Hi, everyone, I think we should go straight
to the other panel for the sake of time.
So if I can call our panelists here, and I'll
take this time actually to do an introduction.
So we have here with us Steven Bellovin, who's
a professor of computer science at Columbia
School of Engineering.
Hi, how are you?
And we have also Professor Anupam Chander,
who's a law professor at Georgetown University
Law Center.
We have Valerie Khan, who is the co-founder
and VP at Digital Equity.
And we also have, Aubra Anthony, thanks for
being with us.
She's team lead for USAID strategy and research.
And we have Catherine 'Katie' Chander who's
a professor Oops, sorry.
Highet who's the lead for FinEquity's technology
Working Group at CGAP.
So thank you for being with us as well.
My name is Ronaldo Lemos as John mentioned,
I'm a visiting professor here where I teach
Technology Policy, especially for the developing
world.
So I would like to start this conversation
just by saying that governments, and I'm not
sure if you will agree with me, will have
a very hard task to transition into digital
platforms, they cannot afford not to do so.
If a government doesn't become a digital platform,
most likely it will lose the capacity to govern.
Problem is, this transition can be planned,
like Estonia did.
We all heard from Toomas early this afternoon.
Estonia had a plan and it basically put that
plan into action, and it turned the government
of Estonia in probably one of the most advanced
digital governments we have.
However, for the developing world, this transition
might actually be completely accidental.
So no plan whatsoever, you will be doing that
in patches, maybe the private sector will
come up with certain solutions that will be
adopted, and will be integrated without much
thinking about the consequences, and so on.
So, this panel is for us to discuss digital
IDs, because if governments will transition
into digital platforms, digital IDs will most
likely be the login into those platforms.
So this is one of the issues that we are going
to be discussing today.
And of course, issues like data ownership,
privacy, surveillance, do we need digital
IDs?
All these question I think are up for grabs
in this particular panel.
So let me start first with Aubra.
And I would love to hear from you about your
experience in this field, and basically, how
do you address some of these questions that
I raised?
Sure, I'm happy to.
So as Ronaldo said, I work at USAID, the US
Agency for International Development.
And we work across a number of different countries
and we do programming across multiple sectors.
So we work on resilience, we work on food
security, global health, democracy and governance.
My team the strategy research team sits in
a smaller kind of think tank space where we
look at the role of digital technologies across
the work that we do, both assisting governments,
and working with private sector partners and
NGOs in-country to do this different kind
of sectorial work.
And my team has researched the role of different
digital technologies in this this broad space
that we work in, specifically looking at digital
identity.
And so a lot of the work that we do relies
on the need to identify individuals.
So if you're doing case management, or if
you're working to get cash assistance to refugees
in need, you need to be able to identify that
individual who's on the other end of services
or receiving goods and services.
We also work with governments as they are
working to stand up voter registration systems.
And so increasingly, we see digital identity
being a key component to all of these the
different work that we do.
And so as my team has researched the role
of digital identity in the different sectors
in which we work, we've looked and kind of
treat the landscape the the broad universe
of how we interact with this and how this
affects the country's development.
And so over the course of a couple of years
and looking across the different ways we make
investments, we see that if we're not approaching
this with a mindset of long term self reliance
and growth, we end up contributing to a fragmented
digital ID landscape.
And we, we need to be very careful in investing
in systems that are locked into specific vendors
that don't foster interoperability, because
ultimately that undermines a country's ability
to continue to develop.
And so what we've done as a team and also,
you know, throughout the agency is try to
work with across multiple sectors and with
different partners to foster a greater sense
of building the foundational components of
identity systems when we are making these
types of investments.
How can we structure them in a way that they're
contributing to the longer term growth of
countries?
How can we identify what is in place in the
country and try and meet the landscape of
the ecosystem where it is and strengthen the
existing ecosystem rather than creating systems
that are going to be operating in parallel,
or in silos and ultimately undermining the
growth of those in-country systems.
So that's the kind of nice narrative about
how we build stronger ID systems.
The flip side to that is that when we're working
in countries where governments may not have
the ability to protect private information
about individuals, we ultimately could be
putting people at risk if we're pushing toward
greater integration of systems, greater interoperability,
and so there's kind of a double edged sword
of acting in this space working to promote
the use of foundational identity systems in
a digital age, while also ensuring that we
are walking away from the digitization of
the systems when privacy or security is being
put at risk.
And this is increasingly an issue when you're
working places with an authoritarian influence.
So I think there's a number of things that
we'll talk about on this panel, but hit on
some of those things.
But I think it's important to remember that
it's not actually ID is an issue that is being
frequently discussed across all of the countries
in which USAID is working.
This is something where some countries are
far ahead of where the US is in the space
but actually have strong foundational digital
identification systems versus a functional
driver's license type system is, you know,
different types of functional systems that
we rely on as foundational.
And I think, you know, as we work to create
the types of growth that are going to lead
to inclusive systems and sustainable use of
these systems, it's incredibly important that
we think about not only the the technical
interoperability of systems the way that we
can crowd in multiple stakeholders with the
private sector and public sector in using
the systems and being able to transfer information.
But ultimately, the individuals, the users,
the people whose information is being collected,
how we're meeting their needs, and how we're
building systems, not to just as previous
panel was highlighting, not just extract information
about these individuals, but identify what
their needs are, what their privacy concerns
are, and meet them where they are and build
systems for that particular objective.
I think I'll stop there and wait for the questions.
Yeah, that's great.
I'm glad you raised issues like architecture
and design, have always to remember that technology
is never neutral, it is exactly the opposite
of what we usually hear because it is the
product of design.
And when we heard about the case of Toomas
and his country Estonia, how they designed
like the x road in order to compartmentalize
data.
And these are actually the hard decisions
to make.
Do you centralize the data?
Do you decentralize the data?
Do you centralize public services?
Do you decentralize them?
So these are like, actually very hard questions.
And I'm glad you raised also the right decision,
because that's a great point for calling Steven
into the conversation.
And I'd love to hear more from you about this
needs.
Thanks.
Yes.
I'm actually going to talk about two very
different issues with digital identities privacy
is indeed one of them.
We have the technology to completely invade
people's privacy, to make these completely
anonymous journalists, and we need that and
there probably needs to be middle ground.
So I'll give you a concrete example.
I'll actually start with 1973 when an advisory
committee to the then cabinet department health
Education and Welfare issued a really seminal
report on privacy.
Starting in the 60s, people started worrying
about giant computer databases.
Technology wasn't quite there yet, but very
clearly government people were worrying about
what do we do about this.
And one of the things of this report strongly
said is we must not allow the social security
number to become the universal identifier
for lots of different things, all of which
will be linked together by this one unique
number.
This advise was not heeded.
To put it very mildly, technology is actually
created another unique number, it's the phone
number for your phone.
For most people, their phone number is something
that they got when they got their first phone,
your phone number, your area codes is where
we live in when you were, say 10 years old.
