Let’s talk about digital identity with Bo Harald, Founding Member at MyData Global Network.

In episode 68, Bo discusses all things eIDAS 2.0 – what eIDAS 2.0 is and how it differs from eIDAS 1.0; the opportunities with Self-Sovereign Identity (SSI) and eReceipts; public and private sector involvement; what the world can learn from the Nordics for projects like eIDAS and GAIN; and how smaller players can influence the Commission’s decisions.

[Transcript below]

“Some people say that this is more important than the Internet, I agree… During 40 years of digital work, I’ve seen a lot of important things, but this is the biggest by far.”

Bo Harald has been named as one of the most influential technologists of the 20th century by Institutional Investor, and has been awarded for advancing the Information Society by the Finnish Ministry of Transport and Communications. He currently works as an independent advisor at Findy.fi, a Senior Advisor at the Finnish Council of Regulatory Impact Analysis, a Founder and Steering Committee member at MyData.org, and with the publicly funded Real Time Economy programme. He also has an active role in the Finnish eIDAS 2.0 workgroups.

Connect with Bo on LinkedIn.

Find Bo’s open letter to the EU Commission posted in Finextra – https://www.finextra.com/blogposting/22017/open-letter-to-the-eu-commission

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: You might have heard of eIDAS before, especially if you are in the payment industry. But now in the recent years, the European Commission is working on a new version, eIDAS 2.0. We’re going to talk about that and especially from the perspective of Finland. We have a special guest who has been working in Finland. And our special guest today is Bo Harald.

He started his career in banking in the 1970s by promoting and building electronic banking, payments, and e-business services. He developed Nordea’s Electronic Banking and payments operation for 30 years, after which he started working with TietoEvry as the Head of Executive Advisors.

He has also served as the Chairman of the EU Expert Group on Electronic Invoicing, the Chairman of Mobey, Mobile Financial Services Forum, and has held and holds directorships in various companies and associations. He has been named as one of the most influential technologists of the 20th century by Institutional Investor, and has been awarded for advancing the Information Society by the Finnish Ministry of Transport and Communications.

Bo currently works as an independent advisor at Findy.fi, a Senior Advisor at the Finnish Council of Regulatory Impact Analysis, a Founder and Steering Committee member at MyData.org, and with the publicly funded, Real Time Economy programme.

Hello, Bo.

Bo Harald: Hello, and thank you for having me.

Oscar: It’s a pleasure, Bo. Thanks for joining us. And definitely, I want to hear all these very interesting things about eIDAS 2.0. So let’s start, let’s get started. Let’s talk about digital identity. We’d like to hear from your very extensive and varied background in banking and technology. Please tell us a bit more about your career journey – how everything until today working in the Finnish eIDAS 2.0 workgroups.

Bo: Yeah, it’s a long ladder, and I want to call it a ladder. It started back in the late ’70s, when we developed the first versions of home banking, the PC banking in the very early 1980s for private customers at Union Bank of Finland, and nowadays Nordea. And also for SMEs long before internet. And the first step was obviously with payments, invoice payments, typically, bill payments. And then we moved on to put all banking services actually into e-banking before internet already. And so that was the first phase.

The second phase was about interconnecting bank customers, not only with payments, but also with e-identification, e-signatures, e-invoice and e-salary, for example. This was a very important step when you look at the benefits for society at large, you get the economy of trust the economic reuse, the economic repetition, the economy of scale, and all that.

And from here, when internet then came in the mid ’90s, we had already half a million people on e-banking in Finland. And we were the biggest bank in e-banking in the world, in absolute terms for many, many years, all the way to Nordea.

So from here, we established then the public-private real time economic programme, focusing very much on e-invoicing, accounting automation, real time income register for the tax authorities. And that’s what I tried to also promote when I was the Chairman for the EU Commission Expert Group.

The next phase, if I condense this ladder, was the MyData principles that started to grow out in 2016, putting the citizen in control of all of his or her data, naturally supported by the legal promise from GDPR in Europe. But we could see at that early stage that there was no practical way of getting this data to travel from the enterprises that had the legal obligation to send it and that’s where we started to look for a new solution in 2017 and ’18.

