Self-Sovereign Identity On The Blockchain with Katherine Noall
Listen to the podcast here:
Self-Sovereign Identity On The Blockchain with Katherine Noall
I have an interesting person to interview. She’s coming to us from Auckland, New Zealand, so we’re talking around the world. Katherine Noall is the CEO of Sphere Identity. She’s a lecturer at RMIT. She’s a seasoned educator in blockchain technologies. We haven’t had an education on blockchain, so I’m excited. She was a Ph.D. candidate specializing in the architecture of international cryptosystem for two years. She’s a firm believer in distributed technologies in their ability to secure and empower consumers within a largely globalized world. Katherine’s thoughts on distributed technologies and their use in self-sovereign identity and know your customer processes might be of interest to all of you out there. I think that this is blockchain-enabled technology at its best and at its highest use case. Katherine, welcome to the show.
Tracy, thanks very much. It’s great to be here. I’m excited to talk about these things. We’re going to have some fun time.
Talk to me a little bit. Have you always been working in blockchain? How did this interest you?
I came across blockchain a few years ago. I’ve always worked in international technology space and always been interested in how you use global tech to get things done. Something that was never right in that space was payments. I was working on a startup. We had international payments and there was not one payment provider on the planet that allowed us to control money. In those days there was Bitcoin and it was the first use case for blockchain technology. I looked at it and became totally addicted and haven’t done anything since. That’s why I’m in this world and building solutions using blockchain technology. We’ve moved away from the financial transactions that were the first use case and have moved on to identity. That’s one of the things that need to be solved not only in the blockchain world but also in the real world.
We talk a lot here about trust and distrust and there’s a high level of that around our identities. We have a couple of problems that you’re working on solutions for. One of those is do we own our own data? How do we own our own data? That’s what you call self-sovereign identity. I own the ability to that. The other side I want to touch on is this idea that we have refugees in other places that their identities are compromised and they can’t do anything about it. They can’t prove who they are because they had to leave their homes in a moment’s notice. What happens in global crises like earthquakes? We’re going to have that happen again as we had that come up. That’s also a different side of it. How are we going to help people if we can’t trust them to prove who they are by our metrics?
Those are good use cases because they show extreme change and that we as humans need to prepare for extreme change. Regardless of whether we’re just busy professionals or international travelers are leading exciting lives or whether we’re forced to flee our countries because it’s not safe anymore. We’re going to need to transfer information about our identity across borders and we need to do that securely because we might move from one situation where we feel comfortable to another where we’re not as comfortable and want to be careful and protect things. Self-sovereign identity is not about keeping secrets. It’s about deciding who you want to share something with and for how long under which circumstances. It’s great to be able to build technology that enables that. I would like to apologize for the term self-sovereign identity. There are many terms in the blockchain world that are confusing. If it was a teddy bear, you wouldn’t cuddle it.We're still using email and passwords to sign up. That is no longer a secure way of doing things. Click To Tweet
It sounds off-putting, doesn’t it?
It does. What it means is having you as the person who uses it more in control.
We talk about content being king. Why can’t our data be queen in this situation? You’re making me think about some things that have been going on in the world. I had a respiratory infection as I’m sure many people heard me croaked through a few shows that I’ve had to do. That’s happened so my voice has been rough. I had to go to the clinic’s office and I signed the form because we’re all about HIPAA privacy here in the US. We’ve got these privacy laws about our health data. They make me fill out a handwritten form of which I have to stick my Social Security number. All I can think about is, “You’re making me sign a form with my Social Security on it on the most insecure thing possible, a piece of paper so that I can tell you that I don’t want you to share my data with anyone.” That seems insanely wrong. There’s nothing about that’s trustworthy.
