WEBVTT 1 00:00:00.080 --> 00:00:04.160 Okay, let's kick things off. That daily frustration, right, juggling 2 00:00:04.200 --> 00:00:08.359 all those online accounts, remembering passwords. It's a real digital headache. 3 00:00:08.359 --> 00:00:09.640 We all kind of deal with it. 4 00:00:09.599 --> 00:00:12.119 Really is. But you know, imagine if that friction just 5 00:00:13.359 --> 00:00:14.679 disappeared exactly. 6 00:00:14.759 --> 00:00:17.480 Yeah, and well that's what we're digging into today, this 7 00:00:17.600 --> 00:00:22.039 whole journey of digital identity, how it started, where it's going. 8 00:00:22.320 --> 00:00:25.000 We're aiming this squarely at you, someone keen to understand 9 00:00:25.000 --> 00:00:27.839 this well, pretty crucial part of online life, but maybe 10 00:00:27.879 --> 00:00:31.600 without getting totally bogged down in technical jargon. 11 00:00:31.719 --> 00:00:33.640 Yeah, we want to make it accessible. Our main guide 12 00:00:33.679 --> 00:00:37.560 here is the book Learning Digital Identity. Really comprehensive stuff 13 00:00:37.640 --> 00:00:37.880 it is. 14 00:00:37.920 --> 00:00:39.079 It covers a lot of ground. 15 00:00:39.200 --> 00:00:41.920 So our mission, if you like, is to pull out 16 00:00:41.920 --> 00:00:45.079 the key ideas. What is digital identity really, why is 17 00:00:45.119 --> 00:00:48.439 it so important? And crucially, where's it headed. 18 00:00:48.520 --> 00:00:51.759 We're looking for those aha moments, the concepts that give 19 00:00:51.799 --> 00:00:53.320 you a practical handle on it all. 20 00:00:53.560 --> 00:00:57.960 Okay, so the book starts by outlining three main eras, right, 21 00:00:58.359 --> 00:00:59.640 how identity has evolved. 22 00:01:00.280 --> 00:01:02.600 The first one they mentioned is the centralized era. 23 00:01:03.159 --> 00:01:06.760 Ah, the early days, think, you know, individual websites, each 24 00:01:06.799 --> 00:01:09.280 with its own username and password. 25 00:01:08.840 --> 00:01:13.040 System very simple, but also completely separate, siloed basically totally. 26 00:01:13.239 --> 00:01:14.560 Then came the next phase. 27 00:01:14.480 --> 00:01:17.599 The federated era, and there was this big hope back then. 28 00:01:17.640 --> 00:01:19.439 I think it was around two thousand and three at a. 29 00:01:19.400 --> 00:01:21.879 Conference Digital Identity World, that's the one. 30 00:01:22.239 --> 00:01:25.879 Someone there basically said the goal was finally solving username 31 00:01:25.920 --> 00:01:27.319 password hell oh, I. 32 00:01:27.239 --> 00:01:29.959 Bet they got a cheer. Yeah, the dream of fewer passwords. 33 00:01:30.040 --> 00:01:32.760 Absolutely. The big idea was shifting towards what they call 34 00:01:33.159 --> 00:01:34.680 user centric systems. 35 00:01:34.879 --> 00:01:38.400 User centric so focus more on us, the users, rather 36 00:01:38.439 --> 00:01:39.120 than just the companies. 37 00:01:39.280 --> 00:01:42.280 Decisely, the thinking was, let's build systems that actually serve 38 00:01:42.319 --> 00:01:46.920 your interests. This led to using trusted third parties, identity 39 00:01:46.959 --> 00:01:49.040 providers or IDPs. 40 00:01:48.840 --> 00:01:51.879 Like using your Google or Facebook account to log into 41 00:01:51.879 --> 00:01:53.280 some other website exactly. 42 00:01:53.319 --> 00:01:57.159 That. That's federation in action, a single sign on hopefully 43 00:01:57.159 --> 00:01:58.480 making things easier. 44 00:01:58.159 --> 00:02:01.120 Definitely an improvement on having dozens of separate logins. 45 00:02:01.280 --> 00:02:03.640 It was a big conceptual shift, and around that time 46 00:02:03.680 --> 00:02:07.079 you had people like Kim Cameron developing his Seven Laws 47 00:02:07.079 --> 00:02:07.760 of Identity. 48 00:02:08.080 --> 00:02:12.439 Ah. Yes, the book mentions those laws as being really influential, 49 00:02:12.680 --> 00:02:14.960 still relevant today, it seems very much. So. 50 00:02:15.560 --> 00:02:20.800 They provided a kind of framework principles for building identity 51 00:02:20.840 --> 00:02:24.800 systems that put the individual first, you know, user control, consent. 