And there we could see that Self-Sovereign Identity and Trust over IP was the solution to go forward with. And we established this public-private Findy cooperative as the solution. And it was a real eye-opener and this is soon coming to eIDAS to see that we were able to solve the pressing need for being able to trade and issue non listed, unlisted shares.

And there you have this pretty tricky situation that you need to serve private shareholders, organisational shareholders, the issuer, the state, the trade registry, the banks, for payments, for trading, for settlement, for delivery, for keeping up the registers. But when you issued all of these parties, with the same generic wallets or fact wallets, we prefer to call them fact wallets – identity wallets is the other name for it. Then it was astonishingly easy to interconnect these parties – four coders, four months, and it worked like a dream.

So that’s when I got the eyes open for the eIDAS architecture needs. That’s the ladder. And actually, the ladder is important to understand that you should have all the ranks or the steps on it, you know, enabled to rise to the higher platforms in between. That was the path, my path.

Oscar: Well, very, of course, been long, long journey and super interesting all the type of projects you have been involved. And now, you are working very heavily on eIDAS, especially this new version 2.0. If you can tell us about that but also tell us for the ones who are not so familiar, what is eIDAS? And then tell us the difference between the current eIDAS 1.0 and the new one, eIDAS 2.0.

Bo: Yes, eIDAS 1.0 and eIDAS 2.0 are two entirely different things. eIDAS 1.0 failed. It was focusing on cross-border identification services with pretty stiff requirements. And there were two things missing that led to the failure – supply and demand. There is such a limited need for identifying citizens, organisations, cross-border. And in the Nordic countries, we already have extremely well-functioning identification services in place, mainly run by the banks in Finland, also teleoperators are involved, I think that may be the only country in the world where teleoperators are doing this as well. It’s good with competition.

But when you talk about eIDAS 2.0, it’s not a question of identification, it’s a question of identity. And that’s a totally different thing. You could say that the identity is built from credentials from all sorts of sources in the private sector, in the public sector, statements about your knowledge, your skills, your vaccinations, where you live. We’re disclosing as little as possible, thousands of different statements that build a person’s identity all the way to – you might call it a “digital twin”.

And, here, obviously, eIDAS 2.0 is promising that every European will get a wallet issued by qualified issuers, possibly also by the states, if needed. And these wallets are then the ones where you will get these credentials, statements, the verified data about you when you need it.

So that’s a big difference between eIDAS 1.0 and eIDAS 2.0. And obviously eIDAS 2.0 is an absolutely enormous opportunity for the economy at large on the one hand, and for building a real single digital market on the other hand.

Oscar: As you have mentioned wallets, earlier you mentioned fact wallets or identity wallets, does it already exist? Just to understand that concept better, could you describe how it would be in practice? Is there anything like that today so we can have an idea?

Bo: Yeah. There are already wallets out there, pretty many, many versions of them actually. Obviously, Europe is working on trying to establish what kind of standards such a wallet should have, be it then an application in your mobile phone, which seems to be very much in focus now, mainly serving citizens, also, perhaps smaller enterprises.

But obviously, these kinds of applications or wallets, ID wallets or rather fact wallets, are also needed by larger organisations. And then the mobile application is not the solution, but an application, a computer or in the cloud. But obviously, all these wallets, be they then in a mobile or in a computer or in the cloud, should be interoperable by design. That’s the whole idea here.

Oscar: OK. Yeah, understanding now the, what is this new concept of eIDAS 2.0 based on identities that you say in wallets, tell us more about the opportunities that this new framework is going to provide for the future across Europe.

Bo: Yes, I’m very happy to see that the commission work is really embracing Self-Sovereign Identity, which is obviously the standard, and I can’t see any alternative to that. And in many, many countries already Trust Over IP stacks are the starting point like they are here in Finland, and have been already for five years.

And here, what will happen is that the data rights holder, you as a citizen, or you as working for a company, you are in the driver’s seat. You can go to a data source, public or private, and say, that now I have a life event of this sort, looking for a job, establishing a company, somebody has died in the near family, which is the most stressful life event, and thousands of other life events, and now I need the data from all of these, all relevant sources. And I have a wallet, and the wallet is helping me to find those sources. And then I get the data to my wallet. And then I go to a service provider of my choice, I have this data and you are specialising in this particular life event. If I need financing, it may be a bank. And could you please take care of the need.

