Let’s Talk About Digital Identity with Kaliya Young – consultant, conference organiser, author, activist.
In episode 36, Kaliya and Oscar discuss the long-running Internet Identity Workshop (IIW) that she co-founded, the effects of moving to virtual identity conferences in 2020, insights from Kaliya’s books – ‘The Domains of Identity’, newly published in 2020, and ‘A Comprehensive Guide to Self Sovereign Identity’ – plus some great tips for all business leaders on how to view the role of identity in their organisation.
[Scroll down for transcript]
“I think we may be selling self-sovereign identity all wrong. It should be infinitely scalable, low-cost federation. That’s really powerful!”
For the past 15 years, she has been working to catalyse the creation of a layer of identity for people based on open standards. She co-founded the Internet Identity Workshop (IIW) in 2005 to bring together technologists who want to see decentralised identity come into being. In the fifteen years their community has been meeting, they have created standards being used all over the internet, like OpenID Connect and OAuth. In 2012 she was recognised as a Young Global Leader by the World Economic Forum.
The next IIW is in April. Sign up on Eventbrite.
Kaliya is widely recognised for her community leadership. She travels to Africa and Asia at least once a year to ensure the development of person-centric identity is truly global and inclusive. Most recently, she co-founded HumanFirst.Tech with Shireen Mitchell, a project focused on creating space for diverse voices and building a more inclusive industry.
In 2009, she was named one of Fast Company’s Most Influential Women in Technology.
Regular listeners of Let’s Talk About Digital Identity will know that Oscar asks every guest for their top tips on how to protect our digital identities. For 2021, Oscar has a new burning question for all LTADI guests – “for all business leaders listening to us now, what is the one actionable idea that they should write on their agendas today?”
Go to our YouTube to watch the video transcript for this episode.
Or subscribe with your favorite app by using the address below
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining another episode of Let’s Talk About Digital Identity. Now, that we are starting the New Year 2021 and we are very excited to present a fantastic guest today. She has many interesting things. She’s an author, a speaker, of course an identity expert and she has done so many interesting projects. You are going to hear more about that. So let me introduce you Kaliya Young.
She is the author of two books: The Domains of Identity and A Comprehensive Guide to Self-Sovereign Identity. For the past 15 years, she has been working to catalyse the creation of a layer of identity for people based on open standards. She co-founded the Internet Identity Workshop in 2005 to bring together technologists who want to see decentralised identity come into being. In the 15 years, their community has been meeting, they have created standards being used all over the internet like OpenID Connect and OAuth. In 2012, she was recognised as a young Global Leader by the World Economic Forum.
Kaliya is widely recognised for her community leadership. She travels to Africa and Asia at least once a year to ensure the development of person-centric identity is truly global and inclusive. Most recently, she co-founded HumanFirst.Tech with Shireen Mitchell, a project focused on creating space for diverse voices and building a more inclusive industry. In 2009, she was named one of Fast Company’s the Most Influential Women in Technology.
Kaliya Young: Welcome! It’s nice to be here.
Oscar: Great talking with you, Kaliya. You have so many interesting projects and we want to hear that in this New Year. But first of all, please tell us how was your journey to this world of digital identity.
Kaliya: So, I had a very unconventional path. Many people come to digital identity because they’re working with computers already. They are programmers. So, I was not a programmer. I was an idealistic young student at UC Berkeley in California, and I went to a conference called Planetwork Global Ecology and Information Technology in the year 2000. And that event was full of inspiring visionaries, and one of them I remember Jan Hauser was the CTO of Sun Microsystems at that time was basically describing what would become Uber. He’s like “You’re going to have a mobile phone.” We didn’t have mobile phones really, ubiquitously or smartphones at least in the year 2000, right? “And you’re going to be able to hail a car and share a ride.” And we’re all like, “Wow! Really?”
They did a really good job of bringing together two threads that are prevalent in Northern California which is the conversation about how we address the environmental crisis on the planet and technologists thinking about innovation. And now, green and tech are sort of mushed together all the time. But in the year 2000, they were the first people really to do that and that community started gathering after that event in something called the Linktank, considering what piece of infrastructure might be missing at an internet level that would be needed to support people connecting and organising to address the planetary crisis.