We have so many unhealthy, dangerous, stupid things around our data. Filling information onto a paper form that goes into a drawer somewhere that’s probably left on somebody’s desk and eventually goes into an archive and might be photocopied. People tend to photocopy something and a copy is left on the photocopier and you get the copy. That is silly. The same practice applies when we check into hotels and they say because they’re required to by law, “Can I see a copy of your passport?” They take a copy and put it in the drawer. The people taking that data aren’t qualified to verify any of that. It’s complete identity theater because even behind the counter, the check-in at a hotel doesn’t know. The medical practitioner that you were dealing with was not verifying Social Security Numbers. We need to do a lot of work to stop this ridiculous data collection because it gives the illusion of things being safe and secure and lots of checks being done but it’s creating a dangerous situation for us as individuals.
Before we talk a little bit about what Sphere Identity is doing, we’re starting to see that the problem of identity logins and all of these things need to be solved and we’re starting to see that because Facebook just decided that they’re putting their logins onto a blockchain. If Facebook is doing it, there’s got to be a good viable reason because their consumers don’t care. We’re essentially putting our data out there. We have to know everything is breached at this point. There must be a viable reason underlying it for them as well, liability reasons and other things. What’s going on that side from the corporation side?
Businesses are becoming increasingly aware that data’s a burden and if they don’t manage it correctly, terrible things can happen. Their reputation can be damaged. Customers can lose trust and leave. In extreme cases like with GDPR that we’ve seen up until February, 91 fines being handed out. Those were high profile, big amounts. We’re going to see more of that. There are also financial risks that corporations are carrying.
That brings me to something so interesting you say that. We have the privacy laws that relate to an email disclosure and your website’s disclosures. You have that European Union thing that has happened that we all have to comply with. I got to an issue where I called up a friend who’s an attorney of mine and said, “Could you help us write one that’s more global so that we can be absolutely certain that we’re advising clients who just have podcasts websites?” I have a podcast production company. Just so that their podcast websites, they’re only putting data out there. They are not gathering more than email addresses. They’re not shopping in the shops. I’m not advising any of those, “Could you do that?” They said, “No, we can only practice in our state. We don’t practice international law. You have to get a lawyer who practices international law.” How many small businesses have access to that? We’ve made it cumbersome in our ways. We want to have privacy and I get that. We’ve also made it cumbersome for companies to comply.
Which is ridiculous because we know if we take eCommerce as an example, that 56% of people do international transactions. We know in most towns and cities around the world, there are some people that came from somewhere else. What that tells us is that we’re regularly doing cross border data transfers. It’s sad that the service industries that support businesses haven’t caught up yet in terms of providing global tools because we can no longer say we 100% know that somebody somewhere else is not using what we produced.
Let’s talk about Sphere Identity. How long have you been doing that?
We started in 2017 as a blockchain project, looking at how blockchain can be used for digital identity. We launched our first products in March of 2019, which was exciting. The thing with blockchain technology is it’s difficult to build with. You’re doing new things for the first time. It’s always a heavy development load, but we have reached the point of commercialization. What’s important when you talk about blockchain, people often imagine blockchains as we know it is just registered data and transactions and that’s fully transparent. With identity data, that would be horrific once the identity data is to be fully transparent. Luckily there’s a generation of blockchain applications called blockchain-based distributed storage, that can be used to store data and store it incredibly securely. We are using that type of blockchain technology because we believe identity data needs to be distributed. You should not create honeypots.
That’s the whole point of blockchain. This is my number one way. I simply describe to my dad. If can get my dad, he’s always a fan of the show and he comes back and he’s like, “I still don’t understand blockchain. Keep explaining it to me.” I explained to him about identity was that our logins, our account information, all of that is put into a silo whereas you refer to it a honeypot. It’s got a big target on it that says, “Hackers come here,” because here’s where the good stuff is, here’s where the honey is. That’s a great way to describe it. Distributing that removes that centralized target. At least you’re removing that liability.
It also changes our role as a software provider. If we were a traditional identity provider, we would provide the software and store the identity data. What we enable is users to do that themselves. That, therefore, means this huge increase in security. If there was to be a security event or hack, it could only address one person, not 20,000 that might have their data in a database. We’ve put all security into our application to make sure that that is improbable and unlikely. We were able to do things with this technology that you wouldn’t be able to do with traditional technology and that’s what makes it more powerful.If we decide that we want to give up lots of information to a business, there needs to be more dialogue about what's acceptable and not. Click To Tweet
Is your goal with Sphere to be able to create, I’m going to call it by traditional means an API? A system or a block in which I can adapt your technology as the front to any applications or any things that I might build, my network for instance.