And it's not going to change where there's
no strong reason to change your phone number,
and there are lots of legitimate reasons to
give your phone number to various places an
there's another, call it the database key,
for joining different pieces of data, a centralized
sort of thing.
Now, we haven't talked about a digital identity
card.
In some sense, this could be a centralized
identity.
And that carries advantages, certainly, but
also carries privacy risks.
Well, cryptography can do all kinds of amazing
tricks.
We could just oh, so let's look at this university.
You could have a digital ID card that was
provably issued by this university but you
would generate as many sub identities you
wish that were not linkable to each other.
And you could use one to register for this,
and another one to go to a concert.
And another one to walk into a building is
normally locked.
But there are other things we really need
to have one real identity, for example, checking
out books from libraries, so they know whom
to come after if the book doesn't come back.
In a national context.
You may say hey, an anonymous identity is
great for register to vote and it is probably
unlinkable, but you want to make sure that
any one person only registers once.
So a lot of different things.
Some of which we know how to do cryptographically,
some of which we don't.
But it's really bad with the technologists,
and I have more than 50 years experience in
programming computers, and you don't want
to let the technologists make this decision
based on just what they want or what is convenient.
This is a societal decision, a social decision
that has to be made in countries that don't
yet have this identity infrastructure, know
where things can go and are in much better
position to actually make this decision consciously
and perhaps differently.
What are the real needs and then might be
a real national security or certain public
safety for certain kinds of clearly defined
linkable to one physical person identity.
Well, that doesn't mean that the Amazons,
the Walmart, the other multinationals, of
the world, should be able to track you that
way.
That doesn't enhance national security nearly
as much, or maybe it does but this is a decision
that should be made consciously and not by
the implementers, who no one ever intended
phone numbers to be a great database evil
linking things.
The US government was actually the first,
Social Security Administration was actually
the first to start misusing social security
numbers for a secondary purpose.
So you can watch for the convenient track.
This is one point.
The other point I want to make is very, very
different, and it has to do with how do you
establish the identity in the first place,
or recover from it?
How many people here have lost a vital identity
document like a passport or driver's license
had to cover.
You know what?
About 15 years ago I was in Paris with my
wife and son, and my wife's purse was stolen
with her passport and her son's passport and
they were flying home the next day.
We had to go through, apart from the many
hours the everlong in the 70 that Roger small
police station, get an emergency passport
the next morning.
How do you establish identity?
Well, in this case, it was relatively easy.
I was there with an American citizen I was
American citizen with my passport.
I was staying longer so I can I can prove
my identity.
Error recovery like this is not easy.
Building up identity in the first place is
not easy.
How do you establish your identity sufficiently
well when you're just starting out, or when
you've lost everything.
Disadvantaged populations are particularly
challenged when it comes to this.
Think homeless people in this country who
might be eligible for, for example, Social
Security, but can't prove their age or identity
because they lost all of those documents years
ago.
There's a couple of articles in the New York
Times just in the last couple of weeks about
Kenya's national identity system and how some
descendants of migrants or migrants or ethnically
different groups are being marginalized, fighting
harder to prove their identity.
I will take this as fact I have no on the
ground knowledge of this, but it becomes a
tool for social control and becomes a not
done properly.
it excludes a significant portion.
How do you handle what's called reader documents?
Well, it's going to be a culturally dependent
thing.
You know what, I got my first passport waiting
in line the passport office, and I noticed
a little sign about all the other ways you
could prove your identity and birth, date
birth other than the documents they told you
to bring.
It includes things like affidavits, family
Bible, birth records and so on.
There are all these fallback things.
But these have to be culturally specific.
And look, you have to make sure you don't
exclude people simply because you don't like
them because you didn't appreciate their culture.
So when you're building up a system like identity
system, you have to understand how do you
start?
How do you bootstrap it?
How do you handle exceptions?
One more exception, and I'll shut up when
my wife was born, her mother had, her parents
had one name, but she became a naturalized
citizen when she was about two years old and
changed her name.
There was no paper trail of her name change.
When she got her first passport.
She did with affidavits from relatives about
this was the name she's always use.
I used to one up, but at this point, the older
generation is gone.
If she ever lost these documents, she would
have a hard time restablishing identity without
this paper trail.
How do you do it?
And she is comfortably middle class, etc.
Yeah, this is a great point and I'm glad to
raise the social security problem, because
when we talk about identity, we wante to make
sure what we're talking about because one
thing is about, for instance biographic certificates,
so it is your birth record, it is your marriage
certificate and so one.
This is one thing.
IDs is the type document that proves who you
are.
That is why you have like your fingerprints
on them, other techniques.
It is about establishing an individual.
And administrative numbers, like social security
numbers, is what a government gives to you
regarding certain political or policy programs
and there is so much confusion between these
terms.
And sometimes people take administrative numbers
and try to turn them into identities, which
is completely dysfunctional.
So design is very important and it's very
important to keep it clear about what we're
talking about.
And design is actually what I'd like to raise
with you, Catie.
Not only design, but also gender issues.
I'm sure you're involved with important debates
about how to design a good ID and also how
to account for gender issues in ID so yes,
Great, thank you.
So I work with FinEquity, which focuses on
women's financial inclusion and I lead the
technology component.
It's part of the Consultative Group to Assist
the Poor, CGAP at the World Bank Group.
And we are a community of around 1000, I think
1300 people now who look at all of the different
ways that women are able and not able to access
financial resources.
And so one thing that we know that in low
income countries, for those people who don't
have a bank account, and they don't have any
form of identity.
It's the the piece of identity, the paper,
that is going to stop them from getting a
bank account.
We know that low low income countries 44%
of women don't have an identity compared to
28% of men.
So it's a real issue and in countries where
there are some gender norms that are more
severe, like Afghanistan, we have a 45% gender
gap in digital identity and only 7% of women
have a bank account.
So this is pretty, it's hugely effective in
terms of what it does for a woman's life to
not have a form of identity not have a bank
account.
Rules in several countries around actually
getting an identity are different for unmarried
woman as they offer unmarried men, so Saudi
Arabia Oman again, Afghanistan, they have
different rules to how you actually get an
identity.
And so, you know, going back to Aubra's comment,
you know, how do we meet the needs of the
people who we are trying to give an identity
to?
I sort of want to flip the question.
We talk about digital identity as if it's
a technology question.
And it is, but it's also about the kind of
the social and cultural norms around what
identity means and how you value what you
don't necessarily understand.
I have a, we every three years of World Bank
puts out findex data, which measures the level
of financial inclusion globally.
And there's been a huge amount of research
and data in recent years around India and
the India stack Aadhaar I'm sure you're all
very familiar with it.
And it's you know, it's a widely lauded as
a success, there are obviously some some issues,
but as a large scale rollout, now they said,
saying that 95% plus, I think my colleague
here is going to talk further about, have
an identity.
And so two years ago, the big piece of data
that everyone was very excited about was that
80% of Indians now had financial inclusion,
had some form of bank account fit, a mobile
money account or a normal bank account.