52 00:02:24.599 --> 00:02:27.520 Foundational stuff, right, which I guess leads us to the 53 00:02:27.599 --> 00:02:32.000 third era, the latest evolution, decentralized digital identity. Right. This 54 00:02:32.080 --> 00:02:35.280 is presented as the sort of next frontier in giving 55 00:02:35.280 --> 00:02:36.919 people more control exactly. 56 00:02:37.080 --> 00:02:40.840 Decentralization takes a step further aiming to reduce reliance on 57 00:02:40.879 --> 00:02:44.159 those central authorities, even the federated ones. Will unpack that 58 00:02:44.199 --> 00:02:44.599 more later. 59 00:02:44.719 --> 00:02:47.159 Okay, sounds good, but before we get into the how 60 00:02:47.319 --> 00:02:49.680 of all this, let's nail down the why. Why is 61 00:02:49.759 --> 00:02:51.280 digital identity such a big deal? 62 00:02:51.400 --> 00:02:54.520 Well, the book puts it very directly. It says digital 63 00:02:54.560 --> 00:02:57.439 identity is at the heart of every online service. 64 00:02:57.039 --> 00:02:59.080 And interaction, at the heart of everything, and. 65 00:02:59.080 --> 00:03:01.439 Why that position makes it one of the most important 66 00:03:01.439 --> 00:03:04.120 technologies you can work on. Just think about it. Everything 67 00:03:04.159 --> 00:03:08.680 you do online, sending an email, banking, social media, it 68 00:03:08.719 --> 00:03:12.159 all relies on some form of digital identity working correctly. 69 00:03:12.479 --> 00:03:15.400 It's almost invisible infrastructure, isn't it. Yeah, because it underpins 70 00:03:15.639 --> 00:03:16.400 well everything. 71 00:03:16.560 --> 00:03:19.960 It really is the bedrock understanding. It helps you navigate 72 00:03:20.000 --> 00:03:21.800 the whole digital world more effectively. 73 00:03:22.039 --> 00:03:24.319 So this brings up a really fundamental question. The book 74 00:03:24.360 --> 00:03:29.919 tackles what actually is identity because like we immediately think 75 00:03:29.960 --> 00:03:33.479 of logins or maybe passports, birth certificates. 76 00:03:32.919 --> 00:03:36.240 Right, the credentials. But the book pushes back on that 77 00:03:36.280 --> 00:03:38.840 a bit. It quotes descartes, you know, I think, therefore 78 00:03:38.879 --> 00:03:41.120 I am, and points out he didn't say I have 79 00:03:41.159 --> 00:03:42.840 a birth certificate therefore I am. 80 00:03:43.039 --> 00:03:46.000 Ah. Good point. So identity is more than just the 81 00:03:46.039 --> 00:03:47.960 paperwork or the password, much more. 82 00:03:48.280 --> 00:03:51.319 It's also about relationships, your own internal sense of self. 83 00:03:51.759 --> 00:03:55.639 There's this dual nature how others see and define you 84 00:03:55.800 --> 00:03:57.280 and how you understand yourself. 85 00:03:57.360 --> 00:03:59.759 Okay, that makes sense, internal and external aspects. 86 00:04:00.080 --> 00:04:03.639 To make it less abstract, the book uses some everyday examples, 87 00:04:03.719 --> 00:04:05.520 like a movie ticket. 88 00:04:05.599 --> 00:04:07.639 A movie ticket, how's that identity? 89 00:04:07.680 --> 00:04:10.960 Well, it identifies you as someone who has the right 90 00:04:11.080 --> 00:04:13.879 to be in that specific seat for that specific showing. 91 00:04:14.360 --> 00:04:16.319 It grants you access in that context. 92 00:04:16.600 --> 00:04:20.240 Ah. Okay. It's a temporary identifier for a specific purpose. 93 00:04:20.800 --> 00:04:21.199 Got it? 94 00:04:21.360 --> 00:04:24.920 Or an invoice? It identifies a payment request, who it's from, 95 00:04:25.040 --> 00:04:28.920 what it's for. It's identity working within a business, transaction 96 00:04:29.160 --> 00:04:30.040 or relationship. 97 00:04:30.360 --> 00:04:33.360 So identity isn't just about identifying a person. It can 98 00:04:33.399 --> 00:04:38.160 be about roles, permissions, even things within the system exactly. 99 00:04:38.319 --> 00:04:41.600 And look at a car's identity record, the vin the title. 100 00:04:42.000 --> 00:04:45.040 It's a whole system designed to manage the identity of 101 00:04:45.040 --> 00:04:48.879 that car for specific purposes like taxing it, regulating it, 102 00:04:49.079 --> 00:04:50.199 knowing who owns it. 103 00:04:50.199 --> 00:04:51.560 It's an identity system for the. 104 00:04:51.519 --> 00:04:55.279 Car, precisely, which leads to a really crucial distinction. The 105 00:04:55.319 --> 00:04:58.800 book emphasizes we often throw around the word identity when 106 00:04:58.839 --> 00:05:01.399 we actually mean something like an account or an identity 107 00:05:01.399 --> 00:05:02.759 record or just an identifier. 