Yeah. For our business application, we offer a very standard, easy API integration. The great thing about blockchain technology is it’s just part of the technology stack. The businesses get all of the advantages of using data that comes from a blockchain that is encrypted, but it looks, feels and behaves like a standard application. Our consumer application is like any app. You wouldn’t know that there’s all complex magic happening in the background.
We may need to move to that as network owners, as software developers or whatever that might be. We can’t expect our users to get it and come along for the ride. They need it to be user interface as easy as possible their way. At the end of the day, if they have more control, they’re excited about that. That’s a bonus. Talk a little bit about what’s going on the refugee side.
There are lots of projects around the world addressing refugee identity and there were huge problems with that. Traditionally, we’ve had organizations provide identities to people that haven’t been portable. If people move refugee camps, schools or health providers, they have huge problems. It’s great, in the last few years, we’ve seen the number go from two billion to one billion, so it’s definitely getting better. A concern that I have as an identity professional is that we definitely need to provide identity solutions to those who don’t have them. We shouldn’t use that as a reason to extract data from them. I’m a bit concerned that some of the projects are data-grabbing exchange for some technology.
I see what you’re saying in that particular way. Some of the problems that we’re having here in immigration, for instance, we have children who can be matched to their families. We have that problem when they get into the immigration system. We have similar things happening in the foster care system for instance. When we look at all of that, it also concerns me that we’re compromising these children’s lives by taking DNA from them and things that are invasive because that seems like the only solution. There has to be a better solution for that. That interests me that you are working towards having a better system as well within your identity platforms.
Our app is free for anybody in the world to download. We are looking at development projects that can use it, so that will be very exciting. In your example about DNA, I think we’re living in an exciting but dangerous time. DNA is relatively new or access to that as individuals is new. AI technology is new. Blockchain is still in the new category but getting up there. People tend to jump to these technologies and I should add biometrics to that list. If there’s a problem, they look at the latest, hottest technologies and apply them. They don’t think about the unintended consequences and privacy of vulnerable individuals is important. Whether it’s children, people escaping domestic violence situations, people whose governments might be after them, we need to do this in a smarter way. New technology is not always the answer.
It’s interesting because you were pointing out before, it’s not just one or the other situation, “I’m a refugee or I’m not.” You don’t know when that’s going to end up happening to you. You don’t know when you might be in a domestic violence situation. It’s not what you expected in your life and you put your life all out there. All your data and information is all out there and you need to pull it back in. It’s almost impossible. That’s where you’re at risk. How can we be more in control of that so that we can flex and flow with what goes on in our lives or earthquake happens and our lives are upset so that whole thing can change on a drop of a hat?
We know that on average something like 112 accounts is set up for any one person using the one email address.
That seems low to me.
It is low but it probably includes lots of people who hardly ever use the stuff unless they absolutely have to. I don’t think we’re probably average in that. What’s scary is we’ve been saying for a long time passwords are dead or they’re not dead. We’re still using email and passwords to sign up. That is not a secure way of doing things. We’ve been fortunate in our business application. We’ve created a solution where people can sign up to any website anywhere in the world with that one click and not using any typing, email or password because that’s an awful old way of doing things.
That would be great because now you’ve made my life easier. It’s not even about more secure. I’ve just made my life so much easier. Why not?
The thing that drove the work that the team here has been doing was I suppose a team passion for getting rid of online forms. You use the doctor’s form as an example. That’s a paper form. People have automated that. There hasn’t been a lot of improvement. We’ve seen some spreading of forms across multiple pages to try and make signup processes more comfortable, but we need to get rid of that technology. That is not the way people should be interacting with websites.The power of blockchain is that it's global by default. We need to make sure we don't cripple it by only doing local implementations. Click To Tweet
Let’s get rid of forms because I can’t tell you how many forms I’ve got in my business as it is, as you know because you had to fill out a form to become a guest on my show. I have to fill out a form to get it produced. If I could get rid of forms, I’d be so excited. I want this to all happen behind the scenes without me knowing about it. Katherine, tell me a little bit about the future that you see. You’ve created this API. You’ve created this process that you’re using. Some heavy lifting you guys have done underneath everything that the structure’s built on. Where do you want it to go from here?