But 48% of those accounts were dormant.
And so this sort of speaks to a much wider
story around, what does it actually you know,
what does it actually mean to the individual?
How do you make these really abstract concepts
mean something, you know, worthwhile, what
is the use case that is going to make someone
sign up for a digital identity, a bank account,
and understanding you know, what the drivers
are and what the barriers are, it has to go
into the design process.
It's very, you know, it's very easy to design
for a specific need.
But often, you know, the development sector
is very guilty of, you know, being a solution
in search of a problem.
And we need to, we need to really pare that
back and sort of start understanding, not
only, you know, what are the needs of what,
what is the person going to use this identity
for?
Is it that they are a migrant worker, and
there they really see the value in being able
to send remittances easily back to their home
country?
What are the barriers?
So, you know, with agricultural workers that
don't necessarily have fingerprints, for woman,
you know, collecting a face scan or an iris
scan might be deeply problematic or have cultural,
some negative cultural hangups, I guess, or
ideas around it in some countries and so it's
you know, it's really we need to start thinking
about the whole process of identity.
For MasterCard, they have just are just getting
ready to launch a large initiative.
And it's heartening to see that they are offering
a variety of different biometrics as part
of that.
And to speak a little bit more about this
sort of abstract concept: artifacts, you know,
we might we might talk about identity as a
being very comfortable with what it is.
But tangible artifacts are very important.
You know, I think that we can't, that they
can be very important in explaining a process,
they might not be meaningful to us, but they
can help the initiative bring meaning to the
consumer.
You know, and if you don't, when we come to,
when we think about privacy in the last mile,
the sort of the rural poor, how you know,
how do you explain the you know, not only
the opportunities of digital identity, but
the risks?
And are we doing that?
Because I think that we try and push the opportunity
and tell people look at this great way you
can send remittances home and look at this
fantastic way you can have your saying in
local council, but actually we need to be
very clear about helping people understand
the risks and to do that we have to understand
the risks and what they are in that specific
context.
So I think, you know, from my perspective,
when I think about woman's financial inclusion,
and the the barriers, they are very, very
similar to those of a woman's digital identity,
their inclusion in the digital identity process.
And we need to make sure that we're not putting
people at greater risk, we're not giving people
a greater burden to manage when we produce
these, these programs, these initiatives.
I'm not going to get into the the sort of
the details of fatigue around multiple functional
systems.
This is foundational systems, I know that
my colleagues are going to pick up on that.
And I am aware that we're running out of time.
So I won't go into public private partnerships
at this point.
But we'll pick it up later.
It's actually a great topic.
And it's a good topic because we are going
to raise them with Valerie.
You're going to talk about some use cases,
but we had an interesting conversation before
this now.
And we talked about the role of the private
sector as well.
So one of the dilemmas of governments everywhere,
is that maybe if they don't stablish their
own digital identity, there will be a provider,
which can be Facebook or others that will
come up with a good enough ID system that
can maybe be adopted as a form of universal
identity, or at least good enough identity
for most services.
So what are the use cases that we've been
working with, and how we address the public
private dilemma?
Yeah, so um, first of all, maybe a quick introduction
on digital identity as a nonprofit association
and we work in general on digital transformation
projects.
And obviously, as an association, we have
the liberty to put forward principles under
which we think any digital transformation
has to be done.
So, I think coming from the digital transformation
wording, let me maybe just lift the terminology
of digital identity up a little bit, because
I think digital identity is a massively unsexy
term.
And it generally gives this feeling that it
is technology and that it is, I don't know,
a thing in a way.
But I have actually recently made a new friend
who was telling me about he's endeavor to
build a barn.
And he was showing me a picture of the barn
coming up.
And I got excited once I saw the walls coming
together, and I thought to myself afterwards,
this is exactly where we go wrong, because
we should be excited about the foundations,
we should be excited when we see the hole
in the ground, and we should be excited when
we see that being done properly.
And the same can be said about digital identity.
Digital identity is the foundation to I think
everything that we have spoken about today
already that we will be talking about in the
future.
Digital identity is the foundation to the
digital economy.
It's a foundational to the digital transformation,
as we call it.
And it's the foundation, I would say as well
to all the problems that we have just heard
about before, when we talk about data.
Digital identity is the source of personal
data, and for that reason, as well, I think
digital identity is more than just the functionality
or the foundational use case that we keep
hearing about that we've heard before in Estonia
as well.
It is the basis for every identity that we
come across it is Facebook, it is Amazon,
it is all the different types of of logins
that you use them.
And I'm saying that particularly as well,
because when we talk about development, we
get very excited about the ability to lift
people out of poverty, we're getting very
excited about the ability to connect people
to make them sell their things online, we
make them like maybe have access to markets.
But really, we should, we should be ever so
careful when we get involved in that space
to do the foundation right.
So let me just say a few words about maybe
starting with the digital economy.
The digital economy is a fantastic opportunity
for the development sector.
The estimation goes that about 15 to 50% is
added to GDP by digital economy.
I'm pretty sure that Estonia would have a
different number to this.
China is estimated to go up to 30%.
In many of the countries I've seen across
Africa, I would say that number definitely
is higher as well.
This is the opportunity right now to think
about lifting people out of poverty.
And it is the digital economy that we're talking
about.
But I think with all the advantages that we're
seeing, I would say that we've heard enough
today and I'm probably talking to the right
audience as well to say, don't we feel creepy
about it?
Don't we feel like it's it's coming on us?
It's watching us.
It's tracking us and sending suddently things
that we never wanted.
it's just like, there is a feeling of discomfort.
And I think there were very good questions
raised before as well.
Yeah, I want to be optimistic about the digital
economy.
But I've also got to be absolutely negative
about much of the things we've seen.
And I actually also want to take the opportunity
to saying, to thank John Battelle for the
work that was done by his team as well because
I think that's exactly the type of awareness
raising that we do need right now.
So another word that was mentioned a lot today
was trust.
And I personally think this word was massively
misused at the moment, we're talking about
trust as if it's the underlying foundation
of everything.
And yet we're not really doing anything about
it.
I think exactly the examples like the visualization
of where e-government means.
We're have to sign things because digital
becomes so elementary to our life, it's impossible
to live without it.
And yet, we have to sign up to terms and conditions
that we don't understand.
And if even if we were to read them and interpret
them, it obviously means something different
in reality.
So what do we really mean with trust?
And let me maybe just lay out a few elements
of what I think we should define as trust
and what we should look at.
And I think what both my colleagues already
have all three colleagues have already picked
up on this word.
Trust is something very systemic or it should
be addressed in a very systemic way.
It's not a technology for sure.
It's not a technology.
We're talking about laws.
And even when we have laws in place, are we
accountable?
Are we actually putting in the mechanism to
really hold people responsible for the wrongdoing?
We're talking about institutional arrangements.
Do we have mandates allocated our roles and
responsibilities clear?