And the beauty of this is these three parties, the data rights holder with the wallet, the source and the service provider do not need to be technically integrated, do not need to be technically integrated. Because in this infrastructure, the technical connection is handled in the infrastructure, which is very cheap to build, of course, it needs rulebooks. And that’s the whole beauty of it.

Obviously, this infrastructure, we call it the data highway here in Finland is used both by the public sector and the private sector. That’s a no brainer, like a road is open to everyone to use. And it should obviously be a non-profit organisation that handles this. That’s why we have established this in the cooperatives to do that. So that’s how it works. And it’s not that difficult to understand, actually.

The benefits of Self-Sovereign Identity are absolutely enormous to reducing risk and friction in the economy at large. It’s of course, improving automation. It’s protecting privacy like nothing we have seen before. It’s preventing crime and grey economy. And this book that I mentioned to you, Self-Sovereign Identity by Drummond Reed, is quoting sources saying that the cost of cybercrime is something in the region of $6 trillion. So that’s a kind of a big picture. McKinsey for its part estimates the benefits of the trust infrastructure to be 3% to 6% of GDP, depending on the maturity of a country.

So this is an absolutely massive step forward. Some people say that this is more important than Internet, I agree. And some people say that the fact wallet is at least as important as the internet browser was when internet started. So you can see that this is something that every state, every government should actually do everything they can, and obviously, European Union to happen as fast as possible. We have no time to lose in this world. But they cannot do it on their own. And they are– the clever governments understand that they have to do this hand-in-hand with the Self-Sovereign Identity experts and the enterprises that are working in that field, and that’s the way it works in Finland.

Oscar: Yeah, definitely the way you say it sounds like there are definitely plenty of benefits. And yeah, we hope to see these benefits in the near future definitely.

Bo: Oh, I mean, it’s a kind of a responsibility of any government that are looking for reducing crime and improving privacy and above all, naturally, getting the productivity in place and the benefits of data according to the MyData principles. And this is the really only practical way I can see that they could implement the MyData principles, protecting people’s data. I’ve seen during 40 years of digital work, I’ve seen a lot of important things, but this is the biggest by far.

And if you want to go into the wallets, which will get a lot of so-called credentials or statements, verify data, the e-receipt is something of the highest volume. And even the lines in the e-receipts, if you look at the number of lines in e-receipts and e-invoices in Finland, and both of them will in a couple of years’ time be the only kind accepted legally. In accounting, there are some 20 billion of them every year and these can– each line can be verified on its own. So it will be by far the biggest volume of credentials sitting delivered from the seller’s wallet to the buyer’s wallet, be the buyer or seller private or an organisation.

And the reuse of this e-receipt is a fantastic opportunity. We all know what travel expense means for all of us. We know how difficult it is to get financing in enterprises, and you have an invoice there, verified by the buyer, it’s so much easier for insurance companies. In Finland only there is a calculation saying that about 100 million can be saved when e-receipts are actually available. And obviously the insurance fraud is a big issue in any country. That’s just one example. But there are any number of them that– what is the– when you get a verified data statement, a credential that can be used in so many different places.

Oscar: So the e-receipts is also part of eIDAS 2.0?

Bo: Well, it’s not directly but I mean, when you have eIDAS 2.0 in the right way. And I’m a little bit worried, I have to admit, about the Commission’s, let’s say, level of understanding of the importance of this 3% to 6% of GDP. They are focusing, in my opinion, too much on the private wallets and not enough on the enterprise wallets, to get the real benefit. If you focus only on private wallets, and for example, then government-issued credentials, then you get to a point 0% or 0.1% perhaps of the benefits. But when you have a full picture then you can get 90% of the enormous, enormous benefits.

That’s why I wrote this open letter, which can be found in my LinkedIn account. Also, if somebody’s interested to the Commission, but we should understand how big this step can be if it’s done correctly, and not only looking at some sort of additional identification tool and only government-issued credentials.

Oscar: Yeah, we’re going to add this, I read your open letter to EU Commission. So yeah, we’re going to add it also to the show notes of this episode so people can read it, definitely. How can we centre the users’ needs while at the same time balancing organisational priorities in any new solution?

