Description: Managing and protecting our data and identity in the digital era gains importance by the day. We have many elements for a better system to manage it in finance, health care, and even marketing and advertising. But the pieces need to come together. Andrew Nash, immersed in identity for years, explains how real progress is possible.

This transcript has been lightly edited and condensed for ease of reading. 

Identity is the Steam Engine of the Digital Economy

(Transcription by RA Fisher Ink)

Kirkpatrick: Andrew Nash is managing vice president of Identity Services at Capital One. Did I get that title right?

Nash: Exactly.

Kirkpatrick: And before I ask him his first question, I was going to start the conference yesterday among other things, but decided not to do it, but I think identity and control of personal data is one of the central issues facing technology that’s deeply intertwined with the discussion of ethics and responsibility that we heard earlier, which was an excellent conversation.

And if Facebook really is a little-kid kind of company that is running around accidentally making mistakes because it’s so immature, which I think is arguably true, the big mistake it’s making has a lot to do with its failure to manage identity and personal data and to think about it intelligently. And he has a very interesting point in particular about that, by the way, which we’ll get to. And finally, what these people don’t realize though about Facebook is that identity was a complete mess, [an] unsolved problem on the internet to the point that nobody ever used their real name anywhere on the internet until Facebook came along.

Facebook did give you for the first time a place which was really somewhat secure to put your personal data, and your access to it was authenticated by who you selected as your friends. So you knew only your friends would see it in the early days of Facebook. Therefore, you would put your cell phone number, your email address, your family photos, etcetera. I think Facebook has sort of moved away from that design center, but it’s worth remembering that we did have sort of a little while of sort of a solution that at least seemed like it was making progress.

So you are a part of what you yourself called the Identerati, a group of people who for decades have been working to solve this identity problem through groups like OpenID, Liberty Alliance, Passport, which is all stuff from about 10 or 15 years ago, right? What happened after all that? Where are we, in your view, on identity and the protection of personal data?

Nash: That’s a great question. You know the funny thing about the identity conversation is everybody in this room already knows what identity is. Like down to your fingertips, you know exactly what it is, and none of you agree with each other.


And so whenever we have these conversations, you’re always in this really interesting part; which part of the identity continuum are we talking about? Facebook deals with social identities, for example. We tend to deal with high-assurance identities. About 15 years ago, there was a concept that we espoused called “Identity 2.0.” It emerged around about the Web 2.0 phase. It was about how do you put consumers in control of their own information. And so even with my own team at Capital One, we’d keep talking about: “Have you heard about X, Y, Z?” whether it’s self-sovereign identity, or Solid, or whatever else is going on. And there’s wonderful exuberance about, “Man, look at what’s happening in the world.” And the reality is we’ve been at that problem for at least 15 years now.

What was interesting was we started with OpenID. Most of you use OpenID even if you don’t realize it. So if you’re at Facebook login, then you’re using OpenID. Same with Google. [In] the original concept, there was let’s create an opportunity for every consumer, every individual, every person, to be in control of their own identity and to manage it directly.

Since then, over the last 15 years, the thing that’s somewhat troubling is we’ve done anything but develop identity. We have this whole thing called identity and access management, and really what it’s about is management of user accounts. It’s not actually about identity management; it’s about user management. Largely for the enterprises, but today almost nobody’s actually managing the concept of identity for consumers. So in fact, we’re seeing folks like Tim Berners-Lee, in terms of Solid, self-sovereign identity, the centralized IDs and all of that stuff, coming together, it shows that we’re now back at a point where at least the value propositions are consistent. People desperately want to help every one of us get back in control of our own identity information in some way.

Kirkpatrick: I would say that actually the combination of the Cambridge Analytica incident of the Facebook recent hacking with 30 million complete identities stolen, as well as just a whole rash of cyberattacks on people’s information, it has really changed the psychology of the consumer so that people now feel that protecting personal data is a big deal. And I don’t really think that’s really been understood that way until fairly recently. Would you agree?

Nash: I think that’s fair. I read a blog entry recently which is oriented around identity and its comparison to the steam engines driving change in the industrial revolution. I’m actually a machinist and engineer. I build things in my spare time. There’s a lot of history in that space. What’s really interesting is that 300 years ago when steam was first created, they knew what they wanted to do. It just took a very long time before they actually managed to pull together all of the ecosystem and the technology, the science, the materials capabilities, the ability to work all this stuff, to actually finally get to what they’d thought about nearly 300 years earlier.

Kirkpatrick: Three hundred years?

Nash: It seems like the same might be true of identity. I’m hoping it’s not quite that long.

We had a very clear idea about what we wanted to do 15 years ago. We didn’t necessarily have all of the pieces together. And I think consumer attitudes and recognition are just part of that. So all of a sudden people are—should always have been—caring because we had breaches through all of that time. But right at the moment, there’s at least a motivation where people are beginning to wake up and say, “I don’t know that I can trust the folks that have been running the ecosystem today. There should be a better way to do this.” And I think that’s one of the key parts of this, which is people care now.

Kirkpatrick: They do care. And an idea of an ecosystem is interesting. And you’re at a banking company. You previously ran identity at PayPal and Google. So the fact that somebody like you has gone to Capital One is probably indicative of a change in the ecosystem psychology, right?

