Blockchain and the Limits of Trust

Last week I was privileged to be a guest on This Is Imminent, a new form of Web TV hosted by Simon Waller. The given topic was Blockchain and the Limitations of Trust.

For a replay of the Web TV event go here

As regular readers will know, I have been immersed in the world of Blockchain, cryptocurrency and digital assets for over four years – and while I am not a technologist, I think know enough to understand some of the potential impact and implications of Blockchain on distributed networks, decentralization, governance, disintermediation, digital disruption, programmable money, tokenization, and for the purposes of last week’s discussion, human trust.

The point of the discussion was to explore how Blockchain might provide a solution to the absence of trust we currently experience in many areas of our daily lives. Even better, how Blockchain could enhance or expand our existing trusted relationships, especially across remote networks. The complete event can be viewed here, but be warned that it’s not a technical discussion (and wasn’t intended to be), although Simon did find a very amusing video that tries to explain Blockchain with the aid of Spam (the luncheon meat, not the unwanted e-mail).

At a time when our trust in public institutions is being tested all the time, it’s more important than ever to understand the nature of trust (especially trust placed in any new technology), and to navigate how we establish, build and maintain trust in increasingly peer-to-peer, fractured, fragmented, open and remote networks.

To frame the conversation, I think it’s important to lay down a few guiding principles.

First, a network is only as strong as its weakest point of connection.

Second, there are three main components to maintaining the integrity of a “trusted” network:

  • how are network participants verified?
  • how secure is the network against malicious actors?
  • what are the penalties or sanctions for breaking that trust?

Third, “trust” in the context of networks is a proxy for “risk” – how much or how far are we willing to trust a network, and everyone connected to it?

For example, if you and I know each other personally and I trust you as a friend, colleague or acquaintance, does that mean I should automatically trust everyone else you know? (Probably not.) Equally, should I trust you just because you know all the same people as me? (Again, probably not.) Each relationship (or connection) in that type of network has to be evaluated on its own merits. Although we can do a certain amount of due diligence and triangulation, as each network becomes larger, it’s increasingly difficult for us to “know” each and every connection.

Let’s suppose that the verification process is set appropriately high, that the network is maintained securely, and that there are adequate sanctions for abusing the network trust –  then it is possible for each connection to “know” each other, because the network has created the minimum degree of trust for the network to be viable. Consequently, we might conclude that only trustworthy people would want to join a network based on trust where each transaction is observable and traceable (albeit in the case of Blockchain, pseudonymously).

When it comes to trust and risk assessment, it still amazes me the amount of personal (and private) information people are willing to share on social media platforms, just to get a “free” account. We seem to be very comfortable placing an inordinate amount of trust in these highly centralized services both to protect our data and to manage our relationships – which to me is something of an unfair bargain.

Statistically we know we are more likely to be killed in a car accident than in a plane crash – but we attach far more risk to flying than to driving. Whenever we take our vehicle out on to the road, we automatically assume that every other driver is licensed, insured, and competent to drive, and that their car is taxed and roadworthy. We cannot verify this information ourselves, so we have to trust in both the centralized systems (that regulate drivers, cars and roads), and in each and every individual driver – but we know there are so many weak points in that structure.

Blockchain has the ability to verify each and every participant and transaction on the network, enabling all users to trust in the security and reliability of network transactions. In addition, once verified, participants do not have to keep providing verification each time they want to access the network, because the network “knows” enough about each participant that it can create a mutual level of trust without everyone having to have direct knowledge of each other.

In the asymmetric relationships we have created with centralized platforms such as social media, we find ourselves in a very binary situation – once we have provided our e-mail address, date of birth, gender and whatever else is required, we cannot be confident that the platform “forgets” that information when it no longer needs it. It’s a case of “all or nothing” as the price of network entry. Whereas, if we operated under a system of self-sovereign digital identity (which technology like Blockchain can facilitate), then I can be sure that such platforms only have access to the specific personal data points that I am willing to share with them, for the specific purpose I determine, and only for as long as I decide.