Have they been disseminated to people, does
everybody know what that means?
We're talking about things like design issues.
I mean, what are we going to do about illiterate
people?
What are we going to do, especially in the
African context about people that speak five
languages?
I've read the other day that Google only allows
a handful of languages.
How are we going to pick up on these people?
We hear about women, how do we include them?
These are all design issues.
Then we talk about third parties that we bring
in.
A lot of countries find themselves locked
in in solutions at the end that they can't
get out of, or I see as well across Africa
solutions, that yes, may be the private partners
deliver on it, but all the sudden they also
collect facial recognition information which
then leaves the country.
We see laws where country where countries
are feeling, they're feeling the pressure
to put something in place.
So they say, well, we have laws now that demand
that the data stays within our country.
But I don't know, is that good law?
I mean, I can see why they want to do this.
But we need to help them to not feel like
I need to put these laws into place, but help
them to actually put better solutions in place
all together.
So I just want to finish by saying, apart
from having to address all of this, and this
needing to be a systemic approach, I do appreciate
very much that this is a university.
And I think there's a huge role university
can play in this.
I want to also repeat that this is actually
a project coming out of the Columbia World
Projects.
So I'm very excited to see what comes out
of this.
I hope that colleagues with the appropriate
information and the the research that's happening
already, are putting information into this
as well.
This is not something that I think we should
leave governments alone with and this is not
something that we should just let private
industry partners solve.
This is something that needs to work in partnership.
And I think it University has an undeniable
unbiased and very knowledgeable approach to
this.
So I very much encourage that work.
Great, and I'm glad that you mentioned trust,
because one of the reasons we're talking about
digital IDs today is because the internet
doesn't have an identity layer.
There is even debate whether that was a flaw
that from the start maybe should have had.
Of course, the repercussions would be huge,
like for things like disinformation, or, you
know, when you miss the authorship of what
is said in the internet that has repercussions
that are both good and bad.
But the fact is reestablishing this identity
layer and the strategies for doing it so,
I think is one of the pressing challenges
that we have right now.
We are talking about fundations, we are going
to talk with Professor Anupam right now about
Aadhaar, which means precisely foundation
in Hindi.
So I think it's a good term to start this
conversation, just for the sake of curiosity.
First time we collaborated, was in the remote
year of 1999, in which you wrote an article
for a book that organized and it's really
great to have you here, so.
And of course, you actually stole my opening
sentence.
So Aadhaar literally means foundation.
So my task here is talking a little bit about
the India situation, the India stack, which
you kindly teed up as well.
So the the president president Ilves talks
this afternoon about Estonia, a country of
1.3 million people, which he and others have
really led to the forefront of the digital
economy, largely by building on this foundation
of digital identity, right.
And so, India had took this move as well,
a decade ago, but began by trying to do this
kind of colossal task of taking more than
a billion people and putting them into a national
identification system.
There was no national identity card or number
or anything like that before Aadhaar, so this
is kind of created from scratch.
It included not just being a 12 digit ID and
name and address and things like that, but
also biometrics which have been mentioned.
So your fingerprint and or an iris scan, which
are both quite an important biometrics.
And as it has been pointed out, that a lot
of farmers who have worked their fingers so
much that they no longer have fingerprints
that are, you know, read, readable on on the
systems, so this is a fraught exercise, to
say the least.
But currently there are 1.2 million people
in this billion I'm sorry, number two.
So originally is literally 1000 Estonia's
that are in the Indian digital ID system,
okay.
And so and the idea really is that as the
foundation, this is part of the India stack,
that is other services, health services, education
services, financial services are all built
upon digital ID.
So it really becomes the foundation.
But I also wanted to pick up another another
point that Valerie made, which was the alternative
of a private sector led model.
And this goes back to John Battelle as well
and his incredibly important work.
So Facebook, really So as Ronaldo has pointed
out, the internet did not come with an identity
layer that was part of the design of the internet,
but other people businesses realized identity
is really important.
It's critical.
This is why cookies are placed every time
you move anywhere on the internet, if you
want to know exactly what you're doing, and
it makes their provision of services easier
to you, but it also makes their relationship
with you much more lucrative, right?
So Facebook has long sought to be that identity
layer.
So Facebook wants to be the single check in
point for everyone else in the internet.
So essentially, deep at the heart of the internet,
everything you do is Facebook.
Because Facebook has long had a real name
system, a real identification system.
Once we've paired you with a Facebook identity,
then we can populate you for everything else.
That's been Mark Zuckerberg kind of part of
his vision, to build.
So Facebook is the internet essentially, at
the deep level.
And this is why, this is what leads to Cambridge
Analytica and so Facebook's desire to to be
the critical foundation and to be valuable
to other enterprises in that in that way is
what leads to this this API problem.
And so the main issue with you know, one of
the key critical question from this context,
Steven has raised as well is the level at
which the database is able to be exploited
and to be abused.
And so this then depends upon how the API
functions, upon the kind of the very granular
questions about if that actual ID shared or
a hash of ID or some some kind of virtual
token or virtual ID which replaces that actual
number.
So instead of sharing your social security
number, you share something which is a mimic
of that number, which it can still be authenticated,
as Steven has pointed out.
So the system can authenticate you without
actually giving the key biometric or other
conventional way.
And so I think it's not, I think, if you're
coming late to the game, it's actually not
a bad place to be.
And so you have no legacy system to worry
about, you can now think through these problems
from the start.
And I think there's a lot of opportunity,
and I'm very glad to see folks like Steven
and my colleagues here working on it.
Yeah.
And it's interesting, because Estonia model
was designed around like, maybe 8 years ago,
10 years ago - 20 years ago.
India's was like, 12 years ago or so, right?
My question would be, how would you design
from scratch an digital ID system right now?
Would you move into the direction of a self
sovereign identity completely distributed?
One in which the state could not touch or
revoke, because it would be only up to the
citizen to basically managed a particular
idea?
So how would you do that?
Do you guys have any ideas about how would
you design a digital ID system right now?
It's very far from clear that such, there's
actually desirable to have any one solution,
Mark Zuckerberg notwithstanding.
As you pointed out, other academic writings
have pointed out, people have multiple identities,
and it's often very desirable to keep them
separate.
So I've been using Twitter far too actively
for a fair number of years.
And you want to go I set up a completely separate
Twitter account just for my photography.
I'm not trying to keep it anonymous and my
real name is associated with that acount.
But if people only want to know what I think
about photography and not about technology
or politics, they can just follow that account.
I'm someone different socially that I'm professionally.
And there is no strong reason to have only
one identity and a lot of reasons not to..not
even nafarious reasons.
It's just who you are.
You know, I'm going to be speaking for a government
body on Tuesday and affiliation was used for
identity purpose only.
I don't mind put that in, but really I want
to decouple it a little.
The university doesn't stand behind of what
I say.
Matters less in the University than when I
was in the private sector, working for a private
company that migh have actually care about
my name identified.