Bo: Yeah, this is a very good question and an important question, and I don’t have all of the answers here. But I have some basic answers based on my experience from banking, and so forth. I think that the, the mission and the– must always be the passion in any organisation that wants to be successful is to think hard about what the customers need tomorrow. And it’s a familiar phrase is that you should never ask the customer what he needs, because he doesn’t know, you should know before he does.

And in this particular time now, I think it’s time to start all the service design from the customer’s life events. Both data is needed for this live event and where does it sit? How can the data be verified and available in real time? The value of data arriving one second faster is quite different from the one that comes later. And it’s then in this particular setting, natural for many, many organisations to issue these wallets, be they in a mobile phone or in a computer. And also then include the National ID, invite the government to make the root idea, the electronic ID card into these wallets, so that it can be used for opening bank accounts and whatnot, where this is always needed according to the law, at least in the Nordics, but also other credentials from the public sector.

Then you can produce fantastic value for the customers, be they private customers or for SMEs who are going to take and actually charge. So that you [indiscernible] and the costs are not big, that is the fantastic feature here with open source technology and open data and open standards. So, I see that the solution will be that the role of public and private sector organisations will be, and is already, in GDPR supply data, but it should be verified data. The value of verified data is a thousand times more than just generic data. Also for machine learning and artificial intelligence, to supply that data to citizens and SME fact wallets and these are generic tools, generic tools, standardised interfaces all over the place.

The data rights holder as I said before here, then herself decides which service provider is best suited to use the data, to solve the need. And then in an ideal world, the public sector would not need to act as a service provider at all. They can let the enterprises do that on their own, and that will save a lot of taxpayers’ money. But of course, we have to see to it that there are no walled gardens built, that data is flowing freely, that you can always change your service provider without any lock ins, and that the competition is serving us all.

It shouldn’t be that difficult because the whole Self-Sovereign Identity is built on open standards and no walled gardens and no technology and no– it’s a kind of religion in that so that’s why I feel so comfortable in promoting it.

Oscar: Now with your experience working in Finland in banking and several other projects until now, how can Europe – and even if we see it globally with initiatives like GAIN, the Global Assured Identity Network – how these can learn from the experiences in Finland and in the Nordics in general?

Bo: Yeah, I have to admit that I have failed miserably in one aspect. This e-identification services that GAIN is now looking at was started back in I think ’93 in Finland. And we have then taken it from here to the other Nordic countries so that the banks are actually the suppliers to the identification services. And I have been preaching this in conferences all over the world all the time, since then, and I have written any number of blogs, in the Finextra blog posts, you can find it on frequently. That banks should be doing this and not only by their own will but should actually be forced into this kind of service by the government. Because they are so suited, because they are trusted, trusted institutions and the economic trust is immensely important and they are legislated into it because of the anti-money laundering legislation and all that.

And now GAIN is looking at it and unfortunately, it is very late. And now with the wallets, you don’t need it in the same time as– in the same way as you would have done it if you had started 20 years ago, 25 years ago as we did. But I didn’t get in my way, there has been so many different crises in banking that has taken away the attention. A little bit the same has happened also in electronic invoicing, banks woke up a little bit late. I can only look myself in the mirror.

But the lessons learned in Finland was that the economy of reuse and the economy of trust, using bank ID for identifying in all kinds of services was really, really important. It became a generic tool, both in your private role and in your work roles. And now, when you have this in overflow of everything – I mean, the attention span is– if it is eight seconds, still, it’s good. I mean, the goldfish has nine seconds. And everything else is overflowing except time and the value of something that you know already and trust is growing exponentially.

But now, I jump from there to the wallets, a generic wallet that you can use at home and at work supported by a generic public-private joint infrastructure is, of course, even more valuable, many times more valuable than the e-identification services provided by the banks. And this is something that not only the banking sector should be providing but many other sectors as well and everyone should naturally use it. So we have to live with the times and realise that people don’t have time to learn anything new if it can be avoided.

Oscar: Now, seeing the evolution because eIDAS 2.0 as I understand is still being cooked, let’s say, so it’s not completely finished. So how, let’s say smaller EU countries, and even individuals, who are really concerned about this or how is it going to be the standard and the standard coming can have more power to influence the commission decisions that is going to affect so many residents?

