Fall event highlight - Steve Wilson says digital identity is dead, so where do we go from here?

I became a podcasting geek long before it became a thing in B2B. But podcasting, in my view, has nothing to do with "lead gen," "monetization," and all that happy blah blah we hear about now.

The beauty of an audio-only podcast is getting an unfiltered, no-BS sit-down with someone who has big ideas - and exploring the motivation behind them.

Hopefully you emerge with a decent recording, and a conversation that gets to the heart of things. How does this line grab you?

I absolutely say without apology that the digital identity movement has failed to deliver.

At Constellation Research's Connected Enterprise 2019, Steve Wilson, VP, Principal Analyst and the man responsible for that zinger, was my perfect foil. Why? He publishes provocative blogs in the public domain (e.g. Identity is Dead), informed by deeper research we may not have access to.

If you call a blog post "Identity is Dead," I'm going to press you on what comes next. Same with Wilson's longstanding critique of blockchain, exemplified by his notorious 2016 post, Blockchain: Almost Everything You Read is Wrong.

"Digital identity is dead" - reality, or rhetorical flourish?

So, we ripped out two podcasts, one on grappling with identity, and one on blockchain myths and realities. (The identify podcast is embedded below). One podcast leads to the other; we start with identity. So, Mr. Wilson, why have you been tracking identity for twenty-odd years? And how did you end up with a digital safety and privacy focus at Constellation Research? Wilson:

My background is digital identity for about 25 years now. I'm going to keep calling it identity, but we might get around to speaking about why I want to change that word sometime. But for now, let's call it digital identity, privacy, and cryptography. A couple of years ago, Ray Wang and I decided to wrap all that up under the banner of "safety."

"Digital identity" opens up a huge can of worms, or what Wilson calls a "sea change" in the entire field: 

It turns out that the problems we've been trying to solve in digital identity are actually much bigger problems across the digital economy, to do with verification of claims and verification of data - the provenance of data.

So what about Wilson's assertion that "identity is dead"? Acknowledging the rhetorical flourish of his blog title, Wilson explains his motivation:

I absolutely say without apology that the digital identity movement has failed to deliver on a big promise that we had 10/12/13 years ago - that you would be able to re-use digital identity across all of your walks of life.

A secure, portable identity? A promise unrealized

Here's what I find disconcerting: we've certainly made huge strides in terms of convenience, from mobile banking to hotel bookings, but a truly secure, portable identity hasn't kept up. Our identity is confined by siloed apps, and constantly prone to hacking and fraud - to the point where even informed vigilance may not protect us from device firmware or software flaws.

But as I told Wilson, the most disconcerting part is that the latest next-gen identity verification tools, from facial recognition to fingerprint recognition, are either deeply flawed, or raise as many troubling issues as they solve. Wilson, however, isn't that pessimistic - a crucial point to note. He believes we've made significant progress on the tech of identity "plumbing."

We are making fantastic progress. Down in the plumbing, your listeners may or may not know about the protocols and the standards, but they are going really well. We have really easy-to-use bio-metrics for unlocking an iPhone or any phone... It's actually quite difficult to hack some commodity fingerprint readers now - but not impossible to hack. And so it's all about expectation, and it's all about scale.

Two-factor identification is a potent example. Some two-factor identification approaches are highly effective - others problematic. And even if you provide two-factor, will individuals use it (and will their employers compel them to use it?). Wilson:

It depends on what you mean by two-factor - using SMS messages for two-factor is a disaster. It should have never happened.

Exploring the upside - progress on digital identity

But - there is progress. Why not the phone itself?

Now we've got the idea that the phone as a second factor...  We can rely on the fact that people look after their phones. It's very rare to actually lose your cell phone. You know, that it's gone within minutes, unlike a wallet.

My phone is never out of my control, and I've got it pin-protected. I've got it biometrically protected. So why don't we take advantage of that? This is what the FIDO Alliance is all about - it leverages the fact that almost everybody's got a phone, and almost everybody protects their phone. (Editor's note - the FIDO alliance is an open authentication standards organization dedicated to developing better identity solutions than passwords).

