually have application and that are being consumed and helping to drive our work forward. There are definitely exceptions.
We had Stu Guard up here earlier today talking about their great work on security analysis, other great isolated piece of work like Scott is is doing some fantastic work and I can point out others but they're not, not yet all kind of combined together and joined up. So how can we do that I think is one of the, the questions we're, we're posing. All right, so checking time. We got 14 minutes so I'm gonna save five or six minutes for a survey, interactive survey at the end. I wanted to tee up two more questions.
So one is gonna be messages for the G seven and the G 20, but before we get there wanted to see if there's any asks that you have as an audience for our various different work streams that we've teed up here. We'll take note of anything you particularly like us to work on. Maybe it's criteria for, for a champion use cases maybe as Mark and Deborah introduced the minimum requirements in this incredibly thorny nine different permutations of ways to solve for interoperability. Maybe you wanna dive in there or the trust framework mapping building on on what Nick's presented earlier.
Any, any thoughts from the floor on and asks for the work streams? Alright, hold those. Maybe you can still think about that. I'll move on to the fun one 'cause I'm gonna really wanna hear what you say here.
So the, the G seven, at least for this calendar year has already incorporated digital identity into their kind of planned area of support. So as part of one of their work streams, a technology work stream, I've forgotten the title of it, they already included in their report in March the digital identity as part of their areas of focus. They've already been working on this compendium of analysis across the seven implement seven different countries. And so there's, there's alignment already emerging out of those, those seven.
And it is getting rolled up into this digital public infrastructure initiative, which is a combination of digital identity, open banking and open finance and faster payments. And then you tie that together with civil registry infrastructure and digital digital government services. That's kind of the constellation of things in DPI that the G seven and the G 20 are working on. And then the G 20 is coming up later this year in November and we're, we're feeding into that process as well, starting with a pre-session that I'll be joining in in two weeks time to prepare for.
We'll see, we'll see what they're doing. Mostly they're trying to define DPII think at the moment. So interested to open it up to the floor. Any asks that you would have of the G seven and G 20, what do you think good would look like? If you could talk to any of those multinational organizations, what do you think they should be doing to unlock cross-border interoperability?
Speaker 21 01:46:29 One of the things we haven't picked up on, but it is a key topic across the eu across about 12 different areas, Australia, New Zealand, Canada, Philippines, South Africa, India is looking at age appropriate design. I mentioned in the very first session, 30% of people online globally are under the age of 18. And it's not just identifiers that will be through government documents, it is the harder ones.
So yes, partly vouching, it could be that you're also looking at parental consent but all of the evidence shows that that is not enough and you have to look at estimation and other proxies as well and look at immersive as well as online. So I think one of the key elements has to be looking at that age appropriate element and not forgetting that actually that is 30% of people, if you ignore it, Well said Scott, Speaker 14 01:47:30 If they've bought into the ideas that you were just talking about an identity, et cetera.
One of the things that may be PO made possible by that is to start to look at emerging systemic risk as a category from those things that they're now paying attention to on identity and banking, et cetera. So that the the, there are risks that are known associated with those type of systems, but then the systems of systems, once you start to have metrics and attention to those subparts, you start to have a compounding type of systemic risk.
And that may be of interest at that level of analysis, it's an abstraction but it's an abstraction that becomes possible to track as a result of them paying attention to identity as a thing and the finance parts, et cetera. Speaker 19 01:48:19 So with regard to the G 20, is there any way that you can think about linking the work that G Life has done with organizational identifiers?
Because it was the G 20 that actually was the impetus for G Life and point to the success of G Life and how they've actually used that to appear in national law and say just like this was a success with organizational identity, this is what can be recognized when we provide identities to individuals. It's just, you know, the G 20, it's a nice way of saying, oh you were really great and this is kind of the next step. Just part of the overall messaging may help. Thank you Michael. Just a few comments.
Having talked to go life a couple weeks ago on, on this topic, I think within the Golia organization they see for themselves a a future where they could be the home of entity identification more broadly beyond the financial services mandate that they currently have. I think the question is whether that mandate will be broadened or not, right? So whether that's through the G 20 mechanism that's kind of empowered them to date or whether it's another model, it's one of the kind of gaps, it wasn't listed on the page, but one that we recognize, how does that work, right?
ICAN has one model that we've discussed for domain name, service registration, then of course GLY is another model. Are there others?
You know, how, what is the best way to resolve it and ultimately tie it back to that issuing authority identity. So thank you for the suggestion Michael. Other topics points, Speaker 14 01:49:54 You know, another one that occurs to me is maybe looking at unbundling of sovereignty. So they're all sovereign states that are dealing here and we talk about individuals and their rights and their abilities.
When you have digital identity, especially when it works cross border, then you start to have a, not just the conflict of the sovereigns as, as we alluded to in the passport idea, but then people acting as sovereigns with respect to their digital identity. So I'll use, let me clarify. So an artist when they're creating a painting is sovereign in their art, but if they drive to the grocery store, the artist has to follow the traffic rules. So they're not sovereign in traffic rules.
Here we're empowering individuals to be able to be sovereign in certain things in their identity, independent of the state because they'll be able to do things they couldn't do otherwise, independent of the state and their commercial aspects to it, et cetera. Speaker 14 01:50:58 That empower the individual, that dynamic of the individual gaining a trans sovereign power might be of interest as a future trend for sovereigns to understand because they'll wanna do that in a controlled way.