And they thought about it a lot and there were really nascent social networks that they could see. And they said user-centric digital identity was going to be really key and they wrote a paper about it called The Augmented Social Network Building Identity and Trust into the Next Generation Internet. And that’s sort of where I joined the stories after they’ve written this paper and started having monthly forum meetings beginning in 2002 after the Rio summit and they publish the ASN paper in 2003. And then by 2004 I was working full-time on digital identity with Identity Commons looking to catalyse the vision that they had articulated in the ASN paper.
Oscar: All right. Excellent. So, you didn’t come from tech as many people you have met probably in this journey.
Kaliya: Yeah, but I’m technically inclined, right? Like, I went to two Canada-wide science fairs in high school. I was in honours math and science. But when I looked ahead to the future as a young woman I was like, “What am I going to do in a lab, in a lab coat? The world is in crisis, I need to like go do something.” And which is why I studied the major that I did which was Political Economy in Human Rights.
Oscar: Wow! Excellent. OK, I think that life had already planned this for you, so you just took a delay until you found this path. Fantastic.
Kaliya: I mean it’s been really interesting as someone who has learned all the things I know about technology from actively participating in the communities building it, that I’m a bridge between normal people and the deep, deep coding and details that are needed to figure these things out. And my skills as a community organiser and leader are really helpful and useful and have been critical to us as a collective innovating in this space. So that’s the gift that I bring to the challenge and the problem set.
And friends of mine have said, “Well, aren’t you a little bit frustrated that you can’t code?” And yes, I’m like “I wish I could get there and build it.” But it means I have to use the power that I have differently which is in convening and paying attention to the whole space and making sure key conversations happen sooner rather than later. I actually just did that this week, well last month, in trying to prevent two different centres of gravity diverging from each other instead of figuring out how they work together. So, I’m hoping that that conversation actually succeeds but nonetheless, I did my best in terms of preventing forking before it happens.
Oscar: And that’s a very important role that definitely you are taking because there are so many mostly technically led initiatives but as you said they can completely diverge when they join forces. And bringing to this about how you moderate, take part in these events, take this lead, tell us about the Internet Identity Workshop I think that you have been doing for quite a while.
Kaliya: Yeah. So, where we left off my story was just before the Internet Identity Workshop. So, I had travelled to the Digital Identity World Conference which was all about enterprise identity and access management. And at that event, all of the people focused on end-user customer human identity on the internet sort of found each other. We stuck out like sore thumbs amongst all these enterprise folks.
And then we started a mailing list, affectionately called the Identity Gang. And that mailing list was a conversation hub around, what’s the path for individual empowerment with digital identity on the internet? And eventually that mailing list had enough of a rich conversation it became clear we needed to meet. And that became the first internet identity workshop in the fall of 2005. And I’ve been a co-convener of that event ever since, every six months which is actually unusual, right? Many events happen once a year and we started meeting every six months and that was really essential to our pace of innovation because so much changes in the tech world in six months.
And it also fostered a real depth of community. And at that event, we don’t pre-set the agenda, so anybody with an interesting idea or project can come to IIW, literally raise their hand in the morning and say, “I would like to share my project with you” and get a slot on the agenda because we co-create the agenda live the day of the event.
Oscar: And there are always interesting topics and people with enough things to share and work together.
Kaliya: Right. And it is a workshop, right? So, there is probably at least a dozen mailing lists who use IIW as their face-to-face meeting and so they are able to continue the conversations that they have been having amongst themselves but also with all of the other people who happened to be at IIW, so the conversations sort of expand and who has access and attention to them for that window of the week we’re together. And then those conversations head back to their mailing list and then come back together every six months at IIW. Sometimes they say like a week at IIW is like six months in a mailing list because you can move key conversations forward faster with the bandwidth you have with white boards and human beings and side conversations, right?
Oscar: Have you stopped in 2020?
Kaliya: We did not stop. We actually did an incredibly successful transition to online. We’re lucky enough that a friend of mine, Lucas Chaffee, had built an online platform for a range of use cases but one of the use cases in the mix was specifically open space technology, the method that we use to co-create our agendas. And so, because of that we were able, with six weeks’ notice, transition IIW online. We kept the same dates in April, and miraculously I think we had the same kinds of breakthroughs that we had experienced in the face-to-face in the online space because people brought their full selves there. They had to do a little bit more pre-work but there was a breakthrough between that CHAPI people and the DIDCOM people and they finally understood each other and stopped misunderstanding each other, which is really important when you’re trying to build common protocols and tools for all these systems, verifiable credentials, all the new decentralised identity technologies to work together.
Oscar: If you can tell us briefly the breakthroughs in these sessions. There were two sessions in 2020 or one?