108 00:05:02.800 --> 00:05:04.600 Okay, wait, break that down. What's the core difference. 109 00:05:04.600 --> 00:05:07.639 Well, your Amazon account isn't your identity. Your identity who 110 00:05:07.680 --> 00:05:10.920 you are is way more complex, more nuanced than what 111 00:05:11.000 --> 00:05:13.199 fits in a database record or even a bunch of them. 112 00:05:13.279 --> 00:05:16.800 Right, it's just one facet one representation online exactly. 113 00:05:16.879 --> 00:05:20.560 So while we have these identity systems and records and accounts, 114 00:05:21.600 --> 00:05:23.800 there isn't really such a thing as an identity in 115 00:05:23.800 --> 00:05:26.920 that singular, concrete way. It's more of an abstract concept, 116 00:05:27.199 --> 00:05:28.319 constantly evolving. 117 00:05:28.519 --> 00:05:32.480 That's a really important point. These online profiles are just snapshots, 118 00:05:33.160 --> 00:05:33.920 limited views. 119 00:05:34.399 --> 00:05:37.319 Well put, okay, so now maybe let's get into the 120 00:05:37.360 --> 00:05:41.319 basic mechanics, how these systems actually you know, function. 121 00:05:41.240 --> 00:05:43.120 Yeah, the nuts and bolts lay it out for us. 122 00:05:43.199 --> 00:05:45.199 Okay. So at a high level, when you try to 123 00:05:45.240 --> 00:05:48.959 access something online, two key components are often involved in 124 00:05:49.360 --> 00:05:52.759 checking who you are, that's authentication and deciding what you 125 00:05:52.800 --> 00:05:55.160 can do authorization. They're called the PEP and the. 126 00:05:55.040 --> 00:05:59.319 PDP PPM, PDP policy enforcement point and policy decision points. 127 00:05:59.360 --> 00:06:02.639 You got it. Pp is like the bouncer at the door. 128 00:06:02.680 --> 00:06:05.480 It intercepts your request right then it checks with the PDP, 129 00:06:05.560 --> 00:06:07.279 which is like the manager in the back office who 130 00:06:07.279 --> 00:06:10.000 has the rules. The PDP decides if you get. 131 00:06:09.800 --> 00:06:14.199 In, So PDP enforces. PDP decides simple enough, and the. 132 00:06:14.160 --> 00:06:17.800 PDP makes that decision based on policies and information stored 133 00:06:17.839 --> 00:06:20.759 in what's called an account store. This store connects your 134 00:06:20.879 --> 00:06:24.879 identify er, say your username, with various bits of information 135 00:06:24.959 --> 00:06:29.079 about you. These are often called attributes or claims, statements 136 00:06:29.079 --> 00:06:29.879 about you, like. 137 00:06:29.959 --> 00:06:34.120 Your name, your email, maybe your role in an organization exactly. 138 00:06:34.399 --> 00:06:37.399 And based on those claims and the rules, the PDP 139 00:06:37.600 --> 00:06:40.959 determines your entitlements, what resources you can access, and your 140 00:06:40.959 --> 00:06:43.360 permissions what specific actions you can take. 141 00:06:43.680 --> 00:06:46.920 Entitlements and permissions got it. Can you give us a 142 00:06:46.920 --> 00:06:48.720 really simple real world analogy. 143 00:06:48.839 --> 00:06:52.399 Sure. Think about buying, say a lottery ticket where you 144 00:06:52.439 --> 00:06:54.759 have to be over eighteen. You're the subject wanted to 145 00:06:54.759 --> 00:06:56.120 perform an action by the ticket. 146 00:06:56.240 --> 00:06:56.519 Okay. 147 00:06:56.600 --> 00:06:59.319 The shop assistant is the PEP. They enforce the rule. 148 00:06:59.360 --> 00:07:01.800 They ask for your that's your credential. 149 00:07:01.439 --> 00:07:02.839 Right, my driver's license maybe? 150 00:07:02.959 --> 00:07:06.000 Yeah, and that license contends acclaim your date of birth. 151 00:07:06.319 --> 00:07:10.240 The assistant checks the ID, authenticates it, and then based 152 00:07:10.279 --> 00:07:12.600 on the law and store policy that's the PDP's role, 153 00:07:12.639 --> 00:07:14.040 they authorize or deny the sale. 154 00:07:14.120 --> 00:07:17.600 Ah, Okay, that clicks ID is the credential assistant is 155 00:07:17.600 --> 00:07:20.680 the PEP. The age law is the PDP's policy. The 156 00:07:20.759 --> 00:07:22.399 info on the ID or the attributes. 