They won't wanna be releasing the idea of an individual as a member of that sovereign state, kind of the leviathan idea. They won't wanna be releasing that just willy-nilly. They'll wanna have a structure around it. And I think, again, getting back to Nick's DNA, that allows a specificity in the allowances of sovereignty in an unbundled way. And that's pretty abstract stuff. But I think it, it is a real issue for nation states which previously had auspices over their entire population in tax they still do, right? You if you're resident of a country, you're taxed on your worldwide income.
So there's, but those things are becoming attenuated as the empowerment of the individual increases. Speaker 13 01:52:09 At the risk of sounding not caring, I, I don't really agree with what you're saying. You have not done identity standardization at the, in 2006 to 2008, my biggest problem in standardizing digital identity definition was Germany because digital identity is not recognized as an identity in the German law. So we had to make an exception when we did the first identity model. This does not apply to Germany, so you don't want to go that route.
You know, you, what you're saying is the enablement is a use case of expression within the context of rules. So let's give it out of city, you go into a city and city will die the next day. Okay. Alright.
So a hot, a hot topic one last point and then we're gonna do prep. Prep the survey, you can start scanning. Oh well you can join any of the work streams, city dash HUD bot community and we're meeting regularly on these work streams and this will be the QR code. So while we take one last question, you can start scanning. So you headed up on the slides already, but in terms of the spectrum that you opened up between centralized and decentralized and public governance versus public provisioning.
It would be really, I important to me that we encourage the G seven and G 22 retain choice for individuals who they would like to leverage for identity verification. And there's some blatant self-interest in being part of Connect ID in Australia, but it to me sort of the combination of public actors and private sector actors is really, really important. And as an outflow from that, and you mentioned it already on the slides, the ecosystem needs the funding to evolve.
And on the public sector side, I think that's relatively easy where that money comes from on the private sector side, it's not something that should be taken for granted and in order to avoid that infrastructure falling into disrepair, there needs to be a way for especially the issuer to have an incentive to maintain it. Love it. Thank you.
Okay, I'm gonna ask our tech team in the back if they can switch over to the dynamic. There we go. Great. So as you scan the QR code, you'll, your responses are going to pop up magically on the screen and if I can find my phone I will progress the questions. There it is. Speaker 16 01:55:03 Yeah, Yeah, tell Speaker 16 01:55:05 People they may have hundred points to, Yeah you have a hundred points and there is obviously the, the risk of bias that the use case at the top of the list will need to be moved around.
But this is the same exact survey we prompted people with in Cape Town and the same yesterday with some of the participants in the Berlin City Hub summit and IDENTI diverse last week. So we're looking forward to kind of comp, getting a little bit of regional comparison between the answers and again, it's really more of a temperature check, not a scientific study that is So interesting to see React.
Yeah, yeah. Alright, we've got five responses in so far. I see quite a few people staring at their phones, hopefully sorting out their point allocation. This is the hard question. The other other few will click through real quick. We got nine in, I think I'll wait for about 15 and then I'll move on to the next one. So far mobile driving license is doing well and people wanna assert their aged access benefits or content signing contracts. Nobody's worried about social security in the room. We haven't got the right age bracket maybe. Thank you.
All right, we're at 16 so we're gonna move on to the next, next page. Let's see if I'm able to get this done. Okay. Do you think we humbly ask, do you think we need to continue this work on city hub?
Yeah, we got to 16 way faster here. We're showing our vulnerable side Asking what you really think and we can't track you down. For the first three times we ran this survey, we had no nose, we had a hundred percent maybes or or whatever. So 90% plus from our first three times then we had more grumpy people. Yesterday we got to 73%. Yes with more maybes one.
No, here we got a couple of nos, but you held out to the end. That's pretty impressive.
Okay, moving on to the next slide. Disinformation concerns. So this is again, completely untracked and anonymous, whether you're concerned around disinformation disrupting plans for digital identity. For the second one, assume it says digital identity as well, not digital information. And some of you may have no concerns about disinformation.
All right, we're up to 15 so we'll move on to the next one. How much do you think it would cost to deploy digital identity to 8 billion people? So this is completely arbitrary, right? But very curious to see what you all say. I do. I get a kick out of it Because this of course goes back to that academic question of well how, what are the benefits, right? And ultimately we can probably size reason within reasonable tolerances what it would cost to deploy digital identity. And you know, just global fraud alone is $1.4 trillion of global fraud. So that's one type of risk.
What about all of the inclusion benefits that you can have? What about all of the GDP lift that we've seen from that McKinsey survey? It dwarfs the costs in my opinion, of enabling this, but we're not looking at it top down strategically that way. And I think this is part of what we need to size with great academic research and then take that to the G 20 and be like, hello, you know, let's solve these problems.
Okay, last one. This is one that's useful when we're talking to, to country audiences to get at the jurisdiction jurisdiction view, but feel free to pick whichever jurisdiction you most want to estimate what you think it would cost to deploy in your jurisdiction digital identity. And I think that is our last question. Alright.
Oh, do one more. Volunteering at City Hub. So this is the address if you would like to get involved. We're again not tracking this, so if you actually wanna get involved, you have to find Abby, you have to find Elizabeth or Mark, myself, Deborah, Nick, any of the people working on City Hub and we'll help you get connected to the areas of interest that you personally have. But great to see a fair few of you Could be tempted to weigh in. So thank you in advance. And that is the end of our dynamic survey.
Thank you very much for joining us this morning and we appreciate all this feedback, Elizabeth, who has been dutifully capturing your comments and we look forward to engaging with you further on this. Thank you.