Prior to the podcast, Wilson gave me a look at his latest Constellation research on data supply chains. One of his key arguments: data brokers are here to stay. The daunting problems they pose cannot be ignored.

We need to keep plugging away at this because they're brokering our data every single day now. So we need to figure out solutions.

"Data brokers" is a broad umbrella; Wilson concedes this field will change considerably as our business models shift. But at the core, it's about addressing a world where data is a core resource - and a business asset.

Every day, we generate massive quantities of data exhaust that pass through a bunch of intermediaries, some of them unknown and, perhaps, unregulated. That's where Wilson's concern lies. He makes a distinction between data mining, and data refining. Many of these "data brokers" are in the refining business, applying analytics to our data and so forth. And while " data brokers" can come off as a derogatory term, some of these brokers are adding value. It doesn't mean they shouldn't be regulated.

On the surface, this is a dark picture:

Most of this comes under surveillance capitalism, and it's pretty dark, and it's a double whammy. We've got shady characters making money out of our data without us knowing it, and worse, to rub salt into the wounds, they're getting breached. And that's a terrible thing.

Wilson warns that our cynicism can be an impediment:

You don't throw the baby out with the bathwater. The reality is that data is valuable. It's actually too valuable for people to look after for themselves.

Now we're onto one of Wilson's core points: putting all of this on individuals is wildly unrealistic.

This is not the Wild West. We need to evolve security from the sort of do-it-yourself security, pack-your-own six-shooter and keep-the-bad-guys-out. We need to evolve through the pony express stage of data management, and get to a point where there are responsible data intermediaries who are being held to account.

We may be jaded about regulation, given that so many digital regulations seem to either lack teeth, or digital nuance. But Wilson holds firm: savvy regulation is part of the solution here. And, for the good news: he sees a shift even in the U.S., amongst privacy-lax consumers:

We have actually detected, in the last two or three years, a shift in sentiment towards GDPR in the USA. By and large, you know, the people that come to this event, Constellation Connected Enterprise, are pretty measured in their view about privacy management.

I think most both people in the C-suite in the USA appreciate the need for data protection. Data privacy is good. It's going to be good for business, and it needs to come with a measure of regulation...  California has passed GDPR-like regulation and we think that it's the start of the right level of regulation that goes with the digital economy.

If digital identity isn't dead, then where to we go from here?

So where does Wilson's research go from here? As he riffed, now that identity is dead, what is next? 

Let's repurpose our thinking. We've got some really cool protocols. I mentioned the FIDO Alliance. There's a number of standards that we don't need to go into, but they are all about verifying claims.

As per our podcast talk on attributes, verification is going to shift constantly:

Identity management, for me, is about proving things about myself. I want to log onto a bank and prove that I have a particular bank account. Sometimes I want to log on and prove that I am the controller of a multi-party bank account with my wife. And sometimes I want to log onto a health service and prove my health identity. So this is all about proving things about me in different contexts.

More good news, from Wilson's vantage point: if we can make progress here, we can apply it to other vexing issues:

This is actually a very similar problem to what we have with fake news and provenance in the real world and in the IoT.

Ergo, the disillusionment with overhyped identity solutions gives way to better things:

If identity isn't doing what we thought it was going to do, the good news is the protocols and the devices and the chips can be repurposed to do something, and it's much bigger and grander and actually more important.

So I'm really optimistic that we're going to see some order in the supply chains of data. In some sense, blockchain is a bit of a go at that. Some of the good things about blockchain have been a well-intended effort to produce some order in the chaos of supply chains.

It's not often you'll hear Wilson say something that positive about blockchains - but his critique of blockchains is another discussion for another post. Oh boy - that will be fun.

Here is the entire podcast for playing and downloading - I didn't cover off nearly all the points we addressed in the audio.

You can also download the podcast or subscribe on iTunes...