157 00:07:22.720 --> 00:07:27.319 You've got it. Simple example. But the basic principles apply online. 158 00:07:27.600 --> 00:07:31.600 Now. Something that drives everyone crazy online is how things 159 00:07:31.639 --> 00:07:36.439 don't talk to each other. Interoperability or the lack of it. 160 00:07:36.519 --> 00:07:39.079 Oh, it's a huge pain point. I mean, in the 161 00:07:39.079 --> 00:07:42.639 physical world, we mostly interact seamlessly. Right, you don't worry 162 00:07:42.680 --> 00:07:45.199 if your cash works in this shop versus that shop. Yeah, 163 00:07:45.279 --> 00:07:49.959 it works, But online it's so fragmented. Okay. Email is 164 00:07:50.000 --> 00:07:52.920 mostly interoperable because of shared standards like SMTP. 165 00:07:53.160 --> 00:07:54.680 Thank goodness for that, right. 166 00:07:55.040 --> 00:07:59.560 But think about messaging apps WhatsApp, Signal, I Message, Telegram. 167 00:07:59.800 --> 00:08:01.319 You need all of them because they don't talk to 168 00:08:01.319 --> 00:08:01.639 each other. 169 00:08:01.680 --> 00:08:05.319 Oh, tell me about it, different contact lists, different identities. 170 00:08:04.720 --> 00:08:08.319 Everywhere exactly, and that burden on you, the user, managing 171 00:08:08.360 --> 00:08:11.399 all these separate silos really highlights why we need a 172 00:08:11.439 --> 00:08:14.560 better approach, which brings us to this idea of an 173 00:08:14.600 --> 00:08:15.879 identity meta. 174 00:08:15.720 --> 00:08:19.480 System metasystem y sounds big. What's the core idea there? 175 00:08:19.720 --> 00:08:21.800 Think of it as a sort of foundational layer, a 176 00:08:21.879 --> 00:08:25.079 system on top of which other different identity systems can 177 00:08:25.079 --> 00:08:28.480 be built and interact. The main goals are well, user choice, 178 00:08:28.639 --> 00:08:33.200 better privacy across the board, and pushing towards decentralization. It's 179 00:08:33.240 --> 00:08:37.000 about creating a flexible base layer that gives individuals. 180 00:08:36.440 --> 00:08:41.080 More control, well, a universal adapter almost helping different identity 181 00:08:41.120 --> 00:08:44.759 systems communicate, but in a way that respects privacy and 182 00:08:44.879 --> 00:08:45.559 user control. 183 00:08:45.759 --> 00:08:48.159 That's a pretty good way to think about it. Yeah, 184 00:08:48.200 --> 00:08:51.200 and those seven Laws of Identity from Kim Cameron we mentioned, 185 00:08:51.320 --> 00:08:54.399 they're basically the design principles for this kind of meta. 186 00:08:54.279 --> 00:08:58.200 System, emphasizing things like user consent, sharing minimal. 187 00:08:57.840 --> 00:09:02.320 Data exactly, minimal disclosure, justifiable parties only sharing data when 188 00:09:02.320 --> 00:09:03.360 there's a legitimate need. 189 00:09:03.480 --> 00:09:06.919 It sounds fantastic, the solution all our problems. So why 190 00:09:07.000 --> 00:09:09.600 don't we have one? Why hasn't this universal meta system 191 00:09:09.799 --> 00:09:10.440 just emerged? 192 00:09:10.519 --> 00:09:13.440 Well, the book suggests it's tough because existing systems were 193 00:09:13.440 --> 00:09:16.799 built for very specific needs, often administrative ones by the 194 00:09:16.799 --> 00:09:17.759 companies running them. 195 00:09:18.000 --> 00:09:21.759 Right, they weren't designed with this universal interoperability in mind 196 00:09:21.759 --> 00:09:22.519 from the start. 197 00:09:22.960 --> 00:09:25.679 Exactly. They have their own structures, their own goals. It's 198 00:09:25.679 --> 00:09:28.679 hard to just morph them into this overarching meta system. 199 00:09:28.960 --> 00:09:31.639 But the concept of a meta system is still really valuable. 200 00:09:31.960 --> 00:09:34.440 It gives us a target, helps us see the limits 201 00:09:34.480 --> 00:09:35.600 of siloed approaches. 202 00:09:35.919 --> 00:09:40.320 Okay, now let's pivot to something huge, privacy. How does 203 00:09:40.360 --> 00:09:44.000 all this identity stuff connect with privacy concerns? 204 00:09:44.200 --> 00:09:47.679 Oh, they're deeply connected. The book really hammers home the 205 00:09:47.720 --> 00:09:51.000 importance of minimal disclosure and justifiable parties. 