Finally, taking control of, and being responsible for managing our own personal information (such as a private key for a digital wallet) is perhaps a step too far for some people. They might not feel they have enough confidence in their own ability to be trusted with this data, so they would rather delegate this responsibility to centralized systems.

Next week: Always Look On The Bright Side…

 

Australia’s Blockchain Roadmap

The Australian Government recently published its National Blockchain Roadmap – less than 12 months after announcing this initiative. While it’s an admirable development (and generally, to be encouraged), it feels largely aspirational and tends towards the more theoretical rather than the practical or concrete.

First, it references the US Department of Homeland Security, to define the use case for Blockchain. According to these criteria, if a project or application displays three of the four following requirements, then Blockchain technology may offer a suitable solution:

  • data redundancy
  • information transparency
  • data immutability
  • a consensus mechanism

In a recent podcast for The Crypto Conversation, Bram Cohen, the inventor of the BitTorrent peer-to-peer file sharing protocol, defined the primary use case for Blockchain as a “secure decentralized/distributed database”. On the one hand, he describes this as a “total oxymoron; on the other, he acknowledges that Blockchain provides a solution to the twin problems of having to have trusted third parties to verify transactions, and preventing double-spend on the network. This solution lies in having to have consensus on the state of the database.

Second, the Roadmap speaks of adopting a “principles based but technology-neutral” approach when it comes to policy, regulation and standards. Experience tells us that striking a balance between encouraging innovation and regulating a new technology is never easy. Take the example of VOIP: at the time, this new technology (itself built on the newish technology of the internet) was threatened by incumbent telephone companies and existing communications legislation. If the monopolistic telcos had managed to get their way, maybe the Post Office would then have wanted to start charging us for sending e-mails?

With social media (another internet-enabled technology), we continue to see considerable tension as to how such platforms should be regulated in relation to news, broadcasting, publishing, political advertising, copyright, financial services and privacy. In the music and film industries, content owners have attempted to own and control the means of production, manufacture and distribution, not just the content – hence the format wars of the past in videotape, compact discs and digital file protocols. (A recurring theme within  Blockchain commentary is the need for cross-chain interoperability.)

Third, the Roadmap mentions the Government support for Standards Australia in leading the ISO’s Technical Committee 307 on Blockchain and DLT Standards. While such support is to be welcomed, the technology is outpacing both regulation and standards. TC 307 only published its First Technical Report on Smart Contracts in September 2019 – three years after its creation. In other areas, regulation is still trying to catch up with the technology that enables Initial Coin Offerings, Security Token Offerings and Decentralized Autonomous Organizations.

If the ICO phenomenon of 2016-18 demonstrated anything, it revealed that within traditional corporate and market structures, companies no longer have a monopoly on financial capital (issuance was largely subscribed via crowdfunding and informal syndication); human capital (ICO teams were largely self-forming, self-sufficient and self-directed); or networks and markets (decentralized, peer-to-peer and trustless became catch words of the ICO movement). Extend this to DAOs, and the very existence of, and need for traditional boards and shareholders gets called into question.

Fourth, the Roadmap makes reference to some existing government-related projects and initiatives in the area of Blockchain and cryptocurrencies. One is the Digital Transformation Agency’s “Trusted Digital Identity Framework”; another is AUSTRAC’s “Digital Currency Exchange” regulation and registration framework. With the former, a more universal commercial and government solution lies in self-sovereign identity – for example, if I have achieved a 100 point identity check with Bank A, then surely I should be able to “passport” that same ID verification to Bank B, without having to go through a whole new 100 point process? And with the latter, as far as I have been able to ascertain, AUSTRAC does not publish a list of those digital currency exchanges that have registered, and exchanges are not required to publish their registration number on their websites.