That was a whole pile of different issues.
And one, is not clear you really want one
identity, even apart from the privacy concerns,
and I do have great privacy concerns, but
you are just different people to different
situations.
Aubra?
So I would jumping on how would you design
an ID system today by saying I think it would
be wonderful to hear great ideas pop up from
this room.
We were talking about this over lunch today.
I think the idea of self sovereign ID is a
fascinating one.
And I see a lot of potential there.
I think having an identity that accompanies
you wherever you go, there's no intermediary
that you depend on there's no node where you
must trust a central government authority.
I think all of those things are very compelling
when you think about issues like human trafficking
or forced child marriage, you the importance
of having an identity that no one can take
away from you, is just so paramount.
That said, and this is what you're talking
about at lunch I have yet to see, and maybe
this is just my own limited creativity, but
I have yet to see a truly inclusive, self
sovereign template, where those who are not
digitally literate, those who do not understand
the implications of loss of your personal
data would be truly empowered to gain from
having that ID and I think that's not to say
that we shouldn't aspire to that I think we
absolutely should re envision what identity
can look like.
But the caveat I would put that is it should
be identity for all and that's speaking from
the perspective of USAID, but also just as
a human being.
I think when we talk about a futuristic, self
sovereign state of identification where portability
and all that Is is ingrained, I think there's
often an assumption that the user will be
of a certain caliber of understanding or of,
you know, kind of a certain type of archetype
that we should not always make the assumption
around.
Related to that question, how do we make digital
identity systems politically resilient in
the sense that Estonia had a great president,
but what if in the future it elects, like
a malicious president, or one aligned with
the Russia or something like that?
How do we make sure that the checks and balances
are architecturally built into the system,
What do you think about that.
I can try that.
There was one component to a digital identity
solution, I think to any solution that incorporates
multiple users, owners, stakeholders of some
sort and that is is a governance structure.
And I think we've heard before as well that
we need a new governance structure.
The same can be said about identity solutions.
Identity solutions are massively dependent
on a solid governance structure.
I have seen some fantastic and maybe I think
I'll just throw in, when I think of a good
digital identity system, I really think of
it as a modular system.
I think it needs to be always extremely flexible.
And I've seen components of very good digital
identity systems across the globe.
But I would say none of them is perfect.
So I think 
the idea is let's take those different components,
let's put it together but at the top of all
of this, sits the governance structure and
that's right.
I mean, what if Estonia suddenly were to have
a, let's say Russian leader or I dont know,
someone with I don't know.
I'll knock on the table.
Russia has copied our system, they just don't
say it.
Well okay, but so, I mean, let's say what
if Russia was going to have suddenly a leader
that they didn't want?
What if it wasn't a leader that does necessarily
represent the the needs and interests of the
citizens?
And I'm sure some countries might relate to
this at the moment.
I know of a certain country
I grew up in Germany.
Definitely this has happened and systems can
be abused, so how do we make sure that this
doesn't happen?
Apart from a modular system?
I think it is that governance that is the
core towards it, so we keep talking about
distributed technologies.
I think we really need to dig into the distributed
governance as well and how that can play out.
How do you not have one party, one leader
that actually can turn and twist the button,
but like a bigger amount of people?
Were not necessarily anymore living in a world
that's made up by countries as well.
What if we were to give that type of ownership
as well to partners that we really trust?
So I think that emphasizes the need for a
multi stakeholder approach.
So identity is not only something that pertains
to the government, but it pertains to the
scientific community, to the third sector,
to the private sector and the more you'll
have those constituences actually in a governance
structure, it feels to me that you might have
better decisions rather than just taking them
unilaterally or with partial information.
With that said, what about privacy issues
and also, ownership of data.
Should we centralized data, should be decentralize
data?
What are the approaches we should take into
account?
I mean, I think regardless of whether you
centralized or decentralized data, one of
the you know, one of the key pieces around
privacy is you know, I know the pieces of
my data personally, that I want to keep private
and I have a sense of how to do that.
But if you don't, if you don't know that something
is valuable, how do you protect it?
And I think that so much of the work that
we're doing in emerging markets and development
is working with people who don't necessarily
have a concept of why this data is valuable.
And that's very risky.
Because if I don't know that, you know, I'm
not an American citizen, I have a social security
number.
If I don't know that I'm not supposed to share
that, then it's risky, right.
You know, and you you sort of, you have this,
you do have in many countries, very low levels
of digital literacy.
I've talked to lots of people and, you know,
countries like Papua New Guinea or Myanmar
where I've looked at their internet usage
and what not.
What chapter to chapter is going about their
internet usage.
They don't use the internet, I don't know,
what about this, oh, that's Facebook, only
use Facebook.
I've never used the internet, I, you know,
I go to Facebook, and that's where I search
for people, that's where I shop, that's where
I search for local restaurants or, you know,
that's my newsfeed.
It's a one stop shop.
And why would I be worried about that?
I have no sense of the risk around that.
And so I think before you even get to the
sort of the architecture of that privacy and
with a dangerous house, you need to really
pull it back to the user level and look at
know what that actually means.
And how abstract these concepts are to people
who are used to putting their money under
their mattress or burying it in the garden
because, you know, what is tangible exists
and the idea of putting it in a bank, very,
very far.
Very risky.
The idea putting it on their mobile phone,
bananas.
You know, the idea of suddenly being paid
in Bitcoin.
I mean, you're just you're taking them from
here to here without explaining any piece
of the journey.
And you know, the same applies with identity,
we need to be very, very careful.
People hang on to these paper cards we give
them.
They mean everything.
They loose the paper card and they don't have
a semblance or sense that behind the scenes
all this data is there.
I'm sure you could sort of talk to some great
examples from Aadhaar and, you know, what
happens at the last mile.
This is actually a great point because on
one side, we have amazing technology like
zero knowledge proof, cryptography, that,
in theory assures like a an interesting model
for identities.
But on the other side, you might have not
only the absence of digital literacy, but
you might have the absence of literacy in
itself, which is the reality of countries
like Brazil, India and others.
So how Aadhaar was introduced and what are
the cultural challenges and the antropological
issues that emerged.
So biometrics were largely because of illiteracy.
You could, you know, you don't have to sign
your name, you could just use your fingerprint.
Right.
That was the general, that was the origin
of introducing biometrics into this Aadhaar
system.
And so, but I think in general the issues
of privacy rights, India, you know, even though
it had Aadhaar, for a decade, didn't have,
is now putting together a privacy law.
And so, it's been very late to the game of
actually creating a substantial product, you
know, omnibus privacy regime.
It's actually a very robust I mean, I think
there's reasons to criticize it, etc.
But we can criticize it any privacy law, the
world, but it's a substantial improvement
to what existed before.
So I think that, the one thing I worry about
in the privacy context is notions of ownership
of data.
A lot of scholars like me feel that that acutally
is unlikely to prove very usefull.
Facebook right now says you own your data.