206 00:09:51.279 --> 00:09:54.600 Minimal disclosures share only what's absolutely necessary. 207 00:09:54.200 --> 00:09:56.919 Right, and justifiable parties only share it with those who 208 00:09:57.000 --> 00:09:59.679 have a real reason to know it. The core idea 209 00:09:59.799 --> 00:10:02.759 is stopping the unnecessary spread of your personal information. 210 00:10:03.159 --> 00:10:06.240 Sounds like basic common sense, but online it feels like 211 00:10:06.279 --> 00:10:09.679 the opposite often happens. Data gets sprayed everywhere it does. 212 00:10:09.840 --> 00:10:12.679 The book use is a simple example. Planning a party 213 00:10:12.679 --> 00:10:14.399 for Bob, you need to know if he's old enough 214 00:10:14.399 --> 00:10:17.440 to drink. Minimal disclosure is asking his age, not his 215 00:10:17.519 --> 00:10:21.320 exact date of birth. Okay, Justifiable parties means asking Bob 216 00:10:21.559 --> 00:10:24.240 or maybe someone who legitimately knows, not shouting the question 217 00:10:24.279 --> 00:10:27.440 across the room. These same principles should apply online. 218 00:10:27.679 --> 00:10:29.919 Systems should be built to ask for the minimum and 219 00:10:29.960 --> 00:10:31.200 only share with those who need it. 220 00:10:31.440 --> 00:10:36.000 Ideally, yes, and the type of identifier matters too. Public 221 00:10:36.080 --> 00:10:38.759 identifiers like say your phone number or maybe even your 222 00:10:38.759 --> 00:10:42.120 social Security number in some context, can link your activities 223 00:10:42.200 --> 00:10:46.080 across different places. That's a bigger privacy risk, ah. 224 00:10:45.720 --> 00:10:48.159 Because if lots of services have my phone number, they 225 00:10:48.159 --> 00:10:51.240 can potentially piece together a bigger picture of me exactly. 226 00:10:52.039 --> 00:10:55.559 Pure identifiers, which are often used in more decentralized systems, 227 00:10:55.840 --> 00:10:59.200 are designed to avoid that kind of broad correlation. Interesting 228 00:10:59.320 --> 00:11:01.519 and think about every time a website asks for your 229 00:11:01.559 --> 00:11:06.799 profile info, your address, your payment details, You're transferring attributes 230 00:11:06.919 --> 00:11:08.360 pieces of your identity data. 231 00:11:08.519 --> 00:11:10.320 Yeah, filling out the same forms over. 232 00:11:10.200 --> 00:11:13.240 And over, and the inconsistency in how sites handle that 233 00:11:13.360 --> 00:11:16.559 data is a massive source of frustration and potential risk. 234 00:11:17.279 --> 00:11:21.200 Federated systems like logging in with Google offer convenience but 235 00:11:21.320 --> 00:11:23.879 still mean that provider sees where you're logging in, right. 236 00:11:23.799 --> 00:11:26.080 Google knows I just signed into that other service. 237 00:11:26.320 --> 00:11:30.440 Whereas self Sovereign Identity or SSI, which we'll get to properly, 238 00:11:30.919 --> 00:11:35.080 aims for more direct peer to peer relationships. You control 239 00:11:35.120 --> 00:11:39.399 the data much more directly without needing that intermediary. 240 00:11:39.120 --> 00:11:42.679 SSI again feels like a really central concept for this 241 00:11:42.759 --> 00:11:43.840 decentralized future. 242 00:11:44.000 --> 00:11:47.240 It absolutely is. It's about shifting that power dynamic. But 243 00:11:47.600 --> 00:11:51.039 and this is crucial, there's often this trade off about 244 00:11:51.639 --> 00:11:53.200 convenience versus privacy. 245 00:11:53.240 --> 00:11:55.480 The easier it is often the more data we give up. 246 00:11:55.559 --> 00:11:58.919 Often, yeah, many services are designed for maximum convenience, which 247 00:11:58.960 --> 00:12:02.320 can mean collecting more data than strictly needed. And let's 248 00:12:02.360 --> 00:12:04.480 be honest, As the book points out, there are strong 249 00:12:04.519 --> 00:12:06.759 financial incentives driving that data collection. 250 00:12:07.039 --> 00:12:10.600 Surveillance is profitable, right, better service is the promise, but 251 00:12:10.759 --> 00:12:12.759 monetization is often the real engine. 252 00:12:12.759 --> 00:12:16.120 Sadly, yes, okay, quick detour. The book also talks about 253 00:12:16.120 --> 00:12:19.159 the life cycle of a digital relationship. 