Kaliya: No, we’ve already had two in 2020 and our April event will be online and our current plan is to go back to face-to-face in the fall of 2021. And really it’s about, the last set of breakthroughs was around a new verifiable credentials signing format called, it’s a very long set of letters but I would write it down if you’re paying attention, this is what you should follow – the JSON-LD ZKP with BBS+ signatures is a unifying verifiable credentials format that gets what the JSON-LD people want. It gets what the ZKP people want, which previously had two totally incompatible credential formats. And hopefully the JWT people can go along with it and love it too.
Oscar: So, this is going to harmonise, unify the initiatives in decentralised identity.
Kaliya: Hopefully it’ll become the common format for verifiable credentials rather than having a market split between three different formats.
Oscar: Well absolutely it sounds very, very promising. I saw you live in 2018 here in Helsinki, in MyData and I know in some people who know you, know that you are typically in almost every identity conference and you’ve been traveling a lot going to conferences. And now, as these times have changed, are you missing the face-to-face conferences?
Kaliya: Yeah, I miss the side conversations a lot. Obviously, we’ve still been going to various conferences and speaking. Last month I spoke at MyData online, but it’s really the conversations with people who I might not work with every day, so the work in our communities continues. It’s very intensive. I’m on many, many working group calls every week. But there are people who are just outside that bubble who normally I would see a few times a year and have a conversation with that I haven’t. And so now I’m like “OK, who do I need to talk to over the holidays or in the coming months?” just to reconnect on that informal social work level because I’m not in working groups with them particularly every week.
Oscar: Exactly this like coffee room or the party, the after party, these kinds of events where you have a chance to meet people and talk a bit more relaxed and approach people who are maybe you are not planning to meet.
Oscar: But you can say that, for instance in this year 2020 you had workshops and also on other events, virtual events, you’re still getting a big impact in terms of what the world needs in identity.
Kaliya: I hope so. I mean I think COVID has accelerated digital transformation and it’s accelerated the need for the type of credentialing that we offer, right, with the verifiable credentials and the decentralised nature of it. So, it’s accelerated the demand for what we’re developing.
Oscar: Yeah. That’s definitely a good thing and hopefully we see the finalised products, I don’t know if they are coming soon. And from your facet as an author, you have two books.
Kaliya: I know.
Oscar: And the latest was launched in 2020 was Domains of Identity. Could you tell us what are these Domains of Identity?
Kaliya: Yeah, so this is a really exciting piece of work that I developed while I was a Masters student at the University of Texas at Austin, getting a Master of Science in Identity Management and Security. I’m one of the only very few people in the world with this degree so it’s kind of fun. And while I was there, we were a cohort class so it was the same group of students for all of our classes, all 10 classes that we took and we would get a new teacher for each of the different topics we covered.
So, about Class 5 or 6 the new teacher would come in and they’d be like “Let’s talk about identity.” And we’d be like, “Oh, we had this conversation as the first class of our last class, and we’ve been here the whole time and welcome to the party.” But at some point, five or six classes in and we’re learning identity and security, the conversation is just going all over the map as if identity is one thing. I’ll give you a few examples.
So, Target had a large breach, and that breach was the result of their HVAC system, their air conditioning system. The hackers got in through a vulnerability in their HVAC system and then over into their credit card, where they store the credit cards, right? That type of issue with enterprise security is a different set of issues and conversations about whether government should be collecting biometrics and how they should be checking people at borders. And it’s also a really different conversation than how do I prove my age to the soccer club my kid plays in? They’re all identity management problems but they’re not the same problem and they’re definitely not in the same, what I came to call domains.
You know the domains existed in the world. I named them and said, “Look, here is a framework for understanding contemporary identity systems in society and how they work.” And I divided the world up into these 16 domains. So, the first domain is me and my identity and that’s where I am and I’m collecting my own data for myself and managing my own interactions with me. The next domain is you and my identity which is where people are delegating their management of identity to others. So, children do this automagically because they have parents who enrol them in systems as infants and then as they continue to navigate the world like the parents are the ones who are responsible for seeing medical records and school records, etc.
The first two domains are the source of information for the next 12. And the next 12 cover our relationship to government, so getting government-issued IDs; civil society so healthcare institutions, schooling institutions, social clubs, unions, professional associations. That’s all civil society organisations. It’s very broad, but remember the point was to create manageable clusters. And some of the issues with patient management and student management are similar because you’re in a relationship with these institutions for a very long time, and they’re care or service based.
