The 311 Podcast
The 311 Podcast, hosted by Paul Bellows, is dedicated to exploring and sharing stories of the people behind digital transformation and organizational change management in Public Service organizations.
S2 E7 - The Future of Trust and Identity with Tim Bouma
Today my guest is Tim Bouma. Tim is Canada's public sector digital identity expert. He's held key roles in the federal government for years and was a key player in the Pan-Canadian Trust Framework, which brought together regional and federal government players to define standards and best practices for digital identity.
Tim now sits as a special advisor to Canada's Digital Governance Council, Conseil de Gouvernance Numérique, a member driven nonprofit working on responsible design, architecture, and management of digital technologies for the public service.
Guest information:
Tim Bouma, Special Advisor, Digital Governance Council LinkedIn
Digital Governance Council Website LinkedIn
Public Sector Profile of the Pan-Canadian Trust Framework | Cadre de Confiance pancanadien
The 311 episode with guest and shared friend, Ashley Casovan, that recommended Paul look to Tim Bouma for Canadian expertise in the digital identity area: S1 E1 - Governing A.I. with Ashley Casovan, The 311 Podcast
Additional information on some of the technologies mentioned in the episode:
- Most Minimal Trust Framework, Tim Bouma’s Newsletter
- Trust Frameworks, The Digital ID and Authentication Council of Canada (DIACC)
- Frequently Asked Questions, The Digital ID and Authentication Council of Canada (DIACC)
- Your Guide to Self-Sovereign Identity (SSI), Identity.com
- Decentralized Identity: The Ultimate Guide 2025, Dock Labs
- Border Gateway Protocol (BGP), LivingInternet BGP
- Public Key Encryption, Geeks for Geeks
- What is public key infrastructure?, IBM
- Self-Sovereign Identity: A New Approach to Digital Identity, DSR Corporation
- Issuer / Holder / Verifier Model, LUNA.CO
- What is Blockchain Technology?, Amazon Web Services
- Chaumian ecash, chaum.com
- Nostr: A Simple Protocol for Dec
This is a show about the people that make digital public service work. If you'd like to find out more, visit northern.co/311-podcast/
We're going to keep having conversations like this. If you've got ideas of guests we should speak to, send us an email to the311@northern.co.
This is the 311 Podcast. I'm your host, Paul Bellows. This is a show about the people that make digital work for the public service. If you'd like to find out more, visit northern.co. Today my guest is Tim Bouma. Tim is Canada's public sector digital identity expert. He's held key roles in the federal government for years and was a key player in the Pan-Canadian Trust Framework, which brought together regional and federal government players to define standards and best practices for digital identity. Tim now sits as a special advisor to Canada's Digital Governance Council, Conseil de Gouvernance Numérique, a member driven nonprofit working on responsible design, architecture, and management of digital technologies for the public service. For what it's worth, I'm also a member of the Digital Governance Council, which is one of the ways Tim and I know each other. A bit of table setting for our conversation. If you're not from Canada or maybe if you are, we're often confused in our governance structure with the United States. There are similarities and differences. Like the US, we are a federation, but unlike the US we are an asymmetrical federation of provinces, territories, and indigenous nations. This means that unlike the States, which are all quite equal, the various constituents of Canada's federation have varying levels of power and responsibility. And unlike the states, each of which joined an existing Union, Canada's federation was designed from the ground up to bring together separate colonies and regions into a stronger federation. What this means is that over Canada's history since 1867, there has been a constant tug of war in terms of power and responsibility, both between regions and the federal government and between the regions themselves. This means that when we look at something like digital identity, it's unclear who is best positioned to own the responsibility. 
In my mind, this actually makes Canada an ideal testing ground for concepts like digital identity. We've got the expertise to do this, but the real world complexity that's required to test the concepts of federated identity exists here. The second point to make is that digital identity itself is a sprawling and complex technology space. There are many competing technologies and goals. Devices and operating system players like Apple and Google own biometrics and sign-on technology. Platforms like Meta and YouTube own your personality, taste, hobbies, relationships. Retailers own your spending habits and demographics. Advertisers have a vast repository of information about where you travel, what you eat, what you wear, and your political and social opinions. All of this adds up to what some call your digital twin or the version of you that exists in cyberspace. But government is different. At key moments government needs absolute assurance that the you they are interacting with digitally is really you, handing out medical information, crossing a border, filing taxes and more key transactions are examples. But unlike other digital practitioners, government doesn't want to own or even be aware of your digital twin. There's an intentional anonymity to our relationship with the government that we all want to preserve. One exception is law enforcement where certain information may be tracked securely for risk mitigation purposes. Either way, government has a security and privacy mandate that vastly outstrips the private sector's burden. Tim is someone I've been looking forward to speaking with for years. We met up in the public space of Canada's National Arts Center in Ottawa following a Digital Governance Council meeting where we were planning for an upcoming G7 summit hosted by Canada. It was a great space for what I hope you'll find to be a fascinating and occasionally in the weeds discussion of digital identity and government today. Here's my conversation with Tim Bouma.