We want to change the way that people interact with websites and the way that people use their data. Those are our two main objectives. We believe that they can be radically different from the way they are now. It’s not about increasing security and ability to decide what happens. That’s so ground level anywhere it starts. It’s about how do we get access to services? How do we buy things without giving up lots of information? If we decide that we want to give up lots of information to a business, that’s absolutely fine but we better be getting a lot back in return. There needs to be more dialogue about what’s acceptable and not. I don’t think we’ve seen much of it yet. We’ve seen lots of new forms that you have to take consent, but we haven’t seen businesses considering that and then reducing the amount of data they’ve got. That’s a trend that I would expect.
Are you working with some partners to try to make that happen? Where I’m thinking of, I work in the retail world a lot. I would love for retail to get much more streamlined. I loathe to shop at certain places and I’ll default to Amazon because it’s one click at the end of the day and you’ve made my life easier. If it happens to be there and it’s not radically different in pricing, I’d rather just do that because I’ve never had a breach of data there and I’ve been using them since 1998. The retail world is right for that. Are you working with partners to try and break into these industries and categories?
Yes, we are definitely looking at eCommerce or retail. We are also surprised by the types of opportunities that are coming to us. Onboarding, which is what our applications do, applies to anything that we do on the web. We are working on projects to do with HR. When you start with the new company, that process, and paperwork. That can be one click that makes lives of lots of people on both sides a lot easier. In terms of driver onboarding, ride sharing, tracking companies, we’re doing those things. There were lots of applications and it’s a matter of working through them one at a time, but they all have the same problem and it’s taking too long. We’re not sure that the data they’re getting is right because humans are typing it with errors and we need to get smarter about the way we do these things.
I have 50 employees worldwide. It gets complex. We had this issue where for the entire time that we’ve been working with two of our employees and they’re trustworthy employees. We have face-to-face with them at all times. Their names have been swamped. We’ve been calling them each by their other person’s name because they didn’t have an account with the HR agency that we hired them through. They were essentially using each other’s account. When the other came on board, she couldn’t create her account in her own name. She had to create a new account because she had loaned it to our friend. We ended up hiring them both and we have these complications, so she had to make up. It’s been two years.
We were using Slack before and because we switched to Facebook Workplace, they had to use their Facebook profile, which is set to the right person. They had to fess up to us what happened and we were like, “I can’t call you by a different name. This is confusing. It’s gone on for too long. You should have told us a while ago. We would’ve been happy to fix it.” It was a log in the situation and they didn’t want to lose a job because they wanted to admit they borrowed a friend’s login, which is understandable because you’re trying to find a job. You don’t have money. I get it. We would have been understanding about that, but they didn’t know us. How would I know that? They’re not in my office. I don’t see them every single day. I didn’t get a physical ID from them because these are worldwide employees.
Things like that are difficult. Identity mistakes when they happen are so difficult to correct. People can take years doing it. Identity theft is one of those examples. The amount of repair work that you need to do is awful and so time-consuming.
We have one of our new podcasters that are starting on our network. I wouldn’t say credit repair because that’s not what he does at all, but part of the program of what they do is they take a look at all of that. I cannot believe mine actually physically has my husband’s name as my middle name as one of my identities. I’m like, “That’s all wrong. How in the world does somebody think that’s okay and not fixing that?” Those things happen. To get that mistake removed, I think we’ve been working on for six months. It’s obviously not me. Katherine, where do you want this world to go with blockchain? Where do you see its applications could go deeper?
