
Data Con LA 2022 - Pre-recorded - Web3 and Decentralized Identity


Harrison Tang, CEO at Spokeo
Emerging Tech
Digital identity is who you are in the digital world, and you should be able to control your own identity. In a world where Big Tech controls data on millions of its users, how do we claim our digital identities? Self-sovereign identity gives people the control over their identities by empowering them as intermediaries of identity-related transactions. People are the platform, not Big Tech or governments. Decentralized identity leverages technologies like blockchain and token-based economy to ensure that the identity infrastructure is not controlled by a few companies. Despite the decentralized infrastructure, federated identity enables identity information to be easily aggregated, processed, and available to use for good. Personalized identity individualizes the sharing of identity information (e.g. selective disclosure) based on different people's needs and sharing contexts. Secure identity makes sure that the access to identity information will be more secure, authenticated, and accountable. And lastly, intelligent identity helps streamline identity management.



  1. Identity in Web3
  2. About (CONFIDENTIAL)
     About Harrison, @theCEODad
     • CEO & Co-Founder of Spokeo
     • Co-Chair of W3C Credentials Community Group
     • Dad of 3 sons
     About Spokeo
     • Spokeo is a people intelligence service that helps over 15M users a month to search and connect with others
     • We are the only Data + UX company in our space, organizing over 16 billion records into 600M entities
     • We generate about $90M/year and have been profitable without VC funding since 2008
  3. What Is Identity? Identity is the accessible data about an entity
  4. What is Identity?
     Identity is accessible data or characteristics that define a distinct entity. It answers who we are.
     • People Data: Include name, contact info, personality, behaviors, demo, credit, reputation, … Data sources could be first-party, second-party, or third-party
     • Entity Being: Entity is a thing with distinct and independent existence. The constituent parts could change over time but remain connected
     • Access Control: Make sure that the right people can access the right data or resources. Include authentication, authorization, and audit processes
  5. Identity Use Cases
     Identity today is the How to the What, or a means to an end. It's the much-needed fabric of the Web that empowers:
     • People Search: Connect and verify people with trust
     • Genealogy: Research ancestors and heritage
     • Fraud Prevention: Identify and prevent fraud
     • Financial Crime Compliance: KYC, AML, … etc
     • Credit and Payments: Facilitate financial transactions
     • Authentication: Secure account access
     • ID Protection: Secure digital identities
     • B2B Marketing: Find sales leads and customers
     • Marketing Analytics: Optimize ad spend and reach
  6. Identity Markets in the US
     Identity market is huge and generates more than $70B/year in the US alone (a non-exhaustive list of segments below):
     • B2C People Search: ~$500M
     • B2C ID Protection and Password Managers: ~$5B
     • B2C Genealogy: ~$1.5B
     • B2B Identity Verification & Fraud Prevention: ~$20B
     • B2B Authentication & KYC: ~$10B
     • B2B Identity & Access Management: ~$5B
     • B2B Credit Bureau: ~$15B
     • B2B FCRA Employment Screening: ~$2B
     • B2B Marketing Tech: ~$75B
  7. What is Identity in Web3? Identity in Web3 is the Decentralized Identity
  8. What is Web3?
     Web3 is the decentralized web that heralds the concept of digital ownership.
     • Decentralization: The distribution of control or power to multiple entities rather than a single one
     • Digital Ownership: The state or fact of legal possession and control over digital, intangible properties in the metaverse
     • Tokenomics: The economics and factors around how to value and price a token or cryptocurrency
     If Web1 is Read and Web2 is Read & Write, then Web3 is Read & Write & Own
  9. Decentralized Identity
     The problem of decentralized identity can be broken down to decentralized entity, decentralized data aggregation, and decentralized data access.
     • Centralized
       - Entity: SSN, Passport #, Twitter Handle, Facebook ID, URL, Vendor IDs
       - Data: Big Tech, Government, Credit Bureaus, Data Aggregators
       - Access: Social Login, Federated ID, Big Tech, Govern.
     • Decentralized
       - Entity: Decentralized Identifier, Soulbound NFT, Entity Resolution, HD Keys
       - Data: Verifiable Credentials, Personal Data Store, IPFS, De. Reputation
       - Access: Self-Sovereign Identity, Self-Issued OpenID Provider
  10. Why Decentralized Identity?
      Decentralized identity will overtake (but not kill) the current centralized identity paradigm because:
      • Data Regulations: CCPA, CPRA, and GDPR have created data rights. FCRA, HIPAA, and other laws require user consent. eIDAS in Europe requires SSI
      • Data Quality: Multi-party (1st + 2nd + 3rd-party) data validation and the incorporation of UGC ensure better data quality than single-party approaches
      • Network Effect: Identity as a multi-sided platform enables virality and network effect
      • Web3 Movement: New gen's distrust for big tech will lead to decentralization and the next ebb/flow in Social Cycle Theory
  11. Self-Sovereign Identity: SSI empowers users control of their identities
  12. Identity Access Model
      Identity can be modeled as a multi-sided network with 3 IAM (Identity and Access Management) roles:
      • Searcher & Verifier: User or business who wants access to Data Subject's identity for ID verification, authentication, investigation, … purposes
      • Data Subject & Holder: User or business whose identity is being accessed. Ex: User who wants access to a service, person being investigated, …
      • Issuer & Data Source: User or business who creates identity info about the data subject. Ex: DMV (driver license), Uber (driver profile), users (user ratings), …
      • The same person can wear one or multiple roles
      [Diagram: Identity's Role-Based Access Control Model, with Data Subject, Searcher, and Issuer]
  13. Current ID Access Model: 1. Anonymous Search
      The power over ID transactions lies outside of Data Subject's control:
      1. Anonymous Search: Data Subject is unaware of ID transaction
      2. ID Verification: Data Subject is unaware of how it works
      3. Social & Federated Login: ID Provider (ex: Google Login) intermediates ID transaction
      4. FCRA Employment Screening: Company intermediates between Data Subject and Data Sources
      [Diagram: Centralized Trust Model, with Holder / Data Subject, Verifier / Searcher, and Issuer / Source / ID Provider] Searcher requests info about Data Subject from Data Sources without Data Subject's knowledge. Data Subject is unaware of ID transaction
  14. Current ID Access Model: 2. ID Verification
      [Diagram: Centralized Trust Model] Verifier requests info about Data Subject from Data Sources without Data Subject's knowledge. Data Subject is unaware of how it works. Ex: ThreatMetrix, Ekata
  15. Current ID Access Model: 3. Social Login
      [Diagram: Centralized Trust Model] ID Provider (ex: Google Login) intermediates ID transaction.
      • Service Provider redirects User / Holder to Identity Provider (e.g. Google / Facebook Login) for authentication
      • User / Holder logs in and authenticates with Identity Provider. Identity Provider then issues authorization token
  16. Current ID Access Model: 4. FCRA Screening
      [Diagram: Centralized Trust Model] Company intermediates ID transaction.
      • Searcher (Company) requests info about Data Subject (Candidate) from Data Sources to perform the screen
      • Searcher (Company) requests the permission of Data Subject (Candidate) for employment screening
  17. Future SSI Model
      The power over ID transactions lies within User / Data Subject's control:
      • Self-Sovereign Control: Data Subject intermediates ID txn and controls what to share to whom
      • Ultimate Decentralization: If all ID txn are self-sovereign, tens of billions of Data Subjects gain full control over their identities
      • New Economy: The emergence of identity ownership will empower new economy / capitalism
      [Diagram: Self-Sovereign Identity, with Holder / Data Subject, Verifier / Searcher, and Issuer / Source / ID Provider] User / Data Subject intermediates ID transaction:
      (1) Searcher / Verifier requests Data Subject for their info
      (2) Data Subject requests Issuer(s) for their data
      (3) Issuer issues verified data about Data Subject to Data Subject
      (4) Data Subject sends verifiable data presentation about them back to Searcher / Verifier
  18. Notable Technologies: How to enable Decentralized Identity
  19. Verifiable Credentials
      Verifiable Credentials empower a decentralized triangle of trust via cryptographic proof.
      • Credential: A set of claims (attributes about Data Subject) made by an Issuer. Like "record" or "row"
      • Verifiable Credential: Credential that is digitally signed by Issuer and can be cryptographically verified
      • Cryptographic Proof: Issuer signs cred with its private key. Verifier verifies cred with Issuer's public key
      • Issuer vs. Holder Signatures: Holder/Presenter aggregates creds into a presentation and signs it
      • Transitive Trust: Verifier can trust a credential without interacting with the Issuer
      Decouple Data, Trust, Access
  20. Verifiable Presentation
      Presentation is an aggregate of one or more credentials that represents a persona or a facet of an identity.
      • Verifiable Presentation: A presentation doc digitally signed and attested by the Holder (e.g. Presenter)
      • Decentralized Aggregation: Localized data aggregation by Data Subject / User's identity wallet
      • Selective Disclosure: The ability of Holder to make fine-grained decisions about what information to share
      • Zero-Knowledge Proof: Prove that something is true without conveying any additional information
      • Privacy Recommender: Recommend what to share to whom, when, and where
  21. Decentralized Identifier
      Identifier is the name of an entity. Unique identifier uniquely identifies an entity and enables its existence.
      • Decentralized Identifiers (DIDs): A new unique identifier that doesn't require a centralized registration authority and is often generated cryptographically
      • Self-Sovereign Control: Enable Controller or Subject to prove control without requiring 3rd-party permission
      • Cryptographic Proof: Signer signs DID with its private key. Verifier verifies cred with Signer's public key
      • Distributed Ledger: "Blockchain" tech often used as verifiable data registries where the DIDs are recorded
      • DIDComm: Communication protocol built atop DIDs
  22. Entity Resolution
      Entity Resolution creates a digital identity by connecting records referring to the same entity across different sources.
      • Record Matching: Compare and decide whether two records refer to the same entity
      • Record Linking: Create and assign a unique identifier to records and connect them together
      • Horizontal Linking: Linking where all info required to generate an identifier is within a row or record. Ex: Phone IDs or Address IDs
      • Vertical Linking: Linking where info required to generate an identifier is not contained solely within its own row. Ex: Person IDs
  23. Authentication
      Authentication creates and/or proves the linkage between a physical identity and a digital identity.
      • Multi-Factor Authentication: Multiple evidences across different dimensions ensure higher security
      • Inherence Factors: Who you are. Ex: Facial biometrics, fingerprint, voice authentication, typing behaviors, …
      • Knowledge Factors: What you know. Ex: Password, secret phrase, Knowledge-Based Authentication, …
      • Possession Factors: What you have. Ex: SMS One-Time Passcode, Email Verification, Hardware Security Key, …
      • Location Factors: Where you are
      • Proxy Factors: Trust authn. done by 3rd parties
  24. Learn More: Follow me @theCEODad or @Tang_Toks. Follow @Spokeo, and check out Spokeo.com/Careers

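The signing flow from the Verifiable Credentials and Verifiable Presentation slides (Issuer signs a credential, Holder signs a presentation, Verifier checks both with public keys and never contacts the Issuer), as an added example that is not from the original deck. The nonce check, the subject-equals-holder binding, the sorted-key serialization, the `did:example:` identifiers and all function names are assumptions made for illustration; real Verifiable Credential proof formats differ.

```javascript
const crypto = require('node:crypto');

// Deterministic serialization (sorted keys) so signer and verifier hash the same
// bytes. Assumption: a stand-in for the canonicalization real proof suites define.
const canon = (v) => Array.isArray(v) ? `[${v.map(canon).join(',')}]`
  : v && typeof v === 'object'
    ? `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canon(v[k])}`).join(',')}}`
    : JSON.stringify(v);

// Hypothetical helpers: a party is an id plus an Ed25519 key pair.
const newParty = (id) => ({ id, ...crypto.generateKeyPairSync('ed25519') });
const sign = (doc, party) => ({ ...doc,
  proof: crypto.sign(null, Buffer.from(canon(doc)), party.privateKey).toString('base64') });
function checkProof(signed, publicKey) {
  const { proof, ...doc } = signed;
  return typeof proof === 'string' &&
    crypto.verify(null, Buffer.from(canon(doc)), publicKey, Buffer.from(proof, 'base64'));
}

// Issuer signs a set of claims about the subject: a verifiable credential.
const issueCredential = (issuer, subjectId, claims) =>
  sign({ issuer: issuer.id, subject: subjectId, claims }, issuer);
// Holder aggregates credentials and signs them with the verifier's nonce: a presentation.
const present = (holder, credentials, nonce) =>
  sign({ holder: holder.id, nonce, credentials }, holder);

// Verifier checks everything locally with public keys (transitive trust).
// `registry` (id -> public key) stands in for a verifiable data registry.
function verifyPresentation(vp, registry, expectedNonce) {
  const holderKey = registry.get(vp.holder);
  if (!holderKey || !checkProof(vp, holderKey)) return 'bad holder signature';
  if (vp.nonce !== expectedNonce) return 'stale or replayed presentation';
  for (const vc of vp.credentials) {
    const issuerKey = registry.get(vc.issuer);
    if (!issuerKey || !checkProof(vc, issuerKey)) return 'bad issuer signature';
    if (vc.subject !== vp.holder) return 'credential not issued to presenter';
  }
  return 'ok';
}

// Constructed sample parties and claim, for illustration only.
function demo() {
  const dmv = newParty('did:example:dmv'), alice = newParty('did:example:alice');
  const registry = new Map([dmv, alice].map((p) => [p.id, p.publicKey]));
  const vc = issueCredential(dmv, alice.id, { over21: true });
  return verifyPresentation(present(alice, [vc], 'n-1'), registry, 'n-1');
}
console.log(demo());
```

The Holder's signature alone is not enough: a Holder who edits a claim and re-signs the presentation still fails the Issuer check, and a third party presenting someone else's credential fails the subject binding.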