Tim Bouma:My name is Tim Bouma. I am a special advisor with the Digital Governance Council. It's a not-for-profit organization here in Canada. It focuses on developing standards and is actually developing conformity assessment programs. I'm actually a public servant. I've actually been on what's called an interchange program where the government of Canada lent me out, if you will, or assigned me to work on the outside of government. And so I'm in this very unique role. It's almost like a liminal space where I'm in between the public sector and in the not-for-profit, but have quite a bit of exposure to the private sector as well. I joined the public service mid-career. Before that I was in the software industry and actually the management consulting industry. So I fell into the area of what was then called identity management, which is evolved to digital identity, which is now sometimes called self-sovereign identity. Different labels when I joined the federal government, they recognized the work I had done on identity management and I ended up at Treasury Board Secretariat, which is a central agency of the Government of Canada, and actually developed all of the digital identity policy like from ground zero. This is going back more than 15, 15 years longer than that, maybe almost 20. And then logically following from that. I did a lot of work with the provinces and territories and worked on what we call the Pan-Canadian Trust Framework. As most Canadians know, would know, maybe not outside of Canada where Canada's a federation, where there's very autonomous provinces and territories, indigenous communities. And so we always have a challenge of developing policies and approaches that respect the sovereignty of the provinces and the territories, and respect the differences across the country. 
And I was in the middle of that, of developing an approach, if you will, or a framework that would enable the federal government to take advantage of the capabilities of the provinces and territories. So I did that work and then the pandemic hit lots of changes and that decided I wanted to make a change. And then the opportunity came up where I could go on interchange to the Digital Governance Council, which again, it's a not-for-profit. And I actually work on national standards and conformity assessment programs. My specialty, my proclivity is around digital identity, but I've also done work on electronic transferable records setting up a conformity assessment program. And then, I pursue passions on the side. I've been focused on some projects on decentralized identity or decentralized protocols. Being an engineer in my training I like to build stuff and kind of learn you, learn from practical experience and been involved in some interesting projects there off the books, so to speak.
Paul Bellows:Absolutely. I. Yeah so you have a little bit of experience in this space. No, I love it, Tim. And as a funny little anecdote, the way you first came into my sphere of people I was aware of I was talking with someone who's a shared friend of ours, I think Ashley Casovan.
Tim Bouma:Oh, yes, yes.
Paul Bellows:And she was a guest on our first season of the podcast with an AI perspective. And I was talking with her afterwards. I said, look, I wanna know who's the guru at Government of Canada about digital identity, who really knows what they're talking about. She said you just gotta talk to Tim Bouma. And so I've been watching you. And then we ended up together on the Digital Governance Council and actually got to meet, and that's how we ended up in our conversation here today. So I appreciate your time and thank you, by the way, just for anyone who's listening. We're in the lobby of the National Arts Center of Canada, and it is a gorgeous building. And if you hear anyone wandering by it's because it's a very popular destination too. But we've got a, we've got a wonderful spot here, so thanks for suggesting the location celebrating Canada's long history of the arts as well as digital progress.
Tim Bouma:Yeah. They like to call this the living room of the nation. So if you ever come to Ottawa and you need a wifi landing spot, come to the National Arts Center.
Paul Bellows:There you go. It will now be on my list of places I can camp when I'm traveling and working not just coffee shops. So Tim, I wanna kinda go back a little bit here. 'Cause I think identity management is a space where there's just, there is so much information and it's just such a wide space that as we get into public service and digital identity, it, it is really different from what you might see in a retailer or a commercial context. The problems to solve are just different problems. So I wanna dive in a little and make sure the audience for the podcast really gets into the depth of why this is a challenging space and why it's more complex than what we call single sign-on, or just giving people access to systems. And so do you have a working definition with a public sector lens of what digital identity management is?
Tim Bouma:Yeah, we defined it in the policy just I don't have the definitions verbatim in my mind, but with the Treasury Board policy we came up we had, a definition for identity. And the definition we had for identity was a reference or designation that for a unique individual, we didn't define it in terms of attributes. It's basically I need a reference to you and how that gets implemented as an ID number or a set of attributes or whatever. We would leave that to the implementation. And then as we evolved the policy suite we introduced the concept of a trusted digital identity. And the idea there was it was an identity that could be accepted for the purposes of providing services on behalf of the Government of Canada. And again, I don't remember the exact definition, but the key thing is that we did all that definitional work, all that policy work. And we codified that and then we brought that into a national standard with the Digital Governance Council, like an accredited national standard. So if you go to the Digital Governance Council site, you can find all the standards and you'll find all the definitions there. We have definitions for credentials, credential verification, identity verification. We came up with very precise definitions because when you're called on to interpret policy you're almost like a lawyer where you have to, decisions hang off these definitions. So you have to be pretty. I always say precisely vague, you wanna have a definition that has enough cogency around it, but it actually gives you enough latitude to account for the different types of implementation. I dunno if that answers your question.
Paul Bellows:It starts to for sure. And I think say, starts to, 'cause it is a large and sprawling space.
Tim Bouma:Yeah.
Paul Bellows:And it's a lot of new concepts. The concept of trust itself. Do I trust so you said, government needs a way to interact with an individual, a person, as defined under the law what is a person. And we need to be able to interact around communication, around services. So it's essential for everything that government's trying to do digitally. Why is the word trust important in that definition?