Fifth, the need for relevant training is evident from the Roadmap. However, as we know from computer coding and software engineering courses, students often end up learning “yesterday’s language”, rather than acquiring flexible and adaptable coding skills and core building blocks in software development. It’s equally evident that many of today’s developers are increasingly self-taught, especially in Blockchain and related technologies – largely because it is a new and rapidly-evolving landscape.

Finally, the Roadmap has identified three “showcase” examples of where Blockchain can deliver significant outcomes. One is in agricultural supply chains (to track the provenance of wine exports), one is in education and training (to enable trusted credentialing), and one is in financial services (to streamline KYC checks). I think that while each of these is of interest, they are probably just scratching the surface of what is possible.

Next week: Brexit Blues (Part II)

 

Token ring – a digital ID solution

The latest event organized by DIG ID (the Melbourne Digital Identity Meetup) featured a Q&A with Steve Shapiro, CTO of Token, moderated by Alan Tsen, General Manager of Stone & Chalk Melbourne. Given the current level of interest in solutions to address online fraud, ID theft, data protection, privacy and personal security, the discussion covered a lot of conceptual and technical topics in a short space of time, so here are some of the key points.

First off, Steve spoke about his start-up and tech journey, that took him from IM (Digsby, Tagged, Bloomberg IB), to cryptocurrency and digital wallets (Case), to digital ID with the Token ring. The pivot towards an ID solution came about after working on Case, where he realized that most consumers don’t understand private key management and the issue of permanence (as compared to the internet, where password re-sets are relatively easy, and often regularly enforced upon users).

If the goal is to provide fool-proof but highly secure end-user authentication, the solution has to focus on the “signing device”, by making it much easier than the status quo. Hence the combination of two-factor authentication (2FA) and bio-metrics to enable Token ring users to live key-less, card-less and cashless, and without having to constantly remember and update passwords. In short, the Token ring works with anything contactless, as long as the relevant permission/authentication protocol layer (challenge and response process) is compatible with the ring’s circuitry.

In assessing the downside risk, gaining consumer adoption is critical, to ensure that users see the benefits of the convenience combined with the credentialing power. Equally, success will depend on the ability to scale as a hardware manufacturer, and the potential to drive traction through virality.

There is still a lot of design work to do on the hardware itself (to enable assembly, customization and distribution as locally as possible). And the platform needs to bring on more partner protocols, especially in key verticals. At the end of the day, this is still a Blockchain solution, with a UX layer for the cryptographic component.

When asked about the future of ID, Steve felt that in the medium term, consumers will no longer have to carry around multiple cards or have to remember multiple passwords. Longer term, governments will no longer be the central authority on managing ID: unlike today, a driver’s license will no longer be the gold standard – instead, solutions will be based on decentralized, contextualized and user-defined ID.

This led to a discussion about Sovereign IDe-government and digital citizenship (e.g., Dubai and Estonia) – and the break up of big government in favour of more city-states. (Which could result either in a “small is beautiful” approach to self-governing and sustainable communities, or a dystopian nightmare of human geo-blocking, as in a film like “Code 46”).

For the tech buffs, the Token ring’s IC hosts a total of 84 components, including the main secure element (as with mobile phones and other devices), finger print reader, optical scan, Bluetooth, NFC, accelerometer, MCU, Custom inductive charging etc.

Finally, there was a discussion about the risk of cloning, mimicking or breaching the unique and secure ID attributes embedded in each Token ring. While it is possible for users to encrypt other knowledge components as part of their individual access verification and authentication (e.g., hand gestures), there is still a need to rely upon trusted manufacturers not to corrupt or compromise the secure layer. And while the public keys to core protocols (such as credit cards and swipe cards) are maintained by the protocol owners themselves and not stored on the device or on Token’s servers, it will be possible for other third parties to on-board their own protocols via a SDK.

Next week: Startup Vic’s EdTech Pitch Night