The following article is an adapted transcript based on the audio recording of Season 2, Episode 1 of the Mr. Open Banking podcast. The audio version is available here.
In the first episode of Mr. Open Banking’s new season, we explored the intriguing subject of digital identity, a critical facet of Open Banking.
Digital identity is data about you: who you are, what you’ve agreed to, and who you trust. Some people even argue that your digital identity includes everything you say and do online. According to our guest, Nat Sakimura, this isn’t far from the truth.
Nat is considered one of the foremost global experts on the subjects of identity and privacy. He’s known for his work at both the OpenID Foundation as chairman of the board and the Nomura Research Institute as an identity and privacy standardization architect.
In his over 30-year career, Nat has penned some of the world’s most widely used open data standards and strives to help communities understand and organize themselves around innovative ideas of identity and privacy.
What is digital identity?
For Nat, the essence of digital identity is a set of attributes about any entity. When this entity is a living, breathing human being, that identity is also known as personal data.
“As long as it is actual data that can be linked back to a single individual, we treat it as personal data.”
Some would say “personal data” is a bit of an oxymoron. They feel that it inherently wants to be free and there is no such thing as personal data at all.
Nat argues that those perceptions of data are viewing “personal” as something possessive. In reality, personal data is simply data that can be linked back to a person in any way.
Interestingly, Nat uses the term “linked back to” as opposed to “owned.” A lot of dialogue around personal data comes back to this word: ownership. However, Nat says that data cannot legally be owned. You can’t establish a property rights type of ownership over information, because it can be copied.
Dichotomy
This is where a dichotomy comes into play. The difference between data and property is that the more you copy and paste data, the more valuable it becomes, unlike property, which is gone once you use it.
Our structures of laws and rights are built around this zero-sum structure. For example, we can’t both own a piece of land or a piece of property. But when it comes to data, it isn’t that simple. Nat explains:
“It’s more like copyright. So, you have copyright, and you have economic rights around it, as well. And the music, for example, can be copied many times. But the value of the music itself doesn’t diminish.”
Since your personal data is linked to you, you should have certain rights. This includes an economic right to any value generated by that data, just like an author or songwriter would have economic rights to the data they’ve created. However, at the heart of all the data we create every day remains this core of identity.
OpenID’s identity layer
Nat has spent decades trying to solve the difficult problem of how best to maintain an identity in a digital world. He and his colleagues at the OpenID Foundation are creating a new layer of the Internet — an identity layer — which will underpin all of our digital identities well into the future.
“It’s a technical facility which allows an individual, as well as corporations and governments, to manage how their attributes are being transferred or expressed to another party.”
Since our personal data is distributed all through the internet, the OpenID protocol gives us a way to bring it all back together under one common identity and create a single view of our distributed data.
This is where Open Banking comes in. The fact is, we rightly expect a certain degree of protection when it comes to our money. That’s why the standards created by the OpenID Foundation are so crucial to Open Banking efforts around the world, defining how customers are identified and how they agree to securely share their financial data.
Within the OpenID Foundation is the Financial Grade API (FAPI). This group is working on the high-level security protocols for identity transactions. Today, FAPI is being adopted as a de facto security standard in the Open Banking world, specifically in places like the UK and Australia. The bottom of the security stack is the base on which OpenID is built: OAuth 2.0. Nat explains:
“OAuth 2.0 is a framework that allows you to delegate access to an API. It’s like creating a special purpose key for the safe so that a person can only perform that action.”
The next layer in the security stack is OpenID Connect. It builds on OAuth 2.0 to create a protocol that allows a party to express who the user is to the other party.
The layer above OpenID Connect is FAPI. OpenID Connect provides various levels of security, but elaborate security measures can become overkill for most consumers. FAPI constrains those options to the ones that can support the highest-security scenario.
Recently, another layer was added to the stack called Client Initiated Backchannel Authentication (CIBA). This layer deals with cases where the user is not online directly.
Between all of these technologies, OpenID offers a way to authorize and authenticate in a distributed manner. No matter the service being used, it’s always adopting the same standards and mechanisms. Plus, those mechanisms are secure.
The efforts of the OpenID Foundation have become critical to the success of Open Banking around the world. The stack we explored, made up of OAuth 2.0, OpenID Connect, FAPI, and CIBA, is now the gold standard for Open Banking readiness, putting Nat and his team right at the center of the action.
With these standards, banks can build powerful ways to track consent, using well-defined technical constructs like claims and grants to manage securely who has agreed to share what data with whom.
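The consent tracking described above, and Nat's "special purpose key" analogy for OAuth 2.0, can be sketched in a few lines. This is an added example, not code from the podcast, the OpenID Foundation or any bank; the `Grant` record, the scope names and the client identifiers are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    """One consent record: who agreed to share what, with whom, until when."""
    customer_id: str
    client_id: str        # the third party the customer chose to trust
    scopes: frozenset     # data or actions covered (hypothetical names)
    expires_at: datetime
    revoked: bool = False

def authorize(grants, customer_id, client_id, scope, now):
    """Decide one third-party API request; returns (allowed, reason)."""
    matching = [g for g in grants
                if g.customer_id == customer_id and g.client_id == client_id]
    if not matching:
        return False, "no_grant"
    reason = "scope_not_granted"
    for g in matching:
        if scope not in g.scopes:
            continue              # this key does not open this door
        if g.revoked:
            reason = "revoked"
        elif now >= g.expires_at:
            reason = "expired"
        else:
            return True, "ok"
    return False, reason

# Constructed sample data, for illustration only.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "budget-app",
          frozenset({"accounts:read", "transactions:read"}),
          NOW + timedelta(days=90)),
    Grant("alice", "loan-broker", frozenset({"accounts:read"}),
          NOW - timedelta(days=1)),
    Grant("bob", "budget-app", frozenset({"accounts:read"}),
          NOW + timedelta(days=30), revoked=True),
]

if __name__ == "__main__":
    for req in [("alice", "budget-app", "transactions:read"),
                ("alice", "budget-app", "payments:write"),
                ("alice", "loan-broker", "accounts:read"),
                ("bob", "budget-app", "accounts:read")]:
        print(req, authorize(GRANTS, *req, NOW))
```

The deny reasons matter as much as the allow: logging them per request gives the bank an audit trail of which third party attempted what against which consent.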
Standardizing digital identity
How is identity to be managed in such a fragmented and distributed way? Realistically, the world is still figuring that out, as banks, governments, and giant tech companies all vie to become your favorite, and perhaps only, identity provider.
If you look around the world, different countries are taking different approaches to this question of managing identities for their populations. Nat feels that moving to national identity schemes won’t protect people from privacy invasions.
“The privacy violation comes from the use of the data. Just replacing the privately run identity system with a government-run identity system doesn’t change the situation. In some cases, many people fear that having too much data accumulated makes the government even more dangerous than having that data in a private company.”
That is certainly the case in many places. People trust their governments even less than they trust social media networks. Unfortunately, the current situation feels like a choice between trusting our government with our identities or trusting social media giants and other private digital providers with our identities.
Nat suggests that standardizing digital identity can ensure identity providers all operate on the same interface. That way, it will cost less. But what does this mean in the context of Open Banking?
Open Banking and digital identity
One of the advantages of cash is its ability to support anonymous transactions. Many of those who lament Open Banking worry that the government or the corporation is going to see all of their banking activity. They want their transactions to remain anonymous.
Nat says there is a way to maintain the anonymity of cash in a digital world. You can use a wallet system that holds anonymous digital money. However, if you lose that device, just like if you lost cash, the money is gone.
Regardless, Nat sees Open Banking as an effective lever to help drive adoption and education of identity management and consent management. He explains:
“Whether you like it or not, if you start using the banking services in the Open Banking context, you will be exposed to that framework and people will learn to think in concrete actions much better than in the abstract.”
And if you still trust no one, there are more solutions. Take self-sovereign identity, for example. Nat explains:
“Self-sovereign identity is a concept which allows you to maintain your internet identity that is created by yourself and will not be thus revoked by any party.”
It almost seems like everyone should move towards some form of self-sovereign identity. However, Nat says the important thing to remember is that you are still not the authoritative source of your data. Other parties can retain control over your data.
Nat says you might have to doubt if your own name even belongs to you. In reality, the government is the authoritative source of your name. This can make it feel like identity diffuses into almost nothing. Nat sees it in another way.
“Identity is not diffusing. Identity is a constant, which can only be instantiated with a relationship and with a point in time. Identity is an abstract notion, which only gets embodied in a particular context.”
Digital identity is key to making Open Banking work
Who are you? What makes you, well, you? Capturing our digital identity — the official expression of who we are online — demands that we claim certain data as our own, while still being able to share it with others.
Meeting this seemingly impossible challenge is the work of the OpenID Foundation. The standards they create, including OpenID Connect, FAPI, and CIBA, help answer these philosophical questions in a way that code can understand.
Using their technical constructs of grants and claims, we can begin to capture the consent to share data in a strong, reliable, and meaningful way.
No group has embraced these new standards more than the global Open Banking community. The reason is clear: Open Banking is wholly dependent on digital identity.
Without some mechanism to track and verify people’s identity, the whole notion of a common, Open Banking ecosystem falls apart. At the same time, digital identity efforts are useless without something practical for them to do. The truth is, Open Banking and digital identity need each other to succeed.
Real or fake?
But is identity even real? Is it a specific thing that you can point to? According to Nat, not really.
Identity only becomes visible under the lens of a particular context. Your identity towards your family, your bank, and your government are all different. Yet, all are valid and all are real. Your identity belongs to you, but can only be seen through the eyes of others. How this comes to be in the digital world remains a work in progress.
To learn more about Nat and his work with the OpenID Foundation, visit his personal website and the OpenID website.