Tim Bouma:So the precursor to trust was assurance, and we formerly defined that way back in 2012 with a guideline on defining authentication requirements. This is in the very early days of the identity management policies. The definition that we had for assurance was a level of confidence that something was genuine and genuine or true. And then we developed like what we call an assurance level assessment tool. And we took the idea that. What's the impact when something goes wrong, what's the level of impact? And we made it very clear that this was different than a risk assessment where you have, a likelihood times level of impact. We said just assume likelihood is one. If you're in the business of providing service to a Canadian providing service, you will fail, period. Okay? So we want to know, your service, if your service fails what's the impact on the individual? And then we came up with four levels. And again, I, it's been a while, but, level one was, yeah, whatever, it's not a big deal. Level two is oh, inconvenience it's, annoying. Level three is it's a pretty serious situation. Then level four, it could be irreversible damage. So we just came up with that gradation. So always the question was that, if you're providing a service, like issuing a passport, for example, likely falls into level three because if you give it to the wrong person, it could be very serious consequences. Didn't really get into too many level four scenarios. I think one of them. That we talked about, was witness protection, for example. But the majority would fit into level two or level three. So we formalized that as assurance levels and had an assurance level regime to actually categorize the service.
Paul Bellows:I think it's really useful, and I love just the principle of, with internet security, it's never if it's when or
Tim Bouma:Yeah.
Paul Bellows:When it has already happened more often.
Tim Bouma:Yeah.
Paul Bellows:We usually discover these things after the fact. And then yeah, like having a classification framework to talk about, what is the nature of this service? What is the potential risk that could happen? So you understand what actions or what posture to take towards that service.
Tim Bouma:Yeah.
Paul Bellows:Yeah. Okay. That's really helpful. I like that. So a classification scenario is essential. Trust framework being, do people believe that you've taken the appropriate actions? And that the, does this appear to me as a citizen, can I trust this service?
Tim Bouma:So trust is related to assurance and, this is where we introduce the concept of a trusted digital identity and the idea from the federal point of view, is that we're willing to accept a digital identity from another provider, namely a province or a territory. And what do we need to do to accept it as our own, if you will? And then we put together with the Pan-Canadian Trust Framework, we put together a whole assessment framework that would look at a program top to bottom. What's your identity proofing practices? How do you define identity? What's your identity information how do you do authentication? We came up with, I think in total about 400 criteria that we would analyze. It would take months and months, a better part of a year to assess a program. So when we did Alberta and BC it literally took months to go through. At the end of the day you can't fail and trust is paramount, especially for public institutions. So you have to do all that due diligence upfront. You just can't say we, we failed. We didn't, didn't take this into account and too bad, so sad. In the private sector, typically you can just fix that with through financial remedies. You can't do that in the public sector institutions. We always erred on the side of super due diligence and ensuring that, that we always maintain the trust of Canadians. Some might criticize, oh, you're going too slow or whatever, but that's the fact of life.
Paul Bellows:You gotta go slow and whoops is a nuclear event.
Tim Bouma:Yeah.
Paul Bellows:No, absolutely.
Tim Bouma:Yeah.
Paul Bellows:So in Canada, with the fact that we are a federation and so much is managed at a provincial level, but there's such a strong relationship to the federal level, Canada's an interesting lens for other jurisdictions who are looking at this to say, there is often this federated, like federation being a political concept or an organization concept, but also a technology concept of federated technology where we bring together multiple systems into common technologies. So I think Canada provides a really interesting lens for other jurisdictions and why this identity management thing is hard.
Tim Bouma:Yeah.
Paul Bellows:So Alberta and BC are, I think, two, the early movers in digital identity here in the country. Both have done different things, but I know they're looking at each other right now and learning from each other. Right now there's a lot of information sharing happening. Where do you see practices emerging here in Canada that you think are promising.
Tim Bouma:Practices emerging in Canada that are promising? So we sit in between the American approach and the European approach. The American approach is market driven, Wild West. Okay.
Paul Bellows:Plus their REAL ID measures where they've brought in a level of like biometric authentication and an ID level, et cetera.
Tim Bouma:Yeah.
Paul Bellows:They have that piece. It's still pretty new.
Tim Bouma:Yeah. They have the federal, like the REAL ID Act. There's really no coordinated strategy in the US, but it's very technologically driven. Very, state by state. It's it's different. And like the vendors like Google and Apple are very active in that.
Paul Bellows:Absolutely.
Tim Bouma:Your European approach is much more top down, like they have the digital identity legislation, eIDAS version 2.0. They've come up with a whole bunch of implementing acts, they're trying to legislate before implementation, so it's okay that approach might work. We sit in the middle where I'd say we are taking a grassroots market driven approach, but we're very quietly putting in a policy framework that actually supports like a Pan-Canadian approach and just keeping it on under the radar screen and just quietly developing standards. For example, the national standard that we developed, the Digital Governance Council, we took all the federal work and literally took the old wine and poured it into a new wineskin. But it's all the materials verbatim. And then letting the rest of the world see this and see if it applies in their context. A lot of the original work, what we did a number of years back was publish it directly on GitHub. So it was totally available. And it's quite often people know of me because of the work that I've done and the work that I posted publicly, and it's oh, okay. That's really interesting. So a lot of people are paying attention. It's like an open source approach. Working out in the open, having people see it. And yeah, just moving forward, like just very carefully and very incrementally.
