Ransomware Attack – How to Prevent

There has been an increase in ransomware attacks here in The Netherlands, mainly targeting SMEs and startups. Our Tech Lead, Eduardo Elias Saleh, kindly wrote an internal memo detailing how we should prevent and protect ourselves from a ransomware attack.

“Security is not something we do once, it’s a culture.” – Eduardo

We thought that these tips could provide value to many more so we decided to share what Eduardo wrote. Here are some actions we need to take to avoid being victims of an attack:

Ransomware Attack: Definition

Ransomware is a type of attack, carried out with malware, in which an attacker blocks a user’s access to their data by encrypting it and demands a ransom to unlock and decrypt it.

Never open unwanted attachments

Even when they come from someone you know, avoid opening attachments that you didn’t explicitly ask for. People you know who have been infected by the virus can spread it, and most of the time the emails are quite compelling.

Backup everything

Not only because of the virus but because HDs (even SSDs) fail. Keep at least two up-to-date copies of the important documents you have in your possession on external drives.

Don’t download/execute apps you don’t know

Pirated, unofficial and non-commercial software can carry trojans. Only use/download/execute software that came from known reliable sources.

Q: “What should I do if I suffer a ransomware attack?”

This is a very complex answer. If you don’t have a backup of your data, either you pay or it’s gone.

The “politically correct” answer is: don’t pay, call the police and pray. But there’s nothing the police can do. It’s highly improbable they find the culprit and, even if they do, they won’t find the keys that encrypted your disk.

The only solution is to prevent and have a backup or pay. Otherwise, you just have to accept it’s all gone and move on.

Additional Security Measures

Strong password login: Only you should be able to have access to the data in your HD. In case someone gets physical access to it, it shouldn’t be easy to access the data.

Encrypt your storage: A login and password don’t really matter if your HD is not encrypted. If someone steals your machine and your HD is not encrypted, they can remove the HD and grab the data from another computer.

You can chat with Eduardo on his LinkedIn.

If you’re into Digital Identity, here’s the most complete guide on Identity Management with Blockchain.

Innovation in Healthcare: 4 ways Self-Sovereign Identity will disrupt Healthcare

The number one innovation in healthcare you should be paying attention to – whether you work in tech, innovation management, policy making or digital transformation within your healthcare institution – is private and secure digital identity. This blog will tell you why.

Our expertise in this space has led us to recently being funded with a seven digit figure and to winning awards from The Chivas Venture, the Blockchain Innovation Conference, The Spindle Innovation and more.

In this guide about blockchain and identity management, we have covered extensively how a modern digital identity management system can maintain the security and privacy of its users by decentralising the data storage and by minimising the quantity of personal data stored.

By implementing the innovative technology of Self-Sovereign Identity, users own their personal data and are able to access services from an organisation, proving who they are and ensuring trust without the need to disclose any personal details. This greatly reduces the amount of data an organisation stores and thus reduces the possibility of Personal Data Regulations infringement.

Let’s dive into the 4 reasons why Self-Sovereign Identity is a major innovation in healthcare:

Innovation in Healthcare: Efficient Identification

The importance of identity is paramount in the healthcare industry. According to a World Bank report on The Role of Digital Identification for Healthcare:

“Providers need to know a patient’s identity to access relevant medical and treatment histories and ensure that they are giving consistent and appropriate care. 

Patients also need documentation to prove enrollment in insurance programs or other safety nets that cover medical expenses. (…)

Health insurers need to be able to identify patients to ensure that those for whom claims are submitted are actually insured and to facilitate the adjudication of claims based on the patient’s history. 

A secure, inclusive, and responsible method of uniquely identifying and authenticating healthcare users over time and across facilities is central to each of these needs and the goal of achieving universal health care”. 

Although this World Bank report focuses on the use of unique identifiers, which are a privacy concern because they make correlation possible, we consider the reasons it presents for the importance of identification in healthcare to be valid.

Efficient identification is jeopardized in countries where identity and information systems are weak, either because their records are paper based or because their digital identity management systems do not allow for interoperability with other systems. This impedes the transfer of records or data between organisations, which ultimately leads to less efficient health services.

“As a result, 3.5 billion people worldwide who do not have access to quality essential health services” 

Private and secure channels for data transfer that provide trust between health facilities, patients, insurers and government are thus of absolute importance. A Self-Sovereign Digital Identity could provide them.

Innovation in Healthcare: Interoperability and Trust

By using a common identity metasystem, institutions within the healthcare industry could easily and seamlessly verify digital Verifiable Credentials issued by other organisations (and even issue some themselves). A healthcare facility could trust the authenticity of a patient credential without even having to check the actual data it contains.

These privacy maintaining channels would be assured through cryptography and Zero-Knowledge Proofs. The verifying organisation would just have to check the blockchain to verify the authenticity of the signature of the attesting organisation or physician. If the signature matches the one in the patient’s credential, it’s authentic.

And you may ask, “But how do we know whether to trust the physician?”.

Phil Windley, Sovrin’s Chairman, answers this question: “Professionals can also create proofs from verifiable claims written about them to show that they have specific qualifications, certifications, or work at specific institutions. These claims are, in turn, verifiable in the same manner, creating a chain of trust.”

Non-interoperable identity systems are costly for the institutions and troublesome and stressful for the users. When patients arrive at the new facility, the need for duplicated registrations and paperwork increases bureaucracy for one side and frustrates patients in need of care.

“By allowing for secure and accurate identification and authentication of patients and enabling information exchange, they can increase the efficiency of patient management, improve the quality of treatment, reduce administrative burdens for patients, facilitate access to insurance, reduce fraud, and improve data collection.” (World Bank Report)

The digitization of healthcare identity systems is not enough though. Institutions must make sure their digital records are private and secure. Centralised healthcare records pose a major privacy risk for both patient and organisation. 

Self-Sovereign Identity is the innovation in healthcare that provides the decentralization, security, privacy and interoperability for a more efficient healthcare system.

Innovation in Healthcare: Birth Registrations

1.2 billion people around the world do not have an identity. Some of them because they never had it in the first place. Having no identity has grave consequences for these people’s lives as they are not able to access healthcare, education or banking services.

An interoperable identity system would be the major innovation in healthcare that allows hospitals, midwives or birth facilities to easily communicate a birth to the government who can instantly issue a digital birth certificate.

Innovation in Healthcare: Identity and Access Management

Identity and Access Management (IAM) software is used by companies to authenticate, authorize and manage their users/employees and to create a central repository of them.

Whenever a new employee is onboarded into a company, a whole new set of accounts has to be created. A lot of different accounts. From a simple email account to databases, servers or even Slack. 

Once this employee leaves, all these accounts have to be revoked the same way they were created: manually, one by one. A single credential that is not properly revoked can open the door to a vulnerability, as a malicious former employee can access the company’s network and steal data. This is especially important given how sensitive the information in the healthcare industry is.

Through the use of Self-Sovereign Identity, the user would be onboarded on all the different services using their own credential or one created by the company, which the employee would store in their identity wallet. At the moment of revocation, only one credential would have to be revoked to cut access to all of the accounts.

Self-Sovereign Identity could also be an innovative technology for the Identity and Access Management space by improving the audit trail. For compliance reasons, enterprise IAM software keeps a log of user access for fraud prevention. However, the way that log is stored – sometimes a text file – is a concern, as privileged users could modify or delete logs for nefarious reasons. Blockchain, due to its immutable nature, could be a prime use case for access log security.
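
The audit-trail concern above, made concrete as an added example (not Tykn’s code or any IAM product’s): a hash-chained access log in Python, where each entry commits to the previous one and the latest hash is anchored outside the log, which is the role the text assigns to a blockchain. The record fields, user names and events are constructed, and the external anchor is modelled as a plain variable.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the very first entry


def _digest(prev_hash, record):
    """Hash the previous entry's hash together with this entry's content."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, ts, user, action):
    """Append an access record; return the new head hash (the value to anchor)."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"ts": ts, "user": user, "action": action}
    log.append({"record": record, "prev": prev_hash,
                "hash": _digest(prev_hash, record)})
    return log[-1]["hash"]


def verify_log(log, anchored_head=None):
    """Walk the chain; optionally compare its head with an externally anchored hash."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return False, f"entry {i}: link to previous entry is broken"
        if entry["hash"] != _digest(prev_hash, entry["record"]):
            return False, f"entry {i}: content does not match its hash"
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, "head hash differs from the anchored value"
    return True, "ok"


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    ("2020-01-10T09:00:00Z", "nurse.a", "read patient/1001"),
    ("2020-01-10T09:05:00Z", "admin.b", "export patient/1001"),
    ("2020-01-10T09:06:00Z", "admin.b", "read patient/1002"),
    ("2020-01-10T09:30:00Z", "dr.c", "update patient/1001"),
]


def build_log(events):
    """Build a log from (ts, user, action) tuples; return (log, head hash)."""
    log, head = [], GENESIS
    for ts, user, action in events:
        head = append_entry(log, ts, user, action)
    return log, head


def demo():
    """Check the log after three kinds of change a privileged user could make."""
    log, anchored = build_log(SAMPLE_EVENTS)  # 'anchored' stands in for the ledger copy
    results = {"untouched": verify_log(log, anchored)}

    # 1. One record edited in place, hashes left alone.
    edited = copy.deepcopy(log)
    edited[1]["record"]["action"] = "read patient/1001"
    results["edited_in_place"] = verify_log(edited)

    # 2. One record deleted from the middle of the file.
    deleted = copy.deepcopy(log)
    del deleted[1]
    results["entry_deleted"] = verify_log(deleted)

    # 3. Whole file rebuilt without the export, with every hash recomputed.
    rewritten, _ = build_log([e for e in SAMPLE_EVENTS if "export" not in e[2]])
    results["rewritten_no_anchor"] = verify_log(rewritten)
    results["rewritten_with_anchor"] = verify_log(rewritten, anchored)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The chain by itself catches edits and deletions inside the file, but a wholesale rewrite only fails once the head hash is compared with a copy the privileged user cannot change.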

More Resources:

– Our Definitive Guide on Identity Management with Blockchain (Updated for 2020)
– Our Digital Identity Management System that brings privacy and security to personal data.

Interview with Darrell O’Donnell (Founder at Continuum Loop, CTO at CULedger)

What happens when an organization does not own my identity anymore? This is a question that Darrell O’Donnell –  founder at Continuum Loop Inc., currently CTO at CULedger, investor and advisor at several companies (including Tykn) – has been answering with his work in the Digital Identity space.

According to Darrell, holding a digital identity database inside an organization is a liability. It’s a huge expense in data management – unless you are Google or Facebook and have a financial incentive to host such a database – and the liability of having a “honey pot” of personal data that could be leaked, hacked or breached is tremendous. As seen, for example, with the Equifax case in which the personal information of 147 million people was exposed.

Self-Sovereign Identity – a model of identity management where users own and hold their own data – avoids the “honey pot” issue. There is no centralized database of identity to be breached. This is achieved through the use of blockchain technology. 

Through the infrastructure of a blockchain, the verifying parties can immediately verify data that is shared. They do this by using data anchored in a blockchain to check the validity of the attestation and attesting party (such as the government) from which they can determine whether to validate the proof.

For example, when an identity owner presents a proof of their date of birth, the verifying party does not check the truth of the date of birth itself. Instead, it validates the signature of the government that issued and attested to this credential, and then decides whether it trusts the government’s assessment of the accuracy of the data.

Leveraging blockchain technology establishes trust between the parties and guarantees the authenticity of the data and attestations, without actually storing any personal data on the blockchain.

“The solutions that resonate well with blockchain are in areas where there is no one truly in charge. In digital identity there is no one truly in charge. There are different players. Companies, governments, individuals. But their job is not to own the whole problem. When someone owns the whole problem there is no need for a blockchain. All it is is a slow database. But in situations where there is no central point of control, and there shouldn’t be a central point of control, then blockchain is ideal.” (Source)

If you’re an organization looking into Self-Sovereign Identity solutions, Darrell believes two important questions should be asked to every vendor:

– What can you tell me about how your Self-Sovereign Identity system is governed?

– What happens to my Self-Sovereign Identity if your company disappears?

These questions let you know if the system is using Self-Sovereign Identity or if it’s just a “polished version” of the old thing.

Be aware of these red flags in the answers: If there is no governance or governance is automated “in the code”, Darrell thinks you’re in for a “world of hurt”. Governance is such a complex matter that it is not yet possible to have it automated. Heavy governance is just as bad. “Identity requires some light human governance” (source). Also, if a digital identity depends on a vendor and it’s useless if the company disappears then it is not self-sovereign. “It’s just relatively open”. The user must own his identity.

“In 10 years nobody will care that the advent of self-sovereign identity created a seismic shift in both technology and the balance of power. What they will care about is that their lives have been improved. They won’t talk about privacy, security, and other things that we talk about.

And somebody, in 10 years, is going to say “Really? You let a big company control your identity and monitor everything you did? Why would you do that?”.” (Source)

We had the chance to ask Darrell a few questions:

What is the biggest myth or misconception about Digital Identity/SSI?

That regular people care about it – they don’t. The Identerati see how it solves problems but the preaching doesn’t help. The key message that needs to be heard is that it helps us act like we do in our non-digital lives – naturally establishing relationships with reasonable privacy. Under the hood it certainly is a better solution – but no ordinary person ever said (or thought) “geez I need a better digital identity.”

Specific roadblocks other people in your space should look out for (and how to overcome them)?

Similar to the earlier question, we expose far too much complexity, which makes decentralized identity/SSI unapproachable for most. Please don’t misunderstand me – I know that the digital identity space is incredibly detailed and there are important distinctions. My point is that if your business isn’t helping make the key decisions for your customers you’re not adding value. One of the changes that I made at CULedger, for example, was to take a multi-week effort down to a few hours for a developer. Our API has 2 main calls. That’s it. That’s all that is needed to get started. If you can get a developer productive with a couple of hours of work they will invest more time to go deeper. If the learning curve is measured in weeks or months you will only attract a minuscule audience.

If you had the chance to write something on all the boards in all the classrooms in the world, what would it be?

Learn how to learn. Your teacher is probably teaching you how to memorize…

In many many years, looking back to your life, what would make you feel you accomplished your mission?

I would like to think that there are people out there that have made more impact because of some small thing that I helped them with. Seeing a major shift to an internet that can be trusted more would be fantastic. Lately I have been looking at ways that I may be able to help out with a big impact with the climate emergency. I started my career in environmental engineering but was pulled into software – the landfill and wastewater treatment work wasn’t what I wanted. 

One (or more) book(s) that greatly influenced you and why?

As a founder of multiple companies, The Hard Thing About Hard Things (Ben Horowitz) had a huge impact. Knowing that CEOs around the world are dealing with the same thing was incredibly impactful. CEOs have huge responsibility and they are alone – knowing, strangely, that there are others going through what feels like hell often was oddly comforting.

I keep returning to Abundance (Peter Diamandis) as a recommendation for the folks that I advise as well. It explains that the world is changing faster and faster because of the convergence of many things. We have a lot of hard work ahead of us to correct some extreme problems (climate) but there is hope. 

Do you have a favourite victory/failure of yours?

I had a company that we had to wind up over a weekend. A key client (too many eggs in one basket) flipped a curveball at us and forced us to shut down. It was horrible. I had to lay off all of my team. Every one of them landed jobs within a couple of weeks with substantial raises. But every one of my direct reports told me over the next year that their time with me was by far the best thing that had ever happened in their career. It was hard to recover but awesome to see the impact. Years later I kept wondering if I should have left that business earlier but I know now that it happened at the right time. The lessons learned in that pressure cooker-style environment gave me a lot of tools that I didn’t realize were important for others.

In your field, or in life, what is the question that people should be asking more and they aren’t?

I’ll steal this one from Tim Ferriss – “what would this look like if it were easy?”

Bonus Question: Pineapple on pizza. Yes or no?

Good god no. 

We, at Tykn, would like to thank Darrell O’Donnell for his time and for sharing his ideas and knowledge with us (not only in this interview but also as our advisor!). Thank you, Darrell! Be sure to follow his Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Daniel Hardman (Chief Architect at Evernym and Technical Ambassador at Hyperledger)
  • Interview with Elizabeth M. Renieris (Law and policy engineering consultant focused on the areas of digital identity, blockchain and data protection)
  • Interview with Stephen Curran (Technical Architect and DevOps Specialist on the Verifiable Organizations Network)
  • Interview with Kaliya Young (co-founder of the Internet Identity Workshop and author of the Domains of Identity)
  • Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.

Tykn’s 2019: Year In Review

2019 was a great and intense year for us. Here’s a highlight of our favourite moments.

Seed Investment

We were extremely happy to announce that we received an investment of 1.2 million euros from Dutch IT entrepreneur Johan Mastenbroek. With him on board, Tykn gained not only a financial partner but also an experienced business mentor.

In Johan Mastenbroek‘s own words: “I strongly believe in the principles and ideas of Tykn. They work together with international organisations, with whom they can provide a solution to a global problem and create a future of opportunities instead of a future of problems.”


One of our main focuses throughout 2018 and 2019 was 121. A source of great pride for us.

In February it was finally announced: In October and December 2018, Dorcas led the 121 Direct Cash Aid on Blockchain Pilot in Ukraine with Tykn’s Digital Identity backend & 510 Data Team of The Netherlands Red Cross‘ frontend & system.

The Chivas Venture

Tykn placed Top 5 in the world, out of more than 1,000 companies, in The Chivas Venture Global Competition. This won us $50,000, exposure and, equally important, recognition of the urgency of tackling the United Nations Sustainable Development Goal 16.9.

The jury was composed of Zoe Saldana (actress, entrepreneur and philanthropist), Alexandre Ricard (Chairman and CEO of Pernod Ricard), Cemal Ezel (founder of Change Please) and Sonal Shah (economist and founding Executive Director of the Beeck Center for Social Impact + Innovation at Georgetown University).

It was a thrill standing on The Next Web‘s stage and presenting our solution to this jury and thousands of people.


We spent some emotional weeks in the SDG Impact Accelerator (SDGia), the first of its kind in Turkey to address the issues of the refugee crisis. Turkey houses approx. 3.6 million refugees and spends nearly 37 billion dollars on it.

We have had the opportunity to engage directly with refugees and organisations such as the United Nations Development Programme – UNDP, UNHCR, the UN Refugee Agency, International Labour Organization, Food and Agriculture Organization of the United Nations (FAO), IMO – UN Migration, Turkey Red Crescent, Republic of Turkey’s Ministry of Foreign Affairs, Internal Affairs, Agriculture and the Directorate General of Migration Management.

Putting ourselves in the shoes of people affected by displacement and ID-related problems is key in our journey to craft a solution inclusive for all.

One of the challenges presented by the Accelerator was on how to provide refugees with livelihood opportunities through digital ID solutions.

Tykn’s participation in this challenge became part of an ongoing dialogue with stakeholders all over the country, in which we have become actively involved in designing, testing and implementing digital identity solutions over the next few years that can serve the refugee population in Turkey.

This accelerator was led by the Turkish Ministry of Foreign Affairs and the United Nations Development Programme, and supported by the Bill and Melinda Gates Foundation, Eczacıbaşı Holding, Limak Holding and the World Food Programme – WFP.

It was great to have been part of it!

New Office and Brand Identity

We started the year moving offices to The Hague, the city of peace and justice. It made sense not only because of the symbolic value of The Hague but also because of the strong NGO and social impact startup ecosystem. We became proud members of ImpactCity, a community of companies focused on doing business and doing good.

Our office-warming party was also the perfect opportunity to launch our new brand identity. One that reflected the humanity in our vision and mission. That accurately portrayed why we are doing what we are doing and showed that we are more than a tech company.


Our work is far from done though. We have been working hard behind the scenes to launch our own platform in 2020: Ana, making the refugee integration journey easy and safe. Creating a future of opportunities. Because people matter.

We hope you have a great 2020!

Team Tykn

Interview with Daniel Hardman (Chief Architect at Evernym and Technical Ambassador at Hyperledger)

Photo: Hyperledger Global Forum

Daniel Hardman is one of those inevitable names that come up whenever Self-Sovereign Identity is mentioned. He is the Chief Architect at Evernym, one of the world’s leading companies in Digital Identity.

Evernym was the catalyst behind the creation of Sovrin, a Self-Sovereign Identity network based on a public permissioned blockchain. The Sovrin Network is run by a Federation of Stewards who are responsible for validating identity transactions to ensure consistency about what is written on the ledger and in what order. We are proudly one of those Stewards who are allowed to run a validator node, along with IBM, Cisco, T-labs and 68 others (with the aim of having up to 300 Stewards within the network in the long run for optimal decentralised governance).

In an identity management scenario, a blockchain, like Sovrin, enables everyone in the network to have the same source of truth about which credentials are valid and who attested to the validity of the data inside the credential, without necessarily revealing the actual data. This brings privacy and security to Digital Identity as each person holds their identity credentials in their own devices and controls the digital relationships those credentials are used in and for. The user decides who gets to “see” them and how much of them they get to “see”.

But if one stores their digital identity credentials on a digital identity wallet on his devices (like a mobile phone), it begs the question: what if my phone is lost or stolen?

To answer this question we always draw from Daniel Hardman’s excellent paper.

According to him, there are two steps to be taken:

The first one is to revoke the device’s authorization to use credentials. Digital Identity credentials are only valid if used from a device that was authorized to do so. If a user’s phone is lost or stolen, that user could use another authorized device, like his laptop, to write on the blockchain that his mobile phone’s authorization is now revoked. 

This would take immediate effect and stop anyone from using the digital identity credentials on the phone. The thief would not be able to impersonate the user, even with the user’s passwords, biometrics or phone, because the blockchain, immutable and secure, would contain a revocation registry for the phone.

Revoking the device’s authorization prevents the thief from impersonating the user to create new relationships. The second step prevents the thief from exploiting the existing relationships between the device and other people or organisations: it is to revoke the existing relationship keys (pairwise connections, each of which has a unique key).

Together, these two steps stop an identity thief from using digital identity credentials to access new services or exploit relationships with existing ones, while conveniently letting the user still use their credentials on another device.
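
The two steps above as a small Python model, added here as an illustration and not taken from Daniel Hardman’s paper or from Sovrin code. Keys are opaque strings standing in for public keys, no signatures are checked, and the Ledger and RelyingParty classes, along with the rule that only a still-authorized device may write for its owner, are assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Append-only list of (owner, op, device_key); a stand-in for the blockchain."""
    entries: list = field(default_factory=list)

    def authorized_devices(self, owner):
        """Replay the ledger to find which device keys are valid for this owner now."""
        devices = set()
        for who, op, key in self.entries:
            if who == owner and op == "authorize":
                devices.add(key)
            elif who == owner and op == "revoke":
                devices.discard(key)
        return devices

    def write(self, owner, op, target_key, written_by=None):
        """Append an entry; after the owner's first entry the writer must be authorized."""
        if op not in ("authorize", "revoke"):
            raise ValueError(f"unknown operation: {op}")
        has_history = any(who == owner for who, _, _ in self.entries)
        if has_history and written_by not in self.authorized_devices(owner):
            raise PermissionError(f"{written_by} is not an authorized device of {owner}")
        self.entries.append((owner, op, target_key))


@dataclass
class RelyingParty:
    """A service that holds one pairwise key per relationship with an identity owner."""
    ledger: Ledger
    relationship_keys: dict = field(default_factory=dict)

    def open_relationship(self, owner, device_key, pairwise_key):
        """New relationships require a device the ledger still authorizes (step 1)."""
        if device_key not in self.ledger.authorized_devices(owner):
            return False
        self.relationship_keys[owner] = pairwise_key
        return True

    def accept_message(self, owner, pairwise_key):
        """Existing relationships are checked against the pairwise key alone."""
        return self.relationship_keys.get(owner) == pairwise_key

    def rotate_key(self, owner, device_key, new_pairwise_key):
        """An authorized device replaces the pairwise key, retiring the old one (step 2)."""
        if device_key not in self.ledger.authorized_devices(owner):
            return False
        self.relationship_keys[owner] = new_pairwise_key
        return True


def lost_phone_scenario():
    """Constructed walk-through: the phone is stolen after a relationship exists."""
    ledger = Ledger()
    ledger.write("alice", "authorize", "laptop-key")
    ledger.write("alice", "authorize", "phone-key", written_by="laptop-key")
    bank, shop = RelyingParty(ledger), RelyingParty(ledger)
    bank.open_relationship("alice", "phone-key", "alice-bank-key-1")

    out = {}
    # Step 1: the laptop revokes the phone's authorization on the ledger.
    ledger.write("alice", "revoke", "phone-key", written_by="laptop-key")
    out["new_relationship_from_phone"] = shop.open_relationship(
        "alice", "phone-key", "alice-shop-key-1")
    # The existing relationship key still works until step 2 is done.
    out["old_key_before_rotation"] = bank.accept_message("alice", "alice-bank-key-1")
    out["rotation_from_phone"] = bank.rotate_key("alice", "phone-key", "other-key")

    # Step 2: the laptop revokes the existing relationship key by replacing it.
    out["rotation_from_laptop"] = bank.rotate_key("alice", "laptop-key", "alice-bank-key-2")
    out["old_key_after_rotation"] = bank.accept_message("alice", "alice-bank-key-1")
    out["new_key_after_rotation"] = bank.accept_message("alice", "alice-bank-key-2")

    # The revoked phone cannot write to the ledger for this owner any more.
    try:
        ledger.write("alice", "revoke", "laptop-key", written_by="phone-key")
        out["phone_can_revoke_laptop"] = True
    except PermissionError:
        out["phone_can_revoke_laptop"] = False
    out["authorized_now"] = sorted(ledger.authorized_devices("alice"))
    return out


if __name__ == "__main__":
    for check, value in lost_phone_scenario().items():
        print(f"{check}: {value}")
```

In this model the old pairwise key is still accepted between step 1 and step 2, which is why the device revocation alone does not protect existing relationships.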

We had a chance to ask Daniel a few questions:

What are, in your opinion, the riskiest assumptions when writing an SDK (Software Development Kit)?

SDKs have a very broad set of uses. It’s easy to assume that everyone using the SDK will be doing mobile, or servers. It’s much harder to build an SDK that also works for embedded or for SaaS. So I think platform assumptions are one of the most risky areas.

Another risky area is the threading model. Some people will want something simple. Others will want something that is very scalable or performant. It is hard to do both–so assumptions about this area are risky.

For you, what are the most promising/exciting SSI projects/repos?

I think hyperledger/aries-rfcs is super important. Also the peer did spec at openssi/peer-did-method-spec. And hyperledger/aries-cloudagent-python, hyperledger/aries-framework-dotnet, hyperledger/aries-framework-go, hyperledger/aries-protocol-test-suite.

What do you believe are the bottlenecks for the cross-ledger SSI (Ethereum, Sovrin etc)? How soon can we see cross-ledger credentials exchanges?

I think the number one bottleneck right now is not related that strongly to ledgers, but rather to credential format. There are 3 credential formats that are in harmony with the VC spec, that are not mutually interoperable. Until we solve that problem, cross-ledger SSI will probably not happen.

I predict that this problem will be solved in the next 1-2 years, with Sovrin announcing support for other ledgers and other credential formats. That’s because it’s going to be easier for Sovrin to support the simple crypto of the other formats, than for the other formats to upgrade their crypto to support Sovrin-style credentials.

What are the upsides of using Zero MQ (ZMQ) over a common HTTP/Rest connection?

ZMQ trust is not based on certificates, but rather on possession of keys. We need these keys anyway, so the transactions from individual validators can be signed and verified by one another. So, ZMQ allows us to secure the conversation using keys we already had. If we were using HTTP/Rest, we would still have those keys and would still need to sign things, but then we would redundantly be encrypting. We would also have to make sure every validator node accepted the certificates from every other validator node, and certificate expiration would be a constant headache.

How hard would it be to replace the current TLS (Transport Layer Security) architecture with SSI?

Very hard. I don’t expect this to happen any time in the next 5 years. It may never happen. TLS is good for trust between computers, not between humans–but since we will always need trust between computers, it may be here to stay…

Why was Rust chosen to write Indy-SDK?

We needed a language that could cross-compile for many different platforms, and that produced a C-callable API so lots of other languages could benefit from the artifacts it builds; if we didn’t have that, we’d have to write the same low-level crypto and wallet operations multiple times. Rust, Go, and C++ were the only serious candidates, and Rust had the nicest compiler options for cross-platform. Go’s C-callable support is harder to adapt when you are using Go routines. Rust is growing and is very popular with its developers.

Specific roadblocks other people in this space should look out for?

The biggest roadblock right now is the learning curve. The mental model is different from that of familiar web programming in important ways, and understanding how and why is hard.

I am encouraged because we now have agent frameworks that are becoming available, that allow a developer to be productive without knowing so many of the low-level details. This should help a lot with this challenge.

What is the book (or books) you have recommended most to others?

Two that have been relevant to me in recent years are Refactoring, by Kent Beck and Martin Fowler, and Working Effectively with Legacy Code, by Michael Feathers.

We, at Tykn, would like to thank Daniel Hardman for his time and for sharing his ideas and knowledge with us. Thank you, Daniel! Be sure to follow his Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Elizabeth M. Renieris (Law and policy engineering consultant focused on the areas of digital identity, blockchain and data protection)
  • Interview with Stephen Curran (Technical Architect and DevOps Specialist on the Verifiable Organizations Network)
  • Interview with Kaliya Young (co-founder of the Internet Identity Workshop and author of the Domains of Identity)
  • Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.

SDGs – The Definitive Guide on the UN’s Sustainable Development Goals

What are the SDGs?

The Sustainable Development Goals (SDGs) are a collection of 17 global goals to achieve by 2030.

All 17 goals are connected, built on a holistic approach, meaning that no goal is to be left behind and that “success in one affects success for others” (1).

Who created the SDGs and why?

The SDGs are an initiative created by the United Nations at the United Nations Conference on Sustainable Development in Rio de Janeiro in 2012.

The SDGs aim, according to the UNDP, at producing a set of “universal goals” that meet the urgent environmental, political and economic challenges our world is going through.

The SDGs were preceded by the Millennium Development Goals (MDGs) created in 2000 to tackle poverty. The achievements of the MDGs are impressive and remain intact but for millions of people around the globe a lot more has still to be done. This is where the SDGs come in as they are an engagement to finish what the MDGs started and to address other critical challenges (2).

The 17 SDGs

The 17 global goals to achieve by 2030 are:

  1. No poverty – End poverty in all its forms everywhere.
  2. Zero hunger – End hunger, achieve food security and improved nutrition and promote sustainable agriculture.
  3. Good health & wellbeing – Ensure healthy lives and promote well-being for all and at all ages.
  4. Quality education – Ensure inclusive and equitable quality education and promote lifelong learning opportunities for all.
  5. Gender equality – Achieve gender equality and empower all women and girls.
  6. Clean water & sanitation – Ensure availability and sustainable management of water and sanitation for all.
  7. Affordable & clean energy – Ensure access to affordable, reliable, sustainable and modern energy for all.
  8. Decent work & economic growth – Promote sustained, inclusive and sustainable economic growth, full and productive employment and decent work for all.
  9. Industry, innovation & infrastructure – Build resilient infrastructure, promote inclusive and sustainable industrialization and foster innovation.
  10. Reduce inequalities – Reduce inequality within and among countries.
  11. Sustainable cities & communities – Make cities and human settlements inclusive, safe, resilient and sustainable.
  12. Responsible consumption and production – Ensure sustainable consumption and production patterns.
  13. Climate action – Take urgent action to combat climate change and its impacts.
  14. Life below water – Conserve and sustainably use the oceans, seas and marine resources for sustainable development.
  15. Life on land – Protect, restore and promote sustainable use of terrestrial ecosystems, sustainably manage forests, combat desertification, and halt and reverse land degradation and halt biodiversity loss.
  16. Peace, justice & strong institutions – Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels. 
  17. Partnerships for the goals – Strengthen the means of implementation and revitalize the global partnership for sustainable development.

Is it possible for the United Nations’ SDGs – Sustainable Development Goals – to be achieved?

We believe there are two points of view on this question: the optimistic one and the pessimistic one.

The optimistic:

It is possible to achieve the SDGs as there has been tremendous progress under the MDGs. So if the MDGs were a great success, why wouldn’t the SDGs?

One proponent of the optimistic view is Jessica Toale, Advisory Board Member of We Make Change, who believes the younger generations, among whom she includes herself, are more involved in such goals: “multiple studies have shown how we look at the world with a slightly different lens than the generation before us. We have different values, a different approach to work, which we expect to be meaningful. We care about issues like inequality and climate change. We are more global in outlook” (3).

The pessimistic:

As expressed by Amy Lieberman in her report, the SDGs are not achievable because progress remains “uneven and not moving fast enough” to meet all 17 goals by 2030. Recently, she adds, according to the UN’s 2018 annual checkup report on the SDGs, the results are not satisfactory enough. The goals set up by the SDGs are way too ambitious compared to what can actually be done within the specific time frame.

What does it take for the SDGs to be achieved?

Since all 17 goals are big challenges, achieving them will require a lot of effort from both the international community and the citizens of the world.

Here are 5 recommendations from Ortwin Renn, Managing Scientific Director at IASS Potsdam, as to how to achieve these goals:

  • Take it step-by-step.
  • Think regional, not global.
  • Work from bottom-up.
  • Strategically balance conflicting objectives.
  • Use stories to drive change.

In summary, it will take a lot of continuous effort, funding and perseverance for the SDGs to be achieved.

How did the SDGs come to be? Why were those 17 goals chosen?

The SDGs came to be as a result of the success of the MDGs. As the deadline of the MDGs was approaching, about 1 billion people were still living in extreme poverty which encouraged nation states and the UN to take initiative in a new set of goals which are now known as the SDGs.

These 17 goals were chosen during the “largest consultation programme” the UN has carried out to receive opinions on what the SDGs should include (4).

After the Rio summit in 2012, a group was assembled to devise a draft agenda. The group was composed of representatives from 70 countries and came up with 17 suggestions by July 2014. The agenda was agreed upon in August 2015. The UN also conducted a series of what was called “global conversations” which included “11 thematic and 83 national consultations and door-to-door surveys” (5). The UN also started an online survey in which people were asked to “prioritize the areas they would like to see addressed in the goals” (6). These results were incorporated into the working group’s discussion and led to the birth of the 17 Goals.

How are SDGs an improvement over MDGs?

The MDGs set “concrete, specific and measurable” goals to achieve. However, the MDGs were highly criticised because their goals were so targeted that they left out other equally important areas to improve. Since the MDGs were criticised as being “too narrow in focus”, it was decided the SDGs would encompass other issues, such as gender inequality or climate change.

Another point of improvement is the fact that when the MDGs were written, the context of the 2000s was “rich donors aiding poor recipients” and since then a lot has changed (7). One of the most important problems is “inequality and not national-level poverty” which applies to both rich and poor countries (8). Thus, SDGs are applicable to every country.

In terms of funding, the MDGs were focused on aid flow. Instead, SDGs put “sustainable, inclusive economic development at the core of the strategy” and “address the ability of countries to address social challenges through improving their own revenue-generating capabilities” (9).

In general, in comparison to the MDGs, the SDGs are more sustainable in nature, inclusive and target-specific which could potentially lead to long term progression.

Why are SDGs so important?

SDGs are important because they continue what the MDGs fought for.

Indeed, the SDGs will continue striving for equality and justice and against poverty, but will also take on equally important problems that we are facing, such as “equitable development and environmental sustainability” (10).

We have seen the positive results of the MDGs and that brings us hope that the SDGs can be achieved.

How can I help the SDGs?

Goals such as fighting for equality, stopping climate change and eradicating extreme poverty can be overwhelming. It is easy to feel very small and powerless when facing these 17 goals. But change starts with you and with little actions that all of us can undertake every day.

On the individual level, you too can help achieve the SDGs. Here are, from the UN’s Lazy Person’s Guide to Saving the World, just a few of the examples you could partake in:

  • Turn off the lights when you don’t need them.
  • Speak up to your local governments to engage in new initiatives that don’t harm the people or the planet.
  • Recycle.
  • Replace old appliances with energy-efficient models and light bulbs.
  • Donate what you don’t use.
  • Use refillable water bottles and coffee cups.
  • Voice your support for equal pay for equal work.
  • Encourage your company to work with the civil society and find ways to help local communities achieve their goals.

How can my organisation help the SDGs?

On a business and organisation level, there are many ways that a business can help achieve the SDGs.

This fantastic SDG Compass document suggests 5 steps:

  1. Understanding the SDGs – Familiarise your company with what the SDGs encompass.
  2. Defining priorities – Companies are encouraged to prioritize based on an “assessment of their positive and negative, current and potential impact on the SDGs across their value chains”.
  3. Setting goals – Setting goals for your company is essential for business success and “helps foster shared priorities and better performance across the organisation”. By showing that your company is aligned with the SDGs, the “leadership can demonstrate its commitment to sustainable development”.
  4. Integrating – In order to achieve the set goals, it is essential to integrate “sustainability into the core business”. This can also be done by partnering with other organisations that have similar goals.
  5. Reporting and communicating – The SDGs enable companies to “report information on sustainable development performance using common indicators and shared set of priorities”.

Goal 16.9: Identity For All

One of the targets of Goal 16 – Peace, Justice and Strong Institutions – is providing legal identity for all, including birth registrations.

Globally, there are 1.2 billion people without a legally recognised identity, 290 million of whom are children under the age of 5. Without an identifying document they have no access to services such as healthcare or education. They are at risk, living on the fringes of society.

Vulnerable populations such as refugees are the first to suffer the problems of the current identity management systems: siloed, inefficient and paper-based infrastructures.

Without portable, private and secure identities they become even more vulnerable, losing access to basic human rights and becoming in danger of trafficking, slavery and sexual exploitation.

At Tykn we are supporting target 16.9 by developing digital identity technology for the socio-economic inclusion of refugees, which will level the field and allow them safe and private digital access to much needed services in their host countries, such as banking, education and healthcare.

If you’d like to read more about how our technology makes digital identity private and secure, we wrote this in-depth guide on Identity Management and Blockchain.

Are the SDGs legally binding?

The SDGs are not legally binding (11).

However, governments are expected to take “ownership and implement adequate national frameworks” to achieve all 17 goals. Indeed, the principal responsibility that countries have is to “follow-up and review the progress made in implementing” the SDGs (12).

How are SDGs measured?

The progress towards the SDGs’ targets is measured through a set of indicators for monitoring performance. Indeed, each Goal is broken down into a range of different targets, “with a total of 169 targets spread out across the 17 goals” (13).

The goals will also be measured not at a global level but at a national one. Additional monitoring, however, will still “occur at regional and global levels” (14). 

In regards to monitoring, “each level of monitoring requires different types of indicators”. Discussions with a number of national statistical offices (NSOs) such as the OECD, for instance, report “100 to be the maximum number of global indicators on which NSOs can report and communicate effectively in a harmonized manner” (15).

How much do the SDGs cost?

According to this Forbes article penned by Michele Giddens, the SDGs will be expensive in addition to being difficult to achieve.

The UN estimates that the “total cost would be about $11.5 trillion, including $1.4 trillion a year just to achieve the first SDG, which is to end poverty for 700 million people” (16).

The graphics on this post were created by Freepik.

Interview with Elizabeth M. Renieris (Law and policy engineering consultant focused on the areas of digital identity, blockchain and data protection)

“The reality is that we are being tracked, targeted, stalked, and harassed by commercial actors via digital means, whether or not we have direct contractual relationships with them” (1). That’s a quote by Elizabeth M. Renieris–a lawyer focused on policy engineering around digital and Self-Sovereign Identity, blockchain, privacy and data protection, who is fighting against the “commodification” of our personal data.

The GDPR offers improved privacy and data protection by giving individuals enhanced rights and clarifying the obligations of organizations to give effect to those rights, but it’s not enough. The advent of things such as blockchain-based digital identity brings new challenges to the table.

First of all, a blockchain is immutable. Anything that is put there will be there forever. This raises major privacy concerns. Although blockchain technology and cryptography may be secure now, they may not be in the future, risking the exposure of personal details to malicious and non-malicious actors. And what about GDPR’s right to be forgotten? Who on a blockchain network are the data controllers to be held accountable? What about cross-border transfers of data?

Elizabeth believes that blockchain, as currently conceived, is largely incompatible with the GDPR. We highlighted 3 of the 7 reasons, based on GDPR’s core principles, why she thinks this:

1. Principle of Lawfulness: What is the lawful basis for putting this data on the ledger? Even if “legitimate interest” is argued, Elizabeth believes this legitimate interest has to be evaluated on a “case-by-case basis weighing the interests of the controller against the rights and interests of the individual,” which is at odds with the automated, code-is-law approach of many networks (2).

2. Principle of Purpose Limitation: Under GDPR, “personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.” But what happens on a blockchain is that data is immediately replicated between all the nodes in the network, making that data “further processed” and “broadcast to an indeterminate number of nodes across an unspecified geographic scope and stored indefinitely” (3). Elizabeth believes that the “automatic replication of data across all nodes in a ledger is also an automatic violation of the data minimization principle” (4).

3. Principle of Accountability: Elizabeth points out that many blockchain or ledger-based projects argue that they are too “decentralized” to identify data controller(s) or take responsibility for giving effect to data subject rights, inadvertently shooting themselves in the foot from a compliance perspective. To the extent that a ledger-based project insists that no one is accountable, she argues that it cannot satisfy the accountability principle and therefore cannot comply with the GDPR.

For the remaining points, read the great in-depth blog that Elizabeth wrote.

As a fellow at the Berkman Klein Center for Internet & Society at Harvard University, Elizabeth works on “designing new and improved data governance models that are human-centric and privacy-preserving with a distinct emphasis on enhancing individual and collective rights and well-being” (5). 

We had the chance to ask her a few questions.

What does a law and a policy engineering consultant focused on the areas of digital identity, blockchain, and data protection do? What are your responsibilities & goals?

My three areas of expertise are data protection, blockchain, and digital identity. They are now converging as digital identity solutions proliferate, with many involving some form of blockchain or distributed ledger technology (DLT), and very few actually accounting for data protection and privacy-related concerns. I am trying to bring these knowledge areas together. 

I have been a government attorney, a corporate lawyer in large law firms, and in-house counsel at a number of startups. As a result, I have a very well-rounded perspective on the kind of advice and counsel that’s needed to allow these communities to work together more effectively. I sometimes describe my work as acting as a translator between “technical” and “non-technical” communities (although I dislike those categorizations because legal and other skills are also technical).

Most of my clients, at the moment, are larger organizations who are looking to integrate emerging technologies into their products and services. They look to me to perform a kind of due diligence on these technologies and to shape governance frameworks and to understand their policy implications. That said, I also work with smaller organizations and startups to design and build products accounting for law, regulation, and policy considerations. My work is also very international in scope because, while the law is still bound by geography, these technologies are not, so a cross-border perspective is crucial.

My goal is to provide an informed and critical perspective to organizations looking to integrate and implement technology solutions with potentially complex legal, regulatory, and policy implications. By understanding the technology, knowing the right (and often difficult) questions to ask, and providing a real-time, up-to-date understanding of the laws and regulations as they relate to that technology, I can integrate law and policy considerations into the design of technology products and solutions, as well as their ultimate implementations and deployments.

What does it mean and what is the importance of “designing new and improved data governance models that are human-centric and privacy-preserving”?

Data governance has traditionally been designed from the viewpoint of larger stakeholders, notably governments and large corporations. In some ways, this made sense throughout Web 1.0 and Web 2.0, where the setup was more “push” than “pull” or more unidirectional. Given the more interactive nature of later-stage Web 2.0 and the increasingly participatory nature as we transition to Web 3.0, that approach no longer makes sense.

Human-centric data governance is about putting the human point of view at the center. This is not the same as hyper-individualism. Our humanity is shared and collective. In this way, human-centricity gives us more bargaining power against corporations and governments.  

Ultimately, human-centricity is about retaining a sense of our humanity in our increasingly digital lives. This is closely linked to what’s needed for a more privacy-preserving approach. To me, a privacy-preserving approach means that we should have norms and expectations that govern the digitized aspects of our lives, just as we have always had in the real world. It is grounded in Helen Nissenbaum’s work around contextual integrity, around a sense of our shared humanity, and in the rejection of techno-utopian reductionism.

In the field of Digital Identity, what is the question that people should be asking more but aren’t?

One question that people haven’t been asking enough, but are starting to ask more, is: “why ID?”. For example, Access Now has recently introduced an initiative around this question. For me, “why ID?” is about taking a step back to ask why we need to implement a digital ID solution or to identify people in the first place, in a given context. 

There are many contexts where we don’t actually need to identify specific and unique individuals, e.g. that I am Elizabeth Renieris and you are John Smith. Rather, we just need to know that someone has only shown up once. For example, in the context of certain public benefits, such as food aid, we might need to prevent double-dipping into public resources but we don’t need to know that I am me and you are you.

Another important question that we should be asking is whose imagination are we living in? Whose vision of the world are we accepting? Are we accepting the constraints imposed by others before us? Do those who built Web 1.0 and Web 2.0 (with all the flaws of both) have a monopoly on the future of the Web? As the discussion grows more inclusive, what if that’s not our vision? We have to resist the inevitability and path dependency that can set in.

Specific roadblocks other people in this space should look out for?

Structural racism, misogyny, and other forms of discrimination and exclusion are rampant in the field of identity, often stemming from a history and culture of those who built the Web. My advice is to cut off the air supply. If you are an identity professional working in a toxic environment, don’t waste your time trying to change people who may not be ready or willing. Find a team or a tribe that can support you or rather even go it alone if you can. There is too much important work to be done to waste it on those who cannot see that the future is inclusive.

Another obstacle is having an overly microscopic view of things. We can easily get bogged down by the tech, by standards, by specific implementations or use cases, but we often lose sight of the big picture and what we were trying to do in the first place. Often this happens because we spend all of our time around people like us, working in the same industry often on the same problems. The solution is to get out of these bubbles. Go to a non-identity specific conference (the learnings will be relevant to identity), spend time with people from other backgrounds and professions, read things that seemingly have nothing to do with identity or tech (there will still be many lessons). Diversity and interdisciplinarity are central to a sustainable future for the identity community.

What are your hopes for the future of Digital Identity?

That we wake up and resist our own commodification. And that we don’t lend our technology and our efforts to those ends. 

That we realize that we are stronger together, as communities, and as humanity at large than we are as atomized individuals. 

That, while it may be part of the solution, technology alone is never the solution.

What is the book (or books) you have recommended most to others?

Dr. Ruha Benjamin’s Race after Technology (on how the design of technology can be discriminatory).

The Costs of Connection by Nick Couldry and Ulises A. Mejias (on data colonialism and how tech is taking from the flow of our lives).

Margaret Atwood’s The Handmaid’s Tale (about the forces that enable a future totalitarian state to emerge).

We, at Tykn, would like to thank Elizabeth M. Renieris for her time and for sharing her ideas and knowledge with us. Thank you, Elizabeth! Be sure to follow her Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Stephen Curran (Technical Architect and DevOps Specialist on the Verifiable Organizations Network)
  • Interview with Kaliya Young (co-founder of the Internet Identity Workshop and author of the Domains of Identity)
  • Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.

Interview with Stephen Curran (Technical Architect and DevOps Specialist on the Verifiable Organizations Network)

The government of British Columbia, Canada, is using an open-source blockchain framework, Hyperledger Indy and Aries, to streamline their services and cut red tape. 

Canadian companies claim they waste more than 6 billion € every year on unnecessary bureaucracy. This governmental project – The Verifiable Organizations Network – believes decentralized identities and trusted credentials are the solution.

Each Canadian business owner has to use three different tax numbers and navigate three different levels of governmental bureaucracy: local, provincial and federal.

As the saying goes, “on the Internet no one knows you’re a dog.” How can we trust who is on the other side of our screen? The main goal of the Verifiable Organizations Network is to help people and organizations “conduct business online in a trusted manner” (1). It aims to stop online imposters and cyberattacks that seek to exploit and misuse a user’s personal data.

The Verifiable Organizations Network aims “to create a trusted digital network of verifiable data about organizations, which is globally connected, interoperable, secure, and easy to join” (2) using blockchain-based self-sovereign identity.

Using this innovative technology, one trusted organisation within the value chain (such as the provincial government) can issue a digital verifiable credential to the business owner, and the other organisation (such as the federal government or a financial institution) can verify that credential and trust the attestation made by the first organisation.

We had the opportunity to chat with Stephen Curran, Technical Architect and DevOps Specialist on the Verifiable Organizations Network and a member of the Sovrin Foundation’s Technical Governance Board, about his work.

What are your responsibilities as Technical Architect and DevOps Specialist on the BC Government’s Open Source Verifiable Organizations Network?

I have a varied and always interesting role on the VON team. I’m a product owner for the various Trust over IP (ToIP) projects that we have undertaken, including production systems such as OrgBook BC and the tools we are building to enable services to use ToIP, such as the Aries Cloud Agent Python (ACA-Py) that BC Gov contributed to the Linux Foundation’s Hyperledger Aries Project. Beyond that, I try to do a lot of community building to ensure that BC Gov is both aligned with the community and, where appropriate, leading the discussion. For example, we really need interoperable components and so I took a lead on our team and helped in the community to define protocols so Indy (and later Aries) agents could be built by independent teams and yet still interoperate. To enable the digital economy we’re envisioning, we need contributions, services, tools and understanding from across the economy. We need interop.

I’m also doing a lot outside of the VON project but in the same domain. I’ve recently worked with technical writer, Carol Howard, to complete an online edX course for the Linux Foundation on the identity projects in Hyperledger. The course is titled LSF172x: Introduction to Hyperledger Sovereign Identity Blockchain Solutions: Indy, Aries and Ursa and will go live on November 21st, 2019!

I’m serving on the Sovrin Foundation’s Technical Governance Board and I’m talking to lots of people about SSI, verifiable credentials and adding a trust layer to the Internet. It’s a ton of fun!

You currently have 1.2 million active legal entities in OrgBook BC. How are all the organisations involved reacting to it and how has the feedback been?

The reactions have been fascinating. People related to registered entities—the businesses—learn about OrgBook BC and immediately go online to find their company. We’ve had one company discover that their business was “inactive” and we dug in to find that they had unknowingly let their registration lapse, effectively dissolving their active company! One of our government issuers discovered that an organization to whom they were about to issue a permit had been sold, and two others were not even registered entities. What we learned in building OrgBook BC was that although our original goal was limited (to bootstrap a verifiable credentials-based economy), we’ve found there is long-lasting value in how OrgBook BC works that makes it self-sustaining. The class of product upon which OrgBook BC is built—a “credential registry”—is broadly applicable as a source of trust in many contexts. Now that we’ve built it and understand it, we see many applications. That’s why the underlying software is now “Indy Catalyst,” an open source credential registry that BC Gov will soon donate to the Hyperledger Foundation. Governments and authorizing entities worldwide can take advantage of (and contribute to!) the Indy Catalyst project.

What are the next steps for Verifiable Organizations Network?

Our vision remains the same: to enable the digital economy for the citizens in BC in a global context. As BC Gov’s John Jordan says, we are building locally, thinking globally. The specific work we are doing is in two areas: 

First, continue to drive uses for verifiable credentials that provide value for citizens. OrgBook BC is one example, but we’ve got others that, for example, use verifiable credentials that make authentication and authorization into systems much easier to manage. Those initiatives will get verifiable credentials “in the wild” and we will learn a lot about making it easy for people and businesses to understand and use credentials to convey trust.

Second, continue to work on and drive standards and interoperability in the broader SSI community. In July 2018, we initiated within the Hyperledger Indy community the first face-to-face meeting of agent developers so we could discuss “interoperability protocols.” Now we have a raft of Indy/Aries apps that work together. But we need to go further to enable interoperability across the SSI communities, solutions that work globally. We’re trying to do our bit to make that happen.

In the field of Digital Identity, what is the question that people should be asking more but aren’t?

I’m relatively new to the Digital Identity space and the biggest revelation for me as I’ve dug in has been how contextual identity is. The attributes about you that are important to prove are different in every transaction in which you participate. One-size-fits-all “identity” doesn’t exist.

What really matters for a verifier, a relying party, is getting specific attributes from a source that the verifier trusts. For the subject of the attributes, what matters is simplicity, control and reducing the distribution of their private data.

This leads to two questions that I think are important. The first is for verifiers to focus on what they actually need for identity versus what they collect in order to trust the data they need, to mitigate their risk. What if they could just collect the actual contextually required attributes and trust those attributes because they were issued by a trusted source?

That leads to the second question, specifically tied to getting started using the verifiable credentials model. Since identity can be so contextual, what constrained eco-systems do you participate in where you could get started using verifiable credentials today? Places where your partners are the authority for certain attributes such that they could issue credentials, you could trust them, and eliminate the hassle and risk of over-collecting and holding private data?

My favourite example these days is one we are working on for lawyers. A government service is being provided only to lawyers currently eligible to practice. How does the service determine who is currently eligible to use it? Traditional authentication mechanisms require over-collection of data and complex integrations. With verifiable credentials, the authority that tracks practicing lawyers gives their members a “practicing lawyer” verifiable credential, and to access the service, they present that credential. The service trusts the authority, access is granted.

Apart from your work, what applications for digital identity/SSI really excite you?

I think that when you can ask the user for information and you can trust their response, you open up a lot of exciting opportunities. There are many services that find out who you are, and then call out to some service to get the information they really need because they don’t trust the user. When users can present trusted information directly, you eliminate a lot of painful integrations and a lot of unnecessary data sharing. I’ve heard of a great use case in the US where a health insurance policy is given to the user as a verifiable credential and trusted when presented at a hospital or clinic to determine coverage, on the spot. No need to integrate with others to understand their policy, what’s covered, what’s not, etc. The information is all there, from the person presenting their credential. That is really powerful, especially in the uber-complicated US healthcare space!

What are your hopes for the digital identity field in the future?

The big goal is to make it “safe” for citizens to use the Internet—to make wandering around online as safe for our citizens as walking down the street. It’s not like that today—people must be constantly vigilant about who is trying to rip them off. We can do better and trusted digital identity is a huge step forward in achieving that goal.

The next big goal is for your credentials to be accepted and understood wherever you are in Canada and even globally. Imagine identity credentials given to you in one jurisdiction (e.g.  a Canadian province) that are trusted when you enroll in services because you’ve moved to another country. That’s both a technical challenge and a governance issue, but it’s possible.

What are the specific roadblocks other people in this space should look out for?

The biggest challenge we’ve seen for newcomers is that “getting started” guides are usually focused on technology, not the business problems and solutions. As a result, people jump at the wrong layer and have to work way too hard to find where they need to be to use the capabilities. Decentralized identity uses blockchain, right? Way too often, newbies jump right in at the blockchain level and waste a lot of time and energy. What about at the core verifiable credentials implementations layer?  Again, that’s rarely the right place. You want to start at the highest layer upon which you can build your use cases. Over time you will learn more about the lower levels, but if you start too low, you are wasting your time and the knowledge and experience of those that have come before. Stand on the shoulders of giants…

What is the book (or books) you have recommended most to others?

You asked this of Kim Hamilton-Duffy recently and got a really great answer for the identity space.

I run a lot and so I’ve become more of a podcast person these days so I’m going to mention a podcast of which I’m a big fan. I really like IEEE’s Software Engineering Radio podcast, especially when Felienne is hosting. She’s a brilliant interviewer and adds so much to the discussion. Check out a recent episode that Felienne hosted on gender, cognitive styles and usability bugs. I learned a lot from that discussion.

SE Radio recently interviewed Justin Richer about API Security with OAuth2. Justin is well known in the identity space (and has great taste in t-shirts). Well worth a listen! Other recent episodes on Securing PKI and Distributed Consensus are also great, and really useful for those in the identity space.

We, at Tykn, would like to thank Stephen Curran for his time and for sharing his ideas and knowledge with us. Thank you, Stephen! Be sure to follow his Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Kaliya Young (co-founder of the Internet Identity Workshop and author of the Domains of Identity)
  • Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.

Interview with Kaliya Young (co-founder of the Internet Identity Workshop and author of the Domains of Identity)

Photo: Kris Krug

If you follow Kaliya Young on social media, two things are immediately strikingly clear: Kaliya is one of the world’s foremost experts in Digital Identity and she is a strong advocate and a firm believer in a more diverse, inclusive and humane tech industry.

Humans First

Mark Zuckerberg is famous for his motto of “move fast and break things”. This hacker mindset, which favoured speed and disrespect for the status quo in order to build, learn and blitzscale quickly, spread like wildfire in Silicon Valley. 

According to Reid Hoffman, co-founder at LinkedIn: “early-stage startups are a lot like pirate ships. Pirates do not convene a committee to decide what to do – they strike quickly, break rules and take risks. And you need this buccaneering spirit to survive when the cannonballs are flying and the odds are against you”. (source)

Start-ups became romantically associated with pirate imagery and spirit. (Steve Jobs even coined the phrase: “It’s better to be a pirate than to join the navy” and hung a Jolly Roger in the Apple offices). Entrepreneurs were swashbucklers abiding by no law and order with only one focus in mind: grow their ship.

Kaliya co-founded the Human First Tech movement with Shireen Mitchell. They think this mindset actually “broke democracy and bulldozed key aspects of social systems that are good for human communities”.

The Human First Tech movement stands for three key changes in the tech culture:

  1. Humanness has to come first in all stages of tech development. Tech has to be “rooted in emotionally healthy adulthood with good boundaries, and clear agreements first”.
  2. Actively center communities that have been marginalized in the creation of Web 1.0, Web 2.0 and Social Media and involve them in the tech creation process.
  3. Anticipate and design with awareness of threat models and “bad actor behavior” that may inevitably arise rather than be surprised by it.

A reflection on the culture of tech is necessary as a revolution in tech infrastructure is approaching.

Self-Sovereign Identity, a model of identity management where users are in control of their digital personal data, will change how people interact with institutions, companies and each other, putting users in total control of those relationships. For the first time, users can be the sole owners of their data and decide who to share it with and how much of it to share, enabling safe and private interaction online. Kaliya is one of the first proponents of Self-Sovereign Identity, and also of thinking consciously about who is sitting at the table where the decisions on this new technology are being made. This seismic shift in the tech infrastructure has to serve “a broad and inclusive group of people” and avoid repeating the error of prioritizing tech over people, with a purposeful deliberation on “who should create, control and benefit from people’s identity information”.

This moment, the infancy of Self-Sovereign Identity, is the best time to act.

The Domains of Identity

Kaliya Young is, along with Phil Windley and Doc Searls, a co-founder of the Internet Identity Workshop, an event that “has been finding, probing and solving identity issues twice every year since 2005”. She holds a Master of Science in Identity Management and Security and was named one of the most influential women in tech by Fast Company Magazine. Kaliya is the co-author, along with Heather Vescent, of the Comprehensive Guide to Self-Sovereign Identity, and her Master’s report, Domains of Identity, provides a framework for the several domains of identity where personal data is stored in databases.

Using that framework, Kaliya walks us through the idea that identity is socially constructed and contextual. It’s who we see ourselves to be, who we present ourselves to be and how we are seen by others. It depends on social contexts such as family, groups, institutions and organisations we are part of. All these contexts attribute us different identifiers. The government attributes us an ID number or a passport. The University gives us a student number. For the hospital we have a patient number.

She states that the proliferation of the internet brought us even more identifiers, such as usernames and passwords, emails or URLs. But these digital identifiers are not truly ours. We are renting the URL from a domain provider or our phone number from the phone company.

With no control over our identifiers we have no control over our personal data. So how do we own our digital identifiers? This is the question that Kaliya has been trying to answer for 15 years.

The 16 Domains of Identity, as described by Kaliya, are:

1) Me and My Identity. Where and how individuals store their own personal data.

2) You and My Identity. The cases where a person – like a child or an elder – needs their identity management delegated to someone else.

3) Government registration. Including the registrations our parents do on our behalf and all those we do for ourselves (e.g. a driver’s license).

4) Government Transaction. Where we use the identity provided to us by the government to access other services (e.g. car registration).

5) Civil Society registration. Comprising all the organisations and institutions the individual has a relationship with. Schools, health facilities, sports teams, etc. All these institutions issue their own identity credentials.

6) Civil Society transactions. Where the individual uses the identity provided by the above mentioned institutions to access services.

7) Commercial registration. An identity registration used to access commercial services. Cases such as a loyalty card, airline miles, etc.

8) Commercial transactions. Using the identity provided by the commercial entities to access services from them. Like using discounts, using the airline miles, etc.

On the domains pertaining to Surveillance, Kaliya specifies that there are 3 types of surveillance – Voluntary Known, Involuntary Known, Involuntary Unknown – and each domain has levels of each one.

9) Government Surveillance.

10) Civil Society Surveillance. Examples of voluntary known would be CCTV from a school or a heart monitor.

11) Commercial Surveillance.

12) Employment registration. Job applications and the consequent process of being onboarded in a company (where the company will attribute credentials to him or her).

13) Employment transactions. Using the above mentioned credentials to do work.

14) Employment Surveillance.

15) Data Broker Industry. Using data from all the above mentioned entities and reselling it to the commercial sector.

16) Black Market. When criminals or state actors take advantage of personal data from all the above mentioned domains and use it on the black market.

Self-Sovereign Identity would allow for the individual to be at the center of all these relationships and manage them in a less complex, more private and secure way.

Note: the Domains of Identity are CC licensed with attribution.


You’ve been a leader in the community of User-Centric Identity/Self-Sovereign Identity for the past 15 years. What are the most positive changes you’ve seen happen during those 15 years?

We have created open standards that have been widely adopted (OpenID, OAuth, SCIM). 

We have, through the processes of iteration and experimentation, grown community based knowledge about what “doesn’t work” or at least is unlikely to work from past experiences (Information Cards and Mozilla Persona being two examples). 

In the past several years we have collectively innovated the emerging standards around self-sovereign and decentralized Identity.

In the field of Digital Identity, what is the question that people should be asking more but aren’t?

This may sound weird… but step way way back and figure out what you are actually talking about. 

Much of the material from the World Bank talks about “Digital Identity” but in this they think of it as a government issued ID in digital form, and primarily one that resides in a centralized government database. This is indeed one type of digital identity but the community around what was called user-centric digital identity that I got my start in begins with the premise of people having digital representations of themselves in “an online world” and then asks the questions how are they actually under the control of the person and can they be “owned” by the person instead of the company or site that that person is interacting with.

Can the digital avatar created in one (digital) place be ported by the person who created it to another (digital) place – just like bodies in the physical world can move from one location to another. Still another definition of digital identity centers on how enterprises manage the ID of the people who are their employees. I wrote the Domains of Identity. I just signed a contract with Anthem Press and it is coming out as a real book this winter.

Right now the questions need to be about what do the customers who will be early adopters of this technology really need. 

How do we really make this stuff interoperable?

Specific roadblocks other people in this space should look out for?

Not actually doing technical due diligence on systems. 

Not understanding the deeper motivations of different actors in the systems.

What are your hopes for the future of Self-Sovereign Identity?

We can live with the tensions between those who believe in permissioned vs those who believe in permissionless systems. They will both exist in the future no matter what.

We can continue to innovate via collaborative highly participatory forums. 

We can center the needs of real people. We can broaden the diversity, equity and inclusion in our community so that the whole range of human experience is in the room.

What is the book (or books) you have recommended most to others?

Obviously my book on Self-Sovereign Identity 🙂 

My forthcoming book on the Domains of Identity.

I would recommend folks read the Augmented Social Network: Building Identity and Trust into the Next Generation Internet. This is what inspired me to work on digital identity way back in the beginning. It’s well worth the read today.

We, at Tykn, would like to thank Kaliya Young for her time and for sharing her ideas and knowledge with us. Thank you, Kaliya! Be sure to follow her Blog and Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.

Interview with Kim Hamilton Duffy (Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT)

Self-Sovereign Identity allows individuals to fully control their personal data and the relationships in which their identity is used, choosing who gets to “see” it and how much of it they get to “see”.

Self-Sovereign Identity “privileges individual ownership of credentials, rather than custodianship of credentials by a software provider or issuing institution”. (source)

That’s according to Kim Hamilton Duffy, Co-chair of W3C Credentials Community Group and Architect of the Digital Academic Credentialing Infrastructure at MIT (Digital Academic Credentials Initiative). 

For her, the path towards a truly decentralized identity management system is through Decentralized Identifiers (DIDs) and Verifiable Credentials. She sees these as fundamental elements of Self-Sovereign Identity, promising to address the shortcomings of existing decentralized credentialing solutions such as Blockcerts, a blockchain-based credentialing solution that Kim developed in collaboration with the MIT Media Lab in order to solve the problem of decentralized verification.

Decentralized Identifiers

According to the W3C DID specification, “DIDs are URLs that relate a DID subject to means for trustable interactions with that subject”. They “enable the controller of a DID to prove control over it and to be implemented independently of any centralized registry, identity provider, or certificate authority”.

In a Self-Sovereign Identity ecosystem, individuals make claims about their identity, using DIDs, and those claims are “rendered tamper proof through digital signatures” stored on the blockchain. These claims can be verified anywhere, anytime. DIDs and Verifiable Claims allow for “persistent, independent digital identities” with increased privacy and security.

Kim considers DIDs an important tool for the proliferation of Self-Sovereign Identity. Managing cryptographic keys is a cumbersome process. DIDs make it easier for an individual to “retain ownership of their identifiers over time”. They “offer cryptographic strength while factoring in the full lifecycle of keys, including expiration and revocation”. Decentralized Identifiers help prevent a “situation in which all of a person’s data is tied to a single individual identity profile” by allowing an individual to have as many DIDs as he or she may wish in order to “curate their identity profiles and increase their privacy”. (source)

DIDs also benefit institutions and organisations that issue or verify identity. Their decentralized nature makes identity always available for verification, as opposed to a system where identity is held in a centralized database that may be rendered useless if it goes offline for any reason (or, in a worst case scenario, is destroyed).

On the Use Cases for Decentralized Identifiers, you can read what Kim considers the 15 required features for DIDs.
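The key lifecycle and trust decisions described above can be made concrete with a small sketch. This is an added example, not code from the W3C specification or Blockcerts: the in-memory `registry` (standing in for the decentralized registry), the `did:example` identifiers, every function name and the simplified JSON serialization are assumptions made for illustration.

```javascript
// Added illustration: a toy DID registry and credential check.
// Not the W3C data model or Blockcerts; all names here are hypothetical.
const crypto = require("node:crypto");

// Constructed stand-in for the decentralized registry that DIDs resolve against.
const registry = new Map();

// Simplified check of the generic DID shape: did:<method>:<method-specific-id>
function parseDid(did) {
  const m = /^did:([a-z0-9]+):([A-Za-z0-9._%:-]*[A-Za-z0-9._%-])$/.exec(did);
  if (!m) throw new Error("not a DID: " + did);
  return { method: m[1], id: m[2] };
}

// Create a DID whose controller holds the private key; publish only the public key.
function createDid(expires = null) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const did = "did:example:" + crypto.randomBytes(8).toString("hex");
  const keyId = did + "#key-1";
  registry.set(did, {
    id: did,
    verificationMethod: [{ id: keyId, publicKey, expires, revoked: false }],
  });
  return { did, keyId, privateKey };
}

// Key lifecycle: the controller marks a key as revoked in the registry.
function revokeKey(did, keyId) {
  registry.get(did).verificationMethod.find((v) => v.id === keyId).revoked = true;
}

// Simplified deterministic serialization (real proof formats canonicalize more carefully).
function payloadOf(c) {
  return Buffer.from(JSON.stringify([c.issuer, c.subject, c.claims, c.issued]));
}

function issueCredential(issuer, subject, claims, issued) {
  const cred = { issuer: issuer.did, subject, claims, issued };
  const signature = crypto.sign(null, payloadOf(cred), issuer.privateKey);
  cred.proof = { verificationMethod: issuer.keyId, signature: signature.toString("base64") };
  return cred;
}

// The verifier decides which issuers it trusts, then checks key state and signature.
function verifyCredential(cred, trustedIssuers, now) {
  parseDid(cred.issuer);
  if (!trustedIssuers.has(cred.issuer)) return { ok: false, reason: "untrusted issuer" };
  const doc = registry.get(cred.issuer);
  if (!doc) return { ok: false, reason: "unresolvable DID" };
  const vm = doc.verificationMethod.find((v) => v.id === cred.proof.verificationMethod);
  if (!vm) return { ok: false, reason: "unknown key" };
  if (vm.revoked) return { ok: false, reason: "key revoked" };
  if (vm.expires !== null && now > vm.expires) return { ok: false, reason: "key expired" };
  const sig = Buffer.from(cred.proof.signature, "base64");
  if (!crypto.verify(null, payloadOf(cred), vm.publicKey, sig)) {
    return { ok: false, reason: "bad signature" };
  }
  return { ok: true, reason: "verified" };
}

// Constructed scenario: one credential checked under five conditions.
function demo() {
  const now = Date.UTC(2024, 0, 15);
  const university = createDid();                        // issuer the verifier trusts
  const unknownIssuer = createDid();                     // issuer it does not trust
  const shortLived = createDid(Date.UTC(2023, 11, 31));  // key already expired at `now`
  const holder = createDid();                            // a person can hold many DIDs
  const trusted = new Set([university.did, shortLived.did]);
  const claims = { credential: "course-completion" };    // constructed sample claim
  const cred = issueCredential(university, holder.did, claims, now);
  const results = {
    valid: verifyCredential(cred, trusted, now),
    tampered: verifyCredential({ ...cred, subject: createDid().did }, trusted, now),
    untrusted: verifyCredential(issueCredential(unknownIssuer, holder.did, claims, now), trusted, now),
    expired: verifyCredential(issueCredential(shortLived, holder.did, claims, now), trusted, now),
  };
  revokeKey(university.did, university.keyId);
  results.revoked = verifyCredential(cred, trusted, now);
  return results;
}

console.log(demo());
```

The order of checks matters for a verifier: trust in the issuer and the state of the key are evaluated before the signature, so a cryptographically valid credential from a revoked or expired key is still rejected.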

Open Standards

“The Blockcerts standard was published under the MIT open source license in 2016 so that any institution, vendor, or researcher can use it to build their own applications for issuing and verifying claims on the blockchain”. For Kim, it’s extremely important that identity solutions rely on open standards in order to achieve “maximum interoperability and portability of documents and data, without sacrificing privacy or individual control”. To her, openness and standards compliance are essential.

Kim believes that through open standards, DIDs and Verifiable Credentials, there is a possibility to evolve the identity management paradigm to one that preserves the privacy, security and self-sovereignty of the individual, with Blockchain opening the door for the possibility of true individual control of personal data.

We had the opportunity to ask Kim Hamilton Duffy a few questions:


What are your responsibilities (and goals) as the Architect of the Digital Academic Credentialing Infrastructure at MIT (Digital Credentials Initiative)?

For context, the Digital Credentials Initiative is a university-led effort to develop a learner-centric digital credentialing ecosystem. I joined the initiative to drive the technical architecture and prototype/implementation rollout with the technical working group. Our initial focus is on standards, requirements, and shared infrastructure. We’re not defining competing standards; we’re identifying existing standards that suit our use cases, and extending/adapting them where necessary. So this effort complements existing credentialing standards (such as W3C Verifiable Credentials) and well-known vocabularies/taxonomies in the EDU/OCC space.

There are two characteristics that make this effort special. One is our participants’ commitment to include a broader range of perspectives and expertise. We felt that emerging decentralized credentialing standards showed a lot of promise, but that there were many open questions and gaps (not just technical — policy, governance, and more) that needed to be addressed. So for us, it was important to lead the effort with a well-rounded set of stakeholders.  

The other interesting characteristic is our ability to strongly advocate for learner use cases. The learner side often gets deprioritized in existing credentialing systems, resulting in limited ability for learners to access, store, and use their credentials across systems (as an example, credential exchange protocols are still in early phases of development). This initiative is positioned (and committed) to drive these standards and requirements forward – and even develop reference implementations if the market is not providing them.

In the field of Digital Identity, what is the question that people should be asking more but aren’t?

It’s critical to have clearly defined use cases when dealing with digital identity. I think many efforts start that way, but then get muddied by adding on — almost as an afterthought — higher stakes use cases that are not well-understood. When I say “higher stakes”, I mean the stakes may be higher for the populations involved (e.g. displaced persons needing access to resources) or the nature of the claim itself (e.g. containing more private information). The risk is that a poorly-informed “solution” can do more harm than good. 

One reason is that “identity” is so overloaded and potentially all-encompassing. If instead, we’re precise about the capabilities we are building, we may not need to “go to ‘identity’” (phrase borrowed from Steve Wilson). Further, pushing for use case clarity, as well as continually learning from intended users, allows us to build systems for our users (as opposed to systems that are imposed on them).

What needs to be true for SSI to achieve mass adoption, and what use cases do you think will gain early traction?

First, a caveat. SSI on its own is not something we can reasonably ask people to adopt — it’s an idea, with a confusing name at that, due to baggage associated with the word “sovereign”. (For clarity, I’d like to point readers to Christopher Allen’s 10 principles of self-sovereign identity and also Philip Sheldrake’s Generative Identity – beyond self-sovereignty). That said, those of us working in the decentralized identity space have not done a great job communicating the value-add or articulating concise use cases that, if solved, would actually warrant adoption.

An example: an SSI advocate might lead in with “imagine a Facebook but where you control your data”. Here are the problems with pitches like that:

  • Control and privacy are not features many users will pay for. In fact, some users accept (or at least claim to accept) that their data is already for sale so they might as well get paid for it. The downsides of thinking of data as property are more thoroughly analyzed in Elizabeth Renieris’ “Do we really want to “sell” ourselves? The risks of a property law paradigm for personal data ownership”.
  • Many users believe (rightly so, in many cases) that they must choose between usability/convenience on one hand and privacy/control on the other. Users are accustomed to the conveniences of centralized systems, and we need to work harder on UX.

In sum, we need to (1) improve usability and capabilities (particularly in “exceptional” cases requiring recovery of control), (2) develop interoperability standards currently missing in the decentralized identity stack, and (3) focus on compelling user-focused scenarios.

So there’s a lot of work to do, but there are some use cases that can obtain immediate traction. Those involve public claims (i.e., without sensitive data) that are improving efficiencies of existing workflows. This includes educational and occupational claims (equivalent to what you would post on LinkedIn), and government/business registries. As an example of the latter, Samantha Chase, founder of Venn Agency, is doing some interesting work around safety credentials backed by British Columbia’s Verifiable Organizations Network and OrgBook BC. This approach improves transparency and efficiency around safe workplace claims, which can further benefit companies through reduced costs (in the form of insurance discounts, for example).

Specific roadblocks other people in this space should look out for?

In the decentralized identity space, discussions around GDPR (and similar emerging privacy protections) have focused too much on rationalizing existing technical choices. It seems like every discussion about GDPR jumps to a debate about whether a hash of PII on a blockchain is acceptable. While I’ll steer away from that specific question, I think this misses the point, which is that designing systems for privacy and individual control offers exciting architectural challenges. It’s an opportunity to design systems more responsibly, which can lead to cleaner architectures that limit liability and exposure.

In my mind, GDPR has been generous in its rollout, and as long as system designers are being mindful about how user data is handled, and documenting decisions along the way, then they’ve made tremendous progress. And while it’s important to stay up-to-date as the consequences of such regulatory frameworks emerge, having documented your decisions along the way will make everyone’s life much easier.

What are your hopes for the digital identity field in the future?

I’d like for us to develop meaningful ways to include more diverse perspectives and expertise in our decentralized identity-focused groups. In our eagerness to develop core building blocks, technical folks (myself included) have sometimes inadvertently created sandboxes that exclude essential perspectives. We need to improve how we communicate about what we’re building. But more importantly, we need to actively engage, listen to, and accept leadership from people with a broader range of backgrounds and experience.

What is the book (or books) you have recommended most to others?

Because many of the writings I find interesting are not yet in book form, I’m going to include some blogs as well. Here are the writers/writings I keep coming back to:

We, at Tykn, would like to thank Kim Hamilton Duffy for her time and for sharing her ideas and knowledge with us. Thank you, Kim! Be sure to follow her Blog and Twitter.

Tykn is a digital identity company. If you’re keen on reading more we suggest:

  • Interview with Tim Bouma (Senior Policy Analyst for Identity Management at the Treasury Board Secretariat of the Government of Canada).
  • This Definitive Guide to Identity Management with Blockchain.
  • Interview with David Lamers (Blockchain Specialist at Rabobank) about the bank’s research and Self-Sovereign Identity Initiatives.