254 00:12:18.679 --> 00:12:21.519 A relationship life cycle, even for just buying something online. 255 00:12:21.600 --> 00:12:26.679 Absolutely, the stages are discovery finding the thing or person, Creation, 256 00:12:27.360 --> 00:12:31.639 initiating the interaction like placing an order, propagation the info 257 00:12:31.759 --> 00:12:34.960 moving through systems you actually using the service or product, 258 00:12:35.279 --> 00:12:38.240 and termination, ending the immediate interaction. 259 00:12:38.399 --> 00:12:42.440 Huh. Discovery, creation, propagation, use, termination. 260 00:12:42.840 --> 00:12:45.679 Even a super brief interaction like a one time purchase 261 00:12:46.000 --> 00:12:49.919 technically goes through these phases. Understanding this helps design systems 262 00:12:49.919 --> 00:12:51.440 that handle the whole flow smoothly. 263 00:12:51.679 --> 00:12:54.200 That's actually a neat way to frame it. Even quick 264 00:12:54.240 --> 00:12:55.360 online stuff has. 265 00:12:55.200 --> 00:12:58.120 Structure, it does, and thinking about that life cycle helps 266 00:12:58.159 --> 00:13:01.399 build systems that serve everyone in no matter how long 267 00:13:01.440 --> 00:13:02.480 the relationship lasts. 268 00:13:02.519 --> 00:13:05.360 Okay, let's tackle some slightly more abstract ideas. The book 269 00:13:05.360 --> 00:13:09.960 brings up trust, confidence, and coherence. How do they fit 270 00:13:10.000 --> 00:13:10.840 In trust? 271 00:13:11.440 --> 00:13:14.159 The book calls it the bedrock not just of relationships, 272 00:13:14.200 --> 00:13:18.039 but maybe even society itself. It defines it as basically 273 00:13:18.200 --> 00:13:21.159 being willing to rely on someone or something knowing there's 274 00:13:21.159 --> 00:13:22.519 some vulnerability involved. 275 00:13:22.559 --> 00:13:25.559 So trusting means accepting a bit of risk, believing the 276 00:13:25.600 --> 00:13:28.000 other party will act as expected. 277 00:13:27.840 --> 00:13:30.720 Exactly and the credit card system is a fantastic example. 278 00:13:31.039 --> 00:13:33.200 When you use your card, you might only interact with 279 00:13:33.200 --> 00:13:37.159 the shop assistant briefly, but that interaction works because of 280 00:13:37.200 --> 00:13:41.639 a whole web of pre existing trust relationships. You trust 281 00:13:41.679 --> 00:13:45.399 your bank, The bank trusts Visa or MasterCard, they trust 282 00:13:45.399 --> 00:13:50.639 the merchants bank, and so on. There are rules, technology processes, 283 00:13:50.720 --> 00:13:52.320 all designed to build confidence. 284 00:13:52.480 --> 00:13:55.600 It's an entire ecosystem built on layers of trust and 285 00:13:55.639 --> 00:13:56.639 agreed upon rules. 286 00:13:56.720 --> 00:14:01.000 Precisely now, coherence is about a group having a shared 287 00:14:01.080 --> 00:14:05.320 understanding being able to work together effectively. Trust and confidence 288 00:14:05.360 --> 00:14:07.159 are what make that coherence possible. 289 00:14:07.279 --> 00:14:10.120 Okay, and identity systems help create this coherence. 290 00:14:10.200 --> 00:14:12.759 They do, but in different ways. The book mentions four 291 00:14:12.799 --> 00:14:18.480 ways societies build coherence tribes, institutions, markets, and networks. Many 292 00:14:18.639 --> 00:14:21.720 current identity systems are based on institutions. Think your work 293 00:14:21.759 --> 00:14:24.600 log in controlled by your employer, or your social media 294 00:14:24.639 --> 00:14:26.480 account controlled by the platform. 295 00:14:26.639 --> 00:14:31.039 The institution sets the rules, yeah, manages the identity. Yeah. 296 00:14:31.159 --> 00:14:35.879 Decentralized networked identity systems, though, aim to create coherence through 297 00:14:35.919 --> 00:14:39.960 shared protocols agreed upon technical rules that let independent parties 298 00:14:40.000 --> 00:14:44.679 interact reliably without needing a central institution. Dictating everything. 299 00:14:45.039 --> 00:14:49.639 So institutional systems rely on authority. Networked systems rely on 300 00:14:49.679 --> 00:14:50.840 the shared tech rules. 