Paul Bellows:Yeah. It is one of those hallmarks of government digital work, which is, unlike commercial spaces, we don't exist with competition. What works for Canada may work for someone else, but there's no advantage to Canada keeping that closed or confidential.
Tim Bouma:Yeah.
Paul Bellows:So open. If someone can improve it, if someone can benefit from it, there's no threats to Canada from that.
Tim Bouma:Yeah.
Paul Bellows:And in fact, keeping it open, we'll probably expose it to the threats that we want it to be exposed to. To make sure it is mature technology, mature ideas.
Tim Bouma:Yeah.
Paul Bellows:So I know BC has done their Trust over IP framework. Alberta started with a more of a commercially driven digital identity platform, the ForgeRock platform there that is now evolving to bring more open source in, but I think one of the things with identity management is I don't think for government there is an off the shelf solution really ready.
Tim Bouma:So one of the observations is that actually the technology figures very little into the equation. Alberta had a traditional SAML, Security Assertion Markup Language, ForgeRock solution. BC, so it wasn't Trust over IP, that's a foundation. But they had the BC services card and they developed like their own app. They developed their own services. They used some of the newer protocols like OpenID Connect. But the way that we developed the trust framework, it was technology agnostic. We said, we want to accept a trusted digital identity. What we expect from the provinces is a unique identifier that resolves to one and only one individual. We want a few attributes, namely the name, the date of birth, and maybe a few other attributes. And we wanna make sure that when that stuff comes across the wire, it's correct. As for the province and we know it's actually that individual that's at the other end of the line. And then the technologies could be wildly different. Alberta was more of a traditional legacy system and BC were using later more modern protocols, if you will, and they had an app. But at the end of the day when that trusted digital identity came across the wire, we had the assurance that it was actually coming from the right place and it actually mapped to the right person. So the technology piece was actually pretty small.
Paul Bellows:That's really helpful to hear, I think. 'Cause I think people get so wrapped up in what system do we use, how do we buy it, how do we install it? But it really is the broad practice and almost the philosophy of identity management. And I love that you start to look at who are the actors in this space. You come down to who issues identity, right?
Tim Bouma:Yeah.
Paul Bellows:It's like a driver's license is an identity, A passport is an identity. One of those is issued by a province here in Canada or a state in the US or a jurisdiction. But a passport's issued by the federal government. So both of those are identity issuers and then they be, there'd be some sort of a digital credential connected to that can push up to the internet layer to authenticate you into systems.
Tim Bouma:I also maintain that like identity actually exists outside of the system. And what's inside of the system are identifiers and attributes and just to make some like distinctions like that. So like we would make very clear like passport's not an identity document. It has identity, but it's a travel document. A driver's license is a driver's license. And that's where we had the notion of a trusted digital identity. It wasn't associated with a particular document issuance. In fact, with the provincial programs, usually what happens at their digital identity program evolves is an umbrella program over other agencies that are carrying out functions like registration, like Alberta has like the registration agencies, and then there's health BC and so on and so forth. And they get coordinated in providing that digital identity, as you said, like the issuer. That's one of the key things, and from the federal standpoint. We wanted to make sure it was at the provincial level, at the top level. You're the one providing it to us, like it's not coming from your driver's licensing agency or your health agency or whatever. You have to figure out how to coordinate that internally to provide that as a whole to the federal government so that those were some of the concepts. So when we negotiated the agreements between the federal government and the provinces was at that time Her Majesty in Right of Canada with Her Majesty in Right of Alberta, for example. And we just made it very clear that we wanted to have everything at the top level.
Paul Bellows:Absolutely.
Tim Bouma:Yeah.
Paul Bellows:That's helpful too. There, there's a concept that comes slightly outta sci-fi.
Tim Bouma:Yeah.
Paul Bellows:But I think it's a useful metaphor for no model is perfect, but some are useful.
Tim Bouma:Yeah.
Paul Bellows:So it, it's useful for photography, the concept of a digital twin. You know that there's me living in meat space,
Tim Bouma:Yeah.
Paul Bellows:The person I am. But then at the internet level, there's everything, the internet knows about me. There's everything the government the different systems know about me. Which forms sort of a twin of me in this space. And, part of the work of digital identity is trying to find where are the edges of that person, that digital version of me and all the systems I interact with such that we can say, yeah that's Paul, that this entity digitally. So I know that's an abstract concept, but as you think about, the work of identity management, what the federal government's trying to do, do you think there's a place for that concept in terms of just how you actually look at the citizen and how you understand. I guess the reason I bring it up is people are afraid of the government knowing too much about them.