You know, all the companies say you own your
data, but really it has no meaning because
you licensed your data to them perpetually
throughout the universe in whatever form,
right?
So, as long as you have alien ability, ownership
is not particularly important, because especially
because the valuation of data is very fraught
and so people will alienated the data very
quickly.
So I think it really has to do with governance,
the exact kinds of rights and regimes that
you have.
But I don't think it's ownership and a kind
of libertarian vision of this is property
that will solve the problems.
I will very much agree with that in data is
not property.
I will say that, for all that I'm a privacy
scholar and technologist, I don't think I
have a good handle on what data about me is
floating around out there.
A few years ago, quite a shock, I had to go
set up an account with some firm which really
need a very, I had no prior relationship with
them.
They needed a fairly strong notion of my identity,
they resorted something called knowledge based
authentication.
They dipped into data LOS of a large data
brokers and asked me a bunch of questions
that they thought that only I would know,
the most surprising one was on that said:
Which of these companies have you worked for?
One of the company they listed was a small
obscure startup founded by a friend of mine.
They had that relationship between me and
him, and that he had founded the startup and
that I would know and I thought that was a
remarkable display of how the hell did they
get that.
In machine readable machine possible form?
Very good.
Let me take questions from the audience.
I figure is about time we did that.
Do we have a microphone here?
Excellent.
Please
Thanks a lot.
Im from the United Nations.
I know some of the collegues here, and I have
enormous respect for everybody up on this
topic.
This fascinating topic.
It's one however, as you can see over the
years, my hair has been pulled out.
On average, related to terminology on the
map is related to some basic concepts.
So let me start off by saying something I
think controversial, or to really clarify
things right.
It is utopian dream of ISIS, Al Qaeda every
terroristic criminal network in the world
for digital identity systems that are not
linked to the core legal identity system that
at heart which is birth registration.
And here's what I have to disagree with you.
Birth registration is the gold standard of
identity.
It is not simply an event, is the establishment
of identity and from birth registration, that
identity should follow the person from birth
all the way through life to death.
Nobody should be able to turn up in any country,
including in Estonia as an adult and simply
reinvent himself and saying completely inventing
a new name, a new identity, a new birth date,
and new citizenship on the basis of self identity.
It has to be linked all the way back to a
legal system that starts at birth.
So we have to be clear about that.
And I think also the idea that we were, that
I am not a mechanic to DMV, I'm John Smith
to social security and another name to passport
control.
That I've five or six different legal identities
issued in different documents?
That isn't just... that is a dystopian nightmare.
But to think about, you have to have, we can
have 1000 different identities, 1000 different
digital identities, but we can only have one
legal identity, the real you and it is on
the basis of that identity that your rights
as a citizen, as a human being in terms of
voting rights, citizenship rights and your
rights to welfare and education, that's the
identity one and only one of the most essential
rights.
I think that's a really, it's a really good
point, Niall and I think you have every reason
to be putting that under the table because
I think quite often we neglect to talk about
the importance of CRVS separate registration.
I do think that the lines become a little
more blurry when you think about other ways
that we leverage identity in day to day operations
for example for USAID or for other partners
that we work with, when you are going to,
for example, identify whether someone is creditworthy,
I don't need to know that they are John Smith
or Norm McCann, I need to know their behavioral
patterns that predict whether they can repay
a loan, and so quite often we'll partner with
organizations that they don't need that level
of assurance for the types of things that
I would think of as being fundamental: whether
someone gets a loan or whether someone gets
crop insurance.
And so I think there's this kind of gradation
between the fundamental legal ability to do
X, Y, and Z vote, you know, receive, you know,
the land title, things that need to be in
that legal domain, versus some of the activities
that sometimes are in the legal domain but
but often blur the lines, you know?
Any further comments on this issue?
Maybe just one small one.
I think the beauty will lie in options.
I know I mean, specifically I know in the
UK there is a lot of people desperate to prove
that there is some heritage in their familiy
that allows them to keep the EU passport.
There are multiple reasons, I mean specially,
unfortunally for people that come from Ireland,
there are reasons why this birth certificates
have gone lost.
I am not going to go into that, but there
are reasons why people lose that and is not
such because I lose it myself, but because
it was taken from you.
And I think in order to reestablish yourself,
talking about inclusion, making this possible
for everybody, we need to talk about options.
We need to be able as well to put things together
that we have tha equally justify, and just
very briefly in Nigeria, for example, if you
have nothing which is very often the case.
Nigeria is one of the countries which I think,
has the coverage of about of 5% of legal identities,
so how do you identify yourself?
They tend to go to notaries.
They go with maybe their father and mother,
they confirm that I am who I am, and that's
when they get.
So we need to have options for where there
is a gap in the society.
I worry when there's too much power given
to a government, when the government goes
bad.
Disenfranchising Jews, Romani, dissidents,
people cover disfavorite political party or
ethnic group or what have you.
We've seen too many examples of this, you
know, all to recent history.
And if you suddenly become a non person because
your digital ID has been cancelled, you're
in very big trouble too much is riding on
that.
Or if that starts to, you know, affect your
credit history.
I mean, it gets incredibly messy.
I agree.
There has to be options.
I don't have the answers as to how it's done.
Good, good
Questions?
We got one in the back.
I needed an interesting comment, we have distributed
technology, we need structure and distributed
governments or something like that.
Maybe more specific about what that looks
like.
Well put me on the spot.
I mean, I'm not I mean, I won't be able to
go into the actual technical logic of it.
But, and plus I do think that every solution
we look case by case.
There will be multiple variations to this
and especially when we talk about the development
sector, there will be for example countries
that you don't want them to use too much power,
so who can we bring in?
Let me maybe give you one example.
One example that I particularly am interested
in and I think it's got something quite to
it is the way the UK is appraching this identity
system.
And this is on the basis of there is not a
one office such, there is an ability to put
an ID together on the bases of 50,000 options,
which I think is very smart.
It draws on the institutions that exist in
the system already: the post office, the bank
and so on.
I think we have seen that as well in the Scandinavian
countries, particularly I think of course
Estonia is one, the option to bring in the
banking system and other like trusted providers
that can help build the solution.
But then, if I look into the UK system in
particular, it suddenly all comes together
in what they call the hub and that is the
area where it all gets blurred and it all
gets taken out.
And thats the attack, that is the point of
attack that you want.
Because that is one decision process now.
All the policy suddenly sits within that one
box.
And I think that is when we have to go in
and address the issue of distributive governance.
Now, who should all be included in that governance.
I mean, we need to figure some sort of partnership.
But the technology behind it will probably
draw on what we now know about distributive
technologies.
We have a question from President Ilves.
I would say you have to go beyond identity.
In fact the reason why my number and the building
contact are not working to any degree is that
you have an identity but you could be Rudolph
the Red Nosed Reindeer if you're calling yourself
that.
You have to be connected, you have to be,
you must be connected to a citizen registry
that is a certificate authority, a certificate
issuing authority, unless you do that, you
will not have any digital government.