301 00:14:50.919 --> 00:14:54.360 That's good summary, and ultimately the value of any digital 302 00:14:54.399 --> 00:14:58.120 relationship hinges on establishing enough trust and confidence for it 303 00:14:58.159 --> 00:14:58.559 to work. 304 00:14:59.080 --> 00:15:02.879 We talked about venience versus privacy. What about the trade 305 00:15:02.879 --> 00:15:08.639 off between privacy and authenticity? Knowing someone is who they 306 00:15:08.639 --> 00:15:09.159 say they are. 307 00:15:09.360 --> 00:15:12.639 Yeah, that's another critical balancing act. Sometimes proving authenticity with 308 00:15:12.639 --> 00:15:15.440 a high degree of certainty might mean revealing more information 309 00:15:15.600 --> 00:15:17.440 which could impact privacy, like. 310 00:15:17.440 --> 00:15:20.200 Needing a government ID check versus just proving your over 311 00:15:20.240 --> 00:15:21.320 eighteen Exactly. 312 00:15:21.399 --> 00:15:25.080 The book circles back to justifiable parties. Should this specific 313 00:15:25.200 --> 00:15:28.639 entity really need this level of proof, this much information 314 00:15:28.799 --> 00:15:32.440 for this interaction? Is the higher certainty worth the privacy cost. 315 00:15:32.639 --> 00:15:35.519 It's finding that sweet spot, knowing enough for the interaction, 316 00:15:35.600 --> 00:15:37.320 but not necessarily everything right. 317 00:15:37.639 --> 00:15:42.960 Too often, system's default to wanting maximum authentication, creating these permanent, 318 00:15:43.039 --> 00:15:47.279 strongly identified links when maybe a more temporary, pseudonymous or 319 00:15:47.320 --> 00:15:49.600 even anonymous interaction would have been. 320 00:15:49.519 --> 00:15:52.440 Fine, Which is where things like privacy by design come in, 321 00:15:52.519 --> 00:15:54.519 building it in from the start exactly. 322 00:15:54.639 --> 00:15:59.039 Privacy by design privacy as the default setting thinking about 323 00:15:59.080 --> 00:16:02.919 these trade offs during design. Not tacking privacy on as 324 00:16:02.919 --> 00:16:06.639 an afterthought makes sense, and transparency is key to being 325 00:16:06.679 --> 00:16:09.919 really clear and honest with users. What data are we collecting, 326 00:16:10.000 --> 00:16:11.600 Why do we need it? Who sees it? 327 00:16:11.799 --> 00:16:16.000 That builds trust, honesty and specificity, And things like GDPR 328 00:16:16.039 --> 00:16:19.240 are pushing in this direction right User control, minimal data. 329 00:16:19.320 --> 00:16:23.360 Absolutely, GDPR is a major force globally reinforcing these principles 330 00:16:23.360 --> 00:16:26.759 of user control, minimal disclosure, and justifiable parties. 331 00:16:26.879 --> 00:16:29.840 Okay, this leads us neatly into the rise of what 332 00:16:29.879 --> 00:16:33.480 Shoshana Zubov called surveillance capitalism. In the Web two point. 333 00:16:33.320 --> 00:16:36.320 Zero era, Zubov asks that big question, can the digital 334 00:16:36.360 --> 00:16:39.360 future be our home? The book argues that many current 335 00:16:39.360 --> 00:16:42.279 systems are fundamentally administrative. 336 00:16:41.799 --> 00:16:44.320 Meaning they serve the company's goals first and. 337 00:16:44.240 --> 00:16:48.080 Foremost, pretty much, they're designed to manage us, the users, 338 00:16:48.159 --> 00:16:50.960 often treating us as data sources for their business models 339 00:16:51.320 --> 00:16:54.799 rather than primarily serving our needs for connection or expression. 340 00:16:55.399 --> 00:16:57.279 There is an inherent power imbalance. 341 00:16:57.440 --> 00:17:00.000 We become the product essentially our attention. 342 00:16:59.720 --> 00:17:03.320 Our that's the critique. Yes, yeah, but the potential of 343 00:17:03.360 --> 00:17:06.519 a more decentralized internet Web three, as some call It 344 00:17:06.839 --> 00:17:10.400 offers a different vision, a chance for more authentic digital 345 00:17:10.440 --> 00:17:13.039 lives that aren't constantly under surveillance, and. 346 00:17:12.960 --> 00:17:15.039 The solution ties back to those core principles. 