Tim Bouma:Yeah. I'm lukewarm on that concept. I think it's good for as I understand digital twins, like if you're modeling a building or modeling a piece, an asset or whatever's out in the real world, and you have the corresponding asset digitally rendered in a system, you can actually use that to predict behavior and that, I'm not so sure that's an appropriate term for people. My, my idea is that I need to know that I'm actually talking to you or communicating with you and that the intentions you're communicating are your intentions. They haven't been like surveilled, they haven't been adjusted or whatever but I just know that I'm dealing with you in the moment. And so I look at it from that point of view of simplified Trust frameworks of actually having two layers. There's what I call the instrumental layer, which is all the technology, all the cool stuff that, that wires everything together. And then there's what I call the intentional layer is making sure that those intentions are conveyed truly and at the highest fidelity possible. So digital twin might figure in there somehow, but I don't really see that as a concept that I would pursue, vociferously in relation to people.
Paul Bellows:I actually bring it up 'cause I think it's almost a dark pattern in from a public service lens, 'cause I also live in a world of digital where, there are people that do marketing and there's retail. They very much want to know who am I as Paul, what are my preferences? Do I have children? They wanna know a lot about me.
Tim Bouma:Yeah.
Paul Bellows:And I think a lot of the concepts of marketing that are around personalization or, tuning content. I think those are actually really dark patterns in government, who wants the government to know that much about them? That's not the purpose of my relationship with the government. It is very transactional when I need it. I want you, and I need you, I need to issue a birth certificate. I need to, get something done to my house and I need a building permit. I need to get a travel document 'cause I'm leaving the country. And then I really want your knowledge of me to stop. So I think it's almost refreshing that you had a negative reaction to that.
Tim Bouma:Yeah.
Paul Bellows:As someone sits in the digital identity space.
Tim Bouma:So like privacy and collection authorities are taken very seriously at the federal government level. And if you're only mandated to collect a certain amount of information, that's it. And there's what's, what are called privacy impacts. They err to the side of collecting as little as possible about you. And some might argue that well know that's a bad thing. But then on the other side of the spectrum, you've got other organizations that know everything about you and they feed you ads that you wouldn't dream of seeing. But then when you see them go, Hey that's really interesting. As I said, we always zeroed in on the absolute minimal information that we needed to actually make sure that we're dealing with you, period. Full stop. And it's actually collected within the appropriate authorities of the program. That's that again, it's easy to. You have to be really careful if you overstep your authorities, over collect information because then you could be like a sitting duck if that information gets compromised and it could just make the problem like a thousand times worse.
Paul Bellows:It takes all those classifications and it raises the level of all of them. The more you have, the more risk you're creating.
Tim Bouma:Yeah. Like I view, every piece of personal information you collect is a liability period.
Paul Bellows:It's a great mindset.
Tim Bouma:Yeah. Yeah. Just it's a liability.
Paul Bellows:So from where you sit here, representing Canada in this conversation, looking at other jurisdictions, we talked a little bit about the US who have really, I think, taken a bit of a hands-off approach to this whole thing. There isn't really a strong, either on the privacy side or the identity management side, a strong push in any federal jurisdiction in the states. But I know some other countries have done really well at this and have boasted great outcomes. I think the longtime hero was Estonia, who have their program, the mythological kind of early mover in that space. But I think a lot of other jurisdictions have really eclipsed what or at least caught up with, or maybe in, in certain contexts eclipsed. Who's doing well globally in your perspective?
Tim Bouma:The thing is that every, everything is appropriate within their context. So it's really hard, like the one big lesson that I've learned is that you can't compare one country to another. 'Cause you have no idea the socioeconomic or the institutional context. You don't, you have no idea of the challenges or the opportunities that they're facing. Like Estonia is great because, the, I guess that was in the late eighties, early nineties the Soviet Union basically bugged out completely and left a veritable greenfield for them to develop something right from ground zero. And they took advantage of that. There were some very, visionary folks and they built a system like, and a lot of times, like small jurisdictions can be very nimble. I think like Ottawa has more hospitals than Estonia, for example. It's a very small jurisdiction not to take away from what they're doing, but when you have a smaller population, you can really move quickly. You don't have a lot of the machinery and baggage of institutions that we have here. And there's a bit of a different mindset too a lot of the continental European countries are quite comfortable with centralized systems and comfortable with civil law, Napoleonic code kind of thing. And whereas when you're dealing with Commonwealth countries like Canada and the US it's very much more decentralized. And so they're not very trusting of centralized authorities. I'd say that's pretty much the case in the US, in Canada, but a little less. You were in India recently. Yep.
Paul Bellows:And India has done some things that I was really shocked by. I had no idea how far they've moved on payment, on identity, on centralized services. Having not been to the country, having not seen it on the ground, I'm reading their information on it and everyone's proud of what they've done. Do you get to experience any of that while you were on the ground there?
Tim Bouma:Yeah. Like first of all, it's a country of 1.4 billion people. The city of Delhi is some more population than Canada or Delhi in the outlying region. It's a huge population compared to four 40 million versus 1.4 billion. They have the Aadhaar program, which is a centralized program. Everybody gets an Aadhaar number, and again I don't know all the details. I saw like examples of the universal payment system as well, the UPI and what can I say? Some countries are quite happy to rule ahead on identity systems and the citizens just basically have faith in it and they're quite happy to, happy to abide by what the federal government's doing. It's interesting in India you could see that there's how could I describe it? Some tendencies, like authoritarian tendencies, which just, wouldn't go over in Canada, present your passport at this point. And foreigners pay this amount and domestic people pay this amount. That's really interesting. Different pricing. When you go to a tourist attraction, you the foreigners pay three, five times as much versus what the domestic person would pay. And that's okay, but I'm just not quite used to being, being differentiated on stuff like that. It's different values and yeah I really can't comment beyond that. And again, I have to respect what they've done. It probably wouldn't work in the Canadian context, but that's what they've done.