The problem is that in United States for one
reason or Germany for other reasons, Japan
third reason, they do not make that connection.
And so you never will get to the point of
building up services because you cannot identify
yourself, digitally.
Yes, you can go across the border and now
in Europe, in the Schengen zone, show your
ID and that's fine.
And it was wonderful.
You cannot do anything that is secure because
there is no certificate issuing authority.
So it is more than, it is more than simply
having an ID.
The ID must be matched with something that
can then certify you are you and then allow
you access to services or do whatever you
want to do.
But the problem with this is that I mean,
too much, I think it's too much focusing on
Identity without the infrastructure, which
for anything effective will require a broad
certificate issuing authority foreign services.
Can I just quickly direct to this.
I think that this actually brings up something
that we haven't spoken about yet.
And I do think that it's very important.
Is the the Federated idea of it.
And I think that very much applies to Europe,
and very much applies Africa as well.
And that's maybe not so much I don't actually
know, I don't know enough about the the US
system.
But you might, he might have like one way
of moving around, whereas in Europe, you're
crossing borders and you suddenly are in different
jurisdictions.
And the same, of course, applies to Africa
as well.
And I think the concept of trying to find
a way that we can cross these borders and
still, you were talking about the the Finnish
- Estonia relationship.
I think things like this should also I mean,
should absolutely enter the discussion because
whatever I trust in my own, whatever I established
in my own country, in this modern global world,
it's just not going to be enough.
Right?
Comments?
Yes, please
Say it.
It's not just to issue, the certificate that
certifies your identity that's certainly important
part of it, and then we'll get into whatever
the world has that with passports.
Approximately 200 entities can issue passports,
that voucher identity to the satisfaction
of that country.
And you know, as you can either you can decide
whether or not you want to accept it.
But there's another piece to it.
And that is what technological you call the
authorization, what you're allowed what this
identity is allowed to do.
And there are other ways to do things we receive
an authorization credential, which is independent.
A dollar bill does not require me to show
my identity, a physical key is not bound by
identity.
There are advantages and disadvantages to
schemes like this.
But we try to look at it holistically.
Maybe this is the sort of the that there is
a place for, especially for privacy reasons.
I think, president Ilves has a response to
that
Very
Well, things are moving slowly.
Try it again.
Yeah.
I mean, you have the director of the European
Union, which says that every country must
issue or allow citizens of another EU country,
all the same digital services that offer its
own citizens.
The biggest loser in this is Estonia.
The greatest winner of this would be Greece
if they had an ID, but they don't But Spain,
for example, its issues which allows no service.
The goal should be at least I see in Europe
is that not only digital prescriptions, but
also health records would be I am sick in
Greece and I authorized a doctor he gets to
look at my medical records, he gets my medical
records already translated into Greek because
he would obviously would not know Estonian.
But the point is that you can do all these
things, unfortunately.
And you do all these things today.
There is no technological barrier.
The barriers are all political, and they probably
will remain there for the next 30 years.
So I mean, the technology is all there and
you can extend this you can go beyond the
Schengen zone.
Well, in the Schengen zone, including the
the Norwegians.
Theoretically you can have digital prescriptions
that work in the United States and vice versa.
All of this is possible, but you need to have
a certification, issuing authority, you need
the authorization procedures to access.
All of that is simply non existent.
So that's where we are, on the other hand
on the other point here on identity.
Now, the multiple identities, the big you
know, the big problem in espionage today is?
Facebook, because you don't have a history
anymore.
I mean, we used to be the old days you go
and find some some person who died at age
three and assume that identity, you can't
do that anymore because wherever you live,
you've not been on Facebook.
There are no record of you.
And so, new problem with espionage.
We are going to our final stretch.
Let me take a few questions very quickly.
I'll take one here, one there, one there.
Four questions and then we can.
Just make it short please.
Thank you.
Greg Shaton.
I guess making IPN activities and this conversation
is giving me flashbacks on the effect of GDPR
on width, which brings up much larger issues
of the effect of data protection laws on any
type of identity, accreditation, validation.
I think the data protection laws are moving
exactly away from everything this discussion
has taken place.
And if you want the case study, look at the
attempts that are being right, made right
now.
In the expedited data from policy development
group.
And I can try to create a validation system
for third parties to get who is they, who
owns the domain.
30 people have spent thousands of hours trying
to think about this and biting each other's
necks open, because the the social activists,
the intelectual property.
And it's made 10 times harder because it's
not multilateral trying to do this in the
private sector.
The only way to do this under current law
of the Schengen is entirely multilateral,
tried to the private sectors.
You're just not trying.
Yeah, good point.
Yeah.
I'm Joyce Searles.
I'm a trustee of the Sovereign Foundation.
And I would like to mention about, I take
the point that this isn't going to happen
quickly, that's for sure, but that things
need to be done slowly and can be done slowly.
It's sort of a one off kind of approach.
So that's what I like about distributed identity
solutions.
Or so they're often called self sovereign,
but self sovereign is not because I say I
am who I am, it's just that in the same way
that I have a wallet with, you know, 10 cards
in it, that I can present the card that is
needed for the situation.
It doesn't mean I make up the card in my back
office and give you my driver's license that
I made up.
So it's about being having the ability to
use your individual identifiers.
So my thought is that for decentralized identity
as a way to get started, because it all the
problems that are I've been brought up on
this panel, it's it's as if we could wave
a magic wand and say it's now 50 years from
now and will all be being done the same way
or In an interoperable way, I think what we
really need to do is figure out what are some
things that can be done right now.
And, and decentralize.
And particularly with governance.
I mean, that's one thing I like about the,
the sovereign ledger is, it has, it's heavy
on governance.
So it's just a matter of getting started with
it and not trying to solve every single problem
because you know, Human trafficking is a huge
problem.
And everything that is in the world that up
humans are big problems, but it can't all
be solved with digital identity like, overnight.
So my thought is that we can get started doing
something in the same way that Estonia got
started.
Thank you, Joyce.
Glad to have you and talk with us.
Some more, yes, last two.
Hi, I'm Virpratap.
I'm a second year student at SIPA.
I Really enjoyed the points that both Valerie
and Professor Bellovin brought up as well
as the gentleman from from the UN.
I'm just wondering whether there's a need
to change digital identities from being based
less on nationality and more just the basic
fact of being human.
So just to elaborate more on that.
We were talking, you were talking about countries
that have problematic leaders right now, India,
we have Prime Minister Modi, who is very actively
pursuing a policy to disenfranchise and persecute
Muslims and religious minorities, other religious
minorities.
In the event that that was to happen and they
were to be stripped of citizenship, or any
other basic right, should we not be focusing
more on having a digital identity that just
simply identifies you being human and that
may be even easier to implement internationally
as well.
Very good.
Last question.
We'll just to respond, the technical issues
that president Ilves said.
Can I ask you just hold your answers so we
do a final round
I'll be quick.