Nash: I think that’s true. What is obvious is that we’ve actually taken a line of various aspects of this over the last 25 years. And so I look across modern capabilities like self-sovereign,  what’s interesting is that almost invariably what has caused this to be unsuccessful, or only partially successful, in the previous iterations of this has had nothing to do with technology. And so there are all of these much more interesting questions about how do you actually get to the steady state that everybody envisages where life is wonderful and data gets shared, and we will feel comfortable about managing or being managed by someone? And so a lot of my time has been spent around this concept of how do we actually bootstrap this stuff? How do we actually get from here to somewhere that’s useful?

Kirkpatrick: With Capital One presumably a key player now that you’re there. What is Capital One’ s hopes for a role in this space?

Nash: So I can only share that partially, obviously, at this point. It’s the early days. We’re really in the process of deploying ID verification services as a vendor. And so we’re in the market of helping establish identities for people, but in this mode where we actually have consumers in control of how information is shared or that they actually make a decision about this. So we’ve actively been in that process.

One of the things that’s interesting about financial institutions as opposed to brands that are in the social networking space is that fundamentally financial institutions tend to have a higher level of trust. Not all of them, to be fair, there are always ups and downs. But fundamentally, the fact that we’re managing people’s finances tends to establish that, “Hey, maybe you guys are actually the right place for me to think about a trusted entity that could help me manage my identity.” So I think that’s our opportunity.

Kirkpatrick: So you’re optimistic we’re on the cusp of an ecosystem convergence that allows us to make some real progress so that people may gain the feeling they’re really in control of their information?

Nash: I think we’ve now understood a lot of the things that we’ve taken a run at. As a startup guy, if you looked at this from an enterprise perspective you’d say, “Oh my God, look at all those failures. Clearly none of this stuff every worked. You should run like hell.”

As a startup guy you can say, “Hey, having made all those mistakes, I think we now may be in a position to actually do something useful.” And that’s very much where I am. Which is, we’ve learned a lot.

I think one of the challenges is that some of the new efforts haven’t necessarily understood the history that’s gone before us and might have missed some of those aspects. But I think from a user experience perspective, the opportunity to use mobile devices more effectively, the concept that consumers ought to be in control, all those things are really interesting. One of our bigger challenges though is how do we actually create a user experience that actually allows mere mortals to interact with this system in some useful way.

Kirkpatrick: Yeah. This afternoon we have a session on healthcare innovation which I’m moderating, and this is a topic there too, because healthcare is a place where there is so much data about us. And the patients, the consumers, whatever we’re called, don’t even know where all of our data is. We do know that most of our doctors don’t have access to it when they need it to treat us, and so it’s pretty obvious there’s a problem that needs solving. And there are some great ideas, as we’ll hear on the panel, for ways it could happen. Although I think one of the real challenges is the institutions that control the buckets of data don’t want to cooperate.

But do you think healthcare—I mean, you work in financial services now. You’ve worked in other parts of the ecosystem before. Healthcare seems to be an area where there’s a crying need on the part of consumers as well as a lot of progressive thinkers about the industry. Is that possibly a leverage point for progress here?

Nash: You know, I hope so. The challenge though in this space is, often in this area of dealing with consumers’ own individual information and privacy, we seem to often take a very paternalistic attitude. And so one of the places I used to work for was running a healthcare system many years ago and based on the constraints of the healthcare system like HIPAA, there’s only so much that can be shared.

But we would have people who’d come to us almost begging to share their disease in the hope that someone on the internet might have had some way of helping them save their life. But we weren’t able to do it because we were constrained by the framework we were operating in. And so I think one of their bigger challenges is that at some point we need to wake up and understand that individuals are actually adults, and somehow we need to put them in control of their information in a way that actually both trusts them and helps establish they know what is going on.

Kirkpatrick: But how big of an impediment to that is it that a lot of institutions, businesses as well as hospital systems are very invested in not giving up the control they currently exert?

Nash: That’s a great question. This is what I call a three-beer conversation. It takes a little more time to talk about this than we have left, I suspect. The areas here that I think are interesting is that maybe more than verified information, fresh information is really interesting. If you could have a piece of information delivered to you that would help you complete a transaction more effectively both for your consumer and also from your own risk perspective, that would really useful. And then if we were not trying to hold on to all this information but could reference it from places that had this information, hopefully fresh, then we actually would take away a lot of the opportunities for breaches to take place, because many fewer of us would actually maintain that.

I think we’re right on the cusp of an understanding that there’s an opportunity here for businesses to step out of that mode and put themselves at less risk—you know, the risk is clearly enormous. Understanding that not only could you be at less risk but you could get better information that was fresher than your current data set, I think there’s an opportunity in there for us to cause change.

Kirkpatrick: That sounds like it could have something to do with what Berners-Lee’s idea for what Solid could enable. But it’s a very interesting idea. Rather than try to pull all this stuff that exists about us and bring it all together, just start afresh. And new data that’s created, let’s try that differently. I love that. I’m really glad Capital One’s making it a priority.

I’m so glad to have you on stage, so thank you, Andrew.

Nash: It’s been a pleasure, David. Thanks.