Paul Bellows:Yeah. I, culture is as important in as
Tim Bouma:Yeah,
Paul Bellows:this is and, social norms is as important in this is the technology impact far outstrips the value, the importance of the technology itself. But with that, it's impossible to not be aware of cryptocurrency, which of course comes from a, like a blockchain or a decentralized model. I know that's important in your thinking in some of the, the early pioneering work you're doing in this space as you said, on your own time. So as you look at, decentralized identity management, decentralized, whether it's a ledger was what. How does this concept of decentralization, which is much more akin to how the internet works
Tim Bouma:Yeah.
Paul Bellows:And the architecture of the internet. How do you think that plays into the identity space and what people have been traditionally doing?
Tim Bouma:You look at the internet today, it's just a given, right. And it works between friends and enemies. Period. And of course you do have firewalls, you do have partitioning in that, but it's just a capability. Again, going to India, you go to a hotel or whatever, the first thing you do is you get on a wifi. You have mobile data everywhere. It's a capability that's there, period. Full stop. And I can communicate as easily in India as I could in my house. And so it's just ubiquitous and, the internet or the IP protocols reasonably decentralized. Of course there's some central points of control, but it actually just. It's designed to route around like adversarial points and that and that I would say identity management systems they've had their original genesis and like centralized administrative systems, and that's how a lot of like identity management systems evolved. Like either for like social benefits registration systems or vital statistics registration systems. But now you're starting to see protocols kinda what the internet was 30 years ago that are starting to emerge with some new I don't wanna get too geeky here. Some new cryptographic.
Paul Bellows:This is the place for it though.
Tim Bouma:Cryptographic primitives like the Bitcoin blockchain. Like what what was introduced like in 2009 by Satoshi developed a system that just basically operated on incentives. They completely externalized the notion of identity outside of the system with hashed public keys. And it was an entirely new architecture and this system has been running for 16, 17 years and nobody's taking it down. It just like, and I last heard, I think it's the fifth most valuable asset class right now. In terms of US dollars, I think it's 1.8 trillion in value now.
Paul Bellows:Wow.
Tim Bouma:And that's a system that just, it just works. So if anything, when that really took off then that put a lot of new interest and energy in cryptography. And what might the new architectures, be there, there was, I would say, for the better part of a decade, a lot of blockchain initiatives private blockchains, public blockchains with varying degrees of success. I think ultimately the use case for blockchain was basically Bitcoin and that's the only one that seems to have succeeded. Other ones can just be done with like databases and some of the permission blockchains are not much better than just having a database to begin with. But coming outta that, some new concepts of identity or public private key pairs and, and a lot of experimentation on what might be some of the new decentralized protocols to maybe not replicate what Satoshi did with Bitcoin, but at least augment on that. It's caused a whole wholesale rethink on what currency is, monetary theory. And now I'm starting to see that there may be some emergent capabilities that, governments or commercial entities just won't be able to stop. And that's what I've been actively looking at to see what protocols might actually succeed and what protocols might actually exist despite government. I think a good way to describe it is that there's a fifth realm emerging, you have like land, sea, space and air, and now you have cyberspace as well. And we have to figure out how to deal with that fifth realm and yeah. It's a monumental challenge.
Paul Bellows:It's huge.
Tim Bouma:Yeah.
Paul Bellows:So do you think as digital identity continues so Bitcoin itself specifically as an implementation of blockchain technology?
Tim Bouma:Yeah.
Paul Bellows:Bitcoin still is an application that runs on top of the internet layer on specific machines, versus the internet, which is, like a website runs on a specific machine and is distributed, Bitcoin runs, on an aggregated install base like SETI, the early days SETI, and some of these applications. But then there's the idea of internet protocols themselves, which are the most abstracted and the most distributed. Is there a missing protocol on the internet for identity? 'Cause the internet starts as a fundamentally anonymous environment outside of IP addresses and specific computers that connect to the internet. The concept of identity isn't really contemplated in the architecture of the modern web yet.
Tim Bouma:Yeah.
Paul Bellows:Is it going that direction or is it still gonna be more like an application that we run?