So a couple of times it's come up, including
the last question what happens if a bad government
has access to this data.
But what hasn't been brought up is what if
another country gains access to this data.
In 2017, there was a massive data breach of
the Aadhaar database.
1.2 billion sets of 10 fingerprints and Iris
scans, presumably now reside on the databases
of Russia, China, US and Israel, and that
will affect the national security of the country
of India for the next 50 or 60 years.
And until all adults are dead in India.
Now.
That is, the difficulty of securing this data
for so long against such advanced persistent
adversaries is basically impossible.
Isn't this strong argument against such systems.
So let's do a final wrap up.
And let's start with you, Steven.
These risks from Aadhaar were known.
India was warned about this in advance, about
the privacy risks of uncompromising.
No privacy, personal security, security person
was the least bit surprised that this happened.
And yes, there's a risk.
There are identity systems that are more resilient
against this sort of thing.
But they have other disadvantage, like what
you need to have the one true identity to
vote to collect social benefits or whatever,
what have you.
But it as president Ilves pointed out, at
some point someone is about to go certified
work identity.
About 200 countries in the UN, 200 certification
authorities and they can delegate the stage
of problems as if they want.
The question is how are you get them to unrecognized
when they group is systematically disenfranchised.
This is a real problem.
It is a serious problem.
And I don't really know what to do about it.
I'll add on very helpfully, I also don't know
what to do about it.
I think you've hit on one of the key things
that we at USAID are grappling with, which
is the tension of protection of very sensitive
information when we're working with governments
or designing our own systems.
We want to make sure that breaches like that
are not possible.
They will always be possible, though.
And so what steps can you take to encrypt
the data ensure that there is no honey pot
of information that's a target for malicious
actors.
But you always have to balance that and it's
very hard for me as a privacy advocate, is
you always have to balance that with the utility
that having these systems in place brings
to the least advantaged of us, right.
And so having an identification and document,
some people will make the calculation that
that's worth the risk that might be borne
out by these data systems.
And I think that's one thing that we can afford
to give a lot more attention to better quantifying
the perspectives of the individuals that have
to make that calculation ultimately.
It could be that the people whose information
was in this huge database, were willing to
have their biometrics at risk like this, because
it allowed them to get the subsidies that
they desperately needed.
Your face is basically what my face does whenever
I have this argument with colleagues, but
I think there's definitely this utilitarian
approach that you can either let perfect be
the enemy that could construct systems that
are bulletproof, and that would never allow
for a breach.
Or you can take these risks and try and figure
it out as we go, what are the steps that we
can build in that at least inhibit some of
these more egregious breaches, right?
And I think that's the balance that we all
want to strike and it's just a Question of
of having these types of dialogues and trying
to share what's worked and what hasn't.
Yeah.
Yeah, I'll just note to the gentleman in the
front.
I mean, again, I think there's a lot of validity
in what you say.
It obviously strikes horror and to the hearts
of many people who work for international
governments or are more focused on the state
as a center of identity.
But to Aubra's point, we don't need to be
utilitarian about this when I think about
the most vulnerable, and what it could allow
them and and not only.
I mean, of course, there are, you know, cash
transfer systems that serve the vulnerable
but what we don't account for is the time
and energy and effort that goes into these
processes.
And so this kind of like this singular identity,
that it's not based on any nationality.
It's worth having that conversation.
It is worth having that debate there there.
There is certainly negative, you know, there
are negative possibilities that would come
out of it.
But there are also, you know, huge advantages
to just having this one system that could
then be tied into a national system.
Valerie
So maybe starting with the, I think, call
it, did you call it the human ID?
I don't know.
Maybe I'm making this up.
Okay.
All right.
So the the ID that goes beyond national borders.
And I mean, I think we have that.
Facebook is a global ID, if you wanted it.
Amazon is a global ID.
I mean, all these private industry IDs are
global.
Which is not done right.
So I think we need to, we need to think along
these lines of saying, it comes back to the
idea of having multiple identities and it
comes back to the definition between a legal
identity, a foundational identity, and all
the many functional identities, and I think
it's really a combination of the many that
will probably give you the right privacy that
you want, but we really have to start avoiding
the wrong ones.
And I think with this, I also want to address
the point about the urgency.
I mean, I do feel I do feel there's a massive
urgency.
And this is coming to the point as one of
the data theft or the data breaches that we
see.
I mean, this is not just India.
If I was, if I was an evil person, I probably
want to get my hands on the Experian.
It's an Experian?
The Equifax exactly sorry, yes, database,
because all the sudden I could bring down
the entire banking system in the US.
I mean, we've done all of this already.
This is utmost urgency.
The point however, I want to say around how
to do this, we have done identities.
For many years, I have watched many identities
and I've analyzed many identity systems as
well, that have failed, and we're wasting
a lot of time we're wasting a lot of money
because we rush into the solutions.
We get excited of our technologies or we get
excited about something else.
And then we end up with a mess that undoing
is harder than having not even started.
So I think this is urgent, but we need to
properly, we need to address exactly the needs
that are being expressed by the people.
And I think something that isn't just own
by my government is one need that is expressed
multiple times.
But it needs to be done properly.
So that's really all I want to say.
And I just want to pick up like, I think somebody
was holding up the phone saying before, this
is here.
I mean, let's not fool ourselves.
We are so digitally connected.
This has arrived, this is not going to go
away.
So let's just do it properly now.
I didnt labeled it.
Great.
So I think that's exactly right.
So Valerie points out that this is here.
And I think whether it's done by the public
sector or the private sector, it's happening
digital ID is critical to what people do.
Companies need to know who they're dealing
with.
Governments need to know who they're dealing
with.
You need to know who you're dealing with.
Identification is a key part of life.
Now, that said, I'm glad that that isn't an
identity layer on the internet, that all humans
are connected, and everything that we do is
not been connected by human ID because that
would also be problematic, because as we know,
anonymity is also critical to freedom of speech,
freedom of expression.
Even more so in countries in which, including
the United State, in which you might be target
for your speech.
So I think that.
I also just want to emphasize, you know, the
scope of the breach, the Aadhaar breach, there's
some questions, I don't want to take the representation
exactly as it's been made - but I'll leave
that to the side.
We know that Equifax, through the FCC settlement,
is about 140 million people, social security
numbers, names, etc.
So Equifax's break -- then you had the OPM
breach, the federal government employees,
enormous, all 6 million or so people.
The Israeli voting records in about a week
or two ago, and so at least that's the possible
scope of the of the breach.
So these things are being breached.
Encryption, of course, is the key tool to
me, you know, breach doesn't matter if you
can't read the stuff that's that you just
accessed.
So I think that's, it's true.
But essentially, this is happening, we need
to be thoughtful about this, and I think it
has tremendous value, it so I think it is
huge, you know, basis upon which we build
financial inclusion, and I think and other
kinds of inclusion aside.
Great.
So, let me thank you very much.
And thank you for your questions.
Dean Merit Janow, pleas