In terms of blockchain, I think there are a lot more applications. We use blockchain for storing identity data, which is absolutely the right thing to do but blockchain-distributed storage can be used for all things. I would like to see that being adopted by more businesses for standard use cases. While it sounds scary and something that people don’t know about, the integration that technology’s a bit more mature is a simple API.
You’re talking about your API being free. Of course, the development learning and there’s a learning curve and so you do have to have a team on your own side. What is your estimation as to the cost of a small business being able to afford to apply this?
Any business can buy from our website. The technology has been made simple enough to buy and download. You do need some help integrating it. We can provide support on that. We charge businesses per transaction. If you’re a small business, it’s not many transactions, it’s actually quite cheap. If you’re a large business, the costs are higher but at the same time, both of those businesses get the advantage of getting things done more efficiently.
Is there anything I haven’t covered that you’d like to talk to my audience about?
The important thing I think from all of this is that we need to see it push to more global identity products. Ours is one but there aren’t many in the world. We need those, just like you need your lawyers to be more globally focused. Technology solutions we’re providing need to be more global because businesses want to transact globally, people live globally. The power of blockchain is that it’s global by default. We need to make sure as humans, we don’t cripple it by only doing local implementations.
I want to ask you this question because it’s very obvious you’re a woman in tech and there are not a lot of us and it is a small community. Is that the case where you are in New Zealand? Is it still a small community because it feels small in the US?Your organization and your products should reflect the market. Click To Tweet
It is small. If I look at the blockchain ecosystem in New Zealand, there are not many women in it. I’ve got two thoughts about that. One is if you look at the percentage of women as developers, that’s a small percentage. It’s not strange that there isn’t a lot in more senior positions because there aren’t many to be promoted. I think that is an issue. I don’t think we should think it’s bad because it’s not 50/50. It’s not physically possible to be 50/50 at this stage in this industry. Having said that, at Sphere Identity, we’re clear about the way that we recruit. We only do skills-based recruitment. We don’t look at any other information when we make our decisions and we have a population where 48 are women and that’s not because of quotas or targets. We have just looked for the best person for a job. It shows if you don’t discriminate if you don’t recruit from networks because your networks are likely to be like you, there are actually lots of talented people out there and we wouldn’t have been able to build what we built without diversity.
I think that’s so critical. This is my main criticism of things like AI or when we adopt new technologies because we think the answer is if it’s just putting a Band-Aid on a problem that’s already old. The data’s bad because the data didn’t have diversity and how it was being shared and configured and how our artificial intelligence was being written to screen that. There wasn’t a diversity of thought in how it’s being guided, to begin with. That hurts us. The blockchain is the same way. One of the things that Monika Proffitt, my cohost and I, are trying to encourage women, minorities of all diverse cultural backgrounds, global backgrounds. We want that because if we can build that in, then the blockchain is going to serve us better as the new internet in a way. It’s the new infrastructure in my mind. If it doesn’t do that, then we are not serving ourselves. We can’t keep building on the old infrastructure. We sometimes need to discard it and start something new.
I don’t think it’s about diversity. It’s about understanding your market and being smart commercially. Your organization and your products should reflect the market. The markets don’t look like lots of companies that we see in this space.
They are diverse in and of themselves so they should match that. Katherine, I’ve enjoyed our conversation. It’s always fascinating to talk about the application and also talk about theory as well at the same time. Thank you again, Katherine Noall, from Sphere Identity. Thank you so much for joining me.
Thanks, Tracy. It’s been great talking to you.
Everyone at the New Trust Economy, I’m Tracy Hazzard. As always you can follow us on @NewTrustEconomy. Thanks, everyone. Until next time.
About Katherine Noall
Katherine Noall, CEO of Sphere Identity. Previously a lecturer at RMIT University, Katherine is a seasoned educator on blockchain technologies and was a PhD candidate specializing in the architecture of international cryptosystems for two years. Katherine is a firm believer in distributed technologies and in their ability to both secure and empower consumers within a largely globalized world. Katherine’s thoughts on distributed technologies and their use in self-sovereign identity and know-your-customer processes, might be of interest to your listeners as an interesting, viable application of blockchain-enabled technology.