Tim Bouma:So the success of the internet was the concept of like segmented network addresses. And again, not to get too technical, like the routing protocols, like border gateway protocols. So the idea is that you could have many networks, but at the end it just looks like one network. And then you have things like, network address translations, so on and so forth. So when I communicate from here at the National Arts Centre to somewhere else in the world. There's a sub network here or local network here. And the data gets magically translated with the addresses and that, and finally it gets to the other point of the world that's going to another local network, but it just looks like one single network. My view, like one of the genius protocols was the border gateway protocol, that enabled the internet to look like a unified whole. Keep in mind, 30 years ago when the internet started to take off, everybody started to create their own corporate intranets, and it's look at my intranet. It's better than the internet. I have more resources and I've got my firewalls and only my friends and friends can get in or my employees, but that's all kind of melted away now. So you don't think about boundaries anymore. It's just a unified whole. And so I think eventually identity will get there. Of course the key technology is the, public key cryptography, not PKI. PKI is basically public key infrastructure that's built on public key. PKI has the idea of certificate authorities and that, and there's been like a, an infrastructure or set of services that have been built up over the past 30, 30 years or so.
Paul Bellows:So like SSL where someone re releases you a key, you have a certificate, there's a signing authority.
Tim Bouma:Yeah. That, yeah. You have to get a certificate authority in that. And you have to, the browser vendors have these root programs to say who are the good certificate authorities. I think what I'm witnessing now is, there's a way to decompose those certificate authorities into public private key pairs, and then have those things actually sign whatever the heck they want. You can actually self generate these public private keys yourself. You don't have to rely on a certificate authority. So I'm starting to see that certificate authority model that worked really well. They took the, 19th, 20th century concepts like certificates, actually going back further probably to medieval times and actually put the new technology on it. But now I am seeing where you can go beyond that. You can actually decouple those certificate authorities into like public, private key pairs that can sign anything. Maybe I'm being vague here, but I'm just seeing, now you can blow apart that whole certificate authority structure. You don't actually have to worry about someone making a trust decision on your behalf and then having them use that as an authority over you. You can generate your own public private keys. You can decide which ones to trust. You can build your own network. And, governments could build their own network. People can build their own network. Businesses can build their own network. And there's no way for one actor to push their agenda over another actor. I've been spending a lot of thinking time around that. There was a key advance about 10 years ago what was called the issuer holder verifier model with self-sovereign identity. A lot of excitement around that and a lot of key advances. A lot of, the idea of verifiable credentials came on the scene. But when you start looking at that stuff very closely, I started to see problems with that a couple years ago, get some weird feelings that maybe something wasn't quite right. You could build out an infrastructure.
But then what I started to see was that it seemed to accord special rights to the issuers and the verifiers, and left the holders holding the bag. And then, the issuers, namely certificate authorities or organizations or governments realized that, this technological approach actually helps them maintain their position of privilege. And then it's oh yeah, we're all in because this is just gonna maintain the status quo. And the verifiers say, yeah, we're all in because then we can be gatekeepers and it's maybe that's not right. So where a lot of my thinking is now is that are there new protocols or is there a way to recompose a problem that I as an individual have no advantage over you? Or a government organization or a government or a state has no technological advantage over the individual. Where the advantage comes is an institutional advantage. People trust you or whatever, but, and you take away that technology advantage. So that's where I'm putting a lot of thinking to have is there an architecture, is there a protocol that completely levels the playing field for everyone?
Paul Bellows:So maybe to bring you to a metaphor, which is my unfortunate tendency, like we've got an old world where you've got say a royal seal, which might be, or like a corporate seal is like. Someone has authority, by that authority they manufacture some device that they stamp documents with,
Tim Bouma:Yeah.
Paul Bellows:That gets credentialized the scarcity of that device.
Tim Bouma:Yeah.
Paul Bellows:To bestow. But what you're talking about is something more like a handshake where two people are equals we create a handshake. We've met, we've established our identity together. We've struck a deal or we struck, but it's really the presence of two people. And there's no. The authority has to be earned back or bestowed by some other external agency that the protocol itself, the technology itself is fully democratized in that sense.
Tim Bouma:Absolutely. Yeah. That's a great analogy. That handshake has as much authority as that royal seal, where the difference is the authority that's vested in the agents using those the technology doesn't give the advantage.
Paul Bellows:Yeah.
Tim Bouma:That's the key thing. It's about the individuals. And that's where I'm spending a lot of time thinking about what that might look like.
Paul Bellows:If you take a power theory view of this all, it really eliminates the power from the institution. It puts the power back into the individual's hand.
Tim Bouma:Absolutely. One of my arguments is that issuer holder verifier model actually amplifies the power imbalance. And the ones that are on the good side of that power imbalance, just basically say, we're not gonna say anything because, we're gonna say it's gonna give more power to the individual. It's gonna make things more convenient, but at the end of the day, they're the ones that are the gatekeepers in that. And not necessarily a bad thing, but inappropriate advantages usually end badly over the long run.
Paul Bellows:I think that describes a lot of our world right now.
Tim Bouma:Yeah.
Paul Bellows:You showed me something yesterday that I was, I just blew my mind, which is some of the technology you've been working on. And I know this is still early stages and it's still in, in your private world here. Yeah. But I know you probably won't want to share some of this, but you should be just an interface where, you know, between two of us just with having a phone and being a human, you could send, your, your made up currency, it's, all currency is made up. Yeah. It's just, some of it is actually accepted by the government. Can you talk just a little bit about what you're hoping to achieve with that? 'Cause this is, I think, a really good example of what might be possible based on this new architecture, this new model.