And then we have the commercial sector, so companies that you buy things from – like a phone company or your washing machine or any number of things. And then employment identity as a whole separate realm, right, so our relationship with our employers, there’s a whole universe of enterprise identity and access management tools that fits in the employment domain.
And then for each of these contexts you have a registration process where you enter a system for the first time, transactions where you interact and do things with whatever identity you are issued in your registration process. And then you have surveillance happening in all of these contexts where information is collected about the people in those contexts and potentially ends up in databases. So the next 12 domains, is that grid.
And then you have the data broker industry which is pulling data from all of a whole range of different sectors and places. And then finally, we’ve now just built a whole universe of lots of databases, of lots of personally identifiable information. They are all vulnerable to attacks by bad actors, hackers and state actors in the illicit market where these databases are attacked and information is sold or used to harm people. So those are the 16 domains.
Oscar: Yeah, it’s super enlightening. As you explain that and the first time I saw it when I was seeing you in a conference, definitely, as you said the starting point if someone ask you about digital identity, it’s quite tricky to try to explain it in a single of these domains because in the others things are different. So, who should learn these domains? Who should really know well about these domains of identity?
Kaliya: I think they’re really helpful for policy makers and business leaders so they can ask their people questions and they can also think clearly about how they have to do things differently in different domains. Because most enterprises and organisations end up interacting with a range of domains or they might have some use cases that touch on multiple domains – but then you’re on two, not 16, right? Like, it’s all about trying to think clearly about how to build identity systems and the issues behind different types of systems so that we’re successful in our attempts to I guess bring order to the world. But it’s like you want to build systems that work for human beings. It’s important that we not get all muddled and confused and bring in problems from one domain when thinking about a different one that doesn’t necessarily share those problems.
Oscar: And all of these are domains for individual’s identity, person’s identity only, correct?
Kaliya: Right. It’s centred on the individual. I think that would be really interesting sort of potential next piece of work which is like what do these domains look like relative to enterprise identities? Because businesses have their own digital representations and we touched on them a little bit in delegated identity because businesses only exist – they’re real in one sense because we imagine them to be, but they’re constructed on paper and different people, natural persons have different roles with enterprises and act on those enterprises’ behalf.
So, the second domain, delegated identity, an aspect of that is companies delegating to people the power to act on their behalf whether it’s the CTO, a CFO, a CEO or a board member and that’s a really critical and complicated set of delegations to manage because you don’t want the recently fired CFO to still have access to the financial power to move money, right? And it’s actually a source of great concern and the centre of a lot of due diligence in the banking system is, is the person who claims to be opening a bank account on behalf of company acts actually authorised to do so? And how do you figure that out? Not an easy problem.
The good news is that the self-sovereign identity world is starting to address those problems in collaboration with GLEIF, the Global Legal Entity Identity Foundation. They’re very keen on verifiable credentials in part because you can sort of link these things together and go, “Here is the proof of the legal status of an entity and here’s proof that this person has the privileges that they claim they do” all using verifiable credentials. So, it could be a real breakthrough in terms of supporting effective reduction in complexity in managing those types of relationships.
Oscar: Yeah, exactly. In all this identity, the number two is as you said delegated. It’s where the identity of the individual plus identity of the organisation both have to be, of course verified. While talking with you I’m seeing the big picture of the 16 domains of identity and definitely as I said, it’s eye opening and enlightening for anybody who is, first of all as you said who are building the services, building the products or services not only from the technology point of view but also from other point of view. But also, as an individual to know where my identity is. Who else is somehow getting the hands in one way or another. And even in these last two ones, the data broker industry as you said, the black market, which I didn’t have any intention to do business with these two groups which is in these two domains but they exist…
Kaliya: Right. But your data is in those two domains whether you like it or not.
Oscar: They are.
Kaliya: We forgot about them like that’s where security people focus, and it helps us understand they are real. The good news is that people can buy my books and read them, but I also made sure that my publisher was not going to lock everything in the book forever. So, the actual definitions of the 16 domains are Creative Commons licensed and you can download them from my website if you just want to go be like, “What are they? I want to read them and look at the pictures.” So that’s a good thing.
