Powerful AI tools that facilitate online fraud through convincing “deep fakes” are adding fuel to the fire in an online environment where fraud and identity theft are on the rise. Cyber-attacks on critical infrastructure such as the Optus and Medicare hacks have led to large scale identity theft that further erodes trust in digital services. Leaving major fraud aside, just google “create a fake bank statement” to see how easy and how prevalent minor fraud must be. Every time a plastic driver’s licence is presented at a bar or retail outlet, far more personal information than necessary is leaked.
The emergence of new web standards called “Verifiable Credentials” and “Decentralised Identifiers” offer a future where identity can be proven, and digital documents cannot be faked. The same standards also remove the need for centralised honeypots of sensitive data such as identity documents and medical records by empowering every citizen and business with sovereignty over their own secure data stores. Some sample scenarios will help visualise this more empowered and secure future.
- A government issued identity credential in a citizen digital wallet would allow citizens to prove their identity online (for example to get a mobile SIM) without providing copies of identity documents.
- When bank statements, insurance certificates, educational certificates and so on are all issued as digital credentials to the subjects, then verifier parties like rental agents, customers, employers can be confident that they are not fake.
- Greenwashing is rife with up to 70% of environmental or social claims being fake or misleading. But if digital compliance certificates from independent auditors accompany products, then unsustainable behaviour will have nowhere to hide.
So what is a Verifiable Credential actually? It is a portable packet of data that is digitally signed by the issuer following an international standard from the World Wide Web Consortium. A very fundamental idea is that VCs (e.g. a degree certificate) are created by “issuers” (e.g. Oxford University) and stored by “holders” (e.g. John Smith) in their wallet of choice and can then be presented to any “verifier” (e.g. potential employer ACME Pty Ltd). There is no need for the issuer to have any prior knowledge about who will verify and, more importantly, there is no need for any communication between the verifier and the issuer so there can be no surveillance of use. In many ways, a VC is similar to an e-passport which is issued by a trusted government entity, carried in your pocket, and verified at any border gate world-wide without the need to contact your government. The only way to fake a VC is if the fraudster has managed to steal the private keys of the issuer which are usually very well protected.
VCs have a few other very useful features. They are both machine readable and human friendly at the same time and so are easily verified either in-person or online. They can be selectively redacted to protect private information without loss of integrity. So, for example, a citizen could hide all data on their driver’s licence except their photo and date of birth when buying alcohol. They are revokable so that a verifier can immediately see that you no longer have the permission indicated (eg driving, visa conditions, etc).
The other key tool in this new digital trust architecture is the Decentralised Identifier (DID). Unlike other identifiers such as business numbers, passport numbers, and so on, a DID is self-issued by the holder. DIDs are sometimes referred to as “self-sovereign identifiers”. In most cases, a DID is a meaningless (but globally unique) string of characters. Why on earth would that be useful you might ask? The value of a DID is that it includes a cryptographic public / private key pair which can be used to prove without doubt that the holder is the rightful owner of the DID. Without DIDs, VCs would be subject to “replay attacks”. Every time you present a VC, you are sharing a full copy (unless selectively redacted). So what’s to prevent the verifier keeping that copy and then pretending it’s theirs? When VCs are issued to DIDs as the subject, then only the holder of that DID has the private key that is used to verify ownership.
GoSource has world-leading expertise in digital trust. Our staff have delivered a VC capability for the Australian Border Force called the Digital Verification Platform. We have authored white papers on VCs for the United Nations, and are leading VC-based international supply chain traceability projects.
Almost every business or government agency is an issuer of some kind of documentary evidence that has value. By issuing these same documents as digital verifiable credentials you are empowering your customers and contributing to online digital trust. It is easy to do and does not require any fundamental change in your business processes or systems.