Tim Bouma:Yeah. So what I was showing you is actually real money. It's actually backed by Bitcoin. So as I said, it's only a matter of time before, like Bitcoin becomes a reserve currency. It's an asset. I think we said earlier it's 1.8 trillion. A lot of the financial companies are getting into it and investing like crazy. So it's something that you'll be able to trade across the world, across boundaries, and then the nice thing is that unlike gold is something you can transmit across the world at speed of light. And then, so you have the Bitcoin blockchain, you have Lightning, which is a way of opening channels to shuffle value back and forth. And then I've been experimenting with another technology on top of that, which is Chaumian ecash, which was literally invented in the late eighties, early nineties. And the cryptography is well understood. Where it really failed was that it still needed a centralized clearing house, namely a bank to enforce the double spends in that. But now you can all do that with a Bitcoin and Lightning. And so now you have this settlement and clearing network that's global. It works without banks and works without government. So I've quietly been building a wallet system on top of that. And there's some newer decentralized protocols. There's one called Nostr, which stands for notes and other stuff, transmitted by relays that's taken the Bitcoin architecture and applied it to the first use case of social media. And basically there's what are called events and they get signed cryptographically, and then they get relayed. By relays similar to Bitcoin relays and the architecture I won't get into all the detail here, but it's very versatile because at its root, everything is cryptographically signed and every event is self validating. Every event can exist independently. So I've actually taken that architecture of the and the Nostr relays, and I actually built a component that can live out there in the network, independent of applications and actually independent of devices. So I was spending a lot of time thinking about what a new capability might look like. And as I said I'm trying to make something that no one entity can shut down, governments included. And people may say, oh, that's really bad. But the fact of life is that if it can be engineered, it can be built, it will be built. So I might as well just figure it out and then show to the policy makers, myself included, what's, how are you gonna deal with this? How are you gonna deal with the internet? Like the first reaction was to shut it down. And now it's just part of everyday life. I see a day when anyone will be able to transact directly with one another. And I'm really focused on building a capability that empowers anyone. And I've really boiled it down to the concept is that what everybody wants is mobility. They want to have physical mobility. They want to have social mobility. They want to have economic mobility. Mobility is actually a term that if you look at our Charter of Rights and Freedoms, there's a concept of mobility rights that you can move anywhere within Canada. You have the right to work anywhere in Canada. You have the right to enter and exit Canada. It's just basically in the charter rights. I'm looking at a capability that maximizes my mobility or my digital mobility and enabling that capability where nobody gets in between.
Paul Bellows:I love that you brought up earlier the idea of the fifth realm, of cyber being the fifth realm, because this really speaks to, the metaphors and the imagination that got us solutions from a terrestrial, lens just simply don't apply. You just start to have cyber native.
Tim Bouma:Yeah.
Paul Bellows:Mindsets here. I love it. Now, Tim, Hey, I just wanna say thanks for your time today here. This has been just fascinating for someone with your perspective in the many years you've spent in this space just getting your experience. I think this could be really helpful for people that are on the, in the earlier stages of confronting this stuff. And hopefully this is useful for our folks in understanding where identity is going. So thanks for your time.
Tim Bouma:Yeah. Hopefully. I made sense.
Paul Bellows:It doesn't always make sense.
Tim Bouma:Yeah.
Paul Bellows:But I think you're in the space of the liminal space of, the bleeding edges of all of this,
Tim Bouma:Yeah.
Paul Bellows:And I think we need to confront that too. 'Cause we're not done, in this move towards digital identity.
Tim Bouma:No I feel like the work that I'm doing it literally feels like 1992 and, I'm just seeing, I remember back then the early days of the internet I was involved there and I just feel like it's the same right now. And I just wanna be part of that new wave.
Paul Bellows:Absolutely. Let's bring it on. Thanks so much for joining us for this conversation. Tim is a unique expert in the field of digital identity, and it was great to get his perspective in this space. Some of the points I want to underline include: Canada's work on digital identity through the Pan-Canadian Trust Framework is now openly available as standards published by the Digital Governance Council. You can find that on their website, dgc-cgn.ca. Trust is essential for digital government initiatives and identity management. Along with the pair, practices of privacy and security are essential for getting digital government right. Government organizations need to learn to classify their data in order to develop a mature digital identity practice. We've got an upcoming podcast scheduled with an expert in data classification, so watch for that one coming later this season. For government, digital identity management is more about process, culture and governance than the technology itself. There are also many stakeholders. This space is complex. The internet itself was designed with a certain anonymity built in. There is actually a missing identity layer, and that's why digital identity management is still so challenging. The future of digital identity may lie in decentralized systems, much like cryptocurrency, blockchain, and Bitcoin. Tim was able to share some of his early experiments in this space. I hope you enjoyed the conversation. Please do subscribe and follow us for more. I'd like to thank my colleagues who worked with me on this podcast. Kathy Watton is our show producer and editor, Frederick Brummer and Ahmed Khalil created our theme music and intro. We are gonna keep having conversations like this. Thanks for tuning in. If you've got ideas for guests, we should speak to, send us an email to the311@northern.co. The public service is about all of us, and when it's done right, digital can be a key ingredient for a better world.
This has been the 311 Podcast and I'm your host, Paul Bellows.