347 00:17:15.119 --> 00:17:21.680 Yes, user consent, minimal disclosure, justifiable parties, directed identity principles 348 00:17:21.680 --> 00:17:24.920 from the laws of identity. Applying these in a decentralized 349 00:17:25.000 --> 00:17:27.839 architecture could help fix many of the privacy problems of 350 00:17:27.880 --> 00:17:28.920 Web two point zero. 351 00:17:29.000 --> 00:17:32.960 So decentralization isn't just a technical shift, it's potentially a 352 00:17:33.000 --> 00:17:35.319 shift towards more autonomy and privacy. 353 00:17:35.440 --> 00:17:38.319 That's the promise, definitely. Okay, shall we switch gears a 354 00:17:38.319 --> 00:17:40.160 bit and talk about the underlying tech. 355 00:17:40.559 --> 00:17:43.559 Cryptography, Yeah, let's get into the magic behind the curtain. 356 00:17:44.000 --> 00:17:45.319 Public key cryptography is. 357 00:17:45.240 --> 00:17:48.640 Central, right, absolutely fundamental, the whole idea of having a 358 00:17:48.640 --> 00:17:51.599 private key you keep secret and a public key you 359 00:17:51.640 --> 00:17:55.480 can share. This allows for things like digital signatures. You 360 00:17:55.519 --> 00:17:58.000 can sign something with your private key and anyone with 361 00:17:58.039 --> 00:18:00.640 your public key can verify that you find it and 362 00:18:00.640 --> 00:18:04.000 that it hasn't been tampered with. It establishes trust without 363 00:18:04.079 --> 00:18:05.480 needing a middleman, like. 364 00:18:05.440 --> 00:18:08.119 A super secure, unforgeable digital seal. 365 00:18:08.279 --> 00:18:11.319 Pretty much now, it can be a bit slow for 366 00:18:11.480 --> 00:18:14.359 encrypting large amounts of data, so often you use it 367 00:18:14.400 --> 00:18:17.559 in a hybrid way. Use public key crypto to securely 368 00:18:17.599 --> 00:18:21.240 exchange a secret, one time key okay, and then use 369 00:18:21.279 --> 00:18:25.559 that faster secret key symmetric encryption to encrypt the actual 370 00:18:25.599 --> 00:18:26.680 message or data. 371 00:18:26.960 --> 00:18:30.119 Ah. Best of both worlds. Strong security for the key 372 00:18:30.119 --> 00:18:32.480 exchange speed for the bulk data. 373 00:18:32.519 --> 00:18:36.000 Exactly. Now, building on public keys, we have digital certificates. 374 00:18:36.039 --> 00:18:37.880 These are the things that make the padlock appear in 375 00:18:37.920 --> 00:18:39.039 my browser often. 376 00:18:39.160 --> 00:18:42.839 Yes, A certificate basically bundles your identity information like a 377 00:18:42.880 --> 00:18:46.319 website's domain name, together with its public key. And crucially, 378 00:18:46.680 --> 00:18:49.480 this bundle is digitally signed by a trusted third party, 379 00:18:49.680 --> 00:18:52.359 a certificate authority or CAA, so the. 380 00:18:52.240 --> 00:18:55.400 CAA is vouching saying yes, we checked this public key 381 00:18:55.519 --> 00:18:57.119 really belongs to this entity. 382 00:18:57.359 --> 00:18:59.880 That's the idea. It builds a chain of trust, but 383 00:19:00.160 --> 00:19:03.200 it's not fool proof. Certificates can be compromised, so they 384 00:19:03.240 --> 00:19:04.119 need to be revoked. 385 00:19:04.359 --> 00:19:05.240 How do you check for that? 386 00:19:05.359 --> 00:19:09.240 There are mechanisms like Certificate Revocation Lists CRLs and the 387 00:19:09.319 --> 00:19:14.799 Online Certificate Status Protocol OCSP. Browsers are supposed to check these, 388 00:19:15.440 --> 00:19:17.519 but support can be patchy. 389 00:19:17.680 --> 00:19:21.240 So that padlock isn't always a one hundred percent guarantee 390 00:19:21.240 --> 00:19:23.119 that everything's perfectly secure right now. 391 00:19:23.200 --> 00:19:26.920 Unfortunately. Now it's a good indicator, but revocation checking is complex. 392 00:19:27.400 --> 00:19:32.960 Now shifting to something really cool, zero knowledge proofs zkps. 393 00:19:33.079 --> 00:19:37.279 Zero knowledge proving something without revealing the information itself sounds 394 00:19:37.279 --> 00:19:38.119 like actual magic. 395 00:19:38.319 --> 00:19:40.279 It kind of feels like it. The core idea is 396 00:19:40.319 --> 00:19:42.839 exactly that prove you know a secret or that a 397 00:19:42.880 --> 00:19:45.759 state can is true without revealing the secret or the 398 00:19:45.839 --> 00:19:46.680 underlying data. 399 00:19:46.880 --> 00:19:48.079 How on earth does that work? 400 00:19:48.200 --> 00:19:51.680 The classic analogy is Ali Baba's cave. Alice wants to 401 00:19:51.680 --> 00:19:53.839