So, there’s a starter version on my website so you can pick them up and use them to think you don’t need to buy the book for that, but people have really enjoyed it and one of the things I did to write the book was I spent a lot of time in class downloading papers about identity from the T1 Library that I had access to. And so, I had about 900 papers, I skimmed through them all to find papers specifically about different domains. I think there’s probably about 100 papers referenced in the book. So, it’s touching on different places where you could go more in-depth on particular domains. So, it’s really comprehensive and well referenced relative to the existing academic and industry literature on different domains.
Oscar: Yeah, absolutely. It’s fantastic. I think everybody who is listening to this episode should have a look at the 16 Domains of Identity which was brilliantly illustrated and explained by Kaliya. And now that talking about your books, about the first book, it’s called A Comprehensive Guide to Self-Sovereign Identity. As this topic is relevant to you, you work a lot on that, could you share just a couple of ideas about his book?
Kaliya: Sure. I mean the book is now two years old which is an interesting length of time in this industry. It’s still a very, very good starting point although a few pieces of it are out of date, but if you understand the book then you could catch up very fast as opposed to the struggle it is to get up to speed with all the latest things. It really does a great job of talking about the history of how we got to now with self-sovereign identity and contextualising it in earlier developments and technologies.
And it also talks about the four main components of a decentralised or self-sovereign identity system which are the issuers of credentials, the individual, the holder of those credentials, verifier of credentials, and then the distributed ledger technology infrastructure used to look up and manage cryptographic key materials which are essential to the whole problem.
But we explain what a blockchain is in simple terms as best we can. We explain what a decentralised identifier is, what a verifiable credential is, what JSON-LD is. So, we worked on explaining some of the key components in ways that nontechnical people can understand them instead of just hearing all these buzz words and acronyms go by, this provides a way to kind of have a little space to dive in and understand it better.
Oscar: Yeah, which is super important because well, the ones who know very well these topics speak like ta-da-da and acronyms and what the others are like “Oh… Slow down, slow down please!”
Kaliya: Yeah, exactly. We need to work on how we communicate better. I mean in terms of staying up to date with the latest in the industry I’ve actually started a newsletter every week with Infominer. Every weekend we sift through the last week’s news and put together a newsletter with all the highlights from different news announcements, podcasts, videos, blogs, reports, so that it’s easier for people instead of trying to wade through all that themselves. We’re doing a little bit of filtering that’s really helpful. And so that’s at Identisphere.net.
Oscar: Excellent, another excellent resource. Kaliya, as we are heading to the end of this interview, I would like to leave us with some idea that we ask all guests and now that we are starting the new year 2021, think of for all business leaders that are listen to us now, what is one actionable idea that they should write on their agendas today?
Kaliya: I think that business leaders should be really looking at how the emerging decentralised and self-sovereign identity can play a role in their business processes and in their future plans for the coming year. I think it’s quite powerful in terms of how it can solve some really difficult challenges that many folks have, and it shouldn’t be ignored. It may not be the right time to actively build something yet but if you don’t understand it and how it can be leveraged in your enterprise business processes then you’re behind.
Oscar: So, it’s important to understand it and to whenever they are building new products or services, well at least compare it to whatever is available.
Kaliya: Right. And think about it as a complement and also a way to reduce costs and solve problems. I mean I think we may be selling self-sovereign identity all wrong sometimes. It should be infinitely scalable low-cost federation. That’s really powerful. Once you can read a verifiable credential and someone’s showing up with one, it doesn’t matter where they came from. You don’t have to worry about building SAML gateways. It has a potentially significantly lower cost profile in terms of how to be able to receive information from the outside world coming towards your business and enterprise.
And there are also a lot of use cases that have nothing to do with people. So, the US government is using verifiable credentials to support effective custom clearance. So, if you have a company focused on moving things around, you should be paying attention to how these technologies can help you.
Oscar: Well excellent. Thanks a lot, Kaliya for this fantastic interview. First of all, remind us when is the next Internet Identity Workshop?
Kaliya: So, the next Internet Identity Workshop will be online and it’s April 20th to 22nd and the one after that is actually October 12th to 14th. And then if folks want to get in touch with me, they can come to my website IdentityWoman.net. There is a contact form. You can learn more about how I work with companies and enterprises, you can read my blog and check out my podcast, I do one most weeks, it’s called Privacy, Surveillance and Anonymity Today and I do it with Seth Goldstein from Spartacus.
Oscar: Fantastic. Many ways to find all the amazing work you are doing. So again, thanks a lot for joining this and I wish you a fantastic New Year, 2021!
Kaliya: Yeah. Thank you, Oscar and Happy New Year to everyone listening.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]