Bo: And this is a very critical question, an important question. And to get anything done now, the first thing to say is that even if you have the best public servants in the world, they are not Self-Sovereign Identity experts. Even if the European Commission has said that the Self-Sovereign Identity is at the core of eIDAS, they haven’t yet understood– had time to understand the full picture perhaps.

The remedy is that EU and any country, sit down with the public sector and say that OK, you government, you have realised that you can have 3% to 6% GDP benefits out of this Trust Infrastructure. And you do understand that your lawyers and economists and whatnot, they are not experts in building this radically new infrastructure. You have to do it together, in this public-private team, formulate the narrative. And some basic use cases like the receipts, or whatnot, so that the citizens will actually start asking for it, demanding it from their own government. That’s what you need.

And from Brussels, because we do understand that the Europe is the biggest economy in the world and if it becomes one single market, the benefit for everyone will be absolutely massive. And this is real – this trust infrastructure is a bigger step than Internet. And the fact wallet is the new browser. So we have to get people to understand how big this is.

And then the countries, once you have done it in your home country, then you join forces with others, like we now do with Sweden, Norway, and Germany, Holland, and so forth, and influence Brussels so that it is not overregulated, which will make it too expensive for small players, and actually just help large organisations to protect their positions. They have money enough to do this, even if it’s very regulated. So it’s important to see to it that the competition from the smaller guys is possible.

Oscar: So yeah, it’s important to, as you say, join forces, right, with the countries that have already– countries and organisations that are already active in… yeah, quite knowledgeable and active today.

Bo: Exactly. And that’s what they are doing now. Very happy to see that our neighbour Sweden has been quite keen to work together with the other countries also.

Oscar: And when is it expected to be ready, eIDAS 2.0?

Bo: Well, we’ve had a very tight timetable when it was launched. And we were of course quite happy about that last summer, it was announced and this was exactly what we had been hoping for, and even more. So that was good. But then it has now taken a lot of time and gone into overregulation aspects, which we fear and not enough understanding for the need for organisational wallets and of course or for wallets for things and bets and whatnot to get the full benefit.

So I’m, let’s say, prepared to wait half a year more if these aspects get into the drawings so that you can get the benefits out of it. The economic benefits and privacy benefits and single market benefits. So we must work hard to avoid, let’s say, minimal mobile application for citizens only. I don’t know how long it will take but probably not much will be seen how in way of use cases this year, next year should be a breakthrough year.

Oscar: OK. In 2023, we’ll see some of the fruits at least will be available for people to use and as you say organisations as well, all together.

Bo: Absolutely.

Oscar: Excellent. Final question for you, Bo. For all business leaders listening to us now what is the one actionable idea that they should write on their agendas today?

Bo: Well, this is of course a very challenging question. But if I choose from a long list of experiences from the past in electronic banking, electronic invoicing, e-identification services and all and how they come together and form the ladder. And when this ladder was– when they started to raise this ladder, we were happy enough to have hundreds and hundreds of bank branches that could do the selling on a personal basis to the individuals. Now, we are not really that many bank branches left anymore so it’s a new, it’s a new game, you have to do it without much personal selling.

So my simple line would be to say that, for God’s sake, do not serve your customer, to have a life event, with the fact wallets for all needed verified data into the wallet, and you have to do it closely together with the public sector. And they should also help with the financing because so much of the benefits will be for the society at large and only a small part for the enterprises and such. But this is the joint effort, the biggest one I’ve seen ever.

Oscar: Well, thank you very much, Bo, for this very interesting conversation and shedding light about eIDAS 2.0 and everything that is, yeah, behind that. I definitely learned a lot from this conversation. I’m sure our audience had fun and also super interesting. If someone would like to hear more about you, or get in touch with you, or follow you, what are the best ways?

Bo: Well, I have such an unusual name so it’s easy to find me on LinkedIn and please feel free to contact me. I have written blogs for at least 10 years on Finextra. So there, most of the material that I have myself produced can be found there in a fairly condensed form, not too long texts. So please feel free to use as much as you like.

Oscar: OK, perfect. Again, thanks a lot, Bo, for this conversation and all the best.

Bo: Thank you very much.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]