"On the internet, nobody knows you're a dog." The cartoonist Peter Steiner identified this challenge in 1993. Three decades later, we still struggle to solve it.
We were not doing a lot online back then, mainly CompuServe, Gopher and Usenet, which we accessed through a dial-up 28.8 kbps modem. Phishing frauds existed, but the consequences were not really that big, although the first internet banks started to appear a year or two later.
Needless to say, with the Internet population growing from 14 million to 5 billion in the past 30 years, and people doing a lot of critical transactions online, the fraudsters have also found multiple ways to abuse the online space. Hence, the problem of "being a dog" (or perhaps: "what kind of dog are you?") online has gotten a lot worse.
If you have ever seen me presenting, you know that I love this cartoon by Peter Steiner that was published in the New Yorker on 5th July 1993.
We still don't have any good way of proving who we are, or something about us, online. Last year, I joined an online forum about digital identity and introduced myself by name and company. The first comment I received was "Prove it"... And of course, I do not have a simple way to do this. And if somebody calls me and claims to be calling from the bank or the police (or "Microsoft support"), I don't have a simple way of verifying that they actually are who they say they are.
Even though there are a lot of details around the EU digital identity wallet (EUDIW) which are not clear at this time, I believe that we are moving in the right direction. We are moving towards an ecosystem where I will be able to present claims about myself which can be verified by others: Verifiable Claims (VCs). With VCs, I would be able to prove that I am a human (bye-bye, CAPTCHAs), who I work for, my nationality, my age, my credit score, and pretty much anything else, for example proving that you are eligible for a discount on public transportation (without having to reveal whether this is because you are of age or have a medical condition). Only the imagination limits the use cases when we have the EUDIW infrastructure in place.
However... When I receive a claim, how do I know whether I can trust it or not? By using asymmetric cryptography, the origin, integrity and non-repudiation of the claim can be asserted, or in other words, the claim is exactly as it was issued by the issuer. Some would also claim that distributed ledgers (aka blockchain) are the answer to this.
A more challenging question is: who is the issuer of the claim, and can I trust them? This requires a trust infrastructure, and we already have this when certification authorities (CAs) are issuing digital certificates. If you want to set up a public webpage, you will need a digital certificate, which is issued by a trusted issuer. These issuers have gone through an official approval process, to ensure that certificates are issued in a trusted way. This includes checking the identity and doing background checks.
Whenever you visit a website, your browser will check that the URL matches that of the corresponding certificate, making it very difficult for somebody to spoof the website. The same trust infrastructure can (and will) be used to issue VCs. And the same infrastructure will be used to handle revocation. A claim like "I am allowed to drive a car" may be revoked by the authorities if, for example, you have been drunk driving.
But how do you know whether you can trust the issuer of the information? If a website has a valid certificate, it does not automatically mean that you can trust the information posted on that website. We've all seen a lot of websites with false information, but a valid certificate. So, a Certificate Authority will only assert the identity of the organization or person behind the website, not the credibility.
To conclude, we have not solved the "Nobody knows you're a dog" conundrum 30 years later. But despite the challenges mentioned above, we are definitely moving in the right direction. Personally, I believe the EUDIW and similar initiatives around the world will help solve the issue.
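The checks a receiver of a claim has to make (is it exactly as issued, is the issuer on my trust list, has it been revoked) can be sketched as follows. This is an added example, not code from the author or from the EUDIW specifications: the Claim layout, the function names, the issuer name and the choice of Ed25519 signatures are assumptions for illustration, and real verifiable credentials use standardised formats.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Claim is a constructed stand-in for a verifiable claim, not a real VC format.
type Claim struct {
	ID, Issuer, Subject, Statement string
	Signature                      []byte
}

// payload quotes each signed field (%q) so field boundaries are unambiguous.
func payload(c Claim) []byte {
	return []byte(fmt.Sprintf("%q %q %q %q", c.ID, c.Issuer, c.Subject, c.Statement))
}

// Sign is the issuer side: it binds every field to the issuer's private key.
func Sign(c Claim, key ed25519.PrivateKey) Claim {
	c.Signature = ed25519.Sign(key, payload(c))
	return c
}

// Check returns nil when the claim is from an issuer on the trust list, is
// unaltered and is not revoked. It cannot tell whether the statement is true.
func Check(c Claim, trusted map[string]ed25519.PublicKey, revoked map[string]bool) error {
	pub, ok := trusted[c.Issuer]
	switch {
	case !ok:
		return fmt.Errorf("issuer %q is not on the trust list", c.Issuer)
	case !ed25519.Verify(pub, payload(c), c.Signature):
		return fmt.Errorf("bad signature: altered, or not issued by %q", c.Issuer)
	case revoked[c.ID]:
		return fmt.Errorf("claim %q has been revoked", c.ID)
	}
	return nil
}

// demoSetup (constructed data): trust list with one issuer, its key, and an unlisted party's key.
func demoSetup() (map[string]ed25519.PublicKey, ed25519.PrivateKey, ed25519.PrivateKey) {
	pub, auth, _ := ed25519.GenerateKey(nil)
	_, rogue, _ := ed25519.GenerateKey(nil)
	return map[string]ed25519.PublicKey{"Transport Authority": pub}, auth, rogue
}

func main() {
	trusted, auth, _ := demoSetup()
	fmt.Println(Check(Sign(Claim{ID: "lic-1", Issuer: "Transport Authority"}, auth), trusted, nil))
}
```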
With over 25 years’ experience in digital identity, John Erik Setsaas is a pioneer in this space. He has deep knowledge in the areas of digital onboarding, authentication, electronic signatures and seals, time stamping and digital identity wallet.
He is